From owner-freebsd-security@freebsd.org Mon Aug 5 08:25:52 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id BDDADBD743 for ; Mon, 5 Aug 2019 08:25:52 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from cu01176b.smtpx.saremail.com (cu01176b.smtpx.saremail.com [195.16.151.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4629nq36tYz4NMf for ; Mon, 5 Aug 2019 08:25:50 +0000 (UTC) (envelope-from borjam@sarenet.es) Received: from [172.16.8.147] (unknown [192.148.167.11]) by proxypop01.sare.net (Postfix) with ESMTPA id 4F2EF9DDCC7; Mon, 5 Aug 2019 10:25:47 +0200 (CEST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) Subject: Re: Old Stuff From: Borja Marcos In-Reply-To: Date: Mon, 5 Aug 2019 10:25:45 +0200 Cc: freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: References: To: Robert Simmons X-Mailer: Apple Mail (2.3445.104.11) X-Rspamd-Queue-Id: 4629nq36tYz4NMf X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=pass (policy=none) header.from=sarenet.es; spf=pass (mx1.freebsd.org: domain of borjam@sarenet.es designates 195.16.151.151 as permitted sender) smtp.mailfrom=borjam@sarenet.es X-Spamd-Result: default: False [-4.93 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:195.16.151.0/24]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-0.999,0]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[151.151.16.195.list.dnswl.org : 127.0.10.0]; DMARC_POLICY_ALLOW(-0.50)[sarenet.es,none]; IP_SCORE(-2.63)[ip: (-7.13), ipnet: 195.16.128.0/19(-3.46), asn: 3262(-2.60), country: ES(0.04)]; FREEMAIL_TO(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:3262, ipnet:195.16.128.0/19, country:ES]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Aug 2019 08:25:52 -0000 > On 24 Jul 2019, at 18:57, Robert Simmons wrote: >=20 > I wonder if FreeBSD should drop support for 32bit? Clean out and = remove all > of it. It should make the code base easier to maintain, cleaner, and = safer. Keeping 32 and 64 bit code has an interesting side effect. It kinda = forces to keep some discipline, same as keeping big endian and little endian code. It can be a bit of a pain in = the ass but it forces you to be more careful. > In this same vein, let's deprecate and remove things like telnet and = ftp. I don=E2=80=99t understand why. Both tools can be useful in certain = situations. For instance telnet is the most immediate way to check wether a service is working and a bunch of = important Internet protocols were actually designed so that they could be tested with a simple = telnet.=20 =46rom a different point of view, ssh can be more prone to buffer = overflows due to more complex code ;) Borja. From owner-freebsd-security@freebsd.org Tue Aug 6 18:32:12 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 17ED0C7A4F for ; Tue, 6 Aug 2019 18:32:12 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4633Bz706Rz4KbM; Tue, 6 Aug 2019 18:32:11 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id E8D66EE14; Tue, 6 Aug 2019 18:32:11 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2 Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190806183211.E8D66EE14@freefall.freebsd.org> Date: Tue, 6 Aug 2019 18:32:11 +0000 (UTC) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 18:32:12 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:19.mldv2 Security Advisory The FreeBSD Project Topic: ICMPv6 / MLDv2 out-of-bounds memory access Category: core Module: net Announced: 2019-08-06 Credits: CJD of Apple Affects: All supported versions of FreeBSD. Corrected: 2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE) 2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9) 2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE) 2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2) 2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13) CVE Name: CVE-2019-5608 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background MLDv2 is the Multicast Listener Discovery protocol, version 2. It is used by IPv6 routers to discover multicast listeners. II. Problem Description The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. III. Impact A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic. IV. Workaround No workaround is available. Systems not using IPv6 are not affected. V. Solution Perform one of the following: Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Reboot for security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.2, FreeBSD 11.3] # fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch # fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc # gpg --verify mldv2.11.patch.asc [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch # fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc # gpg --verify mldv2.12.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r350648 releng/12.0/ r350644 stable/11/ r350650 releng/11.3/ r350644 releng/11.2/ r350644 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1RfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLzTA/+OyyukXWH7rfwMhOlpD60UH4hxN3purvdNeBe4ZxlYvtf8gSUzS1VbK5r NR9D2HiYRlmaePOil5myan6cVkrKoANoWTrQsCcsFLe6KKbiKlQDx/btbENmCMsR VoS0ZPx3l9iGuVUwDk6k1JXwKCcO3U3dCDYEI941hEKxYadR+twUP3JOceg8Zn0h oODXW7LcPXWQKAyFc0Kun1VrjrUGdRGfqk30joR20GP2IjgQceFHKUbiOyBbbIjW +UVvp2wPBxXvcXNPTpcIpTW5UGJBHCT2OsDulh7hqpiWf78VE8BoksKAvDjtI4i0 15fmwn7tmQ3aGWK3WoaKWUOXZUlKrxRQDzGyAZ3LzOqPWhv12tJjNJhjnRmCVLfo +F4I/MHzPgjitZhv8gfn+MRiPG4E1ueAYnPQWiR3qRCLQGhemVdKZIAVnYg6NGpQ Jgsr1QS8/3GHZ8yrMXUOSNOSuiMmRHbI9915vVzu+hWkfnrCcSr3uVkJeQvx4CZJ gdTL083Knnkdo4IPOdHWnQjGfrv2rGRyvCJ88m/DIC6hw4weR1LyFWMEHeJCEcJl 5LHiVWmOUJE4ltJXrRoXwxuh9Dia0Mq6KfNA0343JFpQF9rdt3JQ/54FPGtK6NUO LyX5a42RIKRxWNTN+ADrSk8czbHFIg8MfTwpjiRGx2rYtxjp1qU= =WaXC -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Tue Aug 6 18:32:04 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1E7D0C7A48 for ; Tue, 6 Aug 2019 18:32:04 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4633Br04GXz4KZh; Tue, 6 Aug 2019 18:32:04 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id EF4BCEE09; Tue, 6 Aug 2019 18:32:03 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2 Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190806183203.EF4BCEE09@freefall.freebsd.org> Date: Tue, 6 Aug 2019 18:32:03 +0000 (UTC) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 18:32:04 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:18.bzip2 Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in bzip2 Category: contrib Module: bzip2 Announced: 2019-08-06 Affects: All supported versions of FreeBSD. Corrected: 2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE) 2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9) 2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE) 2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2) 2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13) CVE Name: CVE-2016-3189, CVE-2019-12900 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and decompress files using an algorithm based on the Burrows-Wheeler transform. They are generally slower than Lempel-Ziv compressors such as gzip, but usually provide a greater compression ratio. The bzip2recover utility extracts blocks from a damaged bzip2(1) file, permitting partial recovery of the contents of the file. II. Problem Description The decompressor used in bzip2 contains a bug which can lead to an out-of-bounds write when processing a specially crafted bzip2(1) file. bzip2recover contains a heap use-after-free bug which can be triggered when processing a specially crafted bzip2(1) file. III. Impact An attacker who can cause maliciously crafted input to be processed may trigger either of these bugs. The bzip2recover bug may cause a crash, permitting a denial-of-service. The bzip2 decompressor bug could potentially be exploited to execute arbitrary code. Note that some utilities, including the tar(1) archiver and the bspatch(1) binary patching utility (used in portsnap(8) and freebsd-update(8)) decompress bzip2(1)-compressed data internally; system administrators should assume that their systems will at some point decompress bzip2(1)-compressed data even if they never explicitly invoke the bunzip2(1) utility. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart daemons if necessary. 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch # fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc # gpg --verify bzip2.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r349717 releng/12.0/ r350643 stable/11/ r349718 releng/11.3/ r350643 releng/11.2/ r350643 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt09fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cJWEQ//dBiFwPCKcUaeSBuM9opVUxWzFYrpWdYwwagQXzNqO3Z77Vi2hHQnfpkD bM8WgWwChOJmlTja7sjnF+QjoV9/elzYhFrD6q0W1nLZ2XHcXyHrbFLMJ+CrvCWR AuVCEkmT2fchE/5c71l/v8I452EpGZG7P0fwG1bpf84p1PFLl3esfeo8+CzN1x2h YLnvfp69/tC18LR0/yozRUuFSqoYBhbnJsclB1JkrGx0fPOcE9y3sudVhBIDbH7h nYSTJl/KkTHf6tbJVXWUVr5gJzCgGvvhUer49RCdJMAwj6hKYT49vWnOFl1T8DAL +co0ZzTiKoCdrrrguijh4QTEUe4UAGS3PPAwhUiOu+y8Bry06/U565uO9y9iILef M5oYTbM7h/TErPxSE421fWeexeK0seCHqmj/rO1Yf7RkRvLg/QaJk5YWM0KoP3NH QQRdX8qNiy4liEqGvJwfUdNcVXA3d7BKifl6MKH+5/2i5B23wHItIeuIGYo5LgdI mnH59L5wylhWGa0Dc+N9fP0jFvBfk7/4a0joXYIQ7/KDQg0X+WdiGZ/mzZ4GEisX hwI2laAh/oyksInrMcLCbvgWql+lrUvK3ltHo17U+wrMeb+8btDLR5T/9XlLPWGp s101XS6ewcwpZ8g5uBtlFBLmp8BGkALTAJtwwqJ2eoLfLYCXq3I= =3O6m -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Tue Aug 6 18:32:19 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3C0A8C7A59 for ; Tue, 6 Aug 2019 18:32:19 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4633C70LFSz4Kbk; Tue, 6 Aug 2019 18:32:19 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 046C5EE21; Tue, 6 Aug 2019 18:32:19 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:20.bsnmp Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190806183219.046C5EE21@freefall.freebsd.org> Date: Tue, 6 Aug 2019 18:32:19 +0000 (UTC) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 18:32:19 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:20.bsnmp Security Advisory The FreeBSD Project Topic: Insufficient message length validation in bsnmp library Category: contrib Module: bsnmp Announced: 2019-08-06 Credits: Guido Vranken Affects: All supported versions of FreeBSD. Corrected: 2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE) 2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9) 2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE) 2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2) 2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13) CVE Name: CVE-2019-5610 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The bsnmp software library is used for the Internet SNMP (Simple Network Management Protocol). As part of this it includes functions to handle ASN.1 (Abstract Syntax Notation One). II. Problem Description A function extracting the length from type-length-value encoding is not properly validating the submitted length. III. Impact A remote user could cause, for example, an out-of-bounds read, decoding of unrelated data, or trigger a crash of the software such as bsnmpd resulting in a denial of service. IV. Workaround No workaround is available. V. Solution Perform one of the following: Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch # fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc # gpg --verify bsnmp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r350637 releng/12.0/ r350646 stable/11/ r350638 releng/11.3/ r350646 releng/11.2/ r350646 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1lfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cKtBBAAltxFzxuMqWCgJoL9SemLRQxGGk0hRFdN5b78mgVdk2lfDgVz8U7mVM6v XbcCa4lIy7wMYpUdEySAZLR2ENt0xdpx7oQ6lAg5fnnvrUvom4wU9ruxEs5txFVL K6RaJnQJyOkI2c/LYvI/ZYmuc29/Nt3p/DvVe7wq86taoqUufN11MXkrRHgn68N3 7vewixzWpqH5L/aY2qP1d+Xe3QmHX0IcFqeo4U3/3G4wUGRCfHtaENY4w5eUbCa2 1Qk0oS9iUdX1IJjM5l1ccoFqsjbcO6vNS337qeYNKhLspXMQPwoS0K0HfB6LKt1D dCBFoXu/qUFjf3qqbpcqGEFrFPZjlNmC4R0Ngx1rfZ1t1dXbj83NOOE1okd3Gb/V TPDU/jzwt+/6DE6ryNQpeanPdim83w/j+qeA0UaTyxlbj+oSz1gU9Ckaauf+9peI GT8TPnrgmFlYg2tkYl4tbq5LtRstPGZYguqEt5SHCxBOg3dxByMPzikSFUL9oNxS 9GX7JZT36J20f62hG8Watp2y3W0QsMjJpxF9OojRU6B15Z4Q2aCht4F6DnvEkVfN 1GvS5NAHPHU09TniSgYK3ThkoYrLYykhsXPmJmETV7DU1Qhny1p8H0NwIwB20DEm AOAcYzLhiXHGpniE5y+MT9Pvt3BDBt36k6WgZ4eZ4RWuzGOumiU= =rH6X -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Tue Aug 6 18:32:25 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 931F2C7A5E for ; Tue, 6 Aug 2019 18:32:25 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4633CF3Td5z4Kjv; Tue, 6 Aug 2019 18:32:25 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 706A0EE31; Tue, 6 Aug 2019 18:32:25 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:21.bhyve Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190806183225.706A0EE31@freefall.freebsd.org> Date: Tue, 6 Aug 2019 18:32:25 +0000 (UTC) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Aug 2019 18:32:25 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:21.bhyve Security Advisory The FreeBSD Project Topic: Insufficient validation of guest-supplied data (e1000 device) Category: core Module: bhyve Announced: 2019-08-06 Credits: Reno Robert Affects: All supported versions of FreeBSD. Corrected: 2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE) 2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9) 2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE) 2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2) 2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13) CVE Name: CVE-2019-5609 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background bhyve(8) is a hypervisor that supports running a variety of guest operating systems in virtual machines. bhyve(8) includes an emulated Intel 82545 network interface adapter ("e1000"). II. Problem Description The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets. When TCP segmentation offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage. III. Impact A misbehaving bhyve guest could overwrite memory in the bhyve process on the host. IV. Workaround Only the e1000 device model is affected; the virtio-net device is not affected by this issue. If supported by the guest operating system presenting only the virtio-net device to the guest is a suitable workaround. No workaround is available if the e1000 device model is required. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart any affected virtual machines. 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch # fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc # gpg --verify bhyve.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable virtual machines, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r350619 releng/12.0/ r350647 stable/11/ r350619 releng/11.3/ r350647 releng/11.2/ r350647 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1xfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cL0qA//ZdapXUMl6KuuvtZIveMZgNdMVLYaqB1K8yHXO5udd58fTsH6+Khei0LT gYGxDEJkHinM1EWy688xE+PSzb9twmEmawW4N4WMhWB9oMoTuLQ5E4Zm9my1TdDh ducK6Q4GqOojIXJ0LtHDqs9qveAfkgB6L6jmLt/1jpZelLupte3S+bPmI4yta7ge 7k54V9GcN05i7wX2TaZA7H3ROQziW537ZeoRB8BQwt7bekFw2uBfO9s0CWcJZPnG +0D6QEsRqbtYMJr5RkUCc1y4qaqnWBBn/Zyyr0P+bXZklU/IW2GJTDWNObXN7DPE NOhuVY7PQHN6jv3u+nKa1AY7mjI3zBo009iAfPQFCb9Kn08tJ2A9WrExEMwZdcbI nXVqCRdp7xCSPO73vjNv4btzvAU7iwbaBkpGFs721cH72ImvmXi7TwepPEAul0do VwKYMxhStZtoDQhEea1eq41KNvqxmA/mkbEjpKcTZCUJq7xVyV4uaVme3Uq45uaa mKMWx+Gg09A2Y5NfSCiz9AGuMkIGn05hKIOK39yAG159uTks60Ybsw/bOnE9WnMJ 5igcI+U6utIMi2M6nH4rn/wKBYM9cHWmQLfo6kECUi2CCTmR5VL8BTJ/8vHCqXi1 vCcAPacKYAROsvGQyynSVLiXJAXOrc8/VyoXRHC5cAapVeParcw= =0XzG -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Wed Aug 7 17:06:20 2019 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 623B3B13EF for ; Wed, 7 Aug 2019 17:06:20 +0000 (UTC) (envelope-from mike@sentex.net) Received: from pyroxene.sentex.ca (unknown [IPv6:2607:f3e0:0:3::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "pyroxene.sentex.ca", Issuer "Let's Encrypt Authority X3" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 463dFS1z0Kz41t2 for ; Wed, 7 Aug 2019 17:06:20 +0000 (UTC) (envelope-from mike@sentex.net) Received: from [192.168.43.26] ([192.168.43.26]) by pyroxene.sentex.ca (8.15.2/8.15.2) with ESMTP id x77H6ITg057233 for ; Wed, 7 Aug 2019 13:06:18 -0400 (EDT) (envelope-from mike@sentex.net) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2 To: freebsd-security@freebsd.org References: <20190806183211.EE35BEE16@freefall.freebsd.org> From: Mike Tancsa Openpgp: preference=signencrypt Autocrypt: addr=mike@sentex.net; prefer-encrypt=mutual; keydata= mQENBEzcA24BCACpwI/iqOrs0GfQSfhA1v6Z8AcXVeGsRyKEKUpxoOYxXWc2z3vndbYlIP6E YJeifzKhS/9E+VjhhICaepLHfw865TDTUPr5D0Ed+edSsKjlnDtb6hfNJC00P7eoiuvi85TW F/gAxRY269A5d856bYrzLbkWp2lKUR3Bg6NnORtflGzx9ZWAltZbjYjjRqegPv0EQNYcHqWo eRpXilEo1ahT6nmOU8V7yEvT2j4wlLcQ6qg7w+N/vcBvyd/weiwHU+vTQ9mT61x5/wUrQhdw 2gJHeQXeDGMJV49RT2EEz+QVxaf477eyWsdQzPVjAKRMT3BVdK8WvpYAEfBAbXmkboOxABEB AAG0HG1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5jYT6JATgEEwECACIFAkzcA24CGwMGCwkI BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJXHwM2kc8rX+sMH/2V6pTBKsQ5mpWWLgs6wVP2k BC+6r/YKNXv9Rw/PrC6+9hTbgA+sSjJ+8gxsCbJsOQXZrxF0x3l9oYdYfuKcwdwXFX1/FS8p HfBeDkmlH+dI709xT9wgrR4dS5aMmKp0scPrXPIAKiYVOHjOlNItcLYTEEWEFBepheEVsgmk GrNbcrHwOx/u4igUQ8vcpyXPyUki+BsftPw8ZQvBU887igh0OxaCR8AurJppQ5UQd63r81cX E1ZjoFoWCaGK/SjPb/OhpYpu5swoZIhOxQbn7OtakYPsDd5t2A5KhvjI8BMTnd5Go+2xsCmr jlIEq8Bi29gCcfQUvNiClevi13ifmnm5AQ0ETNwDbgEIALWGNJHRAhpd0A4vtd3G0oRqMBcM FGThQr3qORmEBTPPEomTdBaHcn+Xl+3YUvTBD/67/mutWBwgp2R5gQOSqcM7axvgMSHbKqBL 9sd1LsLw0UT2O5AYxv3EwzhG84pwRg3XcUqvWA4lA8tIj/1q4Jzi5qOkg1zxq4W9qr9oiYK5 bBR638JUvr3eHMaz/Nz+sDVFgwHmXZj3M6aE5Ce9reCGbvrae7H5D5PPvtT3r22X8SqfVAiO TFKedCf/6jbSOedPN931FJQYopj9P6b3m0nI3ZiCDVSqeyOAIBLzm+RBUIU3brzoxDhYR8pz CJc2sK8l6YjqivPakrD86bFDff8AEQEAAYkBHwQYAQIACQUCTNwDbgIbDAAKCRCVx8DNpHPK 1+iQB/99aqNtez9ZTBWELj269La8ntuRx6gCpzfPXfn6SDIfTItDxTh1hrdRVP5QNGGF5wus N4EMwXouskva1hbFX3Pv72csYSxxEJXjW16oV8WK4KjKXoskLg2RyRP4uXqL7Mp2ezNtVY5F 9nu3fj4ydpHCSaqKy5xd70A8D50PfZsFgkrsa5gdQhPiGGEdxhq/XSeAAnZ4uVLJKarH+mj5 MEhgZPEBWkGrbDZpezl9qbFcUem/uT9x8FYT/JIztMVh9qDcdP5tzANW5J7nvgXjska+VFGY ryZK4SPDczh74mn6GI/+RBi7OUzXXPgpPBrhS5FByjwCqjjsSpTjTds+NGIY Organization: Sentex Communications Message-ID: Date: Wed, 7 Aug 2019 13:06:17 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <20190806183211.EE35BEE16@freefall.freebsd.org> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US X-Rspamd-Queue-Id: 463dFS1z0Kz41t2 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-6.98 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-0.995,0]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.98)[-0.981,0] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Aug 2019 17:06:20 -0000 Does anyone have any more details about the implication of this ? e.g. does a daemon need to be listening on a target device ? Is it merely the act of forwarding such packets ? Can a non root user open such a daemon ? Thanks,     ---Mike > ============================================================================= > FreeBSD-SA-19:19.mldv2                                      Security > Advisory >                                                           The FreeBSD > Project > > Topic:          ICMPv6 / MLDv2 out-of-bounds memory access > MLDv2 is the Multicast Listener Discovery protocol, version 2.  It is used > by IPv6 routers to discover multicast listeners. > > II.  Problem Description > > The ICMPv6 input path incorrectly handles cases where an MLDv2 listener > query packet is internally fragmented across multiple mbufs. > > III. Impact > > A remote attacker may be able to cause an out-of-bounds read or write that > may cause the kernel to attempt to access an unmapped page and > subsequently > panic.