FreeBSD FIFO resource leak

Researchers Chitti Nimmagadda and Dorr H. Clark of Santa Clara University have discovered and reported a bug in usr/src/sys/fs/fifofs/fifo_vnops.c of the FreeBSD 8.0-STABLE release, as posted to the FreeBSD bugs mailing list.

We believe we have identified a significant resource leak present in 6.x, 7.x, and 8.x. We believe this is a regression versus FreeBSD 4.x which appears to do the Right Thing ™.

We have a test program (see below) which will run the system out of sockets by repeated exercise of the failing code path in the kernel.

Our proposed fix is applied to the file usr/src/sys/fs/fifofs/fifo_vnops.c

If you are interested in the FreeBSD code, have a look at the original bug report for more information.

FreeBSD Security Advisories (ntp, ipv6, pipe)

The FreeBSD Security Team has issued the following security warnings:

For background info, problem description, impact, workaround and solutions, have a look at the individual advisory pages.

FreeBSD Security Advisory (ktimer)

The FreeBSD Security Team has issued the following security warning:

FreeBSD-SA-09:06.ktimer – Local privilege escalation

I. Background

In FreeBSD 7.0, support was introduced for per-process timers as defined in the POSIX realtime extensions. This allows a process to have a limited number of timers running at once, with various actions taken when each timer reaches zero.

II. Problem Description

An integer which specifies which timer a process wishes to operate upon is not properly bounds-checked.

III. Impact

An unprivileged process can overwrite an arbitrary location in kernel memory. This could be used to change the user ID of the process (in order to “become root”), to escape from a jail, or to bypass security mechanisms in other ways.
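To illustrate the bug class behind this advisory, here is an added C model (not the FreeBSD kernel code, which the advisory does not reproduce) of a per-process timer table whose lookup checks only the upper bound of a signed timer id. TIMER_MAX, the struct layout and the assumption that the missing check was the lower bound are this example's own; the point it demonstrates is that a signed index tested on one side only lets a negative id select memory before the table, that the caller chooses how far before, and that testing both bounds (or comparing as unsigned) closes it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed table size and layout for this model; not the kernel's definitions. */
#define TIMER_MAX 32

struct itimer {
    int  armed;
    long interval_ns;
};

struct timer_table {
    struct itimer *slots[TIMER_MAX];   /* indexed by the timer id from userland */
};

/* The assumed broken shape: a signed id checked on the upper side only, so
 * every negative id passes and would index memory before slots[]. */
int timer_id_ok_broken(int id)
{
    return id < TIMER_MAX;
}

/* Hardened: both bounds tested explicitly. */
int timer_id_ok(int id)
{
    return id >= 0 && id < TIMER_MAX;
}

/* Equivalent one-comparison form: a negative int converts to a value far above
 * TIMER_MAX, so the single unsigned compare rejects it as well. */
int timer_id_ok_unsigned(int id)
{
    return (unsigned int)id < (unsigned int)TIMER_MAX;
}

/* Byte offset from the start of slots[] that a given id selects. Under the
 * broken check this is what an unprivileged caller would control. */
long long timer_slot_offset(int id)
{
    return (long long)id * (long long)sizeof(struct itimer *);
}

/* Lookup with the hardened check; returns NULL instead of touching memory
 * outside the table. */
struct itimer *timer_find(struct timer_table *t, int id)
{
    if (t == NULL || !timer_id_ok(id))
        return NULL;
    return t->slots[id];
}

/* Builds a one-entry table and reports whether timer_find() returns that entry. */
int timer_find_demo(int id)
{
    static struct itimer t0 = { 1, 1000000L };
    struct timer_table tab = { { &t0 } };   /* slot 0 set, the rest NULL */
    return timer_find(&tab, id) == &t0;
}

int main(void)
{
    int probes[] = { 0, TIMER_MAX - 1, TIMER_MAX, -1, INT_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int id = probes[i];
        printf("id=%11d  broken check=%d  fixed check=%d  offset=%lld bytes  found=%d\n",
               id, timer_id_ok_broken(id), timer_id_ok(id),
               timer_slot_offset(id), timer_find_demo(id));
    }
    return 0;
}
```

The offset column is the practitioner's takeaway: with the broken check, id -1 addresses the pointer-sized word immediately before the table and INT_MIN addresses memory gigabytes away, and whatever the timer code then reads or writes through that slot happens in kernel context.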

IV. Workaround

No workaround is available, but systems without untrusted local users are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or RELENG_7_0 security branch dated after the correction date.

For instructions on how to patch your system, click here.

FreeBSD Security Advisory (telnetd)

The FreeBSD Security Team has issued the following security warning:

FreeBSD-SA-09:05.telnetd – telnetd code execution vulnerability

I. Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the TELNET virtual terminal protocol. It has been disabled by default in FreeBSD since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is strongly recommended that the SSH protocol be used instead. The FreeBSD telnet daemon can be enabled via the /etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol allows a connecting client to specify environment variables which should be set in any created login session; this is used, for example, to specify terminal settings.

II. Problem Description

In order to prevent environment variable based attacks, telnetd(8) “scrubs” its environment; however, recent changes in FreeBSD’s environment-handling code rendered telnetd’s scrubbing inoperative, thereby allowing potentially harmful environment variables to be set.
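Here is an added C example (not telnetd's own scrubbing code, which the advisory does not show) of the design that does not fail silently in the way the advisory describes: instead of removing known-dangerous names from the inherited environment, the login session's environment is rebuilt from an allowlist and everything else is dropped. The allowlist and the sample client-supplied entries are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist of names a remote client may set in the login session;
 * telnetd's real list is not reproduced here. Values are copied as-is, only
 * the name decides. */
static const char *const allowed_names[] = { "TERM", "LANG", "DISPLAY", "PRINTER", NULL };

/* Length of the NAME part of a NAME=VALUE entry; 0 if there is no '=' or the
 * name is empty (both are malformed and must not reach the session). */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0;
    return (size_t)(eq - entry);
}

/* Allowlist check: exact name match, so "TERMX=" or "LD_PRELOAD=" fail closed.
 * A denylist (drop LD_*, IFS, ...) is what stops working unnoticed when the
 * environment code underneath it changes; a broken allowlist loses harmless
 * variables instead of admitting hostile ones. */
int env_entry_allowed(const char *entry)
{
    size_t n = env_name_len(entry);
    if (n == 0)
        return 0;
    for (const char *const *p = allowed_names; *p != NULL; p++)
        if (strlen(*p) == n && strncmp(*p, entry, n) == 0)
            return 1;
    return 0;
}

/* Build the session environment from scratch: copy only allowed entries from
 * the NULL-terminated in[] to out[], NULL-terminate out[], return the count.
 * out[] is what would be handed to execve() for the login process. */
size_t scrub_env(const char *const in[], const char *out[], size_t cap)
{
    size_t kept = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL && kept + 1 < cap; i++)
        if (env_entry_allowed(in[i]))
            out[kept++] = in[i];
    out[kept] = NULL;
    return kept;
}

/* Runs the scrub over a constructed client-supplied environment (the kind of
 * list the TELNET ENVIRON option lets a client send) and returns the count kept. */
size_t scrub_sample_count(void)
{
    const char *const client_env[] = {
        "TERM=xterm",
        "LD_PRELOAD=/tmp/evil.so",   /* would load attacker code into the login process */
        "PATH=/tmp:/bin",            /* not allowlisted: login sets its own PATH */
        "LANG=en_US.UTF-8",
        "=novalue",                  /* malformed: empty name */
        "NOEQUALS",                  /* malformed: no '=' */
        NULL
    };
    const char *clean[8];
    size_t n = scrub_env(client_env, clean, sizeof clean / sizeof clean[0]);
    for (size_t i = 0; clean[i] != NULL; i++)
        printf("  kept: %s\n", clean[i]);
    return n;
}

int main(void)
{
    printf("scrubbed session environment:\n");
    printf("%zu entries survive\n", scrub_sample_count());
    return 0;
}
```

Only TERM and LANG survive the sample; the scrubbed array, not the daemon's own environment, is what gets passed to the login program, so a change in how libc manages `environ` cannot reintroduce the rejected entries.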

For the workaround, solution, patch and so on, go here.

FreeBSD Security Advisories (openssl & lukemftpd)

The FreeBSD Security Team has issued two security warnings:


I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II. Problem Description

The EVP_VerifyFinal() function from OpenSSL is used to determine if a digital signature is valid. The SSL layer in OpenSSL uses EVP_VerifyFinal(), which in several places checks the return value incorrectly and treats verification errors as a good signature. This is only a problem for DSA and ECDSA keys.

III. Impact

For applications using OpenSSL for SSL connections, an invalid SSL certificate may be interpreted as valid. This could for example be used by an attacker to perform a man-in-the-middle attack.

Other applications which use the OpenSSL EVP API may similarly be affected.
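As an added example of the return-value mistake the advisory describes (this is not OpenSSL's code): EVP_VerifyFinal() returns 1 when the signature verifies, 0 when it does not, and a negative value when an error occurs, so a caller that tests for "non-zero" accepts an error as a good signature. The verify function below is a constructed stand-in so the program runs without libcrypto; the two checker functions are the buggy and the correct pattern.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* OpenSSL's EVP_VerifyFinal() contract: 1 = signature verified, 0 = signature
 * does not verify, negative = an error occurred (for example the signature
 * could not be decoded). The advisory is about callers that collapsed that
 * three-way result into "zero or non-zero". */
#define VERIFY_OK     1
#define VERIFY_BAD    0
#define VERIFY_ERROR (-1)

/* Constructed stand-in for EVP_VerifyFinal() so the example runs without
 * libcrypto. The "signature" is one length byte followed by the bytes that are
 * expected; a length byte that does not match the blob is a decoding error
 * (negative, like an undecodable DSA/ECDSA signature), a body mismatch is a
 * bad signature (0). */
int verify_final_stub(const unsigned char *sig, size_t siglen,
                      const unsigned char *expect, size_t expectlen)
{
    if (sig == NULL || siglen < 1 || (size_t)sig[0] != siglen - 1)
        return VERIFY_ERROR;
    if (siglen - 1 != expectlen || memcmp(sig + 1, expect, expectlen) != 0)
        return VERIFY_BAD;
    return VERIFY_OK;
}

/* The buggy pattern: any non-zero return counts as success, so a decoding
 * error (-1) is accepted as a valid signature. */
int signature_accepted_buggy(int rc)
{
    return rc != 0;
}

/* Correct: success is exactly 1; 0 and every negative value are rejected. */
int signature_accepted(int rc)
{
    return rc == 1;
}

/* Verdict for one (signature, expected) pair: 1 if the caller would accept it.
 * buggy=1 selects the non-zero test, buggy=0 the exact test. */
int caller_accepts(const unsigned char *sig, size_t siglen,
                   const unsigned char *expect, size_t expectlen, int buggy)
{
    int rc = verify_final_stub(sig, siglen, expect, expectlen);
    return buggy ? signature_accepted_buggy(rc) : signature_accepted(rc);
}

int main(void)
{
    const unsigned char good[]   = { 3, 'a', 'b', 'c' };   /* length 3, body abc */
    const unsigned char bad[]    = { 3, 'a', 'b', 'd' };   /* body mismatch */
    const unsigned char broken[] = { 9, 'a', 'b', 'c' };   /* length byte lies: decode error */
    const unsigned char expect[] = { 'a', 'b', 'c' };
    const unsigned char *sigs[] = { good, bad, broken };
    const char *names[] = { "good", "bad", "undecodable" };

    for (int i = 0; i < 3; i++) {
        int rc = verify_final_stub(sigs[i], 4, expect, 3);
        printf("%-12s rc=%2d  buggy check accepts=%d  correct check accepts=%d\n",
               names[i], rc, signature_accepted_buggy(rc), signature_accepted(rc));
    }
    return 0;
}
```

The undecodable case is the one that matters for a man-in-the-middle: an attacker who cannot forge a DSA or ECDSA signature does not need to, because a garbage signature that merely fails to decode already passes the buggy check.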

For the workaround, solution, patch and so on, go here.



I. Background

lukemftpd(8) is a general-purpose implementation of a File Transfer Protocol (FTP) server that is shipped with the FreeBSD base system. It is not enabled in default installations but can be enabled either as an inetd(8) server or as a standalone server.

A cross-site request forgery attack is a type of malicious exploit aimed mainly at web browsers: a user trusted by a site is tricked into visiting a specially crafted URL, which in turn causes a command to be executed that performs privileged operations on the victim site on behalf of the trusted user.

II. Problem Description

The lukemftpd(8) server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command.

III. Impact

This could, with a specifically crafted command, be used in a cross-site request forgery attack.

FreeBSD systems running the lukemftpd(8) server could act as a point of privilege escalation in an attack against users who use a web browser to access trusted FTP sites.
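Here is an added C model (not lukemftpd's code) of the "long command split into several requests" behaviour the Problem Description gives, with a hardened reader beside it. The buffer size, the input and the command names are constructed for the example. In the scenario the Impact section describes, the overlong line is what a browser would send on the victim's behalf after following a crafted URL, and the second command that the vulnerable reader produces is what the server would then execute as the logged-in user.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMDBUF  32   /* assumed, kept small so the sample fits; not the real server's size */
#define MAXCMDS 8

/* Constructed attacker input: a harmless command padded to exactly CMDBUF-1
 * bytes (14 + 17) so that a second, destructive command sits in the overflow
 * of the same line. */
const char attack_input[] =
    "USER anonymous" "AAAAA" "AAAAA" "AAAAA" "AA" "DELE important\r\n";

static void strip_cr(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\r')
        s[n - 1] = '\0';
}

/* Vulnerable shape: fill the buffer, hand it off as a command, keep reading.
 * The tail of an overlong line is then treated as the next command. */
size_t read_commands_vulnerable(const char *in, char out[][CMDBUF], size_t max)
{
    size_t n = 0;
    while (*in != '\0' && n < max) {
        size_t len = 0;
        while (*in != '\0' && *in != '\n' && len < CMDBUF - 1)
            out[n][len++] = *in++;
        out[n][len] = '\0';
        strip_cr(out[n]);
        if (*in == '\n')
            in++;            /* complete line consumed */
        n++;                 /* overlong line: its remainder becomes command n+1 */
    }
    return n;
}

/* Hardened: a line that does not fit is rejected as a whole; everything up to
 * the newline is discarded and never reaches the command dispatcher. */
size_t read_commands_fixed(const char *in, char out[][CMDBUF], size_t max, size_t *rejected)
{
    size_t n = 0;
    *rejected = 0;
    while (*in != '\0' && n < max) {
        const char *nl = strchr(in, '\n');
        size_t linelen = nl ? (size_t)(nl - in) : strlen(in);
        if (linelen >= CMDBUF) {
            (*rejected)++;
        } else {
            memcpy(out[n], in, linelen);
            out[n][linelen] = '\0';
            strip_cr(out[n]);
            n++;
        }
        in = nl ? nl + 1 : in + linelen;
    }
    return n;
}

/* Does a command beginning with `verb` reach the dispatcher? fixed=0 uses the
 * vulnerable reader, fixed=1 the hardened one. */
int verb_reaches_dispatcher(const char *input, const char *verb, int fixed)
{
    char cmds[MAXCMDS][CMDBUF];
    size_t rejected = 0;
    size_t n = fixed ? read_commands_fixed(input, cmds, MAXCMDS, &rejected)
                     : read_commands_vulnerable(input, cmds, MAXCMDS);
    for (size_t i = 0; i < n; i++)
        if (strncmp(cmds[i], verb, strlen(verb)) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char cmds[MAXCMDS][CMDBUF];
    size_t rejected, n;

    n = read_commands_vulnerable(attack_input, cmds, MAXCMDS);
    printf("vulnerable reader produced %zu commands:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  [%s]\n", cmds[i]);

    n = read_commands_fixed(attack_input, cmds, MAXCMDS, &rejected);
    printf("fixed reader produced %zu commands, rejected %zu overlong line(s)\n", n, rejected);
    return 0;
}
```

The vulnerable reader turns the single line into two commands, the second of which is "DELE important"; the hardened reader rejects the line outright, so neither the padded USER nor the hidden DELE is executed. Ordinary two-line input passes both readers unchanged.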

For the workaround, solution, patch and so on, go here.


For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit