From owner-freebsd-security@FreeBSD.ORG Fri Aug 29 14:10:00 2008
Date: Fri, 29 Aug 2008 15:59:05 +0200
From: Edward Tomasz Napierala <trasz@FreeBSD.org>
To: trustedbsd-discuss@freebsd.org, freebsd-current@freebsd.org
Message-ID: <20080829135905.GA25236@pin.if.uz.zgora.pl>
Subject: NFSv4 ACLs.

Right now, FreeBSD supports one type of ACLs - so called POSIX.1e ACLs. They are a natural extension of the traditional Unix permissions, and for a long time were the only nonproprietary ACL type in Unix systems. Times change, and now there are several problems with them: they never actually became standard (the draft they are based on was withdrawn); this results in minor incompatibilities related to e.g. umask handling; they don't fit into the Windows or NFSv4 security model, which makes interoperability between these systems harder; finally, they don't work with ZFS.

The aim of my GSoC project was to implement NFSv4 ACLs in a similar way POSIX.1e ACLs are supported.
That was done by extending the user utilities (setfacl(1)/getfacl(1)) and the libc API, and adding the necessary kernel stuff. Semantics are supposed to be identical to the ones in SunOS. There is also a wrapper (distributed separately) that implements the SunOS-compatible acl(2)/facl(2) API, to make porting applications like Samba easier.

Userland tools - setfacl(1) and getfacl(1) - were modified to work with the new ACLs. The former was slightly restructured to make it more readable. Most of the setfacl(1) options work the same way with NFS4 ACLs as they do with POSIX.1e ACLs. However, things like "-m" or "-x" don't always fit in a model where ordering of entries matters and there may be more than one identical entry. Thus, two more options were added - "-a", that adds an ACL entry at the specified position, and "-x number", which removes the ACL entry at a specified position. Manual pages were updated as appropriate.

ACL format is the same as the SunOS "positional", aka "compact", format. For example:

[trasz@traszkan:~]$ getfacl /
# file: /
# owner: root
# group: wheel
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow

There is also a "verbose" format, similar - but not identical - to the SunOS counterpart:

[trasz@traszkan:~]$ getfacl -v /
# file: /
# owner: root
# group: wheel
owner@:::deny
owner@:read_data/write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
group@:write_data/append_data::deny
group@:read_data/execute::allow
everyone@:write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::deny
everyone@:read_data/execute/read_attributes/read_xattr/read_acl/synchronize::allow

The ls(1) and chmod(1) utilities were modified to remove POSIX.1e-specific assumptions.
The following functions were added to the acl(3) API: acl_add_flag_np, acl_clear_flags_np, acl_create_entry_np, acl_delete_entry_np, acl_delete_flag_np, acl_get_extended_np, acl_get_flag_np, acl_get_flagset_np, acl_set_extended_np, acl_set_flagset_np, acl_to_text_np, acl_is_trivial_np, acl_strip_np, acl_get_brand_np. The flags part is source compatible with Darwin; the other functions don't have counterparts there. Manual pages were added or modified as necessary. There should be no backward incompatible changes.

As for the libc internals - "struct acl" et al. were extended to make room for the additional entries required by NFS4. A mechanism called "branding" was introduced to prevent API users from mixing POSIX and NFS4 specific stuff in a single ACL. One thing that still needs to be done is to add a few binary compatibility wrappers; these places are marked with 'XXX' in the code. ACL_MAX_ENTRIES was increased from 32 to 204.

Syscall interface remains the same, except for changed "type" constants, in order to preserve backwards compatibility with older libc.

VOP_SETACL, VOP_GETACL and VOP_ACLCHECK interfaces remain the same, except for the modified "struct acl". VOP_ACCESS changed a little - the second argument was changed from "int" to "vaccess_t"; there should be no functional changes related to that. There are differences related to permission granularity; as long as the VOP_ACCESS implementation simply passes the "a_mode" parameter to the proper vaccess(9) routine, there should be no difference in behaviour. Adding granularity required adding some VWHATEVER defines to sys/vnode.h, adding several VOP_ACCESS checks in the syscall layer, replacing VADMIN with more specific permissions in UFS and adding a unixify_vaccess() routine that "strips the granularity" from the mode. This routine is used in vaccess(9) and vaccess_acl_posix1e(9).

Filesystem-independent functionality was implemented in kern/subr_acl_nfs4.c.
This includes vaccess_acl_nfs4, routines to recompute the ACL after a mode change, recompute the mode after an ACL change, compute the inherited ACL, and check the ACL for correctness. The implementation is based on draft-ietf-nfsv4-minorversion1-03, with small tweaks to make it behave exactly as ZFS does. Later drafts are unfortunately less specific, probably to make it possible to actually pass the voting. Note that these routines are used only by UFS; ZFS has its own implementation.

Support for NFS4 ACL storage and retrieval was added to ufs/ufs/ufs_acl.c. Stored ACLs are variable in size, to reduce the disk space used. Other parts of UFS (ufs_vnops.c and ufs_lookup.c) were modified to implement granularity.

Support for NFS4 ACL storage and retrieval was added to ZFS. It interfaces with ZFS's own ACL mechanisms through wrappers.

Two sets of unit tests were implemented. The first, to test permission checks, was implemented as a part of fstest, tools/regression/fstest/tests/granular. The second, a "utility-level" test, is in tools/regression/acltools. It checks behaviour from the command-line point of view. It verifies the correct behaviour of the getfacl(1), setfacl(1), cp(1) and mv(1) utilities (which obviously requires correct operation of the libc part), as well as recomputing ACLs on mode change, recomputing mode on ACL change, and ACL inheritance, which are performed by the kernel. These tests were used to make sure UFS behaves exactly the same way ZFS does. There is also a basic test for POSIX.1e ACLs as well, to make sure that part of the functionality wasn't broken.

The code is in working state. It can be found in Perforce:

//depot/projects/soc2008/trasz_nfs4acl/...

Patch against yesterday's -CURRENT is at:

http://people.freebsd.org/~trasz/20080827-nfs4acls.diff

I'd like to ask you for review, comments and suggestions. And testing, of course - this is just a prototype, but a working one.

This work was done as a Google Summer of Code project.
Thanks, Google :-)

From owner-freebsd-security@FreeBSD.ORG Sat Aug 30 22:03:55 2008
Date: Sat, 30 Aug 2008 23:47:46 +0200
From: Martin Tournoij <carpetsmoker@rwxrwxrwx.net>
To: tethys ocean
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <20080830214746.GA7279@rwxrwxrwx.net>
In-Reply-To: <235b80000808301408v49e91675se91a257e257537fc@mail.gmail.com>
Subject: Re: jail stop extracting iso file

On Sun, Aug 31, 2008 at 12:08:31AM +0300, tethys ocean wrote:
> Hi all
>
> In server jail and squid is running on it as lots of another packet. i want
> to extract iso image in this server. But i havent do it.
>
> #mdconfig -a -t vnode -f big_bcbcv.iso
> #mdconfig: open(/dev/mdctl): No such file or directory
>
> #ls -l /dev/md*
> #ls -ls /dev/mdctl
> ls: /dev/mdctl: No such file or directory
>
> i am not familiar with jail. only i can extract my iso file. İ suppose that
> jail stop me, jail blocking me for access some source
>
> is it true?
>
> 1-how can extract this iso file
> 2-is jail stop me? or any other trouble about my mdctl?

You can use tar to extract iso images, i.e.:

# tar xvf image.iso

You can also use mdconfig, but you must add a devfs rule to add md devices, i.e.:

add path 'md*' mode 0660

See devfs(8) and devfs.rules(5)

-- 
Martin Tournoij
carpetsmoker@rwxrwxrwx.net
http://www.daemonforums.org

QOTD: Beware of a tall blond man with one black shoe.
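Returning to the NFSv4 ACL announcement that opens this digest: the compact getfacl listing there is positional, one column per permission, and the verbose listing is the same data spelled out, so the two outputs for "/" fix the column order. The Python below is an added example, not code from the project or from the announcement, that parses the compact form, renders it as the verbose form, and walks the entries in order to answer an access question the way the message describes (order matters, and a deny entry may precede an allow). It assumes only the owner@/group@/everyone@ principals and keeps the flags column as an opaque string; user:/group: entries and inheritance are out of its scope.

```python
"""Parse the NFSv4 compact ACL format printed by getfacl in the announcement
and evaluate an access request against it, entry by entry.

Added example; not code from the NFSv4 ACL project. The column order of the
permission field (rwxpdDaARWcCos) is read off the compact/verbose listings
for "/" in the announcement. Only owner@/group@/everyone@ are matched (an
assumption of this example); the flags column is carried verbatim.
"""
from dataclasses import dataclass

# One column per permission, in the order the compact listing prints them
PERM_CHARS = "rwxpdDaARWcCos"
PERM_NAMES = [
    "read_data", "write_data", "execute", "append_data", "delete",
    "delete_child", "read_attributes", "write_attributes", "read_xattr",
    "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize",
]


@dataclass(frozen=True)
class Ace:
    who: str            # owner@, group@ or everyone@ (others not handled here)
    perms: frozenset    # permission names this entry carries
    flags: str          # inheritance flags column, kept as printed
    kind: str           # "allow" or "deny"


def parse_compact(text):
    """Turn a compact getfacl listing into an ordered list of Ace objects."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # "# file:", "# owner:", "# group:"
            continue
        who, perms, flags, kind = line.split(":")
        if len(perms) != len(PERM_CHARS) or kind not in ("allow", "deny"):
            raise ValueError(f"malformed entry: {line}")
        granted = set()
        for idx, (ch, expected) in enumerate(zip(perms, PERM_CHARS)):
            if ch == "-":
                continue
            if ch != expected:                     # a letter in the wrong column
                raise ValueError(f"unexpected {ch!r} in column {idx} of {line}")
            granted.add(PERM_NAMES[idx])
        aces.append(Ace(who, frozenset(granted), flags, kind))
    return aces


def to_verbose(aces):
    """Render entries the way getfacl -v prints them (names joined by '/')."""
    lines = []
    for ace in aces:
        names = "/".join(n for n in PERM_NAMES if n in ace.perms)
        flags = "" if set(ace.flags) <= {"-"} else ace.flags
        lines.append(f"{ace.who}:{names}:{flags}:{ace.kind}")
    return "\n".join(lines)


def _applies(who, uid, gids, file_uid, file_gid):
    if who == "owner@":
        return uid == file_uid
    if who == "group@":
        return file_gid in gids
    return who == "everyone@"


def access_allowed(aces, requested, uid, gids, file_uid, file_gid):
    """Walk the ACL in order: an allow entry grants the still-undecided
    requested permissions it carries; a deny entry covering any
    still-undecided requested permission refuses the whole request.
    Whatever is left undecided at the end is denied."""
    remaining = set(requested)
    for ace in aces:
        if not remaining:
            break
        if not _applies(ace.who, uid, gids, file_uid, file_gid):
            continue
        if ace.kind == "deny":
            if remaining & ace.perms:
                return False
        else:
            remaining -= ace.perms
    return not remaining


# The ACL of "/" as printed in the announcement (owner root = uid 0, group wheel = gid 0)
ROOT_ACL_TEXT = """\
# file: /
# owner: root
# group: wheel
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
"""

if __name__ == "__main__":
    acl = parse_compact(ROOT_ACL_TEXT)
    print(to_verbose(acl))
    # uid 1001 with only its own group: may read and search "/", may not write to it
    print(access_allowed(acl, {"read_data", "execute"}, 1001, {1001}, 0, 0))
    print(access_allowed(acl, {"write_data"}, 1001, {1001}, 0, 0))
```

Running it reproduces the six verbose lines from the announcement. The evaluator is the part worth studying: because entries are consulted in order and a deny stops the walk for any requested bit it covers, swapping two entries changes the answer, which is exactly why the message adds positional "-a" and "-x number" options to setfacl(1) instead of relying on "-m".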
From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 09:12:52 2008
Date: Sun, 31 Aug 2008 11:12:41 +0200 (CEST)
From: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
To: tethys ocean
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <20080831111208.P17652@wojtek.tensor.gdynia.pl>
In-Reply-To: <235b80000808301408v49e91675se91a257e257537fc@mail.gmail.com>
Subject: Re: jail stop extracting iso file

> In server jail and squid is running on it as lots of another packet. i want
> to extract iso image in this server. But i havent do it.
>
> #mdconfig -a -t vnode -f big_bcbcv.iso
> #mdconfig: open(/dev/mdctl): No such file or directory

you can't

jail doesn't allow it.

From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 19:01:10 2008
Date: Sun, 31 Aug 2008 22:01:10 +0300
From: "tethys ocean" <tethys.ocean@gmail.com>
To: "Robert Watson"
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <235b80000808311201x1afc099t3b0af9615369fcd3@mail.gmail.com>
Subject: Re: jail stop extracting iso file
İ see, i should extract this iso image (not using tar) may i close this jail? and can i restart correctly? i am hesitate since squid in running on jail? process is like

[root@finn /etc]#  ps ax -o pid,jid,args
  PID    JID COMMAND
 8415      0 /usr/local/sbin/httpd -k start
10414      0 sshd: mary [priv] (sshd)
10417      0 sshd: mary@ttyp3 (sshd)
17168      0 /usr/local/sbin/squid -D
17170      0 (squid) -D (squid)
17171      0 (unlinkd) (unlinkd)
20754      0 /usr/sbin/syslogd -ss
20871      0 /usr/sbin/sshd
35688      0 sshd: andy [priv] (sshd)
35691      0 sshd: andy@ttypb (sshd)
42074      0 /usr/local/sbin/munin-node (perl)
48630      0 /usr/local/sbin/httpd -k start
64266      0 screen
67740      0 /usr/local/sbin/httpd -k start
71171      0 /usr/local/sbin/httpd -k start
76426      0 /usr/local/sbin/httpd -k start
92862      0 /usr/local/sbin/httpd -k start
93912      0 sshd: alex [priv] (sshd)
93929      0 sshd: alex@ttypq (sshd)
93955      0 screen
10418      0 -bash (bash)
35692      0 -bash (bash)
35693      0 su -
35694      0 -su (csh)
64268      0 /usr/local/bin/bash
93930      0 -bash (bash)
93932      0 su -
93933      0 -su (bash)
93954      0 screen
93956      0 /usr/local/bin/bash
94654      0 ps ax -o pid,jid,args
[root@finn /etc]#

i think so i can stop jail by this command? (but it run)

/etc/rc.d/jail start
/etc/rc.d/jail stop

OR i can kill jail process and than /etc/rc.d/jail stop and i can disable in sysctl jail line

#security.jail.set_hostname_allowed=1
#security.jail.socket_unixiproute_only=1
#security.jail.sysvipc_allowed=0
#security.jail.enforce_statfs=2
#security.jail.allow_raw_sockets=0
#security.jail.chflags_allowed=0
#security.jail.jailed=0

than extract iso file and restart jail? possible? and it contains any risk? since squid is so so important

since i ve read this paper
http://www.freebsd.org/doc/en/books/handbook/jails-application.html

but i wasn't able to find some jail details/setting in this server but nevertheless jail is running

regards

2008/8/31 Robert Watson <rwatson@freebsd.org>
>
> On Sun, 31 Aug 2008, tethys ocean wrote:
>
>> In server jail and squid is running on it as lots of another packet. i
>> want to extract iso image in this server. But i havent do it.
>
> You are correct that direct manipulation of md(4) devices is not allowed in
> jail. However, you may be running on a version FreeBSD in which tar(1) can
> be used to extract iso files, which is quite a bit more convenient for many
> uses.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
>> #mdconfig -a -t vnode -f big_bcbcv.iso
>> #mdconfig: open(/dev/mdctl): No such file or directory
>>
>> #ls -l /dev/md*
>> #ls -ls /dev/mdctl
>> ls: /dev/mdctl: No such file or directory
>>
>> i am not familiar with jail. only i can extract my iso file. İ suppose that
>> jail stop me, jail blocking me for access some source
>>
>> is it true?
>>
>> 1-how can extract this iso file
>> 2-is jail stop me? or any other trouble about my mdctl?
>>
>> regard

-- 
Share now a pigeon's flight
Bluebound along the ancient skies,
Its women forever hair and mammal,
A Mediterranean town may arise
If you rip apart a pigeon's heart.

From owner-freebsd-security@FreeBSD.ORG Sun Aug 31 20:46:32 2008
Date: Sun, 31 Aug 2008 22:19:49 +0200
From: "Olli Hauer" <ohauer@gmx.de>
To: Wojciech Puchar, tethys.ocean@gmail.com
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Message-ID: <20080831201949.96800@gmx.net>
In-Reply-To: <20080831111208.P17652@wojtek.tensor.gdynia.pl>
Subject: Re: jail stop extracting iso file

> In server jail and squid is running on it as lots of another packet. i
> want
> to extract iso image in this server. But i havent do it.
>
> #mdconfig -a -t vnode -f big_bcbcv.iso
> #mdconfig: open(/dev/mdctl): No such file or directory
>
> you can't
>
> jail doesn't allow it.

Yes, but why not mount the ISO at the host system and do a nullfs mount into the jail?

at the host system (not in the jail)
# mdconfig -a -t vnode -u 10 -f ${path_to_iso_image}
# mount_cd9660 -o ro /dev/md10 /mnt/
# mount_nullfs /mnt ${path_to_jail}/mnt

ssh into the jail
# pkg_add /mnt/filename

-- 
From owner-freebsd-security@FreeBSD.ORG Mon Sep 1 09:15:50 2008
Date: Mon, 1 Sep 2008 12:15:49 +0300
From: "tethys ocean" <tethys.ocean@gmail.com>
To: "Olli Hauer"
Cc: Wojciech Puchar, freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Message-ID: <235b80000809010215o65579305m155f664fe4f1f145@mail.gmail.com>
In-Reply-To: <20080831201949.96800@gmx.net>
Subject: Re: jail stop extracting iso file

the problem is already here "at the host system (not in the jail)"

i wasnt able to get rid of jail and can't access to device in jail

somehow i must access mdconfig and mount but i shouldnt stop jail.

On Sun, Aug 31, 2008 at 11:19 PM, Olli Hauer wrote:
> > In server jail and squid is running on it as lots of another packet. i
> > want
> > to extract iso image in this server. But i havent do it.
> >
> > #mdconfig -a -t vnode -f big_bcbcv.iso
> > #mdconfig: open(/dev/mdctl): No such file or directory
> >
> > you can't
> >
> > jail doesn't allow it.
>
> Yes, but why don't mount the ISO at the host system and do a nullfs mount
> into the jail?
>
> at the host system (not in the jail)
> # mdconfig -a -t vnode -u 10 -f ${path_to_iso_image}
> # mount_cd9660 -o ro /dev/md10 /mnt/
> # mount_nullfs /mnt ${path_to_jail}/mnt
>
> ssh into the jail
> # pkg_add /mnt/filename

-- 
Share now a pigeon's flight
Bluebound along the ancient skies,
Its women forever hair and mammal,
A Mediterranean town may arise
If you rip apart a pigeon's heart.
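The host-side procedure Olli Hauer quotes above keeps md(4) handling on the host, where it belongs, instead of widening the jail's devfs ruleset to expose md devices. The Python below is an added example, not a script from the thread, that builds that procedure as an explicit command list with two additions: the md unit and both mounts are read-only, so nothing inside the jail can alter the image, and the run is refused when security.jail.jailed (one of the sysctls listed in the thread) reports 1, since mdconfig and mount are not permitted inside a jail anyway. The jail root, the md unit number and the /mnt/iso<unit> host mount point are the caller's choice and an assumption of the example; it has to run as root on the host, and DRY_RUN=1 prints the commands instead of running them.

```python
"""Host-side helper for the procedure quoted above: attach the ISO to an md(4)
unit on the host, mount it read-only, and expose it to the jail through a
read-only nullfs mount. Added example, not a script from the thread.
Assumptions: runs as root on the host (never inside the jail), the caller
picks the jail root and md unit, and /mnt/iso<unit> on the host is free.
"""
import os
import subprocess
import sys


def plan_attach(iso_path, jail_root, unit):
    """Host commands, in order, that attach the image and expose it to the jail."""
    host_mnt = f"/mnt/iso{unit}"
    jail_mnt = os.path.join(jail_root, "mnt", "iso")
    return [
        ["mkdir", "-p", host_mnt, jail_mnt],
        # read-only md unit and read-only mounts: the image cannot be altered from the jail
        ["mdconfig", "-a", "-t", "vnode", "-o", "readonly", "-u", str(unit), "-f", iso_path],
        ["mount_cd9660", "-o", "ro", f"/dev/md{unit}", host_mnt],
        ["mount_nullfs", "-o", "ro", host_mnt, jail_mnt],
    ]


def plan_detach(jail_root, unit):
    """Undo plan_attach in reverse order so no md unit is left attached."""
    return [
        ["umount", os.path.join(jail_root, "mnt", "iso")],
        ["umount", f"/mnt/iso{unit}"],
        ["mdconfig", "-d", "-u", str(unit)],
    ]


def inside_jail():
    """True when security.jail.jailed reports 1; mdconfig/mount would be refused there anyway."""
    try:
        out = subprocess.run(["sysctl", "-n", "security.jail.jailed"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return False        # no such sysctl: not a FreeBSD host, or not jailed
    return out.strip() == "1"


def execute(plan, dry_run=False):
    """Run the plan, stopping at the first failing command; dry_run prints it instead."""
    if inside_jail():
        raise RuntimeError("refusing to run inside a jail; run this on the host")
    for argv in plan:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


def attach(iso_path, jail_root, unit, dry_run=False):
    if not os.path.isfile(iso_path):
        raise FileNotFoundError(iso_path)
    if not os.path.isdir(jail_root):
        raise NotADirectoryError(jail_root)
    execute(plan_attach(iso_path, jail_root, unit), dry_run)


def detach(jail_root, unit, dry_run=False):
    execute(plan_detach(jail_root, unit), dry_run)


if __name__ == "__main__":
    # usage: attach ISO JAILROOT UNIT | detach JAILROOT UNIT   (DRY_RUN=1 only prints)
    dry = os.environ.get("DRY_RUN") == "1"
    if len(sys.argv) == 5 and sys.argv[1] == "attach":
        attach(sys.argv[2], sys.argv[3], int(sys.argv[4]), dry)
    elif len(sys.argv) == 4 and sys.argv[1] == "detach":
        detach(sys.argv[2], int(sys.argv[3]), dry)
    else:
        sys.exit("usage: attach ISO JAILROOT UNIT | detach JAILROOT UNIT")
```

Once attached, the packages are installed from inside the jail exactly as Olli describes (pkg_add against the nullfs mount point); detach afterwards so the md unit does not outlive the job. Keeping the plan as data also makes it reviewable before anything runs, which is the point of the DRY_RUN switch.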
From owner-freebsd-security@FreeBSD.ORG Wed Sep 3 20:13:05 2008
Date: Wed, 3 Sep 2008 20:13:05 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Message-Id: <200809032013.m83KD5RL043766@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-08:07.amd64

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:07.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          amd64 swapgs local privilege escalation

Category:       core
Module:         sys_amd64_amd64
Announced:      2008-09-03
Credits:        Nate Eldredge
Affects:        All supported FreeBSD/amd64 versions.
Corrected:      2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3890

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel CPUs. For Intel CPUs this architecture is known as EM64T or Intel 64.

The gs segment CPU register is used by both user processes and the kernel to conveniently access state data. User processes use it to manage per-thread data, and the kernel uses it to manage per-processor data. As the processor enters and leaves the kernel it uses the 'swapgs' instruction to toggle between the kernel and user values for the gs register.

The kernel stores critical information in its per-processor data block. This includes the currently executing process and its credentials.

As the processor switches between user and kernel level, a number of checks are performed in order to implement the privilege protection system. If the processor detects a problem while attempting to switch privilege levels it generates a trap - typically a general protection fault (GPF). In that case, the processor aborts the return to the user level process and re-enters the kernel. The FreeBSD kernel allows the user process to be notified of such an event by a signal (SIGSEGV or SIGBUS).

II.  Problem Description

If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not, resulting in userland and kernel state being mixed.

III. Impact

A local attacker can, by causing a General Protection Fault while the kernel is returning from an interrupt, trap or system call while manipulating stack frames, run arbitrary code with kernel privileges. The vulnerability can be used to gain kernel / supervisor privilege. This can for example be used by normal users to gain root privileges, to break out of jails, or to bypass Mandatory Access Control (MAC) restrictions.

IV.  Workaround

No workaround is available, but only systems running the 64 bit FreeBSD/amd64 kernels are vulnerable. Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386 kernel, are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the RELENG_7_0, or RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and 7.0 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                        Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/amd64/amd64/exception.S                                1.125.2.3
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.9
  src/sys/conf/newvers.sh                                    1.69.2.15.2.8
  src/sys/amd64/amd64/exception.S                            1.125.2.2.2.1
RELENG_7
  src/sys/amd64/amd64/exception.S                                1.129.2.2
RELENG_7_0
  src/UPDATING                                               1.507.2.3.2.8
  src/sys/conf/newvers.sh                                     1.72.2.5.2.8
  src/sys/amd64/amd64/exception.S                            1.129.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3890

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:07.amd64.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2TFdaIBMps37IRAqt8AJsGd/2WDuMZYUeOcVKekHEHZWRoMACdGnVs
0JZMykjScj7GbrsOlOW3uQg=
=bs1z
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Sep 3 20:13:13 2008
Date: Wed, 3 Sep 2008 20:13:13 GMT
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Message-Id: <200809032013.m83KDDMv043940@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-08:08.nmount

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:08.nmount                                     Security Advisory
                                                          The FreeBSD Project

Topic:          nmount(2) local arbitrary code execution

Category:       core
Module:         sys_kern
Announced:      2008-09-03
Credits:        James Gritton
Affects:        FreeBSD 7.0-RELEASE, FreeBSD 7.0-STABLE
Corrected:      2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
CVE Name:       CVE-2008-3531

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The mount(2) and nmount(2) system calls are used by various utilities in
the base system to graft a file system object on to the file system tree
at a given mount point. It is possible to allow unprivileged users to
utilize these system calls by setting the vfs.usermount sysctl(8)
variable.

II.  Problem Description

Various user defined input such as mount points, devices, and mount
options are prepared and passed as arguments to nmount(2) into the
kernel. Under certain error conditions, user defined data will be
copied into a stack allocated buffer stored in the kernel without
sufficient bounds checking.

III. Impact

If the system is configured to allow unprivileged users to mount file
systems, it is possible for a local adversary to exploit this
vulnerability and execute code in the context of the kernel.

IV.  Workaround

It is possible to work around this issue by allowing only privileged
users to mount file systems by running the following sysctl(8)
command:

# sysctl vfs.usermount=0

V.   Solution

NOTE WELL: Even with this fix, allowing users to mount arbitrary media
should not be considered safe. Most of the file systems in FreeBSD
were not built to safeguard against malicious devices. While such bugs
in file systems are fixed when found, a complete audit has not been
performed on the file system code.
Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/vfs_mount.c                                      1.265.2.10
RELENG_7_0
  src/UPDATING                                               1.507.2.3.2.8
  src/sys/conf/newvers.sh                                     1.72.2.5.2.8
  src/sys/kern/vfs_mount.c                                   1.265.2.1.2.2
- -------------------------------------------------------------------------

VII.
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc

From owner-freebsd-security@FreeBSD.ORG Wed Sep 3 20:13:20 2008
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
    by hub.freebsd.org (Postfix) with ESMTP id D6D1B10657DA;
    Wed, 3 Sep 2008 20:13:20 +0000 (UTC)
    (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28])
    by mx1.freebsd.org (Postfix) with ESMTP id C12118FC17;
    Wed, 3 Sep 2008 20:13:20 +0000 (UTC)
    (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (simon@localhost [127.0.0.1])
    by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m83KDK4C044554;
    Wed, 3 Sep 2008 20:13:20 GMT
    (envelope-from security-advisories@freebsd.org)
Received: (from simon@localhost)
    by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m83KDKnX044551;
    Wed, 3 Sep 2008 20:13:20 GMT
    (envelope-from security-advisories@freebsd.org)
Date: Wed, 3 Sep 2008 20:13:20 GMT
Message-Id: <200809032013.m83KDKnX044551@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Precedence: bulk
Subject: FreeBSD Security Advisory FreeBSD-SA-08:09.icmp6
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Reply-To: freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Wed, 03 Sep 2008 20:13:20 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:09.icmp6                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Remote kernel panics on IPv6 connections

Category:       core
Module:         sys_netinet6
Announced:      2008-09-03
Credits:        Tom Parker, Bjoern A. Zeeb
Affects:        All supported versions of FreeBSD.
Corrected:      2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3530

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 nodes use ICMPv6 amongst other things to report errors encountered
while processing packets. The 'Packet Too Big Message' is sent in case a
node cannot forward a packet because the size of the packet is larger
than the MTU of the next-hop link.

II.  Problem Description

In case of an incoming ICMPv6 'Packet Too Big Message', there is an
insufficient check on the proposed new MTU for a path to the destination.

III. Impact

When the kernel is configured to process IPv6 packets and has active
IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big Message'
could cause the TCP stack of the kernel to panic.

IV.  Workaround

Systems without INET6 / IPv6 support are not vulnerable and neither are
systems which do not listen on any IPv6 TCP sockets and have no active
IPv6 connections.

Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this will
at the same time break PMTU support for IPv6 connections.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_6_3 or RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
FreeBSD 7.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/netinet6/icmp6.c                                       1.62.2.11
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.9
  src/sys/conf/newvers.sh                                    1.69.2.15.2.8
  src/sys/netinet6/icmp6.c                                    1.62.2.9.2.1
RELENG_7
  src/sys/netinet6/icmp6.c                                        1.80.2.7
RELENG_7_0
  src/UPDATING                                               1.507.2.3.2.8
  src/sys/conf/newvers.sh                                     1.72.2.5.2.8
  src/sys/netinet6/icmp6.c                                        1.80.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3530

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:09.icmp6.asc

From owner-freebsd-security@FreeBSD.ORG Wed Sep 3 23:14:27 2008
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
    by hub.freebsd.org (Postfix) with ESMTP id C2A15106567B;
    Wed, 3 Sep 2008 23:14:27 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
    by mx1.freebsd.org (Postfix) with ESMTP id 795228FC16;
    Wed, 3 Sep 2008 23:14:27 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
    by cyrus.watson.org (Postfix) with ESMTP id
    9FEB746BC4; Wed, 3 Sep 2008 19:14:25 -0400 (EDT)
Date: Thu, 4 Sep 2008 00:14:26 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: freebsd-security@freebsd.org
In-Reply-To: <200809032013.m83KDDMv043940@freefall.freebsd.org>
References: <200809032013.m83KDDMv043940@freefall.freebsd.org>
User-Agent: Alpine 1.10 (BSF 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:08.nmount
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Wed, 03 Sep 2008 23:14:27 -0000

On Wed, 3 Sep 2008, FreeBSD Security Advisories wrote:

> The mount(2) and nmount(2) system calls are used by various utilities in the
> base system to graft a file system object on to the file system tree to a
> given mount point. It is possible to allow unprivileged users to utilize
> these system calls by setting the vfs.usermount sysctl(8) variable.

Note that as-shipped by the FreeBSD Project, vfs.usermount is *disabled* in
FreeBSD. This may not be the case in rebundled or derived systems, however.
You can check whether it is enabled using "sysctl vfs.usermount" -- if the
result is "0" then you should be fine.

Robert N M Watson
Computer Laboratory
University of Cambridge
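As an added example (not part of the advisory or of Robert Watson's post), the following POSIX shell script applies the two checks just discussed, the vfs.usermount setting and the 7.0-RELEASE patch level at which RELENG_7_0 was corrected, to captured output of `sysctl vfs.usermount` and `uname -r`, so it can be run across an inventory of collected output rather than on each host. The function names and the sample outputs at the bottom are constructed for this illustration.

```shell
#!/bin/sh
# Added example: classify a host's exposure to FreeBSD-SA-08:08.nmount from
# captured output of `sysctl vfs.usermount` and `uname -r`.  Inputs are
# strings, so the check runs against an inventory of collected output.
FIXED_PATCHLEVEL=4   # RELENG_7_0 was corrected in 7.0-RELEASE-p4

# Print the N from a "<ver>-RELEASE-pN" string, or nothing if absent.
patchlevel_of() {
    case "$1" in
        *-RELEASE-p*) printf '%s\n' "${1##*-RELEASE-p}" ;;
        *) printf '\n' ;;
    esac
}

# nmount_status "<sysctl output>" "<uname -r output>" prints one of:
#   not-exposed   vfs.usermount is 0 (shipped default / the workaround)
#   not-affected  a 6.x system; the advisory lists 7.0 only
#   patched       usermount enabled, but kernel is 7.0-RELEASE-p4 or later
#   vulnerable    usermount enabled on 7.0-RELEASE before p4
#   unknown       usermount enabled on 7.0-STABLE/7.1-PRERELEASE, whose
#                 version string carries no patch level; compare the
#                 kernel build date against the correction date instead
nmount_status() {
    sysctl_line=$1    # "vfs.usermount: 1" or bare "1" (sysctl -n)
    release=$2        # e.g. "7.0-RELEASE-p3"
    usermount=${sysctl_line##*: }
    if [ "$usermount" = "0" ]; then
        echo not-exposed
        return 0
    fi
    pl=$(patchlevel_of "$release")
    case "$release" in
        6.*) echo not-affected ;;
        7.0-RELEASE*)
            if [ -n "$pl" ] && [ "$pl" -ge "$FIXED_PATCHLEVEL" ]; then
                echo patched
            else
                echo vulnerable
            fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample outputs (not collected from any real host).
for sample in "vfs.usermount: 0|7.0-RELEASE-p2" "vfs.usermount: 1|7.0-RELEASE-p3" \
              "vfs.usermount: 1|7.0-RELEASE-p4" "vfs.usermount: 1|7.0-STABLE"; do
    printf '%-20s %-16s %s\n' "${sample%|*}" "${sample#*|}" \
        "$(nmount_status "${sample%|*}" "${sample#*|}")"
done
```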