Quantcast

Maximum PC

It is currently Thu Oct 30, 2014 5:08 am

All times are UTC - 8 hours




Post new topic Reply to topic  [ 3 posts ] 
Author Message
 Post subject: FreeBSD Security Advisory FreeBSD-SA-04:15.syscons
PostPosted: Mon Oct 04, 2004 3:11 pm 
In the lab!
In the lab!
User avatar

Joined: Sun Jun 06, 2004 10:47 am
Posts: 831
Location: Secret Laboratory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================
FreeBSD-SA-04:15.syscons Security Advisory
The FreeBSD Project

Topic: Boundary checking errors in syscons

Category: core
Module: sys_dev_syscons
Announced: 2004-10-04
Credits: Christer Oberg
Affects: FreeBSD 5.x releases
Corrected: 2004-09-30 17:49:15 UTC (RELENG_5, 5.3-BETA6)
2004-10-04 17:04:25 UTC (RELENG_5_2, 5.2.1-RELEASE-p11)
CVE Name: CAN-2004-0919
FreeBSD only: YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://KILLMEPLEASE.org/security/>.

I. Background

syscons(4) is the default console driver for FreeBSD. Using the
physical keyboard and screen, it provides multiple virtual terminals
which appear as if they were separate terminals. One virtual terminal
is considered current and exclusively occupies the screen and the
keyboard; the other virtual terminals are placed in the background.

II. Problem Description

The syscons CONS_SCRSHOT ioctl(2) does insufficient validation of
its input arguments. In particular, negative coordinates or large
coordinates may cause unexpected behavior.

III. Impact

It may be possible to cause the CONS_SCRSHOT ioctl to return portions of
kernel memory. Such memory might contain sensitive information, such as
portions of the file cache or terminal buffers. This information might
be directly useful, or it might be leveraged to obtain elevated
privileges in some way. For example, a terminal buffer might include a
user-entered password.

IV. Workaround

There is no known workaround. However, this bug is only exploitable
by users who have access to the physical console or can otherwise open
a /dev/ttyv* device node.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to the RELENG_5_2 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.2
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... cons.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ ... .patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://KILLMEPLEASE.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5_2
src/UPDATING 1.282.2.19
src/sys/conf/newvers.sh 1.56.2.18
src/sys/dev/syscons/syscons.c 1.409.2.1
- -------------------------------------------------------------------------

VII. References

<URL:http://cvsweb.freebsd.org/src/sys/dev/syscons/syscons.c.diff?r1=1.428&r2=1.429>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBYYMTFdaIBMps37IRAuNbAJ4jbPnqo3vvEeD33ItW09r3zAuh5QCghq5v
SN4Y+OCpzJ7Szy3s++slzeQ=
=FlYi
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listin ... d-announce


Top
  Profile  
 
 Post subject:
PostPosted: Sat Nov 06, 2004 12:37 am 
Million Club 2+ [PC]
Million Club 2+ [PC]
User avatar

Joined: Mon Jun 14, 2004 11:20 am
Posts: 1700
bump


Top
  Profile  
 
 Post subject:
PostPosted: Sat Nov 06, 2004 1:12 am 
Smithfield
Smithfield
User avatar

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
one more bump... in case logans wasn't enough


Top
  Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC - 8 hours


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group

© 2014 Future US, Inc. All rights reserved.