freebsd security - Oct 2006 - iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

Bill Moran wrote:
> This report seems pretty vague.  I'm unsure as to whether the alleged
> "bug" gives the user any more permissions than he'd already
have?  Anyone
> know any details?
This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
and RELENG_6.  There is no opportunity for either remote denial of service
or any privilege escalation.
> VI. VENDOR RESPONSE
> 
> "The policy of the FreeBSD Security Team is that local denial of
service
> bugs not be treated as security issues; it is possible that this problem
> will be corrected in a future Erratum."
If there was any potential for
(a) privilege escalation,
(b) disclosure of potentially sensitive information, or
(c) denial of service by a non-authenticated attacker,
we would have issued a security advisory.

Colin Percival

Bill Moran wrote:
> Colin Percival <cperciva@freebsd.org> wrote:
>> This is a local denial of service bug, which was fixed 6 weeks ago in
HEAD
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> That was what I expected.  Section III seems to hint that it could be
> used by an unprivilidged user to crash or lock a system.
Yes.  An unprivileged user who is able to execute code on an affected system
can cause a kernel panic.  There are a variety of reasons for not treating
bugs like this as security issues; the strongest reason imho is that if one
of your users is making a system crash, you can disable his account and call
the police.
> BTW, are you going to be at NYCBSDCon?
No -- I only go to conferences if I have a paper to present.

Colin Percival

Colin Percival <cperciva@freebsd.org> wrote:
> Bill Moran wrote:
> > This report seems pretty vague.  I'm unsure as to whether the
alleged
> > "bug" gives the user any more permissions than he'd
already have?  Anyone
> > know any details?
> 
> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
> and RELENG_6.  There is no opportunity for either remote denial of service
> or any privilege escalation.
> 
> > VI. VENDOR RESPONSE
> > 
> > "The policy of the FreeBSD Security Team is that local denial of
service
> > bugs not be treated as security issues; it is possible that this
problem
> > will be corrected in a future Erratum."
> 
> If there was any potential for
> (a) privilege escalation,
> (b) disclosure of potentially sensitive information, or
> (c) denial of service by a non-authenticated attacker,
> we would have issued a security advisory.
That was what I expected.  Section III seems to hint that it could be
used by an unprivilidged user to crash or lock a system.  I suspect they
used it as root to crash/lock the OS.  But I don't need any bugs to do
that as root, so it doesn't really count as a security issue.

BTW, are you going to be at NYCBSDCon?  If so, seek me out -- I owe you
a beer at the least.

As always, thanks for the quick response.

-- 
Bill Moran

That seem right to you?

        Jubal Early

Colin Percival <cperciva@freebsd.org> writes:
>> "The policy of the FreeBSD Security Team is that local denial of
service
>> bugs not be treated as security issues; it is possible that this
problem
>> will be corrected in a future Erratum."
>
> If there was any potential for
> (a) privilege escalation,
> (b) disclosure of potentially sensitive information, or
> (c) denial of service by a non-authenticated attacker,
> we would have issued a security advisory.
I am missing this information on <http://www.freebsd.org/security/>.

The site does not say wich bugs are treated as security issue and
which are not. Perhaps these three points above can be added to the
website.