From owner-svn-ports-all@freebsd.org Thu Aug 11 21:34:01 2016 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 382E2BB69BD; Thu, 11 Aug 2016 21:34:01 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 013EF18CE; Thu, 11 Aug 2016 21:34:00 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u7BLY0dT095417; Thu, 11 Aug 2016 21:34:00 GMT (envelope-from feld@FreeBSD.org) Received: (from feld@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u7BLY0RB095413; Thu, 11 Aug 2016 21:34:00 GMT (envelope-from feld@FreeBSD.org) Message-Id: <201608112134.u7BLY0RB095413@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f 
From: Mark Felder Date: Thu, 11 Aug 2016 21:34:00 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r420108 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Aug 2016 21:34:01 -0000 Author: feld Date: Thu Aug 11 21:33:59 2016 New Revision: 420108 URL: https://svnweb.freebsd.org/changeset/ports/420108 Log: Add missing FreeBSD SA entries from 2016 to vuxml Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Aug 11 21:27:28 2016 (r420107) +++ head/security/vuxml/vuln.xml Thu Aug 11 21:33:59 2016 (r420108) @@ -58,6 +58,581 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + FreeBSD -- Heap vulnerability in bspatch + + + FreeBSD + 10.310.3_6 + 10.210.2_20 + 10.110.1_37 + 9.39.3_45 + + + + +

Problem Description:

+

The implementation of bspatch does not check for a + negative value on numbers of bytes read from the diff and + extra streams, allowing an attacker who can control the + patch file to write at arbitrary locations in the heap.

+

This issue was first discovered by The Chromium Project + and reported independently by Lu Tung-Pin to the FreeBSD + project.

+

Impact:

+

An attacker who can control the patch file can cause a + crash or run arbitrary code under the credentials of the + user who runs bspatch, in many cases, root.

+ +
+ + CVE-2014-9862 + FreeBSD-SA-16:25.bspatch + + + 2016-07-25 + 2016-08-11 + +
+ + + FreeBSD -- Multiple vulnerabilities of ntp + + + FreeBSD + 10.310.3_5 + 10.210.2_19 + 10.110.1_36 + 9.39.3_44 + + + + +

Problem Description:

+

Multiple vulnerabilities have been discovered in the NTP + suite:

+

The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that + could cause ntpd to crash. [CVE-2016-4957, Reported by + Nicolas Edet of Cisco]

+

An attacker who knows the origin timestamp and can send + a spoofed packet containing a CRYPTO-NAK to an ephemeral + peer target before any other response is sent can demobilize + that association. [CVE-2016-4953, Reported by Miroslav + Lichvar of Red Hat]

+

An attacker who is able to spoof packets with correct + origin timestamps from enough servers before the expected + response packets arrive at the target machine can affect + some peer variables and, for example, cause a false leap + indication to be set. [CVE-2016-4954, Reported by Jakub + Prokes of Red Hat]

+

An attacker who is able to spoof a packet with a correct + origin timestamp before the expected response packet arrives + at the target machine can send a CRYPTO_NAK or a bad MAC + and cause the association's peer variables to be cleared. + If this can be done often enough, it will prevent that + association from working. [CVE-2016-4955, Reported by + Miroslav Lichvar of Red Hat]

+

The fix for NtpBug2978 does not cover broadcast associations, + so broadcast clients can be triggered to flip into interleave + mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red + Hat.]

+

Impact:

+

Malicious remote attackers may be able to break time + synchronization, or cause the ntpd(8) daemon to crash.

+ +
+ + CVE-2016-4953 + CVE-2016-4954 + CVE-2016-4955 + CVE-2016-4956 + CVE-2016-4957 + FreeBSD-SA-16:24.ntp + + + 2016-06-04 + 2016-08-11 + +
+ + + FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer + + + FreeBSD-kernel + 10.310.3_4 + 10.210.2_18 + 10.110.1_35 + 9.39.3_43 + + + + +

Problem Description:

+

The implementation of historic stat(2) system call does + not clear the output struct before copying it out to + userland.

+

Impact:

+

An unprivileged user can read a portion of uninitialised + kernel stack data, which may contain sensitive information, + such as the stack guard, portions of the file cache or + terminal buffers, which an attacker might leverage to obtain + elevated privileges.

+ +
+ + FreeBSD-SA-16:21.43bsd + + + 2016-05-31 + 2016-08-11 + +
+ + + FreeBSD -- Kernel stack disclosure in Linux compatibility layer + + + FreeBSD-kernel + 10.310.3_4 + 10.210.2_18 + 10.110.1_35 + 9.39.3_43 + + + + +

Problem Description:

+

The implementation of the TIOCGSERIAL ioctl(2) does not + clear the output struct before copying it out to userland.

+

The implementation of the Linux sysinfo() system call + does not clear the output struct before copying it out to + userland.

+

Impact:

+

An unprivileged user can read a portion of uninitialised + kernel stack data, which may contain sensitive information, + such as the stack guard, portions of the file cache or + terminal buffers, which an attacker might leverage to obtain + elevated privileges.

+ +
+ + FreeBSD-SA-16:20.linux + + + 2016-05-31 + 2016-08-11 + +
+ + + FreeBSD -- Incorrect argument handling in sendmsg(2) + + + FreeBSD-kernel + 10.310.3_3 + 10.210.2_17 + 10.110.1_34 + + + + +

Problem Description:

+

Incorrect argument handling in the socket code allows + malicious local user to overwrite large portion of the + kernel memory.

+

Impact:

+

Malicious local user may crash kernel or execute arbitrary + code in the kernel, potentially gaining superuser privileges.

+ +
+ + CVE-2016-1887 + FreeBSD-SA-16:19.sendmsg + + + 2016-05-17 + 2016-08-11 + +
+ + + FreeBSD -- Buffer overflow in keyboard driver + + + FreeBSD-kernel + 10.310.3_3 + 10.210.2_17 + 10.110.1_34 + 9.39.3_42 + + + + +

Problem Description:

+

Incorrect signedness comparison in the ioctl(2) handler + allows a malicious local user to overwrite a portion of the + kernel memory.

+

Impact:

+

A local user may crash the kernel, read a portion of + kernel memory and execute arbitrary code in kernel context. + The result of executing an arbitrary kernel code is privilege + escalation.

+ +
+ + CVE-2016-1886 + FreeBSD-SA-16:18.atkbd + + + 2016-05-17 + 2016-08-11 + +
+ + + FreeBSD -- Incorrect argument validation in sysarch(2) + + + FreeBSD-kernel + 10.210.2_14 + 10.110.1_31 + 9.39.3_39 + + + + +

Problem Description:

+

A special combination of sysarch(2) arguments, specify + a request to uninstall a set of descriptors from the LDT. + The start descriptor is cleared and the number of descriptors + are provided. Due to invalid use of a signed intermediate + value in the bounds checking during argument validity + verification, unbound zero'ing of the process LDT and + adjacent memory can be initiated from usermode.

+

Impact:

+

This vulnerability could cause the kernel to panic. In + addition it is possible to perform a local Denial of Service + against the system by unprivileged processes.

+ +
+ + CVE-2016-1885 + FreeBSD-SA-16:15.sysarch + + + 2016-03-16 + 2016-08-11 + +
+ + + FreeBSD -- Multiple OpenSSL vulnerabilities + + + FreeBSD + 10.210.2_13 + 10.110.1_30 + 9.39.3_38 + + + + +

Problem Description:

+

A cross-protocol attack was discovered that could lead + to decryption of TLS sessions by using a server supporting + SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA + padding oracle. Note that traffic between clients and + non-vulnerable servers can be decrypted provided another + server supporting SSLv2 and EXPORT ciphers (even with a + different protocol such as SMTP, IMAP or POP3) shares the + RSA keys of the non-vulnerable server. This vulnerability + is known as DROWN. [CVE-2016-0800]

+

A double free bug was discovered when OpenSSL parses + malformed DSA private keys and could lead to a DoS attack + or memory corruption for applications that receive DSA + private keys from untrusted sources. This scenario is + considered rare. [CVE-2016-0705]

+

The SRP user database lookup method SRP_VBASE_get_by_user + had confusing memory management semantics; the returned + pointer was sometimes newly allocated, and sometimes owned + by the callee. The calling code has no way of distinguishing + these two cases. [CVE-2016-0798]

+

In the BN_hex2bn function, the number of hex digits is + calculated using an int value |i|. Later |bn_expand| is + called with a value of |i * 4|. For large values of |i| + this can result in |bn_expand| not allocating any memory + because |i * 4| is negative. This can leave the internal + BIGNUM data field as NULL leading to a subsequent NULL + pointer dereference. For very large values of |i|, the + calculation |i * 4| could be a positive value smaller than + |i|. In this case memory is allocated to the internal BIGNUM + data field, but it is insufficiently sized leading to heap + corruption. A similar issue exists in BN_dec2bn. This could + have security consequences if BN_hex2bn/BN_dec2bn is ever + called by user applications with very large untrusted hex/dec + data. This is anticipated to be a rare occurrence. + [CVE-2016-0797]

+

The internal |fmtstr| function used in processing a "%s" + formatted string in the BIO_*printf functions could overflow + while calculating the length of a string and cause an + out-of-bounds read when printing very long strings. + [CVE-2016-0799]

+

A side-channel attack was found which makes use of + cache-bank conflicts on the Intel Sandy-Bridge microarchitecture + which could lead to the recovery of RSA keys. [CVE-2016-0702]

+

s2_srvr.c did not enforce that clear-key-length is 0 for + non-export ciphers. If clear-key bytes are present for these + ciphers, they displace encrypted-key bytes. [CVE-2016-0703]

+

s2_srvr.c overwrites the wrong bytes in the master key + when applying Bleichenbacher protection for export cipher + suites. [CVE-2016-0704]

+

Impact:

+

Servers that have SSLv2 protocol enabled are vulnerable + to the "DROWN" attack which allows a remote attacker to + fast attack many recorded TLS connections made to the server, + even when the client did not make any SSLv2 connections + themselves.

+

An attacker who can supply malformed DSA private keys + to OpenSSL applications may be able to cause memory corruption + which would lead to a Denial of Service condition. + [CVE-2016-0705]

+

An attacker connecting with an invalid username can cause + memory leak, which could eventually lead to a Denial of + Service condition. [CVE-2016-0798]

+

An attacker who can inject malformed data into an + application may be able to cause memory corruption which + would lead to a Denial of Service condition. [CVE-2016-0797, + CVE-2016-0799]

+

A local attacker who has control of code in a thread + running on the same hyper-threaded core as the victim thread + which is performing decryptions could recover RSA keys. + [CVE-2016-0702]

+

An eavesdropper who can intercept SSLv2 handshake can + conduct an efficient divide-and-conquer key recovery attack + and use the server as an oracle to determine the SSLv2 + master-key, using only 16 connections to the server and + negligible computation. [CVE-2016-0703]

+

An attacker can use the Bleichenbacher oracle, which + enables more efficient variant of the DROWN attack. + [CVE-2016-0704]

+ +
+ + CVE-2016-0702 + CVE-2016-0703 + CVE-2016-0704 + CVE-2016-0705 + CVE-2016-0797 + CVE-2016-0798 + CVE-2016-0799 + CVE-2016-0800 + FreeBSD-SA-16:12.openssl + + + 2016-03-10 + 2016-08-11 + +
+ + + FreeBSD -- Linux compatibility layer issetugid(2) system call + + + FreeBSD-kernel + 10.210.2_11 + 10.110.1_28 + 9.39.3_35 + + + + +

Problem Description:

+

A programming error in the Linux compatibility layer + could cause the issetugid(2) system call to return incorrect + information.

+

Impact:

+

If an application relies on output of the issetugid(2) + system call and that information is incorrect, this could + lead to a privilege escalation.

+ +
+ + CVE-2016-1883 + FreeBSD-SA-16:10.linux + + + 2016-01-27 + 2016-08-11 + +
+ + + FreeBSD -- Insecure default snmpd.config permissions + + + FreeBSD + 10.210.2_9 + 10.110.1_26 + 9.39.3_33 + + + + +

Problem Description:

+

The SNMP protocol supports an authentication model called + USM, which relies on a shared secret. The default permission + of the snmpd.configiguration file, /etc/snmpd.config, is + weak and does not provide adequate protection against local + unprivileged users.

+

Impact:

+

A local user may be able to read the shared secret, if + configured and used by the system administrator.

+ +
+ + CVE-2015-5677 + FreeBSD-SA-16:06.bsnmpd + + + 2016-01-14 + 2016-08-11 + +
+ + + FreeBSD -- TCP MD5 signature denial of service + + + FreeBSD-kernel + 10.210.2_9 + 10.110.1_26 + 9.39.3_33 + + + + +

Problem Description:

+

A programming error in processing a TCP connection with + both TCP_MD5SIG and TCP_NOOPT socket options may lead to + kernel crash.

+

Impact:

+

A local attacker can crash the kernel, resulting in a + denial-of-service.

+

A remote attack is theoretically possible, if server has + a listening socket with TCP_NOOPT set, and server is either + out of SYN cache entries, or SYN cache is disabled by + configuration.

+ +
+ + CVE-2016-1882 + FreeBSD-SA-16:05.tcp + + + 2016-01-14 + 2016-08-11 + +
+ + + FreeBSD -- Linux compatibility layer setgroups(2) system call + + + FreeBSD-kernel + 10.210.2_9 + 10.110.1_26 + 9.39.3_33 + + + + +

Problem Description:

+

A programming error in the Linux compatibility layer + setgroups(2) system call can lead to an unexpected results, + such as overwriting random kernel memory contents.

+

Impact:

+

It is possible for a local attacker to overwrite portions + of kernel memory, which may result in a privilege escalation + or cause a system panic.

+ +
+ + CVE-2016-1881 + FreeBSD-SA-16:04.linux + + + 2016-01-14 + 2016-08-11 + +
+ + + FreeBSD -- Linux compatibility layer incorrect futex handling + + + FreeBSD-kernel + 10.210.2_9 + 10.110.1_26 + 9.39.3_33 + + + + +

Problem Description:

+

A programming error in the handling of Linux futex robust + lists may result in incorrect memory locations being + accessed.

+

Impact:

+

It is possible for a local attacker to read portions of + kernel memory, which may result in a privilege escalation.

+ +
+ + CVE-2016-1880 + FreeBSD-SA-16:03.linux + + + 2016-01-14 + 2016-08-11 + +
+ + + FreeBSD -- SCTP ICMPv6 error message vulnerability + + + FreeBSD-kernel + 10.210.2_9 + 10.110.1_26 + 9.39.3_33 + + + + +

Problem Description:

+

A lack of proper input checks in the ICMPv6 processing + in the SCTP stack can lead to either a failed kernel assertion + or to a NULL pointer dereference. In either case, a kernel + panic will follow.

+

Impact:

+

A remote, unauthenticated attacker can reliably trigger + a kernel panic in a vulnerable system running IPv6. Any + kernel compiled with both IPv6 and SCTP support is vulnerable. + There is no requirement to have an SCTP socket open.

+

IPv4 ICMP processing is not impacted by this vulnerability.

+ +
+ + CVE-2016-1879 + FreeBSD-SA-16:01.sctp + + + 2016-01-14 + 2016-08-11 + +
+ FreeBSD -- rpcbind(8) remote denial of service [REVISED]
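Review bot: the bsnmpd entry (FreeBSD-SA-16:06.bsnmpd) reads "The default permission of the snmpd.configiguration file, /etc/snmpd.config, is weak", where "snmpd.configiguration" looks like a typo for "snmpd configuration"; "The default permission of the snmpd configuration file, /etc/snmpd.config, is weak" reads correctly and keeps the path. Two smaller grammar fixes in the same hunk: the sysarch entry's "A special combination of sysarch(2) arguments, specify a request to uninstall" should be "specifies a request to uninstall" without the comma, and the setgroups entry's "can lead to an unexpected results" should drop the article. Separately, the sendmsg entry (FreeBSD-SA-16:19.sendmsg) is the only FreeBSD-kernel entry in this block with no 9.3 range line while its neighbours (atkbd, 43bsd, linux) all carry one; worth confirming against the advisory's "Affects" line that 9.3 was genuinely out of scope rather than dropped by mistake.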