| Topic: |
Kernel memory disclosure in ifconf() |
|
|
| Category: |
core |
| Module: |
sys_net |
| Announced: |
2005-04-15 |
| Credits: |
Ilja van Sprundel |
| Affects: |
All FreeBSD 4.x releases
All FreeBSD 5.x releases prior to 5.4-RELEASE |
Corrected:
2005-04-15 01:51:44 UTC (RELENG_5, 5.4-STABLE)
2005-04-15 01:52:03 UTC (RELENG_5_4, 5.4-RELEASE)
2005-04-15 01:52:25 UTC (RELENG_5_3, 5.3-RELEASE-p9)
2005-04-15 01:52:40 UTC (RELENG_4, 4.11-STABLE)
2005-04-15 01:52:57 UTC (RELENG_4_11, 4.11-RELEASE-p3)
2005-04-15 01:53:14 UTC (RELENG_4_10, 4.10-RELEASE-p8)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
The SIOCGIFCONF ioctl allows a user process to ask the kernel to produce
a list of the existing network interfaces and copy it into a buffer
provided by the user process.
II. Problem Description
In generating the list of network interfaces, the kernel writes into a
portion of a buffer without first zeroing it. As a result, the prior
contents of the buffer will be disclosed to the calling process.
III. Impact
Up to 12 bytes of kernel memory may be disclosed to the user process.
Such memory might contain sensitive information, such as portions of
the file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way. For example, a terminal buffer might include a user-entered
password
IV. Workaround
No known workaround.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the
correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.10, 4.11,
and 5.3 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.x]
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf4.patch
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf4.patch.asc
[FreeBSD 5.3]
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf5.patch
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:04/ifconf5.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html>
and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch
Path Revision
--------------------------------------------------------------------------------------------------------
| RELENG_4 |
| |
src/sys/net/if.c |
1.85.2.29 |
| RELENG_4_11 |
| |
src/UPDATING |
1.73.2.91.2.4 |
| |
src/sys/conf/newvers.sh |
1.44.2.39.2.7 |
| |
src/sys/net/if.c |
1.85.2.28.2.1 |
| RELENG_4_10 |
| |
src/UPDATING |
1.73.2.90.2.9 |
| |
src/sys/conf/newvers.sh |
1.44.2.34.2.10 |
| |
src/sys/net/if.c |
1.85.2.25.2.1 |
| RELENG_5 |
| |
src/sys/net/if.c |
1.199.2.15 |
| RELENG_5_4 |
| |
src/UPDATING |
1.342.2.24.2.3 |
| |
src/sys/net/if.c |
1.199.2.14.2.1 |
| RELENG_5_3 |
| |
src/UPDATING |
1.342.2.13.2.12 |
| |
src/sys/conf/newvers.sh |
1.62.2.15.2.14 |
| |
src/sys/net/if.c |
1.199.2.7.2.3 |
--------------------------------------------------------------------------------------------------------
|
Security Advisory 
Postfix - "Krok po kroku" v1.1
sdi.sh
uEagle 1.0p1
