Dear Security Team, Please could we upload to wheezy-security with the attached debdiff.
A bug allows local privilege escalation, from any non-privileged user to root. I've verified it myself on Debian GNU/kFreeBSD (and that the fix works) with a test procedure in [1], but already a more 'weaponised' PoC was posted to a public forum on 2013-06-18. [1]: http://bugs.debian.org/712664#24 Thanks, Regards, -- Steven Chamberlain ste...@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog --- kfreebsd-9-9.0/debian/changelog 2013-05-01 13:59:20.000000000 +0100 +++ kfreebsd-9-9.0/debian/changelog 2013-06-20 15:29:54.000000000 +0100 @@ -1,3 +1,12 @@ +kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high + + * Team upload. + * Upload for wheezy-security + * Pick SVN 251902 from FreeBSD 9-STABLE to fix SA-13:06 / CVE-2013-2171: + Privilege escalation via mmap (Closes: #712664) + + -- Steven Chamberlain <ste...@pyro.eu.org> Wed, 19 Jun 2013 20:36:54 +0100 + kfreebsd-9 (9.0-10+deb70.1) wheezy-security; urgency=high * Upload for wheezy-security diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch --- kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/SA-13_06.mmap.patch 2013-06-19 20:49:15.000000000 +0100 @@ -0,0 +1,28 @@ +Description: + Fix a bug that allowed a tracing process (e.g. gdb) to write + to a memory-mapped file in the traced process's address space + even if neither the traced process nor the tracing process had + write access to that file. [13:06] + (CVE-2013-2171) +Origin: vendor, http://security.freebsd.org/patches/SA-13:06/mmap.patch +Bug: http://security.freebsd.org/advisories/FreeBSD-SA-13:06.mmap.asc +Bug-Debian: http://bugs.debian.org/712664 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=251902 + +Index: kfreebsd-9-9.0/sys/vm/vm_map.c +=================================================================== +--- kfreebsd-9-9.0.orig/sys/vm/vm_map.c 2011-07-06 21:06:44.000000000 +0100 ++++ kfreebsd-9-9.0/sys/vm/vm_map.c 2013-06-18 13:39:13.104790989 +0100 +@@ -3704,6 +3704,12 @@ + vm_map_unlock_read(map); + return (KERN_PROTECTION_FAILURE); + } ++ if ((fault_typea & VM_PROT_COPY) != 0 && ++ (entry->max_protection & VM_PROT_WRITE) == 0 && ++ (entry->eflags & MAP_ENTRY_COW) == 0) { ++ vm_map_unlock_read(map); ++ return (KERN_PROTECTION_FAILURE); ++ } + + /* + * If this page is not pageable, we have to get it for all possible diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series --- kfreebsd-9-9.0/debian/patches/series 2013-05-01 13:21:35.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/series 2013-06-19 20:49:15.000000000 +0100 @@ -9,6 +9,7 @@ svn239447_SCTP_DoS.patch SA-12_08.linux.patch SA-13_05.nfsserver.patch +SA-13_06.mmap.patch # Other patches that might or might not be mergeable 001_misc.diff
