4.0.3
Fix two security vulnerabilities.
The rtsock_msg_buffer() function serializes routing information into a buffer.
As part of this, it copies sockaddr structures into a sockaddr_storage
structure on the stack. It assumes that the source sockaddr length field has
already been validated, but this is not necessarily the case, and a malicious
userspace program can craft a request that triggers a 127-byte overflow.
In practice, this overflow immediately overwrites the canary for the
rtsock_msg_buffer() stack frame, resulting in a panic once the function
returns.
Obtained from: FreeBSD
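As an added illustration, not FreeBSD's code and not part of this release, the C snippet below contrasts the unchecked copy pattern described in the note with a length-validated one. The struct layouts, the SS_SIZE constant and the function names are constructed for the example; the two FreeBSD facts it relies on are that sockaddr_storage is 128 bytes and that the BSD sa_len field is one byte, which together give the 127-byte figure above.

```c
/* Added example (not FreeBSD's code): validating a BSD-style sockaddr
 * length before copying it into a fixed-size sockaddr_storage.
 * Struct layouts and names are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* sizeof(struct sockaddr_storage) on FreeBSD is 128 bytes. */
#define SS_SIZE 128

/* BSD sockaddrs carry their total length in a one-byte sa_len field,
 * so a caller-controlled sa_len can be anything from 0 to 255. */
struct bsd_sockaddr {
    uint8_t sa_len;
    uint8_t sa_family;
    char    sa_data[14];
};

struct bsd_sockaddr_storage {
    uint8_t sa_len;
    uint8_t sa_family;
    char    pad[SS_SIZE - 2];
};

/* Largest overflow an unchecked copy can produce: a 255-byte sa_len
 * copied into a 128-byte sockaddr_storage. Evaluates to 127. */
size_t max_unchecked_overflow(void)
{
    return UINT8_MAX - sizeof(struct bsd_sockaddr_storage);
}

/* Vulnerable pattern: trusts sa_len and copies blindly into the
 * fixed-size buffer. Shown only for contrast; never called here. */
void copy_sockaddr_unchecked(struct bsd_sockaddr_storage *dst,
                             const struct bsd_sockaddr *src)
{
    memcpy(dst, src, src->sa_len);
}

/* Hardened pattern: reject the address before any copy happens.
 * `avail` is the number of bytes left in the caller's request buffer,
 * so a bogus sa_len cannot read past the end of the request either.
 * Returns 0 on success, -1 on a malformed address. */
int copy_sockaddr_checked(struct bsd_sockaddr_storage *dst,
                          const struct bsd_sockaddr *src, size_t avail)
{
    const size_t hdr = offsetof(struct bsd_sockaddr, sa_data);

    if (avail < hdr)
        return -1;                 /* not even sa_len/sa_family to read */
    size_t len = src->sa_len;
    if (len < hdr)
        return -1;                 /* must at least cover the header */
    if (len > sizeof(*dst))
        return -1;                 /* would overflow the stack buffer */
    if (len > avail)
        return -1;                 /* would over-read the request */
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, len);
    return 0;
}

/* Exercise the check with a constructed request: a zeroed 256-byte
 * buffer whose leading sockaddr has the given sa_len. */
int check_request_len(uint8_t sa_len, size_t avail)
{
    union { unsigned char raw[256]; struct bsd_sockaddr sa; } req;
    struct bsd_sockaddr_storage ss;

    memset(req.raw, 0, sizeof(req.raw));
    req.sa.sa_len = sa_len;
    req.sa.sa_family = 2;          /* AF_INET, for realism only */
    return copy_sockaddr_checked(&ss, &req.sa, avail);
}

int main(void)
{
    printf("max unchecked overflow: %zu bytes\n", max_unchecked_overflow());
    printf("sa_len 128: %d (accepted)\n", check_request_len(128, 256));
    printf("sa_len 255: %d (rejected)\n", check_request_len(255, 256));
    return 0;
}
```

The check bounds sa_len on both sides: it must be at least the two-byte header and at most the destination size and the bytes actually present in the request. Rejecting the address before the copy is what removes the overflow; zeroing the destination first keeps stale stack contents out of the serialized message.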
Jail security fix:
If two sibling jails are restricted to separate filesystem trees, which is to
say that neither of the two jail root directories is an ancestor of the other,
jailed processes may nonetheless be able to access a shared directory via a
nullfs mount, if the administrator has configured one.
In this case, cooperating processes in the two jails may establish a connection
using a unix domain socket and exchange directory descriptors with each other.
During a filesystem name lookup, at each step the kernel checks whether the
lookup would descend below the jail root of the current process. If the jail
root directory is not encountered, the lookup continues.
Obtained from: FreeBSD
Full Changelog: 4.0.2...4.0.3