Salut,
Please ignore this advisory for now as it contains errors. I was falsely
under the impression that it did not. It will be released again once these
errors have been taken care of.
I am deeply sorry for my failure to provide a good service on this matter.
On Wed, Aug 27, 2014 at 09:35:42AM +0000, NetBSD Security Officer wrote:
> NetBSD Security Advisory 2014-009
> =================================
>
> Topic: Multiple vulnerabilities in the execve system call
>
>
> Version: NetBSD-current: source prior to Fri, Feb 14th 2014
> NetBSD 6.1 - 6.1.3: affected
> NetBSD 6.1.4: not affected
> NetBSD 6.0 - 6.0.4: affected
> NetBSD 6.0.5: not affected
> NetBSD 5.1 - 5.1.4: not affected
> NetBSD 5.2 - 5.2.2: not affected
>
> Severity: Local DoS
>
> Fixed: NetBSD-current: Fri, Feb 14th 2014
> NetBSD-6-0 branch: Fri, Feb 14th 2014
> NetBSD-6-1 branch: Fri, Feb 14th 2014
> NetBSD-6 branch: Fri, Feb 14th 2014
>
> Teeny versions released later than the fix date will contain the fix.
>
> Please note that NetBSD releases prior to 5.1 are no longer supported.
> It is recommended that all users upgrade to a supported release.
>
>
> Abstract
> ========
>
> The execve system call is affected by two vulnerabilities:
> 1) A memory leak in the kernel could cause a local (un)privileged user
> to use up kernel memory via a bogus ELF binary, and thus to freeze - or
> eventually panic - the system.
> 2) A bug in the kernel could lead to a use-after-free condition when
> loading a binary or a script, which would allow a local (un)privileged
> user to crash the system.
>
>
> Technical Details
> =================
>
> 1) When trying to execute an ELF binary, the kernel looks up the
> corresponding "interpreter" (in case of native dynamic ELF binaries: the
> dynamic linker ld.elf_so). If this interpreter cannot be accessed
> appropriately, or if it is bogus, a structure allocated to hold special
> information on this interpreter was not freed.
> If a standard toolchain is installed, a local user can easily create
> such broken binaries by passing the -dynamic-linker switch to the linker.
>
> 2) When executing a binary via execve(), the kernel computes the new
> user stack size, and returns an error if this size exceeds the maximum
> architecture-defined stack size or the maximum stack size allowed by the
> calling process through rlimit. However, the variable in charge of hold-
> ing the error code returned was not properly initialised, causing the
> kernel to keep setting up the new process environment and use data that
> was already freed.
> Both the new stack size and the rlimit stack size are approximately
> user-controllable, which makes it easy to trigger from a local user.
>
>
> Solutions and Workarounds
> =========================
>
> For all NetBSD versions, you need to obtain fixed kernel sources,
> rebuild and install the new kernel, and reboot the system.
>
> The fixed source may be obtained from the NetBSD CVS repository.
> The following instructions briefly summarise how to upgrade your
> kernel. In these instructions, replace:
>
> ARCH with your architecture (from uname -m),
> KERNCONF with the name of your kernel configuration file and
> VERSION with the file version below
>
> File versions containing the fixes:
>
> FILE HEAD netbsd-6 netbsd-6-1 netbsd-6-0
> ---- ---- -------- ---------- ----------
> sys/kern/exec_elf.c
> 1.55 1.37.2.2 1.37.2.1.6.1 1.37.2.1.4.1
> sys/kern/kern_exec.c
> 1.403 1.339.2.9 1.339.2.6.2.2 1.339.2.5.4.3
>
> To update from CVS, re-build, and re-install the kernel:
>
> # cd src
> # cvs update -d -P -r VERSION sys/kern/exec_elf.c
> # cvs update -d -P -r VERSION sys/kern/kern_exec.c
> # ./build.sh kernel=KERNCONF
> # mv /netbsd /netbsd.old
> # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
> # shutdown -r now
>
> For more information on how to do this, see:
>
> http://www.NetBSD.org/guide/en/chap-kernel.html
>
>
> Thanks To
> =========
>
> Thanks to Maxime Villard, who found the issues and provided fixes.
>
>
> Revision History
> ================
>
> 2014-08-27 Initial release
>
>
> More Information
> ================
>
> Advisories may be updated as new information becomes available.
> The most recent version of this advisory (PGP signed) can be found at
>
> http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-009.txt.asc
>
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
>
>
> Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
> Redistribution permitted only in full, unmodified form.
>
> $NetBSD: NetBSD-SA2014-009.txt,v 1.1 2014/08/27 00:19:19 tonnerre Exp $
>
>
Tonnerre
Attachment:
pgpzilSZwmseY.pgp
Description: PGP signature