CPNI - Centre for the Protection of National Infrastructure

March 2007

NetBSD security advisories

ID: 86
Ref: 028/2007
Date: 09 March 2007:15:04:31
Version: 1

Title: NetBSD security advisories
Abstract: Three NetBSD security advisories concerning ktruser(), the Render and DBE extensions, and BIND
Vendors affected: NetBSD
Operating systems affected: NetBSD
Applications affected: NetBSD

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Advisory 2007-001
=================================

Topic: Integer overflow in ktruser()

Version:        NetBSD-current:         source prior to October 22, 2006
                NetBSD 4.0_BETA2:       not affected
                NetBSD 3.1:             not affected
                NetBSD 3.0.2:           not affected
                NetBSD 3.0.1:           affected
                NetBSD 3.0:             affected
                NetBSD 2.1:             affected
                NetBSD 2.0.*:           affected
                NetBSD 2.0:             affected

Severity:       Local denial of service, Local root compromise

Fixed:          NetBSD-current:         October 22, 2006
                NetBSD-3-0 branch:      October 24, 2006
                NetBSD-3 branch:        October 24, 2006
                NetBSD-2-1 branch:      February 9, 2007
                NetBSD-2-0 branch:      February 9, 2007
                NetBSD-2 branch:        February 9, 2007


Abstract
========

Due to insufficient length checking in ktruser() as used by FreeBSD and Darwin compatibility code, it is possible for a user to cause an integer overflow, resulting in a local denial of service and potentially local root compromise.

This vulnerability has been assigned CVE reference CVE-2007-1273.


Solutions and Workarounds
=========================

Kernels with FreeBSD and/or Darwin binary emulation are affected, including the default GENERIC kernel install. Users of affected NetBSD versions are highly recommended to upgrade their kernel.

Only kernels compiled with the following options are vulnerable to this issue:

        options COMPAT_FREEBSD
        options COMPAT_DARWIN

As a temporary workaround, recompile the kernel with the above options commented out.
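
A check for the workaround above, as an added example that is not part of the NetBSD advisory: it reads a kernel configuration file and lists which of the two emulation options are still active. The function and sample names are hypothetical, the sample configuration is constructed, and `include` lines are not followed.

```shell
#!/bin/sh
# Added example: report which of the options named in the advisory are still
# active in a kernel configuration read from stdin or from the given files.
# Limitation: "include" lines are not followed, so options inherited from an
# included file (for example GENERIC) are not seen.

active_compat_options() {
    awk '
        { sub(/#.*/, "") }                        # drop comments first
        $1 == "options" || ($1 == "no" && $2 == "options") {
            on = ($1 == "options")                # "no options" switches off
            line = $0
            sub(/^[ \t]*(no[ \t]+)?options[ \t]+/, "", line)
            n = split(line, opt, /[ \t]*,[ \t]*/) # comma-separated lists
            for (i = 1; i <= n; i++) {
                name = opt[i]
                sub(/=.*/, "", name)              # strip "=value"
                gsub(/[ \t]/, "", name)
                if (name == "COMPAT_FREEBSD" || name == "COMPAT_DARWIN")
                    state[name] = on              # statements apply in order
            }
        }
        END {
            if (state["COMPAT_FREEBSD"]) print "COMPAT_FREEBSD"
            if (state["COMPAT_DARWIN"])  print "COMPAT_DARWIN"
        }
    ' "$@"
}

sample_kernconf() {       # constructed sample, not a real kernel config
    cat <<'EOF'
options     COMPAT_NETBSD32
#options    COMPAT_FREEBSD      # commented out as the workaround
options     COMPAT_LINUX, COMPAT_DARWIN   # still enabled
EOF
}

# Lists the options that still need to be commented out.
sample_kernconf | active_compat_options
```

An empty result means neither option is set in the file that was checked; a kernel that includes another configuration file needs that file checked as well.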

For all NetBSD versions, you need to obtain fixed kernel sources, rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your kernel. In these instructions, replace:

        ARCH     with your architecture (from uname -m), and
        KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update sys/kern/kern_ktrace.c \
                sys/sys/ktrace.h \
                sys/compat/freebsd/freebsd_misc.c \
                sys/compat/darwin/darwin_iohidsystem.c \
                sys/compat/darwin/darwin_ktrace.c
        # ./build.sh kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

http://www.NetBSD.org/guide/en/chap-kernel.html


Thanks To
=========

Christer Oberg of BitSec discovered and reported this issue.
Christos Zoulas fixed the code.


Revision History
================

2007-03-08 Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-001.txt.asc

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2007, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2007-001.txt,v 1.1 2007/03/05 23:33:13 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRe1o0T5Ru2/4N2IFAQJaagQAmsalluHlg7zDpkvxKPG7NLvgViEIFQIa
GLaaWqlGxsylcYe5Q5QLDUgZBBGazSJMMQULL3yt6l3LoNS2CqT3++BROpspUAKN
8PuImR/XP1frf3w0o8OKSe4i/cYDdt/3uvRydsx4+s3N8+2x6e5QcJ5o0SECDZTz
YON9ZG6ZSec=
=erhT
-----END PGP SIGNATURE-----




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Advisory 2007-002
=================================

Topic: Integer overflows in Render and DBE extensions

Version:        NetBSD-current:         source prior to January 10, 2007
                NetBSD 4.0_BETA2:       affected
                NetBSD 3.1:             affected
                NetBSD 3.0.*:           affected
                NetBSD 3.0:             affected
                NetBSD 2.1:             affected
                NetBSD 2.0.*:           affected
                NetBSD 2.0:             affected
                pkgsrc:                 xorg-server-6.9.0nb13 and earlier

Severity:       Potential local privilege escalation

Fixed:          NetBSD-current:         January 10, 2007
                NetBSD-4 branch:        January 11, 2007
                NetBSD-3-1 branch:      January 11, 2007
                NetBSD-3-0 branch:      January 11, 2007
                NetBSD-3 branch:        January 11, 2007
                NetBSD-2-1 branch:      January 29, 2007
                NetBSD-2-0 branch:      January 29, 2007
                NetBSD-2 branch:        January 29, 2007
                pkgsrc:                 xorg-server-6.9.0nb14 corrects the issue


Abstract
========

There are integer overflows present in the Render and DBE extensions as supplied with both XFree86 and X11R7.0. This can potentially lead to arbitrary code execution. These vulnerabilities can be triggered by a user sending specially crafted X protocol requests.

These vulnerabilities have been assigned CVE references CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103.


Technical Details
=================

There are three separate integer overflows that are present:

* ProcRenderAddGlyphs() function in the Render extension
* ProcDbeGetVisualInfo() function in the DBE extension
* ProcDbeSwapBuffers() function in the DBE extension

These vulnerabilities can potentially lead to arbitrary code execution.


Solutions and Workarounds
=========================

While X11R7.0 from X.Org is in both the HEAD and netbsd-4 branches, it is currently not integrated fully into the base distribution. No NetBSD releases contain X11R7.0 binaries and as such it is not necessary to rebuild anything from source. The instructions below will patch the relevant X11R7.0 source files so that if users are experimenting with X11R7.0 it will contain the necessary security fixes.

A possible temporary workaround for this issue is to disable the DBE and render extensions in your X Server configuration. To do this, under the Modules section of the X Server configuration file, comment out the lines containing:

        Load "DBE"
        Load "render"

For X.Org the configuration file will be xorg.conf and for XFree86 it will be XF86Config. This may impact the appearance of applications run in X Windows.

XFree86-based X servers are included in the NetBSD base distribution, and will need to be rebuilt. The following instructions describe how to upgrade your XFree86 binaries by updating your source tree and rebuilding and installing a new version of XFree86.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2007-01-10
        should be upgraded to NetBSD-current dated 2007-01-11 or later.

        The following files need to be updated from CVS HEAD:
                xfree/xc/programs/Xserver/dbe/dbe.c
                xfree/xc/programs/Xserver/render/render.c
                xorg/xserver/xorg/dbe/dbe.c
                xorg/xserver/xorg/render/render.c

        To update from CVS, re-build, and re-install XFree86:

                # cd xsrc
                # cvs update xfree/xc/programs/Xserver/dbe/dbe.c
                # cvs update xfree/xc/programs/Xserver/render/render.c
                # cvs update xorg/xserver/xorg/dbe/dbe.c
                # cvs update xorg/xserver/xorg/render/render.c
                # make build

* NetBSD 3.*:

        Systems running NetBSD 3.* sources dated from before
        2007-01-11 should be upgraded from NetBSD 3.* sources dated
        2007-01-12 or later.

        The following files need to be updated from the
        netbsd-3, netbsd-3-0 or netbsd-3-1 CVS branch:
                xfree/xc/programs/Xserver/dbe/dbe.c
                xfree/xc/programs/Xserver/render/render.c

        To update from CVS, re-build, and re-install XFree86:

                # cd xsrc
                # cvs update -r <branch_name> \
                        xfree/xc/programs/Xserver/dbe/dbe.c
                # cvs update -r <branch_name> \
                        xfree/xc/programs/Xserver/render/render.c
                # make build

* NetBSD 2.*:

        Systems running NetBSD 2.* sources dated from before
        2007-01-29 should be upgraded from NetBSD 2.* sources dated
        2007-01-30 or later.

        The following files need to be updated from the
        netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
                xfree/xc/programs/Xserver/dbe/dbe.c
                xfree/xc/programs/Xserver/render/render.c

        To update from CVS, re-build, and re-install XFree86:

                # cd xsrc
                # cvs update -r <branch_name> \
                        xfree/xc/programs/Xserver/dbe/dbe.c
                # cvs update -r <branch_name> \
                        xfree/xc/programs/Xserver/render/render.c
                # make build


Thanks To
=========

Sean Larsson of iDefense Labs is credited with the discovery of these issues.


Revision History
================

2007-03-08 Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-002.txt.asc

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2007, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2007-002.txt,v 1.1 2007/03/05 23:33:14 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRe1o4j5Ru2/4N2IFAQIgVgP/fsn9JSi36RNyO7XBQgyHl4BN4cfNK15Q
/gr0Lkmp9j/FFj0kxWAZrjxe+eOG9SjMu4K8ifpy+a6PkaOKp7VRPutB6psk5SOa
PdmlU7Rotbnc/aTaOLnIstvlKLApat1hrSMRPoFvLq4rk3k6k+c305Pozqq6r6Wd
Zn/xuygFeVo=
=QkF5
-----END PGP SIGNATURE-----



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Advisory 2007-003
=================================

Topic: BIND multiple denial of service vulnerabilities

Version:        NetBSD-current:         source prior to January 27, 2007
                NetBSD 4.0_BETA2:       affected
                NetBSD 3.1:             affected
                NetBSD 3.0.*:           affected
                NetBSD 3.0:             affected
                NetBSD 2.1:             not affected
                NetBSD 2.0.*:           not affected
                NetBSD 2.0:             not affected
                pkgsrc:                 bind-9.3.2 and earlier

Severity:       Denial of service

Fixed:          NetBSD-current:         January 27, 2007
                NetBSD-4 branch:        March 04, 2007
                NetBSD-3-1 branch:      March 04, 2007
                NetBSD-3-0 branch:      March 04, 2007
                NetBSD-3 branch:        March 04, 2007
                pkgsrc:                 bind-9.3.4 corrects the issue


Abstract
========

Two denial of service vulnerabilities have been reported in bind which can cause the name server daemon to crash. The vulnerabilities relate to the processing of type * (ANY) queries and recursive queries.

The ANY query processing issue has been assigned CVE reference CVE-2007-0493.
The recursive query issue has been assigned CVE reference CVE-2007-0494.


Technical Details
=================

Issue #1: * (ANY) query processing

This issue relates to the way in which the server processes a type * (ANY) query. In order for this attack to be successful, the query must return multiple RRsets in the answer section. In addition to this, the server must be configured with DNSSEC validation enabled.

Issue #2: Recursive query handling

This issue relates to the way in which the server processes recursive queries. The request, in this case, can cause named to read a freed fetch context. The server needs to be enabled to receive recursive queries in order for this attack to be successful.


Solutions and Workarounds
=========================

If you have not enabled dnssec validation in your name server then you
are not vulnerable to the * (ANY) denial of service attack. Both
vulnerabilities can be mitigated by limiting who can perform specific
queries against the name server.

In particular, it is recommended practice, regardless of this
vulnerability, to accept recursive queries only from local clients who
would be expected to query this nameserver directly, not from unknown
Internet sources. The 'allow-recursion' directive in the options
section of named.conf should be configured with an appropriate address
list, as in the following simple example:

        options {
                directory "/etc/namedb";
                // example address list: local /24 network, IPv4 and IPv6 loopback
                allow-recursion { 1.2.3.0/24; 127.0.0.1/32; ::1; };
        };
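
One way to audit the setting recommended above, as an added example that is not part of the NetBSD advisory: it classifies the global allow-recursion list of a named.conf as unset, open (contains "any") or restricted. The function and sample names are hypothetical and the sample configuration is constructed; only the top-level options block is inspected, and /* */ comments and nested address lists are not handled.

```shell
#!/bin/sh
# Added example: classify the allow-recursion setting in the top-level
# "options" block of a named.conf read from stdin or from the given files.
# Prints one word: unset, open or restricted.

audit_allow_recursion() {
    awk '
        # strip // and # comments, then join the file into one string
        { sub(/\/\/.*/, ""); sub(/#.*/, ""); text = text " " $0 }
        END {
            if (!match(text, /[ \t;}]options[ \t]*[{]/)) { print "unset"; exit }
            depth = 0; body = ""
            # copy the options block, tracking brace depth to find its end
            for (i = RSTART + RLENGTH - 1; i <= length(text); i++) {
                c = substr(text, i, 1)
                if (c == "{") depth++
                else if (c == "}" && --depth == 0) break
                body = body c
            }
            if (!match(body, /allow-recursion[ \t]*[{][^}]*[}]/)) {
                print "unset"; exit
            }
            acl = substr(body, RSTART, RLENGTH)
            sub(/^[^{]*[{]/, "", acl); sub(/[}]$/, "", acl)
            n = split(acl, entry, ";")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", entry[i])
                if (entry[i] == "any") { print "open"; exit }
            }
            print "restricted"
        }
    ' "$@"
}

sample_named_conf() {     # constructed sample input
    cat <<'EOF'
options {
    directory "/etc/namedb";
    // allow-recursion { any; };   old setting, commented out
    allow-recursion { 1.2.3.0/24; 127.0.0.1/32; ::1; };
};
EOF
}

sample_named_conf | audit_allow_recursion
```

A result of "unset" means the effective list is whatever default the installed BIND version applies, so it should be checked against that version's documentation.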


It is recommended that NetBSD users of vulnerable versions update
their binaries.

The following instructions describe how to upgrade your bind
binaries by updating your source tree and rebuilding and
installing a new version of bind.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2007-01-27
        should be upgraded to NetBSD-current dated 2007-01-28 or later.

        Due to the amount of changes introduced in the BIND upgrade
        in CVS HEAD it is recommended that users of NetBSD-current
        perform a full system upgrade to sources dated after 2007-01-28.

        For more information on how to do this, see:

        http://www.netbsd.org/Documentation/current/


* NetBSD 3.*:

        Systems running NetBSD 3.* sources dated from before
        2007-03-04 should be upgraded from NetBSD 3.* sources dated
        2007-03-05 or later.

        The following files need to be updated from the
        netbsd-3, netbsd-3-0 or netbsd-3-1 branch:
                dist/bind/lib/dns/resolver.c
                dist/bind/lib/dns/validator.c
                dist/bind/lib/dns/include/dns/validator.h
                dist/bind/version

        To update from CVS, re-build, and re-install bind:

                # cd src
                # cvs update -r <branch_name> dist/bind/lib/dns/resolver.c
                # cvs update -r <branch_name> dist/bind/lib/dns/validator.c
                # cvs update -r <branch_name> \
                        dist/bind/lib/dns/include/dns/validator.h
                # cvs update -r <branch_name> dist/bind/version
                # cd usr.sbin/bind
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


Thanks To
=========

The Internet Software Consortium is credited with the discovery and
correction of both issues.


Revision History
================

2007-03-08 Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2007, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2007-003.txt,v 1.2 2007/03/08 19:32:38 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRfBlAT5Ru2/4N2IFAQKeHAP9EtOMZA2jmJNDuO/HFZF4SIyTMpGjgU0F
5rI1YxDoHD08EnhF7cYSzClJz2auByW33i29c90cFCMCUVt7r8UOAONxKuOd9ClK
M6tFKIlFozHNUrxe90X1L22uFwSMAUQteOZ5n8Fg9N4bNEhsbRqE96/rLatjBIPP
h0BAEpAZcBc=
=7g3k
-----END PGP SIGNATURE-----

______________________________________________________________________________


CPNI wishes to acknowledge the contributions of NetBSD for the information
contained in this advisory.
______________________________________________________________________________
