
Bug#483152: kfreebsd-7: Multiple CVEs issued



A few CVEs have been issued against kfreebsd-7. It would be great if
one of the maintainers could pick them up and judge them. Maybe it
is worth filing separate bug reports with higher severity, but I'll
leave that to you guys for now :)

If you fix any of these issues via an upload, please do not forget to
mention the CVE id in the changelog.

CVE-2008-0177:

The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME
project before 20071201 does not properly check the return value of the
m_pulldown function, which allows remote attackers to cause a denial of
service (system crash) via an IPv6 packet with an IPComp header.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177

http://security.freebsd.org/advisories/FreeBSD-SA-08:04.ipsec.asc
FreeBSD 5.5 only


CVE-2008-0216:

The ptsname function in FreeBSD 6.0 through 7.0-PRERELEASE does not
properly verify that a certain portion of a device name is associated
with a pty of a user who is calling the pt_chown function, which might
allow local users to read data from the pty from another user.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0216

http://security.freebsd.org/advisories/FreeBSD-SA-08:01.pty.asc
Userspace bug, does not affect kfreebsd-x.


CVE-2008-0217:

The script program in FreeBSD 5.0 through 7.0-PRERELEASE invokes
openpty, which creates a pseudo-terminal with world-readable and
world-writable permissions when it is not run as root, which allows
local users to read data from the terminal of the user running script.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0217

http://security.freebsd.org/advisories/FreeBSD-SA-08:01.pty.asc
Userspace bug, does not affect kfreebsd-x.

CVE-2008-0777:

The sendfile system call in FreeBSD 5.5 through 7.0 does not check the
access flags of the file descriptor used for sending a file, which
allows local users to read the contents of write-only files.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0777

http://security.freebsd.org/advisories/FreeBSD-SA-08:03.sendfile.asc
fixed in
  kfreebsd-7 (7.0-1)
  kfreebsd-6 (6.3-3)


CVE-2008-1146:

A certain pseudo-random number generator (PRNG) algorithm that uses XOR
and 3-bit random hops (aka "Algorithm X3"), as used in OpenBSD 2.8
through 4.2, allows remote attackers to guess sensitive values such as
DNS transaction IDs by observing a sequence of previously generated
values. NOTE: this issue can be leveraged for attacks such as DNS cache
poisoning against OpenBSD's modification of BIND.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1146


CVE-2008-1147:

A certain pseudo-random number generator (PRNG) algorithm that uses XOR
and 2-bit random hops (aka "Algorithm X2"), as used in OpenBSD 2.6
through 3.4, Mac OS X 10 through 10.5.1, FreeBSD 4.4 through 7.0, and
DragonFlyBSD 1.0 through 1.10.1, allows remote attackers to guess
sensitive values such as IP fragmentation IDs by observing a sequence of
previously generated values. NOTE: this issue can be leveraged for
attacks such as injection into TCP packets and OS fingerprinting.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1147


CVE-2008-1148:

A certain pseudo-random number generator (PRNG) algorithm that uses ADD
with 0 random hops (aka "Algorithm A0"), as used in OpenBSD 3.5 through
4.2 and NetBSD 1.6.2 through 4.0, allows remote attackers to guess
sensitive values such as (1) DNS transaction IDs or (2) IP fragmentation
IDs by observing a sequence of previously generated values. NOTE: this
issue can be leveraged for attacks such as DNS cache poisoning,
injection into TCP packets, and OS fingerprinting.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1148


There is no FreeBSD Security Advisory (yet).


CVE-2008-1391:

Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x,
and probably other BSD and Apple Mac OS platforms allow
context-dependent attackers to execute arbitrary code via large values
of certain integer fields in the format argument to (1) the strfmon
function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro;
and (2) the printf function, related to left_prec and right_prec.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1391

Looks like a userspace bug, should not affect kfreebsd-x.

Petr
