From: Xin LI
Organization: The FreeBSD Project
Date: Tue, 15 Sep 2009 17:05:52 -0700
To: Chris Palmer
Cc: freebsd-security@freebsd.org, utisoft@googlemail.com
Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x)
Message-ID: <4AB02BE0.1030305@delphij.net>
In-Reply-To: <20090915202703.GF24361@noncombatant.org>

Chris Palmer wrote:
> utisoft@googlemail.com writes:
>
>> It appears to only affect 6.x.... and requires local access. If an
>> attacker has local access to a machine you're screwed anyway.
>
> No, the thing you're screwed anyway by is local *physical* access. Merely
> running a process as a non-root local user should *not* be a "you're screwed
> anyway" scenario. The fundamental security guarantee of a modern operating
> system is that different principals cannot affect each other's resources
> (user chris cannot read or write user jane's email -- let alone root's
> email). This bug breaks that guarantee, and is definitely not a ho-hum bug.

Exactly. This type of vulnerability could turn into a serious threat if
used with some other vulnerabilities that allow code injection, which is
worse.

Cheers,
-- 
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!