Date: Mon, 16 Sep 2002 10:48:55 -0700
From: "Mike Grissom" <mikeyg@igalaxy.net>
To: <freebsd-questions@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:39.libkvm
Message-ID: <009e01c25da9$5abe43b0$0301a8c0@mikeyg>
References: <200209161615.g8GGFk0g073000@freefall.freebsd.org>

For some reason the patch is not on the ftp and the directory doesn't even
exist. When will it be added?

----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
To: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
Sent: Monday, September 16, 2002 9:15 AM
Subject: FreeBSD Security Advisory FreeBSD-SA-02:39.libkvm

> =============================================================================
> FreeBSD-SA-02:39.libkvm                                     Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Applications using libkvm may leak sensitive descriptors
>
> Category:       core
> Module:         libkvm
> Announced:      2002-09-16
> Credits:        David Endler <DEndler@iDefense.com>,
>                 <badc0ded@badc0ded.com>
> Affects:        All releases prior to and including 4.6.2-RELEASE.
>                 Security branch releases prior to 4.4-RELEASE-p27,
>                 4.5-RELEASE-p20, and 4.6.2-RELEASE-p2.
> Corrected:      2002-09-13 14:53:43 UTC (RELENG_4)
>                 2002-09-13 15:04:22 UTC (RELENG_4_6)
>                 2002-09-13 15:07:26 UTC (RELENG_4_5)
>                 2002-09-13 15:09:07 UTC (RELENG_4_4)
> FreeBSD only:   NO
>
> I.   Background
>
> The kvm(3) library provides a uniform interface for accessing kernel
> virtual memory images, including live systems and crash dumps. Access
> to live systems is via /dev/mem and /dev/kmem. Memory can be read and
> written, kernel symbol addresses can be looked up efficiently, and
> information about user processes can be gathered.
>
> The kvm_openfiles(3) function opens the special device files /dev/mem
> and /dev/kmem, and returns an opaque handle that must be passed
> to the other library functions.
>
> II.  Problem Description
>
> Applications that wish to present system information such as swap
> utilization, virtual memory utilization, CPU utilization, and
> so on may use the kvm(3) library to read kernel memory directly
> and gather this information. Such applications typically must
> be run set-group-ID kmem so that the call to kvm_openfiles(3)
> can access /dev/mem and /dev/kmem.
>
> If the application then uses exec(2) to start another application,
> the new application will continue to have open file descriptors to
> /dev/mem and /dev/kmem. This is usually avoided by marking file
> descriptors as close-on-exec, but since the handle returned by
> kvm_openfiles(3) is opaque, there is no direct way for the application
> to determine what file descriptors have been opened by the library.
> As a result, application writers may neglect to take these file
> descriptors into account.
>
> III. Impact
>
> Set-group-ID kmem applications which use kvm(3) and start other
> applications may leak /dev/mem and /dev/kmem file descriptors. If
> those applications can be specified by a local user, they may be
> used to read kernel memory, resulting in disclosure of sensitive
> information such as file, network, and tty buffers, authentication
> tokens, and so on.
>
> Several applications in the FreeBSD Ports Collection were identified
> that are affected: asmon, ascpu, bubblemon, wmmon, and wmnet2. There
> may be other applications as well.
>
> IV.  Workaround
>
> Remove the set-group-ID bit on affected applications. This will
> result in the applications losing some functionality.
>
> V.   Solution
>
> Do one of the following:
>
> 1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
> RELENG_4_5, or RELENG_4_4 security branch dated after the correction
> date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27).
>
> 2) To patch your present system:
>
> The following patch has been verified to apply to FreeBSD 4.4, FreeBSD
> 4.5, FreeBSD 4.6, and FreeBSD 4.6.2 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libkvm
> # make depend && make && make install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Path                                                             Revision
>   Branch
> -------------------------------------------------------------------------
> src/lib/libkvm/kvm.c
>   RELENG_4                                                       1.12.2.3
>   RELENG_4_6                                                 1.12.2.2.8.1
>   RELENG_4_5                                                 1.12.2.2.6.1
>   RELENG_4_4                                                 1.12.2.2.4.1
> src/sys/conf/newvers.sh
>   RELENG_4_6                                               1.44.2.23.2.19
>   RELENG_4_5                                               1.44.2.20.2.21
>   RELENG_4_4                                               1.44.2.17.2.26
> -------------------------------------------------------------------------
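
The descriptor leak described in section II of the quoted advisory, as an added example that is not part of the original message, the advisory, or the FreeBSD patch. It shows a descriptor surviving exec(2) and one way an application can sweep all of its descriptors to close-on-exec when a library holds them behind an opaque handle. The function names are hypothetical, /dev/null stands in for /dev/kmem, and the check assumes /dev/fd lists the process's open descriptors.

```c
/* Added example, not libkvm code; /dev/null stands in for /dev/kmem. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark every open descriptor above stderr close-on-exec, including ones a
 * library opened for us. Returns how many were newly marked. */
int mark_all_cloexec(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int marked = 0;
    if (max < 0 || max > 65536) max = 65536;   /* bound the sweep (assumed) */
    for (int fd = 3; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;                          /* not open, or already marked */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            marked++;
    }
    return marked;
}

/* Fork, exec /bin/sh, report whether fd is open there: 1 leaked, 0 not,
 * -1 error. Assumes /dev/fd lists open descriptors (Linux; fdescfs on BSD). */
int leaks_across_exec(int fd)
{
    char script[48];
    int status;
    snprintf(script, sizeof script, "test -e /dev/fd/%d", fd);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                            /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    int fd = open("/dev/null", O_RDONLY);      /* stand-in descriptor */
    printf("before sweep: leaked=%d\n", leaks_across_exec(fd));
    mark_all_cloexec();
    printf("after sweep:  leaked=%d\n", leaks_across_exec(fd));
    return 0;
}
```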