[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #2093 - 36 msgs

Danny daygl0 at ns.sympatico.ca
Thu Dec 2 23:25:40 GMT 2004 

There is a security update, I just noticed it.

  Security Update 2004-12-02 delivers a number of security enhancements  
and is recommended for all Macintosh users. This update includes the  
following components:

  Apache
  AppKit
  HIToolbox
  Kerberos
  Postfix
  PSNormalizer
  Safari
  Terminal


  For detailed information on this Update, please visit this website:  
http://www.info.apple.com/kbnum/n61798

On 2-Dec-04, at 3:32 PM, Randall Craig wrote:

> On Thu, 2 Dec 2004 10:58:02 -0600, Randall Craig <rgcraig at gmail.com>  
> wrote:
>  Ok I am super duper new to this list and also new to *nix... i will
>  never go back to M$ ceptin for gaming purposes... I am running on OS
>  X.3.3 and was wanting to know if the Security Alert pertaining to
>  FreeBSD would also affect my system. I know that BSD is running
>  underneath OS X... I am fairly sure that Apple is aware of it by
>  now-.
>  thnx
>
>  n0 r3m0r53
>
> ###############
>
> FreeBSD-SA-04:17.procfs                                     Security  
> Advisory
>                                                          The FreeBSD  
> Project
>
> Topic:          Kernel memory disclosure in procfs and linprocfs
>
> Category:       core
> Module:         sys
> Announced:      2004-12-01
> Credits:        Bryan Fulton, Ted Unangst, and the SWAT analysis tool
>                Coverity, Inc.
> Affects:        All FreeBSD releases
> Corrected:      2004-12-01 21:33:35 UTC (RELENG_5, 5.3-STABLE)
>                2004-12-01 21:34:23 UTC (RELENG_5_3, 5.3-RELEASE-p2)
>                2004-12-01 21:34:43 UTC (RELENG_5_2, 5.2.1-RELEASE-p13)
>                2004-12-01 21:33:57 UTC (RELENG_4, 4.10-STABLE)
>                2004-12-01 21:35:10 UTC (RELENG_4_10, 4.10-RELEASE-p5)
>                2004-12-01 21:35:57 UTC (RELENG_4_8, 4.8-RELEASE-p27)
> CVE Name:       CAN-2004-1066
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit
> <URL:http://www.freebsd.org/security/>.
>
> I.   Background
>
> The process file system, procfs(5), implements a view of the system
> process table inside the file system.  It is normally mounted on
> /proc, and is required for the complete operation of programs such as
> ps(1) and w(1).
>
> The Linux process file system, linprocfs(5), emulates a subset of
> Linux's process file system and is required for the complete operation
> of some Linux binaries.
>
> II.  Problem Description
>
> The implementation of the /proc/curproc/cmdline pseudofile in the  
> procfs(5)
> file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline
> pseudofile in the linprocfs(5) file system on FreeBSD 5.x reads a  
> process'
> argument vector from the process address space.  During this operation,
> a pointer was dereferenced directly without the necessary validation
> steps being performed.
>
> III. Impact
>
> A malicious local user could perform a local denial of service attack  
> by
> causing a system panic; or he could read parts of kernel memory.  Such
> memory might contain sensitive information, such as portions of the  
> file
> cache or terminal buffers.  This information might be directly useful,  
> or
> it might be leveraged to obtain elevated privileges in some way.  For
> example, a terminal buffer might contain a user-entered password.
>
> FreeBSD 4.x does not implement the /proc/self/cmdline pseudofile in
> its linprocfs(5) file system, and is therefore only affected if the
> procfs(5) file system is mounted.
>
> In its default configuration, FreeBSD 5.x does not utilize procfs(5)
> or linprocfs(5) and will therefore be unaffected by this vulnerability
> unless the configuration is changed.
>
> IV.  Workaround
>
> Unmount the procfs and linprocfs file systems if they are mounted.
> Execute the following command as root:
>
>  umount -A -t procfs,linprocfs
>
> Also, remove or comment out any lines in fstab(5) that reference
> `procfs' or `linprocfs', so that they will not be re-mounted at next
> reboot.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
> RELENG_5_3, RELENG_5_2, RELENG_4_10, or RELENG_4_8 security branch  
> dated
> after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 4.8, 4.10,
> 5.2, and 5.3 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 4.x]
> # fetch  
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch
> # fetch  
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/ 
> procfs4.patch.asc
>
> [FreeBSD 5.x]
> # fetch  
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch
> # fetch  
> ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/ 
> procfs5.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                            
> Revision
>  Path
> -  
> ----------------------------------------------------------------------- 
> --
> RELENG_4
>  src/sys/miscfs/procfs/procfs_status.c                          
>  1.20.2.6
> RELENG_4_10
>  src/UPDATING                                              
>  1.73.2.90.2.6
>  src/sys/conf/newvers.sh                                    
> 1.44.2.34.2.7
>  src/sys/miscfs/procfs/procfs_status.c                      
>  1.20.2.5.4.1
> RELENG_4_8
>  src/UPDATING                                              
> 1.73.2.80.2.30
>  src/sys/conf/newvers.sh                                  
>  1.44.2.29.2.28
>  src/sys/miscfs/procfs/procfs_status.c                      
>  1.20.2.4.8.2
> RELENG_5
>  src/sys/compat/linprocfs/linprocfs.c                            
> 1.84.2.1
>  src/sys/fs/procfs/procfs_status.c                              
>  1.52.2.1
> RELENG_5_3
>  src/UPDATING                                              
> 1.342.2.13.2.5
>  src/sys/compat/linprocfs/linprocfs.c                            
> 1.84.4.1
>  src/sys/conf/newvers.sh                                    
> 1.62.2.15.2.7
>  src/sys/fs/procfs/procfs_status.c                              
>  1.52.4.1
> RELENG_5_2
>  src/UPDATING                                                  
> 1.282.2.21
>  src/sys/compat/linprocfs/linprocfs.c                            
> 1.78.2.1
>  src/sys/conf/newvers.sh                                        
> 1.56.2.20
>  src/sys/fs/procfs/procfs_status.c                              
>  1.49.2.1
>
>
> ###############
> -- 
>
>
> R__|____||    C____
>                             |
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 7024 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041202/740ca10d/attachment.bin

Full-Disclosure is hosted and sponsored by Secunia.