COMMAND

    Race condition between debug hook and exec setuid may lead to local root

SYSTEMS AFFECTED

    All released versions of FreeBSD 4.x prior to 4.5-RELEASE
    FreeBSD 4.4-STABLE prior to the correction date

PROBLEM

    Logan Gabriel, Robert Watson and Dag-Erling Smørgrav reported in FreeBSD advisory FreeBSD-SA-02:08:

    When a process is started from a set-user-ID or set-group-ID binary, it is marked so that attempts to attach to it with debugging hooks fail. To allow such attachments would allow a user to subvert the process and gain elevated privileges.

    A race condition exists in the FreeBSD exec system call implementation. It is possible for a user to attach a debugger to a process while it is exec'ing, but before the kernel has determined that the process is set-user-ID or set-group-ID.

SOLUTION

    Download the relevant patch from the following location:

    [FreeBSD 4.4-STABLE, or RELENG_4_3 and RELENG_4_4 security branches]

    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec.patch.asc

    [FreeBSD 4.3-RELEASE only]

    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:08/exec-43R.patch.asc
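
The ordering problem described under PROBLEM, as a small user-space model (an added example, not code from the advisory or from FreeBSD). All names are hypothetical, and the in-exec marker consulted by the hardened check is an assumed way to close the window; the page does not describe what the actual patch changes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model of the exec/attach ordering; not FreeBSD kernel code.
 * Every name here is hypothetical. */
enum exec_step { EXEC_STARTED, SUGID_MARKED, EXEC_DONE, N_STEPS };

struct proc_model {
    bool in_exec; /* true from exec entry until exec completes */
    bool sugid;   /* kernel has determined the image is set-ID */
    bool traced;  /* a debugger attached successfully */
};

/* Policy check applied to a debug-attach request. */
static bool attach_allowed(const struct proc_model *p, bool hardened)
{
    if (p->sugid)
        return false;   /* the existing check the advisory describes */
    if (hardened && p->in_exec)
        return false;   /* assumed mitigation: refuse during the whole exec */
    return true;
}

/* Exec a set-ID image; one attach request arrives right after step attach_at.
 * Returns true if the process ends up both set-ID and traced. */
static bool simulate(enum exec_step attach_at, bool hardened)
{
    struct proc_model p = { false, false, false };
    for (int s = EXEC_STARTED; s < N_STEPS; s++) {
        if (s == EXEC_STARTED) p.in_exec = true;  /* exec begins */
        if (s == SUGID_MARKED) p.sugid = true;    /* set-ID now known */
        if (s == EXEC_DONE)    p.in_exec = false; /* exec finished */
        if (s == (int)attach_at && attach_allowed(&p, hardened))
            p.traced = true;
    }
    return p.sugid && p.traced;
}

/* Number of attach points that leave a set-ID process under a debugger. */
static int exposed_steps(bool hardened)
{
    int n = 0;
    for (int s = EXEC_STARTED; s < N_STEPS; s++)
        n += simulate((enum exec_step)s, hardened) ? 1 : 0;
    return n;
}

int main(void)
{
    printf("check on set-ID mark only: %d exposed step(s)\n", exposed_steps(false));
    printf("check also on in-exec:     %d exposed step(s)\n", exposed_steps(true));
    return 0;
}
```
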