A vulnerability in the memory management of FreeBSD's network subsystem allows authenticated users to edit files for which they only have read privileges. The sendfile command uses mbuf memory to buffer the content of the file to be transmitted. Although the mbuf object supports a read-only flag, this flag is not transmitted correctly when mbuf buffer references are duplicated. An advisory by the FreeBSD developers states that users can consequently access security-relevant system files and obtain permanent root-level privileges when data is transmitted via sendfile and the loopback interface.

The problem affects FreeBSD version 7.x and later. The developers recommend that users update to the 7-STABLE or 8-STABLE production versions. The RELENG_8_1, RELENG_8_0, RELENG_7_3, and RELENG_7_1 developer versions have since been updated.

(crve)