145 lines
5.2 KiB
Text
145 lines
5.2 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-16:04.linux Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Linux compatibility layer setgroups(2) system call
|
|
vulnerability
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2016-01-14
|
|
Credits: Dmitry Chagin
|
|
Affects: All supported versions of FreeBSD
|
|
Corrected: 2016-01-14 09:11:42 UTC (stable/10, 10.2-STABLE)
|
|
2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
|
|
2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
|
|
2016-01-14 09:11:48 UTC (stable/9, 9.3-STABLE)
|
|
2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)
|
|
CVE Name: CVE-2016-1881
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
FreeBSD is binary-compatible with the Linux operating system through a
|
|
loadable kernel module/optional kernel component. The support is
|
|
provided on amd64 and i386 machines.
|
|
|
|
II. Problem Description
|
|
|
|
A programming error in the Linux compatibility layer setgroups(2) system
|
|
call can lead to an unexpected results, such as overwriting random kernel
|
|
memory contents.
|
|
|
|
III. Impact
|
|
|
|
It is possible for a local attacker to overwrite portions of kernel
|
|
memory, which may result in a privilege escalation or cause a system
|
|
panic.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available, but systems not using the Linux binary
|
|
compatibility layer are not vulnerable.
|
|
|
|
The following command can be used to test if the Linux binary
|
|
compatibility layer is loaded:
|
|
|
|
# kldstat -m linuxelf
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Reboot the system or unload and reload the linux.ko kernel module.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Reboot the system or unload and reload the linux.ko kernel module.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:04/linux.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:04/linux.patch.asc
|
|
# gpg --verify linux.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
# cd /usr/src/amd64/linux32
|
|
# make sysent
|
|
# cd /usr/src/i386/linux
|
|
# make sysent
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.
|
|
|
|
Reboot the system or unload and reload the linux.ko kernel module.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/9/ r293898
|
|
releng/9.3/ r293896
|
|
stable/10/ r293897
|
|
releng/10.1/ r293894
|
|
releng/10.2/ r293893
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1881>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:04.linux.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQIcBAEBCgAGBQJWl2j3AAoJEO1n7NZdz2rnstMP/jddSJehSXe9rlL2qhYfRrQY
|
|
XZSuoOtolvcl2xSQCZYprXN95/i890VOdJ9x4+iYJA2IQO55a8MjS1DcJjjonV7J
|
|
zJa7Apnu1jaK1jDx+RL6C3eVDff0ss1B7NvZTXmjHn+nIsIRxd6vzxDp2NujTnWS
|
|
XHNinNAPcVK9Hy/AJh1W+mClvgLg+lyMICuraMjTDc5ML3+fxUmXfDUWq1mm2Chq
|
|
uYXMXcIBXBJx1mnnm9n2izExr7j7AHaVJywe/UYk+KCNbSeags76pt1vuPfoOjdE
|
|
BaSlX9KNMouYU0JNfv/wC7/UnuQ/BY1XzxheVpIqmXwlFstAmSiKYIQkpIuypVF1
|
|
yUmf8CjN6AOx9P5CjxX88eeY3F6J1yohch1AI4IMqT3F3fd5LbJ5WqOjritt0J96
|
|
hDjnsiVhw4ozQE6SWTY8TKlokOOEfJC+yhNIJ0cNaHnkLSCUuDDErtGzp1CYoYmt
|
|
Q8D1VJ1UEaVPaKcaNAo4+sjiE1uK6svPiWa1+W9VbKGvc3Y7PbcuVIzU0aI4ySgj
|
|
VecEFM1O5wr3WXIYnDQNwkWVxbCQdxOIPyW0rqMGQVpu1h7MKk0oMboY1bLcQYFy
|
|
Aa9okOl+D7ItpEpRUgnIT06B6krC5sUQuzkUxnVIBPKtcl1OZ4B8KidLjEqu4BSx
|
|
3qOQSGqZzr8TFcwPIJv4
|
|
=JKVW
|
|
-----END PGP SIGNATURE-----
|