svn commit: r41519 - in head/share: security/advisories security/patches/SA-13:05 xml
Dag-Erling Smørgrav
des at FreeBSD.org
Mon Apr 29 20:53:59 UTC 2013
Author: des
Date: Mon Apr 29 20:53:58 2013
New Revision: 41519
URL: http://svnweb.freebsd.org/changeset/doc/41519
Log:
Fix a bug that allows NFS clients to issue READDIR on files.
PR: kern/178016
Security: CVE-2013-3266
Security: FreeBSD-SA-13:05.nfsserver
Approved by: so
Added:
head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc (contents, props changed)
head/share/security/patches/SA-13:05/
head/share/security/patches/SA-13:05/nfsserver.patch (contents, props changed)
head/share/security/patches/SA-13:05/nfsserver.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc Mon Apr 29 20:53:58 2013 (r41519)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:05.nfsserver Security Advisory
+ The FreeBSD Project
+
+Topic: Insufficient input validation in the NFS server
+
+Category: core
+Module: nfsserver
+Announced: 2013-04-29
+Credits: Adam Nowacki
+Affects: All supported versions of FreeBSD.
+Corrected: 2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
+ 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
+ 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
+ 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
+ 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
+ 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
+CVE Name: CVE-2013-3266
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+The Network File System (NFS) allows a host to export some or all of its
+file systems so that other hosts can access them over the network and mount
+them as if they were on local disks. FreeBSD includes server and client
+implementations of NFS.
+
+FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
+NFSv2 and NFSv3 implementation and a new implementation which also
+supports NFSv4.
+
+FreeBSD 9.0 and onward uses the new NFS implementation by default.
+
+II. Problem Description
+
+When processing READDIR requests, the NFS server does not check that
+it is in fact operating on a directory node. An attacker can use a
+specially modified NFS client to submit a READDIR request on a file,
+causing the underlying filesystem to interpret that file as a
+directory.
+
+III. Impact
+
+The exact consequences of an attack depend on the amount of input
+validation in the underlying filesystem:
+
+ - If the file resides on a UFS filesystem on a little-endian server,
+ an attacker can cause random heap corruption with completely
+ unpredictable consequences.
+
+ - If the file resides on a ZFS filesystem, an attacker can write
+ arbitrary data on the stack. It is believed, but has not been
+ confirmed, that this can be exploited to run arbitrary code in
+ kernel context.
+
+Other filesystems may also be vulnerable.
+
+IV. Workaround
+
+Systems that do not provide NFS service are not vulnerable. Neither
+are systems that do but use the old NFS implementation, which is the
+default in FreeBSD 8.x.
+
+To determine which implementation an NFS server is running, run the
+following command:
+
+# kldstat -v | grep -cw nfsd
+
+This will print 1 if the system is running the new NFS implementation,
+and 0 otherwise.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
+# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
+# gpg --verify nfsserver.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r250058
+releng/8.3/ r250059
+releng/8.4/ r250062
+stable/9/ r250060
+releng/9.1/ r250061
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc
+-----BEGIN PGP SIGNATURE-----
+
+iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q
+9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ
+=polM
+-----END PGP SIGNATURE-----
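Review bot: The two fetch URLs in Solution step 2a point at patches/SA-03:15/, but this commit adds the patch and its signature under patches/SA-13:05/, so a reader following the advisory as written will not retrieve nfsserver.patch for this issue. Suggest changing both lines to use http://security.FreeBSD.org/patches/SA-13:05/ as the base path. Because the advisory is clearsigned, the file has to be re-signed after the text is corrected.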
Added: head/share/security/patches/SA-13:05/nfsserver.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-13:05/nfsserver.patch Mon Apr 29 20:53:58 2013 (r41519)
@@ -0,0 +1,13 @@
+Index: sys/fs/nfsserver/nfs_nfsdport.c
+===================================================================
+--- sys/fs/nfsserver/nfs_nfsdport.c (revision 249651)
++++ sys/fs/nfsserver/nfs_nfsdport.c (working copy)
+@@ -1568,6 +1568,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd, int isdg
+ nd->nd_repstat = NFSERR_BAD_COOKIE;
+ #endif
+ }
++ if (!nd->nd_repstat && vp->v_type != VDIR)
++ nd->nd_repstat = NFSERR_NOTDIR;
+ if (nd->nd_repstat == 0 && cnt == 0) {
+ if (nd->nd_flag & ND_NFSV2)
+ /* NFSv2 does not have NFSERR_TOOSMALL */
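Review bot: The added test `if (!nd->nd_repstat && vp->v_type != VDIR)` checks the status with `!nd->nd_repstat`, while the context line directly below it uses `nd->nd_repstat == 0`; writing the new condition with the explicit `== 0` comparison would keep the two adjacent checks consistent. A one-line comment above the check saying why the vnode type is validated here (per the advisory, without it the underlying filesystem interprets a file as a directory) would also help, since the fix is security-relevant and the reason is not obvious from the two lines alone.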
Added: head/share/security/patches/SA-13:05/nfsserver.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-13:05/nfsserver.patch.asc Mon Apr 29 20:53:58 2013 (r41519)
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iEYEABECAAYFAlF+1+sACgkQFdaIBMps37J22ACeM6TTZjh94AhbnwqTaCfcMjnO
+F74AnAiX1rUC1Zvo3XU42efklaBo6F1g
+=yQwz
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Mon Apr 29 16:02:00 2013 (r41518)
+++ head/share/xml/advisories.xml Mon Apr 29 20:53:58 2013 (r41519)
@@ -14,6 +14,14 @@
<name>2</name>
<advisory>
+ <name>FreeBSD-SA-13:05.bind</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-13:04.bind</name>
+ </advisory>
+
+ <advisory>
<name>FreeBSD-SA-13:04.bind</name>
</advisory>
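Review bot: The first added entry is named FreeBSD-SA-13:05.bind, but the advisory added by this commit is FreeBSD-SA-13:05.nfsserver, so the index would reference an advisory file that this commit does not add. The second added entry, FreeBSD-SA-13:04.bind, duplicates the entry already present in the unchanged context lines right below it. Suggest adding a single entry with `<name>FreeBSD-SA-13:05.nfsserver</name>` and dropping the repeated 13:04 block.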