Upcoming FreeBSD Security Advisory
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Tue Dec 1 07:52:37 UTC 2009
Colin, *, good day.
Tue, Dec 01, 2009 at 01:20:45AM +0000, FreeBSD Security Officer wrote:
> A short time ago a "local root" exploit was posted to the full-disclosure
> mailing list; as the name suggests, this allows a local user to execute
> arbitrary code as root.
>
> [...]
>
> The patch is at
> http://people.freebsd.org/~cperciva/rtld.patch
> and has SHA256 hash
> ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1
Just to ease others' lives: for 7.1 (and 7.0, but it seems to be at EoL
now, so there is already no support for it), one should use another patch:
-----
http://codelabs.ru/fbsd/patches/vulns/freebsd-7.0-rtld-unsetenv.diff
SHA256 (freebsd-7.0-rtld-unsetenv.diff) = e5ebbea24073bf644d3bc0c1ba37674a387af656b4c7e583a564a83598930897
SHA1 (freebsd-7.0-rtld-unsetenv.diff) = 24a79be52be0ea00ed0ea279f25efbf597f9c850
-----
Actually, every system that has rtld.c with r190323 or lower should
use this variant -- clearing of LD_ELF_HINTS_PATH was introduced only
in r190324.
By the way, if people are using NO_DYNAMIC_ROOT and all setuid
executables come from the system itself (no sudo and other stuff from
ports or manual installations), such a system is obviously safe from this
issue -- no dynamic loading takes place. I don't mean that people with
such systems shouldn't upgrade, but they probably can do it with less
urgency.
Thanks for posting the patch!
--
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #