From owner-freebsd-announce@FreeBSD.ORG Tue Jul 13 02:52:10 2010 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 417AF1065676; Tue, 13 Jul 2010 02:52:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 14C9E8FC17; Tue, 13 Jul 2010 02:52:10 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o6D2q9rv018700; Tue, 13 Jul 2010 02:52:09 GMT (envelope-from security-advisories@freebsd.org) Received: (from cperciva@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o6D2q9do018699; Tue, 13 Jul 2010 02:52:09 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 13 Jul 2010 02:52:09 GMT Message-Id: <201007130252.o6D2q9do018699@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: cperciva set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:07.mbuf X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Jul 2010 02:52:10 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-10:07.mbuf Security Advisory The FreeBSD Project Topic: Lost mbuf flag resulting in data corruption Category: core Module: kern Announced: 2010-07-13 Credits: Ming Fu Affects: FreeBSD 7.x and later. Corrected: 2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE) 2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE) 2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4) 2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE) 2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2) 2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13) CVE Name: CVE-2010-2693 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background An mbuf is a basic unit of memory management in the FreeBSD kernel inter-process communication and networking subsystem. Network packets and socket buffers are dependent on mbufs for their storage. Data can be embedded directly in mbufs, or mbufs can instead reference external buffers. The sendfile(2) system call uses external mbuf storage to directly map the contents of a file into a chain of mbufs for transmission purposes. The mbuf object supports a read-only flag that must be honored to prevent modification or writes to buffer data in cases like these. II. Problem Description The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption. III. Impact This data corruption can be exploited by an local attacker to escalate their privilege by carefully controlling the corruption of system files. It should be noted that the attacker can corrupt any file they have read access to. NOTE: While systems without untrusted local users are not affected by the security aspects of this issue, the potential for data corruption implies that this should still be treated as a critical erratum. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to FreeBSD 7.1, 7.3, 8.0 and 8.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch # fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Now reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_7 src/sys/kern/uipc_mbuf.c 1.174.2.4 RELENG_7_3 src/UPDATING 1.507.2.34.2.4 src/sys/conf/newvers.sh 1.72.2.16.2.6 src/sys/kern/uipc_mbuf.c 1.174.2.3.4.2 RELENG_7_1 src/UPDATING 1.507.2.13.2.16 src/sys/conf/newvers.sh 1.72.2.9.2.17 src/sys/kern/uipc_mbuf.c 1.174.2.2.2.2 RELENG_8 src/sys/kern/uipc_mbuf.c 1.185.2.3 RELENG_8_1 src/UPDATING 1.632.2.14.2.2 src/sys/conf/newvers.sh 1.83.2.10.2.4 src/sys/kern/uipc_mbuf.c 1.185.2.2.2.2 RELENG_8_0 src/UPDATING 1.632.2.7.2.7 src/sys/conf/newvers.sh 1.83.2.6.2.7 src/sys/kern/uipc_mbuf.c 1.185.2.1.2.2 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/7/ r209964 releng/7.3/ r209964 releng/7.1/ r209964 stable/8/ r209964 releng/8.0/ r209964 releng/8.1/ r209964 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2693 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iEYEARECAAYFAkw71A0ACgkQFdaIBMps37JOOACff8w8qvsgopj11FFAPQdwyPLB JEQAniRHbomY2hJVw5FmrdQv3SP+ZziI =Reds -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Wed Jul 14 19:27:31 2010 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 514E0106564A for ; Wed, 14 Jul 2010 19:27:31 +0000 (UTC) (envelope-from deb@freebsdfoundation.org) Received: from aslan.scsiguy.com (mail.scsiguy.com [70.89.174.89]) by mx1.freebsd.org (Postfix) with ESMTP id 1CA858FC08 for ; Wed, 14 Jul 2010 19:27:30 +0000 (UTC) Received: from [192.168.16.104] (c-71-196-155-13.hsd1.co.comcast.net [71.196.155.13]) (authenticated bits=0) by aslan.scsiguy.com (8.14.4/8.14.4) with ESMTP id o6EJRTeV069726 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 14 Jul 2010 13:27:30 -0600 (MDT) (envelope-from deb@freebsdfoundation.org) Message-ID: <4C3E0F93.6070602@freebsdfoundation.org> Date: Wed, 14 Jul 2010 12:27:15 -0700 From: Deb Goodkin User-Agent: Thunderbird 2.0.0.24 (Windows/20100228) MIME-Version: 1.0 To: freebsd-announce@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Wed, 14 Jul 2010 19:54:23 +0000 Subject: [FreeBSD-Announce] Foundation Announces Resource Containers Project X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jul 2010 19:27:31 -0000 Dear FreeBSD Community, We are pleased to announce that Edward Tomasz Napierala has been awarded a grant to implement resource containers and a simple per-jail resource limits mechanism. Unlike Solaris zones, the current implementation of FreeBSD Jails does not provide per-jail resource limits. As a result, users are often forced to replace jails with other virtualization mechanisms. The goal of this project is to create a single, unified framework for controlling resource utilisation, and to use that framework to implement per-jail resource limits. In the future, the same framework might be used to implement more sophisticated resource controls, such as Hierarchical Resource Limits, or to implement mechanisms similar to AIX WLM. It could also be used to provide precise resource usage accounting for administrative or billing purposes. "It's great that the Foundation decided to fund this project," Edward noted. "It will make jail-based virtualization a much better choice in many scenarios, for example for Virtual Private Server providers." Sincerely, The FreeBSD Foundation From owner-freebsd-announce@FreeBSD.ORG Wed Jul 14 19:35:52 2010 Return-Path: Delivered-To: announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F116D1065674 for ; Wed, 14 Jul 2010 19:35:52 +0000 (UTC) (envelope-from philip@paeps.cx) Received: from rincewind.paeps.cx (rincewind.paeps.cx [IPv6:2002:596a:f092::149]) by mx1.freebsd.org (Postfix) with ESMTP id B13438FC1A for ; Wed, 14 Jul 2010 19:35:52 +0000 (UTC) Received: by rincewind.paeps.cx (Postfix, from userid 1001) id 163A2D7444F; Wed, 14 Jul 2010 21:35:52 +0200 (CEST) Date: Wed, 14 Jul 2010 21:35:52 +0200 From: Philip Paeps To: announce@freebsd.org Message-ID: <20100714193552.GS32232@rincewind.paeps.cx> Mail-Followup-To: announce@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="0vzXIDBeUiKkjNJl" Content-Disposition: inline X-PGP-Fingerprint: 356B AE02 4763 F739 2FA2 E438 2649 E628 C5D3 4D05 X-Date: Setting Orange, Confusion 49, 3176 YOLD X-Phase-of-Moon: The Moon is Waxing Crescent (13% of Full) X-Philip-Conspiracy: There is no conspiracy Organization: Happily Disorganized User-Agent: Mutt/1.5.20 (2009-06-14) X-Mailman-Approved-At: Wed, 14 Jul 2010 22:03:26 +0000 Cc: Subject: [FreeBSD-Announce] New FreeBSD core team elected X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: core@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jul 2010 19:35:53 -0000 --0vzXIDBeUiKkjNJl Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable The FreeBSD Project is pleased to announce the completion of the 2010 core team election. The FreeBSD core team acts as the project's "board of directors" and is responsible for approving new src committers, resolving disputes between developers, appointing sub-committees for specific purposes (security officer, release engineering, port managers, webmaster, et cetera= ), and making any other administrative or policy decisions as needed. The core team has been elected by FreeBSD developers every 2 years since 2000. The newly elected core team is: ------------------------------- John Baldwin Konstantin Belousov Wilko Bulte Brooks Davis Warner Losh Pav Lucistnik Colin Percival Hiroki Sato Robert Watson The new core team would like to thank outgoing members Kris Kennaway, Peter Wemm, Murray Stokely, George V. Neville-Neil, and Giorgos Keramidas for the= ir service over the past two (and in some cases, many more) years. The core team would also especially like to thank Dag-Erling Sm=C3=B8rgrav = for running the election. - Philip [core team secretary] --=20 Philip Paeps philip@freebsd.org --0vzXIDBeUiKkjNJl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iQCVAwUBTD4RmPymwUj/iuMFAQiG3QQAlhv6CPIVSbliznRn0k57Q0JRFJdVVCqU R/LUyZY1pNONOEe6V9CMIENuGQ4+7hnvewdIvA/3NPsm3xei6vQO50O0nLIkYLM/ xNQllFsX4o7VEc98zcDN5UWu/kN45FZqpe4/HXjydP8eIyuY+EUJ2P7j4Nif+Hn9 sYlaCslG7Rw= =eMGn -----END PGP SIGNATURE----- --0vzXIDBeUiKkjNJl--