From: Bill Moran <wmoran@collaborativefusion.com>
To: "Kobajashi Zaghi"
Cc: freebsd-security@freebsd.org
Date: Sun, 14 Jan 2007 10:15:15 -0500
Subject: Re: MOAB advisories

"Kobajashi Zaghi" wrote:

> I would like to know whether the following "vulnerabilities" affect
> FreeBSD's reliability. If the answer is "yes", what versions of
> FreeBSD are affected, when will it be fixed, etc.
>
> http://projects.info-pull.com/moab/MOAB-12-01-2007.html
> http://projects.info-pull.com/moab/MOAB-10-01-2007.html

These folks are establishing themselves as careless, alarmist, and uneducated when it comes to kernel bugs.

In FreeBSD, the above mentioned flaws can, indeed, cause a kernel panic. However, this is intended behaviour when a corrupt filesystem is encountered. It protects the system from serious damage that could result from trying to work with the corrupt filesystem.

The difference, that the info-pull folks seem to be too stupid to understand, is that FreeBSD does not allow mounting of filesystems by anyone other than root. If someone with root access wants to DoS your system, they don't need any flaws; they could just rm -rf /, or take other nasty actions.

Apple made the mistake of making a function that was designed to be usable by an administrator only accessible to the average user. Doing this requires that lots and lots of code be investigated and updated. Places where it makes sense to intentionally call panic() in FreeBSD require less drastic and considerably more complex action in Mac OS. Apparently, Apple didn't review this carefully enough.

The thing that amazes me is that the info-pull folks are smart enough to uncover these issues, but too stupid to accurately report them and their consequences.

-Bill