Subject: Reference counting bug in shmat(2)

A reference counting bug exists in the shmat(2) system call that
could be used by an attacker to write to kernel memory under certain
circumstances.

The bug, found by Joost Pol, could be used to gain elevated privileges
and has been successfully exploited under FreeBSD.

Patches for OpenBSD 3.4 and 3.3 respectively are also available:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/010_sysvshm.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/015_sysvshm.patch

The patch is already present in OpenBSD-current as well as in the
3.3 and 3.4 -stable branches.

For more information on the bug, see Joost Pol's description at:
    http://www.pine.nl/press/pine-cert-20040201.txt