From owner-freebsd-security-notifications@FreeBSD.ORG Wed Aug 1 21:26:09 2007
Date: Wed, 1 Aug 2007 21:26:08 GMT
Message-Id: <200708012126.l71LQ88k068193@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-07:01.jail [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:01.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Jail rc.d script privilege escalation

Category:       core
Module:         etc_rc.d
Announced:      2007-01-11
Credits:        Dirk Engling
Affects:        All FreeBSD releases since 5.3
Corrected:      2007-01-11 18:16:58 UTC (RELENG_6, 6.2-STABLE)
                2007-01-11 18:17:24 UTC (RELENG_6_2, 6.2-RELEASE)
                2007-01-11 18:18:08 UTC (RELENG_6_1, 6.1-RELEASE-p12)
                2007-01-11 18:18:35 UTC (RELENG_6_0, 6.0-RELEASE-p17)
                2007-08-01 20:47:13 UTC (RELENG_5, 5.5-STABLE)
                2007-08-01 20:48:19 UTC (RELENG_5_5, 5.5-RELEASE-p15)
CVE Name:       CVE-2007-0166

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2007-01-11  Initial release.
v1.1  2007-08-01  Corrected patch for FreeBSD 5.5.

I.   Background

The jail(2) system call allows a system administrator to lock a
process and all of its descendants inside an environment with a very
limited ability to affect the system outside that environment, even
for processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.

II.  Problem Description

In multiple situations the host's jail rc.d(8) script does not check
if a path inside the jail file system structure is a symbolic link
before using the path.  In particular this is the case when writing
the output from the jail start-up to /var/log/console.log and when
mounting and unmounting file systems inside the jail directory
structure.

III. Impact

Due to the lack of handling of potential symbolic links the host's
jail rc.d(8) script is vulnerable to "symlink attacks".  By replacing
/var/log/console.log inside the jail with a symbolic link it is
possible for the superuser (root) inside the jail to overwrite files
on the host system outside the jail with arbitrary content.  This in
turn can be used to execute arbitrary commands with non-jailed
superuser privileges.

Similarly, by changing directory mount points inside the jail file
system structure into symbolic links, it may be possible for a jailed
attacker to mount file systems which were meant to be mounted inside
the jail at arbitrary points in the host file system structure, or to
unmount arbitrary file systems on the host system.

NOTE WELL: The above vulnerabilities occur only when a jail is being
started or stopped using the host's jail rc.d(8) script; once started
(and until stopped), running jails cannot exploit this.

IV.  Workaround

If the sysctl(8) variable security.jail.chflags_allowed is set to 0
(the default), setting the "sunlnk" system flag on /var, /var/log,
/var/log/console.log, and all file system mount points and their
parent directories inside the jail(s) will ensure that the console
log file and mount points are not replaced by symbolic links.  If
this is done while jails are running, the administrator must check
that an attacker has not replaced any directories with symlinks after
setting the "sunlnk" flag.

V.   Solution

NOTE WELL: The solution described changes the default location of the
"console.log" for jails from /var/log/console.log inside each jail to
/var/log/jail_${jail_name}_console.log on the host system.  If this is
a problem, it may be possible to create a hard link from the new
position of the console log file to a location inside the jail.  A
new rc.conf(5) variable, jail_${jail_name}_consolelog, can be used to
change the location of console.log files on a per-jail basis.

In addition, the solution described below does not fully secure jail
configurations where two jails have overlapping directory trees and a
file system is mounted inside the overlap.  Overlapping directory
trees can occur when jails share the same root directory; when a jail
has a root directory which is a subdirectory of another jail's root
directory; or when a part of the file system space of one jail is
mounted inside the file system space of another jail, e.g., using
nullfs or unionfs.  To handle overlapping jails safely the
administrator must set the sysctl(8) variable
security.jail.chflags_allowed to 0 (the default) and manually set the
"sunlnk" file/directory flag on all mount points and all parent
directories of mount points.  If this is done while jails are
running, the administrator must check that an attacker has not
replaced any directories with symlinks after setting the "sunlnk"
flag.

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_1, RELENG_6_0, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.0,
and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch.asc

[FreeBSD 6.0]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch.asc

[FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch.asc

NOTE: The patch distributed at the time of the original advisory was
incorrect for FreeBSD 5.5 (both RELENG_5 and RELENG_5_5).  Systems to
which the original patch was applied should be patched with the
following corrective patch, which contains only the changes between
the original and updated patch:

# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5-correction.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5-correction.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# install -o root -g wheel -m 555 etc/rc.d/jail /etc/rc.d

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/etc/rc.d/jail                                               1.15.2.7
RELENG_5_5
  src/UPDATING                                             1.342.2.35.2.15
  src/sys/conf/newvers.sh                                   1.62.2.21.2.17
  src/etc/rc.d/jail                                           1.15.2.5.2.2
RELENG_6
  src/etc/rc.d/jail                                               1.23.2.9
RELENG_6_2
  src/UPDATING                                              1.416.2.29.2.2
  src/etc/rc.d/jail                                           1.23.2.7.2.1
RELENG_6_1
  src/UPDATING                                             1.416.2.22.2.14
  src/sys/conf/newvers.sh                                   1.69.2.11.2.14
  src/etc/rc.d/jail                                           1.23.2.3.2.3
RELENG_6_0
  src/UPDATING                                              1.416.2.3.2.22
  src/sys/conf/newvers.sh                                   1.69.2.8.2.18
  src/etc/rc.d/jail                                           1.23.2.2.2.1
- -------------------------------------------------------------------------
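The "sunlnk" workaround in section IV only helps if none of the paths it covers has already been turned into a symbolic link, and the list of paths (console log chain, every mount point and all of their parents) is easy to get wrong by hand. The following POSIX shell script is an added example, not part of this advisory or of FreeBSD's etc/rc.d/jail: given a jail root and its intended mount points (assumed inputs), it enumerates the paths the workaround must protect, reports any that is already a symlink, and prints the chflags(1) commands to run on the host with security.jail.chflags_allowed set to 0.

```shell
#!/bin/sh
# Added example (not from the advisory or FreeBSD's etc/rc.d/jail): audit the
# paths that the SA-07:01 workaround protects with the "sunlnk" flag.
# Assumed inputs: the jail root directory and the mount points, relative to
# that root, that rc.conf mounts inside the jail.

# Print every path the workaround covers: /var, /var/log and
# /var/log/console.log inside the jail, plus each mount point and all of its
# parent directories up to (but excluding) the jail root.
jail_protect_paths() {
    root=${1%/}; shift
    printf '%s\n' "$root/var" "$root/var/log" "$root/var/log/console.log"
    for mp in "$@"; do
        [ -n "${mp#/}" ] || continue
        p=$root/${mp#/}
        while [ "$p" != "$root" ] && [ "$p" != / ]; do
            printf '%s\n' "$p"
            p=$(dirname "$p")
        done
    done | sort -u
}

# Print the protected paths that are already symbolic links. Any output means
# the tree has been altered (or legitimately uses links) and must be fixed by
# hand first: setting sunlnk on a symlink would only protect the link itself.
jail_find_symlinks() {
    jail_protect_paths "$@" | while read -r p; do
        [ -L "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Print the chflags(1) commands for a clean tree; fail and print nothing if a
# symlink was found. Run them on the host as root while
# security.jail.chflags_allowed is 0, so jailed root cannot clear the flag;
# console.log must exist before it can be flagged.
jail_sunlnk_cmds() {
    [ -z "$(jail_find_symlinks "$@")" ] || return 1
    jail_protect_paths "$@" | while read -r p; do
        printf 'chflags sunlnk %s\n' "$p"
    done
}

# Demo on a constructed tree (not a real jail): console.log has been replaced
# by a link pointing outside the jail, which the audit must refuse to flag.
jail_audit_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/jail/var/log" "$t/jail/usr/ports" "$t/host"
    ln -s "$t/host/victim" "$t/jail/var/log/console.log"
    jail_sunlnk_cmds "$t/jail" /usr/ports ||
        echo "not flagging: symlink at $(jail_find_symlinks "$t/jail" /usr/ports)"
    rm -rf "$t"
}

if [ "${1-}" = demo ]; then jail_audit_demo; fi
```

Invoke as `sh jail_audit.sh demo` for the constructed case, or source it and call `jail_sunlnk_cmds /path/to/jail /usr/ports ...` for a real jail.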
VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0166

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:01.jail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGsPfrFdaIBMps37IRAgksAJ4yGy3zTBcr2N+TbDoTlN3aHUA8QQCgi/8B
It4pOMoA0QMzAp8HxUWo+xU=
=9tTT
-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications@FreeBSD.ORG Wed Aug 1 21:27:00 2007
Date: Wed, 1 Aug 2007 21:27:00 GMT
Message-Id: <200708012127.l71LR0AZ068305@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-07:06.tcpdump
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:06.tcpdump                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in tcpdump(1)

Category:       contrib
Module:         tcpdump
Announced:      2007-08-01
Credits:        "mu-b"
Affects:        All supported versions of FreeBSD
Corrected:      2007-08-01 20:42:48 UTC (RELENG_6, 6.2-STABLE)
                2007-08-01 20:44:58 UTC (RELENG_6_2, 6.2-RELEASE-p7)
                2007-08-01 20:45:49 UTC (RELENG_6_1, 6.1-RELEASE-p19)
                2007-08-01 20:47:13 UTC (RELENG_5, 5.5-STABLE)
                2007-08-01 20:48:19 UTC (RELENG_5_5, 5.5-RELEASE-p15)
CVE Name:       CVE-2007-3798

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Tcpdump is a commonly used network diagnostic utility which decodes
packets received on the wire into human readable format.

II.  Problem Description

An un-checked return value in the BGP dissector code can result in an
integer overflow.  This value is used in subsequent buffer management
operations, resulting in a stack based buffer overflow under certain
circumstances.

III. Impact

By crafting malicious BGP packets, an attacker could exploit this
vulnerability to execute code or crash the tcpdump process on the
target system.  This code would be executed in the context of the
user running tcpdump(1).  It should be noted that tcpdump(1) requires
privileges in order to open live network interfaces.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:06/tcpdump.patch
# fetch http://security.FreeBSD.org/patches/SA-07:06/tcpdump.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump/tcpdump
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/contrib/tcpdump/print-bgp.c                              1.1.1.5.2.2
RELENG_5_5
  src/UPDATING                                             1.342.2.35.2.15
  src/sys/conf/newvers.sh                                   1.62.2.21.2.17
  src/contrib/tcpdump/print-bgp.c                          1.1.1.5.2.1.2.1
RELENG_6
  src/contrib/tcpdump/print-bgp.c                              1.1.1.8.2.1
RELENG_6_2
  src/UPDATING                                             1.416.2.29.2.10
  src/sys/conf/newvers.sh                                   1.69.2.13.2.10
  src/contrib/tcpdump/print-bgp.c                              1.1.1.8.8.1
RELENG_6_1
  src/UPDATING                                             1.416.2.22.2.21
  src/sys/conf/newvers.sh                                   1.69.2.11.2.21
  src/contrib/tcpdump/print-bgp.c                              1.1.1.8.6.1
- -------------------------------------------------------------------------
VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:06.tcpdump.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGsPfwFdaIBMps37IRAmK/AJ0adsy8zlOOXaJhJJdcX6A0Uy+bSQCfQYVi
4qk7MNSrKFZotejLEXKMCYI=
=JIZh
-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications@FreeBSD.ORG Wed Aug 1 21:27:30 2007
Date: Wed, 1 Aug 2007 21:27:29 GMT
Message-Id: <200708012127.l71LRTd1068382@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-07:07.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:07.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Predictable query ids in named(8)

Category:       contrib
Module:         bind
Announced:      2007-08-01
Credits:        Amit Klein
Affects:        FreeBSD 5.3 and later.
Corrected:      2007-07-25 08:23:08 UTC (RELENG_6, 6.2-STABLE)
                2007-08-01 20:44:58 UTC (RELENG_6_2, 6.2-RELEASE-p7)
                2007-08-01 20:45:49 UTC (RELENG_6_1, 6.1-RELEASE-p19)
                2007-07-25 08:24:40 UTC (RELENG_5, 5.5-STABLE)
                2007-08-01 20:48:19 UTC (RELENG_5_5, 5.5-RELEASE-p15)
CVE Name:       CVE-2007-2926

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS requests contain a query id which is used to match a DNS request
with the response and to make it harder for anybody but the DNS server
which received the request to send a valid response.

II.  Problem Description

When named(8) is operating as a recursive DNS server or sending NOTIFY
requests to slave DNS servers, named(8) uses a predictable query id.

III. Impact

An attacker who can see the query id for some request(s) sent by
named(8) is likely to be able to perform DNS cache poisoning by
predicting the query id for other request(s).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:07/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-07:07/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/contrib/bind9/bin/named/client.c                         1.1.1.1.2.5
  src/contrib/bind9/lib/dns/dispatch.c                         1.1.1.1.2.3
  src/contrib/bind9/lib/dns/include/dns/dispatch.h             1.1.1.1.2.2
RELENG_5_5
  src/UPDATING                                             1.342.2.35.2.15
  src/sys/conf/newvers.sh                                   1.62.2.21.2.17
  src/contrib/bind9/bin/named/client.c                     1.1.1.1.2.3.2.1
  src/contrib/bind9/lib/dns/dispatch.c                     1.1.1.1.2.1.6.1
  src/contrib/bind9/lib/dns/include/dns/dispatch.h         1.1.1.1.2.1.6.1
RELENG_6
  src/contrib/bind9/bin/named/client.c                         1.1.1.2.2.3
  src/contrib/bind9/lib/dns/dispatch.c                         1.1.1.1.4.2
  src/contrib/bind9/lib/dns/include/dns/dispatch.h             1.1.1.1.4.1
RELENG_6_2
  src/UPDATING                                             1.416.2.29.2.10
  src/sys/conf/newvers.sh                                   1.69.2.13.2.10
  src/contrib/bind9/bin/named/client.c                     1.1.1.2.2.1.4.2
  src/contrib/bind9/lib/dns/dispatch.c                        1.1.1.1.10.2
  src/contrib/bind9/lib/dns/include/dns/dispatch.h            1.1.1.1.10.1
RELENG_6_1
  src/UPDATING                                             1.416.2.22.2.21
  src/sys/conf/newvers.sh                                   1.69.2.11.2.21
  src/contrib/bind9/bin/named/client.c                     1.1.1.2.2.1.2.1
  src/contrib/bind9/lib/dns/dispatch.c                         1.1.1.1.8.1
  src/contrib/bind9/lib/dns/include/dns/dispatch.h             1.1.1.1.8.1
- -------------------------------------------------------------------------
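Since the advisory offers no workaround, the practical question for an operator is whether a given resolver is still emitting predictable query ids after patching. The following POSIX shell script is an added example, not part of this advisory or of BIND: it takes the 16-bit query ids a resolver was observed to send (assumed to be extracted from a capture of its own outbound queries, one decimal id per line in order) and scores how often consecutive ids differ by the same amount. It catches only the simplest kind of predictability, a constant stride such as a plain counter; a low score does not prove the generator is sound.

```shell
#!/bin/sh
# Added example (not from the advisory or from BIND): a crude check for the
# condition SA-07:07 describes, applied to the query ids a resolver emits.
# Input: one decimal query id per line, in the order observed on the wire.

# Print the share, as a whole percentage, of consecutive id differences
# (taken mod 2^16, since the id is a 16-bit field) that equal the single most
# common difference. 100 means every step is identical; ids from a good
# generator score close to 100/n for n observations.
qid_stride_pct() {
    awk 'NR > 1 { d = ($1 - prev + 65536) % 65536; cnt[d]++; n++ }
         { prev = $1 }
         END {
             best = 0
             for (d in cnt) if (cnt[d] > best) best = cnt[d]
             if (n == 0) n = 1            # empty or single-id input scores 0
             printf "%d\n", 100 * best / n
         }'
}

# Succeed (exit 0) when the stride share reaches the threshold, default 50,
# i.e. at least half of the observed steps are the same size.
qid_predictable() {
    [ "$(qid_stride_pct)" -ge "${1:-50}" ]
}

# Constructed samples, not real traffic: a resolver that increments its id
# for every query, and one whose ids show no repeated stride at all.
SEQ_IDS='4120
4121
4122
4123
4124
4125'
RND_IDS='52199
3021
61287
1044
33850
19276'

if [ "${1-}" = demo ]; then
    printf 'counter-style ids:  %s%% constant stride\n' \
        "$(printf '%s\n' "$SEQ_IDS" | qid_stride_pct)"
    printf 'random-looking ids: %s%% constant stride\n' \
        "$(printf '%s\n' "$RND_IDS" | qid_stride_pct)"
fi
```

Run `sh qid_check.sh demo` for the constructed samples, or pipe real ids into `qid_predictable` and act on its exit status.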
VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
http://www.isc.org/sw/bind/bind-security.php
http://www.trusteer.com/docs/bind9dns_s.html

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:07.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGsPfzFdaIBMps37IRAgIfAJ9cO2LUUc0eb8T+6pltpha91wR2IgCeITpx
H3SHyAkPMSICqnT9nY/UBE8=
=Fop4
-----END PGP SIGNATURE-----