From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:20.linux
Date: Tue, 31 May 2016 17:14:20 +0000 (UTC)

=============================================================================
FreeBSD-SA-16:20.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in Linux compatibility layer

Category:       core
Module:         linux(4)
Announced:      2016-05-31
Credits:        CTurt
Affects:        All supported versions of FreeBSD.
Corrected:      2016-05-31 16:57:42 UTC (stable/10, 10.3-STABLE)
                2016-05-31 16:55:50 UTC (releng/10.3, 10.3-RELEASE-p4)
                2016-05-31 16:55:45 UTC (releng/10.2, 10.2-RELEASE-p18)
                2016-05-31 16:55:41 UTC (releng/10.1, 10.1-RELEASE-p35)
                2016-05-31 16:58:00 UTC (stable/9, 9.3-STABLE)
                2016-05-31 16:55:37 UTC (releng/9.3, 9.3-RELEASE-p43)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a loadable kernel module/optional kernel component. The support is provided for amd64 and i386 machines.

II.  Problem Description

The implementation of the TIOCGSERIAL ioctl(2) does not clear the output struct before copying it out to userland.

The implementation of the Linux sysinfo() system call does not clear the output struct before copying it out to userland.

III. Impact

An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.

IV.  Workaround

No workaround is available, but systems not using the Linux binary compatibility layer are not vulnerable.

The Linux compatibility layer is not included in the default GENERIC kernel.

The following command can be used to test if the Linux binary compatibility layer is loaded:

# kldstat -m linuxelf

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:20/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-16:20/linux.patch.asc
# gpg --verify linux.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r301055
releng/9.3/                                                       r301049
stable/10/                                                        r301054
releng/10.1/                                                      r301050
releng/10.2/                                                      r301051
releng/10.3/                                                      r301052
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:22.libarchive
Date: Tue, 31 May 2016 17:24:19 +0000 (UTC)

=============================================================================
FreeBSD-SA-16:22.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Directory traversal in cpio(1)

Category:       contrib
Module:         libarchive
Announced:      2016-05-31
Credits:        Alexander Cherepanov
Affects:        All supported versions of FreeBSD
Corrected:      2016-05-21 09:03:45 UTC (stable/10, 10.3-STABLE)
                2016-05-31 16:35:03 UTC (releng/10.3, 10.3-RELEASE-p4)
                2016-05-31 16:33:56 UTC (releng/10.2, 10.2-RELEASE-p18)
                2016-05-31 16:32:42 UTC (releng/10.1, 10.1-RELEASE-p35)
                2016-05-21 09:27:30 UTC (stable/9, 9.3-STABLE)
                2016-05-31 16:23:56 UTC (releng/9.3, 9.3-RELEASE-p43)
CVE Name:       CVE-2015-2304

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The libarchive(3) library provides a flexible interface for reading and writing streaming archive files such as tar(1) and cpio(1), and has been the basis for the FreeBSD implementation of the tar(1) and cpio(1) utilities since FreeBSD 5.3.

II.  Problem Description

The cpio(1) tool from the libarchive(3) bundle is vulnerable to a directory traversal problem via absolute paths in an archive file.

III. Impact

A malicious archive file being unpacked can overwrite an arbitrary file on a filesystem, if the owner of the cpio process has write access to it.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Reboot is not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:22/libarchive-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:22/libarchive-10.patch.asc
# gpg --verify libarchive-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:22/libarchive-9.patch
# fetch https://security.FreeBSD.org/patches/SA-16:22/libarchive-9.patch.asc
# gpg --verify libarchive-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r300363
releng/9.3/                                                       r301044
stable/10/                                                        r300361
releng/10.1/                                                      r301046
releng/10.2/                                                      r301047
releng/10.3/                                                      r301048
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:21.43bsd
Date: Tue, 31 May 2016 17:24:15 +0000 (UTC)

=============================================================================
FreeBSD-SA-16:21.43bsd                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in 4.3BSD compatibility layer

Category:       core
Module:         kernel
Announced:      2016-05-31
Credits:        CTurt
Affects:        All supported versions of FreeBSD.
Corrected:      2016-05-31 16:57:42 UTC (stable/10, 10.3-STABLE)
                2016-05-31 16:55:50 UTC (releng/10.3, 10.3-RELEASE-p4)
                2016-05-31 16:55:45 UTC (releng/10.2, 10.2-RELEASE-p18)
                2016-05-31 16:55:41 UTC (releng/10.1, 10.1-RELEASE-p35)
                2016-05-31 16:58:00 UTC (stable/9, 9.3-STABLE)
                2016-05-31 16:55:37 UTC (releng/9.3, 9.3-RELEASE-p43)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

FreeBSD has a binary compatibility layer with the historic 4.3BSD operating system.

II.  Problem Description

The implementation of the historic stat(2) system call does not clear the output struct before copying it out to userland.

III. Impact

An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.

IV.  Workaround

No workaround is available, but systems not using the 4.3BSD compatibility layer are not vulnerable.

The 4.3BSD compatibility layer is not included in the default GENERIC kernel configuration. A custom kernel config that does not have the COMPAT_43 option is also not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Reboot is required.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:21/stat.patch
# fetch https://security.FreeBSD.org/patches/SA-16:21/stat.patch.asc
# gpg --verify stat.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r301055
releng/9.3/                                                       r301049
stable/10/                                                        r301054
releng/10.1/                                                      r301050
releng/10.2/                                                      r301051
releng/10.3/                                                      r301052
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:23.libarchive
Date: Tue, 31 May 2016 17:24:22 +0000 (UTC)

=============================================================================
FreeBSD-SA-16:23.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in libarchive(3)

Category:       contrib
Module:         libarchive
Announced:      2016-05-31
Affects:        FreeBSD 9.3
Corrected:      2016-05-21 09:27:30 UTC (stable/9, 9.3-STABLE)
                2016-05-31 16:23:56 UTC (releng/9.3, 9.3-RELEASE-p43)
CVE Name:       CVE-2013-0211

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The libarchive(3) library provides a flexible interface for reading and writing streaming archive files such as tar and cpio, and has been the basis for FreeBSD's implementation of the tar(1) and cpio(1) utilities since FreeBSD 5.3.

II.  Problem Description

An integer signedness error in the archive_write_zip_data() function in archive_write_set_format_zip.c in libarchive(2) could lead to a buffer overflow on 64-bit machines.

III. Impact

An attacker who can provide input of their choice for creating a ZIP archive can cause a buffer overflow in libarchive(2) that results in a core dump or possibly execution of arbitrary code provided by the attacker.

IV.  Workaround

No workaround is available but 32-bit systems are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Reboot is not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:23/libarchive.patch
# fetch https://security.FreeBSD.org/patches/SA-16:23/libarchive.patch.asc
# gpg --verify libarchive.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r300363
releng/9.3/                                                       r301044
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: Slawa Olhovchenkov
To: stable@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: unbound and ntp issuse
Date: Thu, 2 Jun 2016 15:27:27 +0300

Default install with local_unbound and ntpd can't be functional with incorrect date/time in BIOS:

Unbound requires correct time for DNSSEC check and is refusing queries
("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")

ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't resolve (see above, about DNSKEY).

IMHO, ntp.conf needs to include some numeric IP of public ntp servers.

# date
Tue Jul 1 20:36:31 MSD 2008

From: Lowell Gilbert
To: Slawa Olhovchenkov
Cc: stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: unbound and ntp issuse
Date: Fri, 03 Jun 2016 14:34:18 -0400

Slawa Olhovchenkov writes:

> Default install with local_unbound and ntpd can't be functional with
> incorrect date/time in BIOS:
>
> Unbound requires correct time for DNSSEC check and is refusing queries
> ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
>
> ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> resolve (see above, about DNSKEY).

I can't see how this would happen. DNSSEC doesn't seem to be required in a regular install as far as I can see. Certainly I don't have any problem on any of my systems, and I've never configured an anchor on the internal systems.

> IMHO, ntp.conf needs to include some numeric IP of public ntp servers.

Ouch; that's a terrible idea, for several different reasons.

From: Slawa Olhovchenkov
To: Lowell Gilbert
Cc: stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: unbound and ntp issuse
Date: Fri, 3 Jun 2016 22:15:24 +0300

On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov writes:
>
> > Default install with local_unbound and ntpd can't be functional with
> > incorrect date/time in BIOS:
> >
> > Unbound requires correct time for DNSSEC check and is refusing queries
> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> >
> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> > resolve (see above, about DNSKEY).
>
> I can't see how this would happen. DNSSEC doesn't seem to be required in
> a regular install as far as I can see. Certainly I don't have any

I don't know the reason for enforcing DNSSEC in regular install. I just select `local_unbound` at setup time and enter `127.0.0.1` as nameserver address.

> problem on any of my systems, and I've never configured an anchor on the
> internal systems.
>
> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
>
> Ouch; that's a terrible idea, for several different reasons.

What else?

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:24.ntp
Date: Sat, 4 Jun 2016 06:57:19 +0000 (UTC)

=============================================================================
FreeBSD-SA-16:24.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2016-06-04
Credits:        Network Time Foundation and various contributors listed below
Affects:        All supported versions of FreeBSD.
Corrected:      2016-06-03 08:59:21 UTC (stable/10, 10.3-STABLE)
                2016-06-04 05:46:52 UTC (releng/10.3, 10.3-RELEASE-p5)
                2016-06-04 05:46:52 UTC (releng/10.2, 10.2-RELEASE-p19)
                2016-06-04 05:46:52 UTC (releng/10.1, 10.1-RELEASE-p36)
                2016-06-03 09:03:10 UTC (stable/9, 9.3-STABLE)
                2016-06-04 05:46:52 UTC (releng/9.3, 9.3-RELEASE-p44)
CVE Name:       CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955,
                CVE-2016-4956

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source.

II.  Problem Description

Multiple vulnerabilities have been discovered in the NTP suite:

The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco]

An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association. [CVE-2016-4953, Reported by Miroslav Lichvar of Red Hat]

An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set.
[CVE-2016-4954, Reported by Jakub Prokes of Red Hat]

An attacker who is able to spoof a packet with a correct origin timestamp
before the expected response packet arrives at the target machine can send
a CRYPTO_NAK or a bad MAC and cause the association's peer variables to be
cleared. If this can be done often enough, it will prevent that
association from working. [CVE-2016-4955, Reported by Miroslav Lichvar of
Red Hat]

The fix for NtpBug2978 does not cover broadcast associations, so broadcast
clients can be triggered to flip into interleave mode. [CVE-2016-4956,
Reported by Miroslav Lichvar of Red Hat.]

III. Impact

Malicious remote attackers may be able to break time synchronization,
or cause the ntpd(8) daemon to crash.

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not
affected. Network administrators are advised to implement BCP-38,
which helps to reduce the risk associated with the attacks.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:24/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-16:24/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch.
Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r301257
releng/9.3/                                                       r301301
stable/10/                                                        r301256
releng/10.1/                                                      r301301
releng/10.2/                                                      r301301
releng/10.3/                                                      r301301
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.12 (FreeBSD)

-----END PGP SIGNATURE-----
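
A patch-level check built from the "Corrected:" field of the advisory above, added here as an example and not part of the advisory itself. The function names fixed_level and sa1624_status are hypothetical, and the input is assumed to be a version string of the form "10.3-RELEASE-p4".

```sh
#!/bin/sh
# Added example, not part of the advisory. Patch levels are copied from
# the "Corrected:" field of FreeBSD-SA-16:24.ntp.

# fixed_level BRANCH: print the first RELEASE patch level carrying the fix.
fixed_level() {
    case "$1" in
        10.3) echo 5 ;;
        10.2) echo 19 ;;
        10.1) echo 36 ;;
        9.3)  echo 44 ;;
        *)    return 1 ;;   # branch not listed in the advisory
    esac
}

# sa1624_status VERSION: print patched, vulnerable, check-date or unknown.
# VERSION has the form "10.3-RELEASE-p4"; a bare "10.3-RELEASE" is level 0.
sa1624_status() {
    ver=$1
    case "$ver" in
        *-STABLE*)  echo check-date; return 0 ;;  # no patch level: compare
                                                  # build date with Corrected
        *-RELEASE*) ;;
        *)          echo unknown; return 0 ;;
    esac
    branch=${ver%%-*}
    case "$ver" in
        *-RELEASE-p*) plevel=${ver##*-p} ;;
        *)            plevel=0 ;;
    esac
    case "$plevel" in
        ''|*[!0-9]*) echo unknown; return 0 ;;    # malformed suffix
    esac
    need=$(fixed_level "$branch") || { echo unknown; return 0; }
    if [ "$plevel" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample version strings, not output from a real host.
for v in 10.3-RELEASE-p4 10.3-RELEASE-p5 9.3-RELEASE 10.3-STABLE; do
    printf '%s\t%s\n' "$v" "$(sa1624_status "$v")"
done
```

On a host, pass the userland version, for example sa1624_status "$(freebsd-version -u)". A "patched" result still depends on ntpd having been restarted after the update, as the Solution section states.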