From owner-freebsd-announce@FreeBSD.ORG Tue Sep 10 11:20:50 2013 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 2A633865; Tue, 10 Sep 2013 11:20:50 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id C2DF92E45; Tue, 10 Sep 2013 11:20:49 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 913C049D0; Tue, 10 Sep 2013 11:20:48 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id B4BA036382; Tue, 10 Sep 2013 13:20:48 +0200 (CEST) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Message-Id: <20130910112048.B4BA036382@nine.des.no> Date: Tue, 10 Sep 2013 13:20:48 +0200 (CEST) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:13.nullfs X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 11:20:50 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:13.nullfs Security Advisory The FreeBSD Project Topic: Cross-mount links between nullfs(5) mounts Category: core Module: nullfs Announced: 2013-09-10 Credits: Konstantin Belousov Affects: All supported versions of FreeBSD. Corrected: 2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC3-p1) 2013-09-10 10:15:33 UTC (releng/9.1, 9.1-RELEASE-p7) 2013-09-10 10:12:09 UTC (stable/8, 8.4-STABLE) 2013-09-10 10:14:19 UTC (releng/8.4, 8.4-RELEASE-p4) 2013-09-10 10:13:14 UTC (releng/8.3, 8.3-RELEASE-p11) CVE Name: CVE-2013-5710 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The nullfs(5) filesystem allows all or a part of an already mounted filesystem to be made available in a different part of the global filesystem namespace. It is commonly used to make a set of files available to multiple chroot(2) or jail(2) environments without replicating the files in each environment. A common idiom, described in the FreeBSD Handbook, is to mount one subtree of a filesystem read-only within a jail's filesystem namespace, and mount a different subtree of the same filesystem read-write. II. Problem Description The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same. III. Impact If multiple nullfs views into the same filesystem are mounted in different locations, a user with read access to one of these views and write access to another will be able to create a hard link from the latter to a file in the former, even though they are, from the user's perspective, different filesystems. The user may thereby gain write access to files which are nominally on a read-only filesystem. IV. Workaround No workaround is available, but systems which do not use the nullfs(5) filesystem, or do not null-mount different subtrees of the same source filesystem with different permissions, are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch # fetch http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch.asc # gpg --verify nullfs.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r255445 releng/8.3/ r255446 releng/8.4/ r255447 stable/9/ r255443 releng/9.1/ r255448 releng/9.2/ r255444 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (FreeBSD) iEYEARECAAYFAlIu+7EACgkQFdaIBMps37K+7gCfVrmhwyE+k5QU3Z4wsdJFoeyL BqEAn23QlLQ7o4HlDSiJuPoX622IsFbk =/7Zz -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Sep 10 11:20:49 2013 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 26D88860; Tue, 10 Sep 2013 11:20:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id A41D12E40; Tue, 10 Sep 2013 11:20:48 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 951F349C9; Tue, 10 Sep 2013 11:20:47 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id EB1D836361; Tue, 10 Sep 2013 13:20:47 +0200 (CEST) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Message-Id: <20130910112047.EB1D836361@nine.des.no> Date: Tue, 10 Sep 2013 13:20:47 +0200 (CEST) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:09.ip_multicast [REVISED] X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 11:20:49 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:09.ip_multicast Security Advisory The FreeBSD Project Topic: integer overflow in IP_MSFILTER Category: core Module: kernel Announced: 2013-08-22 Credits: Clement Lecigne (Google Security Team) Affects: All supported versions of FreeBSD. Corrected: 2013-08-22 00:51:37 UTC (stable/9, 9.2-PRERELEASE) 2013-08-22 00:51:43 UTC (releng/9.1, 9.2-RC1-p1) 2013-08-22 00:51:43 UTC (releng/9.2, 9.2-RC2-p1) 2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6) 2013-08-22 00:51:37 UTC (stable/8, 8.4-STABLE) 2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3) 2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10) CVE Name: CVE-2013-3077 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2013-08-22 Initial release. v1.1 2013-09-07 Binary patch released for 9.2-RC1. I. Background IP multicast is a method of sending Internet Protocol (IP) datagrams to a group of interested receivers in a single transmission. II. Problem Description An integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation. III. Impact An unprivileged process can read or write pages of memory which belong to the kernel. These may lead to exposure of sensitive information or allow privilege escalation. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch # fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch.asc # gpg --verify ip_multicast.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r254629 releng/8.3/ r254632 releng/8.4/ r254632 stable/9/ r254629 releng/9.1/ r254631 releng/9.2/ r254630 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (FreeBSD) iEYEARECAAYFAlIu+gwACgkQFdaIBMps37L2+QCePwycOYKrh9VJi7Pc2AS+DfsQ UcUAnimJz9bKgDUOEIwefkPbF85yH3aw =tnWM -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Sep 10 11:20:49 2013 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 8C3D0863; Tue, 10 Sep 2013 11:20:49 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 31A7C2E43; Tue, 10 Sep 2013 11:20:49 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 5F3A149CF; Tue, 10 Sep 2013 11:20:48 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id A83E536381; Tue, 10 Sep 2013 13:20:48 +0200 (CEST) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Message-Id: <20130910112048.A83E536381@nine.des.no> Date: Tue, 10 Sep 2013 13:20:48 +0200 (CEST) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:12.ifioctl X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 11:20:49 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:12.ifioctl Security Advisory The FreeBSD Project Topic: Insufficient credential checks in network ioctl(2) Category: core Module: sys_netinet6 sys_netatm Announced: 2013-09-10 Credits: Loganaden Velvindron Gleb Smirnoff Affects: All supported versions of FreeBSD. Corrected: 2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC3-p1) 2013-09-10 10:15:33 UTC (releng/9.1, 9.1-RELEASE-p7) 2013-09-10 10:12:09 UTC (stable/8, 8.4-STABLE) 2013-09-10 10:14:19 UTC (releng/8.4, 8.4-RELEASE-p4) 2013-09-10 10:13:14 UTC (releng/8.3, 8.3-RELEASE-p11) CVE Name: CVE-2013-5691 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ioctl(2) system call allows an application to perform device- or protocol-specific operations through a file or socket descriptor associated with a specific device or protocol. The SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK ioctl requests are used to associate a network address, broadcast address, destination address (for point-to-point interfaces) or netmask with an interface. They operate on the assumption that each interface only has one address per protocol, and are therefore of limited use for IPv4, where interfaces may have more than one address. They were never implemented for IPv6, where interfaces nearly always have at least two, and in many cases three, addresses; nor were they ever implemented for ATM. II. Problem Description As is commonly the case, the IPv6 and ATM network layer ioctl request handlers are written in such a way that an unrecognized request is passed on unmodified to the link layer, which will either handle it or return an error code. Network interface drivers, however, assume that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been handled at the network layer, and therefore do not perform input validation or verify the caller's credentials. Typical link-layer actions for these requests may include marking the interface as "up" and resetting the underlying hardware. III. Impact An unprivileged user with the ability to run arbitrary code can cause any network interface in the system to perform the link layer actions associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a specially crafted address structure which causes a network interface driver to dereference an invalid pointer. Although this has not been confirmed, the possibility that an attacker may be able to execute arbitrary code in kernel context can not be ruled out. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch # fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch.asc # gpg --verify ifioctl.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r255445 releng/8.3/ r255446 releng/8.4/ r255447 stable/9/ r255443 releng/9.1/ r255448 releng/9.2/ r255444 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (FreeBSD) iEYEARECAAYFAlIu8rUACgkQFdaIBMps37ImRQCdGUcSBvK6+kAN69aGChHT6fVb YI4AoJNveN9PSowTG0NnUkPJR9oJimZT =xb3g -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Sep 10 11:20:54 2013 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 47D41868; Tue, 10 Sep 2013 11:20:54 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id C7EE82E48; Tue, 10 Sep 2013 11:20:53 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 18D6249D6; Tue, 10 Sep 2013 11:20:53 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 6B1E236372; Tue, 10 Sep 2013 13:20:48 +0200 (CEST) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Message-Id: <20130910112048.6B1E236372@nine.des.no> Date: Tue, 10 Sep 2013 13:20:48 +0200 (CEST) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:11.sendfile X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 11:20:54 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:11.sendfile Security Advisory The FreeBSD Project Topic: Kernel memory disclosure in sendfile(2) Category: core Module: sendfile Announced: 2013-09-10 Credits: Ed Maste Affects: FreeBSD 9.2-RC1 and 9.2-RC2 Corrected: 2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2) 2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2) CVE Name: CVE-2013-5666 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The sendfile(2) system call allows a server application (such as an HTTP or FTP server) to transmit the contents of a file over a network connection without first copying it to application memory. High performance servers such as Apache and ftpd use sendfile. II. Problem Description On affected systems, if the length passed to sendfile(2) is non-zero and greater than the length of the file being transmitted, sendfile(2) will pad the transmission up to the requested length or the next pagesize boundary, whichever is smaller. The content of the additional bytes transmitted in this manner depends on the underlying filesystem, but may potentially include information useful to an attacker. III. Impact An unprivileged user with the ability to run arbitrary code may be able to obtain arbitrary kernel memory contents. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 9.2-STABLE] # fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-stable.patch # fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-stable.patch.asc # gpg --verify sendfile-9.2-stable.patch.asc [FreeBSD 9.2-RC1 and 9.2-RC2] # fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-rc.patch # fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-rc.patch.asc # gpg --verify sendfile-9.2-rc.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r255443 releng/9.2/ r255444 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (FreeBSD) iEYEARECAAYFAlIu8rIACgkQFdaIBMps37K01ACgmwaW3PZhjDqWSlTHusjIPNVy A/YAn3DFUAvlX8sH89taM+sedjbD5In8 =gZwu -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Sep 10 11:21:18 2013 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id F17AE6B2; Tue, 10 Sep 2013 11:21:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 9729A2E82; Tue, 10 Sep 2013 11:21:18 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id F1B4149E0; Tue, 10 Sep 2013 11:21:17 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 465443636D; Tue, 10 Sep 2013 13:20:47 +0200 (CEST) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Message-Id: <20130910112048.465443636D@nine.des.no> Date: Tue, 10 Sep 2013 13:20:47 +0200 (CEST) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:10.sctp [REVISED] X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Sep 2013 11:21:19 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:10.sctp Security Advisory The FreeBSD Project Topic: Kernel memory disclosure in sctp(4) Category: core Module: sctp Announced: 2013-08-22 Credits: Julian Seward, Michael Tuexen Affects: All supported versions of FreeBSD. Corrected: 2013-08-15 04:25:16 UTC (stable/9, 9.2-PRERELEASE) 2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC1-p1) 2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC2) 2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6) 2013-08-15 04:35:25 UTC (stable/8, 8.4-STABLE) 2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3) 2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10) CVE Name: CVE-2013-5209 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2013-08-22 Initial release. v1.1 2013-09-07 Binary patch released for 9.2-RC1. I. Background The SCTP protocol provides reliable, flow-controlled, two-way transmission of data. It is a message oriented protocol and can support the SOCK_STREAM and SOCK_SEQPACKET abstractions. The SCTP protocol checks the integrity of messages by validating the state cookie information that is returned from the peer. II. Problem Description When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized. III. Impact Fragments of kernel memory may be included in SCTP packets and transmitted over the network. For each SCTP session, there are two separate instances in which a 4-byte fragment may be transmitted. This memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password. IV. Workaround No workaround is available, but systems not using the SCTP protocol are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch # fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch.asc # gpg --verify sctp.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r254354 releng/8.3/ r254632 releng/8.4/ r254632 stable/9/ r254352 releng/9.1/ r254631 releng/9.2/ r254355 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (FreeBSD) iEYEARECAAYFAlIu+g8ACgkQFdaIBMps37JBjgCgkRdb24STra3EjItZymFqU0S8 6rQAn0EQeP1D8BUCIbzR5uNYrrNv9Eo6 =2Ot5 -----END PGP SIGNATURE-----