FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
lxn smth
lxn.smth at gmail.com
Thu Dec 3 19:49:11 UTC 2009
Can anybody explain why there is no credit section for this advisory?
On Thu, Dec 3, 2009 at 1:30 AM, FreeBSD Security Advisories
<security-advisories at freebsd.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-09:16.rtld Security Advisory
> The FreeBSD Project
>
> Topic: Improper environment sanitization in rtld(1)
>
> Category: core
> Module: rtld
> Announced: 2009-12-03
> Affects: FreeBSD 7.0 and later.
> Corrected: 2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
> 2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
> 2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
> 2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
> 2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
> CVE Name: CVE-2009-4146, CVE-2009-4147
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> The run-time link-editor, rtld, links dynamic executables with their
> needed libraries at run-time. It also allows users to explicitly
> load libraries via various LD_ environmental variables.
>
> II. Problem Description
>
> When running setuid programs rtld will normally remove potentially
> dangerous environment variables. Due to recent changes in FreeBSD
> environment variable handling code, a corrupt environment may
> result in attempts to unset environment variables failing.
>
> III. Impact
>
> An unprivileged user who can execute programs on a system can gain
> the privileges of any setuid program which he can run. On most
> system configurations, this will allow a local attacker to execute
> code as the root user.
>
> IV. Workaround
>
> No workaround is available, but systems without untrusted local users,
> where all the untrusted local users are jailed superusers, and/or where
> untrusted users cannot execute arbitrary code (e.g., due to use of read
> only and noexec mount options) are not affected.
>
> Note that "untrusted local users" include users with the ability to
> upload and execute web scripts (CGI, PHP, Python, Perl etc.), as they
> may be able to exploit this issue.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated
> after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 7.1, 7.2,
> and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 7.x]
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc
>
> [FreeBSD 8.0]
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
> # fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/libexec/rtld-elf
> # make obj && make depend && make && make install
>
> NOTE: On the amd64 platform, the above procedure will not update the
> ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld). On
> amd64 systems where the i386 rtld is installed, the operating system
> should instead be recompiled as described in
> <URL:http://www.FreeBSD.org/handbook/makeworld.html>
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                            Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_7
>   src/libexec/rtld-elf/rtld.c     1.124.2.7
> RELENG_7_2
>   src/UPDATING                    1.507.2.23.2.8
>   src/sys/conf/newvers.sh         1.72.2.11.2.9
>   src/libexec/rtld-elf/rtld.c     1.124.2.4.2.2
> RELENG_7_1
>   src/UPDATING                    1.507.2.13.2.12
>   src/sys/conf/newvers.sh         1.72.2.9.2.13
>   src/libexec/rtld-elf/rtld.c     1.124.2.3.2.2
> RELENG_8
>   src/libexec/rtld-elf/rtld.c     1.139.2.4
> RELENG_8_0
>   src/UPDATING                    1.632.2.7.2.4
>   src/sys/conf/newvers.sh         1.83.2.6.2.4
>   src/libexec/rtld-elf/rtld.c     1.139.2.2.2.2
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                       Revision
> - -------------------------------------------------------------------------
> stable/7/                         r199981
> releng/7.2/                       r200054
> releng/7.1/                       r200054
> stable/8/                         r199980
> releng/8.0/                       r200054
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4146
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4147
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-09:16.rtld.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iEUEARECAAYFAksXg/IACgkQFdaIBMps37KrLwCdH4JsCrvdS1RGoGj7MlNgV3+/
> nhYAliVcz9tL8Ll6pYKpIalR740sZ5s=
> =jK/a
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
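An added illustration of the failure mode in section II of the quoted advisory (not part of this thread and not the FreeBSD patch): a sanitizer for LD_* variables that reports a malformed environment instead of failing silently, so a privileged caller can abort. `scrub_ld_vars` and `entry_ok` are hypothetical names, and treating an entry that lacks a `NAME=` prefix as corrupt is an assumption of this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not rtld's code. A well-formed entry is NAME=value
 * with a non-empty NAME; anything else counts as a corrupt environment
 * (an assumption made for this example). */
static int entry_ok(const char *e)
{
    const char *eq = strchr(e, '=');
    return eq != NULL && eq != e;
}

/*
 * Remove every LD_* variable from the NULL-terminated vector envp, in place.
 * Returns the number of entries removed, or -1 if the vector is malformed.
 * The whole vector is validated before anything is modified, so a -1 result
 * never leaves it half-sanitized. A setuid caller must abort on -1.
 */
int scrub_ld_vars(char **envp)
{
    size_t in, out = 0;
    int removed = 0;

    if (envp == NULL)
        return -1;
    for (in = 0; envp[in] != NULL; in++)
        if (!entry_ok(envp[in]))
            return -1;                  /* fail closed */

    for (in = 0; envp[in] != NULL; in++) {
        if (strncmp(envp[in], "LD_", 3) == 0)
            removed++;                  /* drop the entry */
        else
            envp[out++] = envp[in];     /* keep it, compacting the vector */
    }
    envp[out] = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environments. */
    char *good[] = { "PATH=/bin", "LD_LIBRARY_PATH=/opt/lib", "HOME=/root", NULL };
    char *bad[]  = { "PATH=/bin", "LD_LIBRARY_PATH", NULL };
    return (scrub_ld_vars(good) == 1 && scrub_ld_vars(bad) == -1) ? 0 : 1;
}
```

The point is the return value: a sanitizer that can fail must say so, and the privileged caller must stop rather than continue with an environment it could not clean.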