Contributed by
jose
on
from the integer-overflows dept.
(Pasting from security-announce and Todd Miller's original message.) It is possible for root to raise the value of the seminfo.semmns
and seminfo.semmsl sysctls to values sufficiently high such that
an integer overflow occurs. This can allow root to write to kernel
memory irrespective of the security level. The default security
level on OpenBSD is 1 ("secure mode") which does not allow writing
to /dev/mem and /dev/kmem. It may be possible for a root user
to exploit this bug to reduce the security level itself.
The impact of this bug is quite low for most systems since it is
only useful to an attacker who already has root on the local system
with the expertise to modify the running kernel.
Thanks to blexim for finding this bug and notifying us.
The problem has been fixed in the OpenBSD 3.3-stable branch.
In addition, a patch is available for OpenBSD 3.3:
003_sysvsem.patch
This bug affects OpenBSD 3.3 only.
(Comments are closed)
Comments
By
Fredrik ()
on
Does anywone know why the patch is'nt added to the errata page?
Comments
By
Brad () brad at comstyle dot com
on
mailto:brad at comstyle dot com
It was on the errata page before even being mentioned on O.J.
By
Anonymous Coward ()
on
It is on the errata page, and a mail has been sent to security-announce. The patch wasn't on all mirrors yet when I patched my systems, but I think by now all mirrors will be up-to-date again.
Maybe you're using a HTTP proxy (or your ISP is), that's still serving you an older version of the page.
By Fredrik () on
Comments
By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com
By Anonymous Coward () on
Maybe you're using a HTTP proxy (or your ISP is), that's still serving you an older version of the page.
Comments
By Fredrik () on
A reload and there was the patch