hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20180104] New year, new security advisories!
So things have become a bit silent here, which is due to reallife - my apologies. Still, I'd like to wish everyone following this here a Happy New Year 2018! And with this, a few new security advisories have been published:

[Tags: ]


[20180104] 34C3 talk: Are all BSDs created equally?
I haven't seen this mentioned on the NetBSD mailing lists, and this may be of interest to some - there was a talk about security bugs in the various BSDs at the 34th Chaos Communication Congress:

In summary, many reasons for bugs are shown in many areas of the kernel (system calls, file systems, network stack, compat layer, ...), and what has happened after they were made known to the projects.

As a hint, NetBSD still has a number of Security Advisories to publish, it seems. Anyone wants to help out the security team? :-)

[Tags: , ]


[20160521] Catching up: audio-mixing, arm, x86 and amd64 platform improvements and security
A few noteworthy things have happened in NetBSD land, and being lazy I will collect them in one blog posting. Here we go:
  • In-kernel audio mixing: So far, NetBSD's audio device can only be opened once. If more than one application wants to play sound, the first one wins. This is suboptimal if you want to (say) play some MP3s but also get some occasional noise from your webbrowser.

    Now, Nathanial Sloss has made a stab at this, providing several implementation choices. Challenges in the task are that sounds with different quality (sampling rate, mono/stereo etc.) need to be brought to one common quality before mixing and passing on to the actual audio hardware. Further fun is added by the delay this process adds. See the discussion on tech-kern for all the gory details!

  • Freescale i.MX7 support: Ryo Shimizu has committed support for the Freescale i.MX7 processor and the Atmark Techno Armadillo-IoT G3 board. according to his posting to port-arm (dmesg included), UART, Ethernet, USB, SDHC, RTC, GPIO, WDOG and MULTIPROCESSOR work. Interesting thing of the platform is that is has two Cortex-A7 cores and one Cortex-M4 core, the latter without MMU. Ideas on how to use the latter are welcome! :)

  • PIE binaries with PaX, ASLR+MPROTECT are now the default for i386. ASLR and MPROTECT can be turned off either globally or per-binary if any problems should arise. Be sure to document those exceptions in your risk management! :-)

    More information: PaX, PIE, ASLR, MPROTECT.

  • Platform improvements for i386 and amd64. For amd64, Maxime Villard writes:
     - I cleaned up the asm code and fixed several comments, which makes the
       boot process much easier to understand.
     - I fixed the alignment for the text segment, so that it can be covered by
       more large pages [1] - thereby reducing TLB contention.
     - I fixed a bug in the way the secondary CPUs are launched [2], which
       caused them to crash if they tried to access an X-less page.
     - I took rodata out of the text+rodata chunk, and put it in the data+bss+
       PRELOADED_MODULES+BOOTSTRAP_TABLES chunk [3]. rodata was no longer large
       page optimized, and had RWX permissions.
     - I retook rodata out of the rodata+data+bss+PRELOADED_MODULES+
       BOOTSTRAP_TABLES chunk, and made the kernel map it independently without
       the W permision [4].
     - I made the kernel map rodata without the X permission, by using the NOX
       bit on its pages [5] (now that the secondary CPUs could handle that
       properly).
     - I took the data+bss chunk out of the data+bss+PRELOADED_MODULES+
       BOOTSTRAP_TABLES chunk, and made the kernel map it independently without
       X permission [6].
     - I made the kernel remap rodata and data+bss with large pages and proper
       permissions [7] - which reduces once again TLB contention.
    
    See Maxime's posting to tech-kern for all the footnotes. Likewise, Maxime also tackled i386, and besides the changes from amd64, here is the list of changes from his email:
     - on non-PAE i386, NOX does not exist. Therefore the mappings all have an
       additional X permission. To benefit from X-less mappings, your CPU must
       support PAE, and your kernel must be GENERIC_PAE.
     - the segments are not large-page-aligned, which means that probably some
       parts of the segments are still mapped with normal pages. It is still more
       optimized than it used to be, but not as much as amd64 is.
    


[Tags: , , , , , , , , ]


[20160422] Two more NetBSD Security Advisories: compatibility layers, Bozohttpd
Two more security advisories have been released:

[Tags: , , ]


[20160416] NetBSD Security Advisories: ntp, libXfont, calendar
NetBSD has released a number of security advisories:
  • 2016-001: Multiple vulnerabilities in ntp daemon
  • 2016-002: BDF file parsing issues in libXfont
  • 2016-003: Privilege escalation in calendar(1)
See the advisories for more information on NetBSD releases that are and are not affected, the severity of the vulnerability as well as the date by which which NetBSD release branch was fixed.

The advisories also contain an abstract of the problem as well as in-depth technicals with solutions and workarounds. Go and have a look!

[Tags: , , ]


[20140801] BSDsec - Deadsimple BSD Security Advisories and Announcements
Found on DiscoverBSD, there is now a new website that aims at providing a central point of information for BSD related security information. It covers general and security related announcements from NetBSD, FreeBSD, and OpenBSD.

From DiscoverBSD: ``I take SA and A, and publish them on BSDSec.net website. Aim for website is to be very simple, intuitive and mobile-whatever frendly. Tags are available for better search (in case you want only FreeBSD). I also publish on Twitter. Discussion is available via Reddit.

All process is done by my application, so I do not need to do anything.

How it works?

App is open-source, built with Ruby on Rails. I will write details in my next post, as well with how-to on contributing and so. I have few ideas and anyone is welcome to join me and make this app better! ''

Check out BSDSec!

[Tags: ]


[20140108] Two new NetBSD security advisories: ntpd, libXfont
Two new NetBSD security advisories have been published:
  • NetBSD Security Advisory 2014-001: Stack buffer overflow in libXfont:

    ``A stack buffer overflow in parsing of BDF font files in libXfont was found that can easily be used to crash X programs using libXfont, and likely could be exploited to run code with the privileges of the X program (most nostably, the X server, commonly running as root).

    This vulnerability has been assigned CVE-2013-6462.''

  • NetBSD Security Advisory 2014-002: ntpd used as DDoS amplifier:

    ``An administrative query function is getting used by attackers to use ntp servers as traffic amplifiers. The new version no longer offers this query option.''

See the advisories for technical details, workarounds and proper solutions to fix the problems. All this is fixed in NetBSD-current, patches are available for the NetBSD 5 and 6 releases with their corresponding development branches.

[Tags: , , ]


[20121227] NetBSD 6.0.1 security/bugfix released
The NetBSD Project is pleased to announce NetBSD 6.0.1, the first security/bugfix update of the NetBSD 6.0 release branch. It represents a selected subset of fixes deemed important for security or stability reasons.

To save you from searching, here is the list of relevant changes from the release notes:

Security Fixes

  • expat: Fix CVE-2012-1147, CVE-2012-1148 and CVE-2012-0876.
  • BIND: Address CVE-2012-5688: Named could die on specific queries with dns64 enabled.

General kernel

  • posix_spawn(): Fix processes with attributes.
  • Resolve races between vget() and vrele() resulting in vget() returning dead vnodes.
  • Prevent crash when unsupported fd's are used with kevent.

Networking

  • Fix "atomic fragments" for IPv6.
  • ipf: Fix alignment issues in ipmon. (PR#47101)
  • npf: handle delayed checksums in the network stack. (PR#47235)

File systems

  • smbfs: Make smbfs actually work on big-endian ports.

Drivers

  • ciss(4): don't try to handle sensors if there aren't any.

Platforms

  • x86 (i386, amd64):
    • Work around a possible gcc bug generating bad assembler code. (PR#45673)
    • Disable C1E on AMD K8 CPUs, to prevent freeze during boot.
  • xen:
    • Prevent a memory corruption issue that locks up a Xen DomU, and can potentially cause file system corruption. (PR#47056, PR#47057)
    • Fix: Xen Dom0 NetBSD kernel could crash by adding duplicate xenwatches.

Userland fixes

  • Update to tzdata2012j.
  • cdb: don't refuse to open databases without entries or keys.
  • Address graphics corruption in recent Cairo, manifested most commonly by certain rendered text sections appearing as solid rectangular blocks of color.
The complete list of changes can be found in the CHANGES-6.0.1 file in the top level directory of the NetBSD 6.0.1 release tree.

Complete source and binaries for NetBSD 6.0.1 are available for download at many sites around the world. A list of download sites providing FTP, AnonCVS, SUP, and other services may be found at http://www.NetBSD.org/mirrors/.

P.S.: Don't miss out on the end of NetBSD 2012 fundraise!

[Tags: , ]


[20120130] Latest IPfilter merged into NetBSD-current
Darren Reed is the author if IPfilter and also a NetBSD developer. IPfilter is one of the packet filters available in NetBSD, and the latest version (5.1.1) was imported into NetBSD-current by darren. Citing from his mail to tech-net, there are a few interesting changes and new features:

``To start with, the man pages for ipf(5) and ipnat(5) have been rewritten from scratch to make them easier to understand and thus easier to use the various features in IPFilter. In addition there is now an ipmon(5) that supports delivery of log messages to different destinations - including generating SNMP traps messages.

There are a few new actions that can be used with ipnat.conf. The one that will be of most interest to people is "rewrite" which supports translation of both the source and destination address with a single rule. Use of an rdr/map combination is no longer required. There are also some others that are more experimental. One of those is a "divert" action that takes a packet and puts an IP + UDP header on the front, allowing "raw packets" to be delivered to any socket. Similarly, replies from that socket have the relevant header data removed.

There are a few extras for ipf.conf, most notably it now allows for defining limits on how many different hosts/networks can have a state entry in the state table for each rule. IPFilter 5.1.1 also supports specifying a filter rule group for the filtering of ICMP packets that match an entry in the state table. Additionally, there is a new rule - "decapsulate". This has been designed to allow filtering on "inner headers" of packets that have been encapsulated in clear text. It will, for example, allow filtering on IPv4 headers inside of IPv6 packets (or vice versa.)

It is no longer required to have a separate ipf6.conf file. Both IPv4 and IPv6 packets can be used in the same file. For those that have separate files today, they should not interfere with each other unless you have "block in all" for IPv4 and "pass in all" for IPv6 or similar. In that case, the "block in all" will affect IPv6 traffic. This is a reflection of the internal design where there is now only a single list of filter rules, not one for each protocol. Check the man page for ipf.conf for more details.''

[Tags: , ]


[20111224] The timing of security advisories
It's an old debate on when to release a security advisory: It should be released as early as possible to give people a chance to fix, but at the same time the fixing should be in a coordinated way. "Coordinated" means a fair chance for professional sysadmins to deploy a fix during working hours, and not in the middle of the night on a weekend. Or on the day before chistmas eve. But what if there's a pressing reason, maybe an exploit in the wild?

Apparently FreeBSD's telnetd currently has such a problem, and I think it's fair that Colin Percival as the FreeBSD Security Officer did release the advisory, even if it's in a sub-optimal timeframe.

For those NetBSD uses wondering if there's a similar problem in NetBSD's telnetd: Apparenly an unchecked argument can cause memory corruption by a memcpy length parameter overflow in sub-option processing (for terminal type, size etc.). This was fixed in NetBSD thanks to a hints from Colin. There's no NetBSD Security Advisory yet, but people still using telnetd in production networks may consider rebuilding libtelnet and telnetd.

So, to those of you who have moved to SSH: Happy Holidays!
To the rest: Happy Updating! :-)

[Tags: ]


Previous 10 entries

Tags: , 2bsd, 34c3, 3com, 501c3, 64bit, acl, acls, acm, acorn, acpi, acpitz, adobe, adsense, Advocacy, advocacy, advogato, aes, afs, aiglx, aio, airport, alereon, alex, alix, alpha, altq, am64t, amazon, amd64, anatomy, ansible, apache, apm, apple, arkeia, arla, arm, art, Article, Articles, ascii, asiabsdcon, aslr, asterisk, asus, atf, ath, atheros, atmel, audio, audiocodes, autoconf, avocent, avr32, aws, axigen, azure, backup, balloon, banners, basename, bash, bc, beaglebone, benchmark, bigip, bind, blackmouse, bldgblog, blog, blogs, blosxom, bluetooth, board, bonjour, books, boot, boot-z, bootprops, bozohttpd, bs2000, bsd, bsdca, bsdcan, bsdcertification, bsdcg, bsdforen, bsdfreak, bsdmac, bsdmagazine, bsdnexus, bsdnow, bsdstats, bsdtalk, bsdtracker, bug, build.sh, busybox, buttons, bzip, c-jump, c99, cafepress, calendar, callweaver, camera, can, candy, capabilities, card, carp, cars, cauldron, ccc, ccd, cd, cddl, cdrom, cdrtools, cebit, centrino, cephes, cert, certification, cfs, cgd, cgf, checkpointing, china, christos, cisco, cloud, clt, cobalt, coccinelle, codian, colossus, common-criteria, community, compat, compiz, compsci, concept04, config, console, contest, copyright, core, cortina, coverity, cpu, cradlepoint, cray, crosscompile, crunchgen, cryptography, csh, cu, cuneiform, curses, curtain, cuwin, cvs, cvs-digest, cvsup, cygwin, daemon, daemonforums, daimer, danger, darwin, data, date, dd, debian, debugging, dell, desktop, devd, devfs, devotionalia, df, dfd_keeper, dhcp, dhcpcd, dhcpd, dhs, diezeit, digest, digests, dilbert, dirhash, disklabel, distcc, dmesg, Docs, Documentation, donations, draco, dracopkg, dragonflybsd, dreamcast, dri, driver, drivers, drm, dsl, dst, dtrace, dvb, ec2, eclipse, eeepc, eeepca, ehci, ehsm, eifel, elf, em64t, Embedded, embedded, emips, emulate, encoding, envsys, eol, espresso, etcupdate, etherip, euca2ools, eucalyptus, eurobsdcon, eurosys, Events, exascale, ext3, f5, facebook, falken, fan, faq, fatbinary, features, fefe, ffs, filesystem, fileysstem, firefox, firewire, fireworks, flag, flash, flashsucks, flickr, flyer, fmslabs, force10, fortunes, fosdem, fpga, freebsd, freedarwin, freescale, freex, freshbsd, friendlyAam, friendlyarm, fritzbox, froscamp, fsck, fss, fstat, ftp, ftpd, fujitsu, fun, fundraising, funds, funny, fuse, fusion, g4u, g5, galaxy, games, gcc, gdb, gentoo, geode, getty, gimstix, git, gnome, google, google-soc, googlecomputeengine, gpio, gpl, gprs, gracetech, gre, groff, groupwise, growfs, grub, gumstix, guug, gzip, hackathon, hackbench, hal, hanoi, happabsd, hardware, Hardware, haze, hdaudio, heat, heimdal, hf6to4, hfblog, hfs, history, hosting, hotplug, hp, hp700, hpcarm, hpcsh, hpux, html, httpd, hubertf, hurd, i18n, i386, i386pkg, ia64, ian, ibm, ids, ieee, ifwatchd, igd, iij, image, images, imx233, imx7, information, init, initrd, install, intel, interix, internet2, interview, interviews, io, ioccc, iostat, ipbt, ipfilter, ipmi, ipplug, ipsec, ipv6, irbsd, irc, irix, iscsi, isdn, iso, isp, itojun, jail, jails, japanese, java, javascript, jetson, jibbed, jihbed, jobs, jokes, journaling, kame, kauth, kde, kerberos, kergis, kernel, keyboardcolemak, kirkwood, kitt, kmod, kolab, kvm, kylin, l10n, landisk, laptop, laptops, law, ld.so, ldap, lehmanns, lenovo, lfs, libc, license, licensing, linkedin, links, linksys, linux, linuxtag, live-cd, lkm, localtime, locate.updatedb, logfile, logging, logo, logos, lom, lte, lvm, m68k, macmini, macppc, macromedia, magicmouse, mahesha, mail, makefs, malo, mame, manpages, marvell, matlab, maus, max3232, mbr95, mbuf, mca, mdns, mediant, mediapack, meetbsd, mercedesbenz, mercurial, mesh, meshcube, mfs, mhonarc, microkernel, microsoft, midi, mini2440, miniroot, minix, mips, mirbsd, missile, mit, mixer, mobile-ip, modula3, modules, money, mouse, mp3, mpls, mprotect, mtftp, mult, multics, multilib, multimedia, music, mysql, named, nas, nasa, nat, ncode, ncq, ndis, nec, nemo, neo1973, netbook, netboot, netbsd, netbsd.se, nethack, nethence, netksb, netstat, netwalker, networking, neutrino, nforce, nfs, nis, npf, npwr, nroff, nslu2, nspluginwrapper, ntfs-3f, ntp, nullfs, numa, nvi, nvidia, nycbsdcon, office, ofppc, ohloh, olimex, olinuxino, olpc, onetbsd, openat, openbgpd, openblocks, openbsd, opencrypto, opendarwin, opengrok, openmoko, openoffice, openpam, openrisk, opensolaris, openssl, or1k, oracle, oreilly, oscon, osf1, osjb, paas, packages, pad, pae, pam, pan, panasonic, parallels, pascal, patch, patents, pax, paypal, pc532, pc98, pcc, pci, pdf, pegasos, penguin, performance, pexpect, pf, pfsync, pgx32, php, pie, pike, pinderkent, pkg_install, pkg_select, pkgin, pkglint, pkgmanager, pkgsrc, pkgsrc.se, pkgsrcCon, pkgsrccon, Platforms, plathome, pleiades, pocketsan, podcast, pofacs, politics, polls, polybsd, portability, posix, postinstall, power3, powernow, powerpc, powerpf, pppoe, precedence, preemption, prep, presentations, prezi, Products, products, proplib, protectdrive, proxy, ps, ps3, psp, psrset, pthread, ptp, ptyfs, Publications, puffs, puredarwin, pxe, qemu, qnx, qos, qt, quality-management, quine, quote, quotes, r-project, ra5370, radio, radiotap, raid, raidframe, rants, raptor, raq, raspberrypi, rc.d, readahead, realtime, record, refuse, reiserfs, Release, Releases, releases, releng, reports, resize, restore, ricoh, rijndael, rip, riscos, rng, roadmap, robopkg, robot, robots, roff, rootserver, rotfl, rox, rs323, rs6k, rss, ruby, rump, rzip, sa, safenet, san, sata, savin, sbsd, scampi, scheduler, scheduling, schmonz, sco, screen, script, sdf, sdtemp, secmodel, Security, security, sed, segvguard, seil, sendmail, serial, serveraptor, sfu, sge, sgi, sgimips, sh, sha2, shark, sharp, shisa, shutdown, sidekick, size, slackware, slashdot, slides, slit, smbus, smp, sockstat, soekris, softdep, softlayer, software, solaris, sony, sound, source, source-changes, spanish, sparc, sparc64, spider, spreadshirt, spz, squid, ssh, sshfs, ssp, statistics, stereostream, stickers, storage, stty, studybsd, subfile, sudbury, sudo, summit, sun, sun2, sun3, sunfire, sunpci, support, sus, suse, sushi, susv3, svn, swcrypto, symlinks, sysbench, sysctl, sysinst, sysjail, syslog, syspkg, systat, systrace, sysupdate, t-shirt, tabs, talks, tanenbaum, tape, tcp, tcp/ip, tcpdrop, tcpmux, tcsh, teamasa, tegra, teredo, termcap, terminfo, testdrive, testing, tetris, tex, TeXlive, thecus, theopengroup, thin-client, thinkgeek, thorpej, threads, time, time_t, timecounters, tip, tk1, tme, tmp, tmpfs, tnf, toaster, todo, toolchain, top, torvalds, toshiba, touchpanel, training, translation, tso, tty, ttyrec, tulip, tun, tuning, uboot, ucom, udf, ufs, ukfs, ums, unetbootin, unicos, unix, updating, upnp, uptime, usb, usenix, useradd, userconf, userfriendly, usermode, usl, utc, utf8, uucp, uvc, uvm, valgrind, vax, vcfe, vcr, veriexec, vesa, video, videos, virtex, virtualization, vm, vmware, vnd, vobb, voip, voltalinux, vpn, vpnc, vulab, w-zero3, wallpaper, wapbl, wargames, wasabi, webcam, webfwlog, wedges, wgt624v3, wiki, willcom, wimax, window, windows, winmodem, wireless, wizd, wlan, wordle, wpa, wscons, wstablet, X, x.org, x11, x2apic, xbox, xcast, xen, Xen, xfree, xfs, xgalaxy, xilinx, xkcd, xlockmore, xmms, xmp, xorg, xscale, youos, youtube, zaurus, zdump, zfs, zlib

'nuff. Grab the RSS-feed, index, or go back to my regular NetBSD page

Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Access count: 26349180
Copyright (c) Hubert Feyrer