In association with heise online

30 November 2007, 12:13

Security updates for FreeBSD

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The developers of FreeBSD report the discovery of two vulnerabilities in system tools included with their operating system. Insufficient checking of the path indicators .. and . when GNU tar opens tar archives allows attackers to overwrite files on a system with the victim's rights. The hole has been known for some three months. As a workaround, the developers recommend using bsdtar, which has been the standard tar tool since FreeBSD 5.3 anyway. Nevertheless, a patch has now been made available for GNU tar.

There also turns out to be a problem with the internal state tracking used in the pseudo-random number generators random and urandom, which apparently allows attackers to access previously generated random numbers. The report says, however, that access to the system is required if attackers want to bypass security mechanisms using this vulnerability. All FreeBSD versions are affected. A patch has been released to remedy the problem.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit