Message-Id: <201304292053.r3TKrwJQ081502@svn.freebsd.org>
From: Dag-Erling Smørgrav
Date: Mon, 29 Apr 2013 20:53:58 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r41519 - in head/share: security/advisories security/patches/SA-13:05 xml

Author: des
Date: Mon Apr 29 20:53:58 2013
New Revision: 41519

URL: http://svnweb.freebsd.org/changeset/doc/41519

Log:
  Fix a bug that allows NFS clients to issue READDIR on files.

  PR:		kern/178016
  Security:	CVE-2013-3266
  Security:	FreeBSD-SA-13:05.nfsserver
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc   (contents, props changed)
  head/share/security/patches/SA-13:05/
  head/share/security/patches/SA-13:05/nfsserver.patch   (contents, props changed)
  head/share/security/patches/SA-13:05/nfsserver.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc Mon Apr 29 20:53:58 2013 (r41519)
@@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:05.nfsserver Security Advisory + The FreeBSD Project + +Topic: Insufficient input validation in the NFS server + +Category: core +Module: nfsserver +Announced: 2013-04-29 +Credits: Adam Nowacki +Affects: All supported versions of FreeBSD. +Corrected: 2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE) + 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8) + 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1) + 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1) + 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE) + 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3) +CVE Name: CVE-2013-3266 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The Network File System (NFS) allows a host to export some or all of its +file systems so that other hosts can access them over the network and mount +them as if they were on local disks. FreeBSD includes server and client +implementations of NFS. + +FreeBSD 8.0 and onward has two NFS implementations: the original CSRG +NFSv2 and NFSv3 implementation and a new implementation which also +supports NFSv4. + +FreeBSD 9.0 and onward uses the new NFS implementation by default. + +II. Problem Description + +When processing READDIR requests, the NFS server does not check that +it is in fact operating on a directory node. An attacker can use a +specially modified NFS client to submit a READDIR request on a file, +causing the underlying filesystem to interpret that file as a +directory. + +III. 
Impact + +The exact consequences of an attack depend on the amount of input +validation in the underlying filesystem: + + - If the file resides on a UFS filesystem on a little-endian server, + an attacker can cause random heap corruption with completely + unpredictable consequences. + + - If the file resides on a ZFS filesystem, an attacker can write + arbitrary data on the stack. It is believed, but has not been + confirmed, that this can be exploited to run arbitrary code in + kernel context. + +Other filesystems may also be vulnerable. + +IV. Workaround + +Systems that do not provide NFS service are not vulnerable. Neither +are systems that do but use the old NFS implementation, which is the +default in FreeBSD 8.x. + +To determine which implementation an NFS server is running, run the +following command: + +# kldstat -v | grep -cw nfsd + +This will print 1 if the system is running the new NFS implementation, +and 0 otherwise. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch +# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc +# gpg --verify nfsserver.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. 
Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r250058 +releng/8.3/ r250059 +releng/8.4/ r250062 +stable/9/ r250060 +releng/9.1/ r250061 +- ------------------------------------------------------------------------- + +VII. References + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266 + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc +-----BEGIN PGP SIGNATURE----- + +iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q +9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ +=polM +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-13:05/nfsserver.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:05/nfsserver.patch Mon Apr 29 20:53:58 2013 (r41519) @@ -0,0 +1,13 @@ +Index: sys/fs/nfsserver/nfs_nfsdport.c +=================================================================== +--- sys/fs/nfsserver/nfs_nfsdport.c (revision 249651) ++++ sys/fs/nfsserver/nfs_nfsdport.c (working copy) +@@ -1568,6 +1568,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd, int isdg + nd->nd_repstat = NFSERR_BAD_COOKIE; + #endif + } ++ if (!nd->nd_repstat && vp->v_type != VDIR) ++ nd->nd_repstat = NFSERR_NOTDIR; + if (nd->nd_repstat == 0 && cnt == 0) { + if (nd->nd_flag & ND_NFSV2) + /* NFSv2 does not have NFSERR_TOOSMALL */ Added: head/share/security/patches/SA-13:05/nfsserver.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:05/nfsserver.patch.asc Mon Apr 29 20:53:58 2013 (r41519) 
@@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iEYEABECAAYFAlF+1+sACgkQFdaIBMps37J22ACeM6TTZjh94AhbnwqTaCfcMjnO +F74AnAiX1rUC1Zvo3XU42efklaBo6F1g +=yQwz +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Mon Apr 29 16:02:00 2013 (r41518) +++ head/share/xml/advisories.xml Mon Apr 29 20:53:58 2013 (r41519) @@ -14,6 +14,14 @@ 2 + FreeBSD-SA-13:05.bind + + + + FreeBSD-SA-13:04.bind + + + FreeBSD-SA-13:04.bind
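Review bot: in the FreeBSD-SA-13:05.nfsserver.asc hunk, the fetch URLs in section V point at `http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch` and `.patch.asc`, but this commit adds the patch files under head/share/security/patches/SA-13:05/, so the path should read SA-13:05 in both lines; the "latest revision of this advisory" URL in section VII already uses the correct FreeBSD-SA-13:05.nfsserver name.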
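Review bot: in the nfsserver.patch hunk, the new check is written as `if (!nd->nd_repstat && vp->v_type != VDIR)` while the line immediately below tests `nd->nd_repstat == 0`; using the same form keeps the style consistent with the surrounding code. The hunk touches only nfsrvd_readdir, so it is worth confirming that no other readdir-style entry point in nfs_nfsdport.c needs the same VDIR check, since the advisory describes the missing validation for READDIR processing in general.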
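Review bot: in the advisories.xml hunk, the new entry is named FreeBSD-SA-13:05.bind, but the advisory file added in this commit is FreeBSD-SA-13:05.nfsserver.asc; it should read FreeBSD-SA-13:05.nfsserver or the advisory index will point at a file that does not exist. The hunk also adds a FreeBSD-SA-13:04.bind entry while the trailing context already shows FreeBSD-SA-13:04.bind present, so check that the 13:04 entry was not duplicated when the new block was copied from it.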