OpenBSD Journal

Reliability Fix - for tcp timestamps.

Contributed by grey on from the can't think of anything clever to write right now dept.

From http://www.openbsd.org/errata.html:

Handle an edge condition in tcp(4) timestamps.

A source code patch exists which remedies this problem may be found here for 3.6 and here for 3.5.

(Comments are closed)


Comments
  1. By Anthony Roberts (68.145.103.21) on

    Now that I've patched and rebooted, what unwanted behavior did this allow?

    Comments
    1. By Anonymous Coward (68.6.193.220) on

      It makes your tcp stack less edgy.

    2. Comments
      1. By Daniel Hartmeier (62.65.145.30) daniel@benzedrine.cx on http://www.benzedrine.cx/dhartmei.html

        Sometimes the vagueness has reasons beyond our control. From the general area of code and the fact that it showed up on errata as stability fix you can safely conclude that the bug allows some remote DoS but not privilege escalation nor code execution, if that's of any help.

        Comments
        1. By Jim (69.182.45.193) on

          "Sometimes the vagueness has reasons beyond our control"

          I apologize for being an idiot... but what does this sentence mean? Are you saying that CERT will not tell you how problems could affect OpenBSD? Or are you saying that an agreement with CERT prevents you from saying how problems affect OpenBSD?

          Comments
          1. By tedu (69.227.45.201) on

            details are not available at this time.

            Comments
            1. By Chas (147.154.235.51) on

              ...that you were tipped off about this problem and fixed it, but other OS platforms on the internet have the same problem and you don't want to make life any harder for them.

              However, when you dissemble regarding the risk and severity of a patch, it does strain our trust in you.

              I am applying this patch, and I know that you have our interests at heart, but please try not to strain this trust in the future. I like buying your CDs and using your OS, and I don't want a reason to go elsewhere.

              Comments
              1. By Chris (24.76.170.207) on

                Out of curiosity, where are you going to go where you'll trust the project *more* than OpenBSD security-wise?

                Comments
                1. By Chas (147.154.235.51) on

                  So tell me, taking OpenBSD into a corporate environment and explaining to an IT manager that you need to reboot for a kernel patch "because they said so" seems like an easy thing to do to you?

                  If Sun tried this, they would be burned at the stake. This is OpenBSD, so we let it slide.

                  Feel free to mod me down more if you like. It doesn't change a thing.

                  Comments
                  1. By Brad (204.101.180.70) brad at comstyle dot com on

                    And if this was Sun then you wouldn't have the patch for another 5 months.

                  2. By tedu (64.173.147.27) on

                    so don't reboot it until all the vendors issue patches and the details are released.

                  3. By Bert (68.50.4.145) on thrashbluegrass@antisocial.com

                    "If Sun tried this, they would be burned at the stake."

                    Sure, they'd be pilloried. And if you look at some of the other comments on the list, so is the OpenBSD team.

                    Microsoft, Red Hat, etc. certainly have a higher standard to be held to, precisely because they charge for support - if you've paid that, you should be able to expect some more verbage from them. How much are you *required* to pay for OpenBSD? As far as I know, the required outlay is the price of your internet connection, which I'm willing to bet you'd have anyway.

                    And, on the subject of verbage, what's your take on "reading the previously supplied link which explains why the developers can't tell you?"

                    From the CERT/CC link provided by Daniel Hartmeier:

                    "All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors."

                    It isn't the OpenBSD team's knowledge to distribute. Be happy that you'll know what it was soon. Be happy that a patch was made (and quickly) before details of the problem became script-kiddie-friendly.

                    And about your complaint concerning telling an IT manager "that you need to reboot for a kernel patch 'because they said so'?" I'd assume that any IT manager worth their salt, seeing a patch distributed for a CERT-issued vulnerability warning from a product's developers, wouldn't need too much prodding in that direction.

                  4. By marco (but not marco@) (149.169.52.82) on

                    first of all, you're not rebooting "because they said so". you're rebooting to fix an error in the kernel's networking stack

                    secondly, show me an it manager that will know what they hell you're talking about when you tell them "it fixes a condition in the kernel's networking stack". if, by some strange act of god, they do know, have them look at the patch themselves

                  5. By Anonymous Coward (128.39.141.245) on

                    I guess others have already pointed out how flawed your comment is, but it is an expression of such staggering ignorance that it really needs to be pointed out again.

                    Sun systems also need to be rebooted for kernel updates. Ditto Win2003 systems, Tru64 systems, Irix systems, and Linux systems. Systems get rebooted, especially when tinkering with or updating the kernel, deal with it.

                    If you or your manager think this is reason enough to throw a screaming, crying flailing fit on the server room floor, or to threaten never to use a particular OS again, then I regard neither of you as employable in an IT technical or managerial role.

                    Mod you down? Its far more entertaining seeing you make an ass out of yourself :)

                  6. By Anonymous Coward (216.231.61.224) on

                    dude, thats just idiotic. look at the source. if you dont know what it does you shouldnt be using openbsd anyway.

                    Comments
                    1. By rene (138.217.52.28) on

                      yeah cause all openbsd users are kernel programmers, maybe you should stop talking and start coding...

              2. By Chad Loder (216.239.134.34) on

                > However, when you dissemble regarding the risk and severity of a patch, it does strain our trust in you.

                > I am applying this patch, and I know that you have our interests at heart, but please try not to strain this trust in the future. I like buying your CDs and using your OS, and I don't want a reason to go elsewhere.

                This is one of the dumbest things I've heard in awhile. The beauty of open source is, if you don't want to trust us then read the patch yourself and it will be obvious what it does. If you aren't capable of understanding the patch, then you'd still have to trust any explanation we gave you. How would that help you?

              3. By Roo (83.146.8.227) darkboong@hotmail.com on

                ... Just look at the patch and work out what's changed. That's one of the pay-offs of open source, it's quite a small patch btw, although you will probably need to do a fair amount of homework to work out what's going on.

                Cheers,
                Roo

    3. By test (12.108.12.64) on sorry

      sorry, just needed to know my ip

      Comments
      1. By tedu (64.173.147.27) on

        www.whatsmyip.org

  2. By halosfan (192.223.243.5) on

    Is there a problem with the security-announce mailing list? This has already been asked recently (not by me), but received no response.

    Comments
    1. By tedu (64.173.147.27) on

      http://marc.theaimsgroup.com/?t=111279860300006&r=1&w=2

    2. By Anonymous Coward (212.143.248.152) on

      http://ethernet.org/~brian/errata/errata.xml
      http://ethernet.org/~brian/errata/errata-rss.xml

      updated every 5 minutes; does ugly "parsing" on errata.html

      i hope this helps.

  3. By Anonymous Coward (207.229.38.13) on

    This patch was released April 1rst. And it is now April 6. I just finished using cvs update -rOPENBSD_3_6 (this morning on April 6). I just checked my copy of the stable source tree - and this patch was NOT included. What could be the reason for it?

    /* $OpenBSD: tcp_input.c,v 1.175.2.3 2005/04/01 15:31:06 brad Exp $

    and the patch

    +++ sys/netinet/tcp_input.c 1 Apr 2005 15:32:53 -0000 1.158.2.5

    My mirror is anoncvs1.usa.openbsd.org IF the date/time is to be trusted, the last time the mirror pulled the file was a little less than 2minutes before the change was commited. Interesting!

    Comments
    1. By tedu (64.173.147.27) on

      the patches are backwards. 3.5 patch is for 3.6, 3.6 patch is for 3.5.

  4. By Anonymous Coward (62.252.32.14) on

    Would anyone care to explain what an "edge condition" is?

    Comments
    1. By Daniel Hartmeier (195.234.187.87) on

      It's not a boundary condition (which has a well-defined meaning in mathematics). Rather, it's a condition (in programming context, as in an if-else-condition) covering an edge case or corner case.

      I guess an example would be a function (in programming context) that returns correct results for typical arguments, and also correctly returns errors when passed completely invalid arguments, but contains a bug that will cause it to return incorrect results (or crash) when arguments are right at the edge of the valid domain, like an off-by-one in argument checking.

      Comments
      1. By Anonymous Coward (213.118.35.44) on

        Thank you. Now to apply the patch :).

      2. By Anonymous Coward (212.143.248.152) on

        now you talk like politicians :)

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]