Integer overflow in the f_count counter in FreeBSD before 4.2 through 5.0 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via multiple calls to (1) fpathconf and (2) lseek, which do not properly decrement f_count through a call to fdrop.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 1.1.5.1 (including) | 1.1.5.1 (including) |
| Freebsd | Freebsd | 2.1.0 (including) | 2.1.0 (including) |
| Freebsd | Freebsd | 2.1.5 (including) | 2.1.5 (including) |
| Freebsd | Freebsd | 2.1.6 (including) | 2.1.6 (including) |
| Freebsd | Freebsd | 2.1.6.1 (including) | 2.1.6.1 (including) |
| Freebsd | Freebsd | 2.1.7 (including) | 2.1.7 (including) |
| Freebsd | Freebsd | 2.1.7.1 (including) | 2.1.7.1 (including) |
| Freebsd | Freebsd | 2.2 (including) | 2.2 (including) |
| Freebsd | Freebsd | 2.2-current (including) | 2.2-current (including) |
| Freebsd | Freebsd | 2.2.1 (including) | 2.2.1 (including) |
| Freebsd | Freebsd | 2.2.2 (including) | 2.2.2 (including) |
| Freebsd | Freebsd | 2.2.3 (including) | 2.2.3 (including) |
| Freebsd | Freebsd | 2.2.4 (including) | 2.2.4 (including) |
| Freebsd | Freebsd | 2.2.5 (including) | 2.2.5 (including) |
| Freebsd | Freebsd | 2.2.6 (including) | 2.2.6 (including) |
| Freebsd | Freebsd | 2.2.7 (including) | 2.2.7 (including) |
| Freebsd | Freebsd | 2.2.8 (including) | 2.2.8 (including) |
| Freebsd | Freebsd | 3.1 (including) | 3.1 (including) |
| Freebsd | Freebsd | 3.2 (including) | 3.2 (including) |
| Freebsd | Freebsd | 3.3 (including) | 3.3 (including) |
| Freebsd | Freebsd | 3.4 (including) | 3.4 (including) |
| Freebsd | Freebsd | 3.5 (including) | 3.5 (including) |
| Freebsd | Freebsd | 3.5.1-release (including) | 3.5.1-release (including) |
| Freebsd | Freebsd | 4.2 (including) | 4.2 (including) |
| Freebsd | Freebsd | 4.3 (including) | 4.3 (including) |
| Freebsd | Freebsd | 4.3-release (including) | 4.3-release (including) |
| Freebsd | Freebsd | 4.4 (including) | 4.4 (including) |
| Freebsd | Freebsd | 4.5 (including) | 4.5 (including) |
| Freebsd | Freebsd | 4.5-release (including) | 4.5-release (including) |
| Freebsd | Freebsd | 4.6 (including) | 4.6 (including) |
| Freebsd | Freebsd | 4.6-release (including) | 4.6-release (including) |
| Freebsd | Freebsd | 4.7 (including) | 4.7 (including) |
| Freebsd | Freebsd | 4.7-release (including) | 4.7-release (including) |
| Freebsd | Freebsd | 4.9-releng (including) | 4.9-releng (including) |
| Freebsd | Freebsd | 4.10 (including) | 4.10 (including) |
| Freebsd | Freebsd | 4.10-release (including) | 4.10-release (including) |
| Freebsd | Freebsd | 4.10-release_p8 (including) | 4.10-release_p8 (including) |
| Freebsd | Freebsd | 4.10-releng (including) | 4.10-releng (including) |
| Freebsd | Freebsd | 4.11 (including) | 4.11 (including) |
| Freebsd | Freebsd | 4.11-release_p3 (including) | 4.11-release_p3 (including) |
| Freebsd | Freebsd | 4.11-releng (including) | 4.11-releng (including) |
| Freebsd | Freebsd | 4.11-stable (including) | 4.11-stable (including) |
| Freebsd | Freebsd | 5.0 (including) | 5.0 (including) |
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:44.filedesc.asc
- http://archives.neohapsis.com/archives/bugtraq/2003-01/0057.html
- http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0006.html
- http://secunia.com/advisories/7821
- http://www.iss.net/security_center/static/10993.php
- http://www.pine.nl/press/pine-cert-20030101.txt
- http://www.securityfocus.com/archive/1/305308/30/26420/threaded
- http://www.securityfocus.com/bid/6524
- http://www.securitytracker.com/id?1005898
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:44.filedesc.asc
- http://archives.neohapsis.com/archives/bugtraq/2003-01/0057.html
- http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0006.html
- http://secunia.com/advisories/7821
- http://www.iss.net/security_center/static/10993.php
- http://www.pine.nl/press/pine-cert-20030101.txt
- http://www.securityfocus.com/archive/1/305308/30/26420/threaded
- http://www.securityfocus.com/bid/6524
- http://www.securitytracker.com/id?1005898