Date:      Sun, 14 Jan 2007 10:15:15 -0500
From:      Bill Moran <wmoran@collaborativefusion.com>
To:        "Kobajashi Zaghi" <kobajashi@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: MOAB advisories
Message-ID:  <20070114101515.adaecd4e.wmoran@collaborativefusion.com>
In-Reply-To: <64b272cb0701140319y4e86d969ld4532cfa2408cc8f@mail.gmail.com>
References:  <64b272cb0701140319y4e86d969ld4532cfa2408cc8f@mail.gmail.com>

"Kobajashi Zaghi" <kobajashi@gmail.com> wrote:
> 
> I would like to know whether the following "vulnerabilities" affect
> FreeBSD's reliability. If the answer is "yes", what versions of
> FreeBSD are affected, when will they be fixed, etc.?
> 
> http://projects.info-pull.com/moab/MOAB-12-01-2007.html
> http://projects.info-pull.com/moab/MOAB-10-01-2007.html

These folks are establishing themselves as careless, alarmist, and
uneducated when it comes to kernel bugs.

In FreeBSD, the above mentioned flaws can, indeed, cause a kernel panic.
However, this is intended behaviour when a corrupt filesystem is
encountered.  It protects the system from serious damage that could
result from trying to work with the corrupt filesystem.

The difference, that the info-pull folks seem to be too stupid to
understand, is that FreeBSD does not allow mounting of filesystems
by anyone other than root.  If someone with root access wants to
DoS your system, they don't need any flaws; they could just rm -rf /,
or take other nasty actions.

Apple made the mistake of making a function that was designed to be
usable by an administrator-only accessible to the average user.  Doing
this requires that lots and lots of code be investigated and updated.
Places where it makes sense to intentionally call panic() in FreeBSD
require less drastic and considerably more complex action in Mac OS.
Apparently, Apple didn't review this carefully enough.

The thing that amazes me is that the info-pull folks are smart enough
to uncover these issues, but too stupid to accurately report them and
their consequences.

-Bill
