From: Deb Goodkin
To: freebsd-announce@freebsd.org
Date: Wed, 14 Dec 2011 15:46:19 -0700
Subject: [FreeBSD-Announce] FreeBSD Foundation's End-of-Year Newsletter

Dear FreeBSD Community,

We are pleased to announce the publication of The FreeBSD Foundation's
2011 End-of-Year Newsletter. Go to
http://www.freebsdfoundation.org/press/2011Dec-newsletter.shtml to find
out how we have supported the FreeBSD Project and community this year.

Please help us continue and increase our support of FreeBSD by making a
donation to the Foundation. You can go to
http://www.freebsdfoundation.org/donate/ to find out how to make a
donation.

Sincerely,

The FreeBSD Foundation

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Fri, 23 Dec 2011 15:36:33 GMT
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:06.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:06.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote packet Denial of Service against named(8) servers

Category:       contrib
Module:         bind
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-11-17 01:10:16 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-11-17 00:36:10 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-01 21:13:41 UTC (RELENG_9, 9.0-STABLE)
                2011-12-01 21:17:59 UTC (RELENG_9_0, 9.0-RC3)
                2011-11-16 23:41:13 UTC (ports tree)
CVE Name:       CVE-2011-4313

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

A remote attacker could cause the BIND resolver to cache an invalid
record, which could cause the BIND daemon to crash when that record
is being queried.

III. Impact

An attacker that is able to send a specifically crafted response to the
BIND daemon can cause it to crash, resulting in a denial of service.

Note that due to the nature of this vulnerability, the attacker does
not necessarily have to have query access to the victim server.  The
vulnerability can be triggered by tricking legitimate clients, for
instance spam filtering systems or an end user browser, which can be
made to send the query on their behalf.

IV.  Workaround

No workaround is available, but systems not running the BIND resolving
name server are not affected.

Servers that are running in authoritative-only mode appear not to be
affected by this vulnerability.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.3-RELEASE and 7.4-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch.asc

[FreeBSD 8.1-RELEASE and 8.2-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date.  The following versions and newer versions of BIND installed from
the Ports Collection already have the mitigation measure:

        bind96-9.6.3.1.ESV.R5.1
        bind97-9.7.4.1
        bind98-9.8.1.1

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                 Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/rbtdb.c                    1.1.1.4.2.9
  src/contrib/bind9/bin/named/query.c                  1.1.1.6.2.8
RELENG_7_4
  src/UPDATING                                         1.507.2.36.2.7
  src/sys/conf/newvers.sh                              1.72.2.18.2.10
  src/contrib/bind9/lib/dns/rbtdb.c                    1.1.1.4.2.6.2.1
  src/contrib/bind9/bin/named/query.c                  1.1.1.6.2.6.2.1
RELENG_7_3
  src/UPDATING                                         1.507.2.34.2.11
  src/sys/conf/newvers.sh                              1.72.2.16.2.13
  src/contrib/bind9/lib/dns/rbtdb.c                    1.1.1.4.2.3.2.2
  src/contrib/bind9/bin/named/query.c                  1.1.1.6.2.3.2.2
RELENG_8
  src/contrib/bind9/lib/dns/rbtdb.c                    1.3.2.9
  src/contrib/bind9/bin/named/query.c                  1.3.2.8
RELENG_8_2
  src/UPDATING                                         1.632.2.19.2.7
  src/sys/conf/newvers.sh                              1.83.2.12.2.10
  src/contrib/bind9/lib/dns/rbtdb.c                    1.3.2.5.2.1
  src/contrib/bind9/bin/named/query.c                  1.3.2.5.2.1
RELENG_8_1
  src/UPDATING                                         1.632.2.14.2.10
  src/sys/conf/newvers.sh                              1.83.2.10.2.11
  src/contrib/bind9/lib/dns/rbtdb.c                    1.3.2.3.2.1
  src/contrib/bind9/bin/named/query.c                  1.3.2.3.2.1
RELENG_9
  src/contrib/bind9/lib/dns/rbtdb.c                    1.13.2.1
  src/contrib/bind9/bin/named/query.c                  1.11.2.1
RELENG_9_0
  src/contrib/bind9/lib/dns/rbtdb.c                    1.13.4.1
  src/contrib/bind9/bin/named/query.c                  1.11.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                            Revision
- -------------------------------------------------------------------------
stable/7/                                              r227603
releng/7.4/                                            r228843
releng/7.3/                                            r228843
stable/8/                                              r227599
releng/8.2/                                            r228843
releng/8.1/                                            r228843
stable/9/                                              r228189
releng/9.0/                                            r228190
- -------------------------------------------------------------------------

VII. References

https://www.isc.org/software/bind/advisories/cve-2011-4313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:06.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37K18wCeLYPkREXJsMXYdzt+guRFcPZR
VY4AoII3kmCzRX/gYRmPW7lwGqWIgwlM
=wMSJ
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Fri, 23 Dec 2011 15:36:38 GMT
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:07.chroot

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:07.chroot                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Code execution via chrooted ftpd

Category:       core
Module:         libc
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Chroot is an operation that changes the apparent root directory for the
current process and its children.  The chroot(2) system call is widely
used in many applications as a measure of limiting a process's access to
the file system, as part of implementing privilege separation.

The nsdispatch(3) API implementation has a feature to reload its
configuration on demand.  This feature may also load shared libraries
and run code provided by the library when requested by the configuration
file.

II.  Problem Description

The nsdispatch(3) API has no mechanism to alert it to whether it is
operating within a chroot environment in which the standard paths for
configuration files and shared libraries may be untrustworthy.

The FreeBSD ftpd(8) daemon can be configured to use chroot(2), and
also uses the nsdispatch(3) API.

III. Impact

If ftpd is configured to place a user in a chroot environment, then
an attacker who can log in as that user may be able to run arbitrary
code with elevated ("root") privileges.

IV.  Workaround

Don't use ftpd with the chroot option.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.3 and 7.4]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch.asc

[FreeBSD 8.1 and 8.2]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) This update adds a new API, __FreeBSD_libc_enter_restricted_mode()
to the C library, which completely disables loading of shared libraries
upon return.  Applications doing chroot(2) jails need to be updated
to call this API explicitly right after the chroot(2) operation as a
safety measure.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                 Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/include/unistd.h                                 1.80.2.4
  src/lib/libc/include/libc_private.h                  1.17.2.4
  src/lib/libc/Versions.def                            1.3.2.3
  src/lib/libc/net/nsdispatch.c                        1.14.2.3
  src/lib/libc/gen/Symbol.map                          1.6.2.7
  src/lib/libc/gen/Makefile.inc                        1.128.2.6
  src/lib/libc/gen/libc_dlopen.c                       1.2.2.2
  src/libexec/ftpd/popen.c                             1.26.10.2
  src/libexec/ftpd/ftpd.c                              1.212.2.2
RELENG_7_4
  src/UPDATING                                         1.507.2.36.2.7
  src/sys/conf/newvers.sh                              1.72.2.18.2.10
  src/include/unistd.h                                 1.80.2.3.4.2
  src/lib/libc/include/libc_private.h                  1.17.2.3.4.2
  src/lib/libc/Versions.def                            1.3.2.2.4.2
  src/lib/libc/net/nsdispatch.c                        1.14.2.2.2.2
  src/lib/libc/gen/Symbol.map                          1.6.2.6.4.2
  src/lib/libc/gen/Makefile.inc                        1.128.2.5.4.2
  src/lib/libc/gen/libc_dlopen.c                       1.2.4.2
  src/libexec/ftpd/popen.c                             1.26.10.1.2.2
  src/libexec/ftpd/ftpd.c                              1.212.2.1.6.2
RELENG_7_3
  src/UPDATING                                         1.507.2.34.2.11
  src/sys/conf/newvers.sh                              1.72.2.16.2.13
  src/include/unistd.h                                 1.80.2.3.2.2
  src/lib/libc/include/libc_private.h                  1.17.2.3.2.2
  src/lib/libc/Versions.def                            1.3.2.2.2.2
  src/lib/libc/net/nsdispatch.c                        1.14.2.1.6.2
  src/lib/libc/gen/Symbol.map                          1.6.2.6.2.2
  src/lib/libc/gen/Makefile.inc                        1.128.2.5.2.2
  src/lib/libc/gen/libc_dlopen.c                       1.1.2.1
  src/libexec/ftpd/popen.c                             1.26.24.2
  src/libexec/ftpd/ftpd.c                              1.212.2.1.4.2
RELENG_8
  src/include/unistd.h                                 1.95.2.2
  src/lib/libc/include/libc_private.h                  1.20.2.3
  src/lib/libc/Versions.def                            1.8.2.3
  src/lib/libc/net/nsdispatch.c                        1.18.2.3
  src/lib/libc/gen/Symbol.map                          1.21.2.6
  src/lib/libc/gen/Makefile.inc                        1.144.2.7
  src/lib/libc/gen/libc_dlopen.c                       1.1.4.2
  src/libexec/ftpd/popen.c                             1.26.22.3
  src/libexec/ftpd/ftpd.c                              1.214.2.3
RELENG_8_2
  src/UPDATING                                         1.632.2.19.2.7
  src/sys/conf/newvers.sh                              1.83.2.12.2.10
  src/include/unistd.h                                 1.95.2.1.6.2
  src/lib/libc/include/libc_private.h                  1.20.2.2.4.2
  src/lib/libc/Versions.def                            1.8.2.2.4.2
  src/lib/libc/net/nsdispatch.c                        1.18.2.2.2.2
  src/lib/libc/gen/Symbol.map                          1.21.2.5.2.2
  src/lib/libc/gen/Makefile.inc                        1.144.2.6.2.2
  src/lib/libc/gen/libc_dlopen.c                       1.2.8.2
  src/libexec/ftpd/popen.c                             1.26.22.2.4.2
  src/libexec/ftpd/ftpd.c                              1.214.2.1.6.2
RELENG_8_1
  src/UPDATING                                         1.632.2.14.2.10
  src/sys/conf/newvers.sh                              1.83.2.10.2.11
  src/include/unistd.h                                 1.95.2.1.4.2
  src/lib/libc/include/libc_private.h                  1.20.2.2.2.2
  src/lib/libc/Versions.def                            1.8.2.2.2.2
  src/lib/libc/net/nsdispatch.c                        1.18.2.1.4.2
  src/lib/libc/gen/Symbol.map                          1.21.2.3.2.2
  src/lib/libc/gen/Makefile.inc                        1.144.2.4.2.2
  src/lib/libc/gen/libc_dlopen.c                       1.2.10.2
  src/libexec/ftpd/popen.c                             1.26.22.2.2.2
  src/libexec/ftpd/ftpd.c                              1.214.2.1.4.2
RELENG_9
  src/include/unistd.h                                 1.101.2.2
  src/lib/libc/include/libc_private.h                  1.26.2.2
  src/lib/libc/Versions.def                            1.9.2.2
  src/lib/libc/net/nsdispatch.c                        1.19.2.2
  src/lib/libc/gen/Symbol.map                          1.38.2.2
  src/lib/libc/gen/Makefile.inc                        1.159.2.2
  src/lib/libc/gen/libc_dlopen.c                       1.1.6.2
  src/lib/libc/iconv/citrus_module.c                   1.1.2.2
  src/libexec/ftpd/popen.c                             1.27.2.2
  src/libexec/ftpd/ftpd.c                              1.220.2.2
RELENG_9_0
  src/include/unistd.h                                 1.101.2.1.2.2
  src/lib/libc/include/libc_private.h                  1.26.2.1.2.2
  src/lib/libc/Versions.def                            1.9.2.1.2.2
  src/lib/libc/net/nsdispatch.c                        1.19.2.1.2.2
  src/lib/libc/gen/Symbol.map                          1.38.2.1.2.2
  src/lib/libc/gen/Makefile.inc                        1.159.2.1.2.2
  src/lib/libc/gen/libc_dlopen.c                       1.2.6.2
  src/lib/libc/iconv/citrus_module.c                   1.1.2.1.2.2
  src/libexec/ftpd/popen.c                             1.27.2.1.2.2
  src/libexec/ftpd/ftpd.c                              1.220.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                            Revision
- -------------------------------------------------------------------------
stable/7/                                              r228843
releng/7.4/                                            r228843
releng/7.3/                                            r228843
stable/8/                                              r228843
releng/8.2/                                            r228843
releng/8.1/                                            r228843
stable/9/                                              r228843
releng/9.0/                                            r228843
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:07.chroot.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37ILmgCgjVxRH+NsPpnXOVdwWmuxlSDp
h9wAniE0tokORcqQlFJim5Pc1Z65ybwl
=45yE
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Fri, 23 Dec 2011 15:36:42 GMT
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:08.telnetd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:08.telnetd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          telnetd code execution vulnerability

Category:       core
Module:         contrib
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4862

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol.  It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead.  The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).

II.  Problem Description

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.

III. Impact

An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).

IV.  Workaround

No workaround is available, but systems not running the telnet daemon
are not vulnerable.

Note that the telnet daemon is usually run via inetd, and consequently
will not show up in a process listing unless a connection is currently
active; to determine if it is enabled, run

$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'

If any output is produced, your system may be vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2, and 8.1 systems.

a) Download the patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                 Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c   1.1.1.2.24.1
  src/contrib/telnet/libtelnet/encrypt.c               1.9.24.1
RELENG_7_4
  src/UPDATING                                         1.507.2.36.2.7
  src/sys/conf/newvers.sh                              1.72.2.18.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c   1.1.1.2.38.1
  src/contrib/telnet/libtelnet/encrypt.c               1.9.40.2
RELENG_7_3
  src/UPDATING                                         1.507.2.34.2.11
  src/sys/conf/newvers.sh                              1.72.2.16.2.13
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c   1.1.1.2.36.1
  src/contrib/telnet/libtelnet/encrypt.c               1.9.38.2
RELENG_8
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c   1.1.1.3.2.1
  src/contrib/telnet/libtelnet/encrypt.c               1.9.36.2
RELENG_8_2
  src/UPDATING                                         1.632.2.19.2.7
  src/sys/conf/newvers.sh                              1.83.2.12.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c   1.1.1.3.8.1
  src/contrib/telnet/libtelnet/encrypt.c               1.9.36.1.6.2
RELENG_8_1
  src/UPDATING                                         1.632.2.14.2.10
  src/sys/conf/newvers.sh                              1.83.2.10.2.11
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c   1.1.1.3.6.1
  src/contrib/telnet/libtelnet/encrypt.c               1.9.36.1.4.2
RELENG_9
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c   1.1.1.3.10.1
  src/contrib/telnet/libtelnet/encrypt.c               1.9.42.2
RELENG_9_0
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c   1.1.1.3.12.1
  src/contrib/telnet/libtelnet/encrypt.c               1.9.42.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                            Revision
- -------------------------------------------------------------------------
stable/7/                                              r228843
releng/7.4/                                            r228843
releng/7.3/                                            r228843
stable/8/                                              r228843
releng/8.2/                                            r228843
releng/8.1/                                            r228843
stable/9/                                              r228843
releng/9.0/                                            r228843
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37IYcwCfXn5aQTfQDe/AnS31JBg+BB1m
HJMAmgOE5pUKTlFqLw5UBouMNFfUmu2u
=dcyj
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Fri, 23 Dec 2011 15:36:50 GMT
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-11:09.pam_ssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          pam_ssh improperly grants access when user account has
                unencrypted SSH private keys

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Guy Helmer, Dag-Erling Smorgrav
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-11 20:40:23 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-11 20:38:36 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-11 16:57:27 UTC (RELENG_9, 9.0-STABLE)
                2011-12-11 17:32:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies.  These policies are defined in
/etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/.

The base system includes a module named pam_ssh which, if enabled,
allows users to authenticate themselves by typing in the passphrase of
one of the SSH private keys which are stored in encrypted form in
their .ssh directory.  Authentication is considered successful if at
least one of these keys could be decrypted using the provided
passphrase.

By default, the pam_ssh module rejects SSH private keys with no
passphrase.  A "nullok" option exists to allow these keys.

II.  Problem Description

The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted.  Because the pam_ssh
module only checks whether the passphrase provided by the user is
null, users with unencrypted SSH private keys may successfully
authenticate themselves by providing a dummy passphrase.

III. Impact

If the pam_ssh module is enabled, attackers may be able to gain access
to user accounts which have unencrypted SSH private keys.

IV.  Workaround

No workaround is available, but systems that do not have the pam_ssh
module enabled are not vulnerable.  The pam_ssh module is not enabled
in any of the default policies provided in the base system.

The system administrator can use the following procedure to inspect
all PAM policy files to determine whether the pam_ssh module is
enabled.  If the following command produces any output, the system may
be vulnerable:

# egrep -r '^[^#].*\<pam_ssh\>' /etc/pam.* /usr/local/etc/pam.*

The following command will disable the pam_ssh module in all PAM
policies present in the system:

# sed -i '' -e '/^[^#].*pam_ssh/s/^/#/' /etc/pam.conf /etc/pam.d/* \
    /usr/local/etc/pam.conf /usr/local/etc/pam.d/*

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch
# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam/modules/pam_ssh
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                      Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.44.2.2
RELENG_7_4
  src/UPDATING                              1.507.2.36.2.7
  src/sys/conf/newvers.sh                   1.72.2.18.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.44.2.1.8.2
RELENG_7_3
  src/UPDATING                              1.507.2.34.2.11
  src/sys/conf/newvers.sh                   1.72.2.16.2.13
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.44.2.1.6.2
RELENG_8
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.45.2.3
RELENG_8_2
  src/UPDATING                              1.632.2.19.2.7
  src/sys/conf/newvers.sh                   1.83.2.12.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.45.2.2.4.2
RELENG_8_1
  src/UPDATING                              1.632.2.14.2.10
  src/sys/conf/newvers.sh                   1.83.2.10.2.11
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.45.2.2.2.2
RELENG_9
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.47.2.2
RELENG_9_0
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.47.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path              Revision
- -------------------------------------------------------------------------
stable/7/                r228421
releng/7.4/              r228843
releng/7.3/              r228843
stable/8/                r228420
releng/8.2/              r228843
releng/8.1/              r228843
stable/9/                r228410
releng/9.0/              r228414
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37JTSwCfS+bmWBxv5hote7Hrcl7VZjjk
vKMAn116aLADxmdYsyZ5WdSrfFTRt3Xm
=Y+ar
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Fri Dec 23 15:36:57 2011
Date: Fri, 23 Dec 2011 15:36:57 GMT
Message-Id: <201112231536.pBNFav1M078965@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:10.pam
Reply-To: freebsd-security@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:10.pam                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pam_start() does not validate service names

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Matthias Drochner
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-13 13:03:11 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-13 13:02:52 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-13 12:59:39 UTC (RELENG_9, 9.0-STABLE)
                2011-12-13 13:02:31 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4122

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies.  These policies are defined in
/etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/.

The PAM API is a de facto industry standard which has been implemented
by several parties.  FreeBSD uses the OpenPAM implementation.

II.  Problem Description

Some third-party applications, including KDE's kcheckpass command,
allow the user to specify the name of the policy on the command line.
Since OpenPAM treats the policy name as a path relative to /etc/pam.d
or /usr/local/etc/pam.d, users who are permitted to run such an
application can craft their own policies and cause the application to
load and execute their own modules.

III. Impact

If an application that runs with root privileges allows the user to
specify the name of the PAM policy to load, users who are permitted to
run that application will be able to execute arbitrary code with root
privileges.

There are no vulnerable applications in the base system.

IV.  Workaround

No workaround is available, but systems without untrusted users are
not vulnerable.

Inspect any third-party setuid / setgid binaries which use the PAM
library and ascertain whether they allow the user to specify the
policy name, then either change the binary's permissions to prevent
its use or remove it altogether.

The following command will output a non-zero number if a dynamically
linked binary uses libpam:

# ldd /usr/local/bin/suspicious_binary | grep -c libpam

The following command will output a non-zero number if a statically
linked binary uses libpam:

# grep -acF "/etc/pam.d/" /usr/local/bin/suspicious_binary

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch
# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                         Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/openpam/lib/openpam_configure.c  1.1.1.7.20.2
RELENG_7_4
  src/UPDATING                                 1.507.2.36.2.7
  src/sys/conf/newvers.sh                      1.72.2.18.2.10
  src/contrib/openpam/lib/openpam_configure.c  1.1.1.7.20.1.8.1
RELENG_7_3
  src/UPDATING                                 1.507.2.34.2.11
  src/sys/conf/newvers.sh                      1.72.2.16.2.13
  src/contrib/openpam/lib/openpam_configure.c  1.1.1.7.20.1.6.1
RELENG_8
  src/contrib/openpam/lib/openpam_configure.c  1.1.1.8.2.1
RELENG_8_2
  src/UPDATING                                 1.632.2.19.2.7
  src/sys/conf/newvers.sh                      1.83.2.12.2.10
  src/contrib/openpam/lib/openpam_configure.c  1.1.1.8.8.1
RELENG_8_1
  src/UPDATING                                 1.632.2.14.2.10
  src/sys/conf/newvers.sh                      1.83.2.10.2.11
  src/contrib/openpam/lib/openpam_configure.c  1.1.1.8.6.1
RELENG_9
  src/contrib/openpam/lib/openpam_configure.c  1.1.1.8.10.1
RELENG_9_0
  src/contrib/openpam/lib/openpam_configure.c  1.1.1.8.12.1
- -------------------------------------------------------------------------

Subversion:

Branch/path              Revision
- -------------------------------------------------------------------------
stable/7/                r228467
releng/7.4/              r228843
releng/7.3/              r228843
stable/8/                r228466
releng/8.2/              r228843
releng/8.1/              r228843
stable/9/                r228464
releng/9.0/              r228465
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:10.pam.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37KEWgCgiD/7EymFrnFueD7yyLiI3hLV
lU4An2FUTQRJ0GakViobm9ejHdfmf2Vb
=9COS
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Fri Dec 23 15:51:24 2011
Message-ID: <4EF4A0A8.3000707@freebsd.org>
Date: Fri, 23 Dec 2011 07:39:20 -0800
From: FreeBSD Security Officer
Organization: FreeBSD Project
To: freebsd-announce@freebsd.org, freebsd-security-notifications@freebsd.org
Subject: [FreeBSD-Announce] Merry Christmas from the FreeBSD Security Team
Reply-To: security-officer@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and
your eyes aren't deceiving you: We really did just send out 5 security
advisories.

The timing, to put it bluntly, sucks.  We normally aim to release
advisories on Wednesdays in order to maximize the number of system
administrators who will be at work already; and we try very hard to
avoid issuing advisories any time close to holidays for the same
reason.  The start of the Christmas weekend -- in some parts of the
world it's already Saturday -- is absolutely not when we want to be
releasing security advisories.

Unfortunately my hand was forced: One of the issues
(FreeBSD-SA-11:08.telnetd) is a remote root vulnerability which is
being actively exploited in the wild; bugs really don't come any worse
than this.  On the positive side, most people have moved past telnet
and on to SSH by now; but this is still not an issue we could postpone
until a more convenient time.

While I'm writing, a note to freebsd-update users: FreeBSD-SA-11:07.chroot
has a rather messy fix involving adding a new interface to libc; this
has the awkward side effect of causing the sizes of some "symbols"
(aka. functions) in libc to change, resulting in cascading changes into
many binaries.  The long list of updated files is irritating, but isn't
a sign that anything in freebsd-update went wrong.

- -- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70oKgACgkQFdaIBMps37IsdACgh01CeO+zVGe3o9dn2cLvhh70
ISoAoJCeLUAbJ+0ibyfbVM4fYxpiEfo0
=vt5I
-----END PGP SIGNATURE-----
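
The check that FreeBSD-SA-11:09.pam_ssh (Problem Description, above) says was missing, as an added C example that is not the pam_ssh source or the FreeBSD patch. Assumptions: load_key() is a constructed model of the decrypt call that ignores the passphrase for an unencrypted key, the sample keys are constructed, and the hardened check is one way to close the gap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a private key file in a user's .ssh directory. */
struct stored_key {
    bool encrypted;          /* false: the key was saved without a passphrase */
    const char *passphrase;  /* only consulted when encrypted is true */
};

/* Constructed sample keys used to exercise both checks. */
static const struct stored_key SAMPLE_PLAIN  = { false, NULL };
static const struct stored_key SAMPLE_LOCKED = { true, "constructed-passphrase" };

/*
 * Hypothetical model of the decrypt call the advisory describes: for an
 * unencrypted key the passphrase argument is ignored and loading succeeds.
 */
static bool load_key(const struct stored_key *k, const char *pass)
{
    if (!k->encrypted)
        return true;
    return strcmp(pass, k->passphrase) == 0;
}

/*
 * Flawed check: "nullok" is enforced by looking only at what the user
 * typed, so any non-empty string opens an unencrypted key.
 */
bool auth_vulnerable(const struct stored_key *k, const char *pass, bool nullok)
{
    if (pass == NULL)
        pass = "";
    if (*pass == '\0' && !nullok)
        return false;
    return load_key(k, pass);
}

/*
 * Hardened check: probe the key with an empty passphrase first. If that
 * opens it, the key is unprotected and is accepted only when nullok is set
 * and the user really supplied an empty passphrase.
 */
bool auth_hardened(const struct stored_key *k, const char *pass, bool nullok)
{
    if (pass == NULL)
        pass = "";
    if (load_key(k, ""))
        return nullok && *pass == '\0';
    return load_key(k, pass);
}
```

The point to carry into review is that the property being enforced ("this key has a passphrase") has to be tested on the key itself, not inferred from the user's input.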
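
For FreeBSD-SA-11:10.pam (above), an application that takes a policy name from the user can refuse unsafe names before it ever calls pam_start(). This is an added C example, not OpenPAM code or the FreeBSD patch; the function names, the policy names in EXAMPLE_ALLOWED and the permitted character set are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical policies this example application ships; first is the default. */
static const char *const EXAMPLE_ALLOWED[] = { "exampled", "exampled-lock" };
#define EXAMPLE_ALLOWED_N (sizeof EXAMPLE_ALLOWED / sizeof EXAMPLE_ALLOWED[0])

/*
 * A service name must be one plain file name: no '/', no leading '.',
 * only letters, digits, '.', '_' and '-'. The character set and the
 * 64-byte limit are choices made for this example.
 */
bool service_name_is_wellformed(const char *name)
{
    size_t len;

    if (name == NULL || name[0] == '\0' || name[0] == '.')
        return false;
    len = strlen(name);
    if (len > 64)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return false;
    }
    return true;
}

/*
 * Returns the name to pass as the service argument of pam_start(), or NULL
 * if the request must be refused. A missing request selects the default.
 */
const char *select_pam_service(const char *requested,
                               const char *const allowed[], size_t n)
{
    if (n == 0)
        return NULL;
    if (requested == NULL)
        return allowed[0];
    if (!service_name_is_wellformed(requested))
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (strcmp(requested, allowed[i]) == 0)
            return allowed[i];
    return NULL;   /* well-formed, but not a policy this program owns */
}
```

The fixed allowlist is the stronger of the two layers: even a well-formed name such as another service's policy is refused unless the program was built to use it.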