Subject: NetBSD Security Note 20061214-1: Kernel memory leakage in firewire interface
To: None <current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 12/14/2006 22:15:04


		NetBSD Security Note 20061214-1
		===============================

Topic:	    Kernel memory leakage in firewire interface

A kernel memory disclosure bug has been found in the NetBSD firewire
interface.

This issue has been assigned CVE-2006-6013.

On the 15th of November 2006 a posting was made to a public list
which detailed a "NetBSD all versions FireWire IOCTL kernel integer
overflow information disclosure."

http://www.securityfocus.com/archive/1/451637/30/0/threaded

The advisory listed "NetBSD all versions" as being affected.  Upon
further investigation this was found not to be the case and there
are a number of other details that should be taken into account
when trying to assess this issue:

* This issue impacts NetBSD-current before November 16 2006.  If
  you are running NetBSD-current sources after this date you have the
  fix included in the kernel.

* This issue impacts the NetBSD-4 branch before December 3, 2006.
  NetBSD 4.0_BETA2 contains the fix.

* No current NetBSD releases (e.g. NetBSD 2* and NetBSD 3*) are impacted.

* Although a complete list is not currently available, we do not
  believe that all architectures are impacted by this bug.

* The fw nodes are not created by default in /dev in a NetBSD 
  installation.

* When the fw* nodes are created using MAKEDEV, they are created with mode
  660 and ownership is set to root:operator.

We recommend that all users of NetBSD-current upgrade their sources
to after November 16 2006.  In addition, all users of NetBSD-4
should update to sources after December 3 2006.
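
The device-node points above (fw* nodes absent by default, and mode 660
root:operator when created by MAKEDEV) can be checked on a host with the
following added example, which is not part of the original advisory or
NetBSD project code.  The function name, its arguments and its status
labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not NetBSD project code.  Baseline taken from the advisory:
# fw* nodes are absent by default; MAKEDEV creates them mode 660 root:operator.
# Usage: audit_fw_nodes /dev

# audit_fw_nodes [DIR] [OWNER] [GROUP]   (hypothetical helper)
# Prints one line per fw* node and returns 1 if any node is looser than the
# baseline (any "other" permission bit set, or unexpected owner/group).
audit_fw_nodes() {
    fw_dir=${1:-/dev}
    fw_owner=${2:-root}
    fw_group=${3:-operator}
    fw_rc=0
    fw_seen=0

    for fw_node in "$fw_dir"/fw*; do
        # An unmatched glob is left as the literal pattern; skip it.
        [ -e "$fw_node" ] || continue
        fw_seen=1

        # ls -ld fields: 1 = mode string, 3 = owner, 4 = group.
        set -- $(ls -ld "$fw_node")
        fw_mode=$1
        fw_o=$3
        fw_g=$4
        # Characters 8-10 of the mode string are the "other" rwx bits.
        fw_other=$(printf '%s' "$fw_mode" | cut -c8-10)

        fw_status=ok
        if [ "$fw_other" != "---" ]; then
            fw_status=LOOSE-MODE
        elif [ "$fw_o" != "$fw_owner" ] || [ "$fw_g" != "$fw_group" ]; then
            fw_status=UNEXPECTED-OWNER
        fi
        [ "$fw_status" = ok ] || fw_rc=1
        printf '%s %s %s:%s %s\n' \
            "$fw_status" "$fw_mode" "$fw_o" "$fw_g" "$fw_node"
    done

    if [ "$fw_seen" -eq 0 ]; then
        printf 'absent no fw* nodes in %s\n' "$fw_dir"
    fi
    return "$fw_rc"
}
```

A node reported as ok is still readable and writable by members of the
expected group, so group membership is worth reviewing on kernels that
predate the fix.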


Thanks To
=========

Joerg Sonnenberger
Martin Husemann
Quentin Garnier
Elad Efrat
Jaromir Dolecek
Manuel Bouyer 


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SN20061214-1.txt,v 1.1 2006/12/14 20:13:17 adrianp Exp $
