diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-02:35.ffs.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-02:35.ffs.asc | 137 |
1 files changed, 0 insertions, 137 deletions
diff --git a/share/security/advisories/FreeBSD-SA-02:35.ffs.asc b/share/security/advisories/FreeBSD-SA-02:35.ffs.asc deleted file mode 100644 index a71b9b3ce8..0000000000 --- a/share/security/advisories/FreeBSD-SA-02:35.ffs.asc +++ /dev/null @@ -1,137 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-02:35.ffs Security Advisory - The FreeBSD Project - -Topic: local users may read and write arbitrary blocks on - an FFS filesystem - -Category: core -Module: kernel -Announced: 2002-08-05 -Credits: Matt Dillon <dillon@FreeBSD.org>, - Ian Dowse <iedowse@FreeBSD.org>, - Tor Egge <tegge@FreeBSD.org> -Affects: All releases of FreeBSD up to and including 4.6.1-RELEASE-p4 - 4.6-STABLE prior to the correction date -Corrected: 2002-06-23 22:34:52 UTC (RELENG_4) - 2002-07-31 17:55:22 UTC (RELENG_4_6) - 2002-07-31 17:55:11 UTC (RELENG_4_5) - 2002-07-31 17:54:57 UTC (RELENG_4_4) -FreeBSD only: YES - -I. Background - -The Berkeley Fast File System (FFS) is the default filesystem used by -FreeBSD. - -II. Problem Description - -A bug in the calculation of the maximum permitted FFS file size -allows users to create files that are larger than FreeBSD's virtual -memory system can handle. The integer overflows that result when such -files are accessed may map filesystem metadata into the user file, -permitting access to arbitrary filesystem blocks. - -The bug is encountered only on FFS filesystems with a block size of -16k or greater on the i386 architecture, or 32k or greater on the -alpha architecture. Also, the filesystem must have at least 6 blocks -of free space, and the user must have write access to at least one -file in the filesystem. - -The default FreeBSD FFS filesystem block size was changed from 8k to -16k on all architectures just before 4.5-RELEASE. - -III. Impact - -Local attackers may cause a denial of service by simply corrupting the -filesystem. A local attacker may also be able to read and write -arbitrary files on local filesystems, allowing them to gain superuser -privileges. - -FFS filesystems with a block size less than 16k (on the i386 -architecture) or 32k (on the alpha architecture), such as those -created using the default FFS filesystem block size prior to -4.5-RELEASE, are not vulnerable. - -The following command can be used to determine the block size -used on a given filesystem: - - # dumpfs /some/filesystem | grep '^bsize' - -IV. Workaround - -On filesystems with 16k blocks, the bug cannot be exploited when a -process has a file size resource limit (RLIMIT_FSIZE) of 63 MB or -less. This can be most easily accomplished by modifying -/etc/login.conf so that the appropriate login classes (typically -`default') contain a field entry such as the following: - - :filesize=63m:\ - -After editing /etc/login.conf, the corresponding capability database -must be rebuilt with the following command: - - # cap_mkdb /etc/login.conf - -Please see login.conf(5) for details. Note that this will not affect -currently running processes, nor new processes started by users who -are already logged in. - -The corresponding limit appropriate for filesystems with 32k or larger -blocks is not known at this time, and might be smaller or larger than -63 MB. - -It is the responsibility of applications such as `login' and `sshd' to -read and honor login.conf. Be aware that 3rd party applications that -provide login functionality may or may not honor login.conf. - -V. Solution - -1) Upgrade your vulnerable system to 4.6-STABLE; or to any of the -RELENG_4_6 (4.6.1-RELEASE-p5), RELENG_4_5 (4.5-RELEASE-p14), or -RELENG_4_4 (4.4-RELEASE-p21) security branches dated after the -respective correction dates. - -2) To patch your present system: - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. The following patch -has been tested to apply to all FreeBSD 4.x releases. - -# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:35/ffs.patch -# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:35/ffs.patch.asc - -b) Recompile your kernel as described in -http://www.freebsd.org/handbook/kernelconfig.html and reboot the -system. - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. - -Path Revision - Branch -- ------------------------------------------------------------------------- -sys/ufs/ffs/ffs_vfsops.c - RELENG_4 1.117.2.10 - RELENG_4_6 1.117.2.9.2.1 - RELENG_4_5 1.117.2.7.2.1 - RELENG_4_4 1.117.2.3.2.1 -sys/conf/newvers.sh - RELENG_4_6 1.44.2.23.2.10 - RELENG_4_5 1.44.2.20.2.15 - RELENG_4_4 1.44.2.17.2.20 -- ------------------------------------------------------------------------- - ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.0.7 (FreeBSD) - -iQCVAwUBPU8ML1UuHi5z0oilAQGkWQP/fJvzkrl2ptG87Qn2pIa24kLyax5WCnca -uPhq9JxIhXIxAqdIZcrEbbTyeRo/ygtsLzxDKOP0G+A2VxilVL9Ld3a32OSM+nzM -uiSnVHTIxPtmkyZnwdmyTcrBki290p/W3LnZhxzfAt1vdIRD+ibOkBXNAaXFxDRz -T1UzIarVqgM= -=wq5s ------END PGP SIGNATURE----- |