Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19140
HistoryFeb 16, 2008 - 12:00 a.m.

FreeBSD Security Advisory FreeBSD-SA-08:03.sendfile

2008-02-1600:00:00
vulners.com
8
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:03.sendfile Security Advisory
The FreeBSD Project

Topic: sendfile(2) write-only file permission bypass

Category: core
Module: sys_kern
Announced: 2008-02-14
Credits: Kostik Belousov
Affects: All supported versions of FreeBSD
Corrected: 2008-02-14 11:45:00 UTC (RELENG_7, 7.0-PRERELEASE)
2008-02-14 11:45:41 UTC (RELENG_7_0, 7.0-RELEASE)
2008-02-14 11:46:08 UTC (RELENG_6, 6.3-STABLE)
2008-02-14 11:46:41 UTC (RELENG_6_3, 6.3-RELEASE-p1)
2008-02-14 11:47:06 UTC (RELENG_6_2, 6.2-RELEASE-p11)
2008-02-14 11:47:39 UTC (RELENG_6_1, 6.1-RELEASE-p23)
2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name: CVE-2008-0777

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/&gt;.

I. Background

The sendfile(2) system call allows a server application (such as a
HTTP or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory. High
performance servers such as the Apache HTTP Server and ftpd use sendfile.

II. Problem Description

When a process opens a file (and other file system objects, such as
directories), it specifies access flags indicating its intent to read,
write, or perform other operations. These flags are checked against
file system permissions, and then stored in the resulting file
descriptor to validate future operations against.

The sendfile(2) system call does not check the file descriptor access
flags before sending data from a file.

III. Impact

If a file is write-only, a user process can open the file and use
sendfile to send the content of the file over a socket, even though the
user does not have read access to the file, resulting in possible
disclosure of sensitive information.

IV. Workaround

No workaround is available, but systems are only vulnerable if
write-only files exist, which are not widely used.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or
7.0-PRERELEASE, or to the RELENG_7_0, RELENG_6_3, RELENG_6_2,
RELENG_6_1, or RELENG_5_5 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
6.2, 6.3, and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.2, 6.3, and 7.0]

fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile.patch

fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile.patch.asc

[FreeBSD 6.1]

fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile61.patch

fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile61.patch.asc

[FreeBSD 5.5]

fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile55.patch

fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile55.patch.asc

b) Apply the patch.

cd /usr/src

patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html&gt; and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path

RELENG_5
src/sys/kern/kern_descrip.c 1.243.2.11
RELENG_5_5
src/UPDATING 1.342.2.35.2.20
src/sys/conf/newvers.sh 1.62.2.21.2.21
src/sys/kern/kern_descrip.c 1.243.2.9.2.1
RELENG_6
src/sys/kern/kern_descrip.c 1.279.2.16
src/sys/kern/uipc_syscalls.c 1.221.2.5
RELENG_6_3
src/UPDATING 1.416.2.37.2.5
src/sys/conf/newvers.sh 1.69.2.15.2.4
src/sys/kern/kern_descrip.c 1.279.2.15.2.1
src/sys/kern/uipc_syscalls.c 1.221.2.4.4.1
RELENG_6_2
src/UPDATING 1.416.2.29.2.15
src/sys/conf/newvers.sh 1.69.2.13.2.14
src/sys/kern/kern_descrip.c 1.279.2.9.2.1
src/sys/kern/uipc_syscalls.c 1.221.2.4.2.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.26
src/sys/conf/newvers.sh 1.69.2.11.2.25
src/sys/kern/kern_descrip.c 1.279.2.6.2.1
src/sys/kern/uipc_syscalls.c 1.221.2.1.2.1
RELENG_7
src/sys/kern/kern_descrip.c 1.313.2.1
src/sys/kern/uipc_syscalls.c 1.259.2.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.3
src/sys/kern/kern_descrip.c 1.313.4.1
src/sys/kern/uipc_syscalls.c 1.259.4.2

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0777

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:03.sendfile.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)

iD8DBQFHtC0DFdaIBMps37IRAqp8AJ91+flnCIUSvKoFQyXfD1YTnPnuqgCcDiPJ
SR4X1dNFENsHMq9ROrQhr1c=
=TX1R
-----END PGP SIGNATURE-----

Related

seebug 1
ubuntucve 1
openvas 2
securityvulns 1
prion 1
cve 1
freebsd_advisory 1
seebug
seebug
FreeBSD sendfile(2)ๅ‡ฝๆ•ฐๅชๅ†™ๆ–‡ไปถๆƒ้™็ป•่ฟ‡ๅฎ‰ๅ…จ้™ๅˆถๆผๆดž
2008-02-20 00:00:00
ubuntucve
ubuntucve
CVE-2008-0777
2008-02-15 00:00:00
openvas
openvas
FreeBSD Security Advisory (FreeBSD-SA-08:03.sendfile.asc)
2008-09-04 00:00:00
FreeBSD Security Advisory (FreeBSD-SA-08:03.sendfile.asc)
2008-09-04 00:00:00
securityvulns
securityvulns
FreeBSD sendfile&#40;&#41; privilege escalation
2008-02-16 00:00:00
prion
prion
Code injection
2008-02-15 02:00:00
cve
cve
CVE-2008-0777
2008-02-15 02:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-08:03.sendfile
2008-02-14 00:00:00
JSON
Related for SECURITYVULNS:DOC:19140
seebug1ubuntucve1openvas2securityvulns1prion1cve1freebsd_advisory1