Technical Description

Two vulnerabilities have been identified in FreeBSD, which could be exploited by malicious users to bypass security restrictions and gain knowledge of sensitive information.

The first issue is caused by an error in "openpty" when called by non-root users, which could cause the newly created pseudo-terminal to be world readable and writeable.

The second vulnerability is caused by an error in the "ptsname()" function when extracting characters from the name of a device node in "/dev", which could be exploited by malicious users to read the content of the pty from another user.

Affected Products

FreeBSD 5.x
FreeBSD 6.x
FreeBSD 7.x

Solution

Apply patch for FreeBSD 5.5 :
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty5.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty5.patch.asc

Apply patch for FreeBSD 6.x :
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty6.patch.asc

Apply patch for FreeBSD 7.0 :
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty7.patch.asc

References

http://www.vupen.com/english/advisories/2008/0153
http://security.freebsd.org/advisories/FreeBSD-SA-08:01.pty.asc

Credits

Vulnerabilities reported by John Baldwin.

ChangeLog

2008-01-16 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.