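Taking advantage of the days off before reporting to my new company, I made a trip to Yuan Ze University in Taoyuan
to look at the yzim84 website, which has been unreachable ever since the reboot after the last FreeBSD arp sa patch
Yuan Ze Building 1 is about the same as ever, though the newly built one next to it is really ugly, keeping up the consistent style of Yuan Ze's architecture :p
I looked at the machine, and after spending some time testing the hardware and software, I felt the urge to throw the whole machine away
So many problems: after swapping the network card, sometimes the network comes up at boot and sometimes it doesn't; one moment it beeps as if the RAM isn't seated properly, though I never touched the RAM, and the next moment it's a RAM test fail @_@
In the end I gave up; leave it like this for now. At least the data is all still there, no problem
I bought this while wandering around outside this afternoon. I flipped through it a bit and the translation is good. Although it is based on 4.5, most of it still applies to 5.X. The main point is that it is quite a lot cheaper than the original-language edition XD
The original costs about a thousand-plus, while the Chinese edition is only six hundred-plus and can still be discounted
Some of the basic concepts are explained in quite a lot of detail, although I haven't read the original edition
Friends interested in getting into FreeBSD can buy it and have a look. When I was flipping through this one, next to it was an updated edition of another book I bought back when I first started. Comparing them, there really is a bit of a gap, and the prices are about the same, although that book is now thrown in a corner and I haven't touched it in a long time
The part of the book on compiling the kernel is a bit dated; for 5.X the procedure is somewhat different, but the concepts are roughly the same
Today I spent some time switching both FreeBSD and Debian to gdm login and installing gnome2
FreeBSD: cd /usr/ports/x11/gnome2/; make install clean
There's a lot of stuff, so it takes a while
One thing to watch out for: on 5.1 release, a bug in OpenPAM prevents logging in through gdm normally, so upgrade to current :p
After installation, just copy gdm.sh.sample in /usr/X11R6/etc/rc.d/ to gdm.sh
Add the following directly to /etc/profile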
export LC_ALL=zh_TW.Big5
export LANG=zh_TW.Big5
export XMODIFIERS="@im=xcin"
exec /usr/X11R6/bin/xcin2.5 &
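After a reboot you can log in directly with gdm and xcin starts automatically. The approach is a bit dirty :p
Debian unstable: apt-get install gnome
In /etc/gdm/locale.conf, change the following line to this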
Chinese(Taiwan_R.O.C.) zh_TW.Big5
Add to /etc/gdm/Sessions/Gnome
export LC_ALL=zh_TW.Big5
export LANG=zh_TW.Big5
export XMODIFIERS="@im=xcin"
exec /usr/bin/xcin &
Add to /etc/init.d/gdm
export LANG=zh_TW.Big5
/etc/init.d/gdm restart
Likewise a somewhat dirty approach, based on chihchun's method :p
enjoy it
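Today I saw that the daily cvsup of RELENG_5_1 had an update, so I went ahead and applied it. But when I got home from work I found the NAT service at home was down @_@
I hooked a monitor up to the server and found an error message on the console saying there is a record for 192.168.1.2 in /etc/hosts, but that IP could not be found through arp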
Sep 25 19:08:40 damon kernel: arplookup 192.168.1.2 failed: host is not on local network
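After logging in, I edited /etc/hosts directly, removed everything except the IPs used by the local NICs, and rebooted, and finally everything was back to normal. It might be a bug in this patch, or it might not
The weird thing is, why would the kernel do an arplookup?
I don't know either, don't ask me XD
Today I used a bit of my time off to get kdm installed
There are a few small problems though; they may be bugs, or may not
Changing the button style works, but changing the colors used does not
Chinese fonts cannot be selected in the font list
Otherwise there's no problem; just cp the .xinitrc that works properly with Chinese KDE to .xsession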
export LC_ALL=zh_TW.Big5
export LANG=zh_TW.Big5
export XMODIFIERS="@im=xcin"
exec xcin &
exec startkde
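This is my config file; .xinitrc and .xsession are identical
When choosing the session, select default, so that the settings in .xsession are read properly
As an aside, having looked at both gdm and kdm, I still think gdm is more eye candy, and its theme support is more complete and convenient, but some parts need manual adjustment, which is a bit of a hassle, so I still chose the simple kdm
Friends who use gdm can refer to chihchun's article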
https://wiki.debian.org.tw/index.php?page=gdm
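Taking advantage of the install fest, I rebuilt the machine once more, and I might as well write down some short notes
Install the system, again via network install, choosing ext3, with 20g partitioned into / (400mb), /var (1g), /home (1g), swap (1xx), /usr (the rest)
After installing woody, upgrade straight to unstable
In /etc/apt/sources.list, change every mention of stable to unstable
apt-get update; apt-get dist-upgrade
Switch kernels. Oddly, the apm module of the 2.4.22 for k7 kernel image cannot be modprobed, so switch to a version without the problem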
apt-get install kernel-image-2.4.21-5-k7
Add initrd=initrd.img to /etc/lilo.conf
cd /;lilo -v -v -v;reboot
adduser damon audio
apt-get install x-window-system locales ttf-arphic* xcin xfonts-intl-chinese mozilla-firebird gaim xchat ssh rxvt-ml rcconf xine-ui openoffice.org openoffice.org-l10n-zh-tw openoffice.org-help-zh-tw
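After installation, use rcconf to remove all services not needed at boot
Stop unneeded services with /etc/init.d/xxxx stop
In /etc/apt/sources.list, remove all the official entries and replace them with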
deb https://snapshot.debian.net/archive/2003/08/11/debian unstable main contrib non-free
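For the date part, just try until you find one where apt-get install kde runs directly; change it as you like
After apt-get install kde finishes, change /etc/apt/sources.list back to the official entries
apt-get update; apt-get upgrade to pick up the kde-related things updated after 2003/08/11
apt-get install kde-i18n-zhtw to install Chinese for kde
Edit the .xinitrc of the account you normally use
and the .bashxxxx files of root and of the account you normally use, so that directory and file colors take effect, then log in again
startx, done
If locales did not generate the locale you want, edit /etc/locale.gen by hand and run it again
Thanks today to BBNS, who despite a cold still worked hard teaching the install fest attendees m(_._)m
This afternoon the Hsinchu sky was a little cloudy and very windy. Riding along, carrying a heavy pc to NCTU, it seems I should buy a nb; hauling a pc back and forth like this is a killer ~_~
The NCTU network is really fast, as expected of a gb based network; installing things with apt-get is super fast, reaching 2xx kb
Although only about ten-odd people attended, there were still several very interested attendees. Thanks to everyone for taking part :)
When leaving NCTU I even saw a rainbow A_Ay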
FreeBSD has formally announced a security advisory entitled "OpenSSH buffer management error" for the now famous OpenSSH advisory (OpenSSH has released a new version 3.7.1 to address this). Everyone is urged to patch their OS, details provided below. NetBSD has issued a similar advisory and fix for this issue (see NetBSD emails below). NetBSD has released two additional security advisories entitled "Kernel memory disclosure via ibcs2" and "Insufficient argument checking in sysctl(2)".
From "FreeBSD Security Advisories"
Subject [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Date Tue, September 16, 2003 12:17 pm
To "FreeBSD Security Advisories"
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-03:12                                            Security Advisory
                                                                FreeBSD, Inc.
Topic:          OpenSSH buffer management error
Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2003-09-16
Credits:        The OpenSSH Project
Affects:        All FreeBSD releases after 4.0-RELEASE
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_1
                openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
                2003-09-16 16:27:57 UTC (RELENG_5_1)
                2003-09-16 17:34:32 UTC (RELENG_5_0)
                2003-09-16 16:24:02 UTC (RELENG_4_8)
                2003-09-16 16:45:16 UTC (RELENG_4_7)
                2003-09-16 17:44:15 UTC (RELENG_4_6)
                2003-09-16 17:45:23 UTC (RELENG_4_5)
                2003-09-16 17:46:02 UTC (RELENG_4_4)
                2003-09-16 17:46:37 UTC (RELENG_4_3)
                2003-09-16 12:43:09 UTC (ports/security/openssh)
                2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE:            CAN-2003-0693
FreeBSD only:   NO
I. Background
OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.
II. Problem Description
When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management attempts
to reallocate a larger buffer. During this process, the recorded size
of the buffer is increased. The new size is then range checked. If
the range check fails, then fatal() is called to cleanup and exit.
In some cases, the cleanup code will attempt to zero and free the
buffer that just had its recorded size (but not actual allocation)
increased. As a result, memory outside of the allocated buffer will
be overwritten with NUL bytes.
III. Impact
A remote attacker can cause OpenSSH to crash. The bug is not believed
to be exploitable for code execution on FreeBSD.
IV. Workaround
Do one of the following:
1) Disable the base system sshd by executing the following command as
root:
# kill `cat /var/run/sshd.pid`
Be sure that sshd is not restarted when the system is restarted
by adding the following line to the end of /etc/rc.conf:
sshd_enable="NO"
AND
Deinstall the openssh or openssh-portable ports if you have one of
them installed.
V. Solution
Do one of the following:
[For OpenSSH included in the base system]
1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after
the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or
4.7-RELEASE-p15, respectively).
2) FreeBSD systems prior to the correction date:
The following patches have been verified to apply to FreeBSD 4.x and
FreeBSD 5.x systems prior to the correction date.
Download the appropriate patch and detached PGP signature from the following
locations, and verify the signature using your PGP utility.
[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C.../buffer45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C...fer45.patch.asc
[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C.../buffer46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C...fer46.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
[For the OpenSSH ports]
One of the following:
1) Upgrade your entire ports collection and rebuild the OpenSSH port.
2) Deinstall the old package and install a new package obtained from
the following directory:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/p...table/security/
[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.
3) Download a new port skeleton for the openssh or openssh-portable
port from:
https://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/p...ortcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/p...ortcheckout.tgz
Be sure to restart `sshd' after updating.
# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.
Branch                                                  Revision
  Path
- -------------------------------------------------------------------------
[Base system]
RELENG_4
  src/crypto/openssh/buffer.c                           1.1.1.1.2.5
  src/crypto/openssh/version.h                          1.1.1.1.2.11
RELENG_5_1
  src/UPDATING                                          1.251.2.4
  src/crypto/openssh/buffer.c                           1.1.1.6.4.1
  src/crypto/openssh/version.h                          1.20.2.1
  src/sys/conf/newvers.sh                               1.50.2.5
RELENG_5_0
  src/UPDATING                                          1.229.2.18
  src/crypto/openssh/buffer.c                           1.1.1.6.2.1
  src/crypto/openssh/version.h                          1.18.2.1
  src/sys/conf/newvers.sh                               1.48.2.13
RELENG_4_8
  src/UPDATING                                          1.73.2.80.2.7
  src/crypto/openssh/buffer.c                           1.1.1.1.2.4.4.1
  src/crypto/openssh/version.h                          1.1.1.1.2.10.2.1
  src/sys/conf/newvers.sh                               1.44.2.29.2.6
RELENG_4_7
  src/UPDATING                                          1.73.2.74.2.18
  src/crypto/openssh/buffer.c                           1.1.1.1.2.4.2.1
  src/crypto/openssh/version.h                          1.1.1.1.2.9.2.1
  src/sys/conf/newvers.sh                               1.44.2.26.2.17
RELENG_4_6
  src/UPDATING                                          1.73.2.68.2.46
  src/crypto/openssh/buffer.c                           1.1.1.1.2.3.4.2
  src/crypto/openssh/version.h                          1.1.1.1.2.8.2.2
  src/sys/conf/newvers.sh                               1.44.2.23.2.35
RELENG_4_5
  src/UPDATING                                          1.73.2.50.2.47
  src/crypto/openssh/buffer.c                           1.1.1.1.2.3.2.1
  src/crypto/openssh/version.h                          1.1.1.1.2.7.2.2
  src/sys/conf/newvers.sh                               1.44.2.20.2.31
RELENG_4_4
  src/UPDATING                                          1.73.2.43.2.48
  src/crypto/openssh/buffer.c                           1.1.1.1.2.2.4.1
  src/crypto/openssh/version.h                          1.1.1.1.2.5.2.3
  src/sys/conf/newvers.sh                               1.44.2.17.2.39
RELENG_4_3
  src/UPDATING                                          1.73.2.28.2.35
  src/crypto/openssh/buffer.c                           1.1.1.1.2.2.2.1
  src/crypto/openssh/version.h                          1.1.1.1.2.4.2.3
  src/sys/conf/newvers.sh                               1.44.2.14.2.25
[Ports]
  ports/security/openssh-portable/Makefile              1.73
  ports/security/openssh-portable/files/patch-buffer.c  1.1
  ports/security/openssh/Makefile                       1.120
  ports/security/openssh/files/patch-buffer.c           1.1
- -------------------------------------------------------------------------
Branch Version string
- -------------------------------------------------------------------------
HEAD OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916
RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916
RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916
RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916
RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916
- -------------------------------------------------------------------------
To view the version string of the OpenSSH server, execute the
following command:
% /usr/sbin/sshd -\?
The version string is also displayed when a client connects to the
server.
To view the version string of the OpenSSH client, execute the
following command:
% /usr/bin/ssh -V
VII. References
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0693 to this issue.
==========================
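Added example, not part of the advisory and not OpenSSH's code: a simplified C model of the ordering problem from section II of the FreeBSD advisory above, next to the corrected ordering. The struct, the function names and the BUF_MAX and BUF_INITIAL values are assumptions made for the illustration; the cleanup zeroes only memory that is really allocated and reports how far a real memset would have run past the block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAX 4096u      /* constructed limit for this model */
#define BUF_INITIAL 64u    /* constructed starting allocation */

struct buf {
    unsigned char *data;
    size_t alloc;   /* recorded size: what cleanup believes is allocated */
    size_t real;    /* bytes really allocated (model-only bookkeeping) */
    size_t end;     /* bytes in use */
};

/* Cleanup as reached from the fatal path: zero `alloc` bytes, then free.
 * To stay memory-safe the model zeroes only what is really allocated and
 * returns how many bytes past the block a real memset would have cleared. */
static size_t buf_cleanup(struct buf *b)
{
    size_t overrun = b->alloc > b->real ? b->alloc - b->real : 0;
    memset(b->data, 0, b->alloc - overrun);
    free(b->data);
    b->data = NULL;
    return overrun;
}

/* Flawed ordering: the recorded size grows before the range check. */
static int append_flawed(struct buf *b, size_t len, size_t *overrun)
{
    *overrun = 0;
    if (len <= b->alloc - b->end) { b->end += len; return 0; }
    b->alloc += len;                    /* recorded size already changed */
    if (b->alloc > BUF_MAX) {           /* range check fails ... */
        *overrun = buf_cleanup(b);      /* ... and cleanup trusts alloc */
        return -1;
    }
    unsigned char *p = realloc(b->data, b->alloc);
    if (p == NULL) { *overrun = buf_cleanup(b); return -1; }
    b->data = p;
    b->real = b->alloc;
    b->end += len;
    return 0;
}

/* Corrected ordering: check the candidate size, record it only on success. */
static int append_fixed(struct buf *b, size_t len, size_t *overrun)
{
    *overrun = 0;
    if (len <= b->alloc - b->end) { b->end += len; return 0; }
    if (len > BUF_MAX - b->alloc) {     /* overflow-safe range check first */
        *overrun = buf_cleanup(b);      /* alloc still matches the block */
        return -1;
    }
    size_t newlen = b->alloc + len;
    unsigned char *p = realloc(b->data, newlen);
    if (p == NULL) { *overrun = buf_cleanup(b); return -1; }
    b->data = p;
    b->alloc = b->real = newlen;
    b->end += len;
    return 0;
}

/* Feed one packet of packet_len bytes into a fresh buffer and return the
 * number of bytes cleanup would have zeroed outside the allocation. */
static size_t overrun_for_packet(int use_fixed, size_t packet_len)
{
    struct buf b = { malloc(BUF_INITIAL), BUF_INITIAL, BUF_INITIAL, 0 };
    size_t overrun = 0;
    int rc;
    if (b.data == NULL) return (size_t)-1;
    rc = use_fixed ? append_fixed(&b, packet_len, &overrun)
                   : append_flawed(&b, packet_len, &overrun);
    if (rc == 0) buf_cleanup(&b);       /* normal teardown */
    return overrun;
}

int main(void)
{
    printf("flawed: %zu, fixed: %zu bytes zeroed out of bounds\n",
           overrun_for_packet(0, BUF_MAX), overrun_for_packet(1, BUF_MAX));
    return 0;
}
```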
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2003-012
=================================
Topic:          Out of bounds memset(0) in sshd
Version:        NetBSD-current: source prior to September 17, 2003
                NetBSD 1.6.1:   affected
                NetBSD 1.6:     affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected
                pkgsrc:         packages prior to 3.7.1
Severity:       Unknown - Rumours speculate remote root exploitability
Fixed:          NetBSD-current:    September 17, 2003
                NetBSD-1.6 branch: September 17, 2003 (1.6.2 will include the fix)
                NetBSD-1.5 branch: September 17, 2003 (1.5.4 will include the fix)
                pkgsrc:            openssh-3.7.1 corrects this issue
Abstract
========
A buffer overwrite with unknown consequences has been found in OpenSSH.
No evidence to support remote root exploitability has been provided by
any source.
The ssh daemon does not run by default in a NetBSD installation, but is
often enabled by administrators for convenience of remote
administration.
Changes are still being committed to the OpenSSH source distribution. We
will continue to update this advisory as new information becomes
available. Currently, we expect that more patches are likely, so if you
are maintaining a large number of machines, use the workarounds
discussed below if appropriate, and be prepared for further updates.
The NetBSD Project will make binary patchsets available when builds have
completed. This advisory will be updated with details when they are
available.
Technical Details
=================
In NetBSD installations where OpenSSH 3.2.1 and later are used -
including the base system installations of NetBSD-1.6 and later, the
privilege separation feature of OpenSSH is enabled by default. In the
case of this buffer issue, privilege separation may prevent exploitation
of these buffer problems, and this advisory will be updated once any
exploits are demonstrated, whether successfully or not.
Regardless of privilege separation being enabled, this buffer issue
occurs in the child process of sshd, and so any over-zero'd buffer will
not crash the parent service, and will not deny ssh connectivity to the
machine. If the over-zeroing is exploitable, the attacker could of
course shut down the ssh daemon manually.
There is a lot of commotion over this buffer issue. Individuals have
mentioned an increased occurrence of port scans searching for open sshd
services. Since hard facts are not available yet, individuals
will have to decide whether to believe the rumours, and apply patches to
protect against this possible issue, or to use workarounds provided
below, where appropriate, and await further information.
https://www.openssh.com/txt/buffer.adv
https://xforce.iss.net/xforce/alerts/id/144
Solutions and Workarounds
=========================
Workaround: Disable sshd.
If not required, and alternate means of administration, such as consoles
or serial consoles are available, disabling sshd may be acceptable.
Confirm that sshd is running. It is usually configured to start by the
presence of a line in /etc/rc.conf, such as:
sshd=YES
Stop any currently running daemon, with
/etc/rc.d/sshd stop
OR - for a pkgsrc installation:
/usr/pkg/etc/rc.d/sshd stop
Change YES to NO in /etc/rc.conf
Workaround: Constrain hosts which can connect to sshd.
In order to overflow this buffer, a client must be able to connect to
the sshd in question. As a workaround, the tcp wrapper functionality
included in all NetBSD installations of OpenSSH can be used to restrict
connections to a limited list of source IPs.
As an example, populating /etc/hosts.allow with:
sshd : 192.168.1.1
And /etc/hosts.deny with:
sshd : ALL
Will result in only allowing connections from the (RFC 1918, private
network) IP address 192.168.1.1.
Host names may also be used in the hosts.allow file. Lists are comma
separated, as explained in the hosts_access(5) manpage. Review the
manpage hosts_access(5) for further details. If you use hostnames, it
may also be desirable to specify hosts.deny as 'sshd : ALL, PARANOID',
to require the forward and reverse DNS lookups to correspond. This
provides protection in cases where the host you are allowing access from
is on a remote network outside your control, and you wish to protect
against hijacked nameservers.
Another workaround is to prevent network access to only trusted
systems via a perimeter router or firewall, or using IPFilter on the
host itself.
Solution:
The following instructions describe how to upgrade your OpenSSH
binaries by updating your source tree and rebuilding and
installing a new version.
* NetBSD-current:
Systems running NetBSD-current dated from before 2003-09-16
should be upgraded to NetBSD-current dated 2003-09-17 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/crypto/dist/ssh
To update from CVS, re-build, and re-install ssh related
binaries:
# cd src
# cvs update -d -P crypto/dist/ssh
# cd usr.bin/ssh
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.6, 1.6.1:
The binary distribution of NetBSD 1.6 and 1.6.1 are vulnerable.
Systems running NetBSD 1.6 sources dated from before 2003-09-16
should be upgraded from NetBSD 1.6 sources dated 2003-09-17 or
later.
NetBSD 1.6.2 will include the fix.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
src/crypto/dist/ssh
To update from CVS, re-build, and re-install ssh related
binaries:
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/ssh
# cd usr.bin/ssh
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The binary distribution of NetBSD 1.5 to 1.5.3 are vulnerable.
Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2003-09-16 should be upgraded from NetBSD 1.5.*
sources dated 2003-09-17 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
src/crypto/dist/ssh
To update from CVS, re-build, and re-install ssh related
binaries:
# cd src
# cvs update -d -P -r netbsd-1-5 crypto/dist/ssh
# cd usr.bin/ssh
# make cleandir dependall
# make install
Thanks To
=========
Christos Zoulas for the fix to NetBSD-current, Grant Beattie for
pullups to NetBSD release branches.
The Full-Disclosure rumour mill.
Revision History
================
2003-09-17 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/sec...003-012.txt.asc
Information about NetBSD and NetBSD security can be found at
https://www.NetBSD.org/ and https://www.NetBSD.org/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-012.txt,v 1.9 2003/09/17 03:26:25 david Exp $
===============
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2003-013
=================================
Topic:          Kernel memory disclosure via ibcs2
Version:        NetBSD-current: source prior to August 7, 2002
                NetBSD 1.6.1:   not affected
                NetBSD 1.6:     not affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected
Severity:
Fixed:          NetBSD-current:    August 7, 2002
                NetBSD-1.6 branch: not affected
                NetBSD-1.5 branch: August 28, 2002
Abstract
========
The iBCS2 system call translator for statfs(2) erroneously used the
user-supplied length parameter when copying a kernel data structure
into userland. If the length parameter were larger than required,
then instead of copying only the statfs-related data structure,
additional kernel memory would also be made available to the user.
Technical Details
=================
If iBCS2 support were enabled, a malicious user could call the iBCS2
version of statfs(2) with an arbitrarily large length parameter,
causing the kernel to return a large portion of kernel memory. Such
memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way. For example, a terminal buffer might include a user-entered
password.
iBCS2 support is only present on i386/vax GENERIC kernel.
Solutions and Workarounds
=========================
If your kernel configuration file does not contain COMPAT_IBCS2,
your system is not affected.
The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and
installing a new version of kernel.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-06
should be upgraded to NetBSD-current dated 2002-08-07 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
src/sys/compat/ibcs2/ibcs2_stat.c
However, because the date of the point fix is way too old, we'd suggest
you to update the whole kernel. The following instruction is for
updating the whole kernel.
To update from CVS, re-build, and re-install the kernel and reboot:
# cd src
# cvs update -d -P sys
# cd sys/ARCH/conf
# config KERNELCONF
# cd ../../compile/KERNELCONF
# make depend; make
# cp netbsd /
# reboot
* NetBSD 1.6, 1.6.1:
The binary distribution of NetBSD 1.6 and 1.6.1 are NOT vulnerable.
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The binary distribution of NetBSD 1.5 to 1.5.3 are vulnerable.
Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2003-08-27 should be upgraded from NetBSD 1.5.*
sources dated 2003-08-28 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
src/sys/compat/ibcs2/ibcs2_stat.c
To update from CVS, re-build, and re-install the kernel and reboot:
# cd src
# cvs update -d -P -r netbsd-1-5 sys/compat/ibcs2/ibcs2_stat.c
# cd sys/ARCH/conf
# config KERNELCONF
# cd ../../compile/KERNELCONF
# make depend; make
# cp netbsd /
# reboot
Alternatively, apply the following patch (with potential offset
differences):
ftp://ftp.NetBSD.org/pub/NetBSD/sec...013-ibcs2.patch
To patch, re-build and re-install re-install the kernel and reboot:
# cd src/sys/compat/ibcs2
# patch < /path/to/SA2003-013-ibcs2.patch
# make cleandir dependall
# make install
Thanks To
=========
Some of the text are derived from FreeBSD security advisory
FreeBSD-SA-03:10.ibcs2.
The problem in ibcs2_stat.c was pointed out by silvio@qualys.com.
Revision History
================
2003-09-17 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/sec...003-013.txt.asc
Information about NetBSD and NetBSD security can be found at
https://www.NetBSD.org/ and https://www.NetBSD.org/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-013.txt,v 1.4 2003/09/17 02:47:19 david Exp $
=============
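Added example, not part of the advisory and not NetBSD's code: a C model of the copy-length mistake described in the Abstract of NetBSD-SA2003-013 above, with a corrected variant beside it. The structures, names and sample data are constructed, and clamping the length to the structure size is an assumed fix, since the page does not show the actual patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the structure the translator fills in. */
struct demo_statfs {
    long f_type, f_bsize, f_blocks, f_bfree;
};

/* Simulated kernel memory: the structure followed by unrelated data.
 * The "terminal buffer" content is constructed for this example. */
struct demo_kmem {
    struct demo_statfs sfs;
    char tty_buf[32];
};

#define SECRET "constructed-user-typed-text"

static const struct demo_kmem kmem = { { 1, 512, 1000, 250 }, SECRET };

/* Flawed translator: copies as many bytes as the caller asked for. */
static size_t statfs_flawed(unsigned char *ubuf, size_t ulen)
{
    size_t n = ulen;
    if (n > sizeof kmem) n = sizeof kmem;   /* model-only: stay inside kmem */
    memcpy(ubuf, &kmem, n);
    return n;
}

/* Corrected translator: never copies more than the structure itself. */
static size_t statfs_fixed(unsigned char *ubuf, size_t ulen)
{
    size_t n = ulen < sizeof kmem.sfs ? ulen : sizeof kmem.sfs;
    memcpy(ubuf, &kmem, n);
    return n;
}

/* Does the caller's buffer now contain the neighbouring kernel data? */
static int holds_secret(const unsigned char *buf, size_t n)
{
    size_t m = strlen(SECRET);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, SECRET, m) == 0) return 1;
    return 0;
}

/* Bytes beyond the structure that reached the caller for a request of
 * ulen bytes; *saw_secret reports whether the neighbouring data arrived. */
static size_t leaked_bytes(int use_fixed, size_t ulen, int *saw_secret)
{
    unsigned char ubuf[sizeof kmem] = { 0 };
    size_t n;
    if (ulen > sizeof ubuf) ulen = sizeof ubuf;  /* caller's real buffer size */
    n = use_fixed ? statfs_fixed(ubuf, ulen) : statfs_flawed(ubuf, ulen);
    *saw_secret = holds_secret(ubuf, n);
    return n > sizeof kmem.sfs ? n - sizeof kmem.sfs : 0;
}

int main(void)
{
    int seen;
    size_t extra = leaked_bytes(0, sizeof kmem, &seen);
    printf("flawed: %zu extra bytes, secret visible: %d\n", extra, seen);
    extra = leaked_bytes(1, sizeof kmem, &seen);
    printf("fixed:  %zu extra bytes, secret visible: %d\n", extra, seen);
    return 0;
}
```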
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2003-014
=================================
Topic:          Insufficient argument checking in sysctl(2)
Version:        NetBSD-current: source prior to August 25, 2003
                NetBSD 1.6.1:   affected
                NetBSD 1.6:     affected
                NetBSD-1.5.3:   affected
                NetBSD-1.5.2:   affected
                NetBSD-1.5.1:   affected
                NetBSD-1.5:     affected
Severity:       local DOS, read protected kernel memory
Fixed:          NetBSD-current:    August 25, 2003
                NetBSD-1.6 branch: August 28, 2003 (1.6.2 will include the fix)
                NetBSD-1.5 branch: August 28, 2003
Abstract
========
Three unrelated problems with inappropriate argument handling were
found in the kernel sysctl(2) code, which could be exploited by
malicious local user:
Some sysctl nodes could cause the kernel to dereference a NULL
pointer, resulting in a panic.
Passing the process id of a zombie process could cause the kernel to
dereference invalid process data, and panic.
Other sysctl nodes had an insufficient range check, which could be
abused to read arbitrary locations in kernel memory space.
Technical Details
=================
There are three unrelated problems, found during an effort to rewrite
the present sysctl(2) infrastructure.
1) A pointer variable was used both for pointing user-level address
(sysctl(2) argument) and kernel address, and there was a chance for
a local user to set NULL pointer to the variable.
2) The proc.* sysctl tree could be invoked on a zombie process, but
made assumptions that the processes were in a valid state, and so
could attempt to reference process information that is invalid or
non-existent for zombies. This is no longer possible.
3) Under the proc.curproc.rlimit subtree are a number of nodes
representing the process resource limits, soft and hard. The sysctl
helper used to manipulate these values had an insufficient range
check, and could be used to read values outside of the working copy
of the rlimit structure. Writes were checked more thoroughly, and
could not abuse this problem.
Solutions and Workarounds
=========================
To correct this problem, upgrade of the kernel (and reboot) is
required. There is no practical work-around for systems running the
vulnerable code in the kernel.
The fixes for all of these issues are contained in the one file,
sys/kern/kern_sysctl.c. The following table lists the fixed revisions
and dates of this file for each branch:
CVS branch      revision      date
-------------   -----------   ----------------
HEAD            1.143         2003/08/24
netbsd-1-6      1.108.4.3     2003/08/27
netbsd-1-5      1.73.2.7      2003/08/27
The following instructions describe how to upgrade your kernel
binaries by updating your source tree and rebuilding and installing a
new version of the kernel. In these instructions, replace:
BRANCH with the appropriate CVS branch (from the above table)
ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.
To update from CVS, re-build, and re-install the kernel:
# cd src
# cvs update -d -P -r BRANCH sys/kern/kern_sysctl.c
# cd sys/ARCH/conf
# config KERNCONF
# cd ../compile/KERNCONF
# make depend;make
# mv /netbsd /netbsd.old
# cp netbsd /
# reboot
Thanks To
=========
Andrew Brown
Revision History
================
2003-09-17 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/sec...003-014.txt.asc
Information about NetBSD and NetBSD security can be found at
https://www.NetBSD.org/ and https://www.NetBSD.org/Security/.
Copyright 2003, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2003-014.txt,v 1.12 2003/09/17 02:49:00 david Exp $
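Before the Mid-Autumn Festival holiday I found that after blog.debian.org.tw was discontinued, some users' blogs on blog.linux.org.tw had problems. Thanks to chihchun for sacrificing holiday time to handle and fix it m(_._)m
Hsinchu NCTU Debian install fest
Time: September 21, 14:00-17:00
Location: NCTU Department of Computer Science computer center, Engineering Building 3, 3rd floor
Instructors: damon, BBNS (NCTU debian user)
Fee: free
Anyone in the Hsinchu area who is interested is welcome to come and listen; the venue holds about 40 people
No registration needed. If you want to install, please bring your own pc or nb; the venue provides keyboards, monitors and mice
The handout is mainly based on the content at
https://wiki.debian.org.tw/index.php?page=VMwareInstall_Blue119
Those who plan to attend can print it out beforehand
https://wiki.debian.org.tw/DebianInstallationNotes
Here you can find the installation floppy images, or an installation iso to burn to CD, and bring them on the day; the organizers cannot provide these on the day
The content on the day is roughly
01. Debian introduction (stable, testing, unstable, main, contrib, non-free)
02. Hardware testing
03. Installation tutorial
04. Hands-on practice
05. X window
06. KDE
The first four items are presented by me; items 5 and 6 are presented by BBNS
Friends in Hsinchu who have time are welcome to come and learn a bit about debian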