Subject: NetBSD Security Note 20061214-1: Kernel memory leakage in firewire interface
To: None <current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 12/14/2006 22:15:04
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Note 20061214-1
===============================
Topic: Kernel memory leakage in firewire interface
A kernel memory disclosure bug has been found in the NetBSD firewire
interface.
This issue has been assigned CVE-2006-6013.
On the 15th of November 2006 a posting was made to a public list
which detailed a "NetBSD all versions FireWire IOCTL kernel integer
overflow information disclousure."
http://www.securityfocus.com/archive/1/451637/30/0/threaded
The advisory listed "NetBSD all versions" as being affected. Upon
further investigation this was found not to be the case and there
are a number of other details that should be taken into account
when trying to assess this issue:
* This issue impacts NetBSD-current before November 16 2006. If
you are running NetBSD-current sources after this date you have the
fix included in the kernel.
* This issue impacts the NetBSD-4 branch before December 3, 2006.
NetBSD 4.0_BETA2 contains the fix.
* No current NetBSD releases are impacted e.g. NetBSD 2* and NetBSD 3*.
* Although a complete list is not currently available we do not
believe that all architectures are impacted by this bug.
* The fw nodes are not created by default in /dev in a NetBSD
installation.
* When the fw* nodes are created using MAKEDEV, they are created with mode
660 and ownership is set to root:operator.
We recommend that all users of NetBSD-current upgrade their sources
to after November 16 2006. In addition to this all users of NetBSD-4
should update to sources after December 3 2006.
Thanks To
=========
Joerg Sonnenberger
Martin Husemann
Quentin Garnier
Elad Efrat
Jaromir Dolecek
Manuel Bouyer
More Information
================
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SN20061214-1.txt,v 1.1 2006/12/14 20:13:17 adrianp Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (NetBSD)
iQCVAwUBRYGx5T5Ru2/4N2IFAQJVYAP/XLaRP8n1vvOZmiHUO153Eb0nNm5vWeRL
lEgOiIt3qor23fmyGmfz/ZjVTxMkIHeTICW29ie5W/2+sCn2ak863AInJysiGEoI
Hy9cCI6crmDYiCGRnz+pbkiKhFe7wwj/TjmTOPgEyd+P+5oPZAluFDhOx6bqmtsS
lw7s4sdYI6o=
=F0dl
-----END PGP SIGNATURE-----