-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2005.0866 -- UNIRAS Brief 907/05
                               NetBSD 2.0.3
                              2 November 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           NetBSD 2.0.3
Publisher:         UNIRAS
Operating System:  NetBSD
Impact:            Denial of Service
                   Modify Arbitrary Files
                   Reduced Security
Access:            Existing Account
CVE Names:         CAN-2005-2969 CAN-2005-2495 CAN-2005-0753
                   CAN-2005-0469 CAN-2005-0468

- --------------------------BEGIN INCLUDED TEXT--------------------

- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 907/05 dated 01.11.05 Time: 14:10
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

NetBSD 2.0.3

Detail
======

The NetBSD Project is pleased to announce that update 2.0.3 of the NetBSD
operating system is now available as a source only update.

About NetBSD 2.0.3
- ------------------

NetBSD 2.0.3 is the third security/critical update of the NetBSD 2.0 release
branch. This represents a selected subset of fixes deemed critical in nature
for stability or security reasons.

All fixes in security/critical updates (ie, NetBSD 2.0.2, 2.0.3, etc) are
cumulative, so this latest update contains all such fixes since the NetBSD 2.0
release. These fixes will also appear in future releases (NetBSD 2.1, 2.2,
etc), together with other less-critical fixes and feature enhancements.

Complete source for NetBSD 2.0.3 is available for download at many sites
around the world. A list of download sites providing FTP, AnonCVS, SUP, and
other services is provided at the end of this announcement; the latest list of
available download sites may also be found at:

   http://www.NetBSD.org/mirrors/

About NetBSD
- ------------

The NetBSD operating system is a full-featured, open source, UNIX-like
operating system descended from the Berkeley Networking Release 2 (Net/2),
4.4BSD-Lite, and 4.4BSD-Lite2. NetBSD runs on 54 different system
architectures featuring 17 machine architectures across 17 distinct CPU
families, and is being ported to more. NetBSD is a highly integrated system.
In addition to its highly portable, high performance kernel, NetBSD features a
complete set of user utilities, compilers for several languages, the X Window
System, firewall software and numerous other tools, all accompanied by full
source code. The NetBSD Packages Collection contains over 5000 packages and
binary package releases for a number of platforms are currently in progress.

More information on the goals of the NetBSD Project can be procured from the
NetBSD web site at:

   http://www.NetBSD.org/Goals/

NetBSD is free. All of the code is under non-restrictive licenses, and may be
used without paying royalties to anyone. Free support services are available
via our mailing lists and web site. Commercial support is available from a
variety of sources; some are listed at:

   http://www.NetBSD.org/gallery/consultants.html

More extensive information on NetBSD is available from the NetBSD web site:

   http://www.NetBSD.org/

NetBSD is the work of a diverse group of people spread around the world. The
`Net' in our name is a tribute to the Internet, which enables us to
communicate and share code, and without which the project would not exist.

Major Changes Between 2.0.2 and 2.0.3
- -----------------------------------

The detailed list of changes can be found in the CHANGES-2.0.3 files in the
top level doc directory of the NetBSD 2.0.3 source tree. A summary list of
changes is as follows:

Kernel

   o Drop the big lock in upcallret() on powerpc to prevent hangs with pthreads on SMP systems.
   o Fix "sleep forever" issue raised on sparc64 systems.
   o For powerpc don't enable interrupts while calling trap() if the trapping frame didn't have them enabled either. Prevents crashes on some G4 based systems.
   o Prevent random panics on process exit where calls to knote_fdclose() were being done on incorrect file descriptors.
   o Remove code assuming kernfs supports mmap as it does not.
   o Prevent a panic where disk interrupts could be enabled while the ATACH_TH_RUN flag is still set.
   o In pmap_enter(), preset the mod/ref bits based on the flags argument to avoid possible data loss.
   o Make sure buffer sizes are initialized correctly even when the pause state is explicitly set. Avoids crashes on some audio hardware.
   o Fix memory leak in uipc_usrreq calls.
   o Make PCI cards work on NetBSD-macppc systems with a "Grackle" bridge.
   o Avoid deadlocks in the alpha pmap code between pmap_activate() and its use of sched_lock.
   o Protect the ipsec ioctls from negative offsets to prevent panics in m_copydata().
   o The maximum file size on MS-DOS filesystems is 4 GB - 1 byte, so don't bother trying to write files bigger than this. Just return EFBIG to caller, rather than panic()ing later.
   o Range check calls correctly in freebsd compat code to prevent data corruption and possible crashes.
   o Handle MMX faults as floating exceptions. Matlab is fully functional again.

Networking

   o Prevent panics where it was possible to end up with a negative RTT.
   o When adding or deleting multicast addresses, only change the address filter if the interface is marked RUNNING.
   o Fix the HPC1 transmit logic on sgimips which was previously not working.
   o Make sure to purge prefixes from the ND list or else panics can result.
   o Avoid an optimization in m_pulldown to avoid a prepend to the next mbuf in the chain if the result would still not have all data contiguous. Prevents panics under certain circumstances.
   o Prevent a panic on sun3 where NULL could be de-referenced in the case of #if NBPFILTER == 0
   o Fix a possible data/pool corruption in the icmp6 code where possibly free'd data is reused.

File system

   o Fix a silent truncation problem that could cause corruption with large FFSv1 file systems.
   o In ext2 check that we are not the pagedaemon as getblk() can return NULL in this case.

Security

   o Fix buffer overflows in telnet(1) identified in CAN 2005-0468 and 2005-0469.
   o Make verified exec functional again by using UIO_SYSSPACE for NDINIT.
   o Prevent possible buffer overruns in telnetd(8) by removing static local variables so it's easier to correctly use strlcpy.
   o Prevent buffer overflows in cvs(1) by updating to version 1.11.20 in response to CAN-2005-0753.
   o IPsec-AH was always calculated using the same key in AES-XCBC-MAC.
   o Return correct error on all zero length codes in libz.
   o Prevent vulnerability in cvs(1) reported in SA16553.
   o Simplify code in procfs to check for a negative uio_offset at the beginning and check for attempts to write to init sooner and in all cases.
   o Don't allow negative offsets when reading the message buffer, because it can allow reading arbitrary kernel memory.
   o Remove unsafe /tmp file creation for the file.0 target when using imake(1)
   o Fix security hole in Xserver(1) reported in CAN-2005-2495.
   o Fix openssl 2.0 rollback, CAN-2005-2969.

System administration and user tools

   o Install xdm scripts as executable so that xdm will function and not consume 100% cpu.
   o In user(8) be consistent when deleting a non-existent group - tell if the group is non-existent.
   o Correctly set LOGNAME in new environment when using su(1)
   o In amd(8) embed machine and cpu architecture correctly from target host environment, not from build host.
   o Fix bug in sh(1) on big endian systems where underflowing a buffer when evaluating output from a back tick substitution can cause a crash.

Miscellaneous

   o Update copyright to 2005.
   o Update to tzdata2005n. Lots of fixes, including most recently the leap second at the end of 2005 and the U.S. DST changes taking effect in 2007.
   o Add support for ffsv2 to amd64 boot floppies.

Please note that at the moment, sysinst will not assist you in installing
pre-built third-party binary packages or the pkgsrc system itself. See the
NetBSD packages collection documentation:

   http://www.NetBSD.org/Documentation/software/packages.html

Acknowledgments
- ---------------

The NetBSD Foundation would like to thank all those who have contributed code,
hardware, documentation, funds, colocation for our servers, web pages and
other documentation, release engineering, and other resources over the years.
More information on the people who make NetBSD happen is available at:

   http://www.NetBSD.org/People/

We would like to especially thank the University of California at Berkeley and
the GNU Project for particularly large subsets of code that we use. We would
also like to thank the Internet Software Consortium and the Helsinki
University of Technology for current colocation services.

About the NetBSD Foundation
- ---------------------------

The NetBSD Foundation was chartered in 1995, with the task of overseeing core
NetBSD project services, promoting the project within industry and the open
source community, and holding intellectual property rights on much of the
NetBSD code base. Day-to-day operations of the project are handled by
volunteers.

As a non-profit organisation with no commercial backing, The NetBSD Foundation
depends on donations from its users, and we would like to ask you to consider
making a donation to the NetBSD Foundation in support of continuing production
of our fine operating system. Donations can be done via PayPal
(paypal@NetBSD.org) and are fully tax-deductible in the US. If you would
prefer not to use PayPal, or would like to make other arrangements, please
contact <finance-exec@NetBSD.org>.

NetBSD mirror sites
- -------------------

Please use a mirror site close to you.

   * FTP - http://www.NetBSD.org/mirrors/#ftp
   * Anonymous CVS - http://www.NetBSD.org/mirrors/#anoncvs
   * SUP - http://www.NetBSD.org/mirrors/#sup
   * CVSup - http://www.NetBSD.org/mirrors/#cvsup

- ----------------------------------------------------------------------------------
- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of NetBSD for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------

This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory from the
canonical site to ensure that you receive the most current information
concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall also accept responsibility for any errors or
omissions contained within this briefing notice.
In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within
this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident prevention,
to prompt rapid reaction to incidents, and to promote information sharing
amongst its members and the community at large.
- ----------------------------------------------------------------------------------

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQ2g7JCh9+71yA2DNAQLtggP/SaKYNRPs9S0PrkHKt4Bm0UDKfYj7IUDj
Zn579iP5tP6cTadD8mxYDmPIDzKV1ZFoGSFVpWLTYi6tlCn09jtepBV3QZNelyf3
wsimB4DsyloH065+lN6SW2gi6z4/84y48UcJ5mDJfxthg960f58d1Py/Q6YtGqb4
wLpnuDqphAo=
=Qwxs
-----END PGP SIGNATURE-----