-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

   ESB-2001.120 -- FreeBSD Security Advisory FreeBSD-SA-01:30.ufs-ext2fs
               UFS/EXT2FS allows disclosure of deleted data
                               27 March 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                ufs/ext2fs
Vendor:                 FreeBSD
Operating System:       FreeBSD
                        BSD
                        Linux
Impact:                 Access Privileged Data
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:30                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          UFS/EXT2FS allows disclosure of deleted data

Category:       kernel
Module:         ufs/ext2fs
Announced:      2001-03-22
Credits:        Sven Berkvens <sven@berkvens.net>, Marc Olzheim <zlo@zlo.nu>
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2000-12-22 (FreeBSD 3.5-STABLE)
                2000-12-22 (FreeBSD 4.2-STABLE)
FreeBSD only:   NO

I.   Background

UFS is the Unix File System, used by default on FreeBSD systems and
many other UNIX variants.  EXT2FS is a filesystem used by default on
many Linux systems, which is also available on FreeBSD.

II.  Problem Description

There exists a data consistency race condition which allows users to
obtain access to areas of the filesystem containing data from deleted
files.  The filesystem code is supposed to ensure that all filesystem
blocks are zeroed before becoming available to user processes, but in
a certain specific case this zeroing does not occur, and unzeroed
blocks are passed to the user with their previous contents intact.
Thus, if the block contains data which used to be part of a file or
directory to which the user did not have access, the operation results
in unauthorized access of data.

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem.  This problem is not specific to FreeBSD systems and is
believed to exist on many filesystems.

This problem was corrected prior to the forthcoming release of FreeBSD
4.3.

III. Impact

Unprivileged users may obtain access to data which was part of deleted
files.

IV.  Workaround

None appropriate.

V.   Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

To patch your present system: download the relevant patch from the
location below, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:30/fs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:30/fs.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply against FreeBSD 3.5.1-RELEASE,
FreeBSD 4.1.1-RELEASE and FreeBSD 4.2-RELEASE.  It may or may not
apply to older, unsupported releases.

# cd /usr/src
# patch -p < /path/to/patch

Rebuild and reinstall your kernel as described in the FreeBSD handbook
at the following URL:

  http://www.freebsd.org/handbook/kernelconfig.html

and reboot for the changes to take effect.
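
The verify and patch steps above as one fail-closed script; this is an
added example, not part of the FreeBSD advisory. The signer fingerprint
is a placeholder (the advisory does not list one), the function names are
hypothetical, and -p0 is assumed equivalent to the advisory's bare -p.

```shell
#!/bin/sh
# Apply fs.patch only if its detached signature was made by one pinned key.
# A bare "gpg --verify" succeeds for a good signature from ANY key in the
# keyring, so the signer fingerprint is checked explicitly.

# Placeholder: set to the signing key fingerprint obtained out of band
# (uppercase hex, no spaces, as gpg prints it on the VALIDSIG status line).
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"
GPG="${GPG:-gpg}"

# signer_ok STATUS_TEXT FPR
# Succeeds only if gpg's machine-readable status contains a VALIDSIG line
# for FPR and no BADSIG/ERRSIG line.
signer_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == want { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_patch PATCH SIG
verify_patch() {
    status=$("$GPG" --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    signer_ok "$status" "$EXPECTED_FPR"
}

# apply_verified SRCDIR PATCH SIG   (PATCH must be an absolute path)
apply_verified() {
    if ! verify_patch "$2" "$3"; then
        echo "signature check failed; not patching" >&2
        return 1
    fi
    # -p0: assumed equivalent to the bare -p used in the advisory.
    (cd "$1" && patch -p0 < "$2")
}

# Usage, after fetching both files as shown in the advisory:
#   apply_verified /usr/src /path/to/fs.patch /path/to/fs.patch.asc
```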
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

- -----END PGP SIGNATURE-----


- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----