[olug] Fw: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:03.jail

Brian Roberson roberson at olug.org
Fri Feb 27 19:09:59 UTC 2004


----- Original Message ----- 
From: "FreeBSD Security Advisories" <security-advisories at freebsd.org>
To: "FreeBSD Security Advisories" <security-advisories at freebsd.org>
Sent: Friday, February 27, 2004 12:32 PM
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:03.jail


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
============================================================================
=
> FreeBSD-SA-04:03.jail                                       Security
Advisory
>                                                           The FreeBSD
Project
>
> Topic:          Jailed processes can attach to other jails
>
> Category:       core
> Module:         kernel
> Announced:      2004-02-25
> Credits:        JAS Group (http://www.cs.mu.oz.au/jas/)
> Affects:        FreeBSD 5.1-RELEASE
>                 FreeBSD 5.2-RELEASE
> Corrected:      2004-02-19 23:26:39 UTC (RELENG_5_2, 5.2.1-RC2)
>                 2004-02-25 20:03:35 UTC (RELENG_5_1, 5.1-RELEASE-p14)
> CVE Name:       CAN-2004-0126
> FreeBSD only:   YES
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit
> <URL:http://www.freebsd.org/security/>.
>
> I.   Background
>
> The jail(2) system call allows a system administrator to lock up a
> process and all its descendants inside a closed environment with very
> limited ability to affect the system outside that environment, even
> for processes with superuser privileges.  It is an extension of, but
> far more stringent than, the traditional Unix chroot(2) system call.
>
> The jail_attach(2) system call, which was introduced in FreeBSD 5
> before 5.1-RELEASE, allows a non-jailed process to permanently move
> into an existing jail.
>
> II.  Problem Description
>
> A programming error has been found in the jail_attach(2) system call
> which affects the way that system call verifies the privilege
> level of the calling process.  Instead of failing immediately if the
> calling process was already jailed, the jail_attach(2) system call
> would fail only after changing the calling process's root directory.
>
> III. Impact
>
> A process with superuser privileges inside a jail could change its
> root directory to that of a different jail, and thus gain full read
> and write access to files and directories within the target jail.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Do one of the following:
>
> 1) Upgrade your vulnerable system to 5.2.1-RELEASE, or to the
> RELENG_5_2 or RELENG_5_1 security branch dated after the correction
> date.
>
> OR
>
> 2) Patch your present system:
>
> The following patch has been verified to apply to FreeBSD 5.1 and 5.2
> systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:03/jail.patch
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:03/jail.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - ------------------------------------------------------------------------
-
> RELENG_5_2
>   src/sys/kern/kern_jail.c                                       1.34.2.1
> RELENG_5_1
>   src/UPDATING                                                 1.251.2.16
>   src/sys/conf/newvers.sh                                       1.50.2.16
>   src/sys/kern/kern_jail.c                                       1.33.2.1
> - ------------------------------------------------------------------------
-
>
> VII. References
>
> <URL:http://www.cs.mu.oz.au/jas/>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (FreeBSD)
>
> iD8DBQFAP4xVFdaIBMps37IRArw1AJ9jNZIsJHYlKt+NEsOgp5cti/Cs+gCdFa0j
> 3cvPHMce6awUESculjC3Z/I=
> =LQo0
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to
"freebsd-announce-unsubscribe at freebsd.org"
>



More information about the OLUG mailing list