MidnightBSD Developer Journal

Sat, 9 Dec 2006

8:42 PM - HTTP downloads

I've setup HTTP downloads on the MidnightBSD website again.  The mirrors are now listed in a table with upload speed estimates when possible.  Its recommended you download from the ISC mirror.

()

Thu, 7 Dec 2006

Wed, 29 Nov 2006

12:50 AM - GNU tar

Teemu Salmela has reported a security issue in GNU tar, which can be
exploited by malicious people to overwrite arbitrary files.

The security issue is caused due to the "extract_archive()" function
in extract.c and the "extract_mangle()" function in mangle.c still
processing the deprecated "GNUTYPE_NAMES" record type containing
symbolic links. This can be exploited to overwrite arbitrary files by
e.g. tricking a user into unpacking a specially crafted tar file.

The security issue is reported in version 1.15.1 and 1.16. Other
versions may also be affected.


---

MidnightBSD mports included 1.15.1 which is vulnerable.

()

11:14 AM - lha vulnerabilities

Several vulnerabilities have been found in archivers/lha. These are similar to the gzip issues found a few months back. MidnightBSD was the first to get an update into ports as OpenBSD, NetBSD's pkgsrc and FreeBSD do not have an update in cvs. Several of the linux distros beat us to it, however.

In the process, I've switched the port over to a maintained version. The original had not been updated since 2000 and had port specific patches up to two years ago. OpenBSD is using this version as well although they haven't updated to p1.

The port was a bit rushed so please report any problems with it.

()

11:14 AM - OpenLDAP mport

OpenLDAP was updated to 2.3.30 to work around some potential security issues. OpenLDAP-sasl-client was added to mports as well.

()

11:14 AM - MSDOSFS fix

msdosfs was patched to handle dates correctly.

()

Tue, 28 Nov 2006

9:52 PM - Dovecot mport

The dovecot port was updated to fix a security issue and simply to catch it up. There were 8 release canidates since the version was added to ports. A few options changed in the config file. The default_mail_env variable changed name and requires a slightly different entry. Consult the new example config for mail_location to fix your paths.

()

Fri, 24 Nov 2006

6:42 PM - Security patches to several mports

I'm in the process of catching up on several security problems with ports. QT was updated to 3.3.7. PHP was updated to 5.2.0. Ruby was patched for a cgi vulnerability.

()

1:24 PM - lang/tcl83, tuxracer, MySQL 5.0.27

I've added the lang/tcl83 port as a dependancy of tuxracer which was also added today. I also added kdehier as a start toward kde in ports. I'm not going to push kde, but some users like some of the applications. GNUstep is still the focus of the project.

Yesterday, I updated MySQL to 5.0.27.

()

1:22 PM - NVIDIA mport

The NVIDIA driver port was updated to fix the buffer overflow vulnerability from some weeks back. I also added x11/nvidia-settings to allow configuration of graphics cards.

glxgears is working great with the new driver although i've noticed a problem with Enemy Territory.

()

Fri, 17 Nov 2006

5:35 PM - New mports

audio/nas, qmake, qt33, python 2.3, and python 2.4 were added to mports today. linux-thunderbird was updated.

()

Thu, 16 Nov 2006

8:40 AM - Vulnerability in Firewire

 Here is an advisory that also affects MidnightBSD.  A patch was added to cvs moments ago.  
--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If i really know, i can hack

GPG KeyID: 5E90CA19



________________________________________________
Message sent using UebiMiau 2.7.2




FreeBSD all versions FireWire IOCTL kernel integer overflow information disclousure
11/15/2006

Notice
===================
    This bug has been specially discovered for the Month of Kernel Bugs and to
    the Hackers to Hackers Conference III (http://www.h2hc.org.br/en/).


Summary
===================

    Firewire device is enabled by default in the GENERIC kernel.  It defines
    an IOCTL function which can be malicious called passing a negative buffer
    lenght value.  This value will bypass the lenght check (because the value
    is negative) and will be used in a copyout operation.

Systems Affected
===================

    FreeBSD     all versions
    NetBSD      all versions
    DragonFly   all versions
    TrustedBSD* all versions

Impact
===================

    This is a kernel bug and the system can be compromised by local users and 
    important system informations can be discloused (basically, a mem dump  ;)  )

Explanation
===================

    Firewire interface can be tunned.  It provides an ioctl function receiving
    many parameters that can be changed.

    The follow is a code fragment from (FreeBSD - dev/firewire/fwdev.c (fw_ioctl    function) || DragonFlyBSD bus/firewire/fwdev.c (fw_ioctl function) || NetBSD    - dev/ieee1394/fwdev.c (FW_IOCTL function)) file:

	if (crom_buf->len < len)
		len = crom_buf->len;
	else
		crom_buf->len = len;

	err = copyout(ptr, crom_buf->ptr, len);

    We control the crom_buf->len (it's passed as argument to the ioctl function)
    so, passing it as a negative value will bypass this if statement (our value
    is minor than the default one).

    So, our value is used in a copyout function. ptr is defined before this
    copyout as:
	 if ( fwdev == NULL ) {
		...
		ptr = malloc(CROMSIZE, M_FW, M_WAITOK);
		...
	 } else {
		ptr = (void *)&fwdev->csrrom[0];
		...
	}

    This information disclousure lead an attacker dump all the system memory.

Solution
===================

     Attached in this advisory a patch for the FreeBSD 5.5 (it's pretty simple,      so, just need to be little changed to the other BSD's)

Timelife
===================

     11/15/2006 - Advisory Public Disclousure (sorry for the developers, but we 
     are just respecting the Month of Kernel Bugs Timelife)

Acknowledgments
===================

     Filipe Balestra <filipe@balestra.com.br> and Rodrigo Rubira Branco 
     (BSDaemon) <rodrigo@kernelhacking.com> for the discovering, analysis
     and patch.

Contact Information
===================

     You can reach the authors of this advisory by mail or visiting some
     websites:
	http://www.balestra.com.br  -> Personal Website of Filipe
	http://www.risesecurity.org -> RISE Security Research (Rodrigo is member     of the RISE Security Team)
	http://www.kernelhacking.com/rodrigo -> Personal Website of Rodrigo

References
===================

     http://www.kernelhacking.com/bsdadv1.txt -> Actual version of the advisory
     http://www.risesecurity.org/RISE-2006002.txt -> Related issue

Disclaimer (taken from teso-team)
===================

     This advisory does not claim to be complete or to be usable for any
     purpose. Especially information on the vulnerable systems may be
     inaccurate or wrong. The supplied exploit is not to be used for malicious
     purposes, but for educational purposes only.

     This advisory is free for open distribution in unmodified form.



--- dev/firewire/fwdev.c.orig	Fri Oct 13 13:12:49 2006
+++ dev/firewire/fwdev.c	Fri Oct 13 13:13:42 2006
@@ -712,7 +712,7 @@ out:
 			else
 				len = fwdev->rommax - CSRROMOFF + 4;
 		}
-		if (crom_buf->len < len)
+		if (crom_buf->len < len && crom_buf->len > 0)
 			len = crom_buf->len;
 		else
 			crom_buf->len = len;

(1 comment | )

Tue, 14 Nov 2006

1:40 PM - (no subject)

Subversion was updated to the latest release.  This should fix the fetch issue some people were having. 

()

Thu, 9 Nov 2006

10:37 AM - Python 2.2

Python 2.2 was just added to mports. We now have 2.1 and 2.2 working on MidnightBSD. The 2.1 port makes a symlink to /usr/local/bin/python but the 2.2 port does not. If you use a port that requires python like subversion, you will need to manually add the symlink if you choose to use python 2.2

()

10:09 AM - OpenSSH port

OpenSSH port was updated to 4.5p1. Anyone concerned about the possible security issue can install this port.

()

9:11 AM - mports and openssh

A new version of OpenSSH was released. We are researching the need to update the version in base. The fix list states that there were bugs in solaris and a potential security hole that requires additional interference to compromise.

There have been several additions to ports. One of the most recent additions is xinetd.

()

Sat, 4 Nov 2006

1:06 PM - New ports

apr and subversion were added today.  python 2.1 now creates a symlink as python to enable these ports.

()

8:28 AM - Update

The python 2.1 port has been fixed.  We finally have working python on MidnightBSD.  We will attempt to port a recent version of Python soon, but the older version was much easier to get working. 

I will be experimenting with the package build system later today.  If the scripts work with python 2.1 or can easily be back ported, I should be able to build packages on the next snapshot or possibly beta release.  Including packages is a requirement for installing the graphical environment as we want to use ports to ease upgrades and allow us to automate software updates in the future. 

()