The FreeBSD team has released a new security advisory, SA-11:05.unix, and
this note is to assure people that NetBSD is not vulnerable to any
attack based on this vulnerability.

Further information on the advisory can be found in:
http://security.freebsd.org/advisories/FreeBSD-SA-11:05.unix.asc

II. Problem Description

When a UNIX-domain socket is attached to a location using the bind(2)
system call, the length of the provided path is not validated. Later,
when this address was returned via other system calls, it is copied into
a fixed-length buffer.

III. Impact

A local user can cause the FreeBSD kernel to panic. It may also be
possible to execute code with elevated privileges ("gain root"), escape
from a jail, or to bypass security mechanisms in other ways.

As an indication of our commitment to ongoing testing and security
awareness, Christos Zoulas has added a test to the NetBSD regression
test suite to test for error conditions, and ensure no regressions
could occur:
http://mail-index.netbsd.org/source-changes/2011/09/28/msg027654.html

Christos confirmed that NetBSD is not vulnerable to this problem: NetBSD
can create paths up to (and including) 253 characters long. Attempts to
create paths containing 254 chars will fail. accept(2) will only return
paths up to (and including) 104 characters, to avoid buffer overflows in
existing code.

Regards,
Alistair
--
Alistair Crooks
security-officer%NetBSD.org@localhost
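
The length validation described above, seen from the user-space side, as an
added example: it is not part of the original message and is neither the
FreeBSD fix nor the NetBSD regression test. The function names
unix_addr_from_path and unix_path_from_addr are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Capacity of sun_path on this platform (104 on the BSDs, 108 on Linux). */
#define SUN_PATH_MAX (sizeof(((struct sockaddr_un *)0)->sun_path))

/* Build the address for bind(2). A path that does not fit in sun_path with
 * its terminating NUL is refused, never truncated. Returns 0 or -1 (errno). */
int unix_addr_from_path(struct sockaddr_un *sa, socklen_t *len, const char *path)
{
    size_t n;
    if (!sa || !len || !path || path[0] == '\0') { errno = EINVAL; return -1; }
    n = strlen(path);
    if (n >= SUN_PATH_MAX) { errno = ENAMETOOLONG; return -1; }
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, n + 1);
    *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    return 0;
}

/* Copy the path from an address returned by accept(2), getsockname(2) or
 * getpeername(2) into a fixed-size buffer. The scan is bounded by the length
 * the kernel returned, not by an assumed NUL. Returns path length or -1. */
long unix_path_from_addr(const struct sockaddr *sa, socklen_t salen,
                         char *dst, size_t dstsz)
{
    const size_t off = offsetof(struct sockaddr_un, sun_path);
    const char *p, *nul;
    size_t max, n;
    if (!sa || !dst || dstsz == 0 || salen < off || sa->sa_family != AF_UNIX) {
        errno = EINVAL;
        return -1;
    }
    p = (const char *)sa + off;
    max = salen - off;                  /* bytes of path actually returned */
    nul = memchr(p, '\0', max);
    n = nul ? (size_t)(nul - p) : max;  /* unterminated: use the full span */
    if (n >= dstsz) { errno = ENAMETOOLONG; return -1; }
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (long)n;
}
```

Both functions refuse an over-long path with ENAMETOOLONG rather than
truncating it, so a caller never ends up bound to, or reporting, a different
path than the one it was given.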