patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
		
			
				
	
	
		
			182 lines
		
	
	
	
		
			7.5 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
			
		
		
	
	
			182 lines
		
	
	
	
		
			7.5 KiB
		
	
	
	
		
			Text
		
	
	
	
	
	
| -----BEGIN PGP SIGNED MESSAGE-----
 | |
| Hash: SHA1
 | |
| 
 | |
| =============================================================================
 | |
| FreeBSD-SA-11:05.unix                                       Security Advisory
 | |
|                                                           The FreeBSD Project
 | |
| 
 | |
| Topic:          Buffer overflow in handling of UNIX socket addresses
 | |
| 
 | |
| Category:       core
 | |
| Module:         kern
 | |
| Announced:      2011-09-28
 | |
| Credits:        Mateusz Guzik
 | |
| Affects:        All supported versions of FreeBSD.
 | |
| Corrected:      2011-10-04 19:07:38 UTC (RELENG_7, 7.4-STABLE)
 | |
|                 2011-10-04 19:07:38 UTC (RELENG_7_4, 7.4-RELEASE-p4)
 | |
|                 2011-10-04 19:07:38 UTC (RELENG_7_3, 7.3-RELEASE-p8)
 | |
|                 2011-10-04 19:07:38 UTC (RELENG_8, 8.2-STABLE)
 | |
|                 2011-10-04 19:07:38 UTC (RELENG_8_2, 8.2-RELEASE-p4)
 | |
|                 2011-10-04 19:07:38 UTC (RELENG_8_1, 8.1-RELEASE-p6)
 | |
|                 2011-10-04 19:07:38 UTC (RELENG_9, 9.0-RC1)
 | |
| 
 | |
| For general information regarding FreeBSD Security Advisories,
 | |
| including descriptions of the fields above, security branches, and the
 | |
| following sections, please visit <URL:http://security.FreeBSD.org/>.
 | |
| 
 | |
| 0.   Revision History
 | |
| 
 | |
| v1.0  2011-09-28 Initial release.
 | |
| v1.1  2011-10-04 Updated patch to add linux emulation bug fix.
 | |
| 
 | |
| I.   Background
 | |
| 
 | |
| UNIX-domain sockets, also known as "local" sockets, are a mechanism for
 | |
| interprocess communication.  They are similar to Internet sockets (and
 | |
| utilize the same system calls) but instead of relying on IP addresses
 | |
| and port numbers, UNIX-domain sockets have addresses in the local file
 | |
| system address space.
 | |
| 
 | |
| FreeBSD contains "linux emulation" support via system call translation
 | |
| in order to make it possible to use certain linux applications without
 | |
| recompilation.
 | |
| 
 | |
| II.  Problem Description
 | |
| 
 | |
| When a UNIX-domain socket is attached to a location using the bind(2)
 | |
| system call, the length of the provided path is not validated.  Later,
 | |
| when this address was returned via other system calls, it is copied into
 | |
| a fixed-length buffer.
 | |
| 
 | |
| Linux uses a larger socket address structure for UNIX-domain sockets
 | |
| than FreeBSD, and the FreeBSD's linux emulation code did not translate
 | |
| UNIX-domain socket addresses into the correct size of structure.
 | |
| 
 | |
| III. Impact
 | |
| 
 | |
| A local user can cause the FreeBSD kernel to panic.  It may also be
 | |
| possible to execute code with elevated privileges ("gain root"), escape
 | |
| from a jail, or to bypass security mechanisms in other ways.
 | |
| 
 | |
| The patch provided with the initial version of this advisory exposed
 | |
| the pre-existing bug in FreeBSD's linux emulation code, resulting in
 | |
| attempts to use UNIX sockets from linux applications failing.  The most
 | |
| common instance where UNIX sockets were used by linux applications is
 | |
| in the context of the X windowing system, including the widely used
 | |
| linux "flash" web browser plugin.
 | |
| 
 | |
| IV.  Workaround
 | |
| 
 | |
| No workaround is available, but systems without untrusted local users
 | |
| are not vulnerable.
 | |
| 
 | |
| V.   Solution
 | |
| 
 | |
| Perform one of the following:
 | |
| 
 | |
| 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to
 | |
| the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security
 | |
| branch dated after the correction date.
 | |
| 
 | |
| 2) To update your vulnerable system via a source code patch:
 | |
| 
 | |
| The following patch has been verified to apply to FreeBSD 7.4, 7.3,
 | |
| 8.2 and 8.1 systems.
 | |
| 
 | |
| a) Download the relevant patch from the location below, and verify the
 | |
| detached PGP signature using your PGP utility.
 | |
| 
 | |
| # fetch http://security.FreeBSD.org/patches/SA-11:05/unix2.patch
 | |
| # fetch http://security.FreeBSD.org/patches/SA-11:05/unix2.patch.asc
 | |
| 
 | |
| NOTE: The patch distributed at the time of the original advisory fixed
 | |
| the security vulnerability but exposed the pre-existing bug in the linux
 | |
| emulation subsystem.  Systems to which the original patch was applied
 | |
| should be patched with the following corrective patch, which contains
 | |
| only the additional changes required to fix the newly-exposed linux
 | |
| emulation bug:
 | |
| 
 | |
| # fetch http://security.FreeBSD.org/patches/SA-11:05/unix-linux.patch
 | |
| # fetch http://security.FreeBSD.org/patches/SA-11:05/unix-linux.patch.asc
 | |
| 
 | |
| b) Apply the patch.
 | |
| 
 | |
| # cd /usr/src
 | |
| # patch < /path/to/patch
 | |
| 
 | |
| c) Recompile your kernel as described in
 | |
| <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
 | |
| system.
 | |
| 
 | |
| 3) To update your vulnerable system via a binary patch:
 | |
| 
 | |
| Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
 | |
| the i386 or amd64 platforms can be updated via the freebsd-update(8)
 | |
| utility:
 | |
| 
 | |
| # freebsd-update fetch
 | |
| # freebsd-update install
 | |
| 
 | |
| VI.  Correction details
 | |
| 
 | |
| The following list contains the revision numbers of each file that was
 | |
| corrected in FreeBSD.
 | |
| 
 | |
| CVS:
 | |
| 
 | |
| Branch                                                           Revision
 | |
|   Path
 | |
| - -------------------------------------------------------------------------
 | |
| RELENG_7
 | |
|   src/sys/kern/uipc_usrreq.c                                   1.206.2.13
 | |
|   src/sys/compat/linux/linux_socket.c                           1.74.2.15
 | |
| RELENG_7_4
 | |
|   src/UPDATING                                             1.507.2.36.2.5
 | |
|   src/sys/conf/newvers.sh                                   1.72.2.18.2.8
 | |
|   src/sys/kern/uipc_usrreq.c                               1.206.2.11.4.2
 | |
|   src/sys/compat/linux/linux_socket.c                       1.74.2.13.2.2
 | |
| RELENG_7_3
 | |
|   src/UPDATING                                             1.507.2.34.2.9
 | |
|   src/sys/conf/newvers.sh                                  1.72.2.16.2.11
 | |
|   src/sys/kern/uipc_usrreq.c                               1.206.2.11.2.2
 | |
|   src/sys/compat/linux/linux_socket.c                       1.74.2.12.2.2
 | |
| RELENG_8
 | |
|   src/sys/kern/uipc_usrreq.c                                    1.233.2.6
 | |
|   src/sys/compat/linux/linux_socket.c                           1.101.2.5
 | |
| RELENG_8_2
 | |
|   src/UPDATING                                             1.632.2.19.2.5
 | |
|   src/sys/conf/newvers.sh                                   1.83.2.12.2.8
 | |
|   src/sys/kern/uipc_usrreq.c                                1.233.2.2.2.2
 | |
|   src/sys/compat/linux/linux_socket.c                       1.101.2.3.4.2
 | |
| RELENG_8_1
 | |
|   src/UPDATING                                             1.632.2.14.2.8
 | |
|   src/sys/conf/newvers.sh                                   1.83.2.10.2.9
 | |
|   src/sys/kern/uipc_usrreq.c                                1.233.2.1.4.2
 | |
|   src/sys/compat/linux/linux_socket.c                       1.101.2.3.2.2
 | |
| RELENG_9
 | |
|   src/sys/kern/uipc_usrreq.c                                    1.244.2.2
 | |
|   src/sys/compat/linux/linux_socket.c                           1.108.2.2
 | |
| - -------------------------------------------------------------------------
 | |
| 
 | |
| Subversion:
 | |
| 
 | |
| Branch/path                                                      Revision
 | |
| - -------------------------------------------------------------------------
 | |
| stable/7/                                                         r226023
 | |
| releng/7.4/                                                       r226023
 | |
| releng/7.3/                                                       r226023
 | |
| stable/8/                                                         r226023
 | |
| releng/8.2/                                                       r226023
 | |
| releng/8.1/                                                       r226023
 | |
| stable/9/                                                         r226023
 | |
| - -------------------------------------------------------------------------
 | |
| 
 | |
| The latest revision of this advisory is available at
 | |
| http://security.FreeBSD.org/advisories/FreeBSD-SA-11:05.unix.asc
 | |
| -----BEGIN PGP SIGNATURE-----
 | |
| Version: GnuPG v2.0.18 (FreeBSD)
 | |
| 
 | |
| iEYEARECAAYFAk6LWp4ACgkQFdaIBMps37LlGQCgl5uCTA/QydDSsIuBR/TOxTRD
 | |
| Bg0AnjL43sOhR5yIp8xNAkMZxwfl3YiE
 | |
| =Df+l
 | |
| -----END PGP SIGNATURE-----
 |