The FreeBSD Security Team has issued the following security warning:
FreeBSD-SA-09:06.ktimer – Local privilege escalation
In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero.
II. Problem Description
An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked.
An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to “become root”), to escape from a jail, or to bypass security mechanisms in other ways.
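A simplified user-space model of the class of bug described above, added here as an illustration and not taken from the FreeBSD kernel or the advisory. All names (`model_proc`, `MODEL_TIMER_MAX`, `lookup_checked`, `model_settime`) and the table size are assumptions. It contrasts indexing a per-process timer table with an unvalidated signed ID against a lookup that rejects out-of-range IDs and empty slots before any write happens.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: names and sizes are assumptions, not kernel identifiers. */
#define MODEL_TIMER_MAX 32

struct model_timer { int armed; long remaining; };
struct model_proc  { struct model_timer *timers[MODEL_TIMER_MAX]; };

/* Unchecked form: the caller-supplied signed id indexes the table directly,
 * so a negative or too-large id yields a pointer read from outside the table.
 * Kept for contrast; only ever called here with an in-range id. */
struct model_timer *lookup_unchecked(struct model_proc *p, int id)
{
    return p->timers[id];
}

/* Hardened form: validate the id against the table bounds before indexing. */
int lookup_checked(struct model_proc *p, int id, struct model_timer **out)
{
    if (id < 0 || id >= MODEL_TIMER_MAX)
        return EINVAL;              /* covers negative and too-large ids */
    if (p->timers[id] == NULL)
        return EINVAL;              /* slot in range but never allocated */
    *out = p->timers[id];
    return 0;
}

/* A write operation that only proceeds once the lookup has been validated. */
int model_settime(struct model_proc *p, int id, long value)
{
    struct model_timer *t;
    int error = lookup_checked(p, id, &t);
    if (error != 0)
        return error;
    t->remaining = value;
    t->armed = (value != 0);
    return 0;
}

int main(void)
{
    struct model_timer t0 = { 0, 0 };
    struct model_proc p = { { NULL } };
    p.timers[3] = &t0;              /* constructed sample state */
    printf("id 3:  %d\n", model_settime(&p, 3, 100));
    printf("id -1: %d\n", model_settime(&p, -1, 100));
    printf("id 32: %d\n", model_settime(&p, MODEL_TIMER_MAX, 100));
    return 0;
}
```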
No workaround is available, but systems without untrusted local users are not vulnerable.
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or RELENG_7_0 security branch dated after the correction date.
For instructions on how to patch your system click here.