From security-advisories at freebsd.org Thu Oct 2 00:39:20 2008 
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Thu Oct 2 00:39:33 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6
Message-ID: <200810020039.m920dK3F025616@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:10.nd6                                        Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 Neighbor Discovery Protocol routing vulnerability

Category:       core
Module:         sys_netinet6
Announced:      2008-10-01
Credits:        David Miles
Affects:        All supported versions of FreeBSD.
Corrected:      2008-10-01 00:32:59 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-10-01 00:32:59 UTC (RELENG_7_0, 7.0-RELEASE-p5)
                2008-10-01 00:32:59 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-10-01 00:32:59 UTC (RELENG_6_3, 6.3-RELEASE-p5)
CVE Name:       CVE-2008-2476

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability
information.

The Neighbor Discovery protocol uses Neighbor Solicitation (ICMPv6 type
135) to query target nodes for their link-layer addresses.

II.  Problem Description

IPv6 routers may allow "on-link" IPv6 nodes to create and update the
router's neighbor cache and forwarding information.  A malicious IPv6 node
sharing a common router but on a different physical segment from another
node may be able to spoof Neighbor Discovery messages, allowing it to
update router information for the victim node.

III. Impact

An attacker on a different physical network connected to the same IPv6
router as another node could redirect IPv6 traffic intended for that node.
This could lead to denial of service or improper access to private network
traffic.

IV.  Workaround

Firewall packet filters can be used to filter incoming Neighbor
Solicitation messages but may interfere with normal IPv6 operation if not
configured carefully.

Reverse path forwarding checks could be used to make gateways, such as
routers or firewalls, drop Neighbor Solicitation messages from nodes with
unexpected source addresses on a particular interface.

IPv6 router administrators are encouraged to read RFC 3756 for further
discussion of Neighbor Discovery security implications.

V.   Solution

NOTE WELL: The solution described below causes IPv6 Neighbor Discovery
Neighbor Solicitation messages from non-neighbors to be ignored.  This can
be re-enabled if required by setting the newly added
net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and 7.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch.asc

[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/netinet6/in6.h                                         1.36.2.10
  src/sys/netinet6/in6_proto.c                                   1.32.2.10
  src/sys/netinet6/nd6.h                                          1.19.2.4
  src/sys/netinet6/nd6_nbr.c                                     1.29.2.11
RELENG_6_3
  src/UPDATING                                               1.416.2.37.2.10
  src/sys/conf/newvers.sh                                     1.69.2.15.2.9
  src/sys/netinet6/in6.h                                       1.36.2.8.2.1
  src/sys/netinet6/in6_proto.c                                 1.32.2.8.2.1
  src/sys/netinet6/nd6.h                                       1.19.2.2.6.1
  src/sys/netinet6/nd6_nbr.c                                   1.29.2.9.2.1
RELENG_7
  src/sys/netinet6/in6.h                                          1.51.2.2
  src/sys/netinet6/in6_proto.c                                    1.46.2.3
  src/sys/netinet6/nd6.h                                          1.21.2.2
  src/sys/netinet6/nd6_nbr.c                                      1.47.2.3
RELENG_7_0
  src/UPDATING                                                1.507.2.3.2.9
  src/sys/conf/newvers.sh                                      1.72.2.5.2.9
  src/sys/netinet6/in6.h                                          1.51.4.1
  src/sys/netinet6/in6_proto.c                                    1.46.4.1
  src/sys/netinet6/nd6.h                                          1.21.4.1
  src/sys/netinet6/nd6_nbr.c                                      1.47.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476
http://www.kb.cert.org/vuls/id/472363

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:10.nd6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkjkF2cACgkQFdaIBMps37KWWgCZAfug94zPIdkzW0tdIdSDzH/0
j18AnjypvJrRtzeQqhJkRU9wQWozgWvj
=ieTi
-----END PGP SIGNATURE-----
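A model of the Neighbor Solicitation acceptance policy the advisory's Solution section describes, added here as an illustration and not the FreeBSD kernel code: RFC 4861 validation first, then the non-neighbor check that is active while net.inet6.icmp6.nd6_onlink_ns_rfc4861 is 0. The interface model, the on-link test and all prefixes and addresses are constructed assumptions.

```python
"""Neighbor Solicitation acceptance policy as the advisory describes it
(added model, not the FreeBSD kernel code). RFC 4861 lets a router accept
an NS from any unicast source, so a node on one attached segment can create
neighbor-cache state for a node on another segment. The corrected kernel
ignores NS messages from non-neighbors unless the sysctl
net.inet6.icmp6.nd6_onlink_ns_rfc4861 is non-zero. All data is constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass
class Interface:
    """Receiving interface with its on-link prefixes (assumed model)."""
    name: str
    onlink_prefixes: List[ipaddress.IPv6Network] = field(default_factory=list)

    def is_neighbor(self, addr: ipaddress.IPv6Address) -> bool:
        """On-link if link-local or covered by one of our prefixes."""
        return addr in LINK_LOCAL or any(addr in p for p in self.onlink_prefixes)


@dataclass
class NeighborSolicitation:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    target: ipaddress.IPv6Address
    hop_limit: int = 255
    code: int = 0


def accept_ns(ns, ifp, nd6_onlink_ns_rfc4861=0):
    """RFC 4861 7.1.1 validation, then the non-neighbor check the advisory
    adds (active while the sysctl is 0). Returns "accept" or a drop reason."""
    if ns.hop_limit != 255:
        return "drop: hop limit not 255, packet crossed a router"
    if ns.code != 0:
        return "drop: ICMPv6 code not 0"
    if ns.target.is_multicast:
        return "drop: multicast target"
    if ns.src == UNSPECIFIED:  # Duplicate Address Detection probe
        if ns.dst not in SOLICITED_NODE:
            return "drop: DAD probe not sent to solicited-node multicast"
        return "accept"
    if not nd6_onlink_ns_rfc4861 and not ifp.is_neighbor(ns.src):
        return "drop: NS from non-neighbor %s on %s" % (ns.src, ifp.name)
    return "accept"


# Constructed scenario: router with em0 on 2001:db8:1::/64 and em1 on
# 2001:db8:2::/64. An NS arriving on em1 whose source address belongs to
# the em0 segment is the off-link case the advisory describes.
EM0 = Interface("em0", [ipaddress.IPv6Network("2001:db8:1::/64")])
EM1 = Interface("em1", [ipaddress.IPv6Network("2001:db8:2::/64")])
ROUTER_EM1 = ipaddress.IPv6Address("2001:db8:2::1")
SOL_NODE = ipaddress.IPv6Address("ff02::1:ff00:1")  # solicited-node of ROUTER_EM1
ONLINK_NS = NeighborSolicitation(ipaddress.IPv6Address("2001:db8:2::20"), SOL_NODE, ROUTER_EM1)
OFFLINK_NS = NeighborSolicitation(ipaddress.IPv6Address("2001:db8:1::10"), SOL_NODE, ROUTER_EM1)
DAD_NS = NeighborSolicitation(UNSPECIFIED, SOL_NODE, ROUTER_EM1)
LINKLOCAL_NS = NeighborSolicitation(ipaddress.IPv6Address("fe80::1"), ROUTER_EM1, ROUTER_EM1)
```

With the sysctl at its new default of 0 the same off-link NS is dropped on em1 but accepted on em0, which is what makes the check per-interface rather than per-address.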
From: smithi at nimnet.asn.au (Ian Smith)
Date: Thu Oct 2 06:47:34 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6
In-Reply-To: <200810020039.m920dK3F025616@freefall.freebsd.org>
References: <200810020039.m920dK3F025616@freefall.freebsd.org>
Message-ID: <20081002161648.R49572@sola.nimnet.asn.au>

On Thu, 2 Oct 2008, FreeBSD Security Advisories wrote:

[..]

> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476

While this link works, the first link on that page, 'Learn more at
National Vulnerability Database (NVD)' to
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2476
does not, saying it's not in the right format of CVE-XXX-XXXX ?

> http://www.kb.cert.org/vuls/id/472363

This link doesn't work, and neither does searching for '472363' there?
Or at least, not from here :)

cheers, Ian

From: rwatson at FreeBSD.org (Robert Watson)
Date: Thu Oct 2 12:19:18 2008
Subject: Missing /dev/auditpipe
In-Reply-To: <48DB7CA4.80609@fsn.hu>
References: <48DB7CA4.80609@fsn.hu>
Message-ID:

On Thu, 25 Sep 2008, Attila Nagy wrote:

> Running RELENG_7 (and HEAD too), and I can't find the auditpipe device. Is
> there anything which should be set in order to make it useable?
>
> auditd runs and logs to /var/audit, which I can read with praudit.

(Following up to the list because Attila and I exchanged e-mail offline)

The problem here was that /dev/auditpipe is cloning, so it doesn't exist
until you try to open it.  In FreeBSD 8.x, and possibly 7.2, we're moving
to the new per-cdev private data so that /dev/auditpipe will always exist
supporting multiple sessions, and there won't be a series of dynamically
created devices, but that's not ready to hit a release yet.

Robert N M Watson
Computer Laboratory
University of Cambridge
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Oct 2 17:51:15 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6
In-Reply-To: <20081002161648.R49572@sola.nimnet.asn.au>
References: <200810020039.m920dK3F025616@freefall.freebsd.org>
	<20081002161648.R49572@sola.nimnet.asn.au>
Message-ID: <20081002173325.M7528@maildrop.int.zabbadoz.net>

On Thu, 2 Oct 2008, Ian Smith wrote:

> > http://www.kb.cert.org/vuls/id/472363
>
> This link doesn't work, and neither does searching for '472363' there?
> Or at least, not from here :)

It's been working for a few hours now. Time difference in continents
and coasts and all that...

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From: smithi at nimnet.asn.au (Ian Smith)
Date: Thu Oct 2 22:56:07 2008
Subject: FreeBSD Security Advisory FreeBSD-SA-08:10.nd6
In-Reply-To: <20081002173325.M7528@maildrop.int.zabbadoz.net>
References: <200810020039.m920dK3F025616@freefall.freebsd.org>
	<20081002161648.R49572@sola.nimnet.asn.au>
	<20081002173325.M7528@maildrop.int.zabbadoz.net>
Message-ID: <20081003084008.G49572@sola.nimnet.asn.au>

On Thu, 2 Oct 2008, Bjoern A. Zeeb wrote:

> On Thu, 2 Oct 2008, Ian Smith wrote:
>
> > > http://www.kb.cert.org/vuls/id/472363
> >
> > This link doesn't work, and neither does searching for '472363' there?
> >
> > Or at least, not from here :)
>
> It's been working for a few hours now. Time difference in continents
> and coasts and all that...

Thanks.  Glad to see our SA was out ahead of the game ..

Now to read this another 3 times to try making more sense of it:
http://www.potaroo.net/ispcol/2008-08/ipv6addr.html

cheers, Ian
From: olli at lurza.secnetix.de (Oliver Fromme)
Date: Thu Oct 9 13:38:43 2008
Subject: Sockstress
In-Reply-To:
Message-ID: <200810091338.m99DcW3a006320@lurza.secnetix.de>

This is the wrong mailing list, you should send this to the
-security list.

By the way, this kind of attack isn't really new (as far as I
can tell from the little information that has been made public
so far).  One way to mitigate it is to limit the number of
open connections per remote IP address; you can easily do that
with PF or IPFW ("limit" option).

Best regards
   Oliver

Lukasz Jaroszewski wrote:
 > Hi,
 > I am wondering about the sockstress information recently published. I can't
 > really figure out what new they could have found. Do we have anything to
 > worry about? ;-)
 >
 > http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
 >
 > ``(...)Sockstress computes and stores so-called client-side SYN cookies and
 > enables Lee and Louis to specify a destination port and IP address. The
 > method allows them to complete the TCP handshake without having to store any
 > values, which takes time and resources. "We can then say that we want to
 > establish X number of TCP connections on that address and that we want to
 > use this attack type, and it does it," Lee said.(...)''
 >
 > ``(...)Lee said that when and _if_ specific vendors develop workarounds for
 > the issues, they will release details of those issues.(...)''
 >
 > Was the FreeBSD team contacted? ;)

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registration court, HRA 74606; management:
secnetix Verwaltungsgesellsch. mbH; commercial register: Munich registration
court, HRB 125758; managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"Unix gives you just enough rope to hang yourself --
and then a couple of more feet, just to be sure."
        -- Eric Allman
From: gunther.mayer at googlemail.com (Gunther Mayer)
Date: Mon Oct 20 12:01:56 2008
Subject: Secure libxml2?
Message-ID: <48FC69EC.9000609@gmail.com>

Hi there,

We're using libxml2 and the version in ports (2.6.x) currently suffers
from a rather serious security vulnerability already posted last Friday:
http://www.freebsd.org/ports/portaudit/d71da236-9a94-11dd-8f42-001c2514716c.html

Yet there's no libxml2-2.7.x in ports as required by the above notice.
So there's no solution other than compiling an up-to-date one by hand
and that opens up a whole different can of worms regarding dependencies.

I emailed the official maintainer (gnome@freebsd.org) but am not
holding my breath, chances are they won't even see my mail amongst all
the spam they must be getting.  So I'm wondering does anybody know
what's going on or what I could do to get my systems secure?

Regards, Gunther

From: des at des.no (Dag-Erling Smørgrav)
Date: Mon Oct 20 12:57:21 2008
Subject: Secure libxml2?
In-Reply-To: <48FC69EC.9000609@gmail.com> (Gunther Mayer's message of "Mon,
	20 Oct 2008 13:22:20 +0200")
References: <48FC69EC.9000609@gmail.com>
Message-ID: <861vybifvd.fsf@ds4.des.no>

Gunther Mayer writes:
> I emailed the official maintainer (gnome@freebsd.org) but am not
> holding my breath, chances are they won't even see my mail amongst all
> the spam they must be getting. So I'm wondering does anybody know
> what's going on or what I could do to get my systems secure?

Actually, gnome@freebsd.org is a mailing list (freebsd-gnome) that gets
very little spam.  Feel free to subscribe and / or peruse the archive.
In the meantime, there is a PR (ports/127661) with a patch that you
might try.

DES
-- 
Dag-Erling Smørgrav - des@des.no
From: akosela at andykosela.com (Andy Kosela)
Date: Wed Oct 22 08:49:32 2008
Subject: [Fwd: Kaminsky redux - libspf2 dns parsing bug]
In-Reply-To: <3cc535c80810220137g4afec193h947a0886b43a3a62@mail.gmail.com>
References: <3cc535c80810220137g4afec193h947a0886b43a3a62@mail.gmail.com>
Message-ID: <3cc535c80810220149o3d0fe787w4cace41ee3a8694c@mail.gmail.com>

Some of you probably already heard about this...

From Kaminsky's http://www.doxpara.com/?p=1263

------
I really need to learn to leave DNS alone :)

DNS TXT Record Parsing Bug in LibSPF2

A relatively common bug parsing TXT records delivered over DNS, dating at
least back to 2002 in Sendmail 8.2.0 and almost certainly much earlier,
has been found in LibSPF2, a library frequently used to retrieve SPF
(Sender Policy Framework) records and apply policy according to those
records.  This implementation flaw allows for relatively flexible memory
corruption, and should thus be treated as a path to anonymous remote code
execution.

Of particular note is that the remote code execution would occur on
servers specifically designed to receive E-Mail from the Internet, and
that these systems may in fact be high volume mail exchangers.  This
creates privacy implications.  It is also the case that a corrupted email
server is a useful "jumping off" point for attackers to corrupt desktop
machines, since attachments can be corrupted with malware while the
containing message stays intact.  So there are internal security
implications as well, above and beyond corruption of the mail server on
the DMZ.

Apparently LibSPF2 is actually used to secure quite a bit of mail traffic
- there's a lot of SPAM out there.

Fix is out, see http://www.libspf2.org/index.html or your friendly
neighborhood distro.

Thanks to Shevek, CERT (VU#183657), Ken Simpson of MailChannels, Andre
Engel, Scott Kitterman, and Hannah Schroeter for their help with this.
------

-- 
Andy Kosela
ora et labora
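The forwarded post names the bug class (parsing DNS TXT records) but gives no detail of the libspf2 flaw itself, so the following is an added illustration, not libspf2 code: a bounds-checked TXT RDATA parser next to the unchecked pattern, applied to a constructed SPF record and a constructed record whose length octet overruns the data. The MAX_SPF_LEN cap is an assumption.

```python
"""Bounds-checked parsing of DNS TXT RDATA into an SPF record (added
illustration, not libspf2 code; the page gives no detail of the bug).
TXT RDATA is a sequence of <character-string>s, each one length octet
followed by that many octets (RFC 1035 3.3.14). The length octet arrives
from the network and must be checked against the RDLENGTH that framed
the record before it is used as a copy length."""
from typing import List

MAX_SPF_LEN = 4096  # assumed cap for a joined SPF record


def parse_txt_strings(rdata: bytes) -> List[bytes]:
    """Split RDATA into its character-strings; refuse a length octet
    that would read past the end of the record."""
    strings, pos, end = [], 0, len(rdata)
    while pos < end:
        n = rdata[pos]  # untrusted length octet, 0..255
        pos += 1
        if pos + n > end:
            raise ValueError("length %d exceeds remaining RDATA %d" % (n, end - pos))
        strings.append(rdata[pos:pos + n])
        pos += n
    return strings


def naive_txt_strings(rdata: bytes) -> List[bytes]:
    """The unchecked pattern: trust the length octet and copy that many
    bytes. A Python slice silently truncates; the same copy in C reads or
    writes past the buffer, the memory corruption class the post describes."""
    strings, pos = [], 0
    while pos < len(rdata):
        n = rdata[pos]
        strings.append(rdata[pos + 1:pos + 1 + n])
        pos += 1 + n
    return strings


def spf_record(rdata: bytes) -> str:
    """Join the character-strings (RFC 4408 3.1.3) and validate the result."""
    joined = b"".join(parse_txt_strings(rdata))
    if len(joined) > MAX_SPF_LEN:
        raise ValueError("SPF record too long")
    text = joined.decode("ascii")  # SPF records are ASCII
    if not text.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    return text


def is_rejected(rdata: bytes) -> bool:
    """True when the checked parser refuses the record."""
    try:
        parse_txt_strings(rdata)
    except ValueError:
        return True
    return False


# Constructed samples: a well-formed two-string record, and one whose
# length octet (0xff) claims 255 bytes while only 11 follow.
GOOD_RDATA = b"\x18v=spf1 ip4:192.0.2.0/24 " + b"\x04-all"
BAD_RDATA = b"\xffv=spf1 -all"
```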
From: bz at FreeBSD.org (Bjoern A. Zeeb)
Date: Sat Oct 25 22:05:47 2008
Subject: CVE-2008-3831 / svn commit: r184263 - head/sys/dev/drm (fwd)
Message-ID: <20081025211406.A2978@maildrop.int.zabbadoz.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

the commit referenced below fixes a problem arising from an insufficient
(missing) privilege check.

If you are running a HEAD kernel from Aug 23 2008 (r182080) or later with
drm/i915drm you want to update your kernel.

The problem is only present in HEAD thus there will be no security
advisory.

Regards,
Bjoern A. Zeeb
FreeBSD Security Team

- -- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

- ---------- Forwarded message ----------
Date: Sat, 25 Oct 2008 16:29:28 +0000 (UTC)
From: Robert Noland
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
    svn-src-head@freebsd.org
Subject: svn commit: r184263 - head/sys/dev/drm

Author: rnoland
Date: Sat Oct 25 16:29:28 2008
New Revision: 184263

URL: http://svn.freebsd.org/changeset/base/184263

Log:
  drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)

  Olaf Kirch noticed that the i915_set_status_page() function of the i915
  kernel driver calls ioremap with an address offset that is supplied by
  userspace via ioctl.  The function zeroes the mapped memory via memset
  and tells the hardware about the address.

  Turns out that access to that ioctl is not restricted to root so users
  could probably exploit that to do nasty things.  We haven't tried to
  write actual exploit code though.

  It only affects the Intel G33 series and newer.

  Approved by:	bz (secteam)
  Obtained from:	Intel drm repo
  Security:	CVE-2008-3831

Modified:
  head/sys/dev/drm/i915_dma.c

Modified: head/sys/dev/drm/i915_dma.c
==============================================================================
- --- head/sys/dev/drm/i915_dma.c	Sat Oct 25 14:01:29 2008	(r184262)
+++ head/sys/dev/drm/i915_dma.c	Sat Oct 25 16:29:28 2008	(r184263)
@@ -1228,7 +1228,7 @@ struct drm_ioctl_desc i915_ioctls[] = { DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ), DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH), DRM_IOCTL_DEF(DRM_I915_MMIO, i915_mmio, DRM_AUTH), - - DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH), + DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), #ifdef I915_HAVE_BUFFER DRM_IOCTL_DEF(DRM_I915_EXECBUFFER, i915_execbuffer, DRM_AUTH), #endif -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.2 (FreeBSD) iD8DBQFJA5MKK1i4+DzPGEIRAp0NAJ9cGyIwyTLp4hYvbwYMll7cROkmKQCghNvb sy2LhCFWcEzfad7oEP1qU4M= =RXrx -----END PGP SIGNATURE-----
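Review bot: the hunk changes only the ioctl table flags for DRM_I915_HWS_ADDR (DRM_AUTH to DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY) and leaves i915_set_status_page() itself untouched, so the userspace-supplied offset the log describes still reaches ioremap and memset unvalidated for the root DRM master; consider a range check on the offset inside the handler as defense in depth, and have the log say that the fix restricts who may call the ioctl rather than how the address is handled. A one-line comment at the table entry explaining why this ioctl needs DRM_ROOT_ONLY would also help, since the neighbouring entries stay DRM_AUTH only and the asymmetry is otherwise unexplained.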