New year, new security advisories!
So things have become a bit silent here, which is due
to real life - my apologies. Still, I'd like to wish
everyone following this here a Happy New Year 2018!
And with this, a few new security advisories have
34C3 talk: Are all BSDs created equally?
I haven't seen this mentioned on the NetBSD mailing lists,
and this may be of interest to some -
there was a talk about security bugs in the various BSDs at the 34th Chaos
In summary, many reasons for bugs are shown in many areas of the kernel
(system calls, file systems, network stack, compat layer, ...), and what has
happened after they were made known to the projects.
As a hint, NetBSD still has a number of Security Advisories to publish, it
seems. Anyone wants to help out the security team? :-)
[Tags: 34c3, Security]
Catching up: audio-mixing, arm, x86 and amd64 platform improvements and security
A few noteworthy things have happened in NetBSD land,
and being lazy I will collect them in one blog posting.
Here we go:
- In-kernel audio mixing:
So far, NetBSD's audio device can only be opened once.
If more than one application wants to play sound, the first one wins.
This is suboptimal if you want to (say) play some MP3s
but also get some occasional noise from your web browser.
Now, Nathanial Sloss has made a stab at this, providing
several implementation choices. Challenges in the task
are that sounds with different quality (sampling rate,
mono/stereo etc.) need to be brought to one common
quality before mixing and passing on to the actual audio
hardware. Further fun is added by the delay this process
See the discussion on tech-kern
for all the gory details!
- Freescale i.MX7 support:
Ryo Shimizu has committed support for the
Freescale i.MX7 processor
and the Atmark Techno Armadillo-IoT G3 board.
According to his posting to port-arm (dmesg included),
UART, Ethernet, USB, SDHC, RTC, GPIO, WDOG and MULTIPROCESSOR work.
An interesting feature of the platform is that it has
two Cortex-A7 cores and one Cortex-M4 core, the latter without
an MMU. Ideas on how to use the M4 core are welcome! :)
- PIE binaries with PaX, ASLR+MPROTECT are now the default for i386.
ASLR and MPROTECT can be turned off either globally
or per-binary if any problems should arise. Be sure to
document those exceptions in your risk management! :-)
- Platform improvements for i386 and amd64. For amd64, Maxime Villard writes:
- I cleaned up the asm code and fixed several comments, which makes the
boot process much easier to understand.
- I fixed the alignment for the text segment, so that it can be covered by
more large pages - thereby reducing TLB contention.
- I fixed a bug in the way the secondary CPUs are launched, which
caused them to crash if they tried to access an X-less page.
- I took rodata out of the text+rodata chunk, and put it in the data+bss+
PRELOADED_MODULES+BOOTSTRAP_TABLES chunk. rodata was no longer large
page optimized, and had RWX permissions.
- I retook rodata out of the rodata+data+bss+PRELOADED_MODULES+
BOOTSTRAP_TABLES chunk, and made the kernel map it independently without
the W permission.
- I made the kernel map rodata without the X permission, by using the NOX
bit on its pages (now that the secondary CPUs could handle that
- I took the data+bss chunk out of the data+bss+PRELOADED_MODULES+
BOOTSTRAP_TABLES chunk, and made the kernel map it independently without
X permission.
- I made the kernel remap rodata and data+bss with large pages and proper
permissions - which reduces once again TLB contention.
See Maxime's posting to tech-kern
for all the footnotes. Likewise, Maxime also
tackled i386, and besides the changes from amd64, here is
the list of changes from his email:
- on non-PAE i386, NOX does not exist. Therefore the mappings all have an
additional X permission. To benefit from X-less mappings, your CPU must
support PAE, and your kernel must be GENERIC_PAE.
- the segments are not large-page-aligned, which means that probably some
parts of the segments are still mapped with normal pages. It is still more
optimized than it used to be, but not as much as amd64 is.
[Tags: aslr, audio, dmesg, freescale, imx7, mprotect, pax, pie, Security]
Two more NetBSD Security Advisories: compatibility layers, Bozohttpd
Two more security advisories have been released:
[Tags: bozohttpd, compat, Security]
NetBSD Security Advisories: ntp, libXfont, calendar
NetBSD has released a number of security advisories:
See the advisories for more information on
which NetBSD releases are and are not affected,
the severity of the vulnerability, as well as the date
by which each NetBSD release branch was fixed.
- 2016-001: Multiple vulnerabilities in ntp daemon
- 2016-002: BDF file parsing issues in libXfont
- 2016-003: Privilege escalation in calendar(1)
The advisories also contain an abstract of the problem
as well as in-depth technicals with solutions and
workarounds. Go and have a look!
[Tags: calendar, ntp, Security]
BSDsec - Deadsimple BSD Security Advisories and Announcements
There is now a new website that aims to provide a central point
of information for BSD-related security information.
It covers general and security related announcements from
From DiscoverBSD: ``I take SA and A, and publish them on the BSDSec.net website. The aim for the website is to be very simple, intuitive and mobile-whatever friendly. Tags are available for better search (in case you want only FreeBSD). I also publish on Twitter. Discussion is available via Reddit.
The whole process is done by my application, so I do not need to do anything.
How does it work?
The app is open-source, built with Ruby on Rails. I will write details in my next post, as well as a how-to on contributing and so on. I have a few ideas and anyone is welcome to join me and make this app better! ''
Check out BSDSec!
Two new NetBSD security advisories: ntpd, libXfont
Two new NetBSD security advisories have been published:
See the advisories for technical details, workarounds and
proper solutions to fix the problems.
All this is fixed in NetBSD-current; patches are available
for the NetBSD 5 and 6 releases with their corresponding
- NetBSD Security Advisory 2014-001: Stack buffer overflow in libXfont:
``A stack buffer overflow in parsing of BDF font files in libXfont was
found that can easily be used to crash X programs using libXfont,
and likely could be exploited to run code with the privileges of
the X program (most notably, the X server, commonly running as root).
This vulnerability has been assigned CVE-2013-6462.''
- NetBSD Security Advisory 2014-002: ntpd used as DDoS amplifier:
``An administrative query function is getting used by
attackers to use ntp servers as traffic amplifiers.
The new version no longer offers this query option.''
[Tags: ntp, Security, X]
NetBSD 6.0.1 security/bugfix released
The NetBSD Project is pleased to announce NetBSD 6.0.1, the first security/bugfix update of the NetBSD 6.0 release branch. It represents a selected subset of fixes deemed important for security or stability reasons.
To save you from searching, here is the list of relevant changes
from the release notes:
- expat: Fix CVE-2012-1147, CVE-2012-1148 and CVE-2012-0876.
- BIND: Address CVE-2012-5688: Named could die on specific queries
with dns64 enabled.
- posix_spawn(): Fix processes with attributes.
- Resolve races between vget() and vrele() resulting in vget()
returning dead vnodes.
- Prevent crash when unsupported fd's are used with kevent.
- Fix "atomic fragments" for IPv6.
- ipf: Fix alignment issues in ipmon.
- npf: handle delayed checksums in the network stack.
- smbfs: Make smbfs actually work on big-endian ports.
- ciss(4): don't try to handle sensors if there aren't any.
- Work around a possible gcc bug generating bad assembler code.
- Disable C1E on AMD K8 CPUs, to prevent freeze during boot.
- Prevent a memory corruption issue that locks up a Xen DomU,
and can potentially cause file system corruption.
- Fix: Xen Dom0 NetBSD kernel could crash by adding duplicate
- Update to tzdata2012j.
- cdb: don't refuse to open databases without entries or keys.
- Address graphics corruption in recent Cairo, manifested most
commonly by certain rendered text sections appearing as solid
rectangular blocks of color.
The complete list of changes can be found in the
file in the top level directory of the NetBSD 6.0.1 release tree.
Complete source and binaries for NetBSD 6.0.1 are available for download at many sites around the world. A list of download sites providing FTP, AnonCVS, SUP, and other services may be found at
P.S.: Don't miss out on the
end of NetBSD 2012 fundraise!
[Tags: Release, Security]
Latest IPfilter merged into NetBSD-current
Darren Reed is the author of IPfilter and also a NetBSD developer.
IPfilter is one of the packet filters available in NetBSD,
and the latest version (5.1.1) was imported into NetBSD-current
by darren. Citing from
his mail to tech-net,
there are a few interesting changes and new features:
``To start with, the man pages for ipf(5) and ipnat(5) have been
rewritten from scratch to make them easier to understand and
thus easier to use the various features in IPFilter. In addition
there is now an ipmon(5) that supports delivery of log messages to
different destinations - including generating SNMP trap messages.
There are a few new actions that can be used with ipnat.conf. The
one that will be of most interest to people is "rewrite" which
supports translation of both the source and destination address
with a single rule. Use of an rdr/map combination is no longer
required. There are also some others that are more experimental.
One of those is a "divert" action that takes a packet and puts an
IP + UDP header on the front, allowing "raw packets" to be delivered
to any socket. Similarly, replies from that socket have the relevant
header data removed.
There are a few extras for ipf.conf, most notably it now allows
for defining limits on how many different hosts/networks can have
a state entry in the state table for each rule. IPFilter 5.1.1 also
supports specifying a filter rule group for the filtering of ICMP
packets that match an entry in the state table. Additionally, there
is a new rule - "decapsulate". This has been designed to allow
filtering on "inner headers" of packets that have been encapsulated
in clear text. It will, for example, allow filtering on IPv4 headers
inside of IPv6 packets (or vice versa).
It is no longer required to have a separate ipf6.conf file. Both
IPv4 and IPv6 packets can be used in the same file. For those that
have separate files today, they should not interfere with each other
unless you have "block in all" for IPv4 and "pass in all" for IPv6
or similar. In that case, the "block in all" will affect IPv6 traffic.
This is a reflection of the internal design where there is now only
a single list of filter rules, not one for each protocol. Check the
man page for ipf.conf for more details.''
[Tags: ipfilter, Security]
The timing of security advisories
It's an old debate on when to release a security advisory:
It should be released as early as possible to give people a
chance to fix, but at the same time the fixing should be in
a coordinated way. "Coordinated" means a fair chance for
professional sysadmins to deploy a fix during working hours,
and not in the middle of the night on a weekend. Or on the
day before Christmas Eve. But what if there's a pressing reason,
maybe an exploit in the wild?
FreeBSD currently has such a problem, and I think it's fair that
Colin Percival as the FreeBSD Security Officer did release
the advisory, even if it's in a sub-optimal timeframe.
For those NetBSD users wondering if there's a similar problem
in NetBSD's telnetd: Apparently an unchecked argument can cause
memory corruption by a memcpy length parameter overflow in sub-option processing (for terminal type, size etc.).
This was fixed in NetBSD thanks to hints from Colin.
There's no NetBSD Security Advisory yet,
but people still using telnetd in production networks may
consider rebuilding libtelnet and telnetd.
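The bug class described above, a peer-supplied suboption length fed straight into memcpy, is easiest to see next to the check that prevents it. The following C example is added here and is not NetBSD's libtelnet or telnetd code: it parses a constructed TERMINAL-TYPE IS suboption body into a fixed buffer (TTYPE_MAX is a size chosen for this example) and rejects any name that would not fit.

```c
#include <stdint.h>
#include <string.h>

/* TELNET values from RFC 854 / RFC 1091: option 24 is TERMINAL-TYPE, qualifier 0 is IS. */
#define TELOPT_TTYPE 24
#define TELQUAL_IS   0
#define TTYPE_MAX    41   /* fixed destination: 40 chars + NUL; size chosen for this example */

/*
 * Parse the body of a TERMINAL-TYPE IS suboption (the bytes between IAC SB
 * and IAC SE, IAC IAC escapes already collapsed) into out[outsz].
 * The unchecked pattern is memcpy(out, sub + 2, n - 2) with n taken
 * straight from the peer; here the length is validated before the copy.
 * Returns the number of name bytes copied, or -1 if the body is not a
 * TERMINAL-TYPE IS suboption or the name would overrun the buffer.
 */
int parse_ttype_is(const uint8_t *sub, size_t n, char *out, size_t outsz)
{
    if (n < 2 || sub[0] != TELOPT_TTYPE || sub[1] != TELQUAL_IS)
        return -1;                       /* not a TERMINAL-TYPE IS body */
    size_t namelen = n - 2;
    if (outsz == 0 || namelen > outsz - 1)
        return -1;                       /* would overflow the fixed buffer */
    memcpy(out, sub + 2, namelen);
    out[namelen] = '\0';
    return (int)namelen;
}

/* Constructed input: a well-formed body announcing "xterm". Returns 1 if copied intact. */
int demo_accepts_xterm(void)
{
    static const uint8_t body[] = { TELOPT_TTYPE, TELQUAL_IS, 'x', 't', 'e', 'r', 'm' };
    char ttype[TTYPE_MAX];
    return parse_ttype_is(body, sizeof body, ttype, sizeof ttype) == 5
        && strcmp(ttype, "xterm") == 0;
}

/* Constructed input: a 200-byte name, far past TTYPE_MAX. Returns 1 if rejected. */
int demo_rejects_overlong(void)
{
    uint8_t body[2 + 200];
    char ttype[TTYPE_MAX];
    memset(body, 'A', sizeof body);
    body[0] = TELOPT_TTYPE;
    body[1] = TELQUAL_IS;
    return parse_ttype_is(body, sizeof body, ttype, sizeof ttype) == -1;
}
```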
So, to those of you who have moved to SSH: Happy Holidays!
To the rest: Happy Updating! :-)