svn commit: r41998 - head/share/security/advisories

Xin LI delphij at FreeBSD.org
Fri Jun 21 21:41:49 UTC 2013


Author: delphij
Date: Fri Jun 21 21:41:48 2013
New Revision: 41998
URL: http://svnweb.freebsd.org/changeset/doc/41998

Log:
  Commit revised advisory for 13:06.mmap.

Modified:
  head/share/security/advisories/FreeBSD-SA-13:06.mmap.asc

Modified: head/share/security/advisories/FreeBSD-SA-13:06.mmap.asc
==============================================================================
--- head/share/security/advisories/FreeBSD-SA-13:06.mmap.asc	Fri Jun 21 17:57:26 2013	(r41997)
+++ head/share/security/advisories/FreeBSD-SA-13:06.mmap.asc	Fri Jun 21 21:41:48 2013	(r41998)
@@ -13,14 +13,20 @@ Announced:      2013-06-18
 Credits:        Konstantin Belousov
                 Alan Cox
 Affects:        FreeBSD 9.0 and later
-Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
-                2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
+Corrected:      2013-06-18 07:04:19 UTC (stable/9, 9.1-STABLE)
+                2013-06-18 07:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
 CVE Name:       CVE-2013-2171
 
 For general information regarding FreeBSD Security Advisories,
 including descriptions of the fields above, security branches, and the
 following sections, please visit <URL:http://security.FreeBSD.org/>.
 
+0.   Revision History
+
+v1.0  2013-06-18 Initial release.
+v1.1  2013-06-21 Corrected correction date.
+                 Added workaround information.
+
 I.   Background
 
 The FreeBSD virtual memory system allows files to be memory-mapped.
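Review bot: the v1.1 entry in the new "0.   Revision History" block says "Corrected correction date", but the Corrected: lines keep the date 2013-06-18 and only move the times from 09:04:19 and 09:05:51 to 07:04:19 and 07:05:51 UTC. Suggest wording the entry as "Corrected the correction timestamps" so a reader comparing v1.0 and v1.1 knows what changed. The new section is numbered "0." ahead of the Roman-numeral sections; worth confirming that this matches the advisory template.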
@@ -51,7 +57,23 @@ arbitrary code with user privileges on t
 
 IV.  Workaround
 
-No workaround is available.
+Systems that do not allow unprivileged users to use the ptrace(2)
+system call are not vulnerable, this can be accomplished by setting
+the sysctl variable security.bsd.unprivileged_proc_debug to zero.
+Please note that this will also prevent debugging tools, for instance
+gdb, truss, procstat, as well as some built-in debugging facilities in
+certain scripting language like PHP, etc., from working for unprivileged
+users.
+
+The following command will set the sysctl accordingly and works until the
+next reboot of the system:
+
+    sysctl security.bsd.unprivileged_proc_debug=0
+
+To make this change persistent across reboot, the system administrator
+should also add the setting into /etc/sysctl.conf:
+
+    echo 'security.bsd.unprivileged_proc_debug=0' >> /etc/sysctl.conf
 
 V.   Solution
 
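Review bot: the persistence step at the end of the Workaround section appends to /etc/sysctl.conf with ">>" unconditionally, so running it twice, or on a host whose file already sets security.bsd.unprivileged_proc_debug, leaves duplicate or conflicting entries. Suggest telling the administrator to check for an existing line first and to confirm the running value with "sysctl security.bsd.unprivileged_proc_debug" afterwards. In the first paragraph, "are not vulnerable, this can be accomplished" is a comma splice and "certain scripting language like PHP" should read "languages".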
@@ -112,16 +134,13 @@ Or visit the following URL, replacing XX
 
 VII. References
 
-<other info on vulnerability>
-
 <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2171>
 
 The latest revision of this advisory is available at
 <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:06.mmap.asc>
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.13 (FreeBSD)
 
-iEYEARECAAYFAlHAB+YACgkQFdaIBMps37IjFACdFSoiYO1YkcPunLh7Zw4TC6MF
-X9MAnjjVWB2uEl60Rl3K4WOuJ71AVNlP
-=8309
+iEYEARECAAYFAlHExy0ACgkQFdaIBMps37L8PwCdGXatzPm7OWjZu+GmbbXQC16/
+8sgAoJ0LEmREO8Mp7f4YcLHAEwgnJtjT
+=WRZD
 -----END PGP SIGNATURE-----
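Review bot: the signature block at the end of this hunk is replaced and the "Version:" armor line is dropped, which is expected since the signed text changed, but the diff cannot show that the new signature is valid. Suggest verifying the committed .asc against the security officer key before it is published. Removing the leftover template line "<other info on vulnerability>" from References is correct.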

