Date: Tue, 19 Dec 2000 03:42:05 +0200
From: Esa Etelavuori <eetelavu@cc.hut.fi>
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
Message-ID: <20001219034205.A29042@ksylofoni.hut.fi>
In-Reply-To: <20001218153619.071BE37B400@hub.freebsd.org>; from security-advisories@FreeBSD.ORG on Mon, Dec 18, 2000 at 07:36:19AM -0800
References: <20001218153619.071BE37B400@hub.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----

> Topic: Several vulnerabilities in procfs
> Announced: 2000-12-18
> Affects: Problem #1: FreeBSD 4.x prior to the correction date.
> FreeBSD 3.x is unaffected.

... except for procfs/ctl

> Problem #2, #3: FreeBSD 4.x and 3.x prior to the correction
> date.
> Corrected: 2000-12-16 (FreeBSD 4.2-STABLE)
> 2000-12-18 (FreeBSD 3.5.1-STABLE)

Looks fine, but the story is quite unfortunate. I heard afterwards from Frank van Vliet that they notified security-officer@freebsd.org about procfs/mem problems on October 25. I mailed the FreeBSD team about the procfs/status buffer overflow on October 27. I quickly got confirmation emails, but a public announcement seemed to take ages, although fixes had been committed to -current in two weeks. I asked about the status and agreed that it would be OK for me to wait for the advisory until the soon-coming release of 4.2.

After 4.2 had been released I got a draft advisory, checked the fixes and noticed that the procfs/ctl fix was missing. I emailed about it on November 25.

Looking at the CVS repository, it seems that procfs/ctl had been broken in FreeBSD since procfs was implemented. It was corrected in OpenBSD in 1996 and in NetBSD in 1997. Procfs/{mem,regs} had been corrected in 1997 (mem was still otherwise broken until early 2000), but the CHECKIO() checks were incorrectly replaced about a year ago.

Afterwards it seems like a mistake to wait for over 7 weeks when partial fixes had been on the public CVS for most of the time. Now I wonder how many of the "bad guys" actually scan for those changes; apparently one could get at least several days' advantage with many open source projects. CVS changes/notes can be very revealing for automated scanners, and there have probably been other silent "minor" fixes in addition to netgraph(3) loading kernel modules regardless of the securelevel on <4.1 (pointed out to me by Pascal Bouchareine).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (DreamOS)
Comment: http://www.iki.fi/ee/08C1E33D.asc

iQCVAwUBOj68r1ZDrCkIweM9AQGuwQP9HPfsTi0BFe6V237BaFUfOMI9CLfdEqNv
ojK4CGCrXZlc6FjOTAiO8BehQPnKm18dV1zePIiYFqoUTfSwNgNC428sMa5SayIX
aHBkxwe/+arBaoxhd1BGtxdrnjT59ud3wqQiew2W3irX9KE4JQRyO//Zpcopt5m4
Pa9GRcdieTQ=
=+XaS
-----END PGP SIGNATURE-----