The FreeBSD Security Team has issued the following security warning:

FreeBSD-SA-09:06.ktimer – Local privilege escalation

I. Background

In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero.

II. Problem Description

An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked.
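
The kind of check involved, as an added example: this is a user-space C model written for illustration, not FreeBSD kernel code and not the advisory's patch. The names model_proc, model_timer, lookup_unchecked, lookup_checked and model_probe, and the table size of 32, are assumptions.

```c
#include <errno.h>
#include <stddef.h>

#define MODEL_TIMER_MAX 32   /* assumed per-process timer limit for this model */

struct model_timer { int in_use; long remaining_ticks; };

struct model_proc {
    struct model_timer *timers[MODEL_TIMER_MAX];   /* per-process timer table */
};

/* Unchecked form: the caller-supplied id indexes the table directly, so any
 * value outside 0..MODEL_TIMER_MAX-1 reads outside the table.
 * Shown for contrast only; it is never called in this example. */
struct model_timer *lookup_unchecked(struct model_proc *p, int timer_id)
{
    return p->timers[timer_id];
}

/* Checked form: reject negative ids, ids past the end of the table, and
 * slots with no live timer, all before the index is used. */
int lookup_checked(struct model_proc *p, int timer_id, struct model_timer **out)
{
    if (p == NULL || out == NULL)
        return EINVAL;
    if (timer_id < 0 || timer_id >= MODEL_TIMER_MAX)
        return EINVAL;
    if (p->timers[timer_id] == NULL || !p->timers[timer_id]->in_use)
        return EINVAL;
    *out = p->timers[timer_id];
    return 0;
}

/* Constructed sample: one live timer in slot 3, probed with a given id. */
int model_probe(int timer_id)
{
    static struct model_timer t = { 1, 100 };
    struct model_proc p = { { NULL } };
    struct model_timer *found = NULL;

    p.timers[3] = &t;
    return lookup_checked(&p, timer_id, &found);
}

int main(void)
{
    return model_probe(3);   /* slot 3 holds a live timer */
}
```

Because the id is a signed integer, the lower bound matters as much as the upper one: a test of `timer_id < MODEL_TIMER_MAX` alone would still accept negative values.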

III. Impact

An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to “become root”), to escape from a jail, or to bypass security mechanisms in other ways.

IV. Workaround

No workaround is available, but systems without untrusted local users are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or RELENG_7_0 security branch dated after the correction date.

For instructions on how to patch your system click here.