From owner-freebsd-security@FreeBSD.ORG Tue Dec 15 07:43:39 2009
Message-ID: <4B273E20.80101@infosec.pl>
Date: Tue, 15 Dec 2009 07:43:28 +0000
From: Michal
To: freebsd-security@freebsd.org
Subject: ZFS bug - candidate for Security Advisory?

Hello,

On 10/11/2009 in "HEADS UP: Important bug fix in ZFS replay code!" post on freebsd-fs PJD wrote:

"There was important bug in ZFS replay code. If there were setattr logs (not related to permission change) in ZIL during unclean shutdown, one can end up with files that have mode set to 07777. This is very dangerous, especially if you have untrusted local users, as this will set setuid bit on such files. Note that FreeBSD will remove setuid bits when someone will try to modify the file, but it is still dangerous."

It is not fixed in 8.0 as I got bitten by this bug just recently (and other users report it on freebsd-fs). In my case it was about ten files in /var/www, / and two users' home directories.

Is it feasible to issue a SA and warn people? As far as I understand PJD's post it's got important security implications. I'm wondering how many systems are sitting out there with a bunch of 7777 files all over the place because the administrator/user is not following freebsd-fs.

Cheers,
Michal

--
"There cannot be a crisis next week. My schedule is already full."
-Henry Kissinger

From owner-freebsd-security@FreeBSD.ORG Wed Dec 16 17:43:54 2009
Message-ID: <20091216173127.GA15741@ace.cs.uoi.gr>
Date: Wed, 16 Dec 2009 19:31:27 +0200
From: Nikos Ntarmos
To: freebsd-security@freebsd.org
Organization: Computer Science Dept., U. of Ioannina, Greece
Subject: dhclient and pf/ipf/ipfw

Hi all.

I recently turned net.inet.udp.log_in_vain on on some of my boxen and have been seeing UDP connection attempts to port 67 on the local host. This initially seemed odd, as the target ip address was indeed that of a DHCP-configured interface and the source address was that of my DHCP server. However, it turns out this is totally valid, as dhclient(8) does not bind(2) on the bootpc port but rather uses bpf(4) to intercept incoming (e.g. DHCPACK) packets destined to the local machine.

Nothing wrong with this (other than the occasional log entries), but it got me thinking that there is no need for a firewall rule to allow this sort of traffic on the ingress path on single-host configurations. Moreover, even if there is an inbound deny rule, dhclient(8) will still be able to "receive" those DHCP reply packages (outbound broadcast packets (e.g. DHCPDISCOVER) will also go out just fine but we still need an outbound allow rule to let unicast messages leave the local host).

Should we update the relevant pf/ipf/ipfw/dhclient manpages, handbook sections, and example configurations (at least those that have a rule to allow incoming dhcp traffic)? Along the same lines, should udp.log_in_vain be somehow informed to ignore connections to local port 67 from (a possible list of) dhcp servers or even have dhclient(8) bind(2) on UDP port 67 and ignore any incoming messages?

Cheers.

PS: Sorry if this has come up again in the past; some google'ing through mailing list archives didn't turn up anything related.

From owner-freebsd-security@FreeBSD.ORG Wed Dec 16 22:34:22 2009
Message-ID: <20091216223745.GA85336@sidhe.keltia.net>
In-Reply-To: <20091211093550.GA22688@roberto-al.eurocontrol.fr>
Date: Wed, 16 Dec 2009 23:37:45 +0100
From: Ollivier Robert
To: freebsd-security@freebsd.org
Subject: Re: ntpd 4.2.4p8

According to Ollivier Robert:
> Yes. It is in the works.

For those not following the commit logs, I updated ntpd to 4.2.4p8 in head.

For the release branches, a patch will be released (as we do not update whole programs in these).

After two weeks, it will be merged to stable/8. 4.2.6 (or .7, whichever ntp-stable is) will follow soon.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
In memoriam to Ondine : http://ondine.keltia.net/
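
An added example, not part of any message in this archive: a shell audit for the condition described in the first message (regular files left at mode 07777 after a ZFS log replay). The function names are this example's own, and the containment step is an assumption about a reasonable interim mode, since the original mode cannot be recovered from the file itself.

```shell
#!/bin/sh
# Added example: audit for regular files left at mode 07777.
# Function names are hypothetical; run once per ZFS dataset mount point.

# list_mode_7777 ROOT
#   Print every regular file under ROOT whose mode is exactly 07777
#   (setuid + setgid + sticky + rwx for user, group and other).
#   -xdev keeps the walk on the file system that holds ROOT.
list_mode_7777() {
    find "$1" -xdev -type f -perm 7777 -print
}

# report_mode_7777 ROOT
#   Same search, shown with owner and group so setuid-root hits stand out.
report_mode_7777() {
    list_mode_7777 "$1" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
}

# contain_mode_7777 ROOT
#   Containment only (assumed interim policy): drop setuid, setgid, sticky
#   and group/other write on each hit, leaving 0755. The real original
#   mode still has to come from a backup or from package metadata.
contain_mode_7777() {
    list_mode_7777 "$1" | while IFS= read -r f; do
        chmod ug-s,a-t,go-w -- "$f" && printf 'stripped: %s\n' "$f"
    done
}

# Stand-alone use: sh audit7777.sh /var/www
if [ "$#" -gt 0 ]; then
    report_mode_7777 "$1"
fi
```

The match is on the exact mode 07777, so legitimately setuid binaries such as mode 4755 are not reported or changed.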