Date: Mon, 20 Oct 2008 13:22:20 +0200
From: Gunther Mayer
To: freebsd-security@freebsd.org
Subject: Secure libxml2?

Hi there,

We're using libxml2 and the version in ports (2.6.x) currently suffers
from a rather serious security vulnerability already posted last Friday:

http://www.freebsd.org/ports/portaudit/d71da236-9a94-11dd-8f42-001c2514716c.html

Yet there's no libxml2-2.7.x in ports as required by the above notice.
So there's no solution other than compiling an up-to-date one by hand
and that opens up a whole different can of worms regarding dependencies.

I emailed the official maintainer (gnome@freebsd.org) but am not
holding my breath, chances are they won't even see my mail amongst all
the spam they must be getting. So I'm wondering does anybody know
what's going on or what I could do to get my systems secure?

Regards,

Gunther

Date: Mon, 20 Oct 2008 14:57:10 +0200
From: Dag-Erling Smørgrav
To: Gunther Mayer
Cc: freebsd-security@freebsd.org
Subject: Re: Secure libxml2?

Gunther Mayer writes:
> I emailed the official maintainer (gnome@freebsd.org) but am not
> holding my breath, chances are they won't even see my mail amongst all
> the spam they must be getting. So I'm wondering does anybody know
> what's going on or what I could do to get my systems secure?

Actually, gnome@freebsd.org is a mailing list (freebsd-gnome) that gets
very little spam. Feel free to subscribe and / or peruse the archive.

In the meantime, there is a PR (ports/127661) with a patch that you
might try.

DES
-- 
Dag-Erling Smørgrav - des@des.no

Date: Wed, 22 Oct 2008 10:49:21 +0200
From: "Andy Kosela"
To: freebsd-security@freebsd.org
Subject: [Fwd: Kaminsky redux - libspf2 dns parsing bug]

Some of you probably already heard about this...

From Kaminsky's http://www.doxpara.com/?p=1263

------
I really need to learn to leave DNS alone :)

DNS TXT Record Parsing Bug in LibSPF2

A relatively common bug parsing TXT records delivered over DNS, dating
at least back to 2002 in Sendmail 8.2.0 and almost certainly much
earlier, has been found in LibSPF2, a library frequently used to
retrieve SPF (Sender Policy Framework) records and apply policy
according to those records. This implementation flaw allows for
relatively flexible memory corruption, and should thus be treated as a
path to anonymous remote code execution. Of particular note is that the
remote code execution would occur on servers specifically designed to
receive E-Mail from the Internet, and that these systems may in fact be
high volume mail exchangers. This creates privacy implications. It is
also the case that a corrupted email server is a useful "jumping off"
point for attackers to corrupt desktop machines, since attachments can
be corrupted with malware while the containing message stays intact. So
there are internal security implications as well, above and beyond
corruption of the mail server on the DMZ.

Apparently LibSPF2 is actually used to secure quite a bit of mail
traffic – there's a lot of SPAM out there.

Fix is out, see http://www.libspf2.org/index.html or your friendly
neighborhood distro. Thanks to Shevek, CERT (VU#183657), Ken Simpson of
MailChannels, Andre Engel, Scott Kitterman, and Hannah Schroeter for
their help with this.
------

-- 
Andy Kosela
ora et labora

Date: Sat, 25 Oct 2008 21:43:32 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: freebsd-security@freebsd.org
X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842
Subject: CVE-2008-3831 / svn commit: r184263 - head/sys/dev/drm (fwd)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

the commit referenced below fixes a problem arisen from an insufficient
(missing) privilege check.

If you are running a HEAD kernel from Aug 23 2008 (r182080) or later
with drm/i915drm you want to update your kernel.

The problem is only present in HEAD thus there will be no security
advisory.

Regards,
Bjoern A. Zeeb
FreeBSD Security Team

- -- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

- ---------- Forwarded message ----------
Date: Sat, 25 Oct 2008 16:29:28 +0000 (UTC)
From: Robert Noland To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r184263 - head/sys/dev/drm Author: rnoland Date: Sat Oct 25 16:29:28 2008 New Revision: 184263 URL: http://svn.freebsd.org/changeset/base/184263 Log: drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831) Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though. It only affects the Intel G33 series and newer. Approved by: bz (secteam) Obtained from: Intel drm repo Security: CVE-2008-3831 Modified: head/sys/dev/drm/i915_dma.c Modified: head/sys/dev/drm/i915_dma.c ============================================================================== - --- head/sys/dev/drm/i915_dma.c Sat Oct 25 14:01:29 2008 (r184262) +++ head/sys/dev/drm/i915_dma.c Sat Oct 25 16:29:28 2008 (r184263) @@ -1228,7 +1228,7 @@ struct drm_ioctl_desc i915_ioctls[] = { DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ), DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH), DRM_IOCTL_DEF(DRM_I915_MMIO, i915_mmio, DRM_AUTH), - - DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH), + DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), #ifdef I915_HAVE_BUFFER DRM_IOCTL_DEF(DRM_I915_EXECBUFFER, i915_execbuffer, DRM_AUTH), #endif -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.2 (FreeBSD) iD8DBQFJA5MKK1i4+DzPGEIRAp0NAJ9cGyIwyTLp4hYvbwYMll7cROkmKQCghNvb sy2LhCFWcEzfad7oEP1qU4M= =RXrx -----END PGP SIGNATURE-----
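
Review bot: the privilege check for DRM_I915_HWS_ADDR is added only as flags on its i915_ioctls[] table entry (DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY); nothing in this hunk makes i915_set_status_page() validate the address it is handed, so, going by the log, the handler still passes a userspace-supplied offset to ioremap and zeroes the mapping for any caller that gets past the flags. Consider range-checking the offset inside the handler as well, and add a short comment on the table entry saying why it is root-only so the flags are not relaxed in a later cleanup. The neighbouring entries visible in the context (DRM_I915_VBLANK_SWAP, DRM_I915_MMIO, DRM_I915_EXECBUFFER) stay at DRM_AUTH alone; it is worth confirming as part of this review that none of them accepts an address from userspace in the same way.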