From owner-freebsd-security-notifications@freebsd.org Wed Jul 3 00:49:21 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 36E6615E26A5 for ; Wed, 3 Jul 2019 00:49:21 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 95B3F77F2C; Wed, 3 Jul 2019 00:49:20 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 63C761A7C6; Wed, 3 Jul 2019 00:49:20 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:09.iconv Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190703004920.63C761A7C6@freefall.freebsd.org> Date: Wed, 3 Jul 2019 00:49:20 +0000 (UTC) X-Rspamd-Queue-Id: 95B3F77F2C X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.89 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.98)[-0.983,0]; NEURAL_HAM_SHORT(-0.91)[-0.911,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2019 00:49:21 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:09.iconv Security Advisory The FreeBSD Project Topic: iconv buffer overflow Category: core Module: libc Announced: 2019-07-02 Credits: Andrea Venturoli , NetFence Affects: All supported versions of FreeBSD. Corrected: 2019-07-03 00:01:38 UTC (stable/12, 12.0-STABLE) 2019-07-03 00:00:39 UTC (releng/12.0, 12.0-RELEASE-p7) 2019-07-03 00:03:14 UTC (stable/11, 11.3-PRERELEASE) 2019-07-03 00:00:39 UTC (releng/11.3, 11.3-RC3-p1) 2019-07-03 00:00:39 UTC (releng/11.2, 11.2-RELEASE-p11) CVE Name: CVE-2019-5600 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The iconv(3) API converts text data from one character encoding to another and is available as part of the standard C library (libc). II. Problem Description With certain inputs, iconv may write beyond the end of the output buffer. III. Impact Depending on the way in which iconv is used, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution. iconv is a libc library function and the nature of possible attacks will depend on the way in which iconv is used by applications or daemons. IV. Workaround No workaround is available. Stack canaries (-fstack-protector), which are enabled by default, provide a degreee of defense against code injection but not against denial of service. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart any potentially affected daemons. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch # fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch.asc # gpg --verify iconv.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r349622 releng/12.0/ r349621 stable/11/ r349624 releng/11.3/ r349621 releng/11.2/ r349621 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0b9WBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cK8qg//bXSYMJQUBC0POTT5zGXSAmXfKjxbCi4N67cfTrQkEvW672QX4Jw9smkK D3PwyQs8QWIwsXL69rRgKDFHhPplOmTkx1vaPrA3DckYliwNvLRV3I6G2bRnx3E3 DoAyDmBvFK5lJWa3WxbCpeJA69yZ/JbX1Yw6HsRLk74hGkfvlkruKkfxsNjXzaq4 0+d+ZYs/vRDmIW5/R/bYy1+iyDamyCMl2xXtlZBKrGe6lhj8Vi4/evJjipFtskc2 RnGKolNoZQc03pgX0QS2JZDb+ay23elkOCbhYPqGr1f++M95oOktX3epsJNSH++u pmJ72FNRsnZSVFxoX7o14eh4k6OGYIvGFSkXQ9VG1NV7PQO8VZAQk9gw264O/1Mi 2aW88e78GLallQOg32VM+Ybys9MamBHByiYRz+GXhh91gg9WPJK5Imt0ExUuukGn SS65SW1AhO72xC2eplbM0pQY0FNn8l+QA4XjhqNfW03gPSvPwbdYhbSDXm9bgV3W +VnW2R0tekgiD3glf9GwXMKizostS67jvpJyEDqvx3A1Dx3R2sJ27/6c5HDLpJss hrhEbqnJhudl10gQTdK9hkFg1LeqxFCYhsw0NDb7PgRWeu3MZcLP6pO3wy/aacfd OyGJWeqTzKZ4o596OyrTsYIa75MymN3/PkdfDYfRMU0GdAo+acQ= =ItWl -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed Jul 3 00:49:25 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6595915E26EF for ; Wed, 3 Jul 2019 00:49:25 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D475477F3A; Wed, 3 Jul 2019 00:49:24 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 8A5411A7D5; Wed, 3 Jul 2019 00:49:24 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:10.ufs Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190703004924.8A5411A7D5@freefall.freebsd.org> Date: Wed, 3 Jul 2019 00:49:24 +0000 (UTC) X-Rspamd-Queue-Id: D475477F3A X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.89 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.98)[-0.983,0]; NEURAL_HAM_SHORT(-0.91)[-0.911,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2019 00:49:25 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:10.ufs Security Advisory The FreeBSD Project Topic: Kernel stack disclosure in UFS/FFS Category: core Module: Kernel Announced: 2019-07-02 Credits: David G. Lawrence Affects: All supported versions of FreeBSD. Corrected: 2019-05-10 23:45:16 UTC (stable/12, 12.0-STABLE) 2019-07-02 00:02:16 UTC (releng/12.0, 12.0-RELEASE-p7) 2019-05-10 23:46:42 UTC (stable/11, 11.2-STABLE) 2019-07-02 00:02:16 UTC (releng/11.2, 11.2-RELEASE-p11) CVE Name: CVE-2019-5601 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Berkeley Fast File System (FFS) is an implementation of the UNIX File System (UFS) filesystem used by FreeBSD. II. Problem Description A bug causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. This data can be viewed by any user with read access to the directory. Additionally, a malicious user with write access to a directory can cause up to 254 bytes of kernel stack memory to be exposed. III. Impact Some amount of the kernel stack is disclosed and written out to the filesystem. IV. Workaround No workaround is available but systems not using UFS/FFS are not affected. V. Solution Special note: This update also adds the -z flag to fsck_ffs to have it scrub the leaked information in the name padding of existing directories. It only needs to be run once on each UFS/FFS filesystem after a patched kernel is installed and running. Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, reboot the system and run: # fsck -t ufs -f -p -T ufs:-z to clean up your existing filesystems. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.x] # fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch # fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch.asc # gpg --verify ufs.12.patch.asc [FreeBSD 11.x] # fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch # fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch.asc # gpg --verify ufs.11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system and run: # fsck -t ufs -f -p -T ufs:-z to clean up your existing filesystems. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r347474 releng/12.0/ r349623 stable/11/ r347475 releng/11.2/ r349623 - ------------------------------------------------------------------------- Note: This patch was applied to the stable/11 branch before the branch point for releng/11.3. As such, no patch is needed for any 11.3-BETA or -RC. To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0b9WVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cJgRhAAic+yb4boY5k2TotBe9xBBO2VEGwvcolARpvUg+78ya4RGh1d3FBH5R36 N6uEvaAclrRsPHnDSeCD3BVmQkWBzD5a7t+z+m5Siye+01mA4XjKycNDl9BXm7sT t01GP7TPBmaJZ45RPqT4M/iB1Ulud0kdKvi/apwDLbqJrbzcuxyBNs+wiQhbG2Ip 07REBqabnsL8dV2ysPtBlHd1nxyNyyF8EzkDUKYUWDnwPxzlrfrJAt+F7sneRrPf tL3UsN+qh3JThI39CjFWPllVRv412QCFBDmGXHdbm+mWrxIecX5pUEoLfQQLJ82x 03TOYbZpu4d4CvgeSEXl3VkbHl6F6u/ii8ls/7aUDNnZcHWamraP84aJpLBG2cUa ExDDL6K0x1LMhlGWxjGr0qp2ObdQ0sKTgQZ/RUmJO4pc4zuPc0yY3jOv4U+kP2G/ znHEVVRs8/X95OYA0fdvnG0rOdcKGdqKEDxeTvFhyvxM372erT/dMz9flGnptA51 30eAwyKmzj5Mzpo5y/NARyGLRTfOB2F6++BFrlqbsKCXcyK1R5jtxu1TLaliPvA/ Aux8D4OQHIXIGk/sVQSJKOO4oH6U7S2aNtYTxaYHAJrtbC9udnyjVau2txlObEZr pCbd+a02Btid0bBRUSFYugl4XHtakTVvtu93Fa19wASYDnZJIUE= =uUz9 -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed Jul 3 00:49:29 2019 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 300FB15E271F for ; Wed, 3 Jul 2019 00:49:29 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7493477F46; Wed, 3 Jul 2019 00:49:28 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 5C86A1A7E0; Wed, 3 Jul 2019 00:49:28 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-19:11.cd_ioctl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20190703004928.5C86A1A7E0@freefall.freebsd.org> Date: Wed, 3 Jul 2019 00:49:28 +0000 (UTC) X-Rspamd-Queue-Id: 7493477F46 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.89 / 15.00]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_MEDIUM(-0.98)[-0.983,0]; NEURAL_HAM_SHORT(-0.91)[-0.911,0]; ASN(0.00)[asn:11403, ipnet:96.47.64.0/20, country:US]; NEURAL_HAM_LONG(-1.00)[-0.999,0] X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.29 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2019 00:49:29 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-19:11.cd_ioctl Security Advisory The FreeBSD Project Topic: Privilege escalation in cd(4) driver Category: core Module: kernel Announced: 2019-07-02 Credits: Alex Fortune Affects: All supported versions of FreeBSD. Corrected: 2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE) 2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7) 2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE) 2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1) 2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11) CVE Name: CVE-2019-5602 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The cd(4) driver implements a number of ioctls to permit low-level access to the media in the CD-ROM device. The Linux emulation layer provides a corresponding set of ioctls, some of which are implemented as wrappers of native cd(4) ioctls. These ioctls are available to users in the operator group, which gets read-only access to cd(4) devices by default. II. Problem Description To implement one particular ioctl, the Linux emulation code used a special interface present in the cd(4) driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read access to a cd(4) device to arbitrarily overwrite kernel memory when some media is present in the device. III. Impact A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device. IV. Workaround devfs.conf(5) and devfs.rules(5) can be used to remove read permissions from cd(4) devices. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterwards, reboot the system. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.x] # fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch # fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch.asc # gpg --verify cd_ioctl.12.patch.asc [FreeBSD 11.x] # fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch # fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch.asc # gpg --verify cd_ioctl.11.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r349628 releng/12.0/ r349625 stable/11/ r349629 releng/11.3/ r349625 releng/11.2/ r349625 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0b9WtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cK+nBAAqVz2kEviqpD6wTqwmDexacApQ8aRrnxUDA/PSU/ZStdU3/E3OHAEwMOr k3qNBbMYUO5alXyLfe9Gv2iP2eTD8QP6xafMiwvcMxS2aJe6ieRmRTLUbep0QBEN weIaafjvIlLElJTWb9Rr5CTUs6sSdq7Jc84dHPHSOQehhkCFydTdHCaYtvRS2tg1 YYyzMdTlT1VRCL3Rb6iHkqLG7JKX1fTLsPxXGqv/IjYAcDREZjVNhxjvcsQsMQxD 2tTBDVZZLJBOHshGg/kyCRB++d36JNED0kb7/lfohGBvZS6wtmbe9z3a1+S4MN9i sxNdLc4a/Qr3iP4SzgGf6YuD/BmXg/7HWZnBj220VncVHYjQThAZih0VDUSy9zBy EplpqcRYebzvAQkq63e2LE66rveX58L7KAzZDG2QJUrPDJAfxgdc1fslgm/+/Yck /lHVG8gxJNr+tpC80vKxssS7WhNUnd1zThKa2D5rrFnsWUR5da66mxJelUrq+vPT bhs/nHOzqqXpojh+j/8a6q8Wi2CDSGnJ9vtt0FZu7SG0/r7hlUAAuI0o9VJV/Uh4 CyJeVlJ65+4bUm+k9qFBxsmd7S08f1Z6UND8/1ffFOYm4POVJcRa1wUswYjXPfjp Sf0rZ5vCq8TG7EOcdMHqHBgAumx3gAXj+I73Lwm73vnP4jMoqmw= =Bc/8 -----END PGP SIGNATURE-----