[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Security relevant pf bug in recent -current
The problem described below only affects -current systems updated within a
recent, narrow time frame. 3.4-stable, 3.4-release and earlier are NOT
affected in any way.
A bug was introduced in pfctl with pfctl_parser.c CVS revision 1.188 and
has been fixed with revision 1.189.
1.188 (bug) commited Thu Jan 22 13:32:00 2004 UTC
1.189 (fix) commited Sun Jan 25 18:47:15 2004 UTC
pfctl built from the affected source revision loads rules with incorrect
address masks, yet pfctl -sr shows seemingly correct rules. Rule
evaluation will have unexpected results, rules containing specific
addresses match any address. For instance
pass in on $ext_if from 220.127.116.11 to any port ssh keep state
might match any source address, not just 18.104.22.168. Depending on
whether this is used in pass or block rules, pf will pass connections
which should be blocked or block connections which should be passed
according to the filter policy.
If you are using -current pf, please make sure you are not using pfctl
built from pfctl_parser.c 1.188, for instance with
$ head -n 1 /usr/src/sbin/pfctl/pfctl_parser.c
If this shows 1.188, you can fix the problem by updating the file to
-current and rebuilding pfctl (a rebuild of the kernel or other userland
parts is not needed). I'm not sure whether the previous snapshots
contained this, but there are new fixed snapshots already, in case you're
not building from source.