From nobody Wed Sep 4 23:36:57 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Wzf615yfRz5VrbZ for ; Wed, 04 Sep 2024 23:36:57 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Wzf614cGKz42vs; Wed, 4 Sep 2024 23:36:57 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493017; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=0dFL40DG7Pao9Pxo5I7AZ9hbuEvwEXKYBc7m151gRek=; b=WrngpqM7wbQX9N9oxFhWfeHjvqdXmF5KXDzKeU/MF5Xo4D1RyWGQVi7hU+08Fz2TXe0D3q 57wVdRef5Z3QBFamX0w8Xx71pFgdJWVR/rIuk1lu7koVOugf5tIlNx/cLoQqZfoYjF8p99 Gp7nRawj0l6ms/8P3kRWoriJgyHbrI2FOJrtfLPfbr3jmyWjh0P9fhXV9fJmiClRwnak2B TJTjKzWfQwGNUMaPcc+D2MVeIJr3/3Sp8n0t0RuWQqjXyMlfYiqIwMpK8SmpljpsJPmSzU Zm/gTlUTiWih3mCyxXGzY8S/VSH/gB9UBnv1D/Our1fz2B5ioZUb8oo7T1cmNQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725493017; a=rsa-sha256; cv=none; b=DxKio29Nu6D09JRwsaAhWbhQkmIhSDw5sw2ah9tAqADXPMONaGo0EjxzWcj+x3tY1J3lJR fGDGM922NTrtYdQGC9+2xNFJPMEVRa2LUH7I3dbf+F9v0K165YpMBYp1IdYjrn7l3r9uEj H8wpLMGZvrQU/jxqWywJ6tWGVOXw1hb1RXc8bIyyEtcWFhcI55VcR84Wxhq2mFH5Ts6fMT yxt+tDAz8z/jw1aHaHAZFS8kLEOZIyfeiRKpub/aQRtYKY/rYc0wVC/Gw2XLYkiaA3X8gc myogGNEXdbaSPVv2FRInelKZUivZDtClJ+ZXo/NA8s75wTB8Y/678SllDrCekg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493017; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=0dFL40DG7Pao9Pxo5I7AZ9hbuEvwEXKYBc7m151gRek=; b=tfzkCjqfwF7GuhOqQ4vvnRHJ4L7fCoqTyOn0j56N5O7zuxZRiXgcB9GX8z7FIerQL6hHDX WiyQ2X/7DcSbXH/M8vnINmMiARuMdr9FDWjLmMNXPDGLlf/IL+m0VuH5+ZfvfT1FVnL+IL O2iYpGYT69UL+VQCpMuDiPElxN3E1as0VnPRigFYMqr29IMBWZa1hdyY1Fi/FLNoO+dbY5 OmK5Z86CrG+fiJqy4+hHTyEoR3MZUdwFWYxZumFq+nNC8+LteDfDsnBpsm/GpLkXHygXzE bD60l7oTRSECzReSKFM9OylNncw8Xx6oiP9jJPlBlJMbqRLOoplDoXMalPxc3g== Received: by freefall.freebsd.org (Postfix, from userid 945) id 744FB27419; Wed, 04 Sep 2024 23:36:57 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-24:15.calendar Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20240904233657.744FB27419@freefall.freebsd.org> Date: Wed, 04 Sep 2024 23:36:57 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-24:15.calendar Errata Notice The FreeBSD Project Topic: cron(8) / periodic(8) session login Category: core Module: periodic Announced: 2024-09-04 Affects: All supported versions of FreeBSD. Corrected: 2024-08-08 20:07:04 UTC (stable/14, 14.1-STABLE) 2024-09-04 21:34:23 UTC (releng/14.1, 14.1-RELEASE-p4) 2024-09-04 20:54:10 UTC (releng/14.0, 14.0-RELEASE-p10) 2024-08-08 20:07:07 UTC (stable/13, 13.4-STABLE) 2024-08-14 03:37:16 UTC (releng/13.4, 13.4-BETA3) 2024-09-04 20:29:38 UTC (releng/13.3, 13.3-RELEASE-p6) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background periodic(8) is run via cron(8) as root to perform periodic system functions to be executed on a daily, weekly, or monthly basis. II. Problem Description periodic(8) jobs are typically run in a context as the `root` user, but an erratum in calendar(1) may clobber the login session of both cron(8) and periodic(8) to a non-`root` user if the daily calendar job is enabled with `daily_calendar_enable=YES`. III. Impact Mail sent after calendar(1) has run in the daily periodic run will have a non-root sender on the envelope. This includes security jobs as well as other cron jobs that may be run after the daily job has concluded. IV. Workaround No workaround is available. Systems that have not explicitly enabled the daily calendar job are not affected. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-24:15/calendar.patch # fetch https://security.FreeBSD.org/patches/EN-24:15/calendar.patch.asc # gpg --verify calendar.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 33708452aaab stable/14-n268432 releng/14.1/ 86d01789bf41 releng/14.1-n267709 releng/14.0/ d94dbaa516e0 releng/14.0-n265431 stable/13/ 3a9010c98b3d stable/13-n258228 releng/13.4/ 7088bf662d46 releng/13.4-n258220 releng/13.3/ eab94c0fbb78 releng/13.3-n257447 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY53AACgkQbljekB8A Gu+FxA/+JUfcaaoOhPcS8VabJS4UKYKH3S703qTSqaR1KsHj+nKXj5eSWCyGA4KI C4p+9C4H7shzgO4SF18+HR679i+y0QNayEpEv9MkUsuYfevx3t8+E7joOH10usi1 g92EPpAUYM5Cb0NpsjFS8gQk18qRlY76asdQlA+b8RDB0gU7lJkDTxrT4TUtJqKP ysAa2ZruGuJbZpZlVPY/JLA9/liwBZcq6fij1g4dyQke6PbvTkoWxFD/3+/ufKXu mWW+VsYxldNQRIJF9+8SuIcGTkDUr4HAP7EPYYKU8prX39lsAN0fA7oQO0ohvQ1b 20Oglq4PYQTEzv16KbAGZdByEzH2Tnzoz8jkaUeIfgnQrHEZbiaqckixi3bUOzPV SJ037qikttpxVXrs6qxehl1f9tMLXFlbRSOrVrxg+YSb8Xy0nxRvdNwuJ+1OS2bD DoPDXs3BVtecKrArDrZcbFcvzNbNiESZGRlFBI7hiy8DQFNFT755n1NnIDxjDerW Qo9MELlWerWyP2djzS+C5YeTe3HPMw8dRbPORRKBD65+dXDn+W53TeJdVY/uwN/O B9l/RRehDTB4pj79J6689h3mPSBgMC0tS33Nv1Xm42+58JPb9hP+RzHQkNVJcrxk RDpKKxgJjTm5hQ+U8TMN+YOfWJnrEGk+mSWK8Vk96C0JQJSd0lI= =Z1hr -----END PGP SIGNATURE----- From nobody Wed Sep 4 23:37:09 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Wzf6F6p5fz5VrV6 for ; Wed, 04 Sep 2024 23:37:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Wzf6F4HfBz431P; Wed, 4 Sep 2024 23:37:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493029; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=sihM7hW09+/9+/fX1cUNOsRBMikmj092y5/RDYDM4so=; b=yRjPjrloRMTy+6v4w/RA3tMwTF1bYcd6xoNbb/mw7YLup6ND8loqU2GKPgH0zvabG1wOsA X1E3+OvHUtuRe1u+j2YZUf/+iwrdxTEhW7u2uYMelrKscXF5PcBsugcM9oB0sYbCQ9ryB1 +F7S6jpoo1fZDoNlSfDt60Sk1/t5+g/vVdCZ/5DO8BPxbkP/+oTrYYorozerJzEBfuJCGd p69D5FPiaAZIa2xlkwR6GjTTWGKjgCsnA80LrfksBqijQVdZ4ioOpiJKuE5zhhLrkK/2nQ zjTX5hNVNUPYOYxRGaioJHvIiWe3k5zRj8WT0yAB7qPh6l6jfp/j2MTND/41Uw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725493029; a=rsa-sha256; cv=none; b=q/4ZKc46O7pb3zG6PDSNUbP0Sd4QbL3en9xhzVXJCm99PwrVR4dU3oLs5sFwG3oOuR7lWB wSVMDn2BKBD2XKb1OD+ljhqwxPJg1NGvgkh4VIRTxp5npgHa+1asANmwckw8L0UssQ1iAV XFhNKGT2DC1GSQ2XpLjrSnfPqZdXMnrFXSjJ4u+mCoCTBBJX6oHmVx2jNQl4l0Ep1ekJmO fmFbXxykUpdnG2UtuGm61q3Jbd42ZUQJzXhhO+OaNOc/PusIU8ii9NPD4r+y/WCT1cl8KJ efdWuTH/hoAkmwFcmEjYgn9PIBU96dOrt2v6J5xr4RxB5c9yQAbKJ1dK4qLmGg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493029; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=sihM7hW09+/9+/fX1cUNOsRBMikmj092y5/RDYDM4so=; b=fMZkkqrEQ5kjxVwBe1nEXkW8LQSrq2qK3lV09qABO/mtFNPrUpKoOGFUVX+W1gFAFzL79N xidhtoQptQ6iqgleSCKVPxyl3kYY15jh2JbqkHUq7wuVF77v7X4eP7F48vnpL7R9osisNu 1wbuY3b0XqPj5s+cStMpCWqR9ZMgYH6sgvWPYpHuy0qd1tvSJ6EabRsxcc+LmQ6XilHrkt OY9/tOMrJJMQ6H8x3e4VCNvLXMpg9M3TFIHnzgsjZnd2JwHopVQz9SJX7kDk7uioZ8EeBq mIHdmtNWmGpSzuiu4j/d+VtoOPaoeEVaYpXWUDY+A4us03V56yvOja17VG+msQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 88E97273B6; Wed, 04 Sep 2024 23:37:09 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:09.libnv Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240904233709.88E97273B6@freefall.freebsd.org> Date: Wed, 04 Sep 2024 23:37:09 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:09.libnv Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in libnv Category: core Module: libnv Announced: 2024-09-04 Credits: Taylor R Campbell (NetBSD, CVE-2024-45287) Synacktiv (CVE-2024-45287, CVE-2024-45288) Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project Affects: All supported versions of FreeBSD. Corrected: 2024-09-04 12:24:56 UTC (stable/14, 14.1-STABLE) 2024-09-04 21:07:27 UTC (releng/14.1, 14.1-RELEASE-p4) 2024-09-04 20:54:12 UTC (releng/14.0, 14.0-RELEASE-p10) 2024-09-04 12:24:12 UTC (stable/13, 13.4-STABLE) 2024-09-04 19:13:10 UTC (releng/13.4, 13.4-RC2-p1) 2024-09-04 20:29:40 UTC (releng/13.3, 13.3-RELEASE-p6) CVE Name: CVE-2024-45287, CVE-2024-45288 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libnv (also called nvlist) is a general-purpose library designed for storing name-value pairs. This library can serve as an Inter-Process Communication (IPC) framework, enabling processes to exchange data. For example, it is used in libcasper to communicate between privileged and unprivileged processes. Additionally, libnv can function as an interface for communication between userland and kernel. Originally, libnv was inspired by OpenZFS nvlist. However, the implementations are separate. This advisory is only about base system implementation of libnv, not a OpenZFS one. II. Problem Description CVE-2024-45287 is a vulnerability that affects both the kernel and userland. A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. CVE-2024-45288 is a vulnerability that affects both the kernel and userland. A missing null-termination character in the last element of an nvlist array string can lead to writing outside the allocated buffer. III. Impact It is possible for an attacker to overwrite portions of memory (in userland or the kernel) as the allocated buffer might be smaller than the data received from a malicious process. This vulnerability could result in privilege escalation or cause a system panic. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch # fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch.asc # gpg --verify libnv.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . d) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 9c2ef102166e stable/14-n268655 releng/14.1/ d87f821959fb releng/14.1-n267696 releng/14.0/ b219ce1c5a93 releng/14.0-n265433 stable/13/ 03bef9971d73 stable/13-n258309 releng/13.4/ 3aa9be7e3334 releng/13.4-n258240 releng/13.3/ 33b4e2361c82 releng/13.3-n257449 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54cACgkQbljekB8A Gu8YLRAAmpVVVib8RgEj0bKS5qNLwujEssMIO96LS73txcFGm/Iy+QJA/N/SRtDL lnKRi0ya90pBmXXhX03Uei+O/nBAFxkCxCukuQ36bauJrA74RFgn/8ZK63RbvdDE K+xAyK71FXLTr+wGqyzv0xOxNA60dl14WiyaLCUX++0DU3EesmVD508wIL7Ls/bS 5g5vllxmELV2zXYXY/DbEVHS/i2YRCs8ftasa92uXVgOibODVpL/GSXy1QHyykNQ ODAmGjs+p0xf2JDJa2qvokMh4WS4HkGe4W/TcJueTiSbsdOrDDhOV/n0QTgwt1rQ zq2QQU3tk2unYjhQrR6ZvHTbFCKc7G3BVFCPAZ6fSthq834EoCr2LUGyYhU+bLZ6 SweQfCP48ExjIqvDzQqMOlvp9rMiLbxpjkdDcsml4zhD2GE+byuT6RSRBqq3tBvT 893YoIiW1m069DnAQxh1Zlewsk/BZFeeXBHZdk4Ik5KYFCwCabV3HLFa9hA1/iKx 5ITULL0gZgZKBQ9IbpkL45q9mcDHXrVuMPfA0a3bb38rpoK5uof25+oKSGGvWyDA plGXuEh5Sltmx0lOdY2O70j8pLh7bVJCyo5rYDhObzQlWiajUx1pH3M9DePbI+Rk Z+Gby0zKpXzgSfHSiSyfVPgDMa83yDpiozRMszjpvApB7h/hekQ= =yX5r -----END PGP SIGNATURE----- From nobody Wed Sep 4 23:37:14 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Wzf6M0wtWz5VrC0 for ; Wed, 04 Sep 2024 23:37:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Wzf6L5SVgz43Mv; Wed, 4 Sep 2024 23:37:14 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493034; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=m1Cpd1Aj0GPEezgbQ0x/T2BZ/WefwsqLvSzT6p8WWe8=; b=mAhUT/Tsf1QeKys6lSkLSwoA1bKreVKesq/6IgOiFb1mAjbVG5Z5kkwiAAUDv6GLFTgVaD mtoHSVhJxV4Qc1QIOLCEWuYsDtfJQaDYivJv2JM0NqsiKDdjW4KXSikJxoQsiuQERciV+s plZ5EAcTHQBjhJrjh65E+FnYeBdAMjo3OKNwzWEFQzbzi6PkbCI3EKhOBm4CMMYl0+cAOB iILVnVz9EZqvFZG1m/ES3f4UMr1FvArjmo536L76pKtReOcn6BKwngsvM9QlT9QZ0E87a2 3ROkRL8dC5fZ9swk/zHwU6bU2CH34rwqi2jzMzzkucVndIR3AhtVN4kfye7V4A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725493034; a=rsa-sha256; cv=none; b=dxnP2LWwcOF2VmjwugO3O/0mA6ui6GgBEoHtx8eiWvVS0nTm05AenwtggKvJEMf2EXTdiq OFdpuyeS3i7s4WOtCb/MuoVE0oK4XuTZnoPweawXHbeiYDkedmHLWTTapzdqE2IuxfzNvX gjCu+ixCUJ84uqXynU54+80DZ3UTAdQ6uU1gM4bdjAu4GIf5q9QJILzuVi12csqqP9NOQX A7jigPT2ey5oS87eO1lvQdSuR8vJFLVypk2LaqqzbQdgQO25rvUi8+jluVDq1MsLTdZ7yp 2DMblNk9YLPO67ndSh2FojLUEttHATNR+Tm0NMNRTYH0rXH0zqaNAfIZNrewHg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493034; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=m1Cpd1Aj0GPEezgbQ0x/T2BZ/WefwsqLvSzT6p8WWe8=; b=a44oV8Sy17Jt4ziPCC6RVrSCYezlb0F2H1H43FZKEQcvy1kuDak5UeCB62hPhtYLxFW4yA DPayakAUxb71/mX2moMXXoSL3WqndC1/QTKKZYFNMR1Z63smzAsY8F2BgP3hX2/ntCzQ76 8YRdsBOhZrhRvB43PK63hFuK/wzr4rqwGTv1u8SeH587CGkhrMde5hgQ6jBv32ZvHnq8+S lbknOccPbObVg9P0aG80vV6p2nN+VFCETm8WxdCD4Pn2ggqrx84bNyGsjH1tDkBUI4iEp+ OG/hkcXBxSp1RTpSJVmWpW/O9O1SdMnFX/x8VT3pdZM1/918lAFjN59UXo2UEA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 745C6271F1; Wed, 04 Sep 2024 23:37:14 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:10.bhyve Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240904233714.745C6271F1@freefall.freebsd.org> Date: Wed, 04 Sep 2024 23:37:14 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:10.bhyve Security Advisory The FreeBSD Project Topic: bhyve(8) privileged guest escape via TPM device passthrough Category: core Module: bhyve Announced: 2024-09-04 Credits: Synacktiv Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project Affects: FreeBSD 14.x Corrected: 2024-09-04 15:42:29 UTC (stable/14, 14.1-STABLE) 2024-09-04 21:07:28 UTC (releng/14.1, 14.1-RELEASE-p4) 2024-09-04 20:54:13 UTC (releng/14.0, 14.0-RELEASE-p10) CVE Name: CVE-2024-41928 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background bhyve(8) is a hypervisor that runs guest operating systems inside a virtual machine. II. Problem Description bhyve can be configured to provide access to the host's TPM device, where it passes the communication through an emulated device provided to the guest. This may be performed on the command-line by starting bhyve with the `-l tpm,passthru,/dev/tpmX` parameters. The MMIO handler for the emulated device did not validate the offset and size of the memory access correctly, allowing guests to read and write memory contents outside of the memory area effectively allocated. III. Impact Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. IV. Workaround No workaround is available, but guests that do not use TPM passthrough are not impacted. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Guest operating systems exposing the TPM device need to be restarted for the correction to be applied. (i.e., their corresponding bhyve process needs to be terminated and started again) Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch # fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch.asc # gpg --verify bhyve.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the corresponding bhyve processes, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 6ce4821f0859 stable/14-n268656 releng/14.1/ eab723be7542 releng/14.1-n267697 releng/14.0/ 429f200688ca releng/14.0-n265434 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The corresponding part of the security audit report as provided by Synacktiv will be published in due course. The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54kACgkQbljekB8A Gu9vGg//YkEx8/3PWE8GUfdwfGrzMD+bpXoJViBIW+CX4tYYDU05CzF9i/FbB93B 629nWU4HMmTrQfARtpC/VCRASz+v6kSJvsOwt2120GVx5SUuFkP2nw3fCWdH5tqu c/M4GRT2Brl4ZJFZGdfXCKYvGKnw68qhuX6CWFhXgAPAlj2VHNCluElriGMsuPs9 mmu6/YX5vwVps8dj1XJqx8TFv81PXyatBbzmDi4VMpeBkcM6RBjzDl3C9XVh2k9S ahPVp9yW/bXLS2U5GA+rTK4PNIJukZ5tRb2DXH3g5Ku9l6s2l3b8oof6kNifhwf7 1L8QeTYabkeeGgCfpKmQb7ouZoAHw2fe6M64X/IAkWM46XejiV0mzRokjrG9VIPf Ushi7hnEbI7Kzxw/H280R/lgsQh/o8+fF+3iFDij/GPKoWlLVy4WnLluihXkE2Xd wlFxD80CKVxGi18JBjCIo7sFrLPuec1rGPn9sULCf2Yi5TnRnBYp9OzD7wSx5zIR ohm6zKfajdyVlis9HLm1Xee4B7dEEbZWn6seo3DclCTIO22esN3Kjs8ovSyv1KFn B0m0bR8YbJ0qVT/jDYdWkZmJW/EmmZpMMAN91G0q+M9m8Od4e81iQZknvujPsw+I QjM5FlKvEuYXjt2tMxP35Dq8PXdl3jvY0fqTNrkCpuzKK0q76sM= =VI0d -----END PGP SIGNATURE----- From nobody Wed Sep 4 23:37:17 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Wzf6P6nwBz5Vrl6 for ; Wed, 04 Sep 2024 23:37:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Wzf6P4nyqz43Yb; Wed, 4 Sep 2024 23:37:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493037; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=d1Tm1gpEaqcTY7U571clUDT/ADVHp2ijW7RSnlwFASw=; b=SbokOI0a+StjsUf9Xzg/wIgpHVQD80or0gUROkY7OTsMA32IOcVQWVRi+Za4hmpNdBn598 vnH6ZXU08kVQY6U8n4nUNckWaCae5iBw7OxFI6EQvlve4dbuy9vO8ikr9v7FkC0C39yfN3 zgDrJM3qsCCn5EGUzaI5DNM2/sTedOdNRVajsUjBOxypFgC/LsIOJ0xSq9HvDQ3/d1vkqG Ype58mI+bcvnN6EbcnAEkUstzEOXpK+73FuwrIjyX5VCdFMuILeCV0CYSd2SkDmjQpgVxV v6cp9sz+f/0/ALpLgBWsPyn20C05G6G3A3Jmag/ucGBuGJSbY577WtOYzJB/TQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725493037; a=rsa-sha256; cv=none; b=KPLm3vNYDqOgaYpOYEzGhu8IfOLClfIvXKFEDPAyS1CwfvjZEZ6u6cfitlx/QEmJe3awtZ YWy94ogepHcPHP5MmsV4vKTRHm9oswbyuzI31k1hsq+ndBwAhfsz0d0YvD/i8hs5hTaCq1 qPInPB5tAN+xPuY54AVG2GY8r6ekrEfdrgYFUQCGDgo3JRVscD3xNcIzBfvA5vHRT5NUqr CJkAljAorf9lnIcw9heh3mYJ69A9M0EvipC4CmQkP0ccdrfc9wWqbiByNl+m76pmp68AuY cizv+S14R/mN75GzQlWEXGDQJufT5wzdE6pUg77mfsZPT+HRSbvVh0O14N1Rnw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493037; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=d1Tm1gpEaqcTY7U571clUDT/ADVHp2ijW7RSnlwFASw=; b=Q27ifp+wLROQdma2NkVUvh2P09iIgFqdnk2G7uynU2IatmaFiOweGsSNDejqzpAuKCq/S8 uSMktAbzrEM1wI3EUkNcf6Cwerm1sDa7/BRCnzN/jgVPVVRCATQbBxtXrSZQpf/VKHbIZo JpWw5BdTEyoMuae8Cq0KiDzyC2R4SN+kjJloDiUrocPH2doc408b5bg0lds0kJtiHTNtAA iKWzSr/lECip6Xb+8lNiBwJVSgVDM5HqUv+yjHwe8JbJUWlL+y+5+Oe6gS0MUQxtZaWad4 siR+FL3TtR7I0AFBqAmBoBuWd2K+gWZAjwAYS8Pb/pO+hOuSuOng2gDmqDy3AA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 8DE622733A; Wed, 04 Sep 2024 23:37:17 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:11.ctl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240904233717.8DE622733A@freefall.freebsd.org> Date: Wed, 04 Sep 2024 23:37:17 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:11.ctl Security Advisory The FreeBSD Project Topic: Multiple issues in ctl(4) CAM Target Layer Category: core Module: ctl Announced: 2024-09-04 Credits: Synacktiv Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project Affects: All supported versions of FreeBSD. Corrected: 2024-09-04 15:51:07 UTC (stable/14, 14.1-STABLE) 2024-09-04 21:07:33 UTC (releng/14.1, 14.1-RELEASE-p4) 2024-09-04 20:54:18 UTC (releng/14.0, 14.0-RELEASE-p10) 2024-09-04 15:53:53 UTC (stable/13, 13.4-STABLE) 2024-09-04 19:58:25 UTC (releng/13.4, 13.4-RC2-p1) 2024-09-04 20:29:45 UTC (releng/13.3, 13.3-RELEASE-p6) CVE Name: CVE-2024-8178, CVE-2024-42416, CVE-2024-43110, CVE-2024-45063 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ctl subsystem provides SCSI target devices emulation. The bhyve(8) hypervisor and ctld(8) iSCSI target daemon make use of ctl. II. Problem Description Several vulnerabilities were found in the ctl subsystem. The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing (CVE-2024-45063). The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it (CVE-2024-8178). The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory (CVE-2024-42416). The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace (CVE-2024-43110). Guest virtual machines in the bhyve hypervisor can send SCSI commands to the corresponding kernel driver via the virtio_scsi interface. This provides guests with direct access to the vulnerabilities covered by this advisory. The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming iSCSI connections, performs authentication and passes connections to the kernel ctl(4) target layer. III. Impact Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. IV. Workaround No workaround is available. bhyve VMs that do not make use of virtio_scsi (for instance, via `bhyve -s NN,virtio-scsi,...`), and hosts that do not export iSCSI targets, are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The system should be rebooted in order to effectively mitigate the issue with certainty. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 13.3, 14.0, 14.1] # fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch # fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch.asc # gpg --verify ctl.patch.asc [FreeBSD 13.4] # fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch # fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch.asc # gpg --verify ctl-13.4.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 803e0c2ab29b stable/14-n268660 releng/14.1/ d30ffde0806e releng/14.1-n267701 releng/14.0/ 4c60b8289d0e releng/14.0-n265438 stable/13/ c8afc072690f stable/13-n258314 releng/13.4/ 004298792002 releng/13.4-n258243 releng/13.3/ 639494a3c1e6 releng/13.3-n257453 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The corresponding part of the security audit report as provided by Synacktiv will be published in due course. The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54sACgkQbljekB8A Gu9gEBAArLEF2hSMAo63riezMWcREkF+3r7GfgOmKNq1CWFgfA/ikjZKxIxAojEj il6LBgEPQl7jhcC/eG2/U80gze5AtSsQpdCN5DgaQa4rrq4C8dIu8Q8DI/ZGkkAD 1oFQ5iz9IW0fszjCgwvdnEZt0wEvcMi8d3GzJddouVVxPgcTatw0VbMZWH9ZrpFA pwgybyntTE3IG1DqOmFWqjZmjV55BESlphp3LoheWYR21iGwuMsZWBWZ7+c9IK2j 6RP7ZBN6F/IEr0Np0G22iqUcgQOyA20zL1EJPq93Hp7OdxTMLSgggg1zq3GMEZi6 A8rjLHmiC6SIIjv7cFohU6vHHrUQkvkx1U0xmtI32StHowKf/Mn5wL8e+i+5g/JE vPG6vmFRDUvMqWjB/GK0atyZ7pFHMX9s75NcI7q846Rg0IW9birlgFfqZEQOndH+ O4AM2oQWOENg9FavMkZ9ScaR2/m2wQR8c4H3BLmAz6Q4R2+QQAjlDu2DtsLWFEeW 3DNna0/Lw67yDXv2+hJcj+WwQxxWBW3yEz6OVVdszdOofLy8eyUXHo2XGUFJZQKG ZpplFPuvq1ZEci544hRDmjGhdKH9h6UoUAOiZQz9vJbx0GyCnhiunyIcM9gN+Rmk KGP0t+jEDaMjkAWsu5w0qju68cFMRwEP1E+fT5atsmvnzQR+Zqo= =eocJ -----END PGP SIGNATURE----- From nobody Wed Sep 4 23:37:20 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Wzf6T4xPCz5Vrhv for ; Wed, 04 Sep 2024 23:37:21 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Wzf6S6kL2z43GG; Wed, 4 Sep 2024 23:37:20 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493040; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=WVhedY1QcnK9jX3fE7k0D6aYtPhVxZCdJRVfQhAZcLU=; b=qYte1uo+Cm2Xsu653qrOm+7e+2SJhbalbAmsPP3savYcdS4gsyMVE5aLIz/zP3f/NaIIso endLbhukPpuC6lDfz4ZodY2zn0+qEk09Zynt7qEMq0J6JMceG1zeMUCxq5H0M1divGH9h2 cBtWW/GALZ3oCT2JOA06s6VqoL7mb+w12sWEx++Vrl8ZxgM+rM1XRZyPMr9H0m2xkIH0qY oChKtTjrwca1o7cHLB+TIVCVcBqfDnS14IR3rLrMcwe1sJ083YavbQE3bnrLDYf2EYeeKk 4XZf7dJJebNhcMqsQW5aEHo5WjPw4TbADd6gd4+3sKmQgbCHJJqIclCp0/Qkiw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725493040; a=rsa-sha256; cv=none; b=DocE5JhhBoU09htd2TmOYjWOqAbBB26Jw3Rb+2OHmVv9iTd/hGg3nznXmi0M3bifKtCw/C 4Xtuh4Ll+a58i7RMd4UOG5bcC+3A3gAuIS0jlXLYAJx4Vwp+MpvrDhS2C6T1N/mkm3uK3r G85HBPotyetC0cXgMSaNL8UJaJ6jLwaAV63ElZmqZyqjvdHfXt7bCrPeY0wA6ch99D2Hda 67WFWKp2DeRSk4LID6nlxRy4cAeJOtLvPg/k9ok4BVP87nUXQJJ1ihvsDwu9oOvIFRqUMj LFFnMy4R/sUgSLeqVFbjrvoh9V5XP4N4HSVojk+sW9IvQ1YAnWxp83w/iU0x6w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493040; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=WVhedY1QcnK9jX3fE7k0D6aYtPhVxZCdJRVfQhAZcLU=; b=fIcQVYaeSvdFfZJJgNuS7uh5EtahwKfPEwJTriQzLAO5nRZDB0HO9orW2FR40vhWZjH5G7 /+F/zFL2Dfh3Fn4lUeLTD6nL183o9MtAF8+agVIxa8QvERDypdWsN8vJR9as5Pb1DWNasl mqlfs7NldSgB7iyM8z4hjy9oI/Rz8fW9iWClevsz8A9L6CGD2GRa4ZkgyFfTs1gaM8SsMz BD9o7nYWiZiMb8Hw/K+l8Hhy2aOPFlpSYcOOJrkq1zcfkI7H9oD75nnwiCV8FgSKKzkwYF SS0AbbmpH9evBKV6om+LZcC23UvgpRSeL9Iu5BgKyXATc+D+r28Y26N7H8EW0Q== Received: by freefall.freebsd.org (Postfix, from userid 945) id DD8872724B; Wed, 04 Sep 2024 23:37:20 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:12.bhyve Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240904233720.DD8872724B@freefall.freebsd.org> Date: Wed, 04 Sep 2024 23:37:20 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:12.bhyve Security Advisory The FreeBSD Project Topic: bhyve(8) privileged guest escape via USB controller Category: core Module: bhyve Announced: 2024-09-04 Credits: Synacktiv Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project Affects: All supported versions of FreeBSD. Corrected: 2024-09-04 15:42:30 UTC (stable/14, 14.1-STABLE) 2024-09-04 21:07:34 UTC (releng/14.1, 14.1-RELEASE-p4) 2024-09-04 20:54:19 UTC (releng/14.0, 14.0-RELEASE-p10) 2024-09-04 15:45:38 UTC (stable/13, 13.4-STABLE) 2024-09-04 19:58:26 UTC (releng/13.4, 13.4-RC2-p1) 2024-09-04 20:29:46 UTC (releng/13.3, 13.3-RELEASE-p6) CVE Name: CVE-2024-32668 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background bhyve(8) is a hypervisor that runs guest operating systems inside a virtual machine. II. Problem Description bhyve can be configured to emulate devices on a virtual USB controller (XHCI), such as USB tablet devices. An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. III. Impact A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. IV. Workaround No workaround is available, but VMs that do not make the XHCI device available to the guest (via `bhyve -s xhci,...`) are not impacted. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Guest operating systems emulating USB devices with XHCI need to be restarted for the correction to be applied. (i.e., their corresponding bhyve process needs to be terminated and started again) Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch # fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch.asc # gpg --verify bhyve.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the corresponding bhyve processes, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 90af1336ed5e stable/14-n268657 releng/14.1/ bb245c142075 releng/14.1-n267702 releng/14.0/ 1d01a6c11210 releng/14.0-n265439 stable/13/ 5920b7e6eea1 stable/13-n258311 releng/13.4/ b3f0e555781c releng/13.4-n258244 releng/13.3/ 5d6576f4f000 releng/13.3-n257454 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The corresponding part of the security audit report as provided by Synacktiv will be published in due course. The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY544ACgkQbljekB8A Gu+rCw/9FKPcF1L1kRh6J9Y6TLEmMIQx95YwodI4O11KMjgEL3wnz36p/Mrkrj8Z g8h2+OBmqdr8NegyKHIuOHo8j9M892dnZpGWjyCgtbpnc57rXZhm83DDzRQ2r9OP 7yOWftWjgje1cyTphlFAr2p6IWg6z+6UicGwmeV17FSaG5rPjWuYoOOt63kzk3NA 0viDPIgLpoyGRCaiXa/sdoM2YQH9FxzKEC2yeURF/mLSPEFhaMO6SS8nrxmRC9Wc f8DP5G00I3RPjAQ5ehXc5n0z88SHGKJc/dstI4jSzguyBNO8HQtCD6HC6uEo0ACV EEJ80FJ+TOfZ9fhHkyEpGfMxwsAjpzud0zZWKV8+4jeY3kIp94g8MCKrHkLr6hXL 0+DMBsdqNS3T7lPzIimhJ7cwk/fXVQvUWu3rGBO33l3IUK0BWz/o3cTARTPEl/Zi MMBETwn+ga6JioRBTmmOMazufAyA3Nlf/eRzIc9RGTUBjoqnY0jHzdwfPI8hDKXR 1bi1Rii8IcAmaHvMkGww6PJOkRTV8uyuW6JZ2te8V8PC5ojdUniYq5JN6mbrkpOR RIYt3f16o6ANZ9qgMqmq2gdBBnJ80LDkQa71FV1bDf9g/LEd5aDynloaZb5D3EMp 0J0ZIPKKy/qprhVzEjxROzhLzNH0bJy6yaQhoxPY3QLzU78qrE4= =nYwM -----END PGP SIGNATURE----- From nobody Wed Sep 4 23:37:24 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Wzf6Y0Lz2z5VrjJ for ; Wed, 04 Sep 2024 23:37:25 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Wzf6X5PJtz43gC; Wed, 4 Sep 2024 23:37:24 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493044; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=WBP+DwqDy2+AM/34xnxVjlSHebu3ry1kv9fzTmE6S6g=; b=CTzWELgbn4OaoV6tCL3BjR0ROfvKcwmJevHlgFS03qRt2B/oui7Na6T9ali7wNSEjj6FXw XiWC34m8CQ3XFc+hCaY3iDjjNyiZADBxs3k6YlNLfYFALc5QngsoHYYCc1gn/rdj2o4XVS 6ODlKCzxg1rn77LBpwOblOEa13w4hvmS7CGimXoR9vzL0OU6/MbbPd1Qjyw/JeL80gDc3o IjeJveUAhdHU2j8t2hHChomw01lJqGdgfYzwZEA/2dVncfHySNELKcPqFTOJgrFAr2xNwD sCML2aluh1dpoyIXFD77w/EaUhF+acyIkM8zN+5vlRVu0jeBQmhPonAVtJg2Pw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725493044; a=rsa-sha256; cv=none; b=CC/rPsebUlaIgBDY9T8LWS/qJGpgrMn4+i27uaP701rZyZ7fB4mergkoFzTaOnoxI0G5lf IzmbVW+5rWehOpn4nKJNOaqn0K7WT5SgSGsmO7KIOYZzp+FHoVcie8V3v7BXwp5PtububD axQKFqJ9825/pPhSYn9ZBIl9znWEK8jdUhuPRjYr/stXn5Piv0TH8YdXaVVTknKr6aU5Cn MAImF01xPZzYlwwiawBbirLfzYDfO401L3mxgqoeFMo9Ig9u6PioTjp89SvPt2mKKCLH6G ugHzlI29iYZPMM/jjSawLXwkaVHvodGKABKso9Q4Vzd5IvM60jHrGvvWzXQ0Tg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493044; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=WBP+DwqDy2+AM/34xnxVjlSHebu3ry1kv9fzTmE6S6g=; b=C6ZCfcsHW6EE/p3ZaFnLA8Gjf3RVnhwQdVwqiKpQcebivNnc3tT9JPeW5qzX91Sj+BZf0q iURKcpSTIIZs2TMwwA5dp0XnID6ql4cEZrBB6XFXmhiNIrccRKlvmbQmQVhC62bPDg474B N/uCKdLcmzIoUTnqZlgWTD/KW19SvywbkpThjnHDwoV+1e67kyONeTAZv/P9Wf7bI1yuEv yVIthQzz/0cu95ohsg8tjUPyU2bnbe2/a36Cvdjx8109m6D9x2JW4PwBJ5HbrZaVwxHMFR nRIB+X2jh4FCnbJnkOjyiBlAYvggUtb55QJooUkRrzzoqWFZ300BMgIDoXRZzA== Received: by freefall.freebsd.org (Postfix, from userid 945) id B1489271F7; Wed, 04 Sep 2024 23:37:24 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:13.openssl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240904233724.B1489271F7@freefall.freebsd.org> Date: Wed, 04 Sep 2024 23:37:24 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:13.openssl Security Advisory The FreeBSD Project Topic: Possible DoS in X.509 name checks in OpenSSL Category: contrib Module: openssl Announced: 2024-09-03 Credits: David Benjamin (Google) Affects: FreeBSD 14.x Corrected: 2024-09-03 17:09:21 UTC (stable/14, 14.1-STABLE) 2024-09-04 21:07:35 UTC (releng/14.1, 14.1-RELEASE-p4) 2024-09-04 20:54:20 UTC (releng/14.0, 14.0-RELEASE-p10) CVE Name: CVE-2024-6119 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit for the Transport Layer Security (TLS) protocol. It is also a general-purpose cryptography library. II. Problem Description Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. Basic certificate chain validation is not affected. The issue only occurs when an application also specifies an expected DNS name, Email address or IP address. III. Impact Applications affected by the problem may result in a termination, leading to a denial of service. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch # fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch.asc # gpg --verify openssl.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 5946b0c6cbc7 stable/14-n268645 releng/14.1/ 9a5a7c90d5e5 releng/14.1-n267703 releng/14.0/ abd3a7939117 releng/14.0-n265440 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY55AACgkQbljekB8A Gu/qxQ/9H4Iaao+a5X4aXiV1iU+fT2KSli8fMZKeRw/OOIAztSOHZp7go0noAX65 SVwsb0fShwqAfDpeZhSjzMjpMmfkwQUkRbMK1SD+zLznSmC1McKF/EIAWrMwr78z zDLv497wh26tY+3CUZJQPwkodTvkHnwU0jeUSTjHqC+lOQeOcQ9HwL0T4FsHw4HF BJEX/k6uabpXsQe4H9U8C3MbUlOxiKfwFZAxDBhei2zZN/kfAY63iQhVH6/Ls5BG ei7TcEF2e6ylhdaLcCxpArRrdql1VQ4SanAGVW4MQ/2s3YpxQYweKGMg4VSZvqXt 07mBlNHcLepsHK1/qXhDqO/UMO5QsSsH1trwiohmZRQZJp4wXFsGhc102dezDbun TEJutKpNsojvWQ01IFcykCkvH2AAGXHJTB8H3jVXhBIU6DuqcmjVc8WXbrdN0vX8 KcZgI7S5PyQ0WF+ESqR5MHGXx7Qr9uZPKSMvPq0/g2d+6G52/Yw4oZ3rZtqU34iO uLq+FApa0Ema3jzxhq89c9oybfADpBDmYsAfqfMqexS+nIuPjeUpcv9gCukr2Of3 rJDxx2hF/1c/hd83Pp7MKBT/x/4E3vombPjeNeP/sBLhXFSKiVxUDYGYgm6yw3GA E7rv33ZJ09RaDGp9jbYaV5rOuEWAZpy42X/LsHjI9W3v0sGCJvU= =JDHd -----END PGP SIGNATURE----- From nobody Wed Sep 4 23:37:29 2024 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Wzf6f26VVz5Vrmj for ; Wed, 04 Sep 2024 23:37:30 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Wzf6f0F5mz43rQ; Wed, 4 Sep 2024 23:37:30 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493050; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=WmMlfa3aJUKbFkAieYG9YzTkYWRyO+FAm6pw0xJdeak=; b=RDYMW8Jy9ore27HIP7nSBTpCQXiLue2aW09ITFG0Ioq4fd4uPz8fK72ZIiOREXBvUtyjFY EHpIU9cY84aW7SEU4WoJ8uzhsffvU8FxAjmn5lYCgNlz9KhPKREOZJbpMYIBvfnZxKY00v 6ROiecTGcQBpu4lrBFOgfTzMvSsPmUqCmojVPnu8WRpmpNFsx7G68VedHXjZX0OGEfVepe awe0639J80JsfpMCiwY200zIhsmaaySWRSZ9DmOCgR/xkwK4Pdw4oKGRfT/lJgO059E7LA GzK4md80ecU/APH0Am/50quttRZ0lSiIbBwhKBpSL4b9rLA8uy372qKuYDM6Wg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1725493050; a=rsa-sha256; cv=none; b=jCz9pqoY1AK24qEe5fuoVHQKQb1atPtdx2jQdo88AqXcf8zdpyrLF4WmNPTsabNWCg17ji T7mDpiAjtCSztRK3/0ehwyFs7Dnh9F19prmMaTYxDavdQeEH9UVYeJrREwAE5FR0FL0ynG axHlsBbHCVXRUbb9Yt91RW1ddXt5c9vvZ4O9ubtMY+0kvlyLNaJZWk/KY5oTI59DPX6ISP hDwC8aqPPkGgbgejRlBudc3FfFbfCOmr0Gaq+U8LaOxPSNaq/m9M0FM4bFlk1uo9OBxHsY cYkW4RIeaChcOzxHqh84aDo8p2ZMyFbQBMRvUGSwM/QBxBqGhT0lH6AeiBALiQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1725493050; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=WmMlfa3aJUKbFkAieYG9YzTkYWRyO+FAm6pw0xJdeak=; b=xPeJH7hYC5Gy7EYo2EbPG9GCJXLUs9juO2oUHpTh+DbXFfznnVMS6PDpPhRx9e/QxIVphV 2QGdpxrPdIpWHf5zaBIYp1OoC//cfpjihAOVyyRuOB63xc15kkreMDSmtIXbyFunr4NDsS h99GMakr/jx2TviobyekrgqiEqp5JQRA02kB1++uNacZcxRhk3mgJImY2l3lGMOMY6a451 tQSUuetsLGq0ISqspZMJbhNfzVC2BvYM/2eXDprhI81PTBNpPwujOPTEpANJzuPTbZlX5o BICjSyT9vgqI2iy2olrv66dSpnHc7GZxXkqrqj3CUdJOOzFnBVG/Szju7he7Cg== Received: by freefall.freebsd.org (Postfix, from userid 945) id E2159274AB; Wed, 04 Sep 2024 23:37:29 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-24:14.umtx Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20240904233729.E2159274AB@freefall.freebsd.org> Date: Wed, 04 Sep 2024 23:37:29 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-24:14.umtx Security Advisory The FreeBSD Project Topic: umtx Kernel panic or Use-After-Free Category: core Module: kern Announced: 2024-09-04 Credits: Synacktiv Sponsored by: The FreeBSD Foundation, The Alpha-Omega Project Affects: All supported versions of FreeBSD. Corrected: 2024-09-04 16:00:58 UTC (stable/14, 14.1-STABLE) 2024-09-04 21:07:40 UTC (releng/14.1, 14.1-RELEASE-p4) 2024-09-04 20:54:24 UTC (releng/14.0, 14.0-RELEASE-p10) 2024-09-04 16:05:17 UTC (stable/13, 13.4-STABLE) 2024-09-04 19:58:30 UTC (releng/13.4, 13.4-RC2-p1) 2024-09-04 20:29:50 UTC (releng/13.3, 13.3-RELEASE-p6) CVE Name: CVE-2024-43102 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The _umtx_op(2) system call provides support for the implementation of synchronization primitives between threads, and is used by the 1:1 Threading Library (libthr, -lthr) to implement IEEE Std 1003.1-2001 (“POSIX.1”) pthread locks, like mutexes, condition variables and so on. In particular, its UMTX_OP_SHM operation provides support for anonymous shared memory associated to a particular physical address, which is used to implement process-shared mutexes (PTHREAD_PROCESS_SHARED). II. Problem Description Concurrent removals of such a mapping by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. III. Impact A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-24:14/umtx.patch # fetch https://security.FreeBSD.org/patches/SA-24:14/umtx.patch.asc # gpg --verify umtx.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 4938f554469b stable/14-n268665 releng/14.1/ f4a2dbb81603 releng/14.1-n267707 releng/14.0/ 37823ca38148 releng/14.0-n265444 stable/13/ a73a70472c47 stable/13-n258319 releng/13.4/ 7739dab97433 releng/13.4-n258248 releng/13.3/ 8fd0fa88b5a6 releng/13.3-n257458 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY55IACgkQbljekB8A Gu9grQ/+J7wLENdAwj/vclXgEwiqMtVBud/oWWXL6/h8YzSCOGRW88NsGrhkS+I4 ykWVdCcTvOqP8FvArarQVTfmMD/dQvAZZciHMkYDrQhjd7BwBuWVkLe1YdA1VR0o TT5gVclbJFJP3kvC+ivusN+hVn8Iacb0bvLn47/7pBKL96cCx1aTcP9XtHJqPZAr W80C5+4Z6qE0bUcCZ5lT8/6XvBtQNiD7otA7h5vBGMoIlBHgrxvYIz+QxAoOJ9Ke DvwNKjAm1nYrgiAzAF7lgPWLe6TxYxfYVcyEdm2UJnVpZqldnZevjIFD4DgaijKF dPT99EJdgkDQMqaiRM4VqlkcQvzZC/MatV9ypcStoRvQhQZczemLZdEVcf2luEdo r6RLvCGQPiSbeANc2DV/J35oX/Zwr9KN29ttkOqisVfadIba2LXANUiAF/x3SReo B/Gyilla4SU42obSaDuOe7fuDxj1HS4vAcJ03BQP0VfMNFkUaqb6ZoXioWhgtHAO E1zRIJcht1Ad2mEJtMid51co40g1Gd0lcxgEF0UOaIm5gTbYGKD+9tiOBaxvXlxC eDiKChtB31XWmfnuK4fSKh28dfyu+ltRUVsmQbakpQyufWx/RhSk3neZs44SNrwq SEX5SZ9Rt+E8uBZYU/rDzP2N6cd9ayMANCanuh2GPjorf15Em3g= =/sml -----END PGP SIGNATURE-----