[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 436/05 - FreeBSD - Three Security Advisories



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 436/05 dated 09.06.05  Time: 15:20  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
FreeBSD - Three Security Advisories:
     1.  Infinite loops in tcpdump protocol decoding [FreeBSD-SA-05:10]
     2.  gzip directory traversal and permission race vulnerabilities [FreeBSD-SA-05:11]
     3.  BIND 9 DNSSEC remote denial of service vulnerability [FreeBSD-SA-05:12]


Detail
====== 

Security advisory summaries:

     1.  Several tcpdump protocol decoders contain programming errors which can
         cause them to go into infinite loops. An attacker can inject specially 
         crafted packets into the network which, when processed by tcpdump, could 
         lead to a denial-of-service.

     2.  The first problem is that gzip does not properly sanitize filenames
         containing "/" when uncompressing files using the -N command line
         option.  The second problem is that gzip does not set permissions on newly
         extracted files until after the file has been created and the file
         descriptor has been closed.
  
     3.  On systems with DNSSEC enabled, a remote attacker may be able to inject
         a specially crafted packet that will cause the internal consistency test
         to trigger, and named(8) to terminate.  As a result, the name server
         will no longer be available to service requests.


Security advisory content follows:

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:10.tcpdump                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Infinite loops in tcpdump protocol decoding

Category:       contrib
Module:         tcpdump
Announced:      2005-06-09
Credits:        "Vade 79", Simon L. Nielsen
Affects:        FreeBSD 5.3-RELEASE and FreeBSD 5.4-RELEASE
Corrected:      2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE)
                2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2)
                2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
CVE Name:       CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The tcpdump utility is used to capture and examine network traffic.

II.  Problem Description

Several tcpdump protocol decoders contain programming errors which can
cause them to go into infinite loops.

III. Impact

An attacker can inject specially crafted packets into the network
which, when processed by tcpdump, could lead to a denial-of-service.
After the attack, tcpdump would no longer capture traffic, and would
potentially use all available processor time.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4
or RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3 and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:10/tcpdump.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:10/tcpdump.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump/tcpdump
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- - -------------------------------------------------------------------------
RELENG_5
  src/contrib/tcpdump/print-bgp.c                             1.1.1.5.2.1
  src/contrib/tcpdump/print-isoclns.c                            1.12.2.1
  src/contrib/tcpdump/print-ldp.c                             1.1.1.1.2.1
  src/contrib/tcpdump/print-rsvp.c                            1.1.1.1.2.1
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.11
  src/sys/conf/newvers.sh                                   1.62.2.18.2.7
  src/contrib/tcpdump/print-bgp.c                             1.1.1.5.6.1
  src/contrib/tcpdump/print-isoclns.c                            1.12.6.1
  src/contrib/tcpdump/print-ldp.c                             1.1.1.1.6.1
  src/contrib/tcpdump/print-rsvp.c                            1.1.1.1.6.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.19
  src/sys/conf/newvers.sh                                  1.62.2.15.2.21
  src/contrib/tcpdump/print-bgp.c                             1.1.1.5.4.1
  src/contrib/tcpdump/print-isoclns.c                            1.12.4.1
  src/contrib/tcpdump/print-ldp.c                             1.1.1.1.4.1
  src/contrib/tcpdump/print-rsvp.c                            1.1.1.1.4.1
- - -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1280
http://marc.theaimsgroup.com/?l=bugtraq&m=111454406222040
http://marc.theaimsgroup.com/?l=bugtraq&m=111454461300644

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:10.tcpdump.asc
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCqBbUFdaIBMps37IRAlxdAJ9AsT7o5k1woMpE3DlC+HBebZlLKACfYFjD
0VOBWDzUFdR8IErJEYU2+9w=
=1cKJ
- -----END PGP SIGNATURE-----




2.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:11.gzip                                       Security Advisory
                                                          The FreeBSD Project

Topic:          gzip directory traversal and permission race vulnerabilities

Category:       contrib
Module:         gzip
Announced:      2005-06-09
Credits:        Ulf Harnhammar, Imran Ghory
Affects:        All FreeBSD releases
Corrected:      2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE)
                2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2)
                2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
                2005-06-08 21:29:53 UTC (RELENG_4, 4.11-STABLE)
                2005-06-08 21:30:43 UTC (RELENG_4_11, 4.11-RELEASE-p10)
                2005-06-08 21:31:16 UTC (RELENG_4_10, 4.10-RELEASE-p15)
CVE Name:       CAN-2005-0988, CAN-2005-1228

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

gzip is a file compression utility.

II.  Problem Description

Two problems related to extraction of files exist in gzip:

The first problem is that gzip does not properly sanitize filenames
containing "/" when uncompressing files using the -N command line
option.

The second problem is that gzip does not set permissions on newly
extracted files until after the file has been created and the file
descriptor has been closed.

III. Impact

The first problem can allow an attacker to overwrite arbitrary local
files when uncompressing a file using the -N command line option.

The second problem can allow a local attacker to change the
permissions of arbitrary local files, on the same partition as the one
the user is uncompressing a file on, by removing the file the user is
uncompressing and replacing it with a hardlink before the uncompress
operation is finished.

IV.  Workaround

Do not use the -N command line option on untrusted files and do not
uncompress files in directories where untrusted users have write
access.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:11/gzip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:11/gzip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/gzip
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- - -------------------------------------------------------------------------
RELENG_4
  src/gnu/usr.bin/gzip/gzip.c                                    1.10.2.1
RELENG_4_11
  src/UPDATING                                             1.73.2.91.2.11
  src/sys/conf/newvers.sh                                  1.44.2.39.2.14
  src/gnu/usr.bin/gzip/gzip.c                                   1.10.26.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.16
  src/sys/conf/newvers.sh                                  1.44.2.34.2.17
  src/gnu/usr.bin/gzip/gzip.c                                   1.10.24.1
RELENG_5
  src/gnu/usr.bin/gzip/gzip.c                                    1.11.2.1
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.11
  src/sys/conf/newvers.sh                                   1.62.2.18.2.7
  src/gnu/usr.bin/gzip/gzip.c                                    1.11.6.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.19
  src/sys/conf/newvers.sh                                  1.62.2.15.2.21
  src/gnu/usr.bin/gzip/gzip.c                                    1.11.4.1
- - -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1228
http://marc.theaimsgroup.com/?l=bugtraq&m=111271860708210
http://marc.theaimsgroup.com/?l=bugtraq&m=111402732406477

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:11.gzip.asc
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCqBbGFdaIBMps37IRAttLAJ41WPmKXczZAZgrBGBP1GorSM7E1gCfc8w9
KFbns+zs2umrId0mCg1SjVk=
=6MzW
- -----END PGP SIGNATURE-----




3.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:12.bind9                                      Security Advisory
                                                          The FreeBSD Project

Topic:          BIND 9 DNSSEC remote denial of service vulnerability

Category:       core
Module:         bind9
Announced:      2005-06-09
Credits:        Internet Systems Consortium
Affects:        FreeBSD 5.3
Corrected:      2005-03-23 18:16:29 UTC (RELENG_5, 5.3-STABLE)
                2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
CVE Name:       CAN-2005-0034

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is the Internet domain name server.  DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication and integrity to the DNS protocols.

DNSSEC is not enabled by default in any FreeBSD release.  A system
administrator must take special action to enable DNSSEC.

II.  Problem Description

A DNSSEC-related validator function in BIND 9.3.0 contains an
inappropriate internal consistency test.  When this test is triggered,
named(8) will exit.

III. Impact

On systems with DNSSEC enabled, a remote attacker may be able to inject
a specially crafted packet that will cause the internal consistency test
to trigger, and named(8) to terminate.  As a result, the name server
will no longer be available to service requests.

IV.  Workaround

DNSSEC is not enabled by default, and the "dnssec-enable" directive is
not normally present.  If DNSSEC has been enabled, disable it by
changing the "dnssec-enable" directive to "dnssec-enable no;" in the
named.conf(5) configuration file.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_3
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:12/bind9.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:12/bind9.patch.asc

b) Execute the following commands as root:

# cd /usr/src/
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- - -------------------------------------------------------------------------
RELENG_5
  src/contrib/bind9/lib/dns/validator.c                       1.1.1.1.2.2
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.19
  src/sys/conf/newvers.sh                                  1.62.2.15.2.21
  src/contrib/bind9/lib/dns/validator.c                   1.1.1.1.2.1.2.1
- - -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0034
http://www.kb.cert.org/vuls/id/938617
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.isc.org/index.pl?/sw/bind/bind9.php

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:12.bind9.asc
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCqBbfFdaIBMps37IRAiphAKCG8CX6eNFMNQYhahAER4gFVFc54wCfRZye
2C6LIcrq47xn5SRRV3T9ZL4=
=gFcD
- -----END PGP SIGNATURE-----


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of FreeBSD for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQqhQi4pao72zK539AQEDcAP/dT7ipttoZHbVU4iHzu9/rFQgHRlOqJ8E
IQQKfkLK5HFvR1O6D7ppohmWMa8iGC/wPILuA2f6dvuZ8gWGKrsH+I80LFRVkVcI
mSuZ0r+SJAVTiQRUMSveenkjt2HNtRjK+N+Jn/tkdfa2KcR4XM3x2Y8S3Rhhmr/2
3szNlbLUG6s=
=4yar
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________