OpenBSD Journal

[SECURITY] Kernel Patch 14 Available

Contributed by jose on from the patch--p0-<-file.patch dept.

The OpenBSD team has released patch 014, which fixes a set of issues in system calls. According to errata.html,
"An insufficient boundary check in the select(2) system calls allows an attacker to overwrite kernel memory and execute arbitrary code in kernel context."
The patch has been rolled into 3.1-stable, and is also available as patch 31 for OpenBSD-3.0 users. Directions on how to apply the patch are in the patchfile itself.

Update: Looks like poll(2) is not affected, and Niels Provos has posted a security advisory about this, as well.


Comments
  1. By Anonymous Coward () on

    Yeah, I'm beginning to think that a way to update a system without compiling source is a good idea. I just installed a 3.1 box, and now I'm spending all day patching and compiling it.

    Comments
    1. By Anonymous Coward () on

      If you "just installed" it, then you should be patching and compiling it once.

    2. By jose () on http://www.monkey.org/~jose/

      yep. if you installed either -stable or a snapshot, you should only have to recompile your kernel once for this.

    3. By Anonymous Coward () on

      Most everyone that has more than one or two boxes makes stable snapshots. It makes updating much easier.

    4. By Anonymous Coward () on

      can you ftp install -stable or anything, or do you have to do it via cvs?

      Comments
      1. By Josh () josh@greentechnologist.org on http://www.greentechnologist.org

        I'm going to suggest that the *best* way to follow this stuff is to subscribe to source-changes@openbsd.org. You filter out 98% of the messages and occasionally you'll see a tag like OPENBSD_3_0 or OPENBSD_3_1. When *that* happens you know the CVS repository has changed and don't have the overhead of doing a nightly cvs update. From there it's up to you on how to handle it. That might be doing a 'make build' from /usr/src, it might be browsing to http://www.openbsd.org/errata.html to see what happened (and which parts need recompiling).

        It's the least resource intensive way of keeping up to date.

  2. By Anonymous Coward () on

    mmmm

    how many more have been _introduced_ into OpenBSD?

    Comments
    1. By Anonymous Coward () on

      Go run something else.
      Go bitch on someone else's boards.

    2. By Anonymous Coward () on

      And there were 2 recent bugs in FreeBSD that didn't affect OpenBSD or NetBSD (ffs and kqueue).

      Comments
      1. By Anonymous Coward () on

        seems to suggest the above topic to me :)

    3. By Anonymous Coward () on

      FreeBSD not vulnerable since 1996, NetBSD not vulnerable since 1997. Hi Theo! :)

      Comments
      1. By emcis () on

        Anonymous Coward says it all.

  3. By Anonymous Coward () on

    I'm starting to think that maybe the Hurd is onto something. For the Hurd, all these things (tcp/ip, ethernet drivers, almost everything) are run in userland. The kernel only does the minimum necessary to let these userland procs work together. The big drawback of this is that it means you have to do a lot of messaging and even worse a lot of context switching to get anything done, so there is a performance hit, but it helps with fault isolation.

    We make fun of dumb OSes like Windows for having the gui built into the kernel, but in some sense, having nfs, or even tcp/ip itself built into the kernel is equally dumb, from a design point of view. There were performance reasons why things had to be done that way but I'm not sure if it matters anymore.

    I'm looking forward to being able to try out the Hurd on production stuff, as a possible alternative to OpenBSD, for some uses.

    Comments
    1. By Bruce () on

      "The big drawback of this is that it means you have to do a lot of messaging and even worse a lot of context switching to get anything done, so there is a performance hit, but it helps with fault isolation."

      I see this all the time and usually don't bother responding to it any more, but since I'm procrastinating on my work...

      Context switching is not necessarily expensive. QNX's operating systems over the years have always been designed with extremely small kernels (like 8kB or so) which essentially only handle message passing, and exceptionally fast context switches.

      I worked with QNX back when the 386 was a good desktop. (Yes, I'm *that* old. Older, even.) XENIX was limited to 30 context switches per second, while QNX handled switches on the order of 10 or 20 microseconds. Have a look at their table of times for their current kernel on modern embedded processors at:
      http://www.qnx.com/products/ps_neutrino/features.html

      Conclusion? Context switches are slow on most OSes because they weren't designed or optimised for speed, not because they couldn't be.

      Comments
      1. By Anonymous Coward () on

        Thanks for the info on that. The standard wisdom is that context switching is slow on an x86 arch, but maybe that standard wisdom isn't wisdom. Speaking of alternative OSes, the other one that I'm excited about is EROS. It is designed with capabilities from the ground up.

      2. By Anonymous Coward () on

        Interesting thought, I've seen QNX around for quite some time. I'm wondering why nobody has tried to use it on a PDA. It seems better suited for the task than Linux or WinCE. Does anybody know of any ports or hacks?

  4. By Anonymous Coward () on

    I run OpenBSD on my one Internet-accessible server because I don't believe I'm knowledgeable enough to lock down a Linux or FreeBSD server, and frankly I don't have the time to learn it all. I want 'secure by default'.

    I also recognize that there are going to be bugs impacting security no matter how talented and well-intentioned the core developers may be, so I'm not about to get upset about bugs like many people posting here.

    What would really make me happy, though, would be if I could buy CDs of the fully patched 'stable' branch between full CD releases. No fancy graphics or stickers, perhaps no ports or packages, just the core OS as fixed-up as possible on one CD. Put it in a sleeve to reduce costs further. Maybe burn it in a CD writer, if the market for this service is too small. Or serve the binaries over the net, with checksums delivered separately.

    I know source code is the religion here, but am I the only person who would appreciate the OpenBSD equivalent to 'Windows Update'?

    Comments
    1. By pachamama () on

      yep. the only one.

      seriously, just compile from source. maybe you'll learn something (only say this because of your stated reason for running OpenBSD).

    2. By Anonymous Coward () on

      Absolutely, and since time is money, I'm willing to pay for it. Let the pros get it to compile, and let me get on with my real work. We are talking a $ opportunity here.

    3. By Anonymous Coward () on

      An OpenBSD Windowsupdate would be a godsend. I have 3 servers, all of which are different versions of OpenBSD or FreeBSD. 2.7, 2.9, 3.1 and 4.6 FreeBSD.

      I run STABLE and Generic Kernel...

      A quick and easy update that I can run nightly from cron would be wonderful.

      Call me troll... I don't care.

    4. By Anonymous Coward () on

      I would be very inclined to buy ready-to-install CDs. There have been enough critical bugs lately that it's a pain to deal with them all. In fact I would buy an OpenBSD subscription if there were such a thing.

    5. By Gerardo Santana Gómez Garrido () santana@openbsd.org.mx on http://www.openbsd.org.mx/~santana/

      That's what binary patches will solve. I've been busy solving real life problems, but I'm updating the binary patches subsystem very soon (I've got some new resources for this purpose).

  5. By Anonymous Coward () on

    Isn't it a good idea to open up an ftp server which would be able to serve binaries or at least patched binaries for those who don't have the possibility to compile them locally?

    Comments
    1. By Anonymous Coward () on

      This would probably cut into CD sales pretty bad.....So I'm fairly confident that some asshole (Mr. Reed or Mr. de Joode) will throw some up on an ftp and spam misc@ about it soon enough.

    2. By 9370 () on

      For some platforms:

      http://www.trilug.org/~mike/OpenBSD/

  6. By anonymous () me@you.com on mailto:me@you.com

    I see that ever since the OpenSSH was trojaned, the primary ftp site and all other mirrors are stuck with a July 31 snapshot build of -current (at least for i386... haven't checked other arch's). Anyone heard when this will be updated? Or for that matter, anyone know if anything's been done to tighten things up on the site?
