OpenBSD Journal

3.8 errata, authpf and perl

Contributed by marco on from the security-fixing dept.

Lots of people mentioned this.

Two security fixes are listed in the OpenBSD 3.8 errata:

002: SECURITY FIX: January 5, 2006   All architectures
Do not allow users to trick suid programs into re-opening files via /dev/fd.
A source code patch exists which remedies this problem.

001: SECURITY FIX: January 5, 2006   All architectures
A buffer overflow has been found in the Perl interpreter with the sprintf function which may be exploitable under certain conditions.
A source code patch exists which remedies this problem.

The Perl one is CVE-2005-3962.
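The 002 entry describes a mechanism rather than a single bug: a path such as /dev/fd/3 makes open(2) hand back another descriptor for a file the caller already holds open, and a set-id program that opens a user-supplied path can be tricked into doing that with its own credentials. The C program below is an added example, not code from the OpenBSD patch or source tree: reopen_demo() shows the re-open on an ordinary temporary file, and is_fd_reopen_path() is a hypothetical, purely lexical check that a privileged program could apply to a user-supplied path before handing it to open(2). It assumes a POSIX system with /dev/fd (on Linux a symlink to /proc/self/fd); all function names are the example's own.

```c
/* Added example: /dev/fd re-open semantics and a lexical guard for
 * privileged programs.  Not from the OpenBSD errata patch. */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 when the path would make open(2)
 * re-open one of the caller's descriptors (or another process's)
 * rather than a real file.  Lexical only: it does not follow symlinks
 * or collapse "..", so apply it to the exact string passed to open(2). */
int is_fd_reopen_path(const char *path)
{
    static const char *const prefixes[] = { "/dev/fd/", "/proc/self/fd/" };
    static const char *const aliases[]  = { "/dev/stdin", "/dev/stdout", "/dev/stderr" };
    size_t i;

    for (i = 0; i < sizeof(prefixes) / sizeof(prefixes[0]); i++)
        if (strncmp(path, prefixes[i], strlen(prefixes[i])) == 0)
            return 1;
    for (i = 0; i < sizeof(aliases) / sizeof(aliases[0]); i++)
        if (strcmp(path, aliases[i]) == 0)
            return 1;
    /* /proc/<pid>/fd/N reaches a descriptor table the same way. */
    if (strncmp(path, "/proc/", 6) == 0) {
        const char *p = path + 6;
        if (isdigit((unsigned char)*p)) {
            while (isdigit((unsigned char)*p))
                p++;
            if (strncmp(p, "/fd/", 4) == 0)
                return 1;
        }
    }
    return 0;
}

/* Shows the mechanism the errata entry restricts: open("/dev/fd/N")
 * yields a second descriptor on the same open file.  Returns 1 if the
 * re-opened descriptor names the same file, 0 if not, -1 if /dev/fd
 * is unavailable on this system. */
int reopen_demo(void)
{
    char tmpl[] = "/tmp/reopenXXXXXX";   /* constructed scratch file */
    char fdpath[32];
    struct stat a, b;
    int fd, fd2, same;

    fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    snprintf(fdpath, sizeof fdpath, "/dev/fd/%d", fd);
    fd2 = open(fdpath, O_RDONLY);
    unlink(tmpl);
    if (fd2 < 0) {
        close(fd);
        return -1;
    }
    same = fstat(fd, &a) == 0 && fstat(fd2, &b) == 0 &&
           a.st_dev == b.st_dev && a.st_ino == b.st_ino;
    close(fd2);
    close(fd);
    return same;
}

int main(void)
{
    /* Constructed sample arguments a set-id program might receive. */
    const char *args[] = { "/etc/motd", "/dev/fd/3", "/proc/self/fd/0",
                           "/proc/42/fd/7", "/dev/fdx" };
    size_t i;

    for (i = 0; i < sizeof(args) / sizeof(args[0]); i++)
        printf("%-16s %s\n", args[i],
               is_fd_reopen_path(args[i]) ? "refuse" : "ok");
    printf("/dev/fd re-open names the same file: %d\n", reopen_demo());
    return 0;
}
```

The errata fix lives in the kernel, which is the right place for it: as Miod Vallat notes in the comments, the patch restricts the /dev/fd mechanism for set-id binaries rather than relying on every privileged program to filter paths. The string check above is only a belt-and-braces measure in application code; because it is lexical it does not see through symlinks or "../" components, so it must run on the literal path handed to open(2), not on a canonicalised copy.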


Comments
  1. By Rembrandt (84.188.235.87) on

    Sorry, but there are MORE patches than those 2 things.
    At least 1-2 are critical.

    Everybody who downloads the src from any FTP and does a simple CVS update (-rOPENBSD_3_8) will notice a lot more patches.
    The worst thing I noticed was a patch for something critical which is still NOT listed (related to SSL).

    So you had better not trust this website.


    Kind regards,
    Rembrandt

    Comments
    1. By djm@ (203.217.30.86) on

      You have been told the difference between -STABLE and patches published to www too many times to count. Don't you get it?

      Comments
      1. By Justin (216.17.75.77) on

        I am not really sure how http://www.openbsd.org/stable.html can be made to be any more clear. Right at the top of that page:

        What is the patch branch?

        Starting with 2.7, OpenBSD provides a source tree that contains important patches and fixes (i.e. those from the errata plus others which are obvious and simple, but do not deserve an errata entry) and makes it available via CVS in addition to the current source.

      2. By Rembrandt (82.94.251.206) on

        I'm talking about an SSL fix which also has its own CVE...
        But if such things are just "normal" patches for the stable branch:

        Yes, I never get it.. seems so.
        Maybe I'm blind or just stupid.. don't know.

        But maybe it simply just sucks to see security-related patches which are not listed. And I don't mean patches to fix crashes of some xyz NIC.

        Comments
        1. By djm@ (203.217.30.86) on

          So you don't like our policy for publishing fixes in patches? Then use -STABLE and stop complaining. Everything you are after is there.

    2. By Anonymous Coward (67.64.89.177) on

      You are sooooooooooooooooooooooooooooo dumb and irritating. Why don't you run something that's more your level?

      Something like this seems a good candidate.

      Comments
      1. By Anonymous Coward (69.70.207.240) on

        Does it run OpenBSD? ;-)

        Comments
        1. By Anonymous Coward (142.166.105.158) on

          Only if you want to do the leg work and adapt the port from NetBSD =)

      2. By Rembrandt (82.174.96.141) on

        OK.. let's explain it in a way even YOU are able to understand:

        3.8_BASE -> 3.8 (Stable):

        P src/gnu/usr.bin/perl/globvar.sym
        P src/gnu/usr.bin/perl/makedef.pl
        P src/gnu/usr.bin/perl/op.c
        P src/gnu/usr.bin/perl/opcode.h
        P src/gnu/usr.bin/perl/opcode.pl
        P src/gnu/usr.bin/perl/patchlevel.h
        P src/gnu/usr.bin/perl/perl.h
        P src/gnu/usr.bin/perl/sv.c
        P src/lib/libssl/src/ssl/s23_srvr.c
        P src/sys/conf/newvers.sh
        P src/sys/dev/ic/ami.c
        P src/sys/dev/ic/ciss.c
        P src/sys/dev/pci/ami_pci.c
        P src/sys/dev/raidframe/rf_openbsdkintf.c
        P src/sys/isofs/cd9660/cd9660_vfsops.c
        P src/sys/kern/kern_clock.c
        P src/sys/kern/kern_descrip.c
        P src/sys/kern/kern_exec.c
        P src/sys/kern/kern_time.c
        P src/sys/kern/vfs_bio.c
        P src/sys/kern/vfs_subr.c
        P src/sys/netinet/ip_carp.c
        P src/sys/sys/proc.h
        P src/usr.sbin/authpf/authpf.c
        P src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c

        Just check your beloved errata website.
        I would miss:

        src/lib/libssl/src/ssl/s23_srvr.c
        http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/s23_srvr.c
        CAN-2005-2969

        src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
        fixes CAN-2005-2700

        Just two things which prove that all you believe in is crap...
        The errata website is a piece of junk, useless for all those who rely on it to patch their system, because they'll miss at least 2 patches which are not that unimportant.


        Rembrandt

        Comments
        1. By Anonymous Coward (84.193.129.186) on

          >Ok.. let's explain it a way even YOU is able to understand:
          try your best...

          >3.8_BASE -> 3.8 (Stable):
          [snip]
          >P src/lib/libssl/src/ssl/s23_srvr.c
          >P src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
          >
          >Just check your beloved errata-Website.
          >I would miss:
          >
          >src/lib/libssl/src/ssl/s23_srvr.c
          >http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/s23_srvr.c
          >CAN-2005-2969
          >
          >src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
          >http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
          >fixes CAN-2005-2700
          [snip]

          You were saying?

          Comments
          1. By Echo Shell (192.75.238.222) on

            Whooo HA HA HA HA HA HA HA....

            *Holding stomach and crying on floor*

            I LOVE it when I read these things!!!!


            -Echo Shell
            Adjunct Apprentice

    3. By m (62.141.24.81) on

      Although I'm sorry to say it, I must agree with you. Lately I have started to have the feeling that something is wrong with OpenBSD, not with the system but with the community of people which surrounds it. It seems that the developers do not want to admit bugs in OpenBSD, and it's just for the statistics of the most secure OS and the cute motto - Only one remote hole.... The past showed that at least the motto is wrong; it is not so long ago that a serious bug was found in OpenSSH, which ran in the default installation at the time. I hope it's only my feeling, but if so... Why do I see lies about the OpenBSD motto? Why can't I find more detailed descriptions of problems? I think that two sentences about a security bug is not very much. If OpenBSD is really so secure, why all these fears?

      Comments
      1. By Anonymous Coward (142.166.105.158) on

        It isn't even worth the trouble to refute this criticism, since you are probably just a troll. If you are new and really do not understand, I suggest you go to the website and read more carefully. Otherwise, feel free to go run *your favourite OS*, whatever it is -- we won't be hurt.

        Comments
        1. By m (62.141.24.65) on

          As usual, just insults but no facts. And no, I'm not new; I like OpenBSD - I bought all releases of the system. But this kind of arrogance and egoism of people around OpenBSD is something horrible. It seems that no one can stand any criticism and everybody is right without any fact or evidence. From my side, here is a fact: http://secunia.com/advisories/9746/ and now the motto: Only one remote hole in the default install, in more than 8 years! So now stand the criticism, because that's it.

          Comments
          1. By Anonymous Coward (213.84.84.111) on

            You probably do not realize that what you quote is the single remote hole, as mentioned in the slogan. Or do you know any other?

            Comments
            1. By m (62.141.24.65) on

              Try to look here: http://web.archive.org/web/20021210103040/http://www.openbsd.org/index.html This is from the year 2002, and you can see - Only one hole in 7 years. Just a reminder: the bug in OpenSSH was found in 2003. In fact I don't really care about things like this. I care about quality, and yes, OpenBSD is a great OS. I understand that there are bugs in every piece of SW and it is normal; OpenBSD is almost without them :) But what I can't really understand is why I have to see lies? Is it for the press, for rumour? I don't know, but I know that every lie like this only destroys this great OS.

              Comments
              1. By Anonymous Coward (213.84.84.111) on

                Oops, I mixed things up. Still, you should learn the difference between a vulnerability and a potential vulnerability.

              2. By djm@ (203.58.120.11) on

                You must be referring to the OpenSSH buffer.c bugs fixed around the 3.7.1 release. As far as I can tell, these were never found to be anything more than a remote crash on OpenBSD (a harmless one too, as OpenSSH is a forking server).

              3. By djm@ (203.58.120.11) on

                Further to this, your accusations that OpenBSD "hushes up" security vulnerabilities are completely absurd when our CVS tree, the source-changes mailing list and our bug tracker are all completely open to the world.

                If you don't like the level of detail included in the patch descriptions, that is too bad, but to extrapolate from that to an accusation that we try to cover over bugs is unfair and obviously wrong.

                Comments
                1. By Rembrandt (195.169.149.213) on

                  Yes, maybe I'm not that fair.
                  I have to agree with that, because it's my attitude.

                  But even you must agree that there are 2 more important patches and that those patches are NOT listed.

                  It happened more than one time, and it simply still sucks that such things still happen.


                  Don't misunderstand me.
                  I like OpenBSD, I love it...
                  It makes me all the more sad that the errata website is wrong again and again (every 2 releases you can bet there's at least 1 bug which is NOT listed there, even security-related).

                  I mean YOU (the developers) fixed it. So why isn't it listed?
                  And I don't mean the usual things which will get patched too.
                  So if you don't want to list src/sys/dev/ic/ciss.c you don't have to, because it's not security-related.
                  *my opinion*
                  But if you claim to develop one of the most secure OSs which are available, you should at least list all security-related patches and not just the latest patches.
                  */my opinion*


                  And this happens again and again...


                  "Our websites/bug-tracking reports/xyz are free for everybody"
                  Yes, they are. But does everybody have the time to check every CVS comment?
                  So it's even more important that the errata website is correct.


                  Kind regards,
                  Rembrandt

              4. By Rembrandt (82.174.96.141) on

                Quality, you said?
                The NFS implementation is a piece of shit and produces errors all day long.

                Use NFS with TCP and shut down the NFS server.
                I'll bet the console on your OpenBSD client will hang if you try to do a simple ls in the NFS mount, even if the server is powered on again and even if you specified a timeout. You simply lose your tty until you kill the process.

                You need to reboot the NFS client. Is that the "quality" you're talking about?

                Hey, well, it's a perfect firewall system, but as a "secure" workstation it isn't that good.

                Also, that the errata website misses patches is not NEW...


                OpenBSD is even so secure that your wsmoused dies if you're switching from a console to X and vice versa. Just try it.. it will die after some switches.

                Just some things which are NOT new, which are KNOWN (NFS has been broken since 3.6).


                Compare my listing in another reply above (which deals with the patches).
                Even you will maybe have to agree that at least the other 2 patches should be noted, because they're not in 3_8_BASE, so every server applying just the patches from the errata will miss at least 2 patches for sure.

                Rembrandt

                Comments
                1. By Anonymous Coward (69.173.129.197) on

                  It is fine to point out areas where a free operating system has problems, but you shouldn't act mad about it. A bunch of people decide to put something together for free and without pay. Yeah, some of their work is not that great. Other parts are really great. Help them out. Have you been testing? Submitting bug reports?

                  Comments
                  1. By Rembrandt (198.252.201.22) on

                    Well, yeah, maybe I wasn't that fair.

                    But back to the roots.
                    2 patches are missing; they were patches, they were not listed on the errata website, and it wasn't the first time.

                    And such things are not related to "manpower".
                    Because there was enough manpower to list 2 of 4 patches, there should be enough manpower to list them all.


                    Rembrandt

                    Comments
                    1. By Anonymous Coward (145.238.2.120) on

                      > But back to the roots.
                      > 2 Patches are missing, they where patches, they where not listed at
                      > the errata-Website and it wasn't the first time.

                      I don't understand what you mean ???
                      There are only 2 patches in:
                      ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.8/common/

                      ... so why should they list 4 ?

                      Comments
                      1. By Rembrandt (212.227.108.114) on

                        2 patches which are listed plus:

                        src/lib/libssl/src/ssl/s23_srvr.c
                        http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/s23_srvr.c
                        CAN-2005-2969

                        src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
                        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c
                        CAN-2005-2700


                        Rembrandt

                        Comments
                        1. By Anonymous Coward (145.238.2.120) on

                          Those are not patches but changes to 3.8-stable.
                          Not everything that goes under -stable becomes a patch.

          2. By tedu (71.139.175.127) on

            how many remote holes have there been in the default install? name them. all of them.

    4. By Anonymous Coward (81.84.108.22) on

      hey Rembrandt, are you a painter?

      Comments
      1. By Rembrandt (82.94.251.206) on

        Yes I am...

        But currently I'm in a bad mood because of the errata website, which simply lies because it misses 2 patches.
        And this isn't the first time...


        Rembrandt

        Comments
        1. By Brad (216.138.195.228) brad at comstyle dot com on

          Point out which patches are supposedly missing.

          Comments
          1. By Anonymous Coward (198.252.201.22) Rembrandt on

            I did, please see above.

        2. By Anonymous Coward (82.155.144.130) on

          oh, I see. Do you know the difference between white and black?

  2. By Anonymous Coward (62.252.32.11) on

    Are OpenBSD 3.6 and 3.7 affected by the suid bug?

    Comments
    1. By Miod Vallat (82.101.10.6) miod@ on

      The SUID patch is not exactly a bug. We just believe that the /dev/fd mechanism could be abused, so its usage has been restricted for sxid binaries.

      The diff is valid on older OpenBSD versions as well, since this is not a regression.

      Comments
      1. By Anonymous Coward (62.252.32.11) on

        Thanks a lot for that info :).

  3. By Anonymous Coward (84.9.42.8) on

    # 004: RELIABILITY FIX: January 13, 2006 i386 architecture
    Constrain i386_set_ioperm(2) so even root is blocked from accessing the ioports unless the machine is running at lower securelevels or with an open X11 aperture.
    A source code patch exists which remedies this problem.

    # 003: RELIABILITY FIX: January 13, 2006 i386 architecture
    Change the implementation of i386 W^X so that the "execute line" can move around. Before it was limited to being either at 512MB (below which all code normally lands) or at the top of the stack. Now the line can float as mprotect(2) and mmap(2) requests need it to. This is now implemented using only GDT selectors instead of the LDT so that it is more robust as well.
    A source code patch exists which remedies this problem.

    Comments
    1. By Anonymous Coward (84.9.42.8) on

      lol, sorry for the noise, I just noticed the new (maybe I just never saw it before) errata section on the main page ;)


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]