SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   OS (UNIX)  >   FreeBSD Kernel Vendors:   FreeBSD
FreeBSD Kernel ioctl() Functions May Disclose Kernel Memory to Local Users
SecurityTracker Alert ID:  1015541
SecurityTracker URL:  http://securitytracker.com/id/1015541
CVE Reference:   CVE-2006-0379, CVE-2006-0380   (Links to External Site)
Date:  Jan 25 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.4, 6.0
Description:   A vulnerability was reported in the FreeBSD kernel. A local user can obtain portions of kernel memory.

A buffer allocated from the kernel stack may not be properly initialized before being copied to user-controlled memory [CVE-2006-0379].

A logic error in determining the appropriate buffer length may cause too much data to be copied to user-controlled memory [CVE-2006-0380].

The vendor credits Xin LI and Karl Janmar with reporting these vulnerabilities.
Impact:   A local user can obtain portions of kernel memory.
Solution:   The vendor has provided the following solution information [quoted]:

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.4 and 6.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.4-STABLE and 6.0-STABLE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem.patch.asc

[FreeBSD 6.0-RELEASE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem60.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem60.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

The vendor's advisory is available at:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:06.kmem.asc
Vendor URL:  www.freebsd.org/security/ (Links to External Site)
Cause:   Access control error
Underlying OS:  

Message History:   None.

 Source Message Contents
Date:  Wed, 25 Jan 2006 10:13:09 GMT
Subject:  FreeBSD Security Advisory FreeBSD-SA-06:06.kmem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:06.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local kernel memory disclosure

Category:       core
Module:         kernel
Announced:      2006-01-25
Credits:        Xin LI, Karl Janmar
Affects:        FreeBSD 5.4-STABLE and FreeBSD 6.0
Corrected:      2006-01-25 10:00:59 UTC (RELENG_6, 6.0-STABLE)
                2006-01-25 10:01:26 UTC (RELENG_6_0, 6.0-RELEASE-p4)
                2006-01-25 10:01:47 UTC (RELENG_5, 5.4-STABLE)
CVE Name:       CVE-2006-0379, CVE-2006-0380

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The network sub-system commonly utilizes the ioctl(2) mechanism to pass
information regarding the current state and statistics of logical and
physical network devices.

II.  Problem Description

A buffer allocated from the kernel stack may not be completely
initialized before being copied to userland. [CVE-2006-0379]

A logic error in computing a buffer length may allow too much data to
be copied into userland. [CVE-2006-0380]

III. Impact

Portions of kernel memory may be disclosed to local users.  Such
memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in
some way.  For example, a terminal buffer might include a user-entered
password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE or 6-STABLE, or to the
RELENG_6_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.4 and 6.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.4-STABLE and 6.0-STABLE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem.patch.asc

[FreeBSD 6.0-RELEASE]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem60.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:06/kmem60.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/net/if_bridge.c                                        1.23.2.7
RELENG_6
  src/sys/net/if_bridge.c                                       1.11.2.24
RELENG_6_0
  src/UPDATING                                              1.416.2.3.2.9
  src/sys/conf/newvers.sh                                    1.69.2.8.2.5
  src/sys/net/if_bridge.c                                   1.11.2.12.2.4
  src/sys/net80211/ieee80211_ioctl.c                         1.25.2.3.2.2
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0380

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:06.kmem.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFD105UFdaIBMps37IRArxMAJ9fS+dok28f9PsFvJwH8fUkkVOiawCfV6HM
+qRRPaBQCOX9XRXwB35y7h8=
=pLt2
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC