Subject: NetBSD Security Advisory 2005-008: Heap memory corruption in FreeBSD compat code
To: None <,>
From: NetBSD Security-Officer <>
List: current-users
Date: 11/08/2005 09:58:10
Hash: SHA1

		 NetBSD Security Advisory 2005-008

Topic:		Heap memory corruption in FreeBSD compat code

Version:	NetBSD-current:	source prior to September 13, 2005
		NetBSD 2.1:	not affected
		NetBSD 2.0.3:	not affected
		NetBSD 2.0.2:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.2:	affected
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected

Severity:	local denial of service, local root compromise

Fixed:		NetBSD-current:		September 13, 2005
		NetBSD-3 branch:	September 13, 2005
						(3.0 will include the fix)
		NetBSD-2.0 branch:	September 13, 2005
						(2.0.3 includes the fix)
		NetBSD-2 branch:	September 13, 2005
						(2.1 includes the fix)
		NetBSD-1.6 branch:	September 14, 2005
						(1.6.3 will include the fix)


Due to insufficient length checking in FreeBSD compatibility code, it is
possible for a user to cause an integer overflow, resulting in a local
denial of service and potentially local root compromise.

Solutions and Workarounds

Kernels with FreeBSD binary emulation are affected, including the
default GENERIC kernel install.  There is no workaround for this
issue.  Users of affected NetBSD versions are highly recommended to
upgrade their kernel.

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of
the kernel.

Systems running NetBSD of the affected branches, using sources earlier
than the fix date should be upgraded.

The following files need to be updated from CVS:

To update from CVS, re-build, and re-install the kernel:
	# cd src
	# cvs update -d -P sys/compat/freebsd/freebsd_misc.c
	# ./ kernel=GENERIC
	# mv /netbsd /netbsd.old
	# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
	# shutdown -r now

Thanks To

Christer Oeberg discovered and reported this issue.
Christos Zoulas fixed the code.

Revision History

	2005-10-31	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and

Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-008.txt,v 1.10 2005/10/31 06:43:09 gendalia Exp $

Version: GnuPG v1.4.2 (NetBSD)