A race condition between the ptrace(2) and execve(2) system calls allowed
an attacker to modify the memory contents of suid/sgid processes, which
could lead to compromise of the super-user account.

Apply by doing:
	cd /usr/src
	patch -p0 < 012_ptrace.patch
And then rebuild your kernel.

Index: sys/kern/kern_exec.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.57
diff -u -u -r1.57 kern_exec.c
--- sys/kern/kern_exec.c	19 Sep 2001 20:50:58 -0000	1.57
+++ sys/kern/kern_exec.c	21 Jan 2002 18:03:16 -0000
@@ -251,6 +251,12 @@
 	extern struct emul emul_native;
 
 	/*
+	 * Cheap solution to complicated problems.
+	 * Mark this process as "leave me alone, I'm execing".
+	 */
+	p->p_flag |= P_INEXEC;
+
+	/*
 	 * figure out the maximum size of an exec header, if necessary.
 	 * XXX should be able to keep LKM code from modifying exec switch
 	 * when we're still using it, but...
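Review bot: Setting `P_INEXEC` this early means every return path from here down has to reset it, and the later hunks only show the clears at the success return, at `freehdr:` and at the tail of `exec_abort:`. If any plain `return` sits between this line and those labels (that part of sys_execve is outside the hunk), the process would keep the flag, and the ptrace and procfs checks added in this patch would then answer EAGAIN for it indefinitely. The comment also does not say what the "complicated problems" are; something like `/* Keep ptrace(2) and procfs memory I/O away while the image and credentials change; cleared on every return below. */` would state the invariant.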
@@ -611,6 +617,7 @@
 	if (KTRPOINT(p, KTR_EMUL))
 		ktremul(p, p->p_emul->e_name);
 #endif
+	p->p_flag &= ~P_INEXEC;
 	return (0);
 
 bad:
@@ -629,6 +636,7 @@
 
 freehdr:
 	free(pack.ep_hdr, M_EXEC);
+	p->p_flag &= ~P_INEXEC;
 	return (error);
 
 exec_abort:
@@ -652,6 +660,7 @@
 	exit1(p, -1);
 
 	/* NOTREACHED */
+	p->p_flag &= ~P_INEXEC;
 	return (0);
 }
 
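Review bot: The added `p->p_flag &= ~P_INEXEC;` sits after `exit1(p, -1);` and the `/* NOTREACHED */` marker, so it never runs. It is harmless, but it reads as if the abort path depended on the flag being cleared. Either drop the line or replace it with a comment such as `/* P_INEXEC stays set: exit1() does not return. */`. The start of the `exec_abort:` path is outside this hunk.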
Index: sys/kern/sys_process.c
===================================================================
RCS file: /cvs/src/sys/kern/sys_process.c,v
retrieving revision 1.13
diff -u -u -r1.13 sys_process.c
--- sys/kern/sys_process.c	27 Jun 2001 04:49:47 -0000	1.13
+++ sys/kern/sys_process.c	21 Jan 2002 18:03:16 -0000
@@ -107,6 +107,9 @@
 			return (ESRCH);
 	}
 
+	if ((t->p_flag & P_INEXEC) != 0)
+		return (EAGAIN);
+
 	/* Make sure we can operate on it. */
 	switch (SCARG(uap, req)) {
 	case  PT_TRACE_ME:
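Review bot: `P_INEXEC` is tested once here, before the request switch, so the protection holds only if nothing between this test and the actual operation on `t` can sleep and let the target enter execve. The request handlers are outside the hunk, so that needs checking against the rest of sys_ptrace. The test also has no comment and EAGAIN is a new result for callers; `/* Target is inside execve(); refuse and let the caller retry. */` would help. For consistency with the procfs_checkioperm hunk, use one form of the test in both places (`!= 0` here, bare there).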
Index: sys/miscfs/procfs/procfs_mem.c
===================================================================
RCS file: /cvs/src/sys/miscfs/procfs/procfs_mem.c,v
retrieving revision 1.14
diff -u -u -r1.14 procfs_mem.c
--- sys/miscfs/procfs/procfs_mem.c	19 Sep 2001 18:06:17 -0000	1.14
+++ sys/miscfs/procfs/procfs_mem.c	21 Jan 2002 18:03:16 -0000
@@ -106,6 +106,8 @@
  *	    of the entire system, and the system was not
  *	    compiled with permanently insecure mode turned
  *	    on.
+ *
+ *      (3) It's currently execing.
  */
 int
 procfs_checkioperm(p, t)
@@ -120,6 +122,9 @@
 
 	if ((t->p_pid == 1) && (securelevel > -1))
 		return (EPERM);
+
+	if (t->p_flag & P_INEXEC)
+		return (EAGAIN);
 
 	return (0);
 }
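Review bot: This test guards memory I/O only as often as procfs_checkioperm is called. If callers invoke it when the file is opened rather than on each read or write (the call sites are not visible here), a descriptor obtained before the exec would not be covered, so the call sites are worth confirming. The new case also returns EAGAIN where the other visible denial returns EPERM; item (3) in the header comment could say so, e.g. `(3) It's currently execing (EAGAIN, transient).`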
Index: sys/sys/proc.h
===================================================================
RCS file: /cvs/src/sys/sys/proc.h,v
retrieving revision 1.48
diff -u -u -r1.48 proc.h
--- sys/sys/proc.h	22 Aug 2001 10:29:42 -0000	1.48
+++ sys/sys/proc.h	21 Jan 2002 18:03:16 -0000
@@ -246,6 +246,7 @@
 
 #define	P_NOCLDWAIT	0x080000	/* Let pid 1 wait for my children */
 #define	P_NOZOMBIE	0x100000	/* Pid 1 waits for me instead of dad */
+#define P_INEXEC	0x200000	/* Process is doing an exec right now */
 
 /* Macro to compute the exit signal to be delivered. */
 #define P_EXITSIG(p) \
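Review bot: `#define P_INEXEC` uses a space after `#define` where the neighbouring flag definitions use a tab; `#define	P_INEXEC	0x200000` keeps the columns aligned. The comment could name what the flag is for, e.g. `/* In execve(); ptrace and procfs memory access refused */`, since that is its only visible use in this patch. Only part of the flag list is in the hunk, so confirm 0x200000 is not already taken by a definition outside it.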