Main Vulnerability Database SB2013092304

SB2013092304 - Information disclosure in FreeBSD

Published: September 23, 2013 Updated: August 10, 2020

Security Bulletin ID SB2013092304

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2013-5666)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The sendfile system-call implementation in sys/kern/uipc_syscalls.c in the kernel in FreeBSD 9.2-RC1 and 9.2-RC2 does not properly pad transmissions, which allows local users to obtain sensitive information (kernel memory) via a length greater than the length of the file.

Remediation

Install update from vendor's website.

References

http://osvdb.org/97142
http://svnweb.freebsd.org/base?view=revision&revision=255442
http://www.freebsd.org/security/advisories/FreeBSD-SA-13%3a11.sendfile.asc
http://www.securitytracker.com/id/1029013