Date: Mon, 14 Sep 2009 22:22:19 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: dgoodin@theregister.com Cc: freebsd-questions@freebsd.org Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD Message-ID: <4AAEB40B.1090302@infracaninophile.co.uk> In-Reply-To: <4AAE95B2.5050409@sitpub.com> References: <4AAE95B2.5050409@sitpub.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig7FCFC45C43B92D5B005DA7B7 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Dan Goodin wrote: > Hello, >=20 > Dan Goodin, a reporter at technology news website The Register. Securit= y > researcher Przemyslaw Frasunek says versions 6.x through 6.4 of FreeBSD= > has a security bug. He says he notified the FreeBSD Foundation on Augus= t > 29 and never got a response. We'll be writing a brief article about > this. Please let me know ASAP if someone cares to comment. >=20 > Kind regards, >=20 > Dan Goodin > 415-495-5411 >=20 > -------- Original Message -------- > Subject: Re: [Full-disclosure] FreeBSD <=3D 6.1 kqueue() NULL pointer > dereference > Date: Sun, 13 Sep 2009 10:49:33 +0200 > From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl> > Organization: frasunek.com > To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com > References: <4A9028AC.9080902@freebsd.lublin.pl> >=20 > Przemyslaw Frasunek pisze: >> FreeBSD <=3D 6.1 suffers from classical check/use race condition on SM= P >=20 > There is yet another kqueue related vulnerability. It affects 6.x, up t= o > 6.4-STABLE. FreeBSD security team was notified on 29th Aug, but there i= s no > response until now, so I won't publish any details. >=20 > Sucessful exploitation yields local root and allows to exit from jail. > For now, > you can see demo on: >=20 > http://www.vimeo.com/6554787 >=20 You need to contact the Security Officer to get the official position. T= hat's security-officer@freebsd.org I don't know why you seem to think this should have been reported to the = FreeBSD Foundation. They aren't the responsible parties. What to do is clearly = explained on this web page: http://www.freebsd.org/security/security.html (which=20 Przemyslaw for one seems to have read). Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig7FCFC45C43B92D5B005DA7B7 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.13 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkqutBIACgkQ8Mjk52CukIxzewCfdC7bak2J0AAGqlQvPikfRP1q XkEAn0lFPYd3oiH9yU8Enj/utXVSdcmM =0Z3C -----END PGP SIGNATURE----- --------------enig7FCFC45C43B92D5B005DA7B7--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AAEB40B.1090302>