FreeBSD closes vulnerabilities
The developers of the FreeBSD open source operating system have resolved vulnerabilities which allowed attackers to crash affected systems remotely using a single network packet. In addition, local users were able to access protected information.
When the KAME project's implementation of the IPv6 and IPsec protocols processes specially crafted IPv6 packets with IPComp headers, a null pointer dereference can occur. This causes the operating system to crash, but it doesn't seem to enable attackers to inject any code. The flaw can be exploited in FreeBSD 5.5 if IPv6 and IPsec have been compiled into the kernel. No other versions are mentioned by the developers in their security advisory.
Another vulnerability allows local users to read the contents of files for which they have write but not read privileges. The flaw is due to the sendfile system call not checking the relevant access privileges. FreeBSD versions 5 up to 7.0 are affected by this flaw.
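To gauge exposure to the sendfile flaw before patching, an administrator can list the regular files that grant write but not read access to the group or to everyone else. The script below is an added example, not taken from the FreeBSD advisory; the function name audit_write_only is hypothetical, and it looks only at the classic mode bits, so ACLs are not considered.

```shell
#!/bin/sh
# Added example: exposure audit for the sendfile permission bypass.
# Lists regular files whose mode grants write WITHOUT read to the
# group class or the "other" class. Those are the files whose contents
# are meant to stay unreadable to the users who may write to them.
# Assumption: only the classic permission bits are checked (no ACLs).

audit_write_only() {
    root=${1:-.}

    # Group may write (020) but may not read (040).
    find "$root" -xdev -type f -perm -020 ! -perm -040 \
        -exec printf 'group\t%s\n' {} \;

    # Everyone else may write (002) but may not read (004).
    find "$root" -xdev -type f -perm -002 ! -perm -004 \
        -exec printf 'other\t%s\n' {} \;
}

# Run stand-alone as: sh audit.sh /path/to/check
if [ "$#" -gt 0 ]; then
    audit_write_only "$1"
fi
```

Each output line names the permission class that has write-only access, followed by the path; owner-only cases are skipped because the owner can change the mode anyway.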
The developers have now patched these vulnerabilities. Administrators can integrate the patches in the usual way and are advised to act as soon as possible, especially for FreeBSD 5.5.
See also:
- IPsec null pointer dereference panic, FreeBSD developers' security advisory
- sendfile(2) write-only file permission bypass, FreeBSD developers' error description
(mba)