For HAL users: [Fwd: FreeBSD Security Advisory
FreeBSD-SA-06:25.kmem]
Tom McLaughlin
tmclaugh at sdf.lonestar.org
Wed Dec 6 09:40:24 PST 2006
This affects anyone with HAL setup properly according to our port's
defaults and uses firewire.
I like changing the default group to wheel since most Gnome users on
Free will probably already be a part of wheel. I'll stop beating the
dead horse now. ;)
tom
-------- Forwarded Message --------
> From: FreeBSD Security Advisories <security-advisories at freebsd.org>
> Reply-To: security-advisories at freebsd.org
> To: FreeBSD Security Advisories <security-advisories at freebsd.org>
> Subject: FreeBSD Security Advisory FreeBSD-SA-06:25.kmem
> Date: Wed, 6 Dec 2006 09:33:14 GMT
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-06:25.kmem Security Advisory
> The FreeBSD Project
>
> Topic: Kernel memory disclosure in firewire(4)
>
> Category: core
> Module: sys_dev
> Announced: 2006-12-06
> Credits: Rodrigo Rubira Branco
> Affects: All FreeBSD releases.
> Corrected: 2006-12-06 09:13:51 UTC (RELENG_6, 6.2-STABLE)
> 2006-12-06 09:14:23 UTC (RELENG_6_2, 6.2-RC2)
> 2006-12-06 09:14:59 UTC (RELENG_6_1, 6.1-RELEASE-p11)
> 2006-12-06 09:15:40 UTC (RELENG_6_0, 6.0-RELEASE-p16)
> 2006-12-06 09:16:17 UTC (RELENG_5, 5.5-STABLE)
> 2006-12-06 09:16:41 UTC (RELENG_5_5, 5.5-RELEASE-p9)
> 2006-12-06 09:17:09 UTC (RELENG_4, 4.11-STABLE)
> 2006-12-06 09:18:02 UTC (RELENG_4_11, 4.11-RELEASE-p26)
> CVE Name: CVE-2006-6013
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> The firewire(4) driver provides support for IEEE 1394 ("FireWire")
> interfaces. This driver provides some of its functionality via the
> ioctl(2) system call.
>
> II. Problem Description
>
> In the FW_GCROM ioctl, a signed integer comparison is used instead of
> an unsigned integer comparison when computing the length of a buffer
> to be copied from the kernel into the calling application.
>
> III. Impact
>
> A user in the "operator" group can read the contents of kernel memory.
> Such memory might contain sensitive information, such as portions of
> the file cache or terminal buffers. This information might be directly
> useful, or it might be leveraged to obtain elevated privileges in some
> way; for example, a terminal buffer might include a user-entered
> password.
>
> IV. Workaround
>
> No workaround is available, but systems without IEEE 1394 ("FireWire")
> interfaces are not vulnerable. (Note that systems with IEEE 1394
> interfaces are affected regardless of whether any devices are attached.)
>
> Note also that FreeBSD does not have any non-root users in the "operator"
> group by default; systems on which no users have been added to this group
> are therefore also not vulnerable.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
> or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, or RELENG_4_11 security
> branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 4.11, 5.5,
> 6.0, and 6.1 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-06:25/kmem.patch
> # fetch http://security.FreeBSD.org/patches/SA-06:25/kmem.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch Revision
> Path
> - -------------------------------------------------------------------------
> RELENG_4
> src/sys/dev/firewire/fwdev.c 1.2.4.17
> RELENG_4_11
> src/UPDATING 1.73.2.91.2.27
> src/sys/conf/newvers.sh 1.44.2.39.2.30
> src/sys/dev/firewire/fwdev.c 1.2.4.16.4.1
> RELENG_5
> src/sys/dev/firewire/fwdev.c 1.44.2.2
> RELENG_5_5
> src/UPDATING 1.342.2.35.2.9
> src/sys/conf/newvers.sh 1.62.2.21.2.11
> src/sys/dev/firewire/fwdev.c 1.44.2.1.4.1
> RELENG_6
> src/sys/dev/firewire/fwdev.c 1.46.2.2
> RELENG_6_2
> src/UPDATING 1.416.2.29.2.1
> src/sys/dev/firewire/fwdev.c 1.46.2.1.6.1
> RELENG_6_1
> src/UPDATING 1.416.2.22.2.13
> src/sys/conf/newvers.sh 1.69.2.11.2.13
> src/sys/dev/firewire/fwdev.c 1.46.2.1.4.1
> RELENG_6_0
> src/UPDATING 1.416.2.3.2.21
> src/sys/conf/newvers.sh 1.69.2.8.2.17
> src/sys/dev/firewire/fwdev.c 1.46.2.1.2.1
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6013
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-06:25.kmem.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (FreeBSD)
>
> iD8DBQFFdo1QFdaIBMps37IRAj4vAJ4vzhNk4MBkhAxsmeIAA0UgnXXOwACfY+Oe
> WhWIJLjTgqq+T3ZpySyRCNo=
> =FbZj
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe at freebsd.org"
--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
| BSD# http://www.mono-project.com/Mono:FreeBSD |
More information about the freebsd-gnome
mailing list