Subject: NetBSD Security Advisory 2005-008: Heap memory corruption in FreeBSD compat code
To: None <netbsd-announce@netbsd.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: netbsd-announce
Date: 11/08/2005 09:58:21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2005-008
		 =================================

Topic:		Heap memory corruption in FreeBSD compat code

Version:	NetBSD-current:	source prior to September 13, 2005
		NetBSD 2.1:	not affected
		NetBSD 2.0.3:	not affected
		NetBSD 2.0.2:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.2:	affected
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected

Severity:	local denial of service, local root compromise

Fixed:		NetBSD-current:		September 13, 2005
		NetBSD-3 branch:	September 13, 2005
						(3.0 will include the fix)
		NetBSD-2.0 branch:	September 13, 2005
						(2.0.3 includes the fix)
		NetBSD-2 branch:	September 13, 2005
						(2.1 includes the fix)
		NetBSD-1.6 branch:	September 14, 2005
						(1.6.3 will include the fix)


Abstract
========

Due to insufficient length checking in FreeBSD compatibility code, it is
possible for a user to cause an integer overflow, resulting in a local
denial of service and potentially local root compromise.


Solutions and Workarounds
=========================

Kernels with FreeBSD binary emulation are affected, including the
default GENERIC kernel install.  There is no workaround for this
issue.  Users of affected NetBSD versions are highly recommended to
upgrade their kernel.

The following instructions describe how to upgrade your kernel by updating
your source tree and rebuilding and installing a new version of
the kernel.

Systems running NetBSD of the affected branches, using sources earlier
than the fix date should be upgraded.

The following files need to be updated from CVS:
	src/sys/compat/freebsd/freebsd_misc.c

To update from CVS, re-build, and re-install the kernel:
	# cd src
	# cvs update -d -P sys/compat/freebsd/freebsd_misc.c
	# ./build.sh kernel=GENERIC
	# mv /netbsd /netbsd.old
	# cp sys/arch/`machine`/compile/obj/GENERIC/netbsd /netbsd
	# shutdown -r now


Thanks To
=========

Christer Oeberg discovered and reported this issue.
Christos Zoulas fixed the code.


Revision History
================

	2005-10-31	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2005-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-008.txt,v 1.10 2005/10/31 06:43:09 gendalia Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iQCVAwUBQ2fKfj5Ru2/4N2IFAQISyAP+Oau9ytksViieV0U/1FoLqcsHQYxeDjKp
AafwviGUVMi9fB7tBw9z1Kvc/a/s4W7HzhmsAwNSRNvbpoKCiJaNC+8812/Q42Gp
vfcdy25EtZc7ALFTiOX6eBtj6WrFyHwLnT4ARukGap0sjIIqx/OLZjmMwQfx+O0j
mURB2urapu0=
=ErcI
-----END PGP SIGNATURE-----