FreeBSD Security Advisory (mountd)

The FreeBSD Security Team has identified a security bug in mountd.

I. Background

The mountd(8) daemon services NFS mount requests from other client machines. When mountd is started, it loads the export host addresses and options into the kernel using the mount(2) system call.

II. Problem Description

While parsing the exports(5) table, a network mask in the form of “-network=netname/prefixlength” results in an incorrect network mask being computed if the prefix length is not a multiple of 8.

For example, specifying the ACL for an export as “-network” would result in a netmask of being used instead of the correct netmask of

III. Impact

When using a prefix length which is not a multiple of 8, access would be granted to the wrong client systems.
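As an added example (not mountd's code or the advisory's), a small C program that computes the mask for any prefix length with a single shift and checks whether a client falls inside a -network=net/prefixlen entry. The byte-rounded /16 mask used in main is a constructed illustration of the impact, not the actual defect in mountd.

```c
#include <stdint.h>
#include <stdio.h>

/* Dotted-quad IPv4 -> host-order integer, or -1 on malformed input. */
int64_t parse_ipv4(const char *s)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    return ((int64_t)a << 24) | (b << 16) | (c << 8) | d;
}

/* Netmask for a prefix length, or -1 if it exceeds 32. One 32-bit shift
 * covers every length, including the partial-byte cases (/20, /27, ...)
 * that the advisory says mountd got wrong. */
int64_t prefix_to_mask(unsigned prefixlen)
{
    if (prefixlen > 32)
        return -1;
    if (prefixlen == 0)             /* 0xFFFFFFFF << 32 would be undefined */
        return 0;
    return (int64_t)(0xFFFFFFFFu << (32 - prefixlen));
}

/* 1 if client_ip falls inside net_ip under the given mask, 0 if not,
 * -1 on a parse error or an invalid mask. */
int client_admitted(const char *net_ip, int64_t mask, const char *client_ip)
{
    int64_t net = parse_ipv4(net_ip), client = parse_ipv4(client_ip);
    if (net < 0 || client < 0 || mask < 0 || mask > 0xFFFFFFFF)
        return -1;
    return ((net ^ client) & mask) == 0;
}

int main(void)
{
    /* 192.168.16.1 is outside 192.168.0.0/20; a mask rounded down to whole
     * bytes (/16 here, a constructed illustration of the impact) lets it in. */
    const char *probe[] = { "192.168.15.1", "192.168.16.1" };
    for (int i = 0; i < 2; i++)
        printf("%s: /20 mask -> %d, byte-rounded /16 mask -> %d\n", probe[i],
               client_admitted("192.168.0.0", prefix_to_mask(20), probe[i]),
               client_admitted("192.168.0.0", prefix_to_mask(16), probe[i]));
    return 0;
}
```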

For a workaround and solution, check out the security advisory: FreeBSD Security Advisory (mountd)

FreeBSD Security Advisory (openssl)

The FreeBSD Security Team has identified a security bug in openssl:

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II. Problem Description

A race condition exists in the OpenSSL TLS server extension code parsing when used in a multi-threaded application, which uses OpenSSL’s internal caching mechanism. The race condition can lead to a buffer overflow.

A double free exists in the SSL client ECDH handling code, when processing specially crafted public keys with invalid prime numbers.

III. Impact

For affected server applications, an attacker may be able to utilize the buffer overflow to crash the application or potentially run arbitrary code with the privileges of the application.

It may be possible to cause a DoS or potentially execute arbitrary code in the context of the user connection to a malicious SSL server.

To find out more about the impact, a work-around and solution, check out the advisory page: FreeBSD Security Advisory (openssl)

FreeBSD Security Advisory (pseudofs)

The FreeBSD Security Team has identified a little bug in FreeBSD's pseudofs:

I. Background

pseudofs offers an abstract API for pseudo file systems which is utilized by procfs(5) and linprocfs(5). It provides generic file system services, such as ACLs and extended attributes, which interface with VFS and which are otherwise onerous to implement. This enables pseudo file system authors to add this functionality to their file systems with minimal effort.

II. Problem Description

The pfs_getextattr(9) function, used by pseudofs for handling extended attributes, attempts to unlock a mutex which was not previously locked.

To find out more about the impact, a work-around and solution, check out the advisory page:

FreeBSD Security Advisory (pseudofs)

FreeBSD Security Advisory (bzip2)

The FreeBSD Security Team has identified a little bug in FreeBSD: an integer overflow in bzip2 decompression.

I. Background

“The bzip2/bunzip2 utilities and the libbz2 library compress and decompress files using an algorithm based on the Burrows-Wheeler transform. They are generally slower than Lempel-Ziv compressors such as gzip, but usually provide a greater compression ratio.

II. Problem Description

When decompressing data, the run-length encoded values are not adequately sanity-checked, allowing for an integer overflow.

III. Impact

An attacker who can cause maliciously chosen inputs to be decompressed can cause the decompressor to crash. It is suspected that such an attacker can cause arbitrary code to be executed, but this is not known for certain.

Note that some utilities, including the tar archiver and the bspatch binary patching utility (used in portsnap and freebsd-update) decompress bzip2-compressed data internally; system administrators should assume that their systems will at some point decompress bzip2-compressed data even if they never explicitly invoke the bunzip2 utility.”

To avoid potential problems, you need to upgrade.
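Added example, not the bzip2 project's code: a decoder for the RUNA/RUNB run-length symbols that reproduces the 32-bit wrap-around when left unchecked and rejects over-long runs when checked. The RUN_N_LIMIT cap and the 'A'/'B' string inputs are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { RUNA = 0, RUNB = 1 };

/* Cap on the place value N (assumed here; a 900k bzip2 block never needs N near 2M). */
#define RUN_N_LIMIT (2u * 1024u * 1024u)

/* Decode a bzip2-style RUNA/RUNB sequence (bijective base-2: RUNA = 1, RUNB = 2,
 * digit i weighted by 2^i, the sum is the run length). The sum is kept in 32
 * bits starting at -1, as a 32-bit Int32 accumulator would be, so the unchecked
 * path reproduces the wrap the advisory describes; with `checked` set the run
 * is rejected once N reaches RUN_N_LIMIT. Returns 0 (length stored) or -1. */
int decode_run(const uint8_t *syms, size_t n, int checked, int64_t *len_out)
{
    uint32_t es = 0xFFFFFFFFu;          /* two's-complement -1 */
    uint32_t N = 1;
    for (size_t i = 0; i < n; i++) {
        if (checked && N >= RUN_N_LIMIT)
            return -1;                  /* too long to be legitimate */
        if (syms[i] == RUNA)
            es += 1 * N;
        else if (syms[i] == RUNB)
            es += 2 * N;
        else
            return -1;                  /* not a run symbol */
        N *= 2;                         /* next place value */
    }
    /* Reinterpret as Int32 (wraps on common ABIs), then undo the initial -1. */
    *len_out = (int64_t)(int32_t)es + 1;
    return 0;
}

/* Convenience: decode a string of 'A'/'B' characters (constructed input).
 * Returns the run length, or INT64_MIN if decode_run rejected it. */
int64_t decode_str(const char *s, int checked)
{
    uint8_t syms[64]; int64_t len; size_t n = 0;
    for (; s[n] != '\0' && n < sizeof syms; n++)
        syms[n] = s[n] == 'A' ? RUNA : s[n] == 'B' ? RUNB : 2;
    return decode_run(syms, n, checked, &len) == 0 ? len : INT64_MIN;
}

int main(void)
{
    const char *run = "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "B";   /* 31 RUNB */
    printf("unchecked: %lld\n", (long long)decode_str(run, 0));     /* -2 */
    printf("checked:   %s\n", decode_str(run, 1) == INT64_MIN ? "rejected" : "ok");
    return 0;
}
```

A negative run length is exactly the value a decompressor must never be handed; the checked path refuses the input before the accumulator can get there.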

FreeBSD Security Advisory (mbuf)

The FreeBSD Security Team has identified a little bug in FreeBSD where a lost mbuf flag can result in data loss.

“I. Background

An mbuf is a basic unit of memory management in the FreeBSD kernel inter-process communication and networking subsystem. Network packets and socket buffers are dependent on mbufs for their storage.

Data can be embedded directly in mbufs, or mbufs can instead reference external buffers. The sendfile(2) system call uses external mbuf storage to directly map the contents of a file into a chain of mbufs for transmission purposes. The mbuf object supports a read-only flag that must be honored to prevent modification or writes to buffer data in cases like these.

II. Problem Description

The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption.

III. Impact

This data corruption can be exploited by a local attacker to escalate their privilege by carefully controlling the corruption of system files. It should be noted that the attacker can corrupt any file they have read access to.”

For a workaround and steps to fix this, have a look at the announcement.

FreeBSD 7.2 EoL coming soon

On June 30th, FreeBSD 7.2 will reach its End of Life and will no longer be supported by the FreeBSD Security Team. Users of this release are strongly encouraged to upgrade to FreeBSD 7.3 before that date; FreeBSD 7.3 will be supported until the end of March 2012. Please note that since FreeBSD 7.1 has been designated for ‘Extended’ support, it will continue to be supported until the end of January 2011, i.e., FreeBSD 7.1 will be supported longer than FreeBSD 7.2.

The End of Life date for FreeBSD 7.2 was originally announced as May 31, but was delayed by one month in accordance with Security Team policy in order to allow a 3 month window between the release of FreeBSD 7.3 and the End of Life of FreeBSD 7.2 to allow time for systems to be upgraded.

The freebsd-update(8) utility can be used to upgrade i386 and amd64 systems from 7.2-RELEASE (or 7.2-RELEASE-pX for some X) to 7.3-RELEASE using binary updates (i.e., without compiling from source) as described in the 7.3-RELEASE announcement; given an adequate internet connection, this process usually takes 15 minutes or less.

More: FreeBSD 7.2 EoL coming soon

FreeBSD Errata: Deadlock in ULE scheduler

A problem has been identified with the FreeBSD 7 series ULE scheduler:

FreeBSD has two schedulers: the classic 4BSD scheduler and a newer, more SMP-aware scheduler called ULE. The 4BSD scheduler was the default scheduler until FreeBSD 7.0. Starting with FreeBSD 7.1 the default scheduler is ULE.

The scheduler is responsible for allocating CPU time to threads and assigning threads to CPUs. Runnable threads (i.e. threads which are not waiting for a blocking operation, such as an I/O operation, memory allocation or lock acquisition, to complete) are assigned to a CPU and placed in that CPU’s run queue. Each thread and each CPU’s run queue is protected by a separate lock.

II. Problem Description

When a thread is reassigned from one CPU to another, the scheduler first acquires the thread’s lock, then releases the source CPU’s run queue lock. The scheduler then acquires the target CPU’s run queue lock and holds the lock while it adds the thread to the queue and signals the target CPU. Finally it reacquires the source CPU’s run queue lock before unlocking the thread. A thread on the target CPU, having been notified of the reassigned thread’s arrival on the target CPU’s run queue, will then acquire the thread’s lock before switching it in.

Read the whole errata

For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit

FreeBSD 7.x & 8.x Root Exploit Patched!

A security bug in the latest version of FreeBSD can be exploited to grant unprivileged users complete control over the operating system, a German researcher discovered.

The flaw is present in FreeBSD 8.0 and is known to affect versions 7.1 and 7.2.

“A short time ago a “local root” exploit was posted to the full-disclosure mailing list; as the name suggests, this allows a local user to execute arbitrary code as root.

Normally it is the policy of the FreeBSD Security Team to not publicly discuss security issues until an advisory is ready, but in this case since exploit code is already widely available I want to make a patch available ASAP. Due to the short timeline, it is possible that this patch will not be the final version which is provided when an advisory is sent out; it is even possible (although highly doubtful) that this patch does not fully fix the issue or introduces new issues — in short, use at your own risk (even more than usual).” (source)

More information and the patch can be found here.

The run-time link-editor, rtld, links dynamic executables with their needed libraries at run-time. It also allows users to explicitly load libraries via various LD_ environment variables.

II. Problem Description

When running setuid programs rtld will normally remove potentially dangerous environment variables. Due to recent changes in FreeBSD environment variable handling code, a corrupt environment may result in attempts to unset environment variables failing.

III. Impact

An unprivileged user who can execute programs on a system can gain the privileges of any setuid program which he can run. On most system configurations, this will allow a local attacker to execute code as the root user.
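Added example, not rtld's own code: scrubbing LD_* variables by rewriting the environment array directly and verifying the result afterwards, so the outcome does not hinge on an unsetenv() call succeeding. The sample environment entries are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scrub an environment array in place: drop every entry naming an LD_*
 * variable and every malformed entry (no '=' at all, or an empty name).
 * Compacting the array ourselves means a setuid program never relies on
 * unsetenv() reporting success. Returns the number of entries removed. */
size_t scrub_env(char **envp)
{
    size_t in = 0, out = 0;
    for (; envp[in] != NULL; in++) {
        const char *eq = strchr(envp[in], '=');
        int malformed = (eq == NULL || eq == envp[in]);
        int dangerous = (strncmp(envp[in], "LD_", 3) == 0);
        if (!malformed && !dangerous)
            envp[out++] = envp[in];     /* keep: shifts entry down */
    }
    envp[out] = NULL;
    return in - out;
}

/* Post-condition: 1 if every entry is NAME=value with no LD_* name left,
 * else 0. A 0 after scrubbing is a reason to abort, not to continue. */
int env_is_clean(char *const *envp)
{
    for (; *envp != NULL; envp++) {
        const char *eq = strchr(*envp, '=');
        if (eq == NULL || eq == *envp || strncmp(*envp, "LD_", 3) == 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample environment, including two LD_ entries and two
     * malformed ones. */
    char *env[] = { "PATH=/bin", "LD_PRELOAD=/tmp/constructed.so", "HOME=/root",
                    "BROKEN", "LD_LIBRARY_PATH=/tmp", "=novalue", NULL };
    printf("clean before: %d\n", env_is_clean(env));
    size_t removed = scrub_env(env);
    printf("removed: %zu, clean after: %d\n", removed, env_is_clean(env));
    return 0;
}
```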