From owner-freebsd-announce@FreeBSD.ORG Thu Dec 2 00:12:27 2004 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 56B1716A523; Thu, 2 Dec 2004 00:12:27 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 14DC843D4C; Thu, 2 Dec 2004 00:12:27 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id iB20CQgg039499; Thu, 2 Dec 2004 00:12:26 GMT (envelope-from security-advisories@freebsd.org) Received: (from nectar@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id iB20CQ14039498; Thu, 2 Dec 2004 00:12:26 GMT (envelope-from security-advisories@freebsd.org) Date: Thu, 2 Dec 2004 00:12:26 GMT Message-Id: <200412020012.iB20CQ14039498@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:17.procfs X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.1 Reply-To: security-advisories@freebsd.org List-Id: Project Announcements [moderated] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Dec 2004 00:12:27 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:17.procfs Security Advisory The FreeBSD Project Topic: Kernel memory disclosure in procfs and linprocfs Category: core Module: sys Announced: 2004-12-01 Credits: Bryan Fulton, Ted Unangst, and the SWAT analysis tool Coverity, Inc. Affects: All FreeBSD releases Corrected: 2004-12-01 21:33:35 UTC (RELENG_5, 5.3-STABLE) 2004-12-01 21:34:23 UTC (RELENG_5_3, 5.3-RELEASE-p2) 2004-12-01 21:34:43 UTC (RELENG_5_2, 5.2.1-RELEASE-p13) 2004-12-01 21:33:57 UTC (RELENG_4, 4.10-STABLE) 2004-12-01 21:35:10 UTC (RELENG_4_10, 4.10-RELEASE-p5) 2004-12-01 21:35:57 UTC (RELENG_4_8, 4.8-RELEASE-p27) CVE Name: CAN-2004-1066 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The process file system, procfs(5), implements a view of the system process table inside the file system. It is normally mounted on /proc, and is required for the complete operation of programs such as ps(1) and w(1). The Linux process file system, linprocfs(5), emulates a subset of Linux's process file system and is required for the complete operation of some Linux binaries. II. Problem Description The implementation of the /proc/curproc/cmdline pseudofile in the procfs(5) file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline pseudofile in the linprocfs(5) file system on FreeBSD 5.x reads a process' argument vector from the process address space. During this operation, a pointer was dereferenced directly without the necessary validation steps being performed. III. Impact A malicious local user could perform a local denial of service attack by causing a system panic; or he could read parts of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might contain a user-entered password. FreeBSD 4.x does not implement the /proc/self/cmdline pseudofile in its linprocfs(5) file system, and is therefore only affected if the procfs(5) file system is mounted. In its default configuration, FreeBSD 5.x does not utilize procfs(5) or linprocfs(5) and will therefore be unaffected by this vulnerability unless the configuration is changed. IV. Workaround Unmount the procfs and linprocfs file systems if they are mounted. Execute the following command as root: umount -A -t procfs,linprocfs Also, remove or comment out any lines in fstab(5) that reference `procfs' or `linprocfs', so that they will not be re-mounted at next reboot. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_3, RELENG_5_2, RELENG_4_10, or RELENG_4_8 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.8, 4.10, 5.2, and 5.3 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch.asc [FreeBSD 5.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/sys/miscfs/procfs/procfs_status.c 1.20.2.6 RELENG_4_10 src/UPDATING 1.73.2.90.2.6 src/sys/conf/newvers.sh 1.44.2.34.2.7 src/sys/miscfs/procfs/procfs_status.c 1.20.2.5.4.1 RELENG_4_8 src/UPDATING 1.73.2.80.2.30 src/sys/conf/newvers.sh 1.44.2.29.2.28 src/sys/miscfs/procfs/procfs_status.c 1.20.2.4.8.2 RELENG_5 src/sys/compat/linprocfs/linprocfs.c 1.84.2.1 src/sys/fs/procfs/procfs_status.c 1.52.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.5 src/sys/compat/linprocfs/linprocfs.c 1.84.4.1 src/sys/conf/newvers.sh 1.62.2.15.2.7 src/sys/fs/procfs/procfs_status.c 1.52.4.1 RELENG_5_2 src/UPDATING 1.282.2.21 src/sys/compat/linprocfs/linprocfs.c 1.78.2.1 src/sys/conf/newvers.sh 1.56.2.20 src/sys/fs/procfs/procfs_status.c 1.49.2.1 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- iD8DBQFBrlpUFdaIBMps37IRAkqSAJ9bJt5VXd0g+OpZq76O84LGEtw3HgCfayws iuc0B5+J0K67LvDIUA6+wck= =2l7f -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Thu Dec 2 04:34:34 2004 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A2B4216A4CE for ; Thu, 2 Dec 2004 04:34:34 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4807243D49 for ; Thu, 2 Dec 2004 04:34:34 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id E6B2E3D37 for ; Wed, 1 Dec 2004 23:34:33 -0500 (EST) From: "Dan Langille" To: freebsd-announce@freebsd.org Date: Wed, 01 Dec 2004 23:34:34 -0500 MIME-Version: 1.0 Message-ID: <41AE550A.24944.8BF7F5DF@localhost> Priority: normal X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-Mailman-Approved-At: Thu, 02 Dec 2004 13:13:54 +0000 Subject: [FreeBSD-Announce] BSDCan 2005 - call for papers X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Project Announcements [moderated] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Dec 2004 04:34:34 -0000 BSDCan 2004 was an enormously successful grass-roots style conference. It brought together a great mix of *BSD developers and users for a nice blend of both developer-centric and user-centric presentations, food, and activities. Based upon that accomplishment, planning for the next event began shortly thereafter. BSDCan 2005 will be held May 13-14, 2005, in Ottawa. We are now requesting proposals for papers. The papers should be written with a very strong technical content bias. Papers and proposals of a business development or marketing nature are not appropriate for this venue. The schedule is: 19 Dec 2003 Proposals acceptance begins 19 Jan 2003 Proposals acceptance ends 19 Feb 2003 Confirmation of accepted proposals 19 Mar 2004 Abstracts due 19 Apr 2004 Formatted final papers must arrive no later than this date Please submit all proposals to papers@bsdcan.org NOTE: This is the schedule for formal papers. We are also accepting submissions for for talks and presentations. If you have a proposal, please contact us on papers@bsdcan.org. -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From owner-freebsd-announce@FreeBSD.ORG Thu Dec 2 13:26:25 2004 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 38DF816A4CE for ; Thu, 2 Dec 2004 13:26:25 +0000 (GMT) Received: from bast.unixathome.org (bast.unixathome.org [66.11.174.150]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0FADD43D2F for ; Thu, 2 Dec 2004 13:26:25 +0000 (GMT) (envelope-from dan@langille.org) Received: from wocker (wocker.unixathome.org [192.168.0.99]) by bast.unixathome.org (Postfix) with ESMTP id 83E3E3D37 for ; Thu, 2 Dec 2004 08:26:24 -0500 (EST) From: "Dan Langille" To: freebsd-announce@freebsd.org Date: Thu, 02 Dec 2004 08:26:25 -0500 MIME-Version: 1.0 Subject: Re: [FreeBSD-Announce] BSDCan 2005 - call for papers Message-ID: <41AED1B1.9273.8DDEE17B@localhost> Priority: normal In-reply-to: <41AE550A.24944.8BF7F5DF@localhost> X-mailer: Pegasus Mail for Windows (4.21c) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-Mailman-Approved-At: Thu, 02 Dec 2004 13:39:12 +0000 X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Project Announcements [moderated] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Dec 2004 13:26:25 -0000 The original announcement had the wrong years. What a good start. Sorry folks. On 1 Dec 2004 at 23:34, Dan Langille wrote: > The schedule is: > > 19 Dec 2004 Proposals acceptance begins > 19 Jan 2005 Proposals acceptance ends > 19 Feb 2005 Confirmation of accepted proposals > 19 Mar 2005 Abstracts due > 19 Apr 2005 Formatted final papers must arrive no later than this > date > > Please submit all proposals to papers@bsdcan.org > > NOTE: This is the schedule for formal papers. We are also accepting > submissions for for talks and presentations. If you have a proposal, > please contact us on papers@bsdcan.org. -- Dan Langille : http://www.langille.org/ BSDCan - The Technical BSD Conference - http://www.bsdcan.org/ From owner-freebsd-announce@FreeBSD.ORG Thu Dec 2 20:47:39 2004 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C794D16A4CE for ; Thu, 2 Dec 2004 20:47:39 +0000 (GMT) Received: from mail.freebsdmall.com (ns1.freebsdmall.com [69.50.233.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id A2EA343D4C for ; Thu, 2 Dec 2004 20:47:39 +0000 (GMT) (envelope-from murray@freebsdmall.com) Received: by mail.freebsdmall.com (Postfix, from userid 2074) id 472041CD8F; Thu, 2 Dec 2004 12:54:35 -0800 (PST) Date: Thu, 2 Dec 2004 12:54:35 -0800 From: Murray Stokely To: announce@freebsd.org Message-ID: <20041202205435.GA60811@freebsdmall.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-GPG-Key-ID: 1024D/0E451F7D X-GPG-Key-Fingerprint: E2CA 411D DD44 53FD BB4B 3CB5 B4D7 10A2 0E45 1F7D Subject: [FreeBSD-Announce] FreeBSD Handbook 3rd Edition, FreeBSD 5.3, FreeBSD Training X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Project Announcements [moderated] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Dec 2004 20:47:39 -0000 FreeBSD Mall, Inc. is happy to announce the availability of the second volume of the third edition FreeBSD Handbook. We also have FreeBSD 5.3 DVD and CD-set products and a variety of promotional bundles available for ordering both at a reduced price. If you haven't yet placed your order, you may do so at http://www.freebsdmall.com. Next week we will be offering our last week-long FreeBSD System Administration class of the year. In addition to CDs, DVDs, books, and training about FreeBSD, we also have a large collection of FreeBSD shirts, hats, jackets, boxer shorts, stickers, case-plates, coffee mugs, mouse pads, and other promotional materials. More information about the second volume FreeBSD Handbook is included below. Thanks and enjoy! - Murray Stokely FreeBSD Mall, Inc. http://www.freebsdmall.com The new second volume of the FreeBSD Handbook provides detailed information for system administrators seeking to setup or maintain network servers running FreeBSD. The primary topics covered in this volume include : * Configuration and Tuning * The Boot Process * Users and Account Management * Security * Mandatory Access Control * Storage * The Vinum Volume Manager * Localization * Source Updates * Serial Communications * PPP and PPP over Ethernet * Electronic Mail * Running Network Servers * Advanced Networking A User Guide (Volume I) is also available.