from the integer-overflows dept.
(Pasting from security-announce and Todd Miller's original message.) It is possible for root to raise the value of the seminfo.semmns
and seminfo.semmsl sysctls to values sufficiently high such that
an integer overflow occurs. This can allow root to write to kernel
memory irrespective of the security level. The default security
level on OpenBSD is 1 ("secure mode") which does not allow writing
to /dev/mem and /dev/kmem. It may be possible for a root user
to exploit this bug to reduce the security level itself.
The impact of this bug is quite low for most systems since it is
only useful to an attacker who already has root on the local system
with the expertise to modify the running kernel.
Thanks to blexim for finding this bug and notifying us.
The problem has been fixed in the OpenBSD 3.3-stable branch.
In addition, a patch is available for OpenBSD 3.3:
This bug affects OpenBSD 3.3 only.
(Comments are closed)
Brad () brad at comstyle dot com
mailto:brad at comstyle dot com