FreeBSD Security Advisory 1/30/2003

alpha

Verified User
Joined
Dec 21, 2003
Messages
30
Just a heads up for those of you who run FreeBSD 5.1-RELEASE or 5.2-RELEASE:

Topic: _ _ _ _ _mksnap_ffs clears file system options

Category: _ _ _ core
Module: _ _ _ _ mksnap_ffs
Announced: _ _ _2004-01-30
Credits: _ _ _ _Kimura Fuyuki <[email protected]>
_ _ _ _ _ _ _ _ Wiktor Niesiobedzki <[email protected]>
Affects: _ _ _ _FreeBSD 5.1-RELEASE
_ _ _ _ _ _ _ _ FreeBSD 5.2-RELEASE
Corrected: _ _ _2004-01-27 19:33:16 UTC (RELENG_5_1, 5.1-RELEASE-p12)
_ _ _ _ _ _ _ _ 2004-01-29 22:54:31 UTC (RELENG_5_2, 5.2-RELEASE-p1)
CVE Name: _ _ _ CAN-2004-0099
FreeBSD only: _ YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. _ Background

Mounted filesystems can have a variety of flags set on them. _Some
flags affect performance and reliability, while others enable or
disable particular security-related features such as the ability to
execute a binary stored on the filesystem or the use of access control
lists to complement normal Unix file permissions.

The mksnap_ffs(8) command creates a `snapshot' of a filesystem. _A
`snapshot' is a static representation of the state of the filesystem
at a particular point in time. _Snapshots have a variety of uses,
but their primary purpose is to make it possible to run fsck(8) and
dump(8) on live filesystems.

II. _Problem Description

The kernel interface for creating a snapshot of a filesystem is the
same as that for changing the flags on that filesystem. _Due to an
oversight, the mksnap_ffs(8) command called that interface with only
the snapshot flag set, causing all other flags to be reset to the
default value.

III. Impact

A regularly scheduled backup of a live filesystem, or any other
process that uses the mksnap_ffs(8) command (for instance, to provide
a rough undelete functionality on a file server), will clear any flags
in effect on the filesystem being snapshot. _Possible consequences
depend on local usage, but can include disabling extended access
control lists or enabling the use of setuid executables stored on an
untrusted filesystem.

The mksnap_ffs(8) command is normally only available to the superuser
and members of the `operator' group. _There is therefore no risk
of a user gaining elevated privileges directly through use of the
mksnap_ffs(8) command unless it has been intentionally made available
to unprivileged users.

IV. _Workaround

Do not use the mksnap_ffs(8) command, nor the -L option of the dump(8)
command.

It is recommended that you delete the mksnap_ffs(8) command from your
system to prevent accidental use:

# rm /sbin/mksnap_ffs

V. _ Solution

Do one of the following:

1) Upgrade your vulnerable system to the RELENG_5_1 or RELENG_5_2
security branch dated after the correction date.

NOTE WELL: Due to release engineering in progress at the time of this
_ _ _ _ _ _writing, the RELENG_5_2 security branch (5.2-RELEASE-p1)
_ _ _ _ _ _also includes numerous other critical bug fixes, most of
_ _ _ _ _ _which are not security related. _Please read src/UPDATING
_ _ _ _ _ _for details on these changes.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.1 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:01/mksnap_ffs_5_1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:01/mksnap_ffs_5_1.patch.asc

[FreeBSD 5.2 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:01/mksnap_ffs_5_2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:01/mksnap_ffs_5_2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch <_/path/to/patch
# cd /usr/src/sbin/mksnap_ffs
# make obj &&_make depend &&_make &&_make install

You are strongly encouraged to verify that all your filesystems have
the correct flags set. _The mount(8) command can list currently mounted
filesystems and flags. _Run the following command as root:

# mount

VI. _Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Revision
_ Path
- -------------------------------------------------------------------------
RELENG_5_1
_ src/sbin/mksnap_ffs/mksnap_ffs.c _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _1.2.2.1
_ src/sys/conf/newvers.sh _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 1.50.2.14
RELENG_5_2
_ src/sbin/mksnap_ffs/mksnap_ffs.c _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _1.5.2.1
_ src/sys/conf/newvers.sh _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _1.56.2.3
 
Back
Top