# The Stack Clash vulnerability



## Maxnix (Jun 21, 2017)

> What is the Stack Clash?
> 
> The Stack Clash is a vulnerability in the memory management of several operating systems. It affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64.  It can be exploited by attackers to corrupt memory and execute arbitrary code.


https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash


----------



## SirDice (Jun 21, 2017)

Link doesn't seem to work. Here's an ArsTechnica article about the same thing: https://arstechnica.com/security/20...le-in-unix-based-oses-isnt-plugged-after-all/

Edit: Link seems to work again. Not sure why it failed for me the first time.


----------



## SirDice (Jun 21, 2017)

Oh, in case you're wondering, security is aware and is currently busy fixing it: https://lists.freebsd.org/pipermail/freebsd-security/2017-June/009334.html

So expect a patch some time soon.


----------



## chrcol (Jun 27, 2017)

FreeBSD tends to be slower than other OSes on addressing security issues, I expect mainly down to having fewer developers.

Seems a fix is in CURRENT, but no idea when this will be pushed back to STABLE. It has happened at an awkward time as 11.1 is in the middle of being prepared for release so it's possible they may want to wait for that to be released first.

This sysctl will partially mitigate the problem.

`security.bsd.unprivileged_proc_debug=0`


----------



## SirDice (Jun 27, 2017)

chrcol said:


> It has happened at an awkward time as 11.1 is in the middle of being prepared for release so it's possible they may want to wait for that to be released first.


It's still in the BETA stage, and although there are code freezes, important security fixes usually get implemented before the release.


----------



## fernandel (Jul 2, 2017)

SirDice said:


> It's still in the BETA stage, and although there are code freezes, important security fixes usually get implemented before the release.


...and not update still


----------



## CyberCr33p (Jul 12, 2017)

Any news about this?


----------



## SirDice (Jul 12, 2017)

A patch has been committed to HEAD: https://svnweb.freebsd.org/base?view=revision&revision=320317

It should have been MFC'ed already but apparently the issue is difficult to fix properly so it may take a little longer. There's also a lot of work being done with the impending release of 11.1. So I'm guessing they're somewhat pressed for time (there's only so much you can do in a day with a finite number of developers).


----------



## chrcol (Jul 22, 2017)

Looks like it's still not been backported to STABLE, never mind 10.3 or 11.0 release. If required they should delay 11.1 for this, as I consider security more important.


----------



## Eric A. Borisch (Jul 22, 2017)

chrcol said:


> Looks like it's still not been backported to STABLE, never mind 10.3 or 11.0 release. If required they should delay 11.1 for this, as I consider security more important.



In 11.1: https://svnweb.freebsd.org/base?view=revision&revision=320763


----------



## Nick Evans (Aug 16, 2017)

Still haven't seen fixes for this come through to 11.0 or 10.3 stable. We're edging on 2 months here. Anyone know what the hold up is?


----------



## SirDice (Aug 16, 2017)

FreeBSD 11.0 will probably not be patched. It's going to be EoL fairly soon (three months after the release of 11.1). So you're advised to upgrade to 11.1 instead.

Not sure about 10.3 though. I'm not sure if 10.3 will get patched; the patch may be incorporated into the upcoming 10.4.


----------



## rainer_d (Sep 7, 2017)

So, 11.1 (11.1-RELEASE-p1) was fixed, but 10.x is pending?


----------



## SirDice (Sep 7, 2017)

10-STABLE has it: https://svnweb.freebsd.org/base?view=revision&revision=321717

Which means the upcoming 10.4 will have it too. Can't find anything about 10.3 though. FreeBSD 10.0, 10.1 and 10.2 are EoL.


----------



## rainer_d (Sep 7, 2017)

ok, so upgrade to 10.4 in about a month it is then...

I have a lot of servers with 10.3 (it's about 120-ish servers..., with some jails) and PHP 5.5 - do you think I need to rebuild that particular quarterly cut with 10.4 - if it works at all?

Or can I just freebsd-update to 10.4 and leave everything else as-is?


----------



## SirDice (Sep 7, 2017)

rainer_d said:


> I have a lot of servers with 10.3 (it's about 120-ish servers..., with some jails) and PHP 5.5 - do you think I need to rebuild that particular quarterly cut with 10.4 - if it works at all?


In general you don't need to rebuild everything after a minor upgrade. Won't hurt though. If you have that many servers I highly recommend setting up ports-mgmt/poudriere. Build once, install many. Poudriere will automatically rebuild everything after an upgrade of its build jails (I recommend just removing the old and creating a new one though, less error-prone).


----------



## rainer_d (Sep 7, 2017)

I've got a poudriere-server, yes.
Have been using it for quite some time (late 2012/early 2013, going by my builds).

Would be insane managing that many servers otherwise.


----------



## SirDice (Sep 8, 2017)

If you want to upgrade your servers to 10.4 I would recommend deleting the 'old' 10.3 jail in poudriere and creating a new jail with the same name but using 10.4. Upgrading them in-place tends to be quite error-prone. Then run a new build run. Poudriere will detect the upgrade and clear existing packages to start fresh, as if `poudriere bulk` was started with the `-c` option set. This might be a bit unnecessary but it does ensure dependencies are all correct for 10.4.


----------



## rainer_d (Sep 8, 2017)

I've never upgraded a build-jail. I only install the patches in them.
For new major versions, I usually make a new jail, with a new name. This requires me to change the repo-url on the servers, too - but that can be done with a script. So, it's not such a big deal.


----------



## rainer_d (Oct 6, 2017)

10.4 was released, 10.3 is still supported but there's no patch ...


----------



## Amouli (Dec 14, 2018)

Is there a fix for 8.4 and stable 11?


----------



## SirDice (Dec 14, 2018)

FreeBSD 8.4 has been End-of-Life since August 2015, so no.


----------

