From rea-fbsd at codelabs.ru Fri May 1 18:42:29 2009
From: rea-fbsd at codelabs.ru (Eygene Ryabinkin)
Date: Fri May 1 18:42:36 2009
Subject: ports/126853: ports-mgmt/portaudit: speed up audit of installed packages
In-Reply-To:
References: <48DE5CC0.9000708@localhost.inse.ru> <48DF6735.4030906@quip.cz> <4bESZpNwE3z/DdlE2fwK/BXzQSo@2MQ0uKCiT7mdMUuLeUzs8Nv3ToQ>
Message-ID:

Gentlemen, good day.

Just a reminder about this PR -- it is already a bit old. But it is
still viable and kicking on many machines of mine. I am seeing
speedups from 10x to 26x compared to the plain portaudit. Since the
VuXML database will only grow, it would be good to consider these
patches and (likely) integrate them into main trees.

Could someone, please, look at the patches? I had uploaded slightly
modified patches to the old locations. Most of the changes were
cosmetic: whitespace and so on. No real code was changed.

In the case of suggestions, bugs, etc -- I am all ears.

Thanks!
--
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #

From cperciva at freebsd.org Sat May 2 02:13:17 2009
From: cperciva at freebsd.org (FreeBSD Security Officer)
Date: Sat May 2 02:13:37 2009
Subject: FreeBSD supported branches update
Message-ID: <49FBAC3A.7050009@freebsd.org>

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been
updated to reflect the EoL (end-of-life) of FreeBSD 7.0. The new list
is below and at . Please note that FreeBSD 7.0 was originally announced
with an EoL date of February 28, 2009, but the EoL was delayed by two
months in order to allow a 3 month window for systems to be upgraded to
FreeBSD 7.1.

Users of FreeBSD 7.0 are advised to upgrade promptly to FreeBSD 7.1,
either by downloading an updated source tree and building updates
manually, or (for i386 and amd64 systems) using the FreeBSD Update
utility as described in the FreeBSD 7.1 release announcement.

Some users may wish to wait for the upcoming FreeBSD 7.2-RELEASE;
however, they should be aware that FreeBSD 7.2-RELEASE will only
receive "normal" support (i.e., support for 12 months) and consequently
it will not be supported for as long as FreeBSD 7.1.

[Excerpt from http://security.freebsd.org/ follows]

FreeBSD Security Advisories

The FreeBSD Security Officer provides security advisories for several
branches of FreeBSD development. These are the -STABLE Branches and the
Security Branches. (Advisories are not issued for the -CURRENT Branch.)

  * The -STABLE branch tags have names like RELENG_7. The corresponding
    builds have names like FreeBSD 7.0-STABLE.

  * Each FreeBSD Release has an associated Security Branch. The
    Security Branch tags have names like RELENG_7_0. The corresponding
    builds have names like FreeBSD 7.0-RELEASE-p1.

Issues affecting the FreeBSD Ports Collection are covered in the
FreeBSD VuXML document.

Each branch is supported by the Security Officer for a limited time
only, and is designated as one of `Early adopter', `Normal', or
`Extended'. The designation is used as a guideline for determining the
lifetime of the branch as follows.

Early adopter
    Releases which are published from the -CURRENT branch will be
    supported by the Security Officer for a minimum of 6 months after
    the release.

Normal
    Releases which are published from a -STABLE branch will be
    supported by the Security Officer for a minimum of 12 months after
    the release, and for sufficient additional time (if needed) to
    ensure that there is a newer release for at least 3 months before
    the older Normal release expires.

Extended
    Selected releases (normally every second release plus the last
    release from each -STABLE branch) will be supported by the Security
    Officer for a minimum of 24 months after the release, and for
    sufficient additional time (if needed) to ensure that there is a
    newer Extended release for at least 3 months before the older
    Extended release expires.

The current designation and estimated lifetimes of the currently
supported branches are given below. The Estimated EoL (end-of-life)
column gives the earliest date on which that branch is likely to be
dropped. Please note that these dates may be extended into the future,
but only extenuating circumstances would lead to a branch's support
being dropped earlier than the date listed.

+--------------------------------------------------------------------+
|  Branch   |  Release  |  Type  |  Release date   |  Estimated EoL  |
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_6   |n/a        |n/a     |n/a              |November 30, 2010|
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_6_3 |6.3-RELEASE|Extended|January 18, 2008 |January 31, 2010 |
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_6_4 |6.4-RELEASE|Extended|November 28, 2008|November 30, 2010|
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_7   |n/a        |n/a     |n/a              |last release + 2y|
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_7_1 |7.1-RELEASE|Extended|January 4, 2009  |January 31, 2011 |
+--------------------------------------------------------------------+

[End excerpt]

--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From oliver.pntr at gmail.com Mon May 18 16:41:24 2009
From: oliver.pntr at gmail.com (Oliver Pinter)
Date: Mon May 18 16:41:56 2009
Subject: FreeBSD 7.2
Message-ID: <6101e8c40905180908x6d80b279n919fdcc3890e69f6@mail.gmail.com>

Hi all!

here is a paxtest output:

http://www.grsecurity.net/~paxguy1/paxtest-0.9.7-pre5.tar.gz

[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest
usage: paxtest [kiddie|blackhat]
[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

__________Mode: kiddie________
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 root@oliverp:/usr/obj/usr/src/sys/stable amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
>>>>>>>>> Executable shared library bss (mprotect) : Vulnerable <<<<<<<<<<
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable
[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

____________Mode: blackhat__________
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 root@oliverp:/usr/obj/usr/src/sys/stable amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
>>>>>>>>> Executable shared library bss (mprotect) : Killed <<<<<<<<<<<<<<<<<<
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable
[oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

__________________Mode: kiddie____________
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 root@oliverp:/usr/obj/usr/src/sys/stable amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
>>>>>>>>>>>Executable shared library bss (mprotect) : Vulnerable <<<<<<<<<<<<<<<<<<<
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable
oliver@oliverp /tmp/paxtest-0.9.7-pre5]$ ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

___________Mode: blackhat_______
FreeBSD oliverp 7.2-STABLE FreeBSD 7.2-STABLE #20: Sat May 9 21:13:36 CEST 2009 root@oliverp:/usr/obj/usr/src/sys/stable amd64

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
>>>>>>>>>>>>>Executable shared library bss (mprotect) : Vulnerable<<<<<<<<<
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : No randomisation
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (strcpy, RANDEXEC)    : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

--------------------
sum

kiddie 1st:   Executable shared library bss (mprotect) : Vulnerable
blackhat 1st: Executable shared library bss (mprotect) : Killed
kiddie 2nd:   Executable shared library bss (mprotect) : Vulnerable
blackhat 2nd: Executable shared library bss (mprotect) : Vulnerable

it is the interesting part, when in kiddie mode is vulnerable, and in
black mode is too vulnerable, but in first run not..

the running order is: kiddie, blackhat, kiddie, blackhat

ps.: sorry for the bad English

From rea-fbsd at codelabs.ru Thu May 21 15:27:15 2009
From: rea-fbsd at codelabs.ru (Eygene Ryabinkin)
Date: Thu May 21 15:27:22 2009
Subject: FYI: ntpd, CVE-2009-1252, remote code execution with enabled Autokey authentication
Message-ID:

For those who are running Autokey with stock NTPD:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
  http://www.freebsd.org/cgi/query-pr.cgi?pr=134787

For users of net/ntp:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/134755
  http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/134756
--
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #

From jakub_lach at mailplus.pl Tue May 26 17:36:47 2009
From: jakub_lach at mailplus.pl (Jakub Lach)
Date: Tue May 26 17:42:51 2009
Subject: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
Message-ID: <23727599.post@talk.nabble.com>

http://www.milw0rm.com/exploits/8786
http://redmine.lighttpd.net/issues/1989
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

affected: FreeBSD, OSX, Solaris < 10
not affected: Linux, NetBSD, OpenBSD, DragonflyBSD, Solaris 10

--
View this message in context: http://www.nabble.com/FYI-Lighttpd-1.4.23--kernel-%28trailing-%27-%27-on-regular-file-symlink%29-vulnerability-tp23727599p23727599.html
Sent from the freebsd-security mailing list archive at Nabble.com.

From des at des.no Tue May 26 20:32:46 2009
From: des at des.no (Dag-Erling Smørgrav)
Date: Tue May 26 21:02:20 2009
Subject: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability
In-Reply-To: <23727599.post@talk.nabble.com> (Jakub Lach's message of "Tue, 26 May 2009 10:18:50 -0700 (PDT)")
References: <23727599.post@talk.nabble.com>
Message-ID: <86prdvipwe.fsf@ds4.des.no>

[moving from security@ to hackers@]

Jakub Lach writes:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

Like bde@ pointed out, the patch is incorrect. It moves the test for
v_type != VDIR up to a point where, in the case of a symlink, v_type is
always (by definition) VLNK.

The reason why the current code does not work is that, in the symlink
case, the v_type != VDIR test is never reached: we will have jumped to
either bad2 or success. However, it should be safe to move the test to
after the success label, because trailing_slash is only ever true for
the last component of the path we were asked to look up (see lines 520
through 535).

The attached patch should work.

DES
--
Dag-Erling Smørgrav - des@des.no
-------------- next part --------------
A non-text attachment was scrubbed...
Name: symlink-slash.diff
Type: text/x-patch
Size: 748 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20090526/2309e5a0/symlink-slash.bin
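
The lookup behaviour discussed in the last thread (a trailing '/' on a symlink to a regular file) can be checked from userland. The C program below is an added example, not part of the archived messages and not the scrubbed symlink-slash.diff; the scratch path and the names probe() and check_trailing_slash() are assumptions made for illustration. It opens a regular file and a symlink to it with a trailing slash and reports whether the kernel answers ENOTDIR, which POSIX pathname resolution requires when the last component is not a directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 0 = "<path>/" rejected with ENOTDIR, 1 = open succeeded, -1 = other error */
static int probe(const char *path_with_slash)
{
    int fd = open(path_with_slash, O_RDONLY);
    if (fd < 0)
        return errno == ENOTDIR ? 0 : -1;
    close(fd);
    return 1;
}

/* Builds a scratch directory with a regular file and a symlink to it (names
 * constructed for this example) and probes both with a trailing slash.
 * Bitmask result: bit 0 = "regular/" opened, bit 1 = "link/" opened; -1 = error. */
int check_trailing_slash(void)
{
    char dir[] = "/tmp/tslash.XXXXXX";
    char file[64], lnk[64], path[80];
    int fd, rf = -1, rl = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/regular", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, lnk) == 0) {
            snprintf(path, sizeof path, "%s/", file);
            rf = probe(path);
            snprintf(path, sizeof path, "%s/", lnk);
            rl = probe(path);
            unlink(lnk);
        }
        unlink(file);
    }
    rmdir(dir);
    return (rf < 0 || rl < 0) ? -1 : (rf | (rl << 1));
}

int main(void)
{
    return check_trailing_slash(); /* exit status 0: both opens got ENOTDIR */
}
```

A result of 0 is what the systems listed above as not affected are expected to return; a result with bit 1 set means "link/" was opened as if the slash were absent, so a server that relies on the kernel to reject such paths needs its own check.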