From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Subject: FreeBSD Errata Notice FreeBSD-EN-24:17.pam_xdg
Reply-To: freebsd-stable@freebsd.org
Message-Id: <20241029213236.B9E469155@freefall.freebsd.org>
Date: Tue, 29 Oct 2024 21:32:36 +0000 (UTC)
List-Id: Project Announcements [moderated]
List-Archive: https://lists.freebsd.org/archives/freebsd-announce

=============================================================================
FreeBSD-EN-24:17.pam_xdg                                        Errata Notice
                                                          The FreeBSD Project

Topic:          XDG runtime directory's file descriptor leak at login

Category:       core
Module:         pam_xdg
Announced:      2024-10-29
Credits:        Olivier Certner
Affects:        FreeBSD 14.1
Corrected:      2024-09-03 13:28:58 UTC (stable/14, 14.1-STABLE)
                2024-10-29 18:57:01 UTC (releng/14.1, 14.1-RELEASE-p6)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

pam_xdg(8) is a PAM module which sets up directories and environment
variables per the XDG Base Directory Specification[1].  In particular, it
creates a per-user directory to contain non-essential runtime files and sets
the environment variable XDG_RUNTIME_DIR to point to it.

II.  Problem Description

As a user logs in, if the per-user XDG_RUNTIME_DIR directory already exists,
a file descriptor to that directory is leaked in the calling process.

III. Impact

This leaked directory file descriptor is inherited by all descendant
processes that do not explicitly close it.  In particular, it prevents an
administrator from using jexec(8) or launching a new jail via jail(8), as
both commands use the jail_attach(2) system call which fails with EPERM if
the calling process has an open directory in its file descriptor table, as a
security measure to prevent jail escape.

This file descriptor leak is normally harmless from a security standpoint as
the XDG_RUNTIME_DIR directory's content is usually readable and modifiable
only by its owner and its group.

IV.  Workaround

Shell primitives can close the leaking file descriptor before running
jexec(8) or jail(8).  For sh-like shells, use 'exec X>&-', where X is the
number of the leaked file descriptor obtained with 'fstat -p $$'.

Alternatively, use a login program or shell that closes all inherited file
descriptors for root such as sudo(8) or csh(1).

Lastly, on machines not running a Freedesktop-based GUI desktop, or running
one that can set XDG_RUNTIME_DIR by itself (e.g., KDE), disable pam_xdg(8)
completely by commenting out the corresponding lines in '/etc/pam.d/system'
and '/etc/pam.d/xdm'.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.  A reboot is advised
following the upgrade, or a logout/re-login of your jail working sessions if
practical.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

A reboot is advised following the upgrade, or a logout/re-login of your jail
working sessions if practical.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:17/pam_xdg.patch
# fetch https://security.FreeBSD.org/patches/EN-24:17/pam_xdg.patch.asc
# gpg --verify pam_xdg.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

A reboot is advised following the upgrade, or a logout/re-login of your jail
working sessions if practical.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              9e8d504bb5a1    stable/14-n268630
releng/14.1/                            accf8cee6dd0  releng/14.1-n267726
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

[1]

[2]

The latest revision of this advisory is available at
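
The workaround in section IV of FreeBSD-EN-24:17, as an added sh example that
is not part of the errata notice: it picks the numbered directory descriptors
out of fstat(1) output and turns them into 'exec X>&-' lines.  The fstat
column layout is an assumption, the sample output is constructed, and the
function names (dir_fds, close_cmds, close_dir_fds) are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the errata notice.
# Assumption: fstat(1) prints "USER CMD PID FD MOUNT INUM MODE SZ|DV R/W"
# and neither the command name nor the mount point contains spaces.

# dir_fds: read `fstat -p PID` output on stdin and print the numbered
# descriptors whose MODE column starts with "d" (directories).
# Entries such as text, wd, root and jail are not numbered descriptors and
# cannot be closed with a redirection; sockets and pipes show up as "N*".
dir_fds() {
    awk '$4 ~ /^[0-9]+$/ && $7 ~ /^d/ { print $4 }'
}

# close_cmds: turn descriptor numbers into the redirections named in the
# workaround, so they can be reviewed before being run.
close_cmds() {
    while read -r fd; do
        printf 'exec %s>&-\n' "$fd"
    done
}

# close_dir_fds: close them in the current shell (FreeBSD only, needs
# fstat).  Call it directly, not in a pipeline or $(...): a subshell would
# close its own copy and leave the caller's descriptor open.
close_dir_fds() {
    for fd in $(fstat -p $$ | dir_fds); do
        eval "exec ${fd}>&-"    # fd is digits only, filtered by dir_fds
    done
}

# Constructed sample: a root shell that inherited descriptor 3, open on a
# directory, at login.
sample_fstat() {
    cat <<'EOF'
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     sh          2143 text /        118331 -r-xr-xr-x  168344  r
root     sh          2143   wd /root     80257 drwxr-x---       9  r
root     sh          2143 root /             4 drwxr-xr-x      20  r
root     sh          2143    0 /dev         97 crw--w----   pts/0 rw
root     sh          2143    1 /dev         97 crw--w----   pts/0 rw
root     sh          2143    2 /dev         97 crw--w----   pts/0 rw
root     sh          2143    3 /var/run   1288 drwx------       2  r
root     sh          2143    5* local stream fffff80003a1b000
EOF
}

# Show what would be closed for the constructed sample.
sample_fstat | dir_fds | close_cmds
```

On an affected host, 'fstat -p $$ | dir_fds | close_cmds' shows the lines to
run before jexec(8) or jail(8).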

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:17.bhyve
Reply-To: freebsd-security@freebsd.org
Message-Id: <20241029213253.D2E119157@freefall.freebsd.org>
Date: Tue, 29 Oct 2024 21:32:53 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:17.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple issues in the bhyve hypervisor

Category:       core
Module:         bhyve
Announced:      2024-10-29
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-10-19 15:42:15 UTC (stable/14, 14.1-STABLE)
                2024-10-29 18:45:36 UTC (releng/14.1, 14.1-RELEASE-p6)
                2024-10-19 15:43:46 UTC (stable/13, 13.4-STABLE)
                2024-10-29 18:49:55 UTC (releng/13.4, 13.4-RELEASE-p2)
                2024-10-29 18:53:41 UTC (releng/13.3, 13.3-RELEASE-p8)
CVE Name:       CVE-2024-51562, CVE-2024-51563, CVE-2024-51564,
                CVE-2024-51565, CVE-2024-51565

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8) is a hypervisor that runs guest operating systems inside a virtual
machine.

II.  Problem Description

Several vulnerabilities were found in the bhyve hypervisor's device models.

The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer
over-read from a guest-controlled value.  (CVE-2024-51562)

The virtio_vq_recordon function is subject to a time-of-check to time-of-use
(TOCTOU) race condition.  (CVE-2024-51563)

A guest can trigger an infinite loop in the hda audio driver.
(CVE-2024-51564)

The hda driver is vulnerable to a buffer over-read from a guest-controlled
value.  (CVE-2024-51565)

The NVMe driver queue processing is vulnerable to guest-induced infinite
loops.  (CVE-2024-51565)

III. Impact

Malicious guest virtual machines may be able to perform a denial of service
(DoS) of the bhyve host, and may read memory within the bhyve process that
they should not be able to access.

IV.  Workaround

No workaround is available.  Virtual machines that provide none of the NVMe,
virtio, and hda devices to the guest are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart bhyve processes, or reboot the system.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:17/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-24:17/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable bhyve processes, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              86ba5941b132    stable/14-n269162
releng/14.1/                            fcd9a2d8a5bd  releng/14.1-n267723
stable/13/                              df1a36fdfae6    stable/13-n258536
releng/13.4/                            5d07a7e902fa  releng/13.4-n258265
releng/13.3/                            adb7b541aea1  releng/13.3-n257475
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:18.ctl
Reply-To: freebsd-security@freebsd.org
Message-Id: <20241029213258.5FF83921B@freefall.freebsd.org>
Date: Tue, 29 Oct 2024 21:32:58 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:18.ctl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Unbounded allocation in ctl(4) CAM Target Layer

Category:       core
Module:         ctl
Announced:      2024-10-29
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-10-11 15:53:17 UTC (stable/14, 14.1-STABLE)
                2024-10-29 18:45:37 UTC (releng/14.1, 14.1-RELEASE-p6)
                2024-10-11 15:53:53 UTC (stable/13, 13.4-STABLE)
                2024-10-29 18:49:56 UTC (releng/13.4, 13.4-RELEASE-p2)
                2024-10-29 18:53:42 UTC (releng/13.3, 13.3-RELEASE-p8)
CVE Name:       CVE-2024-39281

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ctl subsystem provides SCSI target device emulation.  The bhyve(8)
hypervisor and ctld(8) iSCSI target daemon make use of ctl.

II.  Problem Description

The command ctl_persistent_reserve_out allows the caller to specify an
arbitrary size which will be passed to the kernel's memory allocator.

III. Impact

A malicious guest could cause a Denial of Service (DoS) on the host.

IV.  Workaround

No workaround is available.  Systems not using virtio_scsi(4) or ctld(8) are
not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch
# fetch https://security.FreeBSD.org/patches/SA-24:18/ctl.patch.asc
# gpg --verify ctl.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              2e7f4728fa73    stable/14-n269070
releng/14.1/                            a8df23541444  releng/14.1-n267724
stable/13/                              367d8c86a182    stable/13-n258514
releng/13.4/                            e389eb99fb63  releng/13.4-n258266
releng/13.3/                            9867aebc1d04  releng/13.3-n257476
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
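
Added sh example, not part of either advisory, for the "not vulnerable" and
"not affected" conditions in section IV of FreeBSD-SA-24:17 and
FreeBSD-SA-24:18: it reads bhyve(8) command lines and reports which VMs are
given the device models the advisories name, and checks rc.conf text for
ctld(8).  Assumptions: one bhyve invocation per line (taken from your VM
start scripts) with the VM name last; the sample lines and the function
names bhyve_exposure and ctld_enabled are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the advisories.
# Assumptions: one bhyve(8) invocation per input line, VM name as the last
# argument, devices given as "-s slot,emulation[,options]".

# bhyve_exposure: print "<vm> <advisory> <emulation>" for every device model
# the two advisories name.
#   SA-24:17: NVMe, virtio and hda device models
#   SA-24:18: ctl reached through virtio-scsi
bhyve_exposure() {
    awk '
    {
        vm = $NF
        for (i = 1; i <= NF; i++) {
            spec = ""
            if ($i == "-s" && i < NF)
                spec = $(i + 1)           # separate form: -s 3,nvme,...
            else if ($i ~ /^-s[0-9]/)
                spec = substr($i, 3)      # attached form: -s3,nvme,...
            if (split(spec, part, ",") < 2)
                continue
            dev = part[2]
            if (dev == "nvme" || dev == "hda" || dev ~ /^virtio-/)
                print vm, "SA-24:17", dev
            if (dev == "virtio-scsi")
                print vm, "SA-24:18", dev
        }
    }'
}

# ctld_enabled: stdin is rc.conf text; succeeds when ctld_enable is set to a
# value rc.subr treats as true.  The last assignment wins, as it does when
# the file is sourced.
ctld_enabled() {
    val=$(sed -n 's/^[[:space:]]*ctld_enable=//p' | tail -n 1)
    val=${val%%#*}                                 # drop a trailing comment
    val=$(printf '%s' "$val" | tr -d "\"' \t")     # drop quotes and blanks
    case $val in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: three VM launch lines.
sample_cmdlines() {
    cat <<'EOF'
bhyve -c 2 -m 4G -H -s 0,hostbridge -s 3,virtio-blk,/dev/zvol/tank/web1 -s 4,virtio-net,tap0 -s 31,lpc -l com1,stdio web1
bhyve -c 4 -m 8G -H -s 0,hostbridge -s 3,nvme,/dev/zvol/tank/db1 -s 5,virtio-scsi,/dev/cam/ctl1.0 -s 31,lpc db1
bhyve -c 1 -m 1G -H -s 0,hostbridge -s 2,ahci-hd,/vm/legacy.img -s 3,e1000,tap2 -s 31,lpc legacy
EOF
}

# Report for the constructed sample; "legacy" produces no line.
sample_cmdlines | bhyve_exposure
```

A VM that produces no output is given none of the named device models; those
that do are the ones to restart after the upgrade.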

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:19.fetch
Reply-To: freebsd-security@freebsd.org
Message-Id: <20241029213302.17AA09298@freefall.freebsd.org>
Date: Tue, 29 Oct 2024 21:33:02 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:19.fetch                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Certificate revocation list fetch(1) option fails

Category:       core
Module:         fetch
Announced:      2024-10-29
Credits:        Franco Fichtner
Affects:        All supported versions of FreeBSD.
Corrected:      2024-10-09 11:49:32 UTC (stable/14, 14.1-STABLE)
                2024-10-29 18:57:00 UTC (releng/14.1, 14.1-RELEASE-p6)
                2024-10-09 11:50:06 UTC (stable/13, 13.4-STABLE)
                2024-10-29 18:57:13 UTC (releng/13.4, 13.4-RELEASE-p2)
                2024-10-29 18:57:30 UTC (releng/13.3, 13.3-RELEASE-p8)
CVE Name:       CVE-2024-45289

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Fetch is a utility used to retrieve file(s) from URL(s) specified on the
command line.  It supports a --crl option to specify a certificate
revocation list which contains peer certificates which have been revoked.

II.  Problem Description

The fetch(3) library uses environment variables for passing certain
information, including the revocation file pathname.  The environment
variable name used by fetch(1) to pass the filename to the library was
incorrect, in effect ignoring the option.

III. Impact

Fetch would still connect to a host presenting a certificate included in the
revocation file passed to the --crl option.

IV.  Workaround

The certificate revocation list file can be specified by the SSL_CRL_FILE
fetch(3) environment variable rather than using the --crl option to fetch(1).

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch
# fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch.asc
# gpg --verify fetch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              51676e0a3bd3    stable/14-n269041
releng/14.1/                            0e8bf366e6c5  releng/14.1-n267725
stable/13/                              484724578422    stable/13-n258502
releng/13.4/                            51f6c450d991  releng/13.4-n258267
releng/13.3/                            9f1314a30b4a  releng/13.3-n257477
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
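
The workaround in section IV of FreeBSD-SA-24:19, as an added sh example that
is not part of the advisory: a wrapper for scripts that already call fetch
with --crl, which passes the same file through SSL_CRL_FILE and refuses to
run when the file cannot be read.  The function names, the FETCH override
variable and the sample path and URL are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the advisory.
# Assumption: the option is spelled in full, as "--crl=FILE" or
# "--crl FILE"; abbreviated long options are not recognised here.

# crl_path_from_args: print the file given to --crl, or nothing if the
# option is absent.  Parsing stops at "--".
crl_path_from_args() {
    want=0
    path=""
    for arg in "$@"; do
        if [ "$want" = 1 ]; then
            path=$arg
            want=0
            continue
        fi
        case $arg in
            --crl=*) path=${arg#--crl=} ;;
            --crl)   want=1 ;;
            --)      break ;;
        esac
    done
    printf '%s' "$path"
}

# fetch_with_crl: run fetch with the caller's arguments unchanged, and with
# SSL_CRL_FILE set to the --crl file so that fetch(3) sees the list even on
# a system where the option itself is ignored.  Fails closed: an unreadable
# list stops the transfer instead of silently running without revocation
# checks.  FETCH (hypothetical) overrides the program to run.
fetch_with_crl() {
    crl=$(crl_path_from_args "$@")
    if [ -z "$crl" ]; then
        "${FETCH:-fetch}" "$@"
        return
    fi
    if [ ! -r "$crl" ]; then
        echo "fetch_with_crl: cannot read CRL file: $crl" >&2
        return 1
    fi
    SSL_CRL_FILE=$crl "${FETCH:-fetch}" "$@"
}

# Constructed arguments: show which file would be exported.
crl_path_from_args -o file.tar --crl=/etc/ssl/revoked.pem https://example.org/file.tar
echo
```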