Diffstat (limited to 'share/security/advisories/FreeBSD-SA-08:03.sendfile.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-08:03.sendfile.asc | 150 |
1 files changed, 0 insertions, 150 deletions
diff --git a/share/security/advisories/FreeBSD-SA-08:03.sendfile.asc b/share/security/advisories/FreeBSD-SA-08:03.sendfile.asc deleted file mode 100644 index d8f7866c36..0000000000 --- a/share/security/advisories/FreeBSD-SA-08:03.sendfile.asc +++ /dev/null 
@@ -1,150 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -============================================================================= -FreeBSD-SA-08:03.sendfile Security Advisory - The FreeBSD Project - -Topic: sendfile(2) write-only file permission bypass - -Category: core -Module: sys_kern -Announced: 2008-02-14 -Credits: Kostik Belousov -Affects: All supported versions of FreeBSD -Corrected: 2008-02-14 11:45:00 UTC (RELENG_7, 7.0-PRERELEASE) - 2008-02-14 11:45:41 UTC (RELENG_7_0, 7.0-RELEASE) - 2008-02-14 11:46:08 UTC (RELENG_6, 6.3-STABLE) - 2008-02-14 11:46:41 UTC (RELENG_6_3, 6.3-RELEASE-p1) - 2008-02-14 11:47:06 UTC (RELENG_6_2, 6.2-RELEASE-p11) - 2008-02-14 11:47:39 UTC (RELENG_6_1, 6.1-RELEASE-p23) - 2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE) - 2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19) -CVE Name: CVE-2008-0777 - -For general information regarding FreeBSD Security Advisories, -including descriptions of the fields above, security branches, and the -following sections, please visit <URL:http://security.FreeBSD.org/>. - -I. Background - -The sendfile(2) system call allows a server application (such as a -HTTP or FTP server) to transmit the contents of a file over a network -connection without first copying it to application memory. High -performance servers such as the Apache HTTP Server and ftpd use sendfile. - -II. Problem Description - -When a process opens a file (and other file system objects, such as -directories), it specifies access flags indicating its intent to read, -write, or perform other operations. These flags are checked against -file system permissions, and then stored in the resulting file -descriptor to validate future operations against. - -The sendfile(2) system call does not check the file descriptor access -flags before sending data from a file. - -III. 
Impact - -If a file is write-only, a user process can open the file and use -sendfile to send the content of the file over a socket, even though the -user does not have read access to the file, resulting in possible -disclosure of sensitive information. - -IV. Workaround - -No workaround is available, but systems are only vulnerable if -write-only files exist, which are not widely used. - -V. Solution - -Perform one of the following: - -1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or -7.0-PRERELEASE, or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, -RELENG_6_1, or RELENG_5_5 security branch dated after the correction -date. - -2) To patch your present system: - -The following patches have been verified to apply to FreeBSD 5.5, 6.1, -6.2, 6.3, and 7.0 systems. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -[FreeBSD 6.2, 6.3, and 7.0] -# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile.patch -# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile.patch.asc - -[FreeBSD 6.1] -# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile61.patch -# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile61.patch.asc - -[FreeBSD 5.5] -# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile55.patch -# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile55.patch.asc - -b) Apply the patch. - -# cd /usr/src -# patch < /path/to/patch - -c) Recompile your kernel as described in -<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the -system. - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. 
- -Branch Revision - Path -- ------------------------------------------------------------------------- -RELENG_5 - src/sys/kern/kern_descrip.c 1.243.2.11 -RELENG_5_5 - src/UPDATING 1.342.2.35.2.20 - src/sys/conf/newvers.sh 1.62.2.21.2.21 - src/sys/kern/kern_descrip.c 1.243.2.9.2.1 -RELENG_6 - src/sys/kern/kern_descrip.c 1.279.2.16 - src/sys/kern/uipc_syscalls.c 1.221.2.5 -RELENG_6_3 - src/UPDATING 1.416.2.37.2.5 - src/sys/conf/newvers.sh 1.69.2.15.2.4 - src/sys/kern/kern_descrip.c 1.279.2.15.2.1 - src/sys/kern/uipc_syscalls.c 1.221.2.4.4.1 -RELENG_6_2 - src/UPDATING 1.416.2.29.2.15 - src/sys/conf/newvers.sh 1.69.2.13.2.14 - src/sys/kern/kern_descrip.c 1.279.2.9.2.1 - src/sys/kern/uipc_syscalls.c 1.221.2.4.2.1 -RELENG_6_1 - src/UPDATING 1.416.2.22.2.26 - src/sys/conf/newvers.sh 1.69.2.11.2.25 - src/sys/kern/kern_descrip.c 1.279.2.6.2.1 - src/sys/kern/uipc_syscalls.c 1.221.2.1.2.1 -RELENG_7 - src/sys/kern/kern_descrip.c 1.313.2.1 - src/sys/kern/uipc_syscalls.c 1.259.2.2 -RELENG_7_0 - src/UPDATING 1.507.2.3.2.3 - src/sys/kern/kern_descrip.c 1.313.4.1 - src/sys/kern/uipc_syscalls.c 1.259.4.2 -- ------------------------------------------------------------------------- - -VII. References - -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0777 - -The latest revision of this advisory is available at -http://security.FreeBSD.org/advisories/FreeBSD-SA-08:03.sendfile.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.8 (FreeBSD) - -iD8DBQFHtC0DFdaIBMps37IRAqp8AJ91+flnCIUSvKoFQyXfD1YTnPnuqgCcDiPJ -SR4X1dNFENsHMq9ROrQhr1c= -=TX1R ------END PGP SIGNATURE----- |
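Review bot: Nothing visible with this deletion says where the advisory is kept once share/security/advisories/FreeBSD-SA-08:03.sendfile.asc is gone, and the text being removed is itself what points readers to it: section VII gives http://security.FreeBSD.org/advisories/FreeBSD-SA-08:03.sendfile.asc as the location of the latest revision, and section V sends them to the patches under http://security.FreeBSD.org/patches/SA-08:03/. Please state in the commit message where the clearsigned copy now lives and confirm that both URLs still resolve after this change, so the advisory for CVE-2008-0777 and its PGP signature remain retrievable and verifiable byte for byte.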