From owner-doc-jp-work@jp.FreeBSD.org Tue May 14 00:39:26 2002
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) id g4DFdQ419304;
	Tue, 14 May 2002 00:39:26 +0900 (JST)
	(envelope-from owner-doc-jp-work@jp.FreeBSD.org)
Received: from eos.ocn.ne.jp (eos.ocn.ne.jp [210.190.142.171])
	by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with ESMTP/inet id g4DFdPf19299
	for <doc-jp-work@jp.FreeBSD.org>; Tue, 14 May 2002 00:39:25 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from mail.allbsd.org (p10062-adsao04hon-acca.tokyo.ocn.ne.jp [61.214.216.62])
	by eos.ocn.ne.jp (OCN) with ESMTP id AAA00168
	for <doc-jp-work@jp.FreeBSD.org>; Tue, 14 May 2002 00:39:24 +0900 (JST)
Received: from localhost (alph.allbsd.org [192.168.0.10])
	by mail.hrslab.org (8.12.3/3.7W/DomainMaster) with ESMTP id g4DFcI5B006542
	for <doc-jp-work@jp.FreeBSD.org>; Tue, 14 May 2002 00:38:19 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Date: Tue, 14 May 2002 00:37:51 +0900 (JST)
Message-Id: <20020514.003751.74753577.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <20020507.180834.68158100.y-koga@jp.FreeBSD.org>
References: <20020506.025406.123977084.hrs@eos.ocn.ne.jp>
	<20020506.114621.18306082.y-koga@jp.FreeBSD.org>
	<20020507.180834.68158100.y-koga@jp.FreeBSD.org>
X-Mailer: Mew version 2.1 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Tue_May_14_00:37:51_2002_031)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+020417
X-Sequence: doc-jp-work 347
Subject: [doc-jp-work 347] Re: ANNOUNCE: FreeBSD Security Advisory
 FreeBSD-SA-02:23.stdio
Errors-To: owner-doc-jp-work@jp.FreeBSD.org
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp

----Next_Part(Tue_May_14_00:37:51_2002_031)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

Sato at Tokyo University of Science here.

 Sorry for the slow response.
 Here is a revised version that incorporates Koga-san's suggested corrections.

  # The disk in my main machine failed and
  # recovery took me a while.

--
| Hiroki Sato @ Tokyo University of Science <hrs@eos.ocn.ne.jp>
|                         <hrs@FreeBSD.org> (FreeBSD Project)

Index: 02:20
===================================================================
RCS file: /home/cvs/private/hrs/announce-jp/FreeBSD-SA/02:20,v
retrieving revision 1.2
diff -d -u -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.2 02:20
--- 02:20	5 May 2002 17:47:29 -0000	1.2
+++ 02:20	13 May 2002 15:30:38 -0000
@@ -60,15 +60,15 @@
 Two related problems with syncache were triggered when syncookies were
 implemented.
 
-syncookies $B$,<BAu$5$l$?;~!"(Bsyncache $B$K(B 2 $B<oN`$NLdBj$,H/@8$7$^$7$?!#(B
+syncookies $B$,<BAu$5$l$?$3$H$K$h$j!"(Bsyncache $B$KFs$D$NLdBj$,H/@8$7$^$7$?!#(B
 
 1) When a SYN was accepted via a syncookie, it used an uninitialized
 pointer to find the TCP options for the new socket.  This pointer may
 be a null pointer, which will cause the machine to crash.
 
-1) syncookie $B7PM3$G(B SYN $B$r<uM}$7$?;~!"?75,%=%1%C%H$N(B TCP $B%*%W%7%g%s$r(B
+1) syncookie $B7PM3$G(B SYN $B%Q%1%C%H$r<u$1$H$C$?;~!"?75,%=%1%C%H$N(B TCP $B%*%W%7%g%s$r(B
 $BD4$Y$k$?$a$K;H$o$l$k%]%$%s%?$,=i4|2=$5$l$F$$$^$;$s!#$3$N%]%$%s%?$O(B
-$B%^%7%s%/%i%C%7%e$N860x$H$J$k!"(Bnull $B%]%$%s%?$G$"$k2DG=@-$,$"$j$^$9!#(B
+$B%^%7%s%/%i%C%7%e$N860x$H$J$k(B null $B%]%$%s%?$G$"$k2DG=@-$,$"$j$^$9!#(B
 
 2) A syncache entry is created when a SYN arrives on a listen socket.
 If the application which created the listen socket was killed and
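Review bot: the rewritten first sentence of item 1) weakens "accepted" to "received": the - line had 受理した (`<uM}$7$?`, "accepted") and the + line has 受けとった (`<u$1$H$C$?`, "received"), but the English "When a SYN was accepted via a syncookie" means the SYN passed cookie validation and a connection was being created, which is exactly when the uninitialized options pointer gets used. Keep 受理した (or 受け入れた) so the translation does not suggest that any SYN merely arriving can trigger the crash. Adding パケット after SYN is fine and matches the + line in item 2).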
@@ -82,9 +82,9 @@
 $B0l$D$KBP$7$F!"%(%s%H%j$,0l$D@8@.$5$l$^$9!#(Blisten $B%=%1%C%H$r@8@.$7$?(B
 $B%"%W%j%1!<%7%g%s$,(B kill $B$5$l!":F<B9T$5$l$?(B --- $B$D$^$j!"$=$N(B
 $B%"%W%j%1!<%7%g%s$O0[$J$k(B inpcb ($BLuCm(B: $B%+!<%M%kFbIt$G%=%1%C%H$N4IM}$K(B
-$B;HMQ$5$l$F$$$k(B Protocol Control Block, $B6qBNE*$K$O(B struct inpcb $B$N$3$H(B) $B$G(B
+$B;HMQ$5$l$F$$$k(B Protocol Control Block$B!"6qBNE*$K$O(B struct inpcb $B$N$3$H(B) $B$G(B
 listen $B%=%1%C%H$r:F@8@.$9$k(B --- $B>l9g$r9M$($F$_$^$7$g$&!#$=$N8e$K(B
-syncache $B%(%s%H%j$H0lCW$7$?(B ACK ($B$"$k$$$O=EJ#$7$?(B SYN) $B$,FO$$$?$H$9$k$H!"(B
+syncache $B%(%s%H%j$H0lCW$7$?(B ACK ($B$"$k$$$O=EJ#$7$?(B SYN) $B%Q%1%C%H$,FO$$$?$H$9$k$H!"(B
 $B$=$N%Q%1%C%H$O8E$$(B inpcb $B%]%$%s%?$r;2>H$9$k$3$H$K$J$j$^$9!#$=$N;~$N(B
 $B%]%$%s%?$NCM$K$b$h$j$^$9$,!"$=$N%]%$%s%?;2>H$K$h$C$F%7%9%F%`$,(B
 $B%/%i%C%7%e$9$k2DG=@-$,$"$j$^$9!#(B
@@ -92,8 +92,8 @@
 Because syncache/syncookies support was added prior to the release of
 FreeBSD 4.5-RELEASE, no other releases are affected.
 
-syncache $B$*$h$S(B syncookies $B5!G=$O(B FreeBSD 4.5-RELEASE $B$N8x3+$h$jA0$K(B
-$BDI2C$5$l$?$?$a!"B>$N%j%j!<%9$K$O1F6A$"$j$^$;$s!#(B
+syncache $B$*$h$S(B syncookies $B5!G=$O(B FreeBSD 4.5-RELEASE $B$N8x3+$NA0$K(B
+$BDI2C$5$l$?$b$N$G$9!#$7$?$,$C$F!"$=$l0J30$N%j%j!<%9$K$O1F6A$"$j$^$;$s!#(B
 
 
 III. $B1F6AHO0O(B - Impact
@@ -108,7 +108,7 @@
 The first issue described may be worked around by disabling syncookies
 using sysctl.  Issue the following command as root:
 
-$B:G=i$K@bL@$7$?LdBj$O(B sysctl $BJQ?t$r;H$C$F(B syncookies $B$rL58z2=$9$k$3$H$G(B
+$B:G=i$K@bL@$7$?LdBj$O(B sysctl $B$r;H$C$F(B syncookies $B$rL58z2=$9$k$3$H$G(B
 $B2sHr$9$k$3$H$,2DG=$G$9!#$=$l$K$O(B root $B8"8B$G<!$N%3%^%s%I$r<B9T$7$^$9!#(B
 
   # sysctl -w net.inet.tcp.syncookies=0
Index: 02:21
===================================================================
RCS file: /home/cvs/private/hrs/announce-jp/FreeBSD-SA/02:21,v
retrieving revision 1.1
diff -d -u -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.1 02:21
--- 02:21	5 May 2002 17:47:29 -0000	1.1
+++ 02:21	13 May 2002 15:30:10 -0000
@@ -30,7 +30,7 @@
 FreeBSD-SA-02:21.tcpip                                      Security Advisory
                                                                 FreeBSD, Inc.
 
-$B%H%T%C%/(B:	$B7PO)@)8f%F!<%V%k$K$*$1$k%a%b%j%j!<%/LdBj(B
+$B%H%T%C%/(B:	$B7PO)I=$K$*$1$k%a%b%j%j!<%/LdBj(B
                 (routing table memory leak)
 
 $BJ,N`(B:		core
@@ -56,11 +56,11 @@
 indicates how many existing connections use that entry; when the
 reference count reaches zero, the entry is removed from the table.
 
-TCP/IP $B%9%?%C%/$N7PO)@)8f%F!<%V%k$K$O!"$5$^$6$^$J08@h$KE~C#$9$k(B
+TCP/IP $B%9%?%C%/$N7PO)I=$K$O!"$5$^$6$^$J08@h$KE~C#$9$k(B
 $B$?$a$N>pJs$,5-O?$5$l$F$$$^$9!#$"$k%[%9%H$KBP$7$F=i$a$F(B TCP $B@\B3$r(B
 $B3NN)$9$k;~!"$=$N%[%9%H$KBP$7$FJ#@=7PO)(B ("cloned route") $B$H(B
 $B8F$P$l$k%(%s%H%j$,!"@_Dj:Q$_$N7PO)$N0l$D$+$i<+F0E*$K@8@.$5$l$F(B
-$B7PO)@)8f%F!<%V%k$KDI2C$5$l$^$9!#3F!9$N%(%s%H%j$K$O!"$=$N%(%s%H%j$r(B
+$B7PO)I=$KDI2C$5$l$^$9!#3F!9$N%(%s%H%j$K$O!"$=$N%(%s%H%j$r(B
 $BMxMQ$7$F$$$k@\B3$,8=:_$$$/$D$"$k$+$r<($9;2>H%+%&%s%?$,$"$j$^$9!#(B
 $B$=$N%+%&%s%?$,(B 0 $B$K$J$k$H!"$=$N%(%s%H%j$O7PO)%F!<%V%k$+$i:o=|$5$l$^$9!#(B
 
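Review bot: terminology is left inconsistent inside this paragraph: the + lines change 経路制御テーブル to 経路表 for "routing table" (twice), but the unchanged last sentence of the same paragraph still reads 経路テーブル (`7PO)%F!<%V%k`) for the same English term, so one paragraph now uses two renderings. That sentence is within this hunk's context, so change that occurrence to 経路表 in the same commit.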
@@ -72,10 +72,10 @@
 table entry to never be decremented.  Thus, memory allocated for the
 routing table entry was never deallocated.
 
-ip_output() $B$K$*$$$F!"$"$k(B ICMP echo $B1~Ez%a%C%;!<%8$r=hM}$9$k:]!"(B
-$B7PO)@)8f%F!<%V%k$N;2>H%+%&%s%H$,A}2C$7$F$7$^$&%P%0$,4^$^$l$F$$$^$7$?!#(B
+ip_output() $B$K$*$$$F!"$"$k(B ICMP $B%(%3!<1~Ez%a%C%;!<%8$r=hM}$9$k:]$K(B
+$B7PO)I=$N;2>H%+%&%s%H$,A}2C$7$F$7$^$&%P%0$,4^$^$l$F$$$^$7$?!#(B
 $B$3$NA}2C$7$?;2>H%+%&%s%H$O@dBP$K8:>/$7$J$$$?$a!"$3$N%(%s%H%jMQ$K(B
-$B3NJ]$5$l$?%a%b%j$b2rJ|$5$l$^$;$s!#(B
+$B3NJ]$5$l$?%a%b%j$O2rJ|$5$l$^$;$s!#(B
 
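Review bot: the + lines render "reference count" as 参照カウント (`;2>H%+%&%s%H`) while the Background paragraph in the previous hunk keeps 参照カウンタ (`;2>H%+%&%s%?`); pick one term for both. Also, the new first sentence says the bug makes the count 増加してしまう ("increase"), whereas the original says the count is "never decremented"; the second sentence (the incremented count never decreases, so the memory is never freed) recovers the meaning, but a closer rendering of the first sentence would avoid implying a spurious extra increment.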
 
 III. $B1F6AHO0O(B - Impact
@@ -89,8 +89,8 @@
 
 $B$3$N%P%0$O%j%b!<%H$+$i$N%5!<%S%9K832967b$KMxMQ$G$-$k2DG=@-$,$"$j$^$9!#(B
 $B967b<T$O!"$*$=$i$/(B ($B$?$H$($P(B TCP $B$N7PO)$NJ#@=F0:n$rMxMQ$9$k(B
-$B$J$I$7$F(B) $B7PO)@)8f%F!<%V%k$K?7$7$$%(%s%H%j$r:n@.$7!":#2s$N%P%0$r(B
-$BMxMQ$7$F7PO)%(%s%H%j$r2rJ|ITG=$K$9$k$3$H$,2DG=$G$9!#$3$&$$$&J}K!$rMQ$$$F(B
+$B$J$I$7$F(B) $B7PO)I=$K?7$7$$%(%s%H%j$r:n@.$7!":#2s$N%P%0$r(B
+$BMxMQ$7$F7PO)%(%s%H%j$r2rJ|ITG=$K$9$k$3$H$,2DG=$G$9!#$3$NJ}K!$rMQ$$$k$H(B
 $B967bBP>]$H$J$C$?%7%9%F%`$N%a%b%j$r8O3i$5$;$k$3$H$,$G$-$^$9!#(B
 
 
@@ -100,7 +100,7 @@
 messages.
 
 $B%Q%1%C%H%U%#%k%?(B (ipf(8) $B$b$7$/$O(B ipfw(8) $B;2>H(B) $B$r;H$$!"(B
-ICMP echo $B%a%C%;!<%8$r<u$1IU$1$J$$$h$&$K$7$^$9!#(B
+ICMP $B%(%3!<%a%C%;!<%8$r<u$1IU$1$J$$$h$&$K$7$^$9!#(B
 
 
 V.   $B2r7h:v(B - Solution
Index: 02:23
===================================================================
RCS file: /home/cvs/private/hrs/announce-jp/FreeBSD-SA/02:23,v
retrieving revision 1.1
diff -d -u -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.1 02:23
--- 02:23	5 May 2002 17:47:29 -0000	1.1
+++ 02:23	13 May 2002 15:29:01 -0000
@@ -64,7 +64,7 @@
 retain their state during an exec.
 
 $B?7$7$$%W%m%;%9$K$*$1$k%U%!%$%k5-=R;R$O$9$Y$F!"?F%W%m%;%9$+$i(B
-$BJ#@=$5$l$?$b$N$G$9!#$3$l$i$N%U%!%$%k5-=R;R$O!V(Bexec $B;~$K(B close $B$9$k(B
+$BJ#@=$5$l$?$b$N$G$9!#$3$l$i$N%U%!%$%k5-=R;R$O!V(Bexec $B;~$K%/%m!<%:$9$k(B
 (close-on-exec)$B!W$H%^!<%/$5$l$F$$$J$$8B$j!"(Bexec $BCf$bB8:_$7B3$1$^$9!#(B
 
 All POSIX systems assign file descriptors in sequential order,
@@ -74,9 +74,10 @@
 guaranteed to be 2 (standard error).
 
 $B$9$Y$F$N(B POSIX $B%7%9%F%`$G$O%U%!%$%k5-=R;R$r!";HMQ$7$F$$$J$$:G$b>.$5$$?tCM$+$i(B
-$B=gHV$K3d$jEv$F$^$9!#$?$H$($P!"?7$7$/(B exec $B$5$l$?%W%m%;%9$,(B open $B>uBV$K$"$k(B
-0 $B$H(B 1 $B$N%U%!%$%k5-=R;R$*$h$S!"(Bclose $B>uBV$K$"$k%U%!%$%k5-=R;R$r;}$C$F$$$?(B
-$B$H$9$k$H!"?7$7$$%U%!%$%k5-=R;R$OI,$:(B 2 ($BI8=`%(%i!<=PNO(B) $B$K$J$j$^$9!#(B
+$B=gHV$K3d$jEv$F$^$9!#$?$H$($P!"?7$7$/(B exec $B$5$l$?%W%m%;%9$K$*$$$F!"(B
+$B%U%!%$%k5-=R;R(B 0 $B$H(B 1 $B$,%*!<%W%s$5$l$F$$$F!"%U%!%$%k5-=R;R(B 2 $B$,(B
+$B%/%m!<%:$5$l$F$$$k>l9g!"$=$N%W%m%;%9$,%U%!%$%k$r%*!<%W%s$9$k$H!"(B
+$B$=$N?7$7$$%U%!%$%k5-=R;R$O(B 2 ($BI8=`%(%i!<=PNO(B) $B$K$J$k$3$H$,J]>Z$5$l$F$$$^$9!#(B
 
 
 II.  $BLdBj$N>\:Y(B - Problem Description
@@ -91,14 +92,14 @@
 opportunity for privilege escalation.
 
 set-user-id, set-group-id $B$5$l$F$$$k%W%m%0%i%`$O9b$$8"8B$GF0:n$7$^$9!#(B
-$B$=$N$h$&$J%W%m%0%i%`$,(B stdio $B%U%!%$%k5-=R;R$N$$$/$D$+$,(B close $B$5$l$?(B
-$B>uBV$G<B9T$5$l$?>l9g!"%W%m%0%i%`$O%U%!%$%k$r!"I8=`F~NO$+I8=`=PNO!"(B
-$B$"$k$$$OI8=`%(%i!<=PNO$H$$$C$?0U?^$7$J$$%U%!%$%k5-=R;R$r;H$C$F(B open $B$7$F(B
-$B$7$^$&2DG=@-$,$"$j$^$9!#$^$?!"$=$N%W%m%0%i%`$O$=$N8e!"$=$N0U?^$7$J$$7A$G(B
-open $B$7$?%U%!%$%k$+$i%G!<%?$rFI$_9~$s$@$j!"%U%!%$%k$K=q$-9~$s$@$j$9$k$+$b(B
-$BCN$l$^$;$s!#2>$K$=$N%U%!%$%k$,DL>o0lHL%f!<%6$N8"8B$G$O(B open $B$G$-$J$$(B
-$B%U%!%$%k$G$"$C$?$H$9$k$H!"$3$l$O9b$$8"8B$rF@$k$?$a$KMxMQ$G$-$k(B
-$B2DG=@-$,$"$j$^$9!#(B
+$B$=$N$h$&$J%W%m%0%i%`$,(B stdio $B%U%!%$%k5-=R;R$N$$$/$D$+$,%/%m!<%:$5$l$?(B
+$B>uBV$G<B9T$5$l$?>l9g!"$=$N%W%m%0%i%`$,%U%!%$%k$r%*!<%W%s$9$k$H!"(B
+$B$=$N%U%!%$%k$,I8=`F~NO$dI8=`=PNO!"$"$k$$$OI8=`%(%i!<=PNO$K0U?^$;$:$K(B
+$B7k$S$D$$$F$7$^$&2DG=@-$,$"$j$^$9!#$=$&$J$k$H!"$=$N%W%m%0%i%`$OITE,@Z$K(B
+$B$=$N%U%!%$%k$+$i%G!<%?$rFI$_9~$s$@$j!"%G!<%?$r%U%!%$%k$K=q$-9~$s$@$j(B
+$B$9$k$+$b$7$l$^$;$s!#2>$K$=$N%U%!%$%k$,DL>o0lHL%f!<%6$N8"8B$G$O(B
+$B%*!<%W%s$G$-$J$$%U%!%$%k$G$"$C$?$H$9$k$H!"$3$l$O9b$$8"8B$r(B
+$BF@$k$?$a$KMxMQ$G$-$k2DG=@-$,$"$j$^$9!#(B
 
 
 III. $B1F6AHO0O(B - Impact



----Next_Part(Tue_May_14_00:37:51_2002_031)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="02:20"
Content-Transfer-Encoding: 7bit

FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:20 (2002-04-16)
 * syncache/syncookies denial of service
=============================================================================

 This mail is a Japanese translation of the following message, which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:20.syncache
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Tue, 16 Apr 2002 14:03:49 -0700 (PDT)
  Message-Id: <200204162103.g3GL3nT44369@freefall.freebsd.org>
  X-Sequence: announce-jp 965

 The original is PGP-signed; this Japanese translation is not. To verify
 the PGP signature and confirm that the patches and other contents have
 not been tampered with, refer to the original.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese edition of FreeBSD Security Advisories" at the
 end of this document.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(translation begins here)
=============================================================================
FreeBSD-SA-02:20                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:		syncache/syncookies denial of service

Category:	core
Module:		net
Announced:	2002-04-16
Credits:	Alan Judge <Alan.Judge@eircom.net>
                Dima Ruban <dima@FreeBSD.org>
Affects:	FreeBSD 4.5-RELEASE
                FreeBSD 4.4-STABLE (since 2001-12-14 19:53:01 UTC)
                FreeBSD 4.5-STABLE (prior to the correction date)
Corrected:	2002-02-20 16:48:49 UTC (RELENG_4)
                2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
FreeBSD only:	YES


I.   $BGX7J(B - Background

The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are
features of the TCP/IP stack intended to improve resistance to a class
of denial of service attacks known as SYN floods.


II.  $BLdBj$N>\:Y(B - Problem Description

Two related problems with syncache were triggered when syncookies were
implemented.

1) When a SYN was accepted via a syncookie, it used an uninitialized
pointer to find the TCP options for the new socket.  This pointer may
be a null pointer, which will cause the machine to crash.

2) A syncache entry is created when a SYN arrives on a listen socket.
If the application which created the listen socket was killed and
restarted --- and therefore recreated the listen socket with a
different inpcb (translator's note: the Protocol Control Block the
kernel uses internally to manage a socket, specifically a struct inpcb)
--- an ACK (or duplicate SYN) which later arrived and matched the
existing syncache entry would cause a reference to the old inpcb
pointer.  Depending on the pointer's contents, this might result in a
system crash.

Because syncache/syncookies support was added prior to the release of
FreeBSD 4.5-RELEASE, no other releases are affected.

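The second problem above is an instance of a cache holding a raw pointer to an object that can be freed, and reallocated, underneath it. The following C model is an added example and not FreeBSD's tcp_syncache.c: it replays the sequence the advisory describes (SYN cached, listening application killed and restarted, late ACK) and contrasts a teardown that leaves the cache alone with one that purges every entry referring to the inpcb before it is freed. The struct layout, the generation field, the cookie value and the live-inpcb registry used as a test oracle are all invented here and say nothing about how the actual FreeBSD fix works.

```c
/* Added illustration, not FreeBSD code: a syncache entry that outlives the
 * listen socket's inpcb it points at.  All names are invented. */
#include <stdlib.h>
#include <string.h>

struct inpcb {
    int port;
    unsigned gen;               /* unique per allocation; test oracle only */
};

struct syncache_entry {
    int used;
    unsigned cookie;            /* identifies the SYN that was answered */
    struct inpcb *inp;          /* raw pointer to the listen socket's inpcb */
    unsigned inp_gen;           /* generation of *inp when the entry was made */
};

#define SC_SIZE 8
#define MAX_LIVE 8
static struct syncache_entry syncache[SC_SIZE];
static struct inpcb *live_inpcbs[MAX_LIVE];   /* inpcbs not yet freed */
static unsigned next_gen = 1;

/* Application calls listen(): allocate an inpcb and register it as live. */
struct inpcb *listen_create(int port)
{
    struct inpcb *inp = calloc(1, sizeof *inp);
    if (inp == NULL)
        return NULL;
    inp->port = port;
    inp->gen = next_gen++;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_inpcbs[i] == NULL) {
            live_inpcbs[i] = inp;
            return inp;
        }
    free(inp);
    return NULL;
}

static void inpcb_release(struct inpcb *inp)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_inpcbs[i] == inp)
            live_inpcbs[i] = NULL;
    free(inp);
}

/* A SYN arrived on inp and was answered; remember it until the ACK comes. */
int syncache_add(unsigned cookie, struct inpcb *inp)
{
    for (int i = 0; i < SC_SIZE; i++)
        if (!syncache[i].used) {
            syncache[i].used = 1;
            syncache[i].cookie = cookie;
            syncache[i].inp = inp;
            syncache[i].inp_gen = inp->gen;
            return 0;
        }
    return -1;
}

/* Vulnerable teardown: the inpcb is freed, the cache still points at it. */
void listen_destroy_vuln(struct inpcb *inp)
{
    inpcb_release(inp);
}

/* Fixed teardown: drop every entry referring to this inpcb before freeing
 * it, so a late ACK can no longer find a stale pointer. */
void listen_destroy_fixed(struct inpcb *inp)
{
    for (int i = 0; i < SC_SIZE; i++)
        if (syncache[i].used && syncache[i].inp == inp)
            syncache[i].used = 0;
    inpcb_release(inp);
}

/* Oracle: only live inpcbs are dereferenced; the generation check catches
 * malloc() handing the freed address back to the restarted application. */
static int entry_is_stale(const struct syncache_entry *e)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_inpcbs[i] == e->inp && live_inpcbs[i]->gen == e->inp_gen)
            return 0;
    return 1;
}

int syncache_stale_entries(void)
{
    int n = 0;
    for (int i = 0; i < SC_SIZE; i++)
        if (syncache[i].used && entry_is_stale(&syncache[i]))
            n++;
    return n;
}

/* Replay: SYN cached, application killed and restarted, late ACK arrives.
 * Returns how many stale entries the ACK handler could follow. */
int simulate_restart(int fixed)
{
    memset(syncache, 0, sizeof syncache);
    struct inpcb *lsock = listen_create(80);
    if (lsock == NULL || syncache_add(0x5ca1ab1eu, lsock) != 0)
        return -1;
    if (fixed)
        listen_destroy_fixed(lsock);            /* application killed */
    else
        listen_destroy_vuln(lsock);
    struct inpcb *lsock2 = listen_create(80);   /* application restarted */
    int stale = syncache_stale_entries();       /* late ACK matches cookie */
    if (lsock2 != NULL)
        listen_destroy_fixed(lsock2);
    return stale;
}
```

With the vulnerable teardown `simulate_restart(0)` reports one stale entry even though the restarted listener often gets the very same address back from the allocator, which is why a pointer comparison alone cannot tell the cases apart; purging on teardown (or, equivalently, tagging entries with something the freed object cannot satisfy) is what removes the hazard.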

III. $B1F6AHO0O(B - Impact

Legitimate TCP/IP traffic may cause the machine to crash.


IV.  $B2sHrJ}K!(B - Workaround

The first issue described may be worked around by disabling syncookies
using sysctl.  Issue the following command as root:

  # sysctl -w net.inet.tcp.syncookies=0

However, there is no workaround for the second issue.


V.   $B2r7h:v(B - Solution

1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5
security branch dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc

This patch has been verified to apply to 4.5-RELEASE only.

Verify the PGP signature using your PGP utility.

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

Recompile and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system for the change to take effect.


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
src/sys/conf/newvers.sh
  RELENG_4_5                                                1.44.2.20.2.2
src/sys/netinet/tcp_syncache.c
  RELENG_4                                                        1.5.2.5
  RELENG_4_5                                                  1.5.2.4.2.1
-------------------------------------------------------------------------


VII. $B;29M;qNA(B - References

<URL:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=34658>


A.   About the Japanese edition of FreeBSD Security Advisories

The Japanese translation is provided for reference by the FreeBSD
Japanese Documentation Project (doc-jp). Past Japanese-edition security
advisories are collected at

 http://www.FreeBSD.org/ja/security/

Note, however, that neither the translator nor doc-jp makes any
guarantee about the contents of the translation. Please send comments,
requests and questions about the Japanese translation to
doc-jp@jp.FreeBSD.org.

Japanese mirror sites exist for the WWW site http://www.FreeBSD.org/ and
the FTP site ftp://ftp.FreeBSD.org/ referenced in this advisory. To ease
network congestion, please consider using a mirror site first.

To use the Japanese mirror sites, replace http://www.FreeBSD.org/ with
http://www.jp.FreeBSD.org/www.freebsd.org/ and ftp://ftp.FreeBSD.org/
with ftp://ftp.jp.FreeBSD.org/.

Details of mirror sites, including those in other regions, are collected at

 http://www.FreeBSD.org/handbook/mirror.html (English)
 http://www.FreeBSD.org/ja/handbook/mirror.html (Japanese translation)

$hrs: announce-jp/FreeBSD-SA/02:20,v 1.3 2002/05/13 15:33:42 hrs Exp $

----Next_Part(Tue_May_14_00:37:51_2002_031)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="02:21"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:21.tcpip (2002-04-17)
 * routing table memory leak
=============================================================================

 This mail is a Japanese translation of the following message, which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Wed, 17 Apr 2002 12:23:42 -0700 (PDT)
  Message-Id: <200204171923.g3HJNgm58892@freefall.freebsd.org>
  X-Sequence: announce-jp 966

 The original is PGP-signed; this Japanese translation is not. To verify
 the PGP signature and confirm that the patches and other contents have
 not been tampered with, refer to the original.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese edition of FreeBSD Security Advisories" at the
 end of this document.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(translation begins here)

=============================================================================
FreeBSD-SA-02:21.tcpip                                      Security Advisory
                                                                FreeBSD, Inc.

Topic:		routing table memory leak

Category:	core
Module:		net
Announced:	2002-04-17
Credits:	Jayanth Vijayaraghavan <jayanth@FreeBSD.org>
                Ruslan Ermilov <ru@FreeBSD.org>
Affects:	FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE since 2001-12-07 09:23:11 UTC and prior
                    to the correction date
Corrected:	2002-03-22 16:54:19 UTC (RELENG_4)
                2002-04-15 17:12:08 UTC (RELENG_4_5)
FreeBSD only:	YES


I.   $BGX7J(B - Background

The TCP/IP stack's routing table records information about how to
reach various destinations.  The first time a TCP connection is
established with a particular host, a so-called "cloned route" entry
for that host is automatically derived from one of the predefined
routes and added to the table.  Each entry has a reference count that
indicates how many existing connections use that entry; when the
reference count reaches zero, the entry is removed from the table.


II.  $BLdBj$N>\:Y(B - Problem Description

A bug was introduced into ip_output() wherein the processing of an
ICMP echo reply message would cause a reference count on a routing
table entry to never be decremented.  Thus, memory allocated for the
routing table entry was never deallocated.


III. $B1F6AHO0O(B - Impact

This bug could be exploited to effect a remote denial of service
attack.  An attacker could cause new routing table entries (for
example, by taking advantage of TCP's route cloning behavior) and
then utilize this bug to cause the route entry to never be
deallocated.  In this fashion, the target system's memory can be
exhausted.

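One way a reference count leak of this shape arises, and how it becomes memory exhaustion, as an added C example that is not FreeBSD's ip_output() or ip_icmp.c: a toy routing table of reference-counted cloned routes, an output path whose echo-reply branch returns without dropping the reference it took, and a simulation of many remote hosts each cloning a route and provoking one echo reply. All names and the exact leak site are invented for illustration; the advisory does not describe the real code path.

```c
/* Added illustration, not FreeBSD code: a reference-counted route table,
 * an output path that leaks one reference on the ICMP echo reply branch,
 * and the resulting exhaustion.  All names are invented. */
#include <string.h>

struct rtentry {
    int used;
    unsigned dst;       /* destination host the cloned route was made for */
    int refcnt;         /* connections and in-flight sends using the entry */
};

#define RT_SIZE 64
static struct rtentry rtable[RT_SIZE];

void rt_ref(struct rtentry *rt) { rt->refcnt++; }

/* Drop one reference; the entry is removed when the count reaches zero. */
void rt_unref(struct rtentry *rt)
{
    if (--rt->refcnt == 0)
        rt->used = 0;
}

/* First connection to dst clones a host route; later ones share it.
 * The caller owns one reference on the returned entry. */
struct rtentry *rt_clone(unsigned dst)
{
    struct rtentry *slot = NULL;
    for (int i = 0; i < RT_SIZE; i++) {
        if (rtable[i].used && rtable[i].dst == dst) {
            rt_ref(&rtable[i]);
            return &rtable[i];
        }
        if (!rtable[i].used && slot == NULL)
            slot = &rtable[i];
    }
    if (slot == NULL)
        return NULL;            /* table full: the "memory exhausted" state */
    slot->used = 1;
    slot->dst = dst;
    slot->refcnt = 1;
    return slot;
}

int rt_live_entries(void)
{
    int n = 0;
    for (int i = 0; i < RT_SIZE; i++)
        n += rtable[i].used;
    return n;
}

enum { PKT_TCP, PKT_ICMP_ECHOREPLY };

/* Output path: holds a reference on the route while the packet is sent.
 * The buggy variant returns early on the echo reply branch without
 * dropping it, so that route's count can never reach zero again. */
int ip_output(int proto, struct rtentry *rt, int buggy)
{
    rt_ref(rt);
    if (proto == PKT_ICMP_ECHOREPLY) {
        /* ... echo-reply specific handling ... */
        if (buggy)
            return 0;           /* reference leaked here */
    }
    rt_unref(rt);
    return 0;
}

/* n remote hosts each open one connection (cloning a route), provoke one
 * ICMP echo reply over it, then disconnect.  Returns the number of route
 * entries still allocated afterwards, or -1 once the table is exhausted. */
int simulate_leak(int n, int buggy)
{
    memset(rtable, 0, sizeof rtable);
    for (int h = 0; h < n; h++) {
        struct rtentry *rt = rt_clone(0x0a000001u + (unsigned)h);
        if (rt == NULL)
            return -1;
        ip_output(PKT_TCP, rt, buggy);
        ip_output(PKT_ICMP_ECHOREPLY, rt, buggy);
        rt_unref(rt);           /* connection closed */
    }
    return rt_live_entries();
}
```

With the leak in place every host that provokes one echo reply pins one entry forever, and `simulate_leak(RT_SIZE + 1, 1)` fails with a full table; without it the table is empty once the connections close. The advisory's workaround corresponds to keeping echo messages away from this path altogether, which with ipfw(8) is a rule of the form `deny icmp from any to any icmptypes 0,8` (an example rule, not one given in the advisory).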

IV.  $B2sHrJ}K!(B - Workaround

Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo
messages.


V.   $B2r7h:v(B - Solution

1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or
the RELENG_4_5 security branch dated after the respective correction
dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[4.5-RELEASE,
 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system for the change to take effect.


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
sys/netinet/ip_icmp.c
  RELENG_4                                                      1.39.2.16
  RELENG_4_5                                                1.39.2.14.2.1
sys/netinet/ip_mroute.c
  RELENG_4                                                       1.56.2.4
  RELENG_4_5                                                 1.56.2.3.2.1
sys/netinet/ip_output.c
  RELENG_4                                                      1.99.2.29
  RELENG_4_5                                                1.99.2.24.2.1
-------------------------------------------------------------------------


A.   About the Japanese edition of FreeBSD Security Advisories

The Japanese translation is provided for reference by the FreeBSD
Japanese Documentation Project (doc-jp). Past Japanese-edition security
advisories are collected at

 http://www.FreeBSD.org/ja/security/

Note, however, that neither the translator nor doc-jp makes any
guarantee about the contents of the translation. Please send comments,
requests and questions about the Japanese translation to
doc-jp@jp.FreeBSD.org.

Japanese mirror sites exist for the WWW site http://www.FreeBSD.org/ and
the FTP site ftp://ftp.FreeBSD.org/ referenced in this advisory. To ease
network congestion, please consider using a mirror site first.

To use the Japanese mirror sites, replace http://www.FreeBSD.org/ with
http://www.jp.FreeBSD.org/www.freebsd.org/ and ftp://ftp.FreeBSD.org/
with ftp://ftp.jp.FreeBSD.org/.

Details of mirror sites, including those in other regions, are collected at

 http://www.FreeBSD.org/handbook/mirror.html (English)
 http://www.FreeBSD.org/ja/handbook/mirror.html (Japanese translation)

$hrs: announce-jp/FreeBSD-SA/02:21,v 1.2 2002/05/13 15:33:42 hrs Exp $

----Next_Part(Tue_May_14_00:37:51_2002_031)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: inline; filename="02:23"
Content-Transfer-Encoding: 7bit


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-02:23.stdio (2002-04-22)
 * insecure handling of stdio file descriptors
=============================================================================

 This mail is a Japanese translation of the following message, which was posted to announce-jp:

  Subject: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 22 Apr 2002 11:01:35 -0700 (PDT)
  Message-Id: <200204221801.g3MI1Z996493@freefall.freebsd.org>
  X-Sequence: announce-jp 971

 The original is PGP-signed; this Japanese translation is not. To verify
 the PGP signature and confirm that the patches and other contents have
 not been tampered with, refer to the original.

 For details on the Japanese translation and on using mirror sites, see
 "A. About the Japanese edition of FreeBSD Security Advisories" at the
 end of this document.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(translation begins here)

=============================================================================
FreeBSD-SA-02:23.stdio                                      Security Advisory
                                                          The FreeBSD Project

Topic:		insecure handling of stdio file descriptors

Category:	core
Module:		kernel
Announced:	2002-04-22
Credits:	Joost Pol <joost@pine.nl>
Affects:	All FreeBSD releases up to and including 4.5-RELEASE
                4.5-STABLE prior to the correction date
Corrected:	2002-04-21 13:06:45 UTC (RELENG_4)
                2002-04-21 13:08:57 UTC (RELENG_4_5)
                2002-04-21 13:10:51 UTC (RELENG_4_4)
FreeBSD only:	NO


I.   $BGX7J(B - Background

By convention, POSIX systems associate file descriptors 0, 1, and 2
with standard input, standard output, and standard error,
respectively.  Almost all applications give these stdio file
descriptors special significance, such as writing error messages to
standard error (file descriptor 2).

In new processes, all file descriptors are duplicated from the parent
process.  Unless these descriptors are marked close-on-exec, they
retain their state during an exec.

All POSIX systems assign file descriptors in sequential order,
starting with the lowest unused file descriptor.  For example, if a
newly exec'd process has file descriptors 0 and 1 open, but file
descriptor 2 closed, and then opens a file, the new file descriptor is
guaranteed to be 2 (standard error).

$B$9$Y$F$N(B POSIX $B%7%9%F%`$G$O%U%!%$%k5-=R;R$r!";HMQ$7$F$$$J$$:G$b>.$5$$?tCM$+$i(B
$B=gHV$K3d$jEv$F$^$9!#$?$H$($P!"?7$7$/(B exec $B$5$l$?%W%m%;%9$K$*$$$F!"(B
$B%U%!%$%k5-=R;R(B 0 $B$H(B 1 $B$,%*!<%W%s$5$l$F$$$F!"%U%!%$%k5-=R;R(B 2 $B$,(B
$B%/%m!<%:$5$l$F$$$k>l9g!"$=$N%W%m%;%9$,%U%!%$%k$r%*!<%W%s$9$k$H!"(B
$B$=$N?7$7$$%U%!%$%k5-=R;R$O(B 2 ($BI8=`%(%i!<=PNO(B) $B$K$J$k$3$H$,J]>Z$5$l$F$$$^$9!#(B


II.  Problem Description

Some programs are set-user-id or set-group-id, and therefore run with
increased privileges.  If such a program is started with some of the
stdio file descriptors closed, the program may open a file and
inadvertently associate it with standard input, standard output, or
standard error.  The program may then read data from or write data to
the file inappropriately.  If the file is one that the user would
normally not have privileges to open, this may result in an
opportunity for privilege escalation.


III. Impact

Local users may gain superuser privileges.  It is known that the
`keyinit' set-user-id program is exploitable using this method.  There
may be other programs that are exploitable.


IV.  Workaround

None.  The set-user-id bit may be removed from `keyinit' using the
following command, but note that there may be other programs that can
be exploited.

# chmod 0555 /usr/bin/keyinit


V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the
RELENG_4_5 (4.5-RELEASE-p4) or RELENG_4_4 (4.4-RELEASE-p11) security
branches dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:23/stdio.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Rebuild and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html, then reboot the
system to bring the change into effect.


VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
sys/sys/filedesc.h
  RELENG_4                                                       1.19.2.4
  RELENG_4_5                                                 1.19.2.3.6.1
  RELENG_4_4                                                 1.19.2.3.4.1
sys/kern/kern_exec.c
  RELENG_4                                                     1.107.2.14
  RELENG_4_5                                               1.107.2.13.2.1
  RELENG_4_4                                                1.107.2.8.2.2
sys/kern/kern_descrip.c
  RELENG_4                                                      1.81.2.11
  RELENG_4_5                                                 1.81.2.9.2.1
  RELENG_4_4                                                 1.81.2.8.2.1
sys/conf/newvers.sh
  RELENG_4_5                                                1.44.2.20.2.5
  RELENG_4_4                                               1.44.2.17.2.10
- -------------------------------------------------------------------------


VII. References

PINE-CERT-20020401 <URL:http://www.pine.nl/advisories/pine-cert-20020401.txt>


A.   About the Japanese version of FreeBSD Security Advisories

The Japanese translation is provided for reference by the FreeBSD
Japanese Documentation Project (doc-jp).  Past Japanese-language
security advisories are collected at

 http://www.FreeBSD.org/ja/security/

Please note that neither the translators nor doc-jp give any guarantee
as to the content of the translation.  Comments, requests and inquiries
about the Japanese translation should be sent to doc-jp@jp.FreeBSD.org.

The WWW site http://www.FreeBSD.org/ and the FTP site
ftp://ftp.FreeBSD.org/ referred to in this advisory both have mirror
sites in Japan.  To reduce network congestion, please consider using a
mirror site first.

To use the Japanese mirror sites, replace http://www.FreeBSD.org/ with
http://www.jp.FreeBSD.org/www.freebsd.org/ and ftp://ftp.FreeBSD.org/
with ftp://ftp.jp.FreeBSD.org/, respectively.

Details of mirror sites, including those in other regions, are
collected at

 http://www.FreeBSD.org/handbook/mirror.html (English)
 http://www.FreeBSD.org/ja/handbook/mirror.html (Japanese translation)

$hrs: announce-jp/FreeBSD-SA/02:23,v 1.2 2002/05/13 15:33:42 hrs Exp $
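The descriptor behaviour described in sections I and II, as an added example that is not part of the advisory, of the FreeBSD patch, or of the translation: a small C program that first shows the "lowest unused descriptor" rule without touching descriptors 0-2, and then performs the usual self-check a set-user-id program can do before any other open(): bind each closed stdio descriptor to /dev/null so that a later open() cannot land on standard input, output or error. The function names are this example's own, and it assumes /dev/null exists and is openable.

```c
/* Added example (not from the advisory or the FreeBSD patch):
 * userland self-check for closed stdio descriptors. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open file, 0 if the slot is closed. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Demonstrates the rule from section I: free a descriptor below an
 * open one and observe that the next open() hands the freed number
 * back.  Works on any descriptors, so 0-2 are left alone here.
 * Returns 1 if the freed number was reused, 0 if not, -1 on error. */
static int lowest_free_fd_is_reused(void)
{
    int a = open("/dev/null", O_RDONLY);
    int b = open("/dev/null", O_RDONLY);
    if (a < 0 || b < 0)
        return -1;
    close(a);                       /* leave a hole below b */
    int c = open("/dev/null", O_RDONLY);
    int reused = (c == a);
    close(b);
    if (c >= 0)
        close(c);
    return reused;
}

/* Mitigation for section II: make sure 0, 1 and 2 are all open before
 * a privileged program opens anything else.  Closed slots are bound
 * to /dev/null.  Returns the number of descriptors repaired, or -1 if
 * a slot could not be repaired; the caller must then exit rather than
 * continue, because continuing re-creates the hazard. */
static int ensure_stdio_open(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int flags = (fd == 0) ? O_RDONLY : O_WRONLY;
        int nfd = open("/dev/null", flags);
        if (nfd < 0)
            return -1;
        /* Every lower slot is already open, so the kernel must return
         * exactly fd.  Anything else means a descriptor was closed
         * concurrently; treat that as fatal. */
        if (nfd != fd) {
            close(nfd);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

int main(void)
{
    int repaired = ensure_stdio_open();
    if (repaired < 0)
        _exit(1);                   /* stderr may not be usable here */
    printf("stdio descriptors repaired: %d\n", repaired);
    printf("freed descriptor reused by open(): %s\n",
           lowest_free_fd_is_reused() == 1 ? "yes" : "no");
    return 0;
}
```

The check has to run before any other open(), and before any fprintf(stderr, ...), because on the vulnerable path the first open() is exactly what binds an unrelated file to the missing stdio slot. The kernel-side correction listed in section VI applies the same idea at exec time for set-user-id and set-group-id images; the function above is what a program can do for itself on systems without that protection.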

