OpenBSD Journal

Security Fix for i386

Contributed by grey on from the unfortunately delayed announcements dept.

Thanks to Alexandre Belloni for writing in on this announcement that we missed earlier:

More stringent checking should be done in the copy(9) functions to prevent their misuse.
The patch may be downloaded here for 3.6 and here for 3.5. As always, be sure to check for any additional details.

(Comments are closed)

  1. By Anonymous Coward ( on


    1. By Bert ( thrashbluegrass at antisocial dot com on

      Since, judging by your leetspeak, you're probably a linux zealot coming by to gloat, let's take a look at two recent security advisories for linux:

      Linux kernel i386 SMP page fault handler privilege escalation

      "Locally exploitable flaw has been found in the Linux page fault handler code that allows users to gain root privileges if running on multiprocessor machine."

      "pwned" indeed.

      PaX privilege elevation security bug

      "unprivileged users can execute arbitrary code with the privileges of the target in any program they or other users can execute it is definitely exploitable for local users,remote exploitability depends on how much control one can have over executable file mappings in the target"

      Double "pwnage;" not only is it a local (and possibly remote) exploit, it was contained in a security patch.

      Not claiming superiority, just reminded of something some carpenter said about motes and planks.

      1. By Anonymous Coward ( on


        1. By Bert ( thrashbluegrass at antisocial dot com on

          You got cornholed?

  2. By Brian ( on

    Does anyone know of another advisory or better description of the problem (and hopefully its impact?)?

    1. By tedu ( on

      local user root

      1. By Anonymous Coward ( on

        ??? Could you care to clarify what you mean?

        1. By Anonymous Coward ( on

          local user: someone who can login to a shell on your openbsd machine.
          root: "master-user" (UID 0)(default firstname Charlie) which has access to everything on your openbsd install.

          local user root (exploit): a way for a local user to exploit an error in the code of a programm to gain root-privileges.

          code is fixed, update as usual, be secure.

          and as usual: you don't give out shell access to someone you don't trust. even on openbsd.

      2. By danz ( on

        How reading beyond $VM_MAXUSER_ADDRESS can lead to uid 0 ?
        Just curiosity.

        1. By tedu ( on

          not reading, writing.

    2. By eMKo ( on

      I see a little problem in bug advisores. OpenBSD is very secure OS and I can't still understand why bugs details are so short. Just look at Microsoft Security Bulletins. You know exactly where was the problem, what was the impact and you have big piece of usefull information. Why in OpenBSD there are only few rows?

      1. By Anonymous Coward ( on

        Writing long, detailed security advisories takes time, lots of time. Time which is better spent doing other things. OpenBSD tries to release patches asap when a vulnerability is discovered. And unlike Microsoft, I've never seen an OpenBSD patch suddenly break my machine, so whenever there's a new patch, just patch :-)

      2. By Anonymous Coward ( on

        The explanation is in the patch.

        1. By eMKo ( on

          Do you think? I don't think that every administrator is a strong programmer to understand the patch. Yes advisories takes time to write them, but because you have source codes it shouldn't be problem to make a good advisories for good programmers. And maybe you have never seen broken patch in OpenBSD but I haven't seen OpenBSD on 95% desktop PC of ordinary users with hundreds applications.

          1. By Anthony ( on

            Usually the errata page has a description of what the bug can cause. This one doesn't, it just says that the patch prevents unspecified "misuse". The patch file just contains just instructions to apply it and the patch itself. There's not sufficient information in the patch file to figure out what the consequences of the bug are. OpenBSD patches to -STABLE don't generally break things (Theo takes a fairly dim view of that), so it's a good idea to simply apply them regardless of what they are. However, I agree that more information would be nice.

            1. By danz ( on

              i386 people who don't use the kernel can safely skip this patch.

              1. By Anthony ( on

                I don't know why you got modded down for that... it was funny.

              2. By gwyllion ( on

                Not true. The same problem applies to amd64 and was just fixed in the tree by tedu. I think we will see an errata entry for this soon.

            2. By Norbert ( on

              this may be the i386 issue discovered by the freebsd team lately?

              1. By tedu ( on


              2. By Noryungi ( on

                Yep, it looks like the same issue is in FreeBSD. And, according to NetBSD-security, a related problem is also present in NetBSD/i386.

                Link: NetBSD Tech-Security Archive.

                1. By Anonymous Coward ( on

                  That's so fun, openbsd claims to be pro security, and people from netbsd find the security issues. You guys plain suck.

                  1. By gwyllion ( on

                    Did you actually read the thread on the NetBSD security mailing list? Some NetBSD guy just found out that a bug which is fixed by OpenBSD more than 4 weeks ago (Feb 10) is also a security problem for NetBSD! The complete opposite of what you claim/believe...

            3. By JP ( on

              So, we, the average paranoid OpenBSD user, should blindly trust on theo's (as a person like everybody else) patches to correct a misinformed security issue? How can the "average administrator" measure the risk level if it doesn't get any details regarding the issue itself?

              1. By Lars Hansson ( on

                Are you volunteering to become the openbsd security officer with the responsability of writing and releasing security bulletings?

              2. By wob ( on

                You are MORE than welcome to read the source code to see what changed. Obviously MS does not publish their source code out in the open, so they have to write an elaborate description. The OpenBSD developers do an awesome job of writing clean and coherent source code, you should try reading it to understand what was truly fixed.

              3. By tedu ( on

                if you don't trust us to make a patch that works, and you can't read the patch itself to verify it works, why would you trust us to write a bulletin that says the patch works?

                1. By JP ( on

                  That was not the question. Some patches are critical than others, depending on the purpose of the machine. Providing more information about the security thread itself (as could be found on FreeBSD/NetBSD Ml's) can make the difference between taking down immediatly a dozen servers to upgrade or just schedule an "after-hours" update.
                  Also, more information of the vulnerability can help the administrator evaluate the extent of the damage it might be caused, and what applications may or may not rely on that specific vulnerable functions.
                  For those who replyed that patchmakers don't have time to write full reports, I agree to some extent. Nobody (well, not me) is asking for full reports, but if you look at the patches page you'll see that every other patch has a more useful description than this specific one.

      3. By Nick Holland ( on

        What do you want to see that isn't there?
        At least, that will REALLY change your life?

        It's a bug. We felt it important enough to put in errata. It's in a function which "copy data from user-space to kernel-space or vice-versa". What more do you want?

        MS Advisories tend to be wordy, but like IE error message screens, lots of words, very little content.

        1. By Anonymous Coward ( on

          You mister, you're a real fag

        2. By Brian ( on

          > What more do you want?

          An educated guess as to the severity of the issue or its impact? I don't think that it would have taken much more effort to state that it was thought that the bug could be exploited by local users to gain root privledges. I sure would have appreciated it and I'm sure others would have to.

          1. By djm@ ( on

            We aren't blackhats, so we don't sit around and develop exploits to see how far these bugs can be pushed.

            1. By Brian ( on

              Right, but you did think that it could be possible to exploit it for local root privledges?

      4. By djm@ ( on

        Would writing an essay for each bug change whether or not you applied the patches?

        1. By Anthony R ( on

          It might change whether I restart right now or after everyone goes home.

      5. By Anonymous Coward ( on

        What part of "011: SECURITY FIX" is difficult to understand?

        The patch addresses a SECURITY PROBLEM. If you don't PATCH, you are vulnerable. Do you ignore a patch when its header says "SECURITY FIX"?

  3. By Anonymous Coward ( on

    Hmmmmm....hunk rejected....

    1. By Anonymous Coward ( on

      Don't flatter youself. You're just rejected, not a hunk.

  4. By Anonymous Coward ( on

    Another reason why openbsd sucks.

    1. By Matthias Kilian ( on

      They fix a problem before it really hits.

      Of course, this completely sucks -- fixing problems after allready beeing exploited is much more exciting.

      [Just in case someone doesn't get it: this was sarcasm]


    2. By morf ( on

      i presume since you feel that way, that this will be your last comment on this website.

    3. By Anonymous Coward ( on

      And what do you use that's so better?

    4. By Anonymous Coward ( on

                    +-------------------+             .:\:\:/:/:.
                    |   PLEASE DO NOT   |            :.:\:\:/:/:.:
                    |  FEED THE TROLLS  |           :=.' -   - '.=:
                    |                   |           '=(\ 9   9 /)='
                    |                   |              (  (_)  )
                    |                   |              /`-vvv-'\
                    +-------------------+             /         \
                            |  |        @@@          / /|,,,,,|\ \
                            |  |        @@@         /_//  /^\  \\_\
              @x@@x@        |  |         |/         WW(  (   )  )WW
              \||||/        |  |        \|           __\,,\ /,,/__
               \||/         |  |         |          (______Y______)

  5. By bob ( on

    thnx for the info, and thenx the openbsd-team for fixing!

    best bob


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]