Allele Security Alert
ASA-2019-00470
Identifier(s)
ASA-2019-00470, CVE-2019-5603, FreeBSD-SA-19:15.mqueuefs
Title
Reference count overflow in mqueue filesystem
Vendor(s)
The FreeBSD Project
Product(s)
FreeBSD
Affected version(s)
All supported versions of FreeBSD
Fixed version(s)
2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1)
Proof of concept
Unknown
Description
System calls operating on file descriptors obtain a reference to the relevant struct file. Due to a programming error, this reference was not always released, which in turn could be used to overflow the reference counter of the affected struct file.
A local user can use this flaw to obtain access to files, directories, sockets, etc. opened by processes owned by other users. If the obtained struct file represents a directory outside the user's jail, it can be used to access files outside the jail. If the user in question is a jailed root, they can obtain root privileges on the host system.
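The bug class described above (a reference taken but not released on an error path, until the counter wraps), shown as an added user-space toy model beside its corrected form. This is not FreeBSD code or the advisory's patch; every name is hypothetical, and the 16-bit counter width is an assumption chosen so the wrap is reached quickly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, not FreeBSD code. All names are hypothetical, and the 16-bit
 * counter is an assumption that makes the wrap-around quick to reach. */
struct obj { uint16_t refs; bool freed; };

static void obj_hold(struct obj *o) { o->refs++; }
static void obj_drop(struct obj *o) { if (--o->refs == 0) o->freed = true; }

/* Flawed pattern: the error path returns without releasing the reference. */
static int op_leaky(struct obj *o, bool fail)
{
    obj_hold(o);
    if (fail)
        return -1;              /* reference is never put back */
    obj_drop(o);
    return 0;
}

/* Corrected pattern: one exit path that always releases the reference. */
static int op_fixed(struct obj *o, bool fail)
{
    int error = 0;
    obj_hold(o);
    if (fail)
        error = -1;             /* fall through to the release below */
    obj_drop(o);
    return error;
}

/* Two legitimate holders exist; n calls fail; then one holder releases.
 * Returns true if the object was freed while the other holder remains. */
static bool freed_with_holder_left(int (*op)(struct obj *, bool), uint32_t n)
{
    struct obj o = { .refs = 2, .freed = false };
    for (uint32_t i = 0; i < n; i++)
        (void)op(&o, true);
    obj_drop(&o);
    return o.freed;
}

int main(void)
{
    printf("leaky: %d\n", freed_with_holder_left(op_leaky, UINT16_MAX));
    printf("fixed: %d\n", freed_with_holder_left(op_fixed, UINT16_MAX));
    return 0;
}
```

With the flawed pattern the counter wraps to 1, so a single legitimate release frees an object that another holder still references; with the corrected pattern the count never drifts.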
Technical details
Unknown
Credits
Mateusz Guzik
Reference(s)
FreeBSD-SA-19:15.mqueuefs
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc
mqueuefs.patch
https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch
In some error cases we previously leaked a struct file.
https://svnweb.freebsd.org/base?view=revision&revision=r350261
Fix reference count overflow in mqueuefs.
https://svnweb.freebsd.org/base?view=revision&revision=r350284
Fix reference count overflow in mqueuefs.
https://svnweb.freebsd.org/base?view=revision&revision=r350263
CVE-2019-5603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603
CVE-2019-5603
https://nvd.nist.gov/vuln/detail/CVE-2019-5603
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 1, 2019