daily CVS update output
Updating src tree: P src/distrib/sun2/miniroot/Makefile P src/distrib/sun2/ramdisk/Makefile P src/distrib/sun3/miniroot/Makefile P src/distrib/sun3/ramdisk/Makefile P src/etc/security P src/libexec/ld.elf_so/rtld.h P src/sys/arch/arm/arm32/locore.S P src/sys/arch/sparc64/dev/ebus_mainbus.c P src/sys/arch/zaurus/stand/zboot/Makefile P src/sys/external/bsd/drm2/dist/drm/i915/i915_irq.c P src/sys/external/bsd/drm2/linux/linux_kmap.c P src/sys/lib/libkern/arch/m68k/Makefile.inc P src/tests/lib/librumphijack/t_asyncio.sh P src/usr.bin/make/suff.c Updating xsrc tree: Killing core files: Running the SUP scanner: SUP Scan for current starting at Thu Aug 28 03:06:37 2014 SUP Scan for current completed at Thu Aug 28 03:06:54 2014 SUP Scan for mirror starting at Thu Aug 28 03:06:54 2014 SUP Scan for mirror completed at Thu Aug 28 03:09:58 2014 Updating file list: -rw-rw-r-- 1 srcmastr netbsd 43072068 Aug 28 03:20 ls-lRA.gz
Re: NetBSD Security Advisory 2014-011: User-controlled memory allocation in the modctl system call
Salut, Please ignore this advisory for now as it contains errors. It will be re-published once these errors have been addressed. I am deeply sorry for my failure to handle these advisories in an appropriate way and to provide you with the level of service you deserve. On Wed, Aug 27, 2014 at 09:36:40AM +, NetBSD Security Officer wrote: > NetBSD Security Advisory 2014-011 > = > > Topic:User-controlled memory allocation in the modctl system > call > > > Version: NetBSD-current: source prior to Thu, Jul 10th 2014 > NetBSD 6.1 - 6.1.4: affected > NetBSD 6.0 - 6.0.5: affected > NetBSD 5.1 - 5.1.4: affected > NetBSD 5.2 - 5.2.2: affected > > Severity: Local DoS > > Fixed:NetBSD-current: Thu, Jul 10th 2014 > NetBSD-6-1 branch: Mon, Jul 14th 2014 > NetBSD-6-0 branch: Mon, Jul 14th 2014 > NetBSD-6 branch:Mon, Jul 14th 2014 > NetBSD-5.2 branch: Mon, Jul 14th 2014 > NetBSD-5.1 branch: Mon, Jul 14th 2014 > NetBSD-5 branch:Mon, Jul 14th 2014 > > Teeny versions released later than the fix date will contain the fix. > > Please note that NetBSD releases prior to 5.1 are no longer supported. > It is recommended that all users upgrade to a supported release. > > > Abstract > > > Due to missing input validation checks, a local (un)privileged user > could cause the kernel to perform a zero-sized or unbounded memory > allocation, resulting in a crash. > > > Technical Details > = > > The modctl system call takes as second argument a buffer which is > represented as a structure when loading a kernel module. This structure > indicates special information on how to load a module, including a > string pointer and the length of the string pointed to. A kernel buffer > of the same size is allocated, but no check was performed to ensure the > size is neither too low nor too high, thus allowing a local user to > crash the system. > > > Solutions and Workarounds > = > > For all NetBSD versions, you need to obtain fixed kernel sources, > rebuild and install the new kernel, and reboot the system. > > The fixed source may be obtained from the NetBSD CVS repository. > The following instructions briefly summarise how to upgrade your > kernel. In these instructions, replace: > > ARCH with your architecture (from uname -m), > KERNCONF with the name of your kernel configuration file and > VERSION with the file version below > > File versions containing the fixes: > > FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0 netbsd-5 netbsd-5-2 netbsd-5-1 > -- -- -- -- > sys/kern/sys_module.c > 1.15 1.13.8.1 1.13.14.1 1.13.12.1 1.8.4.2 1.8.4.1.6.1 > 1.8.4.1.2.1 > > To update from CVS, re-build, and re-install the kernel: > > # cd src > # cvs update -d -P -r VERSION sys/kern/sys_module.c > # ./build.sh kernel=KERNCONF > # mv /netbsd /netbsd.old > # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd > # shutdown -r now > > For more information on how to do this, see: > >http://www.NetBSD.org/guide/en/chap-kernel.html > > > Thanks To > = > > Thanks to Maxime Villard, who found the issue and provided a fix. > > > Revision History > > > 2014-08-27 Initial release > > > More Information > > > Advisories may be updated as new information becomes available. > The most recent version of this advisory (PGP signed) can be found at > > http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc > > Information about NetBSD and NetBSD security can be found at > http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . > > > Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved. > Redistribution permitted only in full, unmodified form. > > $NetBSD: NetBSD-SA2014-011.txt,v 1.1 2014/08/27 00:33:51 tonnerre Exp $ > > Tonnerre pgp8Z97e2ymER.pgp Description: PGP signature
Re: NetBSD Security Advisory 2014-010: Multiple vulnerabilities in the compatibility layers
Salut,
Please ignore this advisory for now as it contains errors. It will be
published again after these errors have been addressed.
I am deeply sorry for my failure to provide you a good service on this
matter.
On Wed, Aug 27, 2014 at 09:36:07AM +, NetBSD Security Officer wrote:
> NetBSD Security Advisory 2014-010
> =
>
> Topic:Multiple vulnerabilities in the compatibility layers
>
>
> Version: NetBSD-current: source prior to Tue, Apr 15th 2014
> NetBSD 6.1 - 6.1.4: affected
> NetBSD 6.0 - 6.0.5: affected
> NetBSD 5.1 - 5.1.4: affected
> NetBSD 5.2 - 5.2.2: affected
>
> Severity: Local DoS
>
> Fixed:NetBSD-current: Tue, Apr 15th 2014
> NetBSD-6-0 branch: Mon, Apr 21th 2014
> NetBSD-6-1 branch: Mon, Apr 21th 2014
> NetBSD-6 branch:Mon, Apr 21th 2014
> NetBSD-5-2 branch: Wed, May 14th 2014
> NetBSD-5-1 branch: Wed, May 14th 2014
> NetBSD-5 branch:Wed, May 14th 2014
>
> Teeny versions released later than the fix date will contain the fix.
>
> Please note that NetBSD releases prior to 5.1 are no longer supported.
> It is recommended that all users upgrade to a supported release.
>
>
> Abstract
>
>
> Four compatibility layers are affected by several vulnerabilities:
>
> 1) FreeBSD compatibility: NULL pointer dereference
> 2) NetBSD 32-bit compatibility: Zero-sized memory allocation
> 3) Digital UNIX (formerly OSF/1) compatibility: Zero-sized
> memory allocation
> 4) Linux and Linux 32-bit compatibility: User-controllable
> kernel memory array index.
>
> Each of them allows a local user to crash the system.
>
>
> Technical Details
> =
>
> For more clarity the four layers affected will be referred to as
> COMPAT_xx, where xx is the emulated system.
>
> 1) Due to a programming mistake in COMPAT_FREEBSD, a simple call to the
> sched_getparam system call would cause the kernel to dereference a
> NULL pointer, and thus to crash.
> 2) Due to a missing input validation check in COMPAT_NETBSD32's kevent
> system call, a user could cause the kernel to perform a zero-sized
> memory allocation, resulting in a crash.
> 3) Due to a missing input validation check in COMPAT_OSF1's
> getdirentries system call, a user could cause the kernel to perform
> a zero-sized memory allocation, resulting in a crash.
> 4) Due to missing input validation checks in the COMPAT_LINUX and
> COMPAT_LINUX32 ELF binary loader, a specially-crafted binary could
> control a kernel memory array index - address from which data is
> read. Attempting to read at an unmapped memory page will cause the
> kernel to crash.
>
>
> Solutions and Workarounds
> =
>
> - Disable the compability modules
> -
> You can achieve this with the modunload(8) tool. Please read the
> appropriate manual page. For example, you can disable the Linux modules
> by moving the kernel object files out of the way. These are located in:
>
>
> /stand/${MACHINE_ARCH}/${KERNEL_VERSION}/modules/compat_${NAME}/compat_${NAME}.kmod
>
> And running the following command to unload them:
>
> # modunload compat_${NAME}
>
> The modules have dependencies, so you need to unload them in the proper
> order.
>
> You can also disable these modules by rebuilding your kernel without the
> COMPAT_${NAME} options.
>
> Note however that it is to be considered as a temporary workaround, and
> you are strongly advised to fix your system from source.
>
> - Fix from source
> -
> For all NetBSD versions, you need to obtain fixed kernel sources,
> rebuild and install the new kernel, and reboot the system.
>
> The fixed source may be obtained from the NetBSD CVS repository.
> The following instructions briefly summarise how to upgrade your
> kernel. In these instructions, replace:
>
> ARCH with your architecture (from uname -m),
> KERNCONF with the name of your kernel configuration file and
> VERSION with the file version below
>
> File versions containing the fixes:
>
> FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0 netbsd-5 netbsd-5-2 netbsd-5-1
> -- -- -- --
> src/sys/compat/freebsd/freebsd_sched.c
> 1.20 1.19.40.1 1.19.56.1 1.19.46.1 1.19.10.1 1.19.48.1 1.19.24.1
> src/sys/compat/netbsd32/netbsd32_compat_50.c
> 1.24 1.20.6.1 1.20.14.1 1.20.12.1 XX XX
> src/sys/compat/netbsd32/netbsd32_event.c
> 1.11 1.9.10.2 1.9.24.11.9.16.1 XX XX
> src/s
Re: NetBSD Security Advisory 2014-009: Multiple vulnerabilities in the execve system call
Salut, Please ignore this advisory for now as it contains errors. I was falsely under the impression that it did not. It will be released again once these errors have been taken care of. I am deeply sorry for my failure to provide a good service on this matter. On Wed, Aug 27, 2014 at 09:35:42AM +, NetBSD Security Officer wrote: > NetBSD Security Advisory 2014-009 > = > > Topic:Multiple vulnerabilities in the execve system call > > > Version: NetBSD-current: source prior to Fri, Feb 14th 2014 > NetBSD 6.1 - 6.1.3: affected > NetBSD 6.1.4: not affected > NetBSD 6.0 - 6.0.4: affected > NetBSD 6.0.5: not affected > NetBSD 5.1 - 5.1.4: not affected > NetBSD 5.2 - 5.2.2: not affected > > Severity: Local DoS > > Fixed:NetBSD-current: Fri, Feb 14th 2014 > NetBSD-6-0 branch: Fri, Feb 14th 2014 > NetBSD-6-1 branch: Fri, Feb 14th 2014 > NetBSD-6 branch:Fri, Feb 14th 2014 > > Teeny versions released later than the fix date will contain the fix. > > Please note that NetBSD releases prior to 5.1 are no longer supported. > It is recommended that all users upgrade to a supported release. > > > Abstract > > > The execve system call is affected by two vulnerabilities: > 1) A memory leak in the kernel could cause a local (un)privileged user > to use up kernel memory via a bogus ELF binary, and thus to freeze - or > eventually panic - the system. > 2) A bug in the kernel could lead to a use-after-free condition when > loading a binary or a script, which would allow a local (un)privileged > user to crash the system. > > > Technical Details > = > > 1) When trying to execute an ELF binary, the kernel looks up the > corresponding "interpreter" (in case of native dynamic ELF binaries: the > dynamic linker ld.elf_so). If this interpreter cannot be accessed > appropriately, or if it is bogus, a structure allocated to hold special > information on this interpreter was not freed. > If a standard toolchain is installed, a local user can easily create > such broken binaries by passing the -dynamic-linker switch to the linker. > > 2) When executing a binary via execve(), the kernel computes the new > user stack size, and returns an error if this size exceeds the maximum > architecture-defined stack size or the maximum stack size allowed by the > calling process through rlimit. However, the variable in charge of hold- > ing the error code returned was not properly initialised, causing the > kernel to keep setting up the new process environment and use data that > was already freed. > Both the new stack size and the rlimit stack size are approximately > user-controllable, which makes it easy to trigger from a local user. > > > Solutions and Workarounds > = > > For all NetBSD versions, you need to obtain fixed kernel sources, > rebuild and install the new kernel, and reboot the system. > > The fixed source may be obtained from the NetBSD CVS repository. > The following instructions briefly summarise how to upgrade your > kernel. In these instructions, replace: > > ARCH with your architecture (from uname -m), > KERNCONF with the name of your kernel configuration file and > VERSION with the file version below > > File versions containing the fixes: > > FILEHEADnetbsd-6netbsd-6-1 netbsd-6-0 > -- -- > sys/kern/exec_elf.c > 1.551.37.2.21.37.2.1.6.11.37.2.1.4.1 > sys/kern/kern_exec.c > 1.403 1.339.2.9 1.339.2.6.2.2 1.339.2.5.4.3 > > To update from CVS, re-build, and re-install the kernel: > > # cd src > # cvs update -d -P -r VERSION sys/kern/exec_elf.c > # cvs update -d -P -r VERSION sys/kern/kern_exec.c > # ./build.sh kernel=KERNCONF > # mv /netbsd /netbsd.old > # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd > # shutdown -r now > > For more information on how to do this, see: > >http://www.NetBSD.org/guide/en/chap-kernel.html > > > Thanks To > = > > Thanks to Maxime Villard, who found the issues and provided fixes. > > > Revision History > > > 2014-08-27 Initial release > > > More Information > > > Advisories may be updated as new information becomes available. > The most recent version of this advisory (PGP signed) can be found at > > http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-009.txt.asc > > Information about NetBSD and NetBSD security can be found at > http://www.NetBSD.org/ and http:/
NetBSD Security Advisory 2014-011: User-controlled memory allocation in the modctl system call
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 NetBSD Security Advisory 2014-011 = Topic: User-controlled memory allocation in the modctl system call Version:NetBSD-current: source prior to Thu, Jul 10th 2014 NetBSD 6.1 - 6.1.4: affected NetBSD 6.0 - 6.0.5: affected NetBSD 5.1 - 5.1.4: affected NetBSD 5.2 - 5.2.2: affected Severity: Local DoS Fixed: NetBSD-current: Thu, Jul 10th 2014 NetBSD-6-1 branch: Mon, Jul 14th 2014 NetBSD-6-0 branch: Mon, Jul 14th 2014 NetBSD-6 branch:Mon, Jul 14th 2014 NetBSD-5.2 branch: Mon, Jul 14th 2014 NetBSD-5.1 branch: Mon, Jul 14th 2014 NetBSD-5 branch:Mon, Jul 14th 2014 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract Due to missing input validation checks, a local (un)privileged user could cause the kernel to perform a zero-sized or unbounded memory allocation, resulting in a crash. Technical Details = The modctl system call takes as second argument a buffer which is represented as a structure when loading a kernel module. This structure indicates special information on how to load a module, including a string pointer and the length of the string pointed to. A kernel buffer of the same size is allocated, but no check was performed to ensure the size is neither too low nor too high, thus allowing a local user to crash the system. Solutions and Workarounds = For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), KERNCONF with the name of your kernel configuration file and VERSION with the file version below File versions containing the fixes: FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0 netbsd-5 netbsd-5-2 netbsd-5-1 - -- -- -- -- sys/kern/sys_module.c 1.15 1.13.8.1 1.13.14.1 1.13.12.1 1.8.4.2 1.8.4.1.6.1 1.8.4.1.2.1 To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P -r VERSION sys/kern/sys_module.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/guide/en/chap-kernel.html Thanks To = Thanks to Maxime Villard, who found the issue and provided a fix. Revision History 2014-08-27 Initial release More Information Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2014-011.txt,v 1.1 2014/08/27 00:33:51 tonnerre Exp $ -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBAgAGBQJT/SeDAAoJEAZJc6xMSnBuBL4QAIW2I1UEwOmj5kWStYYl1Pxh AZLvbbi2u89q1Dw2OHqycsCTA4E2FNMCJI0Dqr4jHYvTFjQY52K33vTw/u5K5YxC etdYXa68W7u1rKedajx+H/BLBTKNHCwjL4uA7AsIs7XQTQqIYDKRr8SkPdH/j/kH 7Szd90WHWisDVzET+91sGbGmw7wFIiXm80Ovp+DI9/Aib13eQ9GlxEQ4cCRBBIwQ Smu86UI92BYarbPjKq+INwbYSc0uZDnuUPXq2UgJtp10VpKDdxmYZPrn4nvggJOf HCe95l9vo3L6Fs/5g5jU9TjiHd0X/SEfwSx0sN168U5+vyu2l87fCxSrFxM16aJW N0b7PhrO6WOL3LPzZXXNDjUh2LxOINcNvB3zO8PAMrf4XOzYQfRhXByQlZ2orcOf w6ly9sWBvSSgV39BkM8Lh+selVZ6z2mzlfL4nBa2Jb8CLTtiKfzPyDTmxIZcZuH5 SJ1P7nTFvwW5fk+8Ff7zo00gCikSa+vTfu29OdWgrdrwSyuIcP+ZO+gP7GHzcU5U QQl1qzqx8PurKuMY732aigPyosPPb8KLRebokXWVUuygnd3MzJFpDsJhn/QiIXce 4YA7IYMBMGT6+5R0l57m950lCdnoBIf5pTu7Y3/jaAQBfTQHIGyhYItHSgwUe97N gDnChdomglOFD4nWmOwp =g8zM -END PGP SIGNATURE-
NetBSD Security Advisory 2014-010: Multiple vulnerabilities in the compatibility layers
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
NetBSD Security Advisory 2014-010
=
Topic: Multiple vulnerabilities in the compatibility layers
Version:NetBSD-current: source prior to Tue, Apr 15th 2014
NetBSD 6.1 - 6.1.4: affected
NetBSD 6.0 - 6.0.5: affected
NetBSD 5.1 - 5.1.4: affected
NetBSD 5.2 - 5.2.2: affected
Severity: Local DoS
Fixed: NetBSD-current: Tue, Apr 15th 2014
NetBSD-6-0 branch: Mon, Apr 21th 2014
NetBSD-6-1 branch: Mon, Apr 21th 2014
NetBSD-6 branch:Mon, Apr 21th 2014
NetBSD-5-2 branch: Wed, May 14th 2014
NetBSD-5-1 branch: Wed, May 14th 2014
NetBSD-5 branch:Wed, May 14th 2014
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
Four compatibility layers are affected by several vulnerabilities:
1) FreeBSD compatibility: NULL pointer dereference
2) NetBSD 32-bit compatibility: Zero-sized memory allocation
3) Digital UNIX (formerly OSF/1) compatibility: Zero-sized
memory allocation
4) Linux and Linux 32-bit compatibility: User-controllable
kernel memory array index.
Each of them allows a local user to crash the system.
Technical Details
=
For more clarity the four layers affected will be referred to as
COMPAT_xx, where xx is the emulated system.
1) Due to a programming mistake in COMPAT_FREEBSD, a simple call to the
sched_getparam system call would cause the kernel to dereference a
NULL pointer, and thus to crash.
2) Due to a missing input validation check in COMPAT_NETBSD32's kevent
system call, a user could cause the kernel to perform a zero-sized
memory allocation, resulting in a crash.
3) Due to a missing input validation check in COMPAT_OSF1's
getdirentries system call, a user could cause the kernel to perform
a zero-sized memory allocation, resulting in a crash.
4) Due to missing input validation checks in the COMPAT_LINUX and
COMPAT_LINUX32 ELF binary loader, a specially-crafted binary could
control a kernel memory array index - address from which data is
read. Attempting to read at an unmapped memory page will cause the
kernel to crash.
Solutions and Workarounds
=
- - Disable the compability modules
- -
You can achieve this with the modunload(8) tool. Please read the
appropriate manual page. For example, you can disable the Linux modules
by moving the kernel object files out of the way. These are located in:
/stand/${MACHINE_ARCH}/${KERNEL_VERSION}/modules/compat_${NAME}/compat_${NAME}.kmod
And running the following command to unload them:
# modunload compat_${NAME}
The modules have dependencies, so you need to unload them in the proper
order.
You can also disable these modules by rebuilding your kernel without the
COMPAT_${NAME} options.
Note however that it is to be considered as a temporary workaround, and
you are strongly advised to fix your system from source.
- - Fix from source
- -
For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:
ARCH with your architecture (from uname -m),
KERNCONF with the name of your kernel configuration file and
VERSION with the file version below
File versions containing the fixes:
FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0 netbsd-5 netbsd-5-2 netbsd-5-1
- -- -- -- --
src/sys/compat/freebsd/freebsd_sched.c
1.20 1.19.40.1 1.19.56.1 1.19.46.1 1.19.10.1 1.19.48.1 1.19.24.1
src/sys/compat/netbsd32/netbsd32_compat_50.c
1.24 1.20.6.1 1.20.14.1 1.20.12.1 XX XX
src/sys/compat/netbsd32/netbsd32_event.c
1.11 1.9.10.2 1.9.24.11.9.16.1 XX XX
src/sys/compat/osf1/osf1_file.c
1.42 % % % XX XX
src/sys/compat/linux/common/linux_exec_elf32.c
1.91 1.86.2.1 1.86.16.1 1.86.8.11.81.10.1 1.81.20.1 1.81.16.1
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r VERSION sys/compat/freebsd/freebsd_sched.c
# cvs update -d -P -r VERSION sys/comp
NetBSD Security Advisory 2014-009: Multiple vulnerabilities in the execve system call
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 NetBSD Security Advisory 2014-009 = Topic: Multiple vulnerabilities in the execve system call Version:NetBSD-current: source prior to Fri, Feb 14th 2014 NetBSD 6.1 - 6.1.3: affected NetBSD 6.1.4: not affected NetBSD 6.0 - 6.0.4: affected NetBSD 6.0.5: not affected NetBSD 5.1 - 5.1.4: not affected NetBSD 5.2 - 5.2.2: not affected Severity: Local DoS Fixed: NetBSD-current: Fri, Feb 14th 2014 NetBSD-6-0 branch: Fri, Feb 14th 2014 NetBSD-6-1 branch: Fri, Feb 14th 2014 NetBSD-6 branch:Fri, Feb 14th 2014 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract The execve system call is affected by two vulnerabilities: 1) A memory leak in the kernel could cause a local (un)privileged user to use up kernel memory via a bogus ELF binary, and thus to freeze - or eventually panic - the system. 2) A bug in the kernel could lead to a use-after-free condition when loading a binary or a script, which would allow a local (un)privileged user to crash the system. Technical Details = 1) When trying to execute an ELF binary, the kernel looks up the corresponding "interpreter" (in case of native dynamic ELF binaries: the dynamic linker ld.elf_so). If this interpreter cannot be accessed appropriately, or if it is bogus, a structure allocated to hold special information on this interpreter was not freed. If a standard toolchain is installed, a local user can easily create such broken binaries by passing the -dynamic-linker switch to the linker. 2) When executing a binary via execve(), the kernel computes the new user stack size, and returns an error if this size exceeds the maximum architecture-defined stack size or the maximum stack size allowed by the calling process through rlimit. However, the variable in charge of hold- ing the error code returned was not properly initialised, causing the kernel to keep setting up the new process environment and use data that was already freed. Both the new stack size and the rlimit stack size are approximately user-controllable, which makes it easy to trigger from a local user. Solutions and Workarounds = For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system. The fixed source may be obtained from the NetBSD CVS repository. The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace: ARCH with your architecture (from uname -m), KERNCONF with the name of your kernel configuration file and VERSION with the file version below File versions containing the fixes: FILEHEADnetbsd-6netbsd-6-1 netbsd-6-0 - -- -- sys/kern/exec_elf.c 1.551.37.2.21.37.2.1.6.11.37.2.1.4.1 sys/kern/kern_exec.c 1.403 1.339.2.9 1.339.2.6.2.2 1.339.2.5.4.3 To update from CVS, re-build, and re-install the kernel: # cd src # cvs update -d -P -r VERSION sys/kern/exec_elf.c # cvs update -d -P -r VERSION sys/kern/kern_exec.c # ./build.sh kernel=KERNCONF # mv /netbsd /netbsd.old # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd # shutdown -r now For more information on how to do this, see: http://www.NetBSD.org/guide/en/chap-kernel.html Thanks To = Thanks to Maxime Villard, who found the issues and provided fixes. Revision History 2014-08-27 Initial release More Information Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-009.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2014-009.txt,v 1.1 2014/08/27 00:19:19 tonnerre Exp $ -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBAgAGBQJT/SReAAoJEAZJc6xMSnBugpsP/1YehXy/YfxDcErEWQlAHHp/ We1okuTaLhJQMw1gAHIAFoc1d9dRNqN9dmAsQ9FW9qUvpQ2MxWWBvTdmlLjBh990 mCOMSsEu92h0P4nCyziOAyIqf67Eq1X798ovqDyXIvxvMlWsx7RFthM5hGB9ZJAR HpBd/+5OUmOEqQN7UsrmBIUHU8ErDGb/
NetBSD Security Advisory 2014-008: Multiple OpenSSL vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 NetBSD Security Advisory 2014-008 = Topic: Multiple OpenSSL vulnerabilities Version:NetBSD-current: prior to Aug 10th, 2014 NetBSD 6.1 - 6.1.4: affected NetBSD 6.0 - 6.0.5: affected NetBSD 5.1 - 5.1.4: partially affected NetBSD 5.2 - 5.2.2: partially affected Severity: MitM, Remote Code Execution, Remote DoS, Local Information Leak Fixed: NetBSD-current: Aug 10th, 2014 NetBSD-6-0 branch: Aug 11th, 2014 NetBSD-6-1 branch: Aug 11th, 2014 NetBSD-6 branch:Aug 11th, 2014 NetBSD-5-2 branch: Aug 11th, 2014 NetBSD-5-1 branch: Aug 11th, 2014 NetBSD-5 branch:Aug 11th, 2014 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract Information leak in pretty printing functions (CVE-2014-3508) Double Free when processing DTLS packets (CVE-2014-3505) DTLS memory exhaustion (CVE-2014-3506) DTLS memory leak from zero-length fragments (CVE-2014-3507) OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510) Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509) OpenSSL TLS protocol downgrade attack (CVE-2014-3511) only in NetBSD-6 and NetBSD-current: Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139) SRP buffer overrun (CVE-2014-3512) Technical Details = See http://www.openssl.org/news/secadv_20140806.txt Solutions and Workarounds = Update the OpenSSL libraries and make sure the old libssl and libcrypto are no longer used. - From source: - Update src and rebuild and install. Note: OpenSSL in NetBSD-6 and NetBSD-current has been updated to version 1.0.1h; updating the entire src tree is recommended. - From tarballs: - -- To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz from a daily build later than the fix dates, from http://nyftp.netbsd.org/pub/NetBSD-dailybinary/sets/ with a date 20140812* or larger, and your release version and architecture (e.g. http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201408140100Z/amd64/binary/sets/), and then extract the files: Shared libraries: tar xzpf base.tgz \*libssl\* \*libcrypto\* And static libraries and linker config files: tar xzpf comp.tgz \*libssl\* \*libcrypto\* Get the fixed library into use - -- Since the vulnerability is in a shared library, getting the old library purged and the fixed one into use requires restarting all programs that load libssl and libcrypto. The easiest way to do this is to reboot the system. Another method: using /bin/sh, ps ax -o pid | (while read pid; do \ pmap $pid | egrep '(libssl|libcrypto)' && echo found $pid ;\ done) will find non-chrooted programs that have the affected libraries open; restart them. sshd will not show up in this list since it runs chrooted and re-exec'ed but also needs to be restartet. ldd will show the shared libraries a programs is wont to use. Lastly, remove the vulnerable libraries to make sure they won't get used accidentially: rm /usr/lib/libssl.so.10.3 /lib/libcrypto.so.8.2 /usr/lib/libcrypto.so.8.2 Fixed versions - -- files relative to src/crypto/external/bsd/openssl/dist/ssl branch d1_both.ct1_lib.c s3_clnt.cs23_srvr.c - -- --- --- --- netbsd-6-0 1.1.1.4.4.1.4.2 1.4.4.1.4.2 1.9.4.1.4.2 1.10.2.1.4.2 netbsd-6-1 1.1.1.4.4.1.6.2 1.4.4.1.6.2 1.9.4.1.6.2 1.10.2.1.6.2 netbsd-61.1.1.4.4.3 1.4.4.3 1.9.4.3 1.10.2.3 HEAD1.1.1.8 1.9 1.16 1.16 files relative to src/crypto/external/bsd/openssl/dist/crypto branch asn1/a_object.c objects/obj_dat.c srp/srp_lib.c - -- --- - - netbsd-6-0 1.1.1.4.4.1.4.2 1.4.4.1.4.21.9.4.1.4.2 netbsd-6-1 1.1.1.4.4.1.6.2 1.4.4.1.6.21.9.4.1.6.2 netbsd-61.1.1.4.4.3 1.4.4.31.9.4.3 HEAD1.1.1.8 1.91.16 files relative to crypto/dist/openssl/ssl branch d1_both.ct1_lib.c s3_clnt.cs23_srvr.c - -- --- --- --- netbsd-5-1 1.1.1.4.4.1.4.2 1.4.4.1.4.2 1.9.4.1.4.2 1.10.2.1.4.2 netbsd-5-2 1.1.1.4.4.1.6.2 1.4.4.1.6.2 1.9.4.1.6.2 1.10.2.1.6.2 netbsd-51.1.1.4.4.3 1.4.4.3 1.9.4.3 1.10.2.3 files relative to crypto/dist/openssl/crypto branch asn1/a_object.c objects/obj_dat.c srp/srp_lib.c - -- ---
Re: netbsd7-i386 build failure
On Tue, Aug 26, 2014 at 02:41:40PM -0700, Hisashi T Fujinaka wrote: > I've been complaining about this for days, but of course in the wrong > venues. This one is ok, and the issue should be fixed now - sorry for the delay. Martin
