FAMP技术文摘 – 第15页 – FreeBSD相关技术文章

FreeBSD-SA-10:08.bzip2

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:08.bzip2 Security Advisory
The FreeBSD Project

Topic: Integer overflow in bzip2 decompression

Category:       contrib
Module:         bzip2
Announced:      2010-09-20
Credits:        Mikolaj Izdebski
Affects:        All supported versions of FreeBSD.
Corrected:      2010-09-20 14:58:08 UTC (RELENG_8, 8.1-STABLE)
2010-09-20 14:58:08 UTC (RELENG_8_1, 8.1-RELEASE-p1)
2010-09-20 14:58:08 UTC (RELENG_8_0, 8.0-RELEASE-p5)
2010-09-20 14:58:08 UTC (RELENG_7, 7.3-STABLE)
2010-09-20 14:58:08 UTC (RELENG_7_3, 7.3-RELEASE-p3)
2010-09-20 14:58:08 UTC (RELENG_7_1, 7.1-RELEASE-p14)
2010-09-20 14:58:08 UTC (RELENG_6, 6.4-STABLE)
2010-09-20 14:58:08 UTC (RELENG_6_4, 6.4-RELEASE-p11)
CVE Name:       CVE-2010-0405

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The bzip2/bunzip2 utilities and the libbz2 library compress and decompress
files using an algorithm based on the Burrows-Wheeler transform. They are
generally slower than Lempel-Ziv compressors such as gzip, but usually
provide a greater compression ratio.

II. Problem Description

When decompressing data, the run-length encoded values are not adequately
sanity-checked, allowing for an integer overflow.

III. Impact

An attacker who can cause maliciously chosen inputs to be decompressed can
cause the decompressor to crash. It is suspected that such an attacker
can cause arbitrary code to be executed, but this is not known for certain.

Note that some utilities, including the tar archiver and the bspatch
binary patching utility (used in portsnap and freebsd-update) decompress
bzip2-compressed data internally; system administrators should assume that
their systems will at some point decompress bzip2-compressed data even if
they never explicitly invoke the bunzip2 utility.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_1, RELENG_8_0, RELENG_7_3, RELENG_7_1, or
RELENG_6_4 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 6.4, 7.1,
7.3, 8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch
# fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbz2
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 6.4-RELEASE, 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or
8.1-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_6
src/contrib/bzip2/decompress.c                              1.1.1.3.2.3
RELENG_6_4
src/UPDATING                                            1.416.2.40.2.15
src/sys/conf/newvers.sh                                  1.69.2.18.2.17
src/contrib/bzip2/decompress.c                          1.1.1.3.2.2.2.1
RELENG_7
src/contrib/bzip2/decompress.c                              1.1.1.4.2.2
RELENG_7_3
src/UPDATING                                             1.507.2.34.2.5
src/sys/conf/newvers.sh                                   1.72.2.16.2.7
src/contrib/bzip2/decompress.c                          1.1.1.4.2.1.6.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.17
src/sys/conf/newvers.sh                                   1.72.2.9.2.18
src/contrib/bzip2/decompress.c                          1.1.1.4.2.1.2.1
RELENG_8
src/contrib/bzip2/decompress.c                              1.1.1.5.2.1
RELENG_8_1
src/UPDATING                                             1.632.2.14.2.4
src/sys/conf/newvers.sh                                   1.83.2.10.2.5
src/contrib/bzip2/decompress.c                              1.1.1.5.6.1
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.8
src/sys/conf/newvers.sh                                    1.83.2.6.2.8
src/contrib/bzip2/decompress.c                              1.1.1.5.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/6/                                                         r212901
releng/6.4/                                                       r212901
stable/7/                                                         r212901
releng/7.3/                                                       r212901
releng/7.1/                                                       r212901
stable/8/                                                         r212901
releng/8.0/                                                       r212901
releng/8.1/                                                       r212901
– ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0405

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:08.bzip2.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkyXd3QACgkQFdaIBMps37JekgCfcYbIYtG1ZXKsfrFC8RKNl8uV
PhsAniSinLogV/Nfj67AcPnoKoyhrXY2
=Qop+
—–END PGP SIGNATURE—–

原文链接：http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc

FreeBSD-SA-10:07.mbuf

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:07.mbuf Security Advisory
The FreeBSD Project

Topic: Lost mbuf flag resulting in data corruption

Category:       core
Module:         kern
Announced:      2010-07-13
Credits:        Ming Fu
Affects:        FreeBSD 7.x and later.
Corrected:      2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE)
2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE)
2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4)
2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE)
2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2)
2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13)
CVE Name:       CVE-2010-2693

I. Background

An mbuf is a basic unit of memory management in the FreeBSD kernel
inter-process communication and networking subsystem. Network packets
and socket buffers are dependent on mbufs for their storage.

Data can be embedded directly in mbufs, or mbufs can instead reference
external buffers. The sendfile(2) system call uses external mbuf storage
to directly map the contents of a file into a chain of mbufs for
transmission purposes. The mbuf object supports a read-only flag that
must be honored to prevent modification or writes to buffer data in
cases like these.

II. Problem Description

The read-only flag is not correctly copied when a mbuf buffer reference
is duplicated. When the sendfile(2) system call is used to transmit
data over the loopback interface, this can result in the backing pages
for the transmitted file being modified, causing data corruption.

III. Impact

This data corruption can be exploited by an local attacker to escalate
their privilege by carefully controlling the corruption of system files.
It should be noted that the attacker can corrupt any file they have read
access to.

NOTE: While systems without untrusted local users are not affected by
the security aspects of this issue, the potential for data corruption
implies that this should still be treated as a critical erratum.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch
# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or
amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Now reboot the system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_7
src/sys/kern/uipc_mbuf.c                                      1.174.2.4
RELENG_7_3
src/UPDATING                                             1.507.2.34.2.4
src/sys/conf/newvers.sh                                   1.72.2.16.2.6
src/sys/kern/uipc_mbuf.c                                  1.174.2.3.4.2
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.16
src/sys/conf/newvers.sh                                   1.72.2.9.2.17
src/sys/kern/uipc_mbuf.c                                  1.174.2.2.2.2
RELENG_8
src/sys/kern/uipc_mbuf.c                                      1.185.2.3
RELENG_8_1
src/UPDATING                                             1.632.2.14.2.2
src/sys/conf/newvers.sh                                   1.83.2.10.2.4
src/sys/kern/uipc_mbuf.c                                  1.185.2.2.2.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.7
src/sys/conf/newvers.sh                                    1.83.2.6.2.7
src/sys/kern/uipc_mbuf.c                                  1.185.2.1.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r209964
releng/7.3/                                                       r209964
releng/7.1/                                                       r209964
stable/8/                                                         r209964
releng/8.0/                                                       r209964
releng/8.1/                                                       r209964
– ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2693

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkw71A0ACgkQFdaIBMps37JOOACff8w8qvsgopj11FFAPQdwyPLB
JEQAniRHbomY2hJVw5FmrdQv3SP+ZziI
=Reds
—–END PGP SIGNATURE—–

原文链接：http://security.freebsd.org/advisories/FreeBSD-SA-10:07.mbuf.asc

FreeBSD-SA-10:06.nfsclient

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:06.nfsclient Security Advisory
The FreeBSD Project

Topic: Unvalidated input in nfsclient

Category:       core
Module:         nfsclient
Announced:      2010-05-27
Credits:        Patroklos Argyroudis
Affects:        FreeBSD 7.2 and later.
Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
2010-05-27 03:15:04 UTC (RELENG_7, 7.3-STABLE)
2010-05-27 03:15:04 UTC (RELENG_7_3, 7.3-RELEASE-p1)
2010-05-27 03:15:04 UTC (RELENG_7_2, 7.2-RELEASE-p8)
CVE Name:       CVE-2010-2020

I. Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and mount
them as if they were on local disks. FreeBSD includes server and client
implementations of NFS.

II. Problem Description

The NFS client subsystem fails to correctly validate the length of a
parameter provided by the user when a filesystem is mounted.

III. Impact

A user who can mount filesystems can execute arbitrary code in the kernel.
On systems where the non-default vfs.usermount feature has been enabled,
unprivileged users may be able to gain superuser (“root”) privileges.

IV. Workaround

Do not allow untrusted users to mount filesystems. To prevent unprivileged
users from mounting filesystems, set the vfs.usermount sysctl variable to
zero:

# sysctl vfs.usermount=0

Note that the default value of this variable is zero, i.e., FreeBSD is not
affected by this vulnerability in its default configuration, and FreeBSD
system administrators are strongly encouraged not to change this setting.

V. Solution

NOTE WELL: Even with this fix allowing users to mount arbitrary media
should not be considered safe. Most of the file systems in FreeBSD were
not built to protect safeguard against malicious devices. While such bugs
in file systems are fixed when found, a complete audit has not been
perfomed on the file system code.

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_0, RELENG_7_3, or RELENG_7_2 security branch dated after the
correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.2, 7.3
and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:06/nfsclient.patch
# fetch http://security.FreeBSD.org/patches/SA-10:06/nfsclient.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.2-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or
amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_7
src/sys/nfsclient/nfs_vfsops.c                                1.193.2.7
src/lib/libc/sys/mount.2                                       1.45.2.1
RELENG_7_3
src/UPDATING                                             1.507.2.34.2.3
src/sys/conf/newvers.sh                                   1.72.2.16.2.5
src/sys/nfsclient/nfs_vfsops.c                            1.193.2.5.4.2
src/lib/libc/sys/mount.2                                      1.45.12.2
RELENG_7_2
src/UPDATING                                            1.507.2.23.2.11
src/sys/conf/newvers.sh                                  1.72.2.11.2.12
src/sys/nfsclient/nfs_vfsops.c                            1.193.2.5.2.2
src/lib/libc/sys/mount.2                                       1.45.8.2
RELENG_8
src/sys/nfsclient/nfs_vfsops.c                                1.226.2.7
src/lib/libc/sys/mount.2                                      1.45.10.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.6
src/sys/conf/newvers.sh                                    1.83.2.6.2.6
src/sys/nfsclient/nfs_vfsops.c                            1.226.2.2.2.2
src/lib/libc/sys/mount.2                                  1.45.10.1.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/6/                                                         r208586
releng/6.4/                                                       r208586
stable/7/                                                         r208586
releng/7.3/                                                       r208586
releng/7.2/                                                       r208586
releng/7.1/                                                       r208586
stable/8/                                                         r208586
releng/8.0/                                                       r208586
– ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2020

http://census-labs.com/news/2010/05/26/freebsd-kernel-nfsclient/

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:06.nfsclient.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkv95SUACgkQFdaIBMps37Km5gCdG4RNPkwuDsx05w3CfwLd/aM1
NusAn0dzFUcuGlMgNb9V43yUFVFa+NbX
=zMAI
—–END PGP SIGNATURE—–

原文链接：http://security.freebsd.org/advisories/FreeBSD-SA-10:06.nfsclient.asc

FreeBSD-SA-10:05.opie

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:05.opie Security Advisory
The FreeBSD Project

Topic: OPIE off-by-one stack overflow

Category:       contrib
Module:         contrib_opie
Announced:      2010-05-27
Credits:        Maksymilian Arciemowicz and Adam Zabrocki
Affects:        All supported versions of FreeBSD
Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
2010-05-27 03:15:04 UTC (RELENG_7, 7.3-STABLE)
2010-05-27 03:15:04 UTC (RELENG_7_3, 7.3-RELEASE-p1)
2010-05-27 03:15:04 UTC (RELENG_7_2, 7.2-RELEASE-p8)
2010-05-27 03:15:04 UTC (RELENG_7_1, 7.1-RELEASE-p12)
2010-05-27 03:15:04 UTC (RELENG_6, 6.4-STABLE)
2010-05-27 03:15:04 UTC (RELENG_6_4, 6.4-RELEASE-p10)
CVE Name:       CVE-2010-1938

I. Background

OPIE is a one-time password system designed to help to secure a system
against replay attacks. It does so using a secure hash function and a
challenge/response system.

OPIE is enabled by default on FreeBSD.

II. Problem Description

A programming error in the OPIE library could allow an off-by-one buffer
overflow to write a single zero byte beyond the end of an on-stack buffer.

III. Impact

An attacker can remotely crash a service process which uses OPIE when
stack protector is enabled.

Note that this can happen even if OPIE is not enabled on the system,
for instance the base system ftpd(8) is affected by this. Depending
on the design and usage of OPIE, this may either affect only the
process that handles the user authentication, or cause a Denial of
Service condition.

It is possible but very unlikely that an attacker could exploit this to
gain access to a system.

IV. Workaround

No workaround is available, but systems without OPIE capable services
running are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_3, RELENG_7_2, RELENG_7_1, RELENG_6_4
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 6.4,
7.1, 7.2, 7.3, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:05/opie.patch
# fetch http://security.FreeBSD.org/patches/SA-10:05/opie.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libopie
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 6.4-RELEASE, 7.1-RELEASE, 7.2-RELEASE, 7.3-RELEASE or
8.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_6
src/contrib/opie/libopie/readrec.c                         1.1.1.4.14.1
RELENG_6_4
src/UPDATING                                            1.416.2.40.2.14
src/sys/conf/newvers.sh                                  1.69.2.18.2.16
src/contrib/opie/libopie/readrec.c                         1.1.1.4.26.1
RELENG_7
src/contrib/opie/libopie/readrec.c                              1.2.2.1
RELENG_7_3
src/UPDATING                                             1.507.2.34.2.3
src/sys/conf/newvers.sh                                   1.72.2.16.2.5
src/contrib/opie/libopie/readrec.c                             1.2.12.2
RELENG_7_2
src/UPDATING                                            1.507.2.23.2.11
src/sys/conf/newvers.sh                                  1.72.2.11.2.12
src/contrib/opie/libopie/readrec.c                              1.2.8.2
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.15
src/sys/conf/newvers.sh                                   1.72.2.9.2.16
src/contrib/opie/libopie/readrec.c                              1.2.6.2
RELENG_8
src/contrib/opie/libopie/readrec.c                             1.2.10.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.6
src/sys/conf/newvers.sh                                    1.83.2.6.2.6
src/contrib/opie/libopie/readrec.c                         1.2.10.1.2.2
– ————————————————————————-

Subversion:

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1938

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:05.opie.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkv+sTQACgkQFdaIBMps37IDOACfReDDYdDp06vHNNxoovTPeVv2
ZBwAniPhGUNiWSa1hYFcW8RTIkJZNVcE
=UFal
—–END PGP SIGNATURE—–

原文链接：http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

FreeBSD-SA-10:04.jail

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:04.jail Security Advisory
The FreeBSD Project

Topic: Insufficient environment sanitization in jail(8)

Category:       core
Module:         jail
Announced:      2010-05-27
Credits:        Aaron D. Gifford
Affects:        FreeBSD 8.0
Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
CVE Name:       CVE-2010-2022

I. Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

By design, neither the chroot(2) nor the jail(2) system call modify
existing open file descriptors of the calling process, in order to
allow programmers to make fine grained access control and privilege
separation.

The jail(8) utility creates a new jail or modifies an existing jail,
optionally imprisoning the current process (and future descendants)
inside it.

II. Problem Description

The jail(8) utility does not change the current working directory while
imprisoning. The current working directory can be accessed by its
descendants.

III. Impact

Access to arbitrary files may be possible if an attacker managed to obtain
the descriptor of the current working directory before the jail call.
Such descriptor would be inherited by all descendants of the first process
that starts the jail, unless an intermediate process changes the current
working directory inside the jail.

By default, the FreeBSD /etc/rc.d/jail script, which can be enabled
using the jail_* rc.conf(5) variables, is not affected by this issue.
This is due to the default jail flags (“-l -U root”) used to start a
jail as these flags will result in jail(8) performing a chdir(2) call.
If the rc.conf(5) variables jail_flags or jail_<jname>_flags has been
set, and do not include ‘-l -U root’, the jails are affected by the
vulnerability.

IV. Workaround

Include the “-l -U root” arguments to the jail(8) command when
starting the jail.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 8-STABLE, or to the RELENG_8_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch
# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/jail
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 8.0-RELEASE on the i386 or amd64 platforms can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_8
src/usr.sbin/jail/jail.c                                       1.33.2.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.6
src/sys/conf/newvers.sh                                    1.83.2.6.2.6
src/usr.sbin/jail/jail.c                                   1.33.2.1.2.2
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/8/                                                         r208586
releng/8.0/                                                       r208586
– ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2022

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:04.jail.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkv95RAACgkQFdaIBMps37ImPgCfRS7pcslVSb89JluACMlg8ZBa
PmAAn0jq693qHOXK+Z2ljpQdc+EpTTja
=9o7h
—–END PGP SIGNATURE—–

原文链接：http://security.freebsd.org/advisories/FreeBSD-SA-10:04.jail.asc

FreeBSD-SA-10:03.zfs

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:03.zfs Security Advisory
The FreeBSD Project

Topic: ZFS ZIL playback with insecure permissions

Category:       contrib
Module:         zfs
Announced:      2010-01-06
Credits:        Pawel Jakub Dawidek
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-11-14 11:59:59 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)

I. Background

ZFS is a file-system originally developed by Sun Microsystems.

The ZFS Intent Log (“ZIL”) is a mechanism that gathers together in memory
transactions of writes, and is flushed onto disk when synchronous
semantics is necessary. In the event of crash or power failure, the
log is examined and the uncommitted transaction would be replayed to
maintain the synchronous semantics.

II. Problem Description

When replaying setattr transaction, the replay code would set the
attributes with certain insecure defaults, when the logged
transaction did not touch these attributes.

III. Impact

A system crash or power fail would leave some file with mode set
to 07777. This could leak sensitive information or cause privilege
escalation.

IV. Workaround

No workaround is available, but systems not using ZFS are not
vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.1, 7.2,
and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) Examine the system and look for affected files.

These files can be identified with the following command:

# find / -perm -7777 -print0 | xargs -0 ls -ld

The system administrator will have to correct these problems if there
is any files with such permission modes. For example:

# find / -perm -7777 -print0 | xargs -0 chmod u=rwx,go=

Will reset access mode bits to be readable, writable and executable
by the owner only. The system administrator should determine the
appropriate mode bits wisely.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_7
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.6.2.3
RELENG_7_2
src/UPDATING                                             1.507.2.23.2.9
src/sys/conf/newvers.sh                                  1.72.2.11.2.10
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c
1.6.2.1.4.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.13
src/sys/conf/newvers.sh                                   1.72.2.9.2.14
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c
1.6.2.1.2.1
RELENG_8
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.8.2.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.5
src/sys/conf/newvers.sh                                    1.83.2.6.2.5
src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.8.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/7/                                                         r201679
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r199266
releng/8.0/                                                       r201679
head/                                                             r199157
– ————————————————————————-

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:03.zfs.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRRILFdaIBMps37IRAnI3AJ9ioK1Bbg++DpPYW/RX9wnujAeJxACff+Ph
oEIfaiJ5y/DoGhklcAJdXTU=
=JPje
—–END PGP SIGNATURE—–

原文链接：http://security.freebsd.org/advisories/FreeBSD-SA-10:03.zfs.asc

FreeBSD-SA-10:02.ntpd

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:02.ntpd Security Advisory
The FreeBSD Project

Topic: ntpd mode 7 denial of service

Category:       contrib
Module:         ntpd
Announced:      2010-01-06
Affects:        All supported versions of FreeBSD.
Corrected:      2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-3563

I. Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II. Problem Description

If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
from a source address not listed in either a ‘restrict … noquery’
or a ‘restrict … ignore’ section it will log the even and send
a mode 7 error response.

III. Impact

If an attacker can spoof such a packet from a source IP of an affected
ntpd to the same or a different affected ntpd, the host(s) will endlessly
send error responses to each other and log each event, consuming network
bandwidth, CPU and possibly disk space.

IV. Workaround

Proper filtering of mode 7 NTP packets by a firewall can limit the
number of systems used to attack your resources.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_6
src/contrib/ntp/ntpd/ntp_request.c                          1.1.1.4.8.2
RELENG_6_4
src/UPDATING                                            1.416.2.40.2.13
src/sys/conf/newvers.sh                                  1.69.2.18.2.15
src/contrib/ntp/ntpd/ntp_request.c                      1.1.1.4.8.1.2.1
RELENG_6_3
src/UPDATING                                            1.416.2.37.2.20
src/sys/conf/newvers.sh                                  1.69.2.15.2.19
src/contrib/ntp/ntpd/ntp_request.c                         1.1.1.4.20.1
RELENG_7
src/contrib/ntp/ntpd/ntp_request.c                         1.1.1.4.18.2
RELENG_7_2
src/UPDATING                                             1.507.2.23.2.9
src/sys/conf/newvers.sh                                  1.72.2.11.2.10
src/contrib/ntp/ntpd/ntp_request.c                     1.1.1.4.18.1.4.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.13
src/sys/conf/newvers.sh                                   1.72.2.9.2.14
src/contrib/ntp/ntpd/ntp_request.c                     1.1.1.4.18.1.2.1
RELENG_8
src/contrib/ntp/ntpd/ntp_request.c                              1.2.2.1
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.5
src/sys/conf/newvers.sh                                    1.83.2.6.2.5
src/contrib/ntp/ntpd/ntp_request.c                              1.2.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/6/                                                         r201679
releng/6.4/                                                       r201679
releng/6.3/                                                       r201679
stable/7/                                                         r201679
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r201679
releng/8.0/                                                       r201679
head/                                                             r200576
– ————————————————————————-

VII. References

http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode
https://support.ntp.org/bugs/show_bug.cgi?id=1331
http://www.kb.cert.org/vuls/id/568372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:02.ntpd.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRQ9gFdaIBMps37IRAuH1AJ9eOII8McK5332jhuBHEMxAUbWKNQCghYfs
y66+ElAr2uZrrXwerlVETPc=
=yJm1
—–END PGP SIGNATURE—–

原文链接：http://security.freebsd.org/advisories/FreeBSD-SA-10:02.ntpd.asc

FreeBSD-SA-10:01.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:01.bind Security Advisory
The FreeBSD Project

Topic: BIND named(8) cache poisoning with DNSSEC validation

Category:       contrib
Module:         bind
Announced:      2010-01-06
Credits:        Michael Sinatra
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-4022

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II. Problem Description

If a client requests DNSSEC records with the Checking Disabled (CD) flag
set, BIND may cache the unvalidated responses. These responses may later
be returned to another client that has not set the CD flag.

III. Impact

If a client can send such queries to a server, it can exploit this
problem to mount a cache poisoning attack, seeding the cache with
unvalidated information.

IV. Workaround

Disabling DNSSEC validation will prevent BIND from caching unvalidated
records, but also prevent DNSSEC authentication of records. Systems not
using DNSSEC validation are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc

[FreeBSD 6.4]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc

[FreeBSD 7.1]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc

[FreeBSD 7.2]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get
a more recent BIND version with more complete DNSSEC support. This
can be done either by upgrading to FreeBSD 7.x or later, or installing
BIND for the FreeBSD Ports Collection.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_6
src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.1.4.4
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.1.4.2
src/contrib/bind9/lib/dns/resolver.c                       1.1.1.2.2.11
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.1.4.3
src/contrib/bind9/lib/dns/validator.c                       1.1.1.2.2.6
src/contrib/bind9/bin/named/query.c                         1.1.1.1.4.7
RELENG_6_4
src/UPDATING                                            1.416.2.40.2.13
src/sys/conf/newvers.sh                                  1.69.2.18.2.15
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.1.4.3.2.1
src/contrib/bind9/lib/dns/include/dns/types.h           1.1.1.1.4.1.4.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.9.2.1
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.1.4.1.4.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.2.2.4.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.1.4.5.2.1
RELENG_6_3
src/UPDATING                                            1.416.2.37.2.20
src/sys/conf/newvers.sh                                  1.69.2.15.2.19
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.1.4.2.2.1
src/contrib/bind9/lib/dns/include/dns/types.h           1.1.1.1.4.1.2.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.6.2.2
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.1.4.1.2.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.2.2.3.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.1.4.4.2.1
RELENG_7
src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.4.2.4
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.2.2
src/contrib/bind9/lib/dns/resolver.c                        1.1.1.9.2.6
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.3.2.3
src/contrib/bind9/lib/dns/validator.c                       1.1.1.6.2.5
src/contrib/bind9/bin/named/query.c                         1.1.1.6.2.4
RELENG_7_2
src/UPDATING                                             1.507.2.23.2.9
src/sys/conf/newvers.sh                                  1.72.2.11.2.10
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.2.2.1
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.8.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.9.2.4.2.1
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.3.2.1.2.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.6.2.3.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.2.2.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.13
src/sys/conf/newvers.sh                                   1.72.2.9.2.14
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.1.4.1
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.6.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.9.2.3.2.1
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.3.6.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.6.2.1.4.1
src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.1.4.1
RELENG_8
src/contrib/bind9/lib/dns/rbtdb.c                               1.3.2.2
src/contrib/bind9/lib/dns/include/dns/types.h                   1.2.2.2
src/contrib/bind9/lib/dns/resolver.c                            1.6.2.2
src/contrib/bind9/lib/dns/masterdump.c                          1.3.2.2
src/contrib/bind9/lib/dns/validator.c                           1.4.2.2
src/contrib/bind9/bin/named/query.c                             1.3.2.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.5
src/sys/conf/newvers.sh                                    1.83.2.6.2.5
src/contrib/bind9/lib/dns/rbtdb.c                               1.3.4.1
src/contrib/bind9/lib/dns/include/dns/types.h                   1.2.4.1
src/contrib/bind9/lib/dns/resolver.c                            1.6.4.1
src/contrib/bind9/lib/dns/masterdump.c                          1.3.4.1
src/contrib/bind9/lib/dns/validator.c                           1.4.4.1
src/contrib/bind9/bin/named/query.c                             1.3.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/6/                                                         r200394
releng/6.4/                                                       r201679
releng/6.3/                                                       r201679
stable/7/                                                         r200393
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r200383
releng/8.0/                                                       r201679
head/                                                             r199958
– ————————————————————————-

VII. References

https://www.isc.org/node/504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K
RUb5Kn+O1qc/FUzEQ12AmrA=
=Pfoo
—–END PGP SIGNATURE—–

原文链接：http://security.freebsd.org/advisories/FreeBSD-SA-10:01.bind.asc