FreeBSD セキュリティ勧告 FreeBSD-SA-10:04.jail

山椒魚 (2010年5月29日 20:03) | コメント(0)

5月27日付で、FreeBSDコミュニティからセキュリティ勧告が出ました。

対象は FreeBSD 8.x 系です。

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


=============================================================================

FreeBSD-SA-10:04.jail                                       Security Advisory

                                                          The FreeBSD Project



Topic:          Insufficient environment sanitization in jail(8)



Category:       core

Module:         jail

Announced:      2010-05-27

Credits:        Aaron D. Gifford

Affects:        FreeBSD 8.0

Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)

                2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)

CVE Name:       CVE-2010-2022



For general information regarding FreeBSD Security Advisories,

including descriptions of the fields above, security branches, and the

following sections, please visit <URL:http://security.FreeBSD.org/>.



I.   Background



The jail(2) system call allows a system administrator to lock a process

and all of its descendants inside an environment with a very limited

ability to affect the system outside that environment, even for

processes with superuser privileges.  It is an extension of, but

far more powerful than, the traditional UNIX chroot(2) system call.



By design, neither the chroot(2) nor the jail(2) system call modify

existing open file descriptors of the calling process, in order to

allow programmers to make fine grained access control and privilege

separation.



The jail(8) utility creates a new jail or modifies an existing jail,

optionally imprisoning the current process (and future descendants)

inside it.



II.  Problem Description



The jail(8) utility does not change the current working directory while

imprisoning.  The current working directory can be accessed by its

descendants.



III. Impact



Access to arbitrary files may be possible if an attacker managed to obtain

the descriptor of the current working directory before the jail call.

Such descriptor would be inherited by all descendants of the first process

that starts the jail, unless an intermediate process changes the current

working directory inside the jail.



By default, the FreeBSD /etc/rc.d/jail script, which can be enabled

using the jail_* rc.conf(5) variables, is not affected by this issue.

This is due to the default jail flags ("-l -U root") used to start a

jail as these flags will result in jail(8) performing a chdir(2) call.

If the rc.conf(5) variables jail_flags or jail__flags has been

set, and do not include '-l -U root', the jails are affected by the

vulnerability.



IV.  Workaround



Include the "-l -U root" arguments to the jail(8) command when

starting the jail.



V.   Solution



Perform one of the following:



1) Upgrade your vulnerable system to 8-STABLE, or to the RELENG_8_0

security branch dated after the correction date.



2) To update your vulnerable system via a source code patch:



The following patches have been verified to apply to FreeBSD 8.0 systems.



a) Download the relevant patch from the location below, and verify the

detached PGP signature using your PGP utility.



# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch

# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch.asc



b) Execute the following commands as root:



# cd /usr/src

# patch < /path/to/patch

# cd /usr/src/usr.sbin/jail

# make obj && make depend && make && make install



3) To update your vulnerable system via a binary patch:



Systems running 8.0-RELEASE on the i386 or amd64 platforms can be

updated via the freebsd-update(8) utility:



# freebsd-update fetch

# freebsd-update install



VI.  Correction details



The following list contains the revision numbers of each file that was

corrected in FreeBSD.



CVS:



Branch                                                           Revision

  Path

- -------------------------------------------------------------------------

RELENG_8

  src/usr.sbin/jail/jail.c                                       1.33.2.2

RELENG_8_0

  src/UPDATING                                              1.632.2.7.2.6

  src/sys/conf/newvers.sh                                    1.83.2.6.2.6

  src/usr.sbin/jail/jail.c                                   1.33.2.1.2.2

- -------------------------------------------------------------------------



Subversion:



Branch/path                                                      Revision

- -------------------------------------------------------------------------

stable/8/                                                         r208586

releng/8.0/                                                       r208586

- -------------------------------------------------------------------------



VII. References



http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2022



The latest revision of this advisory is available at

http://security.FreeBSD.org/advisories/FreeBSD-SA-10:04.jail.asc

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.10 (FreeBSD)



iEYEARECAAYFAkv95RAACgkQFdaIBMps37ImPgCfRS7pcslVSb89JluACMlg8ZBa

PmAAn0jq693qHOXK+Z2ljpQdc+EpTTja

=9o7h

-----END PGP SIGNATURE-----

_______________________________________________



http://lists.freebsd.org/mailman/listinfo/freebsd-announce

カテゴリ:

タグ:

コメントする

検索

このブログ記事について

このページは、山椒魚が2010年5月29日 20:03に書いたブログ記事です。

ひとつ前のブログ記事は「portupgradeでapache-2.2.15_9に更新できない」です。

次のブログ記事は「FreeBSD セキュリティ勧告 FreeBSD-SA-10:05.opie」です。

最近のコンテンツはインデックスページで見られます。過去に書かれたものはアーカイブのページで見られます。

おすすめサイト

おすすめ

サーバ/OS技術書

技術書一般

  • 長沢工:天体の位置計算 増補版

    長沢工:天体の位置計算 増補版

    天体の視位置を計算する「位置天文学」の入門書。ロングセラー。刊行が古いために、具体的計算に使われている星表等の定数は、1984年以前の計算システムによるものである。しかし、現在、新刊で入手可能な同種の書籍は限られており、天体位置計算の考え方が変った訳ではないので、現在でも充分に役立つだろう。

コミック

刊行新巻
既刊

カテゴリ

月別 アーカイブ