From owner-doc-jp-work@jp.FreeBSD.org Tue Mar 30 01:19:32 2004
Message-Id: <20040330.011444.74744913.hrs@eos.ocn.ne.jp>
To: doc-jp-work@jp.FreeBSD.org
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
In-Reply-To: <200403291415.i2TEFQHF035994@freefall.freebsd.org>
References: <200403291415.i2TEFQHF035994@freefall.freebsd.org>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-Mailer: Mew version 4.0.62 on Emacs 21.3.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Tue_Mar_30_01_14_44_2004_475)--"
Content-Transfer-Encoding: 7bit
Reply-To: doc-jp-work@jp.FreeBSD.org
Precedence: list
Date: Tue, 30 Mar 2004 01:14:44 +0900
X-Sequence: doc-jp-work 847
Subject: [doc-jp-work 847] Re: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory
 FreeBSD-SA-04:06.ipv6
Sender: owner-doc-jp-work@jp.FreeBSD.org
X-Originator: hrs@eos.ocn.ne.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+040307

----Next_Part(Tue_Mar_30_01_14_44_2004_475)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

This is Sato at Tokyo University of Science.

 Here is 04:06.

--
| Hiroki Sato @ Tokyo University of Science

----Next_Part(Tue_Mar_30_01_14_44_2004_475)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="04:06"


FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG(B
=============================================================================
FreeBSD-SA-04:06.ipv6 (2004-03-29)
 * setsockopt(2) IPv6 sockets input validation error
=============================================================================

 This mail is a Japanese translation of the following message, which was
 posted to announce-jp:

  Subject: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-04:06.ipv6
  From: FreeBSD Security Advisories <security-advisories@FreeBSD.org>
  Date: Mon, 29 Mar 2004 06:15:26 -0800
  Message-Id: <200403291415.i2TEFQHF035994@freefall.freebsd.org>
  X-Sequence: announce-jp 1222

 The original is PGP-signed, but this Japanese translation is not.
 To check the PGP signature and confirm that the contents, such as the
 patch, have not been tampered with, refer to the original.

 For details about the Japanese translation and the use of mirror sites,
 see "A. About the Japanese Edition of FreeBSD Security Advisories" at the
 end of this message.


                                     [Translator: Hiroki Sato <hrs@jp.FreeBSD.org>]
--(begins here)

=============================================================================
FreeBSD-SA-04:06.ipv6                                       Security Advisory
                                                          The FreeBSD Project

$B%H%T%C%/(B:	setsockopt(2) $B$K$*$1$k(B IPv6 $B%=%1%C%H$NF~NO8!::ItJ,$N%(%i!<(B
		(setsockopt(2) IPv6 sockets input validation error)

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	kernel
$B9pCNF|(B:		2004-03-29
$B%/%l%8%C%H(B:	Katsuhisa ABE, Colin Percival
$B1F6AHO0O(B:	FreeBSD 5.2-RELEASE
$B=$@5F|(B:		2004-03-29 14:01:33 UTC (RELENG_5_2, 5.2.1-RELEASE-p4)
CVE Name:       CAN-2004-0370
FreeBSD $B$K8GM-$+(B:	YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.


I.   $BGX7J(B - Background

IPv6 is a new Internet Protocol, designed to replace (and avoid many of
the problems with) the current Internet Protocol (version 4).  FreeBSD
uses the KAME Project IPv6 implementation.

IPv6 $B$O!"8=:_$N%$%s%?!<%M%C%H%W%m%H%3%k(B ($B%P!<%8%g%s(B 4) $B$rCV$-49$((B ($B$F!"(B
$B4{B8$NLdBjE@$NB?$/$r2sHr$9(B) $B$kL\E*$G@_7W$5$l$?!"%$%s%?!<%M%C%H(B
$B%W%m%H%3%k$N?7$7$$%P!<%8%g%s$G$9!#(BFreeBSD $B$G$O!"(BKAME $B%W%m%8%'%/%H$N(B
IPv6 $B<BAu$,;H$o$l$F$$$^$9!#(B

Applications may manipulate the behavior of an IPv6 socket using the
setsockopt(2) system call.


II.  $BLdBj$N>\:Y(B - Problem Description

A programming error in the handling of some IPv6 socket options within
the setsockopt(2) system call may result in memory locations being
accessed without proper validation.  While the problem originates in
code from the KAME Project, it does not affect other operating systems.

setsockopt(2) $B%7%9%F%`%3!<%k$K$*$1$k(B IPv6 $B%=%1%C%H%*%W%7%g%s$N(B
$B0lIt$N=hM}$K$O%W%m%0%i%`>e$N8m$j$,$"$j!"8!::$,E,@Z$K$*$3$J$o$l$F(B
$B$$$^$;$s!#$=$N$?$a!"ITE,@Z$J%a%b%j%"%/%;%9$,H/@8$9$k2DG=@-$,$"$j$^$9!#(B
$B$3$NLdBj$O(B KAME $B%W%m%8%'%/%H$N%3!<%I$KM3Mh$9$k$b$N$G$9$,!"(B
FreeBSD $B0J30$N%*%Z%l!<%F%#%s%0%7%9%F%`$X$N1F6A$O$"$j$^$;$s!#(B


III. $B1F6AHO0O(B - Impact

It may be possible for a local attacker to read portions of kernel
memory, resulting in disclosure of sensitive information.  A local
attacker can cause a system panic.


IV.  $B2sHrJ}K!(B - Workaround

Do one of the following:

1) Disable IPv6 entirely by following these steps:

   - Remove or comment out any lines mentioning `INET6' from your
     kernel configuration file, and recompile your kernel as described
     in <URL:http://www.freebsd.org/handbook/kernelconfig.html>.

   - Reboot your system.

2) If all untrusted users are confined within a jail(8), ensure that
the security.jail.socket_unixiproute_only sysctl is set to 1 and
verify that no IPv6 sockets are currently open:


# sysctl security.jail.socket_unixiproute_only=1
# sockstat -6

This will restrict jailed processes to creating UNIX domain, IPv4, and
routing sockets, which are not vulnerable to this problem; note however
that processes inside a jail may still be able to inherit IPv6 sockets
from outside the jail, so this may not be sufficient for all systems.

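Added example (not part of the advisory): an sh check for workaround 2 that
takes the sysctl value and the `sockstat -6` output and reports whether the
setting is in place and whether any IPv6 socket is still open. The function
names and the sample sockstat output are constructed for illustration, and the
column layout USER COMMAND PID FD PROTO LOCAL FOREIGN is an assumption.

```shell
#!/bin/sh
# Audit for workaround 2 of FreeBSD-SA-04:06.ipv6 (added example).
# Function names are hypothetical. Inputs are the outputs of
#   sysctl -n security.jail.socket_unixiproute_only
#   sockstat -6

# Print "USER COMMAND PID PROTO" for each IPv6 socket in sockstat output.
# Assumes a one-line header and PROTO in column 5 (tcp6, udp6, ...).
list_inet6_sockets() {
    printf '%s\n' "$1" | awk 'NR > 1 && $5 ~ /6$/ { print $1, $2, $3, $5 }'
}

# check_workaround SYSCTL_VALUE SOCKSTAT_OUTPUT
# Returns 0 when the sysctl is 1 and no IPv6 socket is open,
# 1 when the sysctl is not 1, 2 when IPv6 sockets are still open.
check_workaround() {
    if [ "$1" != "1" ]; then
        echo "FAIL: security.jail.socket_unixiproute_only is '$1', expected 1"
        return 1
    fi
    open=$(list_inet6_sockets "$2")
    if [ -n "$open" ]; then
        # An open IPv6 socket can be inherited by a jailed process.
        echo "FAIL: IPv6 sockets are still open:"
        echo "$open"
        return 2
    fi
    echo "OK: sysctl is 1 and no IPv6 sockets are open"
    return 0
}

# Constructed samples of `sockstat -6` output, so the script runs offline.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp6   *:22                  *:*
www      httpd      731   16 tcp6   *:80                  *:*'
SAMPLE_EMPTY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS'

if [ "${1:-}" = "--live" ]; then
    # On a FreeBSD host: feed the real values to the check.
    check_workaround "$(sysctl -n security.jail.socket_unixiproute_only)" \
                     "$(sockstat -6)"
else
    check_workaround 1 "$SAMPLE_SOCKSTAT" || true
fi
```

Run it with --live on the host itself; without arguments it evaluates the
constructed sample and reports the two open tcp6 sockets.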


V.   $B2r7h:v(B - Solution

Do one of the following:

1) Upgrade your vulnerable system to the RELENG_5_2 security branch
dated after the correction date.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

a) $B0J2<$N>l=j$+$i=$@5%Q%C%A$r%@%&%s%m!<%I$7!"(BPGP $B%f!<%F%#%j%F%#$r;H$C$F(B
   PGP $B=pL>$r3NG'$7$^$9!#(B

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:06/ipv6.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:06/ipv6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
 ($BLuCm(B: /path/to/patch $B$NItJ,$O=$@5%Q%C%A$N%Q%9L>$KCV$-49$($F$/$@$5$$(B)

c) Recompile the kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

d) Install updated kernel headers.

# cd /usr/src/include
# make install


VI.  $B=$@5$N>\:Y(B - Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

FreeBSD $B$K$*$$$F:#2s=$@5$5$l$?3F%U%!%$%k$N%j%S%8%g%sHV9f$O!"0J2<$N$H$*$j$G$9!#(B

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_5_2
  src/UPDATING                                                 1.282.2.12
  src/sys/netinet6/ip6_output.c                                  1.71.2.2
  src/sys/netinet/ip6.h                                          1.10.2.1
  src/sys/conf/newvers.sh                                       1.56.2.11
-------------------------------------------------------------------------


A.   FreeBSD $B%;%-%e%j%F%#4+9p(B $BF|K\8lHG$K$D$$$F(B

$BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B (doc-jp) $B$,(B
$B;29M$N$?$a$KDs6!$9$k$b$N$G$9!#2a5n$NF|K\8lHG%;%-%e%j%F%#4+9p$O(B

 http://www.FreeBSD.org/ja/security/

$B$K$^$H$a$i$l$F$$$^$9!#(B

$B$?$@$7K]Lu<T$*$h$S(B doc-jp $B$O!"$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b(B
$B$$$?$7$^$;$s$N$G$4Cm0U$/$@$5$$!#F|K\8lLu$K$D$$$F$N$40U8+!"$4MWK>!"(B
$B$*Ld$$9g$o$;Ey$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9!#(B

$B$3$N4+9p$NCf$G>R2p$5$l$F$$$k(B WWW $B%5%$%H(B http://www.FreeBSD.org/ $B$*$h$S(B
FTP $B%5%$%H(B ftp://ftp.FreeBSD.org/ $B$K$O(B, $BF|K\$N%_%i!<%5%$%H$,B8:_$7$^$9!#(B
$B%M%C%H%o!<%/$N:.;($r4KOB$9$k$?$a!"$^$:$O%_%i!<%5%$%H$NMxMQ$r(B
$B9MN8$9$k$h$&$*4j$$$7$^$9!#(B

$BF|K\$N%_%i!<%5%$%H$rMxMQ$9$k$K$O!"(B
http://www.FreeBSD.org/ $B$r(B http://www.jp.FreeBSD.org/www.freebsd.org/ $B$K!"(B
ftp://ftp.FreeBSD.org/ $B$r(B ftp://ftp.jp.FreeBSD.org/ $B$K!"(B
$B$=$l$>$lCV$-49$($F$/$@$5$$!#(B

$BB>$NCO0h$r4^$`%_%i!<%5%$%H$K4X$9$k>\:Y$O(B

 http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html ($B1QJ8(B)
 http://www.FreeBSD.org/doc/ja_JP.eucJP/books/handbook/mirrors.html ($BF|K\8lLu(B)

$B$K$^$H$a$i$l$F$$$^$9!#(B

$hrs: announce-jp/FreeBSD-SA/04:06,v 1.1 2004/03/29 16:13:46 hrs Exp $

----Next_Part(Tue_Mar_30_01_14_44_2004_475)----
