From owner-freebsd-security@FreeBSD.ORG Tue Jun 18 07:32:55 2013
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap
Date: Tue, 18 Jun 2013 09:32:24 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:06.mmap                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation via mmap

Category:       core
Module:         kernel
Announced:      2013-06-18
Credits:        Konstantin Belousov
                Alan Cox
Affects:        FreeBSD 9.0 and later
Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
                2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
CVE Name:       CVE-2013-2171

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The FreeBSD virtual memory system allows files to be memory-mapped.
All or parts of a file can be made available to a process via its
address space.  The process can then access the file using memory
operations rather than filesystem I/O calls.

The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control
another (the traced process).

II.  Problem Description

Due to insufficient permission checks in the virtual memory system, a
tracing process (such as a debugger) may be able to modify portions of
the traced process's address space to which the traced process itself
does not have write access.

III. Impact

This error can be exploited to allow unauthorized modification of an
arbitrary file to which the attacker has read access, but not write
access.  Depending on the file and the nature of the modifications,
this can result in privilege escalation.

To exploit this vulnerability, an attacker must be able to run
arbitrary code with user privileges on the target system.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc
# gpg --verify mmap.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r251902
releng/9.1/                                                       r251903
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XXXXXX with the revision number, on a
machine with Subversion installed:

# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XXXXXX with the revision number:

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (FreeBSD)

iEYEARECAAYFAlHAB+YACgkQFdaIBMps37IjFACdFSoiYO1YkcPunLh7Zw4TC6MF
X9MAnjjVWB2uEl60Rl3K4WOuJ71AVNlP
=8309
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Jun 18 07:47:07 2013
From: Trond Endrestøl
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap
Date: Tue, 18 Jun 2013 09:47:02 +0200 (CEST)

On Tue, 18 Jun 2013 09:32+0200, FreeBSD Security Advisories wrote:

> Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
>                 2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)

Something is not right about these timestamps, or my eyes and/or brain
needs a transplant.

2013-06-18T09:04:19+0000 corresponds to 2013-06-18T11:04:19+0200 which
hasn't occurred yet.

http://svnweb.freebsd.org/base/stable/9/sys/?view=log says it's Tue
Jun 18 07:04:19 2013 UTC for r251902.

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob. 952 62 567,         | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+

From owner-freebsd-security@FreeBSD.ORG Tue Jun 18 09:45:39 2013
From: Dag-Erling Smørgrav
To: Trond Endrestøl
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap
Date: Tue, 18 Jun 2013 11:45:02 +0200

Trond Endrestøl writes:
> FreeBSD Security Advisories writes:
> > Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
> >                 2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
>
> Something is not right about these timestamps, or my eyes and/or brain
> needs a transplant.

Yes, they're CEST instead of UTC.  I'll consider correcting the web
version of the advisory, but I don't think it's worth a re-post.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Jun 18 12:41:16 2013
From: Robert Watson
To: Dewayne Geraghty
Cc: priit@cc.ttu.ee, freebsd-security@freebsd.org
Subject: RE: libarchive and MAC labels
Date: Tue, 18 Jun 2013 13:41:15 +0100 (BST)

On Wed, 12 Jun 2013, Dewayne Geraghty wrote:

>> I've created a patch for libarchive that allows storing and restoring MAC
>> labels from/to a multilabel filesystem using bsdtar. Now before going
>> anywhere with this I had a few questions:
...
> Thank-you for addressing a significant backup/recovery shortcoming.
>
> I've used biba extensively, however if files/directories are backed-up with
> MLS+biba and recovered in a biba only environment, that is the sysadmin
> choice.  Warning messages are fine, but the restoration should continue (if
> possible).

I'd also like to see this go back into libarchive; I suspect many people
would find this useful.

Robert

From owner-freebsd-security@FreeBSD.ORG Wed Jun 19 21:33:00 2013
From: Hunger
To: full-disclosure@lists.grok.org.uk
Subject: Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
Date: Wed, 19 Jun 2013 23:32:59 +0200

$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#

From owner-freebsd-security@FreeBSD.ORG Wed Jun 19 23:57:04 2013
From: Sergio Tam
To: freebsd-security@freebsd.org
Subject: Re: Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
Date: Wed, 19 Jun 2013 18:57:03 -0500

Hello Hunger

2013/6/19 Hunger :
> $ uname -a
> FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
> 4 09:23:10 UTC 2012
> root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
> $ id
> uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
> $ gcc fbsd9lul.c -o fbsd9lul
> $ ./fbsd9lul
> FreeBSD 9.{0,1} mmap/ptrace exploit
> by Hunger
> # id
> uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
> #
>

I am new can you clarify a question?
I have not installed nmap. Its FreeBSD insecure?
Can you do the same?
can you exploit freebsd without nmap?

Regards.

From owner-freebsd-security@FreeBSD.ORG Thu Jun 20 00:04:35 2013
From: Michael Holmes
Cc: freebsd-security
Subject: Re: Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
Date: Thu, 20 Jun 2013 01:04:35 +0100

On Thu, Jun 20, 2013 at 12:57 AM, Sergio Tam wrote:
>
> Hello Hunger
>
> I am new can you clarify a question?
> I have not installed nmap. Its FreeBSD insecure?
> Can you do the same?
> can you exploit freebsd without nmap?
>
> Regards.

It's *mmap*, a POSIX standard system call for mapping memory. All
systems running affected versions of the FreeBSD kernel are
vulnerable.

From owner-freebsd-security@FreeBSD.ORG Thu Jun 20 00:09:22 2013
From: Kimmo Paasiala
To: Michael Holmes
Cc: freebsd-security
Subject: Re: Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
Date: Thu, 20 Jun 2013 03:09:22 +0300

On Thu, Jun 20, 2013 at 3:04 AM, Michael Holmes wrote:
> On Thu, Jun 20, 2013 at 12:57 AM, Sergio Tam wrote:
>>
>> Hello Hunger
>>
>> I am new can you clarify a question?
>> I have not installed nmap. Its FreeBSD insecure?
>> Can you do the same?
>> can you exploit freebsd without nmap?
>>
>> Regards.
>
> It's *mmap*, a POSIX standard system call for mapping memory. All
> systems running affected versions of the FreeBSD kernel are
> vulnerable.

And it's already been fixed, see:

http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc

It's quite laughable to use 9.1-RELEASE without any of the security
patches that have been issued after its release to showcase the
vulnerability, it just proves that the OP is a troll, a troll who
knows how to use the information to create a successful attack but
still a troll.

From owner-freebsd-security@FreeBSD.ORG Thu Jun 20 00:13:47 2013
From: Sergio Tam
To: freebsd-security@freebsd.org
Subject: Re: Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
Date: Wed, 19 Jun 2013 19:13:46 -0500

2013/6/19 Oliver Pinter :
> Hi Sergio!
>
> This exploit is not against NMAP, it is against MMAP FreeBSD system call.
>
> See this: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc

Hello Oliver

Oh. I need to buy lenses

Thanks for the observation.

Regards.

From owner-freebsd-security@FreeBSD.ORG Thu Jun 20 12:55:22 2013
From: priit@cc.ttu.ee
To: Robert Watson
Cc: freebsd-security@freebsd.org
Subject: RE: libarchive and MAC labels
Date: Thu, 20 Jun 2013 15:46:57 +0300 (EEST)

On Tue, 18 Jun 2013, Robert Watson wrote:

> I'd also like to see this go back into libarchive; I suspect many people
> would find this useful.

Thank you for the feedback. I've already submitted the patch to libarchive.
If anybody would like to view the changes the diff can be seen at:
https://github.com/libarchive/libarchive/pull/42/files

It remains quite basic so I'm open to suggestions for improvement.

The question of archiving the system namespace extattrs instead has been
brought up. Based on my limited understanding the system extattrs aren't
supposed to be accessed that way, which is why the patch doesn't do that.
It would however bypass some of the issues the current solution needs to
deal with.

Priit.
From owner-freebsd-security@FreeBSD.ORG Thu Jun 20 13:02:23 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id DB49850C for ; Thu, 20 Jun 2013 13:02:22 +0000 (UTC) (envelope-from bryan-lists@shatow.net) Received: from secure.xzibition.com (secure.xzibition.com [173.160.118.92]) by mx1.freebsd.org (Postfix) with ESMTP id 7B3D2171A for ; Thu, 20 Jun 2013 13:02:22 +0000 (UTC) DomainKey-Signature: a=rsa-sha1; c=nofws; d=shatow.net; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sweb; b=T+Go3I 2zzuwPHRqrV9cyE+x9CGcVTDo0cXzLQvDHIwGntBkaCjy/eXCg0a9OAw4qRG/f5L VWi+MvK3yDGuG69+H2XlhvfpKrZkWVOFiv9nFee5Z9dshV1bWTJHAtUE+rO6W6iV y5KJ4cn9EyPoWKwcSiiyfHPbysNQGH9dYEMFM= DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=shatow.net; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sweb; bh=a071haplGTMj 81ACcqWlx1EjMb/zO+/vWVy760vP1F8=; b=p7YxgaMmrWCxUpO9Eyje3eFuRH9/ OBR+SOtnM/yIlaYTia2byCpBoH/FjSLwNprIzpZBaAdhcLMR0cFUpaAIwEe64yUd E6uer8orhbe0gP6iTPjXbz6STDUqE6iqYI1ajf2MXlSOB9Sz/cjNvIsO7RBkvtiL yzoKWQ/WqTUkY2Q= Received: (qmail 14273 invoked from network); 20 Jun 2013 08:02:15 -0500 Received: from unknown (HELO ?172.20.24.175?) 
(bryan@shatow.net@12.10.75.2) by sweb.xzibition.com with ESMTPA; 20 Jun 2013 08:02:15 -0500 Message-ID: <51C2FD56.5010202@shatow.net> Date: Thu, 20 Jun 2013 08:02:14 -0500 From: Bryan Drewery User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap References: <20130618073224.3982D3728D@nine.des.no> In-Reply-To: <20130618073224.3982D3728D@nine.des.no> X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Jun 2013 13:02:23 -0000 On 6/18/2013 2:32 AM, FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-13:06.mmap Security Advisory > The FreeBSD Project > > Topic: Privilege escalation via mmap > > Category: core > Module: kernel > Announced: 2013-06-18 > Credits: Konstantin Belousov > Alan Cox > Affects: FreeBSD 9.0 and later > Corrected: 2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE) > 2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4) > CVE Name: CVE-2013-2171 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > The FreeBSD virtual memory system allows files to be memory-mapped. > All or parts of a file can be made available to a process via its > address space. The process can then access the file using memory > operations rather than filesystem I/O calls. 
> > The ptrace(2) system call provides tracing and debugging facilities by > allowing one process (the tracing process) to watch and control > another (the traced process). > > II. Problem Description > > Due to insufficient permission checks in the virtual memory system, a > tracing process (such as a debugger) may be able to modify portions of > the traced process's address space to which the traced process itself > does not have write access. > > III. Impact > > This error can be exploited to allow unauthorized modification of an > arbitrary file to which the attacker has read access, but not write > access. Depending on the file and the nature of the modifications, > this can result in privilege escalation. > > To exploit this vulnerability, an attacker must be able to run > arbitrary code with user privileges on the target system. > > IV. Workaround > > No workaround is available. There is an exploit in the wild. If you have not patched yet you can disable ptrace(2) for unprivileged users. Note this disables ptrace, gdb, truss, etc for non-root. This will do it until the next reboot: sysctl security.bsd.unprivileged_proc_debug=0 This will permanently disable it. I recommend doing this as it avoids similar issues in the future: echo 'security.bsd.unprivileged_proc_debug=0' >> /etc/sysctl.conf service sysctl start You should still hastily patch/reboot your system though. 

--
Regards,
Bryan Drewery

From owner-freebsd-security@FreeBSD.ORG Thu Jun 20 13:12:05 2013
Date: Thu, 20 Jun 2013 14:12:00 +0100
From: RW
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap
Message-ID: <20130620141200.0e1f358b@gumby.homeunix.com>
In-Reply-To: <51C2FD56.5010202@shatow.net>
References: <20130618073224.3982D3728D@nine.des.no> <51C2FD56.5010202@shatow.net>

On Thu, 20 Jun 2013 08:02:14 -0500
Bryan Drewery wrote:

> This will do it until the next reboot:
> sysctl security.bsd.unprivileged_proc_debug=0
>
> This will permanently disable it. I recommend doing this as it avoids
> similar issues in the future:

Perhaps the default should be changed then.

From owner-freebsd-security@FreeBSD.ORG Fri Jun 21 21:40:46 2013
Date: Fri, 21 Jun 2013 21:40:46 GMT
Message-Id: <201306212140.r5LLekFt026067@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-13:06.mmap [REVISED]
Reply-To: freebsd-security@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:06.mmap                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation via mmap

Category:       core
Module:         kernel
Announced:      2013-06-18
Credits:        Konstantin Belousov
                Alan Cox
Affects:        FreeBSD 9.0 and later
Corrected:      2013-06-18 07:04:19 UTC (stable/9, 9.1-STABLE)
                2013-06-18 07:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
CVE Name:       CVE-2013-2171

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0. Revision History

v1.0  2013-06-18  Initial release.
v1.1  2013-06-21  Corrected correction date.
                  Added workaround information.

I. Background

The FreeBSD virtual memory system allows files to be memory-mapped.
All or parts of a file can be made available to a process via its
address space. The process can then access the file using memory
operations rather than filesystem I/O calls.

The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control
another (the traced process).

II. Problem Description

Due to insufficient permission checks in the virtual memory system, a
tracing process (such as a debugger) may be able to modify portions of
the traced process's address space to which the traced process itself
does not have write access.

III. Impact

This error can be exploited to allow unauthorized modification of an
arbitrary file to which the attacker has read access, but not write
access. Depending on the file and the nature of the modifications,
this can result in privilege escalation.

To exploit this vulnerability, an attacker must be able to run
arbitrary code with user privileges on the target system.

IV. Workaround

Systems that do not allow unprivileged users to use the ptrace(2)
system call are not vulnerable; this can be accomplished by setting
the sysctl variable security.bsd.unprivileged_proc_debug to zero.
Please note that this will also prevent debugging tools, for instance
gdb, truss, procstat, as well as some built-in debugging facilities in
certain scripting languages like PHP, etc., from working for
unprivileged users.

The following command will set the sysctl accordingly and works until
the next reboot of the system:

    sysctl security.bsd.unprivileged_proc_debug=0

To make this change persistent across reboot, the system administrator
should also add the setting into /etc/sysctl.conf:

    echo 'security.bsd.unprivileged_proc_debug=0' >> /etc/sysctl.conf

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc
# gpg --verify mmap.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r251902
releng/9.1/                                                       r251903
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XXXXXX with the revision number, on a
machine with Subversion installed:

# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XXXXXX with the revision number:

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlHExy0ACgkQFdaIBMps37L8PwCdGXatzPm7OWjZu+GmbbXQC16/
8sgAoJ0LEmREO8Mp7f4YcLHAEwgnJtjT
=WRZD
-----END PGP SIGNATURE-----
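
The workaround in section IV, and the reply earlier in the thread, involve two separate states: the value the running kernel holds and the value /etc/sysctl.conf applies at boot. The script below is an added example, not part of the advisory or of any message in the thread; it reports which state a host is in and sets the boot-time value without stacking duplicate lines. Function names are hypothetical and simple name=value lines are assumed.

```shell
#!/bin/sh
# Added example: audit the security.bsd.unprivileged_proc_debug workaround.
# Function names are hypothetical; assumes simple name=value sysctl.conf lines.
KEY=security.bsd.unprivileged_proc_debug

# Print the value a sysctl.conf file applies at boot for $KEY. Lines are
# applied in order, so the last uncommented assignment wins.
conf_value() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk -v k="$KEY" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); found = 1 }
        END { print (found ? v : "unset") }' "$1"
}

# Make the boot-time value 0 without stacking duplicate lines, which is what
# repeated "echo ... >> /etc/sysctl.conf" runs would do.
ensure_conf_zero() {
    [ "$(conf_value "$1")" = 0 ] && return 0
    tmp=$(mktemp) || return 1
    awk -v k="$KEY" '
        { l = $0; sub(/#.*/, "", l); gsub(/[ \t]/, "", l) }
        index(l, k "=") != 1' "$1" > "$tmp"
    echo "$KEY=0" >> "$tmp"
    cat "$tmp" > "$1"        # keeps the file's owner and mode
    rm -f "$tmp"
}

# Classify the host from the runtime value ($1) and the config file ($2).
workaround_state() {
    case "$1:$(conf_value "$2")" in
        0:0) echo enforced ;;
        0:*) echo runtime-only ;;   # reverts to the default at next reboot
        *:0) echo boot-only ;;      # not active until the sysctl is applied
        *)   echo exposed ;;
    esac
}

# Stand-alone use: sh audit.sh --audit [path/to/sysctl.conf]
if [ "${1:-}" = "--audit" ]; then
    workaround_state "$(sysctl -n "$KEY" 2>/dev/null)" "${2:-/etc/sysctl.conf}"
fi
```

A result of "runtime-only" corresponds to running only the sysctl command; "boot-only" corresponds to editing /etc/sysctl.conf without applying it to the running system.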