[19253] in bugtraq

No subject found in mail header

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Fri Feb 16 11:26:21 2001

Message-Id:  <200102160822.f1G8MuN15577@cvs.openbsd.org>
Date:         Fri, 16 Feb 2001 01:22:55 -0700
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Fri, 16 Feb 2001 17:33:55 +1100." 
              <14988.51667.711111.233021@passion.geek.com.au>

> Topic:	Vulnerability in x86 USER_LDT validation.
> Version:	All versions of NetBSD, on the i386 platform ONLY.
> Severity:	Local users may execute code with system privileges
> Fixed:	NetBSD-current:    January 16, 2001
> 		NetBSD-1.5 branch: January 17, 2001
> 		NetBSD-1.4 branch: January 17, 2001
> [...]
> A subtle bug in validation of user-supplied arguments to a syscall
> can allow user applications on the i386 platform to transfer
> control to arbitrary addresses in kernel memory, bypassing normal
> system protections.
> [...]
>  * OpenBSD has the same bug, in code inherited directly from NetBSD.

This last sentence is incorrect.

OpenBSD does not have the needed option to enable this configured in
any kernel or kernel configuration file we supply; the option is so
poorly documented that no one would compile a kernel with it; no
userland or kernel software that we know of at present requires it;
and thus we are hard-pressed to think of a user who might use it.

This bug is `disabled'.  (We disabled this feature a very very long
time ago because ... well, never mind, you've heard it before.)

The problem was fixed at the same time as NetBSD fixed it; we even
told them why it didn't apply to OpenBSD users, and are surprised that
was left out of the advisory.  Oh well.

Anyways, it is fixed, and will affect no one.  We don't think we're
going to put an advisory up for it.
