Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
From: hh (hh@dsgx.org)
Date: 04/22/02
Date: Mon, 22 Apr 2002 21:09:47 +0000
From: hh <hh@dsgx.org>
To: freebsd-security@freebsd.org
Does anybody know which other files should have the +s option taken off to block this bug? Because I just can't reboot the sys again right now.
And this advisory says it may be exploitable with other files.
On Mon, 22 Apr 2002 11:01:35 -0700 (PDT)
FreeBSD Security Advisories <security-advisories@FreeBSD.ORG> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-02:23.stdio                                      Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          insecure handling of stdio file descriptors
>
> Category:       core
> Module:         kernel
> Announced:      2002-04-22
> Credits:        Joost Pol <joost@pine.nl>
> Affects:        All releases of FreeBSD up to and including 4.5-RELEASE
>                 4.5-STABLE prior to the correction date
> Corrected:      2002-04-21 13:06:45 UTC (RELENG_4)
>                 2002-04-21 13:08:57 UTC (RELENG_4_5)
>                 2002-04-21 13:10:51 UTC (RELENG_4_4)
> FreeBSD only:   NO
>
> I. Background
>
> By convention, POSIX systems associate file descriptors 0, 1, and 2
> with standard input, standard output, and standard error,
> respectively. Almost all applications give these stdio file
> descriptors special significance, such as writing error messages to
> standard error (file descriptor 2).
>
> In new processes, all file descriptors are duplicated from the parent
> process. Unless these descriptors are marked close-on-exec, they
> retain their state during an exec.
>
> All POSIX systems assign file descriptors in sequential order,
> starting with the lowest unused file descriptor. For example, if a
> newly exec'd process has file descriptors 0 and 1 open, but file
> descriptor 2 closed, and then opens a file, the new file descriptor is
> guaranteed to be 2 (standard error).
>
> II. Problem Description
>
> Some programs are set-user-id or set-group-id, and therefore run with
> increased privileges. If such a program is started with some of the
> stdio file descriptors closed, the program may open a file and
> inadvertently associate it with standard input, standard output, or
> standard error. The program may then read data from or write data to
> the file inappropriately. If the file is one that the user would
> normally not have privileges to open, this may result in an
> opportunity for privilege escalation.
>
> III. Impact
>
> Local users may gain superuser privileges. It is known that the
> `keyinit' set-user-id program is exploitable using this method. There
> may be other programs that are exploitable.
>
> IV. Workaround
>
> None. The set-user-id bit may be removed from `keyinit' using the
> following command, but note that there may be other programs that can
> be exploited.
>
> # chmod 0555 /usr/bin/keyinit
>
> V. Solution
>
> 1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the
> RELENG_4_5 (4.5-RELEASE-p4) or RELENG_4_4 (4.4-RELEASE-p11) security
> branches dated after the respective correction dates.
>
> 2) To patch your present system:
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> http://www.freebsd.org/handbook/kernelconfig.html and reboot the
> system.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Path                          Revision
>   Branch
> - -------------------------------------------------------------------------
> sys/sys/filedesc.h
>   RELENG_4                    1.19.2.4
>   RELENG_4_5                  1.19.2.3.6.1
>   RELENG_4_4                  1.19.2.3.4.1
> sys/kern/kern_exec.c
>   RELENG_4                    1.107.2.14
>   RELENG_4_5                  1.107.2.13.2.1
>   RELENG_4_4                  1.107.2.8.2.2
> sys/kern/kern_descrip.c
>   RELENG_4                    1.81.2.11
>   RELENG_4_5                  1.81.2.9.2.1
>   RELENG_4_4                  1.81.2.8.2.1
> sys/conf/newvers.sh
>   RELENG_4_5                  1.44.2.20.2.5
>   RELENG_4_4                  1.44.2.17.2.10
> - -------------------------------------------------------------------------
>
> VII. References
>
> PINE-CERT-20020401 <URL:http://www.pine.nl/advisories/pine-cert-20020401.txt>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
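The descriptor-reuse behaviour described in the quoted advisory, together with a userland guard a privileged program can run before opening any file, as an added example that is not part of the original message or of the FreeBSD patch. `sanitize_stdio` and `fd_assigned_after_closing` are hypothetical names, and `/dev/null` is assumed to exist and be openable.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is an open descriptor, 0 if the slot is closed (EBADF). */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Hypothetical guard: fill every closed stdio slot (0, 1, 2) with /dev/null
 * so a later open() cannot land on it. Returns slots filled, or -1. */
int sanitize_stdio(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* Lowest-unused-descriptor rule: this open() must return fd itself. */
        int got = open("/dev/null", O_RDWR);
        if (got != fd) {
            if (got >= 0)
                close(got);
            return -1;
        }
        filled++;
    }
    return filled;
}

/* Constructed demonstration: close `slot`, open a file, and report which
 * descriptor number comes back. The original descriptor is restored. */
int fd_assigned_after_closing(int slot)
{
    int saved = dup(slot);
    if (saved < 0)
        return -1;
    close(slot);
    int got = open("/dev/null", O_WRONLY);
    if (got >= 0 && got != slot)
        close(got);
    dup2(saved, slot);      /* put the real stdio descriptor back */
    close(saved);
    return got;
}

int main(void)
{
    if (sanitize_stdio() < 0)
        return 1;
    printf("open() after close(2) returned %d\n", fd_assigned_after_closing(2));
    return 0;
}
```
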