FreeBSD Security Advisory FreeBSD-SA-04:15.syscons

From: FreeBSD Security Advisories (security-advisories_at_freebsd.org)
Date: 10/04/04

  • Next message: Darren Pilgrim: "RE: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons" 
    Date: Mon, 4 Oct 2004 20:54:11 GMT
To: FreeBSD Security Advisories <security-advisories@freebsd.org>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    =============================================================================
    FreeBSD-SA-04:15.syscons Security Advisory
                                                              The FreeBSD Project

    Topic: Boundary checking errors in syscons

    Category: core
    Module: sys_dev_syscons
    Announced: 2004-10-04
    Credits: Christer Oberg
    Affects: FreeBSD 5.x releases
    Corrected: 2004-09-30 17:49:15 UTC (RELENG_5, 5.3-BETA6)
                    2004-10-04 17:04:25 UTC (RELENG_5_2, 5.2.1-RELEASE-p11)
    CVE Name: CAN-2004-0919
    FreeBSD only: YES

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit
    <URL:http://www.freebsd.org/security/>.

    I. Background

    syscons(4) is the default console driver for FreeBSD. Using the
    physical keyboard and screen, it provides multiple virtual terminals
    which appear as if they were separate terminals. One virtual terminal
    is considered current and exclusively occupies the screen and the
    keyboard; the other virtual terminals are placed in the background.

    II. Problem Description

    The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of
    its input arguments. In particular, negative coordinates or large
    coordinates may cause unexpected behavior.

    III. Impact

    It may be possible to cause the CONS_SCRSHOT ioctl to return portions of
    kernel memory. Such memory might contain sensitive information, such as
    portions of the file cache or terminal buffers. This information might
    be directly useful, or it might be leveraged to obtain elevated
    privileges in some way. For example, a terminal buffer might include a
    user-entered password.

    IV. Workaround

    There is no known workaround. However, this bug is only exploitable
    by users who have access to the physical console or can otherwise open
    a /dev/ttyv* device node.

    V. Solution

    Perform one of the following:

    1) Upgrade your vulnerable system to the RELENG_5_2 security branch
    dated after the correction date.

    2) To patch your present system:

    The following patches have been verified to apply to FreeBSD 5.2
    systems.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:15/syscons.patch.asc

    b) Apply the patch.

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in
    <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
    system.

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in FreeBSD.

    Branch Revision
      Path
    - -------------------------------------------------------------------------
    RELENG_5_2
      src/UPDATING 1.282.2.19
      src/sys/conf/newvers.sh 1.56.2.18
      src/sys/dev/syscons/syscons.c 1.409.2.1
    - -------------------------------------------------------------------------

    VII. References

    <URL:http://cvsweb.freebsd.org/src/sys/dev/syscons/syscons.c.diff?r1=1.428&r2=1.429>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.6 (FreeBSD)

    iD8DBQFBYYMTFdaIBMps37IRAuNbAJ4jbPnqo3vvEeD33ItW09r3zAuh5QCghq5v
    SN4Y+OCpzJ7Szy3s++slzeQ=
    =FlYi
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

  • Next message: Darren Pilgrim: "RE: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons"

    Relevant Pages

    • FreeBSD Security Advisory FreeBSD-SA-05:03.amd64
      ... For general information regarding FreeBSD Security Advisories, ... including descriptions of the fields above, security branches, and the ... access hardware: Kernel code can access hardware directly by reason of ... To patch your present system: ...
      (Bugtraq)
    • FreeBSD Security Advisory FreeBSD-SA-05:03.amd64
      ... For general information regarding FreeBSD Security Advisories, ... including descriptions of the fields above, security branches, and the ... access hardware: Kernel code can access hardware directly by reason of ... To patch your present system: ...
      (FreeBSD-Security)
    • [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:03.amd64
      ... For general information regarding FreeBSD Security Advisories, ... including descriptions of the fields above, security branches, and the ... access hardware: Kernel code can access hardware directly by reason of ... To patch your present system: ...
      (freebsd-announce)
    • [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:15.syscons
      ... For general information regarding FreeBSD Security Advisories, ... including descriptions of the fields above, security branches, and the ... the other virtual terminals are placed in the background. ... To patch your present system: ...
      (freebsd-announce)
    • FreeBSD Security Advisory FreeBSD-SA-04:15.syscons
      ... For general information regarding FreeBSD Security Advisories, ... including descriptions of the fields above, security branches, and the ... the other virtual terminals are placed in the background. ... To patch your present system: ...
      (Bugtraq)