From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:03.pam_login_access
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210224060605.30E461BBA7@freefall.freebsd.org>
Date: Wed, 24 Feb 2021 06:06:05 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:03.pam_login_access                           Security Advisory
                                                          The FreeBSD Project

Topic:          login.access fails to apply rules

Category:       core
Module:         pam_login_access
Announced:      2021-02-24
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-24 01:20:53 UTC (stable/13, 13.0-STABLE)
                2021-02-24 01:42:42 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-24 01:40:36 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:44:01 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-24 01:39:53 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:53 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2020-25580

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

login.access(5) is a system configuration file allowing administrators to
define policy around system login access by specific users and groups.  It
is implemented by a pam(3) module, pam_login_access(8), and is configured
by default for accesses via sshd(8), telnetd(8) and the system console.

II.  Problem Description

A regression in the login.access(5) rule processor has the effect of
causing rules to fail to match even when they should not.  This means that
rules denying access may be ignored.

III. Impact

The configuration in login.access(5) may not be applied, permitting login
access to users even when the system is configured to deny it.

IV.  Workaround

No workaround is available.  Systems not relying on login.access(5) to
enforce custom login policies are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch
# fetch https://security.FreeBSD.org/patches/SA-21:03/pam_login_access.patch.asc
# gpg --verify pam_login_access.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/13/                       8cf559d6b9b4782bf67eb868ea480f47fc8c64a4
releng/13.0/                     f82cffcf2f44c909bec00d18549826f5d1d62205
stable/12/                                                        r369346
releng/12.2/                                                      r369359
stable/11/                                                        r369345
releng/11.4/                                                      r369351
-------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the
following command in a checked out git repository, replacing NNNNNN with
the revision hash:

# git show --stat NNNNNN

Or visit the following URL, replace NNNNNN with the revision hash:

[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at


From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:04.jail_remove
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210224060611.EADC81BD00@freefall.freebsd.org>
Date: Wed, 24 Feb 2021 06:06:11 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:04.jail_remove                                Security Advisory
                                                          The FreeBSD Project

Topic:          jail_remove(2) fails to kill all jailed processes

Category:       core
Module:         jail
Announced:      2021-02-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-19 01:22:08 UTC (stable/13, 13.0-STABLE)
                2021-02-19 21:53:07 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-19 21:46:31 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:43:39 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-19 21:50:26 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:41 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2020-25581

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The jail_remove(2) system call, which was introduced in FreeBSD 8.0,
allows a non-jailed process to remove a jail, which includes terminating
all the processes running in that jail.

II.  Problem Description

Due to a race condition in the jail_remove(2) implementation, it may fail
to kill some of the processes.

III. Impact

A process running inside a jail can avoid being killed during jail
termination.
If a jail is subsequently started with the same root path, a
lingering jailed process may be able to exploit the window during which
a devfs filesystem is mounted but the jail's devfs ruleset has not been
applied, to access device nodes which are ordinarily inaccessible.  If the
process is privileged, it may be able to escape the jail and gain full
access to the system.

IV.  Workaround

The problem is limited to scenarios where a jail containing an untrusted,
privileged process is stopped, and a jail is subsequently started with the
same root path.  Users not running jails are not affected, and the problem
can be avoided by not starting a jail with the same path as a previously
stopped jail.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.13.patch.asc
# gpg --verify jail_remove.13.patch.asc

[FreeBSD 11.x, FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch
# fetch https://security.FreeBSD.org/patches/SA-21:04/jail_remove.patch.asc
# gpg --verify jail_remove.patch.asc

b) Apply the patch.
Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/13/                       894360bacd42f021551f76518edd445f6d299f2e
releng/13.0/                     9f00cb5fa8a438e7b9efb2158f2e2edc730badd1
stable/12/                                                        r369312
releng/12.2/                                                      r369353
stable/11/                                                        r369313
releng/11.4/                                                      r369347
-------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the
following command in a checked out git repository, replacing NNNNNN with
the revision hash:

# git show --stat NNNNNN

Or visit the following URL, replace NNNNNN with the revision hash:

[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at


From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:05.jail_chdir
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210224060621.AC80A1BC9E@freefall.freebsd.org>
Date: Wed, 24 Feb 2021 06:06:21 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:05.jail_chdir                                 Security Advisory
                                                          The FreeBSD Project

Topic:          jail_attach(2) relies on the caller to change the cwd

Category:       core
Module:         jail
Announced:      2021-02-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-22 05:49:40 UTC (stable/13, 13.0-STABLE)
                2021-02-22 18:25:23 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-22 19:03:43 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:43:47 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-22 19:08:27 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:46 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2020-25582

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The jail_attach(2) system call, which was introduced in FreeBSD 5 before
5.1-RELEASE, allows a non-jailed process to permanently move into an
existing jail.

The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control
another (the traced process).

II.  Problem Description

When a process, such as jexec(8) or killall(1), calls jail_attach(2)
to enter a jail, the jailed root can attach to it using ptrace(2) before
the current working directory is changed.

III. Impact

A process with superuser privileges running inside a jail could change
the root directory outside of the jail, thereby gaining full read and
writing access to all files and directories in the system.

IV.  Workaround

No workaround is available, but systems that are not running jails with
untrusted root users are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch.asc
# gpg --verify jail_chdir.13.patch.asc

[FreeBSD 11.x, FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch.asc
# gpg --verify jail_chdir.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/13/                       5dbb407145c8128753fa30b695bc266dc671e433
releng/13.0/                     f3f042d850baaeda1bed19e00c2b3b578644b7e9
stable/12/                                                        r369334
releng/12.2/                                                      r369354
stable/11/                                                        r369335
releng/11.4/                                                      r369348
-------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the
following command in a checked out git repository, replacing NNNNNN with
the revision hash:

# git show --stat NNNNNN

Or visit the following URL, replace NNNNNN with the revision hash:

[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at


From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-21:06.xen
Reply-To: freebsd-security@freebsd.org
Message-Id: <20210224060628.A6EF21BD17@freefall.freebsd.org>
Date: Wed, 24 Feb 2021 06:06:28 +0000 (UTC)

=============================================================================
FreeBSD-SA-21:06.xen                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Xen grant mapping error handling issues

Category:       contrib
Module:         xen
Announced:      2021-02-24
Credits:        See Xen XSA-361 for details
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-23 00:55:14 UTC (stable/13, 13.0-STABLE)
                2021-02-24 01:42:35 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-23 00:58:03 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:43:59 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-23 00:59:23 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:51 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2021-26932

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Xen is a type-1 hypervisor which supports FreeBSD as a Dom0 (or host
domain).

II.  Problem Description

Grant mapping operations often occur in batch hypercalls, where a number
of operations are done in a single hypercall, the success or failure of
each one reported to the backend driver, and the backend driver then
loops over the results, performing follow-up actions based on the success
or failure of each operation.

Unfortunately, when running in HVM/PVH mode, the FreeBSD backend drivers
mishandle this: Some errors are ignored, effectively implying their
success from the success of related batch elements.  In other cases,
errors resulting from one batch element lead to further batch elements
not being inspected, and hence successful ones to not be possible to
properly unmap upon error recovery.

III. Impact

A malicious or buggy frontend driver may be able to cause resource leaks
in the domain running the corresponding backend driver.

IV.  Workaround

No workaround is available.  FreeBSD systems not using Xen are not
affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-21:06/xen.patch
# fetch https://security.FreeBSD.org/patches/SA-21:06/xen.patch.asc
# gpg --verify xen.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/13/                       ab3e1bd3c22a222520c23c2793cc39e3a23c9b46
releng/13.0/                     ce9af53d0897a1cb926bd244f499fc09b1626b27
stable/12/                                                        r369341
releng/12.2/                                                      r369358
stable/11/                                                        r369342
releng/11.4/                                                      r369350
-------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the
following command in a checked out git repository, replacing NNNNNN with
the revision hash:

# git show --stat NNNNNN

Or visit the following URL, replace NNNNNN with the revision hash:

[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
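
The two failure modes in the Problem Description of FreeBSD-SA-21:06.xen, set
beside a loop that inspects every batch element. This is an added example, not
FreeBSD or Xen code: the types, the simulated hypercall and every function name
are hypothetical, and the sample batch (element 1 of 4 failing) is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical model: none of these names are Xen or FreeBSD APIs. */
#define MAP_OK       0
#define MAP_ERR     (-1)
#define HANDLE_NONE (-1)
#define BATCH        4

struct map_op {
    int status;  /* per-element result filled in by the simulated hypercall */
    int handle;  /* meaningful only when status == MAP_OK */
};

struct outcome {
    int rc;    /* what the handler reported for the whole batch */
    int live;  /* mappings still held after the handler returned */
};

typedef int (*handler_fn)(struct map_op *ops, size_t n);

static int live_mappings;  /* mappings the simulated hypervisor still holds */

/* Simulated batch map: elements whose bit is set in fail_mask fail. */
static void sim_batch_map(struct map_op *ops, size_t n, unsigned fail_mask)
{
    for (size_t i = 0; i < n; i++) {
        int failed = (int)((fail_mask >> i) & 1u);

        ops[i].status = failed ? MAP_ERR : MAP_OK;
        ops[i].handle = failed ? HANDLE_NONE : 100 + (int)i;
        if (!failed)
            live_mappings++;
    }
}

static void sim_unmap(struct map_op *op)
{
    if (op->handle != HANDLE_NONE) {
        op->handle = HANDLE_NONE;
        live_mappings--;
    }
}

/* Flaw 1: only the first element is checked; the rest are assumed to match. */
static int handle_first_only(struct map_op *ops, size_t n)
{
    (void)n;
    return ops[0].status == MAP_OK ? 0 : -1;
}

/* Flaw 2: inspection stops at the first error, so error recovery never
 * sees the successful elements that follow it. */
static int handle_stop_at_error(struct map_op *ops, size_t n)
{
    size_t i = 0;

    while (i < n && ops[i].status == MAP_OK)
        i++;
    if (i == n)
        return 0;
    while (i-- > 0)
        sim_unmap(&ops[i]);
    return -1;
}

/* Checked: inspect every element, then undo every successful mapping
 * if any element failed. */
static int handle_checked(struct map_op *ops, size_t n)
{
    int failed = 0;

    for (size_t i = 0; i < n; i++)
        if (ops[i].status != MAP_OK)
            failed = 1;
    if (!failed)
        return 0;
    for (size_t i = 0; i < n; i++)
        sim_unmap(&ops[i]);  /* no-op for elements that never mapped */
    return -1;
}

/* Run one simulated batch through a handler and report the result. */
static struct outcome run_batch(handler_fn fn, unsigned fail_mask)
{
    struct map_op ops[BATCH];
    struct outcome out;

    live_mappings = 0;
    sim_batch_map(ops, BATCH, fail_mask);
    out.rc = fn(ops, BATCH);
    out.live = live_mappings;
    return out;
}

int main(void)
{
    static const struct { const char *name; handler_fn fn; } h[] = {
        { "first-only",    handle_first_only },
        { "stop-at-error", handle_stop_at_error },
        { "checked",       handle_checked },
    };

    /* Constructed input: element 1 of 4 fails (fail_mask 0x2). */
    for (size_t i = 0; i < sizeof(h) / sizeof(h[0]); i++) {
        struct outcome o = run_batch(h[i].fn, 0x2);
        printf("%-14s rc=%d live_mappings=%d\n", h[i].name, o.rc, o.live);
    }
    return 0;
}
```

A handler that reports an error should leave no live mappings behind, and one
that reports success should only do so when every element succeeded.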