Bug#483152: kfreebsd-7: Multiple CVEs issued


Bug#483152: kfreebsd-7: Multiple CVEs issued

by Steffen Joeris

Package: kfreebsd-7
Severity: important
Tags: security

Hi

A few CVEs have been issued against kfreebsd-7. It would be great if
one of the maintainers could pick them up and judge them. Maybe it
is worth filing separate bug reports with higher severity, but I'll
leave that to you guys for now :)

If you fix any of these issues via an upload, please do not forget to
mention the CVE id in the changelog.

CVE-2008-0177:

The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME
project before 20071201 does not properly check the return value of the
m_pulldown function, which allows remote attackers to cause a denial of
service (system crash) via an IPv6 packet with an IPComp header.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177


CVE-2008-0216:

The ptsname function in FreeBSD 6.0 through 7.0-PRERELEASE does not
properly verify that a certain portion of a device name is associated
with a pty of a user who is calling the pt_chown function, which might
allow local users to read data from the pty from another user.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0216


CVE-2008-0217:

The script program in FreeBSD 5.0 through 7.0-PRERELEASE invokes
openpty, which creates a pseudo-terminal with world-readable and
world-writable permissions when it is not run as root, which allows
local users to read data from the terminal of the user running script.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0217


CVE-2008-0777:

The sendfile system call in FreeBSD 5.5 through 7.0 does not check the
access flags of the file descriptor used for sending a file, which
allows local users to read the contents of write-only files.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0777


CVE-2008-1146:

A certain pseudo-random number generator (PRNG) algorithm that uses XOR
and 3-bit random hops (aka "Algorithm X3"), as used in OpenBSD 2.8
through 4.2, allows remote attackers to guess sensitive values such as
DNS transaction IDs by observing a sequence of previously generated
values. NOTE: this issue can be leveraged for attacks such as DNS cache
poisoning against OpenBSD's modification of BIND.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1146


CVE-2008-1147:

A certain pseudo-random number generator (PRNG) algorithm that uses XOR
and 2-bit random hops (aka "Algorithm X2"), as used in OpenBSD 2.6
through 3.4, Mac OS X 10 through 10.5.1, FreeBSD 4.4 through 7.0, and
DragonFlyBSD 1.0 through 1.10.1, allows remote attackers to guess
sensitive values such as IP fragmentation IDs by observing a sequence of
previously generated values. NOTE: this issue can be leveraged for
attacks such as injection into TCP packets and OS fingerprinting.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1147


CVE-2008-1148:

A certain pseudo-random number generator (PRNG) algorithm that uses ADD
with 0 random hops (aka "Algorithm A0"), as used in OpenBSD 3.5 through
4.2 and NetBSD 1.6.2 through 4.0, allows remote attackers to guess
sensitive values such as (1) DNS transaction IDs or (2) IP fragmentation
IDs by observing a sequence of previously generated values. NOTE: this
issue can be leveraged for attacks such as DNS cache poisoning,
injection into TCP packets, and OS fingerprinting.
 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1148


CVE-2008-1391:

Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x,
and probably other BSD and Apple Mac OS platforms allow
context-dependent attackers to execute arbitrary code via large values
of certain integer fields in the format argument to (1) the strfmon
function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro;
and (2) the printf function, related to left_prec and right_prec.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1391

Cheers
Steffen



--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...
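CVE-2008-0777 above comes down to one missing check: sendfile(2) never confirmed that the descriptor it was told to read from had actually been opened for reading, so a write-only descriptor on a file the caller could not read became a read path. The block below is an added example, not code from this bug report or from FreeBSD, that expresses the same check in user space: `check_send_fd_readable` asks the kernel for the descriptor's access mode with fcntl(F_GETFL) and refuses anything that is not O_RDONLY or O_RDWR. The pipe-based demo helpers and their names are constructed for the illustration.

```c
/* Added example: a user-space version of the access-flag check that
 * CVE-2008-0777 describes as missing from sendfile(2). Not from the bug
 * report or from FreeBSD; the helper names are constructed for this demo. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 0 when fd was opened for reading (O_RDONLY or O_RDWR), otherwise
 * -1 with errno set to EBADF. This is the property a correct sendfile has to
 * establish before it reads file contents on the caller's behalf. */
int check_send_fd_readable(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1)
        return -1;                      /* not an open descriptor; errno is EBADF */
    int mode = flags & O_ACCMODE;
    if (mode != O_RDONLY && mode != O_RDWR) {
        errno = EBADF;                  /* write-only: refuse, do not expose the data */
        return -1;
    }
    return 0;
}

/* A pipe yields one read-only and one write-only descriptor, which exercises
 * both branches without creating files. Each helper returns 1 if the guard
 * accepts that end, 0 if it refuses, -1 if the pipe could not be created. */
static int pipe_end_result(int which)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    int rc = check_send_fd_readable(fds[which]) == 0 ? 1 : 0;
    close(fds[0]);
    close(fds[1]);
    return rc;
}

int demo_pipe_read_end(void)  { return pipe_end_result(0); }
int demo_pipe_write_end(void) { return pipe_end_result(1); }

/* /dev/null opened read-write must be accepted: O_RDWR is a valid source. */
int demo_devnull_rdwr(void)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd == -1)
        return -1;
    int rc = check_send_fd_readable(fd) == 0 ? 1 : 0;
    close(fd);
    return rc;
}

int main(void)
{
    printf("pipe read end   : %s\n", demo_pipe_read_end()  == 1 ? "allowed" : "refused");
    printf("pipe write end  : %s\n", demo_pipe_write_end() == 1 ? "allowed" : "refused");
    printf("/dev/null O_RDWR: %s\n", demo_devnull_rdwr()   == 1 ? "allowed" : "refused");
    printf("closed fd -1    : %s\n", check_send_fd_readable(-1) == 0 ? "allowed" : "refused");
    return 0;
}
```

The guard is the kernel's job, not the caller's; the point of doing it in user space here is only to make the rule concrete: the access mode recorded at open(2) time, not the file's permission bits at send time, is what decides whether a descriptor may be used as a read source.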


Bug#483152: kfreebsd-7: Multiple CVEs issued

by Petr Salinger-3

> A few CVEs have been issued against kfreebsd-7. It would be great if
> one of the maintainers could pick them up and judge them. Maybe it
> is worth filing separate bug reports with higher severity, but I'll
> leave that to you guys for now :)
>
> If you fix any of these issues via an upload, please do not forget to
> mention the CVE id in the changelog.
>
> CVE-2008-0177:
>
> The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME
> project before 20071201 does not properly check the return value of the
> m_pulldown function, which allows remote attackers to cause a denial of
> service (system crash) via an IPv6 packet with an IPComp header.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177

http://security.freebsd.org/advisories/FreeBSD-SA-08:04.ipsec.asc
FreeBSD 5.5 only


> CVE-2008-0216:
>
> The ptsname function in FreeBSD 6.0 through 7.0-PRERELEASE does not
> properly verify that a certain portion of a device name is associated
> with a pty of a user who is calling the pt_chown function, which might
> allow local users to read data from the pty from another user.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0216

http://security.freebsd.org/advisories/FreeBSD-SA-08:01.pty.asc
Userspace bug, does not affect kfreebsd-x.


> CVE-2008-0217:
>
> The script program in FreeBSD 5.0 through 7.0-PRERELEASE invokes
> openpty, which creates a pseudo-terminal with world-readable and
> world-writable permissions when it is not run as root, which allows
> local users to read data from the terminal of the user running script.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0217

http://security.freebsd.org/advisories/FreeBSD-SA-08:01.pty.asc
Userspace bug, does not affect kfreebsd-x.

> CVE-2008-0777:
>
> The sendfile system call in FreeBSD 5.5 through 7.0 does not check the
> access flags of the file descriptor used for sending a file, which
> allows local users to read the contents of write-only files.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0777

http://security.freebsd.org/advisories/FreeBSD-SA-08:03.sendfile.asc
fixed in
   kfreebsd-7 (7.0-1)
   kfreebsd-6 (6.3-3)


> CVE-2008-1146:
>
> A certain pseudo-random number generator (PRNG) algorithm that uses XOR
> and 3-bit random hops (aka "Algorithm X3"), as used in OpenBSD 2.8
> through 4.2, allows remote attackers to guess sensitive values such as
> DNS transaction IDs by observing a sequence of previously generated
> values. NOTE: this issue can be leveraged for attacks such as DNS cache
> poisoning against OpenBSD's modification of BIND.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1146


> CVE-2008-1147:
>
> A certain pseudo-random number generator (PRNG) algorithm that uses XOR
> and 2-bit random hops (aka "Algorithm X2"), as used in OpenBSD 2.6
> through 3.4, Mac OS X 10 through 10.5.1, FreeBSD 4.4 through 7.0, and
> DragonFlyBSD 1.0 through 1.10.1, allows remote attackers to guess
> sensitive values such as IP fragmentation IDs by observing a sequence of
> previously generated values. NOTE: this issue can be leveraged for
> attacks such as injection into TCP packets and OS fingerprinting.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1147
>
>
> CVE-2008-1148:
>
> A certain pseudo-random number generator (PRNG) algorithm that uses ADD
> with 0 random hops (aka "Algorithm A0"), as used in OpenBSD 3.5 through
> 4.2 and NetBSD 1.6.2 through 4.0, allows remote attackers to guess
> sensitive values such as (1) DNS transaction IDs or (2) IP fragmentation
> IDs by observing a sequence of previously generated values. NOTE: this
> issue can be leveraged for attacks such as DNS cache poisoning,
> injection into TCP packets, and OS fingerprinting.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1148


There is no FreeBSD Security Advisory (yet).


> CVE-2008-1391:
>
> Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x,
> and probably other BSD and Apple Mac OS platforms allow
> context-dependent attackers to execute arbitrary code via large values
> of certain integer fields in the format argument to (1) the strfmon
> function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro;
> and (2) the printf function, related to left_prec and right_prec.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1391

Looks like a userspace bug, should not affect kfreebsd-x.

Petr




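Petr classes CVE-2008-1391 as a userspace bug; the CVE text points at unchecked digit accumulation behind strfmon's GET_NUMBER macro and printf's left_prec/right_prec fields, where a long run of digits in the format string wraps the int that later sizes buffers. As an added example that is not FreeBSD's libc code, here is a parser for the strfmon(3) spec grammar `%[flags][w][#n][.p](i|n)` whose digit loop tests for overflow before it multiplies and caps every numeric field. FIELD_MAX, the struct and the helper names are assumptions made for this demo, not values from the page.

```c
/* Added example, not FreeBSD's libc: parsing the numeric fields of a
 * strfmon(3) conversion spec without the unchecked "VAR = VAR*10 + digit"
 * accumulation that CVE-2008-1391 describes. FIELD_MAX and the helper names
 * are constructed for this demo. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Bound every width/precision so that later buffer arithmetic cannot
 * overflow either; a constructed limit for the demo. */
#define FIELD_MAX 4096

struct money_spec {
    int width;       /* minimum field width  (w),  0 if absent */
    int left_prec;   /* digits before radix  (#n), 0 if absent */
    int right_prec;  /* digits after radix   (.p), 0 if absent */
    char conversion; /* 'i' or 'n'                             */
};

/* Accumulates a run of decimal digits at *p into *out and advances *p.
 * Returns false, leaving *out untouched, if the value would exceed max;
 * the test happens before the multiply, so the int can never wrap. */
bool parse_field_number(const char **p, int max, int *out)
{
    int value = 0;
    const char *s = *p;
    while (isdigit((unsigned char)*s)) {
        int digit = *s - '0';
        if (value > (max - digit) / 10)   /* i.e. value*10 + digit > max */
            return false;
        value = value * 10 + digit;
        s++;
    }
    *p = s;
    *out = value;
    return true;
}

/* Parses one %[flags][w][#n][.p](i|n) spec. Returns 0 on success, -1 if the
 * spec is malformed or any numeric field is larger than FIELD_MAX. */
int parse_money_spec(const char *fmt, struct money_spec *spec)
{
    const char *p = fmt;
    if (*p++ != '%')
        return -1;
    spec->width = spec->left_prec = spec->right_prec = 0;
    for (;;) {                             /* flag characters; "=f" carries a fill byte */
        if (*p == '=' && p[1] != '\0')
            p += 2;
        else if (*p == '^' || *p == '+' || *p == '(' || *p == '!' || *p == '-')
            p++;
        else
            break;
    }
    if (isdigit((unsigned char)*p) && !parse_field_number(&p, FIELD_MAX, &spec->width))
        return -1;
    if (*p == '#') {
        p++;
        if (!isdigit((unsigned char)*p) || !parse_field_number(&p, FIELD_MAX, &spec->left_prec))
            return -1;
    }
    if (*p == '.') {
        p++;
        if (!isdigit((unsigned char)*p) || !parse_field_number(&p, FIELD_MAX, &spec->right_prec))
            return -1;
    }
    if (*p != 'i' && *p != 'n')
        return -1;
    spec->conversion = *p;
    return 0;
}

/* Single-value accessor: which is 'w', 'l' or 'r'; returns -1 on a rejected spec. */
int spec_field(const char *fmt, char which)
{
    struct money_spec s;
    if (parse_money_spec(fmt, &s) != 0)
        return -1;
    return which == 'w' ? s.width : which == 'l' ? s.left_prec : s.right_prec;
}

int main(void)
{
    /* constructed sample specs: two valid, one overflowing, one over the cap */
    const char *samples[] = { "%#5.3n", "%=*12#5.2i", "%#99999999999999999999n", "%#5000n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct money_spec s;
        if (parse_money_spec(samples[i], &s) == 0)
            printf("%-26s width=%d left=%d right=%d conv=%c\n",
                   samples[i], s.width, s.left_prec, s.right_prec, s.conversion);
        else
            printf("%-26s rejected\n", samples[i]);
    }
    return 0;
}
```

The two defences are independent: the pre-multiply comparison is what stops the integer from wrapping, and the cap is what keeps a merely large but non-wrapping value from reaching the allocation and copy logic further down; a fix that only adds the second still leaves the first hole open.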