Salut,

Please ignore this advisory for now as it contains errors. I was falsely
under the impression that it did not. It will be released again once
these errors have been taken care of.

I am deeply sorry for my failure to provide a good service on this
matter.

On Wed, Aug 27, 2014 at 09:35:42AM +0000, NetBSD Security Officer wrote:
> NetBSD Security Advisory 2014-009
> =================================
>
> Topic:     Multiple vulnerabilities in the execve system call
>
>
> Version:   NetBSD-current:      source prior to Fri, Feb 14th 2014
>            NetBSD 6.1 - 6.1.3:  affected
>            NetBSD 6.1.4:        not affected
>            NetBSD 6.0 - 6.0.4:  affected
>            NetBSD 6.0.5:        not affected
>            NetBSD 5.1 - 5.1.4:  not affected
>            NetBSD 5.2 - 5.2.2:  not affected
>
> Severity:  Local DoS
>
> Fixed:     NetBSD-current:      Fri, Feb 14th 2014
>            NetBSD-6-0 branch:   Fri, Feb 14th 2014
>            NetBSD-6-1 branch:   Fri, Feb 14th 2014
>            NetBSD-6 branch:     Fri, Feb 14th 2014
>
> Teeny versions released later than the fix date will contain the fix.
>
> Please note that NetBSD releases prior to 5.1 are no longer supported.
> It is recommended that all users upgrade to a supported release.
>
>
> Abstract
> ========
>
> The execve system call is affected by two vulnerabilities:
> 1) A memory leak in the kernel could cause a local (un)privileged user
> to use up kernel memory via a bogus ELF binary, and thus to freeze - or
> eventually panic - the system.
> 2) A bug in the kernel could lead to a use-after-free condition when
> loading a binary or a script, which would allow a local (un)privileged
> user to crash the system.
>
>
> Technical Details
> =================
>
> 1) When trying to execute an ELF binary, the kernel looks up the
> corresponding "interpreter" (in case of native dynamic ELF binaries: the
> dynamic linker ld.elf_so). If this interpreter cannot be accessed
> appropriately, or if it is bogus, a structure allocated to hold special
> information on this interpreter was not freed.
> If a standard toolchain is installed, a local user can easily create
> such broken binaries by passing the -dynamic-linker switch to the linker.
>
> 2) When executing a binary via execve(), the kernel computes the new
> user stack size, and returns an error if this size exceeds the maximum
> architecture-defined stack size or the maximum stack size allowed by the
> calling process through rlimit. However, the variable in charge of
> holding the error code returned was not properly initialised, causing the
> kernel to keep setting up the new process environment and use data that
> was already freed.
> Both the new stack size and the rlimit stack size are approximately
> user-controllable, which makes it easy to trigger from a local user.
>
>
> Solutions and Workarounds
> =========================
>
> For all NetBSD versions, you need to obtain fixed kernel sources,
> rebuild and install the new kernel, and reboot the system.
>
> The fixed source may be obtained from the NetBSD CVS repository.
> The following instructions briefly summarise how to upgrade your
> kernel. In these instructions, replace:
>
>   ARCH     with your architecture (from uname -m),
>   KERNCONF with the name of your kernel configuration file and
>   VERSION  with the file version below
>
> File versions containing the fixes:
>
> FILE                  HEAD    netbsd-6    netbsd-6-1      netbsd-6-0
> ----                  ----    --------    ----------      ----------
> sys/kern/exec_elf.c
>                       1.55    1.37.2.2    1.37.2.1.6.1    1.37.2.1.4.1
> sys/kern/kern_exec.c
>                       1.403   1.339.2.9   1.339.2.6.2.2   1.339.2.5.4.3
>
> To update from CVS, re-build, and re-install the kernel:
>
>   # cd src
>   # cvs update -d -P -r VERSION sys/kern/exec_elf.c
>   # cvs update -d -P -r VERSION sys/kern/kern_exec.c
>   # ./build.sh kernel=KERNCONF
>   # mv /netbsd /netbsd.old
>   # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
>   # shutdown -r now
>
> For more information on how to do this, see:
>
>   http://www.NetBSD.org/guide/en/chap-kernel.html
>
>
> Thanks To
> =========
>
> Thanks to Maxime Villard, who found the issues and provided fixes.
>
>
> Revision History
> ================
>
> 2014-08-27  Initial release
>
>
> More Information
> ================
>
> Advisories may be updated as new information becomes available.
> The most recent version of this advisory (PGP signed) can be found at
>
>   http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-009.txt.asc
>
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
>
>
> Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
> Redistribution permitted only in full, unmodified form.
>
> $NetBSD: NetBSD-SA2014-009.txt,v 1.1 2014/08/27 00:19:19 tonnerre Exp $
>
> Tonnerre
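The two failure-path patterns the quoted advisory describes (an error variable that must be initialised before the stack-size check, and an interpreter structure that must be freed when the interpreter is unusable), written out as an added illustration in plain C. This is not NetBSD kernel code: MAXSSIZ, struct interp_info, check_stack_size and load_interp are hypothetical stand-ins chosen here, and the limits are constructed values.

```c
/* Added example, not NetBSD code. Models the two fixes in the advisory. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAXSSIZ (64UL * 1024 * 1024)  /* hypothetical architecture stack ceiling */

/* Hypothetical stand-in for the per-interpreter information structure. */
struct interp_info {
    char path[64];
};

/* Returns 0 when the requested stack fits both limits, ENOMEM otherwise.
 * 'error' is initialised to 0 up front: a passing check therefore leaves a
 * defined value behind, instead of the uninitialised garbage that let the
 * exec path continue with already-freed data (bug 2 in the advisory). */
int check_stack_size(size_t ssize, size_t rlim_stack)
{
    int error = 0;

    if (ssize > MAXSSIZ || ssize > rlim_stack)
        error = ENOMEM;
    return error;
}

/* Allocates an interp_info for 'path' and validates it. Every failure path
 * releases the structure before returning (the leak in bug 1); *out is only
 * written on success. Validation here is a constructed placeholder for the
 * kernel's real accessibility checks on the interpreter. */
int load_interp(const char *path, struct interp_info **out)
{
    struct interp_info *ip = calloc(1, sizeof(*ip));

    if (ip == NULL)
        return ENOMEM;
    if (path == NULL || path[0] != '/' || strlen(path) >= sizeof(ip->path)) {
        free(ip);            /* bogus interpreter: give the memory back */
        return ENOENT;
    }
    strcpy(ip->path, path);
    *out = ip;
    return 0;
}

/* Status-only wrapper: loads, then frees whatever load_interp handed back. */
int load_interp_status(const char *path)
{
    struct interp_info *ip = NULL;
    int error = load_interp(path, &ip);

    free(ip);                /* free(NULL) is a no-op on the failure path */
    return error;
}
```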