FreeBSD Security Advisory (bzip2)

The FreeBSD Security Team has identified a bug in FreeBSD, an integer overflow in bzip2 decompression:

I. Background

“The bzip2/bunzip2 utilities and the libbz2 library compress and decompress files using an algorithm based on the Burrows-Wheeler transform. They are generally slower than Lempel-Ziv compressors such as gzip, but usually provide a greater compression ratio.

II. Problem Description

When decompressing data, the run-length encoded values are not adequately sanity-checked, allowing for an integer overflow.

III. Impact

An attacker who can cause maliciously chosen inputs to be decompressed can cause the decompressor to crash. It is suspected that such an attacker can cause arbitrary code to be executed, but this is not known for certain.

Note that some utilities, including the tar archiver and the bspatch binary patching utility (used in portsnap and freebsd-update) decompress bzip2-compressed data internally; system administrators should assume that their systems will at some point decompress bzip2-compressed data even if they never explicitly invoke the bunzip2 utility.”

To avoid potential problems, you need to upgrade.
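A simplified illustration of the bug class the advisory describes, added here as an example (it is not libbz2's code; the run layout and the sample counts are constructed): a sizing check that sums run lengths in a 32-bit counter and can be wrapped by two large runs, beside a decoder that bounds each run against the remaining space before it writes anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A run says "emit value, count times". Constructed for this example; it is
 * not libbz2's code and does not follow bzip2's real RLE layout. */
struct run { uint32_t count; uint8_t value; };

/* Flawed sizing check: sums all run lengths in a 32-bit counter and compares
 * once at the end. Two large counts wrap the sum to a small number, so the
 * check accepts data whose real size is over 4 GiB. Returns 1 if accepted. */
int flawed_bound_check_accepts(const struct run *runs, size_t nruns, uint32_t cap)
{
    uint32_t total = 0;
    for (size_t i = 0; i < nruns; i++)
        total += runs[i].count;          /* unsigned wrap-around here */
    return total <= cap;
}

/* Hardened decoder: checks each run against the room left BEFORE adding it,
 * so the running total can never wrap. Returns bytes written or -1. */
long rle_decode_checked(const struct run *runs, size_t nruns, uint8_t *out, size_t cap)
{
    size_t total = 0;
    for (size_t i = 0; i < nruns; i++) {
        if (runs[i].count > cap - total)  /* cap - total never underflows */
            return -1;
        memset(out + total, runs[i].value, runs[i].count);
        total += runs[i].count;
    }
    return (long)total;
}

/* Constructed samples: counts summing to 2^32 + 1 (wraps to 1), and a benign pair. */
static const struct run WRAPPING_RUNS[2] = { {0x80000000u, 'A'}, {0x80000001u, 'B'} };
static const struct run SMALL_RUNS[2] = { {3, 'x'}, {2, 'y'} };

/* The flawed check accepts the wrapping input into a 64-byte buffer (returns 1). */
int demo_flawed_accepts_wrapping(void) { return flawed_bound_check_accepts(WRAPPING_RUNS, 2, 64); }

/* The hardened decoder rejects the same input (returns -1). */
long demo_checked_rejects_wrapping(void) { uint8_t out[64]; return rle_decode_checked(WRAPPING_RUNS, 2, out, sizeof out); }

/* Returns 5 when SMALL_RUNS decodes to "xxxyy", -2 otherwise. */
long demo_checked_small(void)
{
    uint8_t out[64];
    long n = rle_decode_checked(SMALL_RUNS, 2, out, sizeof out);
    return (n == 5 && memcmp(out, "xxxyy", 5) == 0) ? n : -2;
}
```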

FreeBSD Security Advisory (mbuf)

The FreeBSD Security Team has identified a bug in FreeBSD where a lost mbuf flag can result in data loss.

“I. Background

An mbuf is a basic unit of memory management in the FreeBSD kernel inter-process communication and networking subsystem. Network packets and socket buffers are dependent on mbufs for their storage.

Data can be embedded directly in mbufs, or mbufs can instead reference external buffers. The sendfile(2) system call uses external mbuf storage to directly map the contents of a file into a chain of mbufs for transmission purposes. The mbuf object supports a read-only flag that must be honored to prevent modification or writes to buffer data in cases like these.

II. Problem Description

The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption.

III. Impact

This data corruption can be exploited by a local attacker to escalate their privilege by carefully controlling the corruption of system files. It should be noted that the attacker can corrupt any file they have read access to.”

For a workaround and steps to fix this, have a look at the announcement.

FreeBSD 7.2 EoL coming soon

On June 30th, FreeBSD 7.2 will reach its End of Life and will no longer be supported by the FreeBSD Security Team. Users of this release are strongly encouraged to upgrade to FreeBSD 7.3 before that date; FreeBSD 7.3 will be supported until the end of March 2012. Please note that since FreeBSD 7.1 has been designated for ‘Extended’ support, it will continue to be supported until the end of January 2011, i.e., FreeBSD 7.1 will be supported longer than FreeBSD 7.2.

The End of Life date for FreeBSD 7.2 was originally announced as May 31, but was delayed by one month in accordance with Security Team policy in order to allow a 3 month window between the release of FreeBSD 7.3 and the End of Life of FreeBSD 7.2 to allow time for systems to be upgraded.

The freebsd-update(8) utility can be used to upgrade i386 and amd64 systems from 7.2-RELEASE (or 7.2-RELEASE-pX for some X) to 7.3-RELEASE using binary updates (i.e., without compiling from source) as described in the 7.3-RELEASE announcement; given an adequate internet connection, this process usually takes 15 minutes or less.

More: FreeBSD 7.2 EoL coming soon

FreeBSD Errata: Deadlock in ULE scheduler

A problem has been identified with the ULE scheduler in the FreeBSD 7 series:

FreeBSD has two schedulers: the classic 4BSD scheduler and a newer, more SMP-aware scheduler called ULE. The 4BSD scheduler was the default scheduler until FreeBSD 7.0. Starting with FreeBSD 7.1 the default scheduler is ULE.

The scheduler is responsible for allocating CPU time to threads and assigning threads to CPUs. Runnable threads (i.e. threads which are not waiting for a blocking operation, such as an I/O operation, memory allocation or lock acquisition, to complete) are assigned to a CPU and placed in that CPU’s run queue. Each thread and each CPU’s run queue is protected by a separate lock.

II. Problem Description

When a thread is reassigned from one CPU to another, the scheduler first acquires the thread’s lock, then releases the source CPU’s run queue lock. The scheduler then acquires the target CPU’s run queue lock and holds the lock while it adds the thread to the queue and signals the target CPU. Finally it reacquires the source CPU’s run queue lock before unlocking the thread. A thread on the target CPU, having been notified of the reassigned thread’s arrival on the target CPU’s run queue, will then acquire the thread’s lock before switching it in.

Read the whole errata

For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit http://security.freebsd.org

FreeBSD 7.x & 8.x Root Exploit Patched!

A security bug in the latest version of FreeBSD can be exploited to grant unprivileged users complete control over the operating system, a German researcher discovered.

The flaw is present in FreeBSD 8.0 and is known to affect versions 7.1 and 7.2.

“A short time ago a “local root” exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root.

Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues — in short, use at your own risk (even more than usual).” (source)

More information and the patch can be found here.

The run-time link-editor, rtld, links dynamic executables with their needed libraries at run-time. It also allows users to explicitly load libraries via various LD_ environment variables.

II. Problem Description

When running setuid programs rtld will normally remove potentially dangerous environment variables. Due to recent changes in FreeBSD environment variable handling code, a corrupt environment may result in attempts to unset environment variables failing.

III. Impact

An unprivileged user who can execute programs on a system can gain the privileges of any setuid program which he can run. On most system configurations, this will allow a local attacker to execute code as the root user.
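A defensive pattern for the failure mode the advisory describes, added here as an example (it is not rtld's code): scrub the LD_* variables and then verify that each unset actually took effect, treating an entry that cannot be unset as a reason to stop rather than assuming the environment is clean. The variable names and paths in the demo functions are constructed.

```c
#include <stdlib.h>
#include <string.h>
extern char **environ;

/* Remove every LD_* variable and verify the removal. Written for this page, not
 * rtld's own code. Returns 0 once no LD_ entry remains, -1 if an unset fails or
 * an entry cannot be unset (corrupt environment); a setuid caller should then
 * refuse to run rather than trust the environment. */
int scrub_ld_env(void)
{
    /* Rescan after each removal: unsetenv() shifts environ, so one forward
     * pass can skip entries such as duplicated names. */
    for (int pass = 0; pass < 1024; pass++) {
        char *found = NULL;
        for (char **e = environ; e != NULL && *e != NULL; e++)
            if (strncmp(*e, "LD_", 3) == 0) { found = *e; break; }
        if (found == NULL)
            return 0;                     /* verified clean */
        const char *eq = strchr(found, '=');
        if (eq == NULL) return -1;        /* no '=': unsetenv() cannot name it */
        size_t n = (size_t)(eq - found);
        char name[256];
        if (n >= sizeof name) return -1;
        memcpy(name, found, n); name[n] = '\0';
        if (unsetenv(name) != 0)
            return -1;                    /* do not assume it is gone */
    }
    return -1;                            /* still present after many passes */
}

/* Normal case: returns 1 if two constructed LD_ variables are removed. */
int demo_scrub_normal(void)
{
    setenv("LD_PRELOAD", "/tmp/example.so", 1);     /* constructed values */
    setenv("LD_LIBRARY_PATH", "/tmp/example", 1);
    return scrub_ld_env() == 0 && getenv("LD_PRELOAD") == NULL
        && getenv("LD_LIBRARY_PATH") == NULL;
}

/* Corrupt case: an entry without '=' cannot be unset by name, so the scrub
 * must report failure (-1) instead of silently leaving it in place. */
int demo_scrub_corrupt_env(void)
{
    static char broken[] = "LD_PRELOAD";            /* constructed, malformed */
    char *corrupt[] = { broken, NULL };
    char **saved = environ; environ = corrupt;
    int r = scrub_ld_env(); environ = saved;
    return r;
}
```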

FreeBSD FIFO resource leak

Researchers Chitti Nimmagadda and Dorr H. Clark of Santa Clara University appear to have discovered and reported a bug in usr/src/sys/fs/fifofs/fifo_vnops.c of the FreeBSD 8.0-STABLE release, as reported on the FreeBSD bugs mailing list.

We believe we have identified a significant resource leak present in 6.x, 7.x, and 8.x. We believe this is a regression versus FreeBSD 4.x which appears to do the Right Thing ™.

We have a test program (see below) which will run the system out of sockets by repeated exercise of the failing code path in the kernel.

Our proposed fix is applied to the file usr/src/sys/fs/fifofs/fifo_vnops.c.

If interested in (FreeBSD) code, have a look here for more info.

FreeBSD Security Advisories (devfs, pipe, null)

The FreeBSD Security Team has issued the following security warnings:

FreeBSD-SA-09:14.devfs – Devfs / VFS NULL pointer race condition
FreeBSD-SA-09:13.pipe – kqueue pipe race conditions
FreeBSD-EN-09:05.null – No zero mapping feature

For background info, problem description, impact, workaround and solutions, have a look at the individual advisory pages.