rst.void.ru
RusH security team
 
 [ Рекомендовано к прочтению ]   [ Поиск ]   [ Регистрация [ Профиль ]   [ Войти и проверить личные сообщения ]   [ Вход

*BSD bugtraq

 
Начать новую тему   Ответить на тему    Список форумов rst.void.ru -> *BSD
Предыдущая тема :: Следующая тема  
Автор Сообщение
__blf
moder


Зарегистрирован: 31.01.2005
Сообщения: 428

СообщениеДобавлено: Чт Мар 10, 2005 3:51 pm
    Заголовок сообщения: *BSD bugtraq
Ответить с цитатой

Если у кого появляются интересные описания уязвимостей под *BSD системы (OpenBSD/FreeBSD/NetBSD/DFBSD) - пишите тут пожалуйста, в качестве награды добавим в Gr33tz при выходе эксплоита.
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Отправить e-mail Посетить сайт автора
Dark_Ghost
moder


Зарегистрирован: 19.01.2004
Сообщения: 498
Откуда: берутся дети?

СообщениеДобавлено: Чт Мар 31, 2005 10:42 pm
    Заголовок сообщения:
Ответить с цитатой

Today's Topics:

1. FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
(FreeBSD Security Advisories)

----------------------------------------------------------------------

Message: 1
Date: Mon, 28 Mar 2005 19:52:14 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Message-ID: <200503281952.j2SJqE6Q041133@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:01.telnet Security Advisory
The FreeBSD Project

Topic: telnet client buffer overflows

Category: contrib
Module: contrib/telnet
Announced: 2005-03-28
Credits: iDEFENSE
Affects: All FreeBSD releases prior to 5.4-RELEASE
Corrected: 2005-03-28 15:50:00 UTC (RELENG_5, 5.4-PRERELEASE)
2005-03-28 15:48:00 UTC (RELENG_4, 4.11-STABLE)
2005-03-28 15:52:00 UTC (RELENG_5_3, 5.3-RELEASE-p6)
2005-03-28 15:57:00 UTC (RELENG_4_11, 4.11-RELEASE-p1)
2005-03-28 15:58:00 UTC (RELENG_4_10, 4.10-RELEASE-p6)
2005-03-28 16:00:00 UTC (RELENG_4_8, 4.8-RELEASE-p28)
CVE Name: CAN-2005-0468 CAN-2005-0469

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The telnet(1) command is a TELNET protocol client, used primarily to
establish terminal sessions across a network.

II. Problem Description

Buffer overflows were discovered in the env_opt_add() and
slc_add_reply() functions of the telnet(1) command. TELNET protocol
commands, options, and data are copied from the network to a
fixed-sized buffer. In the case of env_opt_add (CAN-2005-0468), the
buffer is located on the heap. In the case of slc_add_reply
(CAN-2005-0469), the buffer is global uninitialized data (BSS).

III. Impact

These buffer overflows may be triggered when connecting to a malicious
server, or by an active attacker in the network path between the
client and server. Specially crafted TELNET command sequences may
cause the execution of arbitrary code with the privileges of the user
invoking telnet(1).

IV. Workaround

Do not use telnet(1) to connect to untrusted machines or over an
untrusted network.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, RELENG_4_10, or RELENG_4_8 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:01/telnet5.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Rebuild the operating system as described in
<URL:http://www.freebsd.org/doc/handbook/makeworld.html>.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/crypto/heimdal/appl/telnet/telnet/telnet.c 1.1.1.1.2.4
src/crypto/kerberosIV/appl/telnet/telnet/telnet.c 1.1.1.1.2.1
src/crypto/telnet/telnet/telnet.c 1.4.2.6
src/usr.bin/telnet/telnet.c 1.8.2.4
RELENG_4_11
src/UPDATING 1.73.2.91.2.2
src/crypto/heimdal/appl/telnet/telnet/telnet.c 1.1.1.1.2.3.10.1
src/crypto/kerberosIV/appl/telnet/telnet/telnet.c 1.1.1.1.22.1
src/crypto/telnet/telnet/telnet.c 1.4.2.5.12.1
src/sys/conf/newvers.sh 1.44.2.39.2.5
src/usr.bin/telnet/telnet.c 1.8.2.3.12.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.7
src/crypto/heimdal/appl/telnet/telnet/telnet.c 1.1.1.1.2.3.8.1
src/crypto/kerberosIV/appl/telnet/telnet/telnet.c 1.1.1.1.20.1
src/crypto/telnet/telnet/telnet.c 1.4.2.5.10.1
src/sys/conf/newvers.sh 1.44.2.34.2.8
src/usr.bin/telnet/telnet.c 1.8.2.3.10.1
RELENG_4_8
src/UPDATING 1.73.2.80.2.32
src/crypto/heimdal/appl/telnet/telnet/telnet.c 1.1.1.1.2.3.4.1
src/crypto/kerberosIV/appl/telnet/telnet/telnet.c 1.1.1.1.16.1
src/crypto/telnet/telnet/telnet.c 1.4.2.5.6.1
src/sys/conf/newvers.sh 1.44.2.29.2.29
src/usr.bin/telnet/telnet.c 1.8.2.3.6.1
RELENG_5
src/contrib/telnet/telnet/telnet.c 1.14.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.9
src/contrib/telnet/telnet/telnet.c 1.14.8.1
src/sys/conf/newvers.sh 1.62.2.15.2.11
- -------------------------------------------------------------------------

VII. References

[IDEF0866] Multiple Telnet Client slc_add_reply() Buffer Overflow
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities

[IDEF0867] Multiple Telnet Client env_opt_add() Buffer Overflow
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0

iD8DBQFCSECrFdaIBMps37IRAnRJAJ0VbP6TyaX7SLE2EwSrIYU25JSD9wCfYoe9
Qg2Lw/6QFLOgYG1jPuzogEs=
=0rFv
-----END PGP SIGNATURE-----

------------------------------
_________________
Плохому хакеру логи мешают.

[EXT]
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Посетить сайт автора ICQ Number
zZz
geek


Зарегистрирован: 19.02.2005
Сообщения: 47

СообщениеДобавлено: Чт Мар 31, 2005 11:40 pm
    Заголовок сообщения:
Ответить с цитатой

Ну кто ж сейчас telnet'ом пользуется....
Кстати эта уязвимость не только во фряшном телнете - еще в solaris 9,10 и в mac os x
_________________
Be yourself, no matter what they say...
Вернуться к началу
Посмотреть профиль Отправить личное сообщение
greenwood3
GOLD visitor


Зарегистрирован: 01.06.2004
Сообщения: 254

СообщениеДобавлено: Чт Апр 07, 2005 2:17 pm
    Заголовок сообщения:
Ответить с цитатой

System call sendfile()

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:02.sendfile.asc

AMD64 таких архитектур ещё мало (

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:03.amd64.asc
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Посетить сайт автора ICQ Number
Dark_Ghost
moder


Зарегистрирован: 19.01.2004
Сообщения: 498
Откуда: берутся дети?

СообщениеДобавлено: Ср Апр 13, 2005 8:22 pm
    Заголовок сообщения:
Ответить с цитатой

Цитата:
=============================================================================
FreeBSD-SA-05:02.sendfile Security Advisory
The FreeBSD Project

Topic: sendfile kernel memory disclosure

Category: core
Module: sys_kern
Announced: 2005-04-04
Credits: Sven Berkvens <sven@berkvens.net>
Marc Olzheim <zlo@zlo.nu>
Affects: All FreeBSD 4.x releases
All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected: 2005-04-04 23:52:02 UTC (RELENG_5, 5.4-STABLE)
2005-04-04 23:52:35 UTC (RELENG_5_4, 5.4-RELEASE)
2005-04-04 23:53:24 UTC (RELENG_5_3, 5.3-RELEASE-p7)
2005-04-04 23:53:36 UTC (RELENG_4, 4.11-STABLE)
2005-04-04 23:53:56 UTC (RELENG_4_11, 4.11-RELEASE-p2)
2005-04-04 23:54:13 UTC (RELENG_4_10, 4.10-RELEASE-p7)
2005-04-04 23:54:33 UTC (RELENG_4_8, 4.8-RELEASE-p29)
CVE Name: CAN-2005-0708

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The sendfile(2) system call allows a server application (such as an HTTP
or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory. High
performance servers such as Apache and ftpd use sendfile.

II. Problem Description

If the file being transmitted is truncated after the transfer has
started but before it completes, sendfile(2) will transfer the contents
of more or less random portions of kernel memory in lieu of the
missing part of the file.

III. Impact

A local user could create a large file and truncate it while
transferring it to himself, thus obtaining a copy of portions of system
memory to which he would normally not have access. Such memory might
contain sensitive information, such as portions of the file cache or
terminal buffers. This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way. For
example, a terminal buffer might include a user-entered password.

IV. Workaround

No known workaround.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, RELENG_4_10, or RELENG_4_8 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_4.patch.asc

[FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:02/sendfile_5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/sys/ufs/ffs/ffs_inode.c 1.56.2.6
RELENG_4_11
src/UPDATING 1.73.2.91.2.3
src/sys/conf/newvers.sh 1.44.2.39.2.6
src/sys/ufs/ffs/ffs_inode.c 1.56.2.5.12.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.8
src/sys/conf/newvers.sh 1.44.2.34.2.8
src/sys/ufs/ffs/ffs_inode.c 1.56.2.5.10.1
RELENG_4_8
src/UPDATING 1.73.2.80.2.33
src/sys/conf/newvers.sh 1.44.2.29.2.29
src/sys/ufs/ffs/ffs_inode.c 1.56.2.5.6.1
RELENG_5
src/sys/ufs/ffs/ffs_inode.c 1.93.2.2
RELENG_5_4
src/UPDATING 1.342.2.24.2.1
src/sys/ufs/ffs/ffs_inode.c 1.93.2.1.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.10
src/sys/conf/newvers.sh 1.62.2.15.2.12
src/sys/ufs/ffs/ffs_inode.c 1.93.4.1
- -------------------------------------------------------------------------



&


Цитата:
=============================================================================
FreeBSD-SA-05:03.amd64 Security Advisory
The FreeBSD Project

Topic: unprivileged hardware access on amd64

Category: core
Module: sys_amd64
Announced: 2004-04-06
Credits: Jari Kirma
Affects: All FreeBSD/amd64 5.x releases prior to 5.4-RELEASE
Corrected: 2005-04-06 01:05:51 UTC (RELENG_5, 5.4-STABLE)
2005-04-06 01:06:15 UTC (RELENG_5_4, 5.4-RELEASE)
2005-04-06 01:06:44 UTC (RELENG_5_3, 5.3-RELEASE-pCool

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The AMD64 architecture has two mechanisms for permitting processes to
access hardware: Kernel code can access hardware directly by reason of
its elevated privilege level, while user code can access a subset of
hardware determined by a bitmap.

II. Problem Description

The bitmap which determines which hardware can be accessed by unprivileged
processes was not initialized properly.

III. Impact

Unprivileged users on amd64 systems can gain direct access to some
hardware, allowing for denial of service, disclosure of sensitive
information, or possible privilege escalation.

IV. Workaround

No workaround is known for amd64 systems; other platforms are not
affected by this issue.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or to the RELENG_5_3
security branch dated after the correction date.

2) To patch your present system:

a) Download the patch from the location below, and verify the detached
PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:03/amd64.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:03/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/amd64/amd64/machdep.c 1.618.2.10
src/sys/amd64/amd64/mp_machdep.c 1.242.2.8
src/sys/amd64/include/tss.h 1.16.2.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.2
src/sys/amd64/amd64/machdep.c 1.618.2.9.2.1
src/sys/amd64/amd64/mp_machdep.c 1.242.2.7.2.1
src/sys/amd64/include/tss.h 1.16.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.11
src/sys/conf/newvers.sh 1.62.2.15.2.13
src/sys/amd64/amd64/machdep.c 1.618.2.1.2.1
src/sys/amd64/amd64/mp_machdep.c 1.242.2.2.2.1
src/sys/amd64/include/tss.h 1.16.4.1
- -------------------------------------------------------------------------

_________________
Плохому хакеру логи мешают.

[EXT]
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Посетить сайт автора ICQ Number
Dark_Ghost
moder


Зарегистрирован: 19.01.2004
Сообщения: 498
Откуда: берутся дети?

СообщениеДобавлено: Пт Апр 15, 2005 3:18 pm
    Заголовок сообщения:
Ответить с цитатой

=============================================================================
FreeBSD-SA-05:04.ifconf Security Advisory
The FreeBSD Project

Topic: Kernel memory disclosure in ifconf()

Category: core
Module: sys_net
Announced: 2005-04-15
Credits: Ilja van Sprundel
Affects: All FreeBSD 4.x releases
All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected: 2005-04-15 01:51:44 UTC (RELENG_5, 5.4-STABLE)
2005-04-15 01:52:03 UTC (RELENG_5_4, 5.4-RELEASE)
2005-04-15 01:52:25 UTC (RELENG_5_3, 5.3-RELEASE-p9)
2005-04-15 01:52:40 UTC (RELENG_4, 4.11-STABLE)
2005-04-15 01:52:57 UTC (RELENG_4_11, 4.11-RELEASE-p3)
2005-04-15 01:53:14 UTC (RELENG_4_10, 4.10-RELEASE-pCool

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The SIOCGIFCONF ioctl allows a user process to ask the kernel to produce
a list of the existing network interfaces and copy it into a buffer
provided by the user process.

II. Problem Description

In generating the list of network interfaces, the kernel writes into a
portion of a buffer without first zeroing it. As a result, the prior
contents of the buffer will be disclosed to the calling process.

III. Impact

Up to 12 bytes of kernel memory may be disclosed to the user process.
Such memory might contain sensitive information, such as portions of
the file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way. For example, a terminal buffer might include a user-entered
password.

IV. Workaround

No known workaround.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf4.patch.asc

[FreeBSD 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/sys/net/if.c 1.85.2.29
RELENG_4_11
src/UPDATING 1.73.2.91.2.4
src/sys/conf/newvers.sh 1.44.2.39.2.7
src/sys/net/if.c 1.85.2.28.2.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.9
src/sys/conf/newvers.sh 1.44.2.34.2.10
src/sys/net/if.c 1.85.2.25.2.1
RELENG_5
src/sys/net/if.c 1.199.2.15
RELENG_5_4
src/UPDATING 1.342.2.24.2.3
src/sys/net/if.c 1.199.2.14.2.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.12
src/sys/conf/newvers.sh 1.62.2.15.2.14
src/sys/net/if.c 1.199.2.7.2.3
- -------------------------------------------------------------------------
_________________
Плохому хакеру логи мешают.

[EXT]
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Посетить сайт автора ICQ Number
Dark_Ghost
moder


Зарегистрирован: 19.01.2004
Сообщения: 498
Откуда: берутся дети?

СообщениеДобавлено: Сб Апр 23, 2005 10:41 pm
    Заголовок сообщения:
Ответить с цитатой

Цитата:

=============================================================================
FreeBSD-SA-05:05.cvs Security Advisory
The FreeBSD Project

Topic: Multiple vulnerabilities in CVS

Category: contrib
Module: cvs
Announced: 2005-04-22
Credits: Alen Zukich
Affects: All FreeBSD 4.x releases
All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected: 2005-04-22 18:01:04 UTC (RELENG_5, 5.4-STABLE)
2005-04-22 18:03:18 UTC (RELENG_5_4, 5.4-RELEASE)
2005-04-22 18:07:10 UTC (RELENG_5_3, 5.3-RELEASE-p10)
2005-04-22 18:13:30 UTC (RELENG_4, 4.11-STABLE)
2005-04-22 18:17:22 UTC (RELENG_4_11, 4.11-RELEASE-p4)
2005-04-22 18:16:15 UTC (RELENG_4_10, 4.10-RELEASE-p9)
CVE Name: CAN-2005-0753

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

The Concurrent Versions System (CVS) is a version control system. It
may be used to access a repository locally, or to access a `remote
repository' using a number of different methods. When accessing a
remote repository, the target machine runs the CVS server to fulfill
client requests.

II. Problem Description

Multiple programming errors were found in CVS. In one case, variable
length strings are copied into a fixed length buffer without adequate
checks being made; other errors include NULL pointer dereferences,
possible use of uninitialized variables, and memory leaks.

III. Impact

CVS servers ("cvs server" or :pserver: modes) are affected by these
problems. The buffer overflow may potentially be exploited to execute
arbitrary code on the CVS server, either in the context of the
authenticated user or in the context of the CVS server, depending on
the access method used. The other errors may lead to a denial of
service.

IV. Workaround

No workaround is available for cvs servers; cvs clients are unaffected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:05/cvs410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:05/cvs410.patch.asc

[FreeBSD 4.11 and 5.3]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:05/cvs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:05/cvs.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/contrib/cvs/src/login.c 1.3.2.6
src/contrib/cvs/src/patch.c 1.1.1.7.2.7
src/contrib/cvs/src/rcs.c 1.19.2.7
RELENG_4_11
src/UPDATING 1.73.2.91.2.5
src/sys/conf/newvers.sh 1.44.2.39.2.8
src/contrib/cvs/src/login.c 1.3.2.5.2.1
src/contrib/cvs/src/patch.c 1.1.1.7.2.6.2.1
src/contrib/cvs/src/rcs.c 1.19.2.6.2.1
RELENG_4_10
src/UPDATING 1.73.2.90.2.10
src/sys/conf/newvers.sh 1.44.2.34.2.11
src/contrib/cvs/src/login.c 1.3.2.4.6.1
src/contrib/cvs/src/patch.c 1.1.1.7.2.5.6.1
src/contrib/cvs/src/rcs.c 1.19.2.5.6.1
RELENG_5
src/contrib/cvs/src/login.c 1.8.2.1
src/contrib/cvs/src/patch.c 1.1.1.13.2.1
src/contrib/cvs/src/rcs.c 1.27.2.1
RELENG_5_4
src/UPDATING 1.342.2.24.2.4
src/contrib/cvs/src/login.c 1.8.6.1
src/contrib/cvs/src/patch.c 1.1.1.13.6.1
src/contrib/cvs/src/rcs.c 1.27.6.1
RELENG_5_3
src/UPDATING 1.342.2.13.2.13
src/sys/conf/newvers.sh 1.62.2.15.2.15
src/contrib/cvs/src/login.c 1.8.4.1
src/contrib/cvs/src/patch.c 1.1.1.13.4.1
src/contrib/cvs/src/rcs.c 1.27.4.1
- -------------------------------------------------------------------------

_________________
Плохому хакеру логи мешают.

[EXT]
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Посетить сайт автора ICQ Number
Dark_Ghost
moder


Зарегистрирован: 19.01.2004
Сообщения: 498
Откуда: берутся дети?

СообщениеДобавлено: Пт Май 06, 2005 5:30 pm
    Заголовок сообщения:
Ответить с цитатой

вот только что прям прилетело:
Код:

=============================================================================
FreeBSD-SA-05:06.iir                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect permissions on /dev/iir

Category:       core
Module:         sys_dev
Announced:      2005-05-06
Credits:        Christian S.J. Peron
Affects:        All FreeBSD 4.x releases since 4.6-RELEASE
                All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected:      2005-05-06 02:33:46 UTC (RELENG_5, 5.4-STABLE)
                2005-05-06 02:34:18 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-06 02:34:01 UTC (RELENG_5_3, 5.3-RELEASE-p11)
                2005-05-06 02:32:54 UTC (RELENG_4, 4.11-STABLE)
                2005-05-06 02:33:28 UTC (RELENG_4_11, 4.11-RELEASE-p5)
                2005-05-06 02:33:12 UTC (RELENG_4_10, 4.10-RELEASE-p10)
CVE Name:       CAN-2005-1399

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The iir(4) driver provides support for the Intel Integrated RAID
controllers and ICP Vortex RAID controllers.

II.  Problem Description

The default permissions on the /dev/iir device node allow unprivileged
local users to open the device and execute ioctl calls.

III. Impact

Unprivileged local users can send commands to the hardware supported by
the iir(4) driver, allowing destruction of data and possible disclosure
of data.

IV.  Workaround

Systems without hardware supported by the iir(4) driver are not affected
by this issue.  On systems which are affected, as a workaround, the
permissions on /dev/iir can be changed manually.

As root, execute the following command:

# chmod 0600 /dev/iir*

On 5.x, the following commands are also needed to ensure that the
correct permissions are used after rebooting.

# echo 'perm iir* 0600' >> /etc/devfs.conf
# echo 'devfs_enable="YES"' >> /etc/rc.conf

If the administrator has created additional device nodes, or mounted
additional instances of devfs(5) elsewhere in the file system name
space, attention should be paid to ensure that either the iir device
node is not visible in those name spaces, or is similarly protected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after
the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/dev/iir/iir_ctrl.c                                      1.2.2.5
RELENG_4_11
  src/UPDATING                                              1.73.2.91.2.6
  src/sys/conf/newvers.sh                                   1.44.2.39.2.9
  src/sys/dev/iir/iir_ctrl.c                                 1.2.2.4.12.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.11
  src/sys/conf/newvers.sh                                  1.44.2.34.2.12
  src/sys/dev/iir/iir_ctrl.c                                 1.2.2.4.10.1
RELENG_5
  src/sys/dev/iir/iir_ctrl.c                                     1.15.2.2
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.5
  src/sys/dev/iir/iir_ctrl.c                                 1.15.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.14
  src/sys/conf/newvers.sh                                  1.62.2.15.2.16
  src/sys/dev/iir/iir_ctrl.c                                     1.15.4.1
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:06.iir.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD4DBQFCetz4FdaIBMps37IRAvyMAJjeLAyi4DGQGV3J5Ay+zzt5z4awAKCQ2Z9f
Hh/14bkUQqNXbUTAXEUBrw==
=HFZ7
-----END PGP SIGNATURE-----

------------------------------

Message: 2
Date: Fri, 6 May 2005 03:03:13 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-05:07.ldt
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Message-ID: <200505060303.j4633D8E089127@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:07.ldt                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Local kernel memory disclosure in i386_get_ldt

Category:       core
Module:         sys_i386
Announced:      2005-05-06
Credits:        Christer Oberg
Affects:        All FreeBSD/i386 4.x releases since 4.7-RELEASE
                All FreeBSD/i386 5.x and FreeBSD/amd64 5.x releases
                prior to 5.4-RELEASE
Corrected:      2005-05-06 02:40:19 UTC (RELENG_5, 5.4-STABLE)
                2005-05-06 02:40:49 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-06 02:40:32 UTC (RELENG_5_3, 5.3-RELEASE-p12)
                2005-05-06 02:39:35 UTC (RELENG_4, 4.11-STABLE)
                2005-05-06 02:40:05 UTC (RELENG_4_11, 4.11-RELEASE-p6)
                2005-05-06 02:39:52 UTC (RELENG_4_10, 4.10-RELEASE-p11)
CVE Name:       CAN-2005-1400

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The i386_get_ldt(2) system call allows a process to request that a
portion of its Local Descriptor Table be copied from the kernel into
userland.

II.  Problem Description

The i386_get_ldt(2) syscall performs insufficient validation of its
input arguments.  In particular, negative or very large values may
allow inappropriate data to be copied from the kernel.

III. Impact

Kernel memory may be disclosed to the user process.  Such memory might
contain sensitive information, such as portions of the file cache or
terminal buffers.  This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way.  For
example, a terminal buffer might include a user-entered password.

IV.  Workaround

No workaround is known for i386 and amd64 systems; other platforms are
not affected by this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after
the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:07/ldt4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:07/ldt4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:07/ldt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:07/ldt5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/i386/i386/sys_machdep.c                                1.47.2.4
RELENG_4_11
  src/UPDATING                                              1.73.2.91.2.7
  src/sys/conf/newvers.sh                                  1.44.2.39.2.10
  src/sys/i386/i386/sys_machdep.c                            1.47.2.3.8.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.12
  src/sys/conf/newvers.sh                                  1.44.2.34.2.13
  src/sys/i386/i386/sys_machdep.c                            1.47.2.3.6.1
RELENG_5
  src/sys/i386/i386/sys_machdep.c                                1.92.2.3
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.6
  src/sys/i386/i386/sys_machdep.c                            1.92.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.15
  src/sys/conf/newvers.sh                                  1.62.2.15.2.17
  src/sys/i386/i386/sys_machdep.c                                1.92.4.1
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:07.ldt.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCetz/FdaIBMps37IRAsGyAJ0e/186b85KV2w0iqXy+eZe4aoGMwCfSlRm
TqqVUL/yrYbXxlyzJZNEjPs=
=/YXX
-----END PGP SIGNATURE-----

------------------------------

Message: 3
Date: Fri, 6 May 2005 03:03:23 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-05:08.kmem
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Message-ID: <200505060303.j4633NvP089169@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:08.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local kernel memory disclosure

Category:       core
Module:         sys
Announced:      2005-05-06
Credits:        Christian S.J. Peron
Affects:        All FreeBSD releases prior to 5.4-RELEASE
Corrected:      2005-05-06 02:50:00 UTC (RELENG_5, 5.4-STABLE)
                2005-05-06 02:51:10 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-06 02:50:35 UTC (RELENG_5_3, 5.3-RELEASE-p13)
                2005-05-06 02:48:46 UTC (RELENG_4, 4.11-STABLE)
                2005-05-06 02:49:35 UTC (RELENG_4_11, 4.11-RELEASE-p7)
                2005-05-06 02:49:08 UTC (RELENG_4_10, 4.10-RELEASE-p12)
CVE Name:       CAN-2005-1406

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

In many parts of the FreeBSD kernel, names (of mount points, devices,
files, etc.) are manipulated as NULL-terminated strings, but are provided
to applications within fixed-length buffers.

II.  Problem Description

In several places, variable-length strings were copied into fixed-length
buffers without zeroing the unused portion of the buffer.

III. Impact

The previous contents of part of the fixed-length buffers will be
disclosed to applications.  Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers.
This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way.  For example, a terminal buffer
might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after
the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/kern/vfs_subr.c                                      1.249.2.32
  src/sys/net/if_mib.c                                            1.8.2.3
  src/sys/netinet/ip_divert.c                                    1.42.2.8
  src/sys/netinet/raw_ip.c                                      1.64.2.20
  src/sys/netinet/udp_usrreq.c                                  1.64.2.20
RELENG_4_11
  src/UPDATING                                              1.72.2.91.2.8
  src/sys/conf/newvers.sh                                  1.44.2.39.2.11
  src/sys/kern/vfs_subr.c                                  1.249.2.31.6.1
  src/sys/net/if_mib.c                                        1.8.2.2.2.1
  src/sys/netinet/ip_divert.c                                1.42.2.7.2.1
  src/sys/netinet/raw_ip.c                                  1.64.2.19.2.1
  src/sys/netinet/udp_usrreq.c                              1.64.2.19.6.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.13
  src/sys/conf/newvers.sh                                  1.44.2.34.2.14
  src/sys/kern/vfs_subr.c                                  1.249.2.31.4.1
  src/sys/net/if_mib.c                                       1.8.2.1.16.2
  src/sys/netinet/ip_divert.c                                1.42.2.6.6.1
  src/sys/netinet/raw_ip.c                                  1.64.2.18.4.1
  src/sys/netinet/udp_usrreq.c                              1.64.2.19.4.1
RELENG_5
  src/sys/kern/subr_bus.c                                       1.156.2.7
  src/sys/kern/vfs_subr.c                                       1.522.2.5
  src/sys/net/if_mib.c                                           1.13.4.2
  src/sys/netinet/ip_divert.c                                    1.98.2.3
  src/sys/netinet/raw_ip.c                                      1.142.2.5
  src/sys/netinet/udp_usrreq.c                                  1.162.2.8
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.7
  src/sys/kern/subr_bus.c                                   1.156.2.5.2.1
  src/sys/kern/vfs_subr.c                                   1.522.2.4.2.1
  src/sys/net/if_mib.c                                       1.13.4.1.2.1
  src/sys/netinet/ip_divert.c                                1.98.2.2.2.1
  src/sys/netinet/raw_ip.c                                  1.142.2.4.2.1
  src/sys/netinet/udp_usrreq.c                              1.162.2.7.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.16
  src/sys/conf/newvers.sh                                  1.62.2.15.2.18
  src/sys/kern/subr_bus.c                                   1.156.2.2.2.1
  src/sys/kern/vfs_subr.c                                   1.522.2.1.2.1
  src/sys/net/if_mib.c                                           1.13.6.1
  src/sys/netinet/ip_divert.c                                    1.98.4.1
  src/sys/netinet/raw_ip.c                                  1.142.2.2.2.1
  src/sys/netinet/udp_usrreq.c                              1.162.2.3.2.1
- -------------------------------------------------------------------------

_________________
Плохому хакеру логи мешают.

[EXT]
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Посетить сайт автора ICQ Number
Dark_Ghost
moder


Зарегистрирован: 19.01.2004
Сообщения: 498
Откуда: берутся дети?

СообщениеДобавлено: Вс Май 08, 2005 5:38 pm
    Заголовок сообщения:
Ответить с цитатой

Код:
=============================================================================
FreeBSD-SA-05:06.iir                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect permissions on /dev/iir

Category:       core
Module:         sys_dev
Announced:      2005-05-06
Credits:        Christian S.J. Peron
                Andre Guibert de Bruet
Affects:        All FreeBSD 4.x releases since 4.6-RELEASE
                All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected:      2005-05-06 02:33:46 UTC (RELENG_5, 5.4-STABLE)
                2005-05-06 02:34:18 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-06 02:34:01 UTC (RELENG_5_3, 5.3-RELEASE-p11)
                2005-05-06 02:32:54 UTC (RELENG_4, 4.11-STABLE)
                2005-05-06 02:33:28 UTC (RELENG_4_11, 4.11-RELEASE-p5)
                2005-05-06 02:33:12 UTC (RELENG_4_10, 4.10-RELEASE-p10)
CVE Name:       CAN-2005-1399

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

0.   Revision History

v1.0 2005-05-06  Initial release.
v1.1 2005-05-07  Updated credits to include Andre Guibert de Bruet, who
                 was inadvertantly omitted from the original advisory.

I.   Background

The iir(4) driver provides support for the Intel Integrated RAID
controllers and ICP Vortex RAID controllers.

II.  Problem Description

The default permissions on the /dev/iir device node allow unprivileged
local users to open the device and execute ioctl calls.

III. Impact

Unprivileged local users can send commands to the hardware supported by
the iir(4) driver, allowing destruction of data and possible disclosure
of data.

IV.  Workaround

Systems without hardware supported by the iir(4) driver are not affected
by this issue.  On systems which are affected, as a workaround, the
permissions on /dev/iir can be changed manually.

As root, execute the following command:

# chmod 0600 /dev/iir*

On 5.x, the following commands are also needed to ensure that the
correct permissions are used after rebooting.

# echo 'perm iir* 0600' >> /etc/devfs.conf
# echo 'devfs_enable="YES"' >> /etc/rc.conf

If the administrator has created additional device nodes, or mounted
additional instances of devfs(5) elsewhere in the file system name
space, attention should be paid to ensure that either the iir device
node is not visible in those name spaces, or is similarly protected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after
the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/dev/iir/iir_ctrl.c                                      1.2.2.5
RELENG_4_11
  src/UPDATING                                              1.73.2.91.2.6
  src/sys/conf/newvers.sh                                   1.44.2.39.2.9
  src/sys/dev/iir/iir_ctrl.c                                 1.2.2.4.12.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.11
  src/sys/conf/newvers.sh                                  1.44.2.34.2.12
  src/sys/dev/iir/iir_ctrl.c                                 1.2.2.4.10.1
RELENG_5
  src/sys/dev/iir/iir_ctrl.c                                     1.15.2.2
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.5
  src/sys/dev/iir/iir_ctrl.c                                 1.15.2.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.14
  src/sys/conf/newvers.sh                                  1.62.2.15.2.16
  src/sys/dev/iir/iir_ctrl.c                                     1.15.4.1
- -------------------------------------------------------------------------

_________________
Плохому хакеру логи мешают.

[EXT]
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Посетить сайт автора ICQ Number
Dark_Ghost
moder


Зарегистрирован: 19.01.2004
Сообщения: 498
Откуда: берутся дети?

СообщениеДобавлено: Пн Май 09, 2005 7:44 pm
    Заголовок сообщения:
Ответить с цитатой

Код:
=============================================================================
FreeBSD-SA-05:08.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local kernel memory disclosure

Category:       core
Module:         sys
Announced:      2005-05-06
Credits:        Christian S.J. Peron
                Uwe Doering
Affects:        All FreeBSD releases prior to 5.4-RELEASE
Corrected:      2005-05-08 10:19:37 UTC (RELENG_5, 5.4-STABLE)
                2005-05-07 03:58:26 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-08 10:23:52 UTC (RELENG_5_3, 5.3-RELEASE-p14)
                2005-05-08 10:26:42 UTC (RELENG_4, 4.11-STABLE)
                2005-05-08 10:29:54 UTC (RELENG_4_11, 4.11-RELEASE-p8)
                2005-05-08 10:35:56 UTC (RELENG_4_10, 4.10-RELEASE-p13)
CVE Name:       CAN-2005-1406

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

0.   Revision History

v1.0 2005-05-06  Initial release.
v1.1 2005-05-07  Updated patch to include related issues reported by
                 Uwe Doering.

I.   Background

In many parts of the FreeBSD kernel, names (of mount points, devices,
files, etc.) are manipulated as NULL-terminated strings, but are provided
to applications within fixed-length buffers.

II.  Problem Description

In several places, variable-length strings were copied into fixed-length
buffers without zeroing the unused portion of the buffer.

III. Impact

The previous contents of part of the fixed-length buffers will be
disclosed to applications.  Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers.
This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way.  For example, a terminal buffer
might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after
the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4x.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/kern/uipc_usrreq.c                                    1.54.2.11
  src/sys/kern/vfs_subr.c                                      1.249.2.32
  src/sys/net/if_mib.c                                            1.8.2.3
  src/sys/netinet/ip_divert.c                                    1.42.2.8
  src/sys/netinet/raw_ip.c                                      1.64.2.20
  src/sys/netinet/tcp_subr.c                                    1.73.2.34
  src/sys/netinet/udp_usrreq.c                                  1.64.2.20
RELENG_4_11
  src/UPDATING                                              1.72.2.91.2.9
  src/sys/conf/newvers.sh                                  1.44.2.39.2.12
  src/sys/kern/uipc_usrreq.c                                1.54.2.10.8.1
  src/sys/kern/vfs_subr.c                                  1.249.2.31.6.1
  src/sys/net/if_mib.c                                        1.8.2.2.2.1
  src/sys/netinet/ip_divert.c                                1.42.2.7.2.1
  src/sys/netinet/raw_ip.c                                  1.64.2.19.2.1
  src/sys/netinet/tcp_subr.c                                1.73.2.33.4.1
  src/sys/netinet/udp_usrreq.c                              1.64.2.19.6.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.14
  src/sys/conf/newvers.sh                                  1.44.2.34.2.15
  src/sys/kern/uipc_usrreq.c                                1.54.2.10.6.1
  src/sys/kern/vfs_subr.c                                  1.249.2.31.4.1
  src/sys/net/if_mib.c                                       1.8.2.1.16.2
  src/sys/netinet/ip_divert.c                                1.42.2.6.6.1
  src/sys/netinet/raw_ip.c                                  1.64.2.18.4.1
  src/sys/netinet/tcp_subr.c                                1.73.2.33.2.1
  src/sys/netinet/udp_usrreq.c                              1.64.2.19.4.1
RELENG_5
  src/sys/kern/subr_bus.c                                       1.156.2.7
  src/sys/kern/uipc_usrreq.c                                   1.138.2.14
  src/sys/kern/vfs_subr.c                                       1.522.2.5
  src/sys/net/if_mib.c                                           1.13.4.2
  src/sys/netinet/ip_divert.c                                    1.98.2.3
  src/sys/netinet/raw_ip.c                                      1.142.2.5
  src/sys/netinet/tcp_subr.c                                   1.201.2.18
  src/sys/netinet/udp_usrreq.c                                  1.162.2.8
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.9
  src/sys/kern/subr_bus.c                                   1.156.2.5.2.1
  src/sys/kern/uipc_usrreq.c                               1.138.2.13.2.1
  src/sys/kern/vfs_subr.c                                   1.522.2.4.2.1
  src/sys/net/if_mib.c                                       1.13.4.1.2.1
  src/sys/netinet/ip_divert.c                                1.98.2.2.2.1
  src/sys/netinet/raw_ip.c                                  1.142.2.4.2.1
  src/sys/netinet/tcp_subr.c                               1.201.2.15.2.1
  src/sys/netinet/udp_usrreq.c                              1.162.2.7.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.17
  src/sys/conf/newvers.sh                                  1.62.2.15.2.19
  src/sys/kern/subr_bus.c                                   1.156.2.2.2.1
  src/sys/kern/uipc_usrreq.c                                1.138.2.2.2.2
  src/sys/kern/vfs_subr.c                                   1.522.2.1.2.1
  src/sys/net/if_mib.c                                           1.13.6.1
  src/sys/netinet/ip_divert.c                                    1.98.4.1
  src/sys/netinet/raw_ip.c                                  1.142.2.2.2.1
  src/sys/netinet/tcp_subr.c                                1.201.2.1.2.2
  src/sys/netinet/udp_usrreq.c                              1.162.2.3.2.1
- -------------------------------------------------------------------------

_________________
Плохому хакеру логи мешают.

[EXT]
Вернуться к началу
Посмотреть профиль Отправить личное сообщение Посетить сайт автора ICQ Number
Показать сообщения:   
Начать новую тему   Ответить на тему    Список форумов rst.void.ru -> *BSD Часовой пояс: GMT +3:00
Страница 1 из 1

 
Перейти:  
Вы не можете начинать темы
Вы не можете отвечать на сообщения
Вы не можете редактировать свои сообщения
Вы не можете удалять свои сообщения
Вы не можете голосовать в опросах
Powered by Invision Power Board © 2001-2004 IPB