Technical discussion regarding security issues in NetBSD

NetBSD Security Officer | 2 Feb 2010 20:04

Picon

Updated: NetBSD Security Advisory 2010-001: File system module autoloading Denial of Service attack


		 NetBSD Security Advisory 2010-001
		 =================================

Topic:		File system module autoloading Denial of Service attack

Version:	NetBSD-current:		affected prior to 2009-12-19 20:28:27 UTC
		NetBSD 5.0.1:		not affected
		NetBSD 5.0:		not affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		not affected

Severity:	Local Denial of Service

Fixed:		NetBSD-current:		Dec 19, 2009

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A coding error in the NetBSD VFS code allows a local attacker to
crash the local system by passing a soon-to-be-unmapped pointer
as a file system name to the mount system call.

Technical Details
=================

When entering the mount_get_vfsops() function, the string "fstype",

(Continue reading)

NetBSD Security Officer | 2 Feb 2010 20:04

Picon

Updated: NetBSD Security Advisory 2010-002: OpenSSL TLS renegotiation man in the middle vulnerability


		 NetBSD Security Advisory 2010-002
		 =================================

Topic:		OpenSSL TLS renegotiation man in the middle vulnerability

Version:	NetBSD-current:		affected prior to 2009-12-04
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		affected
		NetBSD 4.0:		affected
		pkgsrc:			openssl package prior to 0.9.8l

Severity:	Information disclosure

Fixed:		NetBSD-current:		Dec 03, 2009
		NetBSD-5-0 branch:	Jan 12, 2010
		NetBSD-5 branch:	Jan 12, 2010
		NetBSD-4-0 branch:	Jan 12, 2010
		NetBSD-4 branch:	Jan 12, 2010
		pkgsrc 2009Q4:		openssl-0.9.8l corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

An error in the OpenSSL TLS session renegotiation allows a remote
attacker to intercept communication and conduct a Man-in-the-Middle
attack on TLS sessions.

(Continue reading)

NetBSD Security Officer | 3 Feb 2010 14:02

Picon

NetBSD Security Advisory 2010-003: azalia(4)/hdaudio(4) negative mixer index panic


		 NetBSD Security Advisory 2010-003
		 =================================

Topic:		azalia(4)/hdaudio(4) negative mixer index panic

Version:	NetBSD-current:		affected prior to 2010-01-21
		NetBSD 5.0.*:		affected
		NetBSD 5.0:		affected
		NetBSD 4.0.*:		affected
		NetBSD 4.0:		affected

Severity:	Local system crash

Fixed:		NetBSD-current:		Jan 21, 2010
		NetBSD-5-0 branch:	Jan 22, 2010
		NetBSD-5 branch:	Jan 22, 2010
		NetBSD-4-0 branch:	Jan 22, 2010
		NetBSD-4 branch:	Jan 22, 2010

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A signedness issue in the azalia(4) and hdaudio(4) drivers allows a
local attacker to cause a kernel panic.

Technical Details

(Continue reading)

David Holland | 15 Feb 2010 21:44

Picon

less's .lesshst misfeature

With the last update to less it (and more along with it) grew a
misfeature where it saves all the patterns you search for within files
to ~/.lesshst for future retrieval.

This is a security/privacy hazard; search strings are expected to be
transient and process-private, and writing them to disk creates the
potential for unwanted disclosures. Writing them to a network-mounted
home directory, meanwhile, can disclose everything the user is doing
to anyone who happens to be listening; this is highly undesirable.

This misfeature can only be disabled by setting an environment
variable, which is a poor method of configuration under the best of
circumstances and fails rather drastically for e.g. running
single-user.

I already patched the code a while back so that attempting to defeat
the feature by e.g. linking /root/.lesshst -> /dev/null no longer
trashes the system.

However, it's been suggested, and several people have concurred, that
it ought to be disabled by default. This is easy to do.

The cost of disabling it by default, however, is that the behavior
diverges from upstream. Are we willing to buy into this? I think we
should, at least for more if not for less.

--

-- 
David A. Holland
dholland <at> netbsd.org

(Continue reading)

Taylor R Campbell | 15 Feb 2010 22:09

Re: less's .lesshst misfeature

I was disappointed to discover the feature a couple of years ago, and
have always disabled it since then.  I am but a mere user of NetBSD,
but in case my opinion counts for anything, I should be happy to see
it disabled by default (and even happier to see it disabled upstream).

(I am not subscribed to these lists, so please cc me in replies.)

Jan Schaumann | 16 Feb 2010 03:39

Re: less's .lesshst misfeature

David Holland <dholland <at> netbsd.org> wrote:

> I already patched the code a while back so that attempting to defeat
> the feature by e.g. linking /root/.lesshst -> /dev/null no longer
> trashes the system.

This, btw, was one of the more obscure bugs I've encountered.  Figuring
out why /dev/null had mode 0700 (or similar) and the various things that
broke was so bizarre that when I found out it was related to the version
of less, I immediately declared that one of my favorite software bugs of
all times.

> However, it's been suggested, and several people have concurred, that
> it ought to be disabled by default. This is easy to do.
> 
> The cost of disabling it by default, however, is that the behavior
> diverges from upstream. Are we willing to buy into this? I think we
> should, at least for more if not for less.

I'd say: Disable it for both and raise the issue with upstream.

Thanks!

-Jan

Marc Balmer | 16 Feb 2010 12:46

Picon

Re: less's .lesshst misfeature

Am 15.02.10 21:44, schrieb David Holland:
> With the last update to less it (and more along with it) grew a
> misfeature where it saves all the patterns you search for within files
> to ~/.lesshst for future retrieval.
> 
> This is a security/privacy hazard; search strings are expected to be
> transient and process-private, and writing them to disk creates the
> potential for unwanted disclosures. Writing them to a network-mounted
> home directory, meanwhile, can disclose everything the user is doing
> to anyone who happens to be listening; this is highly undesirable.
> 
> This misfeature can only be disabled by setting an environment
> variable, which is a poor method of configuration under the best of
> circumstances and fails rather drastically for e.g. running
> single-user.
> 
> I already patched the code a while back so that attempting to defeat
> the feature by e.g. linking /root/.lesshst -> /dev/null no longer
> trashes the system.
> 
> However, it's been suggested, and several people have concurred, that
> it ought to be disabled by default. This is easy to do.
> 
> The cost of disabling it by default, however, is that the behavior
> diverges from upstream. Are we willing to buy into this? I think we
> should, at least for more if not for less.

I am all for your proposal.  Disable it.

(Continue reading)

Paul Goyette | 16 Feb 2010 19:26

Re: less's .lesshst misfeature

On Tue, 16 Feb 2010, Constantine A. Murenin wrote:

> I like my tcsh's searchable history, but for less and more, — I agree,
> it better be disabled.

I have to agree here.  Esppecially since tsch at least gives you a 
'history -c' command to clear the history (no remembering the name of 
the .file).

-------------------------------------------------------------------------
|   Paul Goyette   | PGP DSS Key fingerprint: |  E-mail addresses:      |
| Customer Service | FA29 0E3B 35AF E8AE 6651 |  paul at whooppee.com   |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |                          | pgoyette at netbsd.org  |
-------------------------------------------------------------------------

Greg Troxel | 26 Feb 2010 17:47

Picon

password change logging


NetBSD doesn't currently log successful password changes or unsuccessful
attempts to change passwords.  Sometimes IT rules require this, and it
seems to be of general interest when running a tight ship.  Password
changes are rare, so this is hardly log noise compared to every ssh
connection and login.

Richard Hansen (also of BBN) wrote the following patch.  I've compiled
it on netbsd-5 on several arches and tested on i386.  It applied to
current cleanly and built find for amd64.

I'd like to commit this.  Any objections or encouragement?

Index: usr.bin/passwd/local_passwd.c
===================================================================
RCS file: /cvsroot/src/usr.bin/passwd/local_passwd.c,v
retrieving revision 1.33
diff -u -p -r1.33 local_passwd.c
--- usr.bin/passwd/local_passwd.c	17 Apr 2009 20:25:08 -0000	1.33
+++ usr.bin/passwd/local_passwd.c	26 Feb 2010 16:41:04 -0000
 <at>  <at>  -53,6 +53,7  <at>  <at>  __RCSID("$NetBSD: local_passwd.c,v 1.33 
 #include <unistd.h>
 #include <util.h>
 #include <login_cap.h>
+#include <syslog.h>

 #include "extern.h"

 <at>  <at>  -72,6 +73,10  <at>  <at>  getnewpasswd(struct passwd *pw, int min_
 	    strcmp(crypt(getpass("Old password:"), pw->pw_passwd),

(Continue reading)

Christos Zoulas | 26 Feb 2010 17:54

Re: password change logging

In article <rmiaauw54he.fsf <at> fnord.ir.bbn.com>,
Greg Troxel  <gdt <at> ir.bbn.com> wrote:
>-=-=-=-=-=-
>
>
>NetBSD doesn't currently log successful password changes or unsuccessful
>attempts to change passwords.  Sometimes IT rules require this, and it
>seems to be of general interest when running a tight ship.  Password
>changes are rare, so this is hardly log noise compared to every ssh
>connection and login.
>
>Richard Hansen (also of BBN) wrote the following patch.  I've compiled
>it on netbsd-5 on several arches and tested on i386.  It applied to
>current cleanly and built find for amd64.
>
>I'd like to commit this.  Any objections or encouragement?

I like this a lot!

christos

Group

gmane.os.netbsd.devel.security.

Search Archive

Page

1 | 2

Articles in period: 11

February 2010

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

[GSoC 2013] Implement file system flags to scrub data blocks before de (30 Apr 2013)
regarding project to"Implement file system flags to scrub data blocks (14 Apr 2013)
Google Summer of Code 2013. (13 Apr 2013)
OpenCrypto swcrypto(4) enhancements (10 Apr 2013)
NetBSD Security Advisory 2013-003: RNG Bug May Result in Weak Cryptogr (30 Mar 2013)
ECDSA and key leaks due to RNG problems. (25 Mar 2013)
Updated NetBSD Security Advisory 2013-003: RNG Bug May Result in Weak (7 Mar 2013)
NetBSD Security Advisory 2013-003: Pseudo-Random bits weaker than expe (27 Feb 2013)
NetBSD Security Advisory 2013-004: Vulnerabilities in grep (27 Feb 2013)
NetBSD Security Advisory 2013-002: kqueue related kernel panic trigger (27 Feb 2013)
You have (1) new ecard! (26 Feb 2013)
You have (1) new ecard! (8 Feb 2013)
Invitation to Bid - Jared #2528 - Evansville, IN (30 Jan 2013)
Notice of Addendum #: 1 - Oregon Park District (29 Jan 2013)
Invitation to Bid - Spencer Gifts #205 - St. Clair Square (29 Jan 2013)
NetBSD Security Advisory 2013-001: kernel panic triggered from userlan (29 Jan 2013)
Your Blue Book Network Project Leads ( MREF#188430675 ) (27 Jan 2013)
� Last day to save on our website presence package (25 Jan 2013)
Analyst Report: Understanding Responsive Design (25 Jan 2013)
Your Blue Book Network Project Leads ( MREF#188213540 ) (24 Jan 2013)
Invitation to Bid - Fuzzy's Taco (24 Jan 2013)

Archives

2	May 2013
6	April 2013
3	March 2013
6	February 2013
16	January 2013
6	December 2012
28	November 2012
6	October 2012
4	September 2012
2	August 2012
20	July 2012
12	June 2012
4	May 2012
4	April 2012
10	March 2012
16	December 2011
2	November 2011
2	October 2011
1	September 2011
7	August 2011
1	July 2011
3	June 2011
1	May 2011
16	April 2011
2	March 2011
3	February 2011
3	January 2011
2	December 2010
13	November 2010
9	October 2010
10	September 2010
3	August 2010
4	July 2010
1	June 2010
9	April 2010
1	March 2010
11	February 2010
7	January 2010
10	December 2009
2	November 2009
1	October 2009
1	August 2009
12	July 2009
11	June 2009
8	May 2009
7	April 2009
38	March 2009
10	February 2009
19	January 2009
3	December 2008
16	November 2008
11	October 2008
2	September 2008
17	August 2008
18	July 2008
14	June 2008
16	May 2008
6	April 2008
7	March 2008
7	February 2008
37	January 2008
27	December 2007
12	November 2007
12	October 2007
3	September 2007
11	August 2007
12	July 2007
50	June 2007
7	May 2007
2	April 2007
12	March 2007
73	February 2007
32	January 2007
55	December 2006
61	November 2006
28	October 2006
37	September 2006
71	August 2006
18	July 2006
8	June 2006
6	May 2006
22	April 2006
97	March 2006
59	February 2006
111	January 2006
45	December 2005
45	November 2005
41	October 2005
54	September 2005
113	August 2005
107	July 2005
46	June 2005
27	May 2005
87	April 2005
163	March 2005
21	February 2005
30	January 2005
9	December 2004
73	November 2004
10	October 2004
4	September 2004
8	August 2004
62	June 2004
85	May 2004
35	April 2004
28	March 2004
15	February 2004
12	December 2003
21	November 2003
23	October 2003
246	September 2003
27	August 2003
16	July 2003
58	June 2003
22	May 2003
20	April 2003
36	March 2003
3	February 2003
31	January 2003
27	December 2002
56	November 2002
179	October 2002
67	September 2002
87	August 2002
92	July 2002
143	June 2002
87	May 2002
75	April 2002
1	March 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template