zzz
инвалид умственного труда
владельцам freebsd боксов 7.x & up, не читающим рассылку freebsd-security. вышел эксплоит, позволяющий непривилегированному пользователю получить рута:
From: FreeBSD Security Officer
To: FreeBSD Security Advisories
Subject: Upcoming FreeBSD Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
A short time ago a "local root" exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root.
Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues -- in short, use at your own risk (even more than usual).
The patch is at http://people.freebsd.org/~cperciva/rtld.patch
and has SHA256 hash
ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1
I expect a full security advisory concerning this issue will go out on Wednesday December 2nd.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)
iEYEARECAAYFAksUbjcACgkQFdaIBMps37LP9ACgljaYCfgVuhD2gd9Natpq4H/9
i48An1mgl+Mih+AWN7J9KZ1rsiEU31IZ
=MPXj
-----END PGP SIGNATURE-----
--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
NB на 7.0 и 7.1 предлагается накатывать другой патч:
Just to ease other's life: for 7.1 (and 7.0, but it seems to be at EoL now, so there is already no support for it), one should use another patch:
-----
http://codelabs.ru/fbsd/patches/vulns/free...d-unsetenv.diff
SHA256 (freebsd-7.0-rtld-unsetenv.diff) = e5ebbea24073bf644d3bc0c1ba37674a387af656b4c7e583a564a83598930897
SHA1 (freebsd-7.0-rtld-unsetenv.diff) = 24a79be52be0ea00ed0ea279f25efbf597f9c850
-----
Actually, every system that has rtld.c with r190323 or lower, should use this variant -- clearing of LD_ELF_HINTS_PATH was introduced only in r190324.
By the way, if people are using NO_DYNAMIC_ROOT and all setuid executables come from the system itself (no sudo and other stuff from ports or manual installations), such system is obviously safe from this issue -- no dynamic loading takes place. I don't mean that people with such systems shouldn't upgrade, but they probably can do it with a least urgency.
From: FreeBSD Security Officer
To: FreeBSD Security Advisories
Subject: Upcoming FreeBSD Security Advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all,
A short time ago a "local root" exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root.
Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues -- in short, use at your own risk (even more than usual).
The patch is at http://people.freebsd.org/~cperciva/rtld.patch
and has SHA256 hash
ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1
I expect a full security advisory concerning this issue will go out on Wednesday December 2nd.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)
iEYEARECAAYFAksUbjcACgkQFdaIBMps37LP9ACgljaYCfgVuhD2gd9Natpq4H/9
i48An1mgl+Mih+AWN7J9KZ1rsiEU31IZ
=MPXj
-----END PGP SIGNATURE-----
--
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
NB на 7.0 и 7.1 предлагается накатывать другой патч:
Just to ease other's life: for 7.1 (and 7.0, but it seems to be at EoL now, so there is already no support for it), one should use another patch:
-----
http://codelabs.ru/fbsd/patches/vulns/free...d-unsetenv.diff
SHA256 (freebsd-7.0-rtld-unsetenv.diff) = e5ebbea24073bf644d3bc0c1ba37674a387af656b4c7e583a564a83598930897
SHA1 (freebsd-7.0-rtld-unsetenv.diff) = 24a79be52be0ea00ed0ea279f25efbf597f9c850
-----
Actually, every system that has rtld.c with r190323 or lower, should use this variant -- clearing of LD_ELF_HINTS_PATH was introduced only in r190324.
By the way, if people are using NO_DYNAMIC_ROOT and all setuid executables come from the system itself (no sudo and other stuff from ports or manual installations), such system is obviously safe from this issue -- no dynamic loading takes place. I don't mean that people with such systems shouldn't upgrade, but they probably can do it with a least urgency.