From: James Watt <crispy.james.watt@gmail.com>
Date: Tue, 3 Sep 2024 19:44:26 +0800
To: freebsd-security@freebsd.org
Subject: Security Vulnerability - Action Required: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability may in your project

Hi there,
    we have detected that your project may be vulnerable to Loop with Unreachable Exit Condition ('Infinite Loop') in the function `ppp_hdlc` in the file `contrib/tcpdump/print-ppp.c`. It shares similarities with a recent CVE disclosure [CVE-2024-2397](https://nvd.nist.gov/vuln/detail/CVE-2024-2397) in https://github.com/the-tcpdump-group/tcpdump

**The source vulnerability information is as follows:**

> Vulnerability Detail:
> CVE Identifier: CVE-2024-2397
> Description: Due to a bug in packet data buffers management, the PPP printer in tcpdump can enter an infinite loop when reading a crafted DLT_PPP_SERIAL .pcap savefile. This problem does not affect any tcpdump release, but it affected the git master branch from 2023-06-05 to 2024-03-21.
> Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-2397
> Patch: https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

Best regards,
James
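The CVE quoted above concerns an un-escaping loop over the bytes of a PPP-in-HDLC (RFC 1662) frame whose exit condition can become unreachable on crafted input. The C below is an added illustration of that bug class and of the bounded loop shape that avoids it; it is not tcpdump's ppp_hdlc() code, and it makes no claim about the exact defect fixed upstream or in FreeBSD. The frame bytes are constructed for the demonstration, not taken from a real capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPP_FLAG   0x7e   /* RFC 1662 frame delimiter */
#define PPP_ESCAPE 0x7d   /* RFC 1662 control escape */
#define PPP_TRANS  0x20   /* XOR mask applied to the byte after an escape */

/*
 * Bounded un-escaping of one captured DLT_PPP_SERIAL frame. A leading flag is
 * skipped and a later flag ends the frame. Returns the number of decoded bytes,
 * or -1 when the frame is malformed (an escape with nothing after it) or the
 * output buffer is too small. The input index only moves forward and is checked
 * against caplen before every read, so the loop runs at most caplen times no
 * matter what the bytes are: the exit condition is always reachable.
 */
int ppp_hdlc_unescape(const uint8_t *in, size_t caplen,
                      uint8_t *out, size_t outlen)
{
    size_t i = 0, o = 0;

    if (caplen > 0 && in[0] == PPP_FLAG)
        i = 1;

    while (i < caplen) {
        uint8_t c = in[i++];

        if (c == PPP_FLAG)               /* closing flag: end of frame */
            break;
        if (c == PPP_ESCAPE) {
            if (i >= caplen)             /* escape is the last captured byte */
                return -1;
            c = in[i++] ^ PPP_TRANS;
        }
        if (o >= outlen)
            return -1;
        out[o++] = c;
    }
    return (int)o;
}

/*
 * The fragile shape of the same loop (a generic pattern, not a claim about any
 * particular project): a remaining-byte counter decremented once per iteration
 * and once more when an escape consumes a second byte. If the escape is the
 * last captured byte the counter goes 1 -> 0 inside the body and then wraps on
 * the loop's own decrement, so "i != 0" is never false again and the loop would
 * keep reading past the buffer. For the demonstration it is cut off after
 * caplen + 1 steps, before any out-of-bounds read; returns 1 if it would have
 * run on, 0 if it terminated on its own.
 */
int countdown_loop_overruns(const uint8_t *in, size_t caplen)
{
    const uint8_t *s = in;
    size_t i, steps = 0;

    for (i = caplen; i != 0; i--) {
        if (++steps > caplen)            /* demo guard only */
            return 1;
        if (*s++ == PPP_ESCAPE) {
            i--;                         /* wraps when i was 1 */
            s++;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed frames: flag, HDLC address/control 0xff 0x03 (0x03 escaped as
     * 0x7d 0x23), LCP protocol id 0xc021, and an escaped 0x7e (0x7d 0x5e). */
    static const uint8_t good[] = { 0x7e, 0xff, 0x7d, 0x23, 0xc0, 0x21, 0x7d, 0x5e };
    static const uint8_t truncated[] = { 0x7e, 0xff, 0x7d };
    uint8_t out[16];
    int n, k;

    n = ppp_hdlc_unescape(good, sizeof good, out, sizeof out);
    printf("good frame: %d bytes:", n);
    for (k = 0; k < n; k++)
        printf(" %02x", out[k]);
    printf("\n");

    n = ppp_hdlc_unescape(truncated, sizeof truncated, out, sizeof out);
    printf("truncated frame: %d (malformed)\n", n);
    printf("countdown loop on truncated frame would overrun: %d\n",
           countdown_loop_overruns(truncated, sizeof truncated));
    return 0;
}
```

Build and run with `cc -o ppp_unescape ppp_unescape.c && ./ppp_unescape`. When reviewing a decoder of this kind (or a backported fix for one), the properties to check are the ones ppp_hdlc_unescape() has: the loop variable is compared against the captured length before every read, it only advances, and a trailing escape is an error rather than a second read.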
From: Cy Schubert <Cy.Schubert@cschubert.com>
Date: Tue, 03 Sep 2024 08:53:26 -0700
To: freebsd-security@freebsd.org
Subject: OpenSSL Security Advisory (fwd)
Message-Id: <20240903155326.C282E207@slippy.cwsent.com>

Is this something we need to concern ourselves with?
-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web: https://FreeBSD.org
NTP:           Web: https://nwtime.org

e^(i*pi)+1=0

------- Forwarded Message

Date: Tue, 03 Sep 2024 17:48:34 +0200
From: Tomas Mraz
To: openssl-project, openssl-users, openssl-announce@openssl.org
Subject: OpenSSL Security Advisory

OpenSSL Security Advisory [3rd September 2024]
==============================================

Possible denial of service in X.509 name checks (CVE-2024-6119)
===============================================================

Severity: Moderate

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a "reference identifier" (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.

OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.2
OpenSSL 3.2 users should upgrade to OpenSSL 3.2.3
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.7
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.15

This issue was reported on 16th June 2024 by David Benjamin (Google), reiterating an AddressSanitizer issue raised on 30th September 2021. The fix was developed by Viktor Dukhovni.

General Advisory Notes
======================

URL for this Security Advisory:
https://openssl-library.org/news/secadv/20240903.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://openssl-library.org/policies/general/security-policy/
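A first-pass triage check for the advisory above, added here as an example and not part of the forwarded advisory, OpenSSL, FreeBSD or anyone's message in this thread. It maps the output of `openssl version` onto the advisory's own table (3.0.15, 3.1.7, 3.2.3 and 3.3.2 fixed; 1.1.1 and 1.0.2 unaffected) and says nothing about release lines the advisory does not mention. The version strings in main() and the tests are constructed samples. Two caveats the advisory itself implies: a version number below the fixed release is necessary but not sufficient for exposure, since the crash needs the application to set a reference identity (hostname, email or IP) for the name check; and a vendor-patched build, such as a base-system OpenSSL updated by a security advisory, may keep the old version string, so confirm against the vendor's advisory before acting on "AFFECTED".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ossl_6119_status {
    OSSL_UNKNOWN,        /* not an OpenSSL version string */
    OSSL_NOT_AFFECTED,   /* 1.1.1 or 1.0.2: named as unaffected in the advisory */
    OSSL_NOT_LISTED,     /* a release line the advisory does not mention */
    OSSL_AFFECTED,       /* 3.0 - 3.3 below the fixed patch release */
    OSSL_FIXED           /* 3.0 - 3.3 at or above the fixed patch release */
};

/* Fixed releases named in the advisory: 3.0.15, 3.1.7, 3.2.3, 3.3.2. */
static const struct { int minor; int fixed_patch; } fixed_3x[] = {
    { 0, 15 }, { 1, 7 }, { 2, 3 }, { 3, 2 },
};

/*
 * Parse "openssl version" output such as "OpenSSL 3.0.14 4 Jun 2024", or a
 * bare "3.0.14", into major/minor/patch. Anything after the patch number
 * ("1.1.1w", "3.0.15-dev", a date) is ignored. Returns 0 on success, -1 if the
 * text does not start with an OpenSSL version number.
 */
int parse_openssl_version(const char *text, int *major, int *minor, int *patch)
{
    const char *p = text;
    char *end;
    long v[3];
    int k;

    while (*p == ' ' || *p == '\t')
        p++;
    if (strncmp(p, "OpenSSL", 7) == 0)
        p += 7;
    while (*p == ' ')
        p++;

    for (k = 0; k < 3; k++) {
        if (*p < '0' || *p > '9')
            return -1;
        v[k] = strtol(p, &end, 10);
        p = end;
        if (k < 2) {
            if (*p != '.')
                return -1;
            p++;
        }
    }
    *major = (int)v[0];
    *minor = (int)v[1];
    *patch = (int)v[2];
    return 0;
}

/* Map a version string onto CVE-2024-6119 status using only the advisory's table. */
enum ossl_6119_status cve_2024_6119_status(const char *version_text)
{
    int major, minor, patch;
    size_t k;

    if (parse_openssl_version(version_text, &major, &minor, &patch) != 0)
        return OSSL_UNKNOWN;
    if (major == 1 && ((minor == 1 && patch == 1) || (minor == 0 && patch == 2)))
        return OSSL_NOT_AFFECTED;
    if (major == 3) {
        for (k = 0; k < sizeof fixed_3x / sizeof fixed_3x[0]; k++)
            if (fixed_3x[k].minor == minor)
                return patch >= fixed_3x[k].fixed_patch ? OSSL_FIXED : OSSL_AFFECTED;
    }
    return OSSL_NOT_LISTED;
}

int main(void)
{
    static const char *label[] = {
        "not an OpenSSL version string", "not affected",
        "not covered by this advisory", "AFFECTED: upgrade", "fixed"
    };
    char line[256];
    const char *text = "OpenSSL 3.0.14 4 Jun 2024";   /* constructed sample */

    /* Usage: openssl version | ./cve-2024-6119-check  (falls back to the sample) */
    if (fgets(line, sizeof line, stdin) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        text = line;
    }
    printf("%s -> %s\n", text, label[cve_2024_6119_status(text)]);
    return 0;
}
```

On a FreeBSD host run it against both the base system's `openssl version` and, if the port is installed, `/usr/local/bin/openssl version`, since applications may be linked against either.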
------- End of Forwarded Message

From: henrichhartzer@tuta.io
Date: Tue, 3 Sep 2024 19:40:54 +0200 (CEST)
To: James Watt <crispy.james.watt@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Security Vulnerability - Action Required: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability may in your project

> Hi there,
>     we have detected that your project may be vulnerable to Loop with Unreachable Exit Condition ('Infinite Loop') in the function `ppp_hdlc` in the file `contrib/tcpdump/print-ppp.c`. It shares similarities with a recent CVE disclosure [CVE-2024-2397](https://nvd.nist.gov/vuln/detail/CVE-2024-2397) in https://github.com/the-tcpdump-group/tcpdump
>
> **The source vulnerability information is as follows:**
>
> > Vulnerability Detail:
> > CVE Identifier: CVE-2024-2397
> > Description: Due to a bug in packet data buffers management, the PPP printer in tcpdump can enter an infinite loop when reading a crafted DLT_PPP_SERIAL .pcap savefile. This problem does not affect any tcpdump release, but it affected the git master branch from 2023-06-05 to 2024-03-21.
> > Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-2397
> > Patch: https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2
>
> Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!
>
> Best regards,
> James

Hi James,

I can't speak authoritatively here at all. Not a committer to src or anything like that, nor a FreeBSD security expert.

I do appreciate your concern for FreeBSD, though! And I think this was merged in already: https://cgit.freebsd.org/src/commit/contrib/tcpdump/print-ppp.c?id=f8860353d4f4c25bacdae5bc1cfb7a95edc9bfe0

Might be worth having another glance over it. I don't see an advisory published, but I'm not sure if that was pushed into a release or not. https://www.freebsd.org/security/advisories/

Thanks!
-Henrich

From: Jan Behrens <jbe-mlist@magnetkern.de>
Date: Wed, 4 Sep 2024 10:41:47 +0200
To: freebsd-security@freebsd.org
Subject: Privileges using security tokens through PC/SC-daemon
Message-Id: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>

Hello,

I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set "pcscd_enable" to "YES" in "/etc/rc.conf". My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected to it.

When I create an unprivileged user account and log in from a remote machine (through ssh), then this unprivileged user account can use "ykman" to access my security key and, for example, list stored credentials, generate one-time tokens, erase or temporarily block the device (by providing a wrong PIN), or even effectively brick it (if no configuration password is set).

As far as I understand, polkit should prohibit this. pcsc-lite installs a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy" with the following contents:

------------
vendor:     The PCSC-lite Project
vendor_url: https://pcsclite.apdu.fr/

action: "Access to the PC/SC daemon"
  message:  "Authentication is required to access the PC/SC daemon"
  defaults: allow_any=no  allow_inactive=no  allow_active=yes

action: "Access to the smart card"
  message:  "Authentication is required to access the smart card"
  defaults: allow_any=no  allow_inactive=no  allow_active=yes
------------

Changing "allow_active" from "yes" to "no" and restarting "pcscd" has no impact either.

I don't understand what is going on, but this behavior doesn't seem to be correct. A non-privileged user (that isn't even member of group "u2f") should not gain access to a security token plugged into the machine.

Is this behavior reproducible by others, or maybe just a configuration mistake by me?
I previously mentioned this issue here: https://forums.FreeBSD.org/threads/94605/post-670209

Kind Regards,
Jan Behrens

From: "Wall, Stephen" <stephen.wall@redcom.com>
Date: Wed, 4 Sep 2024 13:27:46 +0000
To: freebsd-security@freebsd.org
Subject: RE: OpenSSL Security Advisory (fwd)
In-Reply-To: <20240903155326.C282E207@slippy.cwsent.com>

>> Possible denial of service in X.509 name checks (CVE-2024-6119)
> Is this something we need to concern ourselves with?

Since no one else is chiming in, I'll provide my feeble thoughts. As I read it, it primarily affects outgoing TLS connections. I.e., curl, wget, et al, and possibly (and more importantly IMO) apache/nginx proxying to another server. Speculating here: this could affect high volume web services where security is enough of a concern that the operators have enabled certificate name checks.

As a commercial user of FreeBSD with security conscious customers, I would certainly like to see it fixed in a FreeBSD patch release, but in all honesty we could easily enough apply the openssl patches to our FreeBSD source tree ourselves.

- Steve Wall

From: mike@sentex.net
Date: Wed, 4 Sep 2024 09:31:21 -0400 (EDT)
Message-ID:
<69b5814d-20a9-4142-8a4c-81ba04936502@sentex.net> Date: Wed, 4 Sep 2024 09:31:21 -0400 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: OpenSSL Security Advisory (fwd) To: "Wall, Stephen" , "freebsd-security@freebsd.org" References: <20240903155326.C282E207@slippy.cwsent.com> Content-Language: en-US From: mike tancsa Autocrypt: addr=mike@sentex.net; keydata= xsBNBFywzOMBCACoNFpwi5MeyEREiCeHtbm6pZJI/HnO+wXdCAWtZkS49weOoVyUj5BEXRZP xflV2ib2hflX4nXqhenaNiia4iaZ9ft3I1ebd7GEbGnsWCvAnob5MvDZyStDAuRxPJK1ya/s +6rOvr+eQiXYNVvfBhrCfrtR/esSkitBGxhUkBjOti8QwzD71JVF5YaOjBAs7jZUKyLGj0kW yDg4jUndudWU7G2yc9GwpHJ9aRSUN8e/mWdIogK0v+QBHfv/dsI6zVB7YuxCC9Fx8WPwfhDH VZC4kdYCQWKXrm7yb4TiVdBh5kgvlO9q3js1yYdfR1x8mjK2bH2RSv4bV3zkNmsDCIxjABEB AAHNHW1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5uZXQ+wsCOBBMBCAA4FiEEmuvCXT0aY6hs 4SbWeVOEFl5WrMgFAl+pQfkCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQeVOEFl5W rMiN6ggAk3H5vk8QnbvGbb4sinxZt/wDetgk0AOR9NRmtTnPaW+sIJEfGBOz47Xih+f7uWJS j+uvc9Ewn2Z7n8z3ZHJlLAByLVLtcNXGoRIGJ27tevfOaNqgJHBPbFOcXCBBFTx4MYMM4iAZ cDT5vsBTSaM36JZFtHZBKkuFEItbA/N8ZQSHKdTYMIA7A3OCLGbJBqloQ8SlW4MkTzKX4u7R yefAYQ0h20x9IqC5Ju8IsYRFacVZconT16KS81IBceO42vXTN0VexbVF2rZIx3v/NT75r6Vw 0FlXVB1lXOHKydRA2NeleS4NEG2vWqy/9Boj0itMfNDlOhkrA/0DcCurMpnpbM7ATQRcsMzk AQgA1Dpo/xWS66MaOJLwA28sKNMwkEk1Yjs+okOXDOu1F+0qvgE8sVmrOOPvvWr4axtKRSG1 t2QUiZ/ZkW/x/+t0nrM39EANV1VncuQZ1ceIiwTJFqGZQ8kb0+BNkwuNVFHRgXm1qzAJweEt RdsCMohB+H7BL5LGCVG5JaU0lqFU9pFP40HxEbyzxjsZgSE8LwkI6wcu0BLv6K6cLm0EiHPO l5G8kgRi38PS7/6s3R8QDsEtbGsYy6O82k3zSLIjuDBwA9GRaeigGppTxzAHVjf5o9KKu4O7 gC2KKVHPegbXS+GK7DU0fjzX57H5bZ6komE5eY4p3oWT/CwVPSGfPs8jOwARAQABwsB2BBgB CAAgFiEEmuvCXT0aY6hs4SbWeVOEFl5WrMgFAl+pQfkCGwwACgkQeVOEFl5WrMiVqwf9GwU8 c6cylknZX8QwlsVudTC8xr/L17JA84wf03k3d4wxP7bqy5AYy7jboZMbgWXngAE/HPQU95NM 
On 9/4/2024 9:27 AM, Wall, Stephen wrote:
>>> Possible denial of service in X.509 name checks (CVE-2024-6119)
>> Is this something we need to concern ourselves with?
> Since no one else is chiming in, I'll provide my feeble thoughts. As I read it, it primarily affects outgoing TLS connections. I.e., curl, wget, et al, and possibly (and more importantly IMO) apache/nginx proxying to another server. Speculating here: this could affect high volume web services where security is enough of a concern that the operators have enabled certificate name checks.
>
> As a commercial user of FreeBSD with security conscious customers, I would certainly like to see it fixed in a FreeBSD patch release, but in all honesty we could easily enough apply the openssl patches to our FreeBSD source tree ourselves.

It seems to be worked on.  The fix is already in the tree as of yesterday.

https://cgit.freebsd.org/src/commit/?id=fbd465f263400d3bc6c1a5c30857a76738c64396

I imagine there will be a SA in the near future.

---Mike
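Steve's reading above puts the exposed population at TLS clients that enable certificate name checks, including a reverse proxy verifying its upstream, and Mike's note says the fix has landed in the src tree. The practical follow-up for an operator is: which OpenSSL does each client on the box actually link, and is that build at a fixed release? The script below is an added example (not from the thread and not FreeBSD project code). Everything it assumes is stated here rather than on the page: the first fixed releases per branch (3.3.2, 3.2.3, 3.1.7, 3.0.15) are taken from the upstream OpenSSL advisory of 2024-09-03; `/usr/bin/openssl` and `/usr/local/bin/openssl` are the FreeBSD base and ports binaries; and the `ldd` parsing assumes the usual `libssl.so.N => /path` listing.

```python
"""
Added example: audit which OpenSSL a FreeBSD host's TLS clients use and
gate it against the releases that fix CVE-2024-6119.

Assumptions (not stated in the thread):
  * fixed releases per branch come from the upstream OpenSSL advisory:
    3.3.2, 3.2.3, 3.1.7, 3.0.15;
  * /usr/bin/openssl is the base system build, /usr/local/bin/openssl
    the ports build;
  * FreeBSD base may carry the fix as a backported patch without bumping
    the banner, so a "vulnerable" verdict for the base binary must be
    confirmed against the Security Advisory patch level
    (`freebsd-version -u`); the ports package tracks upstream versions.
"""
import re
import subprocess
from typing import Optional

Version = tuple[int, int, int]

# branch (major, minor) -> first release carrying the fix (assumption, see above)
FIXED_IN: dict[tuple[int, int], Version] = {
    (3, 3): (3, 3, 2),
    (3, 2): (3, 2, 3),
    (3, 1): (3, 1, 7),
    (3, 0): (3, 0, 15),
}

_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")
_LDD_LIBSSL = re.compile(r"^\s*libssl\.so[^ ]*\s*=>\s*(\S+)", re.MULTILINE)


def parse_openssl_version(banner: str) -> Optional[Version]:
    """'OpenSSL 3.0.14 4 Jun 2024' -> (3, 0, 14); None for LibreSSL or junk."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def cve_2024_6119_status(version: Optional[Version]) -> str:
    """'fixed', 'vulnerable', or 'unknown' (unparsable banner, or a branch
    that is not in the advisory's fixed-release table)."""
    if version is None:
        return "unknown"
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def libssl_from_ldd(ldd_output: str) -> Optional[str]:
    """Resolved libssl path from ldd(1) output, e.g.
    '\tlibssl.so.3 => /usr/local/lib/libssl.so.3 (0x...)' -> that path.
    This is how you learn whether nginx/apache/curl load base or ports OpenSSL."""
    m = _LDD_LIBSSL.search(ldd_output)
    return m.group(1) if m else None


def _run(argv: list[str]) -> str:
    try:
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def audit(binaries: list[str]) -> dict[str, str]:
    """Live check: fix status of each openssl binary by its banner."""
    return {path: cve_2024_6119_status(parse_openssl_version(_run([path, "version"])))
            for path in binaries}


if __name__ == "__main__":
    import sys
    for path, status in audit(["/usr/bin/openssl", "/usr/local/bin/openssl"]).items():
        print(f"{path}: {status}")
    # Which libssl does a given client load?  e.g. python3 this.py /usr/local/sbin/nginx
    for client in sys.argv[1:]:
        print(f"{client}: libssl = {libssl_from_ldd(_run(['ldd', client]))}")
```

A proxy that links `/usr/local/lib/libssl.so.3` is governed by the ports package and its version string; one that links the base library is governed by the base SA and patch level, where the banner alone can lag a backported fix.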
From nobody Wed Sep 4 15:44:13 2024
Date: Wed, 4 Sep 2024 17:44:13 +0200 (CEST)
From: henrichhartzer@tuta.io
To: Jan Behrens
Cc: Freebsd Security
In-Reply-To:
<20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
Subject: Re: Privileges using security tokens through PC/SC-daemon

Hi Jan,

I have never used Yubikeys on FreeBSD and can't offer a whole lot of insight.

I installed security/yubikey-manager-qt. ykman doesn't appear to be setuid, which was my first thought.

Since it's not setuid, is there a /dev device for the Yubikey that has global read (and write?) access?

I'm not aware if/how policykit is involved here.

-Henrich

Sep 4, 2024, 08:42 by jbe-mlist@magnetkern.de:

> Hello,
>
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
>
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it. When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).
>
> As far as I understand, polkit should prohibit this.
> pcsc-lite installs
> a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
> with the following contents:
>
> ------------
>
> "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
> "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
>
> The PCSC-lite Project
> https://pcsclite.apdu.fr/
>
> Access to the PC/SC daemon
> Authentication is required to access the PC/SC daemon
>
> no
> no
> yes
>
> Access to the smart card
> Authentication is required to access the smart card
>
> no
> no
> yes
>
> ------------
>
> Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
> no impact either.
>
> I don't understand what is going on, but this behavior doesn't seem to
> be correct. A non-privileged user (that isn't even member of group
> "u2f") should not gain access to a security token plugged into the
> machine.
>
> Is this behavior reproducible by others, or maybe just a configuration
> mistake by me?
>
> I previously mentioned this issue here:
> https://forums.FreeBSD.org/threads/94605/post-670209
>
> Kind Regards,
> Jan Behrens
>

From nobody Wed Sep 4 16:08:07 2024
Date: Wed, 4 Sep 2024 18:08:07 +0200
From: Tomek CEDRO
To: Jan Behrens
Cc: freebsd-security@freebsd.org
Subject: Re: Privileges using security tokens through PC/SC-daemon
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
In-Reply-To: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>

On Wed, Sep 4, 2024 at 10:42 AM Jan Behrens wrote:
> Hello,
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
>
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it.
> When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).

If the YubiKey is plugged to the USB port on the host where you run ykman then usb read/write permissions may be the problem?

If the YubiKey is plugged to your local machine, you use gpg-agent to ssh to a remote machine, and on that remote machine you can make ykman to work on your local machine's YubiKey, that's magic.

By the way there is a loud bug in various YubiKey tokens that allows cloning the physical tokens and/or private key access/recovery caused by bug in Infineon's library [1].

[1] https://www.yubico.com/support/security-advisories/ysa-2024-03/

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

From nobody Wed Sep 4 16:10:26 2024
Date: Wed, 4 Sep 2024 18:10:26 +0200
From: Tomek CEDRO
To: freebsd-security
Subject: [YubiKey/YubiHSM] Security Advisory YSA-2024-03 Infineon ECDSA Private Key Recovery

For anyone using the Yubico tokens :-)
https://www.yubico.com/support/security-advisories/ysa-2024-03/

Published Date: 2024-09-03
Tracking IDs: YSA-2024-03
CVE: In Process
CVSS Severity: 4.9

Summary

A vulnerability was discovered in Infineon's cryptographic library, which is utilized in YubiKey 5 Series, and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. The severity of the issue in Yubico devices is moderate.

An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys. The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key. See Affected Use Cases and Mitigations for more details.

The moderate vulnerability primarily impacts FIDO use cases because the FIDO standard relies on the affected functionality by default. YubiKey PIV and OpenPGP applications and YubiHSM 2 usage may also be impacted depending on configuration and algorithm choices by the end user.

As part of ongoing improvements in Yubico products and to reduce exposure to our supply chain, the dependency on Infineon's cryptographic library has been removed in favor of Yubico's own cryptographic library.

For more details by use case, see Affected Use Cases below:

Not Affected Products

- YubiKey 5 Series version 5.7.0 and newer
- YubiKey 5 FIPS Series 5.7 and newer (FIPS submission in process)
- YubiKey Bio Series versions 5.7.2 and newer
- Security Key Series versions 5.7.0 and newer
- YubiHSM 2 versions 2.4.0 and newer
- YubiHSM 2 FIPS versions 2.4.0 and newer

Affected

- YubiKey 5 Series versions prior to 5.7
- YubiKey 5 FIPS Series prior to 5.7
- YubiKey 5 CSPN Series prior to 5.7
- YubiKey Bio Series versions prior to 5.7.2
- Security Key Series all versions prior to 5.7
- YubiHSM 2 versions prior to 2.4.0
- YubiHSM 2 FIPS versions prior to 2.4.0

How To Tell If You Are Affected

Identify YubiKey Version

To identify the YubiKey, use Yubico Authenticator to identify the model and version of the YubiKey. The series and model of the key will be listed in the upper left corner of the Home screen. In the following example, the YubiKey is a YubiKey 5C NFC version 5.7.0.

Identify YubiHSM 2 Version

Using the YubiHSM SDK, connect to the YubiHSM 2 and use the get deviceinfo command with the following steps:

    $ yubihsm-connector -d
    $ yubihsm-shell
    yubihsm> connect
    yubihsm> get deviceinfo

Affected Use Cases and Mitigations

This issue is a side-channel vulnerability in the ECDSA implementation in the Infineon cryptographic library. In the YubiKey and YubiHSM, ECDSA is used for generating cryptographic signatures based on elliptic curves. ECDSA is heavily used in FIDO, however this could also impact PIV and OpenPGP use cases if ECC keys are used. YubiHSM 2 signing and attestation may also be impacted if ECC keys are used.

A sophisticated attacker could use this vulnerability to recover ECDSA private keys. An attacker requires physical possession and the ability to observe the vulnerable operation with specialized equipment to perform this attack. In order to observe the vulnerable operation, the attacker may also require additional knowledge such as account name, account password, device PIN, or YubiHSM authentication key.

YubiKey FIDO

Authentication

An attacker with physical possession of the YubiKey could recover FIDO credentials. In order to exploit this issue against credentials made with strict user verification requirements via credential protection policy userVerificationRequired, an attacker would also need to have possession of the user verification (UV) factor as well (i.e. PIN or biometric). Exploiting this issue against credentials made with credential protection policy userVerificationOptionalWithCredentialIDList would require either the user verification factor (PIN or biometric) or the FIDO credentialID. The FIDO credentialID can be obtained by observing a relying party prompt for the YubiKey credential. For example, if a relying party requires username, password, and a FIDO credential, the attacker would need username and password in order to proceed far enough into the authentication workflow to discover the FIDO credentialID. However, if a relying party only requires username before prompting for a FIDO credential, then an attacker only needs the username in order to discover the FIDO credentialID.

Organizations may consider using identity provider settings to lessen session length and require more frequent FIDO authentication. Frequent usage of the YubiKey can help identify lost or stolen YubiKeys more quickly and reduce the window of exposure for attackers in the event of a lost or stolen YubiKey. For more details around FIDO controls, see the related support article.

Attestation

Attestation is built into the FIDO and WebAuthn protocols. This feature enables each relying party to use a cryptographically verified chain of trust from the device's manufacturer to choose which security keys to trust. This feature is shown as allow lists and disallow lists of AAGUIDs in an identity provider that may be customizable for organizations.

An attacker could exploit this issue to create a fraudulent YubiKey using the recovered attestation key. This would produce a valid FIDO attestation statement during the make credential resulting in a bypass of an organization's authenticator model preference controls for affected YubiKey versions.

Organizations relying on FIDO attestation to ensure genuine YubiKeys are in use may consider supplementing FIDO login with other credentials such as YubiOTP or RSA attestation statements from PIV or OpenPGP. For more information about FIDO attestation and detailed instructions, see the related support article.

YubiKey PIV and OpenPGP

Signing

An attacker could duplicate elliptic curve signing keys. For PIV signing keys, the attacker requires a PIN to perform and observe a signing operation. The attacker may require the PIN in the OpenPGP use case depending on the OpenPGP PIN configuration. Users can mitigate by using RSA signing keys. For more information about PIV and OpenPGP configuration options as well as detailed instructions, see the related support article.

Attestation

YubiKeys are all made with a PIV attestation certificate and a separate OpenPGP attestation certificate. These are signed by Yubico CAs and can be used to produce a cryptographic statement that a PIV or OpenPGP key was created on the YubiKey. By default both the PIV attestation certificate and OpenPGP attestation certificate are RSA keys; if a user has replaced the key(s) with their own elliptic curve key(s), an attacker could produce a valid attestation statement for a key made outside of the YubiKey. The attacker does not require the PIN to perform and observe an attestation operation. Users can mitigate by using RSA attestation certificates and using OpenPGP options to require PIN for signing.

YubiHSM

For all YubiHSM cases, the attacker would also require an authentication key that has the appropriate capabilities to perform signing actions with the affected elliptic curve key. There are authentication methods available on the YubiHSM 2. One is using a password and the other is using YubiHSM Auth which stores an authentication key in a YubiKey. Authenticating to a YubiHSM with either method does not rely on ECDSA and is unaffected by this issue. For more information about HSM configuration and detailed instructions, see the related support article.

Signing

An attacker could duplicate elliptic curve signing keys. The attacker would need to be able to authenticate to the HSM with sufficient capabilities to perform signing actions. Users can mitigate by using RSA signing keys.

Attestation

If a user is attesting with their own elliptic curve key instead of the Yubico provided YubiHSM attestation key an attacker could produce a valid attestation statement for a key made outside of the YubiHSM. The attacker requires an authentication key with sign attestation capabilities to perform and observe an attestation operation. Users can mitigate by using RSA attestation certificates.

Additional Resources

Support Article: https://support.yubico.com/hc/en-us/articles/15705749884444
Research: https://ninjalab.io/eucleak/

Severity

Yubico has rated this issue as Moderate. It has a CVSS score of 4.9.

Acknowledgements

On April 19, 2024, Dr. Thomas Roche from NinjaLab notified Yubico of this security issue. We thank them for reporting it and working with us under coordinated vulnerability disclosure.
Timeline

April 19, 2024      NinjaLab informs Yubico of their research
May 21, 2024        Yubico releases YubiKey 5.7
September 2, 2024   Yubico announces YubiHSM 2.4
September 3, 2024   Yubico releases advisory YSA-2024-03

-- 
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info

From nobody Wed Sep 4 16:50:55 2024
Date: Wed, 4 Sep 2024 18:50:55 +0200
From: Jan Behrens
To: henrichhartzer@tuta.io, Tomek CEDRO , Freebsd Security
Subject: Re: Privileges using security tokens through PC/SC-daemon
Message-Id: <20240904185055.708f90e8d3478bd10f51242b@magnetkern.de>
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de>
X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.0)
ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE] X-Rspamd-Queue-Id: 4WzT5b27k5z4lR9 Answering two e-mails in one (hope that's okay). On Wed, 4 Sep 2024 17:44:13 +0200 (CEST) henrichhartzer@tuta.io wrote: > Hi Jan, > > I have never used Yubikeys on FreeBSD and can't offer a whole lot of insight. > > I installed security/yubikey-manager-qt. ykman doesn't appear to be setuid, which was my first thought. I forgot to mention which package I used for "ykman". I use package "py311-yubikey-manager-5.2.0", but this issue should apply to any software using the PC/SC-daemon. > > Since it's not setuid, is there a /dev device for the Yubikey has global read (and write?) access? It doesn't need setuid. As far as I understand, it accesses the pcscd through "/var/run/pcscd.comm". I didn't find any configuration option to restrict access to that socket. > > I'm not aware if/how policykit is involved here. Apparently polkit is supposed to manage under which circumstances pcscd allows access to the device (but that doesn't seem to be working properly). > > -Henrich Regards Jan P.S.: Also answering CEDRO's e-mail below: On Wed, 4 Sep 2024 18:08:07 +0200 Tomek CEDRO wrote: > If the YubiKey is plugged to the USB port on the host where you run > ykman then usb read/write permissions may be the problem? See above. This goes through /var/run/pcscd.comm (and then supposedly through polkit). > > If the YubiKey is plugged to your local machine, you use gpg-agent to > ssh to a remote machine, and on that remote machine you can make ykman > to work on your local machine's YubiKey thats magic. Not my scenario though. I logged into the machine with the security key from a separate machine (that has no security key inserted). > > By the way there is a loud bug in various YubiKey tokens that allows > cloning the physical tokens and/or private key access/recovery caused > by bug in Infineon's library [1]. 
> > [1] https://www.yubico.com/support/security-advisories/ysa-2024-03/ > > -- > CeDeROM, SQ7MHZ, http://www.tomek.cedro.info Yep, also noted on the forum: https://forums.FreeBSD.org/threads/94605/post-670262 It's a different class of attack though. Kind regards, Jan > > Sep 4, 2024, 08:42 by jbe-mlist@magnetkern.de: > > > Hello, > > > > I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set > > "pcscd_enable" to "YES" in "/etc/rc.conf". > > > > My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected > > to it. When I create an unprivileged user account and log in from a > > remote machine (through ssh), then this unprivileged user account can > > use "ykman" to access my security key and, for example, list stored > > credentials, generate one-time tokens, erase or temporariliy block the > > device (by providing a wrong PIN), or even effectively brick it (if no > > configuration password is set). > > > > As far as I understand, polkit should prohibit this. pcsc-lite installs > > a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy" > > with the following contents: > > > > ------------ > > > > > "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" > > "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> > > > > The PCSC-lite Project > > https://pcsclite.apdu.fr/ > > > > > > > > Access to the PC/SC daemon > > Authentication is required to access the PC/SC daemon > > > > no > > no > > yes > > > > > > > > > > Access to the smart card > > Authentication is required to access the smart card > > > > no > > no > > yes > > > > > > > > > > ------------ > > > > Changing "allow_active" from "yes" to "no" and restarting "pcscd" has > > no impact either. > > > > I don't understand what is going on, but this behavior doesn't seem to > > be correct. A non-privileged user (that isn't even member of group > > "u2f") should not gain access to a security token plugged into the > > machine. 
> > > > Is this behavior reproducible by others, or maybe just a configuration > > mistake by me? > > > > I previously mentioned this issue here: > > https://forums.FreeBSD.org/threads/94605/post-670209 > > > > Kind Regards, > > Jan Behrens > > > From nobody Wed Sep 4 22:58:23 2024 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WzdFZ2Svpz5VY4V for ; Wed, 04 Sep 2024 22:58:26 +0000 (UTC) (envelope-from jbe-mlist@magnetkern.de) Received: from gaoxing.magnetkern.de (gaoxing.magnetkern.de [IPv6:2a01:4f8:c012:f130::1]) by mx1.freebsd.org (Postfix) with ESMTP id 4WzdFY41H8z4vgn for ; Wed, 4 Sep 2024 22:58:25 +0000 (UTC) (envelope-from jbe-mlist@magnetkern.de) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of jbe-mlist@magnetkern.de designates 2a01:4f8:c012:f130::1 as permitted sender) smtp.mailfrom=jbe-mlist@magnetkern.de Received: from titanium.fritz.box (p200300c26f20ef00264bfefffe54b09c.dip0.t-ipconnect.de [IPv6:2003:c2:6f20:ef00:264b:feff:fe54:b09c]) by gaoxing.magnetkern.de (Postfix) with ESMTPSA id D75675F4CF for ; Thu, 5 Sep 2024 00:58:25 +0200 (CEST) Date: Thu, 5 Sep 2024 00:58:23 +0200 From: Jan Behrens To: freebsd-security@freebsd.org Subject: Re: Privileges using security tokens through PC/SC-daemon Message-Id: <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de> In-Reply-To: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.0) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII 
I think I may have found the problem. If I'm right, it is an issue of
pcsc-lite in combination with FreeBSD.

Looking into pcsc-lite's file "src/auth.c", we find:

#if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
...
#else
unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
{
	(void)socket;
	(void)action;
	(void)reader;

	return 1;
}

#endif

See:
https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54

If I'm not mistaken, SO_PEERCRED is not set by the build system and it
is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
to simply assume that any client is always authorized. Not good.

I wasn't able to get the build working, so maybe someone can check if
my guess is correct.

Kind regards,
Jan Behrens

On Wed, 4 Sep 2024 10:41:47 +0200
Jan Behrens wrote:

> Hello,
>
> I'm using packages "pcsc-lite-2.2.2,2" and "polkit-124_3" and set
> "pcscd_enable" to "YES" in "/etc/rc.conf".
>
> My computer has a YubiKey 5 NFC with firmware version 5.7.1 connected
> to it. When I create an unprivileged user account and log in from a
> remote machine (through ssh), then this unprivileged user account can
> use "ykman" to access my security key and, for example, list stored
> credentials, generate one-time tokens, erase or temporarily block the
> device (by providing a wrong PIN), or even effectively brick it (if no
> configuration password is set).
>
> As far as I understand, polkit should prohibit this. pcsc-lite installs
> a file "/usr/local/share/polkit-1/actions/org.debian.pcsc-lite.policy"
> with the following contents:
>
> ------------
>
>   "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
>   "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
>
>   The PCSC-lite Project
>   https://pcsclite.apdu.fr/
>
>     Access to the PC/SC daemon
>     Authentication is required to access the PC/SC daemon
>
>       no
>       no
>       yes
>
>     Access to the smart card
>     Authentication is required to access the smart card
>
>       no
>       no
>       yes
>
> ------------
>
> Changing "allow_active" from "yes" to "no" and restarting "pcscd" has
> no impact either.
>
> I don't understand what is going on, but this behavior doesn't seem to
> be correct. A non-privileged user (that isn't even member of group
> "u2f") should not gain access to a security token plugged into the
> machine.
>
> Is this behavior reproducible by others, or maybe just a configuration
> mistake by me?
>
> I previously mentioned this issue here:
> https://forums.FreeBSD.org/threads/94605/post-670209
>
> Kind Regards,
> Jan Behrens

From nobody Wed Sep 4 23:14:56 2024
Message-ID: <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org>
Date: Wed, 4 Sep 2024 18:14:56 -0500
From: Kyle Evans
To: freebsd-security@freebsd.org
Subject: Re: Privileges using security tokens through PC/SC-daemon
References: <20240904104147.8c1e74632b2c6d4f6a759ee6@magnetkern.de> <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de>
In-Reply-To: <20240905005823.3f7aa990a66c5f40d4eb4a8b@magnetkern.de>

On 9/4/24 17:58, Jan Behrens wrote:
> I think I may have found the problem. If I'm right, it is an issue of
> pcsc-lite in combination with FreeBSD.
>
> Looking into pcsc-lite's file "src/auth.c", we find:
>
> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
> ...
> #else
> unsigned IsClientAuthorized(int socket, const char* action, const char* reader)
> {
> 	(void)socket;
> 	(void)action;
> 	(void)reader;
>
> 	return 1;
> }
>
> #endif
>
> See:
> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>
> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
> to simply assume that any client is always authorized. Not good.
>
> I wasn't able to get the build working, so maybe someone can check if
> my guess is correct.
>
> Kind regards,
> Jan Behrens
>

Right, that'd be a problem. Something like this might work, but I
haven't even build tested it:
https://people.freebsd.org/~kevans/pcsc-auth.diff

It could be cleaned up a little bit if it works.
Thanks,

Kyle Evans

From nobody Wed Sep 4 23:37:09 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:09.libnv
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240904233709.8F089274A2@freefall.freebsd.org>
Date: Wed, 04 Sep 2024 23:37:09 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:09.libnv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in libnv

Category:       core
Module:         libnv
Announced:      2024-09-04
Credits:        Taylor R Campbell (NetBSD, CVE-2024-45287)
                Synacktiv (CVE-2024-45287, CVE-2024-45288)
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-04 12:24:56 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:27 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:12 UTC (releng/14.0, 14.0-RELEASE-p10)
                2024-09-04 12:24:12 UTC (stable/13, 13.4-STABLE)
                2024-09-04 19:13:10 UTC (releng/13.4, 13.4-RC2-p1)
                2024-09-04 20:29:40 UTC (releng/13.3, 13.3-RELEASE-p6)
CVE Name:       CVE-2024-45287, CVE-2024-45288

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

libnv (also called nvlist) is a general-purpose library designed for
storing name-value pairs. This library can serve as an Inter-Process
Communication (IPC) framework, enabling processes to exchange data. For
example, it is used in libcasper to communicate between privileged and
unprivileged processes. Additionally, libnv can function as an interface
for communication between userland and kernel.

Originally, libnv was inspired by OpenZFS nvlist. However, the
implementations are separate. This advisory is only about the base
system implementation of libnv, not the OpenZFS one.

II.  Problem Description

CVE-2024-45287 is a vulnerability that affects both the kernel and
userland. A malicious size value in a packed libnv structure can cause
an integer overflow, leading to the allocation of a smaller buffer than
required for the parsed data.

CVE-2024-45288 is a vulnerability that affects both the kernel and
userland. A missing NUL terminator on the last element of an nvlist
string array can lead to writing outside the allocated buffer.

III. Impact

It is possible for an attacker to overwrite portions of memory (in
userland or the kernel) as the allocated buffer might be smaller than
the data received from a malicious process. This vulnerability could
result in privilege escalation or cause a system panic.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch
# fetch https://security.FreeBSD.org/patches/SA-24:09/libnv.patch.asc
# gpg --verify libnv.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

d) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              9c2ef102166e    stable/14-n268655
releng/14.1/                            d87f821959fb  releng/14.1-n267696
releng/14.0/                            b219ce1c5a93  releng/14.0-n265433
stable/13/                              03bef9971d73    stable/13-n258309
releng/13.4/                            3aa9be7e3334  releng/13.4-n258240
releng/13.3/                            33b4e2361c82  releng/13.3-n257449
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54cACgkQbljekB8A
Gu8YLRAAmpVVVib8RgEj0bKS5qNLwujEssMIO96LS73txcFGm/Iy+QJA/N/SRtDL
lnKRi0ya90pBmXXhX03Uei+O/nBAFxkCxCukuQ36bauJrA74RFgn/8ZK63RbvdDE
K+xAyK71FXLTr+wGqyzv0xOxNA60dl14WiyaLCUX++0DU3EesmVD508wIL7Ls/bS
5g5vllxmELV2zXYXY/DbEVHS/i2YRCs8ftasa92uXVgOibODVpL/GSXy1QHyykNQ
ODAmGjs+p0xf2JDJa2qvokMh4WS4HkGe4W/TcJueTiSbsdOrDDhOV/n0QTgwt1rQ
zq2QQU3tk2unYjhQrR6ZvHTbFCKc7G3BVFCPAZ6fSthq834EoCr2LUGyYhU+bLZ6
SweQfCP48ExjIqvDzQqMOlvp9rMiLbxpjkdDcsml4zhD2GE+byuT6RSRBqq3tBvT
893YoIiW1m069DnAQxh1Zlewsk/BZFeeXBHZdk4Ik5KYFCwCabV3HLFa9hA1/iKx
5ITULL0gZgZKBQ9IbpkL45q9mcDHXrVuMPfA0a3bb38rpoK5uof25+oKSGGvWyDA
plGXuEh5Sltmx0lOdY2O70j8pLh7bVJCyo5rYDhObzQlWiajUx1pH3M9DePbI+Rk
Z+Gby0zKpXzgSfHSiSyfVPgDMa83yDpiozRMszjpvApB7h/hekQ=
=yX5r
-----END PGP SIGNATURE-----

From nobody Wed Sep 4 23:37:14 2024
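An added example for FreeBSD-SA-24:09.libnv above. This is editor's code, not libnv's, and the wire layout it parses is an assumption for the example rather than libnv's real packed format: a little-endian uint64_t item count followed by that many NUL-terminated strings filling the rest of the buffer. It shows the two failure classes the advisory names, a size computation that wraps so a huge item count buys a tiny array (CVE-2024-45287 class), and an unterminated last element (CVE-2024-45288 class), next to an unpacker that rejects both. The sample byte strings are constructed, not captured nvlist data.

```c
/*
 * Added example (editor's code, not libnv's). Minimal unpacker for a
 * packed string array with the checks the advisory's bugs were missing.
 * Assumed layout: uint64_t nitems (LE), then nitems NUL-terminated strings.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDRLEN 8

static uint64_t rd64le(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Size arithmetic the vulnerable way: nitems * sizeof(char *) wraps modulo
 * 2^64, so an attacker-chosen nitems yields a tiny array that the unpack
 * loop then overruns (CVE-2024-45287 class). Shown, never used below. */
uint64_t alloc_size_unchecked(uint64_t nitems)
{
    return nitems * (uint64_t)sizeof(char *);
}

/* Checked variant: refuse before multiplying. Returns 0 and sets *out, or
 * -1 when the product would not fit in size_t. */
int alloc_size_checked(uint64_t nitems, size_t *out)
{
    if (nitems > SIZE_MAX / sizeof(char *))
        return -1;
    *out = (size_t)nitems * sizeof(char *);
    return 0;
}

/* Unpack buf[0..buflen). On success returns 0; *out is a malloc'd array of
 * nitems pointers into buf (caller frees it). Returns -1 for a short
 * header, an nitems the payload cannot hold, an unrepresentable array
 * size, trailing bytes, or any element, the last included, that has no
 * NUL inside the buffer (CVE-2024-45288 class: strlen() on such an
 * element would read past the end). */
int unpack_string_array(const unsigned char *buf, size_t buflen,
                        const char ***out, size_t *nitems_out)
{
    if (buflen < HDRLEN)
        return -1;
    uint64_t nitems = rd64le(buf);
    size_t left = buflen - HDRLEN;
    if (nitems > left)                  /* every element needs at least its NUL */
        return -1;
    size_t arrsz;
    if (alloc_size_checked(nitems, &arrsz) != 0)
        return -1;
    const char **arr = malloc(arrsz ? arrsz : 1);
    if (arr == NULL)
        return -1;
    const unsigned char *p = buf + HDRLEN;
    for (uint64_t i = 0; i < nitems; i++) {
        const unsigned char *nul = memchr(p, '\0', left);
        if (nul == NULL) {              /* unterminated element: reject */
            free(arr);
            return -1;
        }
        arr[i] = (const char *)p;
        left -= (size_t)(nul - p) + 1;
        p = nul + 1;
    }
    if (left != 0) {                    /* bytes after the last element */
        free(arr);
        return -1;
    }
    *out = arr;
    *nitems_out = (size_t)nitems;
    return 0;
}

/* Constructed inputs (not captured nvlist data). Returns 0 when the
 * well-formed array unpacks and both malformed ones are rejected,
 * otherwise the number of the step that failed. */
int demo_unpack(void)
{
    static const unsigned char good[] = { 2,0,0,0,0,0,0,0, 'a','b',0, 'c',0 };
    static const unsigned char unterminated[] = { 2,0,0,0,0,0,0,0, 'a','b',0, 'c' };
    static const unsigned char huge[] = { 1,0,0,0,0,0,0,0x20, 'a',0 }; /* nitems = 2^61 + 1 */
    const char **arr;
    size_t n;
    if (unpack_string_array(good, sizeof good, &arr, &n) != 0)
        return 1;
    int ok = n == 2 && strcmp(arr[0], "ab") == 0 && strcmp(arr[1], "c") == 0;
    free(arr);
    if (!ok)
        return 2;
    if (unpack_string_array(unterminated, sizeof unterminated, &arr, &n) == 0) { free(arr); return 3; }
    if (unpack_string_array(huge, sizeof huge, &arr, &n) == 0) { free(arr); return 4; }
    return 0;
}
```

The nitems in the third sample, 2^61 + 1, is the interesting one: multiplied by 8 it wraps to exactly 8 bytes, so the unchecked arithmetic would hand back room for a single pointer while the loop expects to fill 2^61 of them; the checked version refuses the count outright, and the bound against the payload length refuses it even earlier.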
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:10.bhyve
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240904233714.7C7B427502@freefall.freebsd.org>
Date: Wed, 04 Sep 2024 23:37:14 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-24:10.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve(8) privileged guest escape via TPM device passthrough

Category:       core
Module:         bhyve
Announced:      2024-09-04
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        FreeBSD 14.x
Corrected:      2024-09-04 15:42:29 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:28 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:13 UTC (releng/14.0, 14.0-RELEASE-p10)
CVE Name:       CVE-2024-41928

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8) is a hypervisor that runs guest operating systems inside a
virtual machine.

II.  Problem Description

bhyve can be configured to provide access to the host's TPM device,
where it passes the communication through an emulated device provided
to the guest. This may be performed on the command-line by starting
bhyve with the `-l tpm,passthru,/dev/tpmX` parameters.

The MMIO handler for the emulated device did not validate the offset
and size of the memory access correctly, allowing guests to read and
write memory contents outside of the memory area effectively allocated.

III. Impact

Malicious software running in a guest VM can exploit the buffer
overflow to achieve code execution on the host in the bhyve userspace
process, which typically runs as root.

Note that bhyve runs in a Capsicum sandbox, so malicious code is
constrained by the capabilities available to the bhyve process.

IV.  Workaround

No workaround is available, but guests that do not use TPM passthrough
are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Guest operating systems exposing the TPM device need to be restarted
for the correction to be applied. (i.e., their corresponding bhyve
process needs to be terminated and started again)

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-24:10/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the corresponding bhyve processes, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              6ce4821f0859    stable/14-n268656
releng/14.1/                            eab723be7542  releng/14.1-n267697
releng/14.0/                            429f200688ca  releng/14.0-n265434
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The corresponding part of the security audit report as provided by
Synacktiv will be published in due course.

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmbY54kACgkQbljekB8A
Gu9vGg//YkEx8/3PWE8GUfdwfGrzMD+bpXoJViBIW+CX4tYYDU05CzF9i/FbB93B
629nWU4HMmTrQfARtpC/VCRASz+v6kSJvsOwt2120GVx5SUuFkP2nw3fCWdH5tqu
c/M4GRT2Brl4ZJFZGdfXCKYvGKnw68qhuX6CWFhXgAPAlj2VHNCluElriGMsuPs9
mmu6/YX5vwVps8dj1XJqx8TFv81PXyatBbzmDi4VMpeBkcM6RBjzDl3C9XVh2k9S
ahPVp9yW/bXLS2U5GA+rTK4PNIJukZ5tRb2DXH3g5Ku9l6s2l3b8oof6kNifhwf7
1L8QeTYabkeeGgCfpKmQb7ouZoAHw2fe6M64X/IAkWM46XejiV0mzRokjrG9VIPf
Ushi7hnEbI7Kzxw/H280R/lgsQh/o8+fF+3iFDij/GPKoWlLVy4WnLluihXkE2Xd
wlFxD80CKVxGi18JBjCIo7sFrLPuec1rGPn9sULCf2Yi5TnRnBYp9OzD7wSx5zIR
ohm6zKfajdyVlis9HLm1Xee4B7dEEbZWn6seo3DclCTIO22esN3Kjs8ovSyv1KFn
B0m0bR8YbJ0qVT/jDYdWkZmJW/EmmZpMMAN91G0q+M9m8Od4e81iQZknvujPsw+I
QjM5FlKvEuYXjt2tMxP35Dq8PXdl3jvY0fqTNrkCpuzKK0q76sM=
=VI0d
-----END PGP SIGNATURE-----

From nobody Wed Sep 4 23:37:17 2024
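An added example for FreeBSD-SA-24:10.bhyve above. This is editor's code, not bhyve's TPM emulation; the 4 KiB register window, the 1 to 8 byte access widths and the little-endian register encoding are assumptions for the example, not the TPM CRB layout. It shows a guest-facing MMIO handler for an emulated device with the offset/size validation written two ways: the addition form, which an attacker-chosen offset can wrap past the comparison, and the subtraction form, which cannot wrap once the offset itself has been bounded. The sample guest accesses in demo_guest_probe are constructed.

```c
/*
 * Added example (editor's code, not bhyve's). MMIO offset/size validation
 * for an emulated device register window, wrapping vs. non-wrapping form.
 * REGS_SIZE and the access widths are assumptions, not the TPM CRB layout.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REGS_SIZE 0x1000u   /* hypothetical 4 KiB register window */

struct emul_dev {
    uint8_t regs[REGS_SIZE];
    uint8_t guard[64];      /* host memory right after the window (demo canary) */
};

/* Unsafe: offset + size can wrap. offset = UINT64_MAX - 3 with size = 8
 * sums to 4, passes the comparison, and a copy at that offset runs far
 * outside regs[]. Kept only to show what the check must not look like. */
bool access_ok_wrapping(uint64_t offset, uint64_t size)
{
    return offset + size <= REGS_SIZE;
}

/* Safe: bound the offset first, then compare size to what remains. The
 * subtraction cannot wrap because offset < REGS_SIZE is already known. */
bool access_ok(uint64_t offset, uint64_t size)
{
    if (size == 0 || size > 8)          /* widths this device emulates */
        return false;
    if (offset >= REGS_SIZE)
        return false;
    return size <= REGS_SIZE - offset;
}

/* Guest write. Returns 0 on success, -1 when rejected; a rejected access
 * leaves host memory untouched. Registers are stored little-endian. */
int mmio_write(struct emul_dev *dev, uint64_t offset, uint64_t size, uint64_t value)
{
    if (!access_ok(offset, size))
        return -1;
    for (uint64_t i = 0; i < size; i++)
        dev->regs[offset + i] = (uint8_t)(value >> (8 * i));
    return 0;
}

/* Guest read, same contract. */
int mmio_read(const struct emul_dev *dev, uint64_t offset, uint64_t size, uint64_t *value)
{
    if (!access_ok(offset, size))
        return -1;
    uint64_t v = 0;
    for (uint64_t i = 0; i < size; i++)
        v |= (uint64_t)dev->regs[offset + i] << (8 * i);
    *value = v;
    return 0;
}

/* A guest probing the end of the window (constructed accesses). Returns 0
 * when the wrapping check accepts the bad access, the safe handler
 * rejects it and a straddling one, an in-range access round-trips, and
 * the guard region stays clean; otherwise the number of the failing step. */
int demo_guest_probe(void)
{
    struct emul_dev dev;
    uint64_t v = 0;
    memset(&dev, 0, sizeof dev);
    if (!access_ok_wrapping(UINT64_MAX - 3, 8)) return 1;                       /* the bug */
    if (mmio_write(&dev, UINT64_MAX - 3, 8, 0x4141414141414141ULL) != -1) return 2;
    if (mmio_write(&dev, REGS_SIZE - 4, 8, 0x4141414141414141ULL) != -1) return 3; /* straddles end */
    if (mmio_write(&dev, REGS_SIZE - 4, 4, 0xdeadbeef) != 0) return 4;
    if (mmio_read(&dev, REGS_SIZE - 4, 4, &v) != 0 || v != 0xdeadbeef) return 5;
    for (size_t i = 0; i < sizeof dev.guard; i++)
        if (dev.guard[i] != 0) return 6;
    return 0;
}
```

The straddling case (offset 0xFFC, size 8) is the one a reviewer should look for in any MMIO handler: the offset is inside the window, the access is a legal width, and only the combination reaches past the end. A check that validates offset and size separately, or adds them together in the guest's integer width, lets it through.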
From nobody Wed Sep 4 23:37:17 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:11.ctl
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240904233717.9345D27503@freefall.freebsd.org>
Date: Wed, 04 Sep 2024 23:37:17 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:11.ctl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple issues in ctl(4) CAM Target Layer

Category:       core
Module:         ctl
Announced:      2024-09-04
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-04 15:51:07 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:33 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:18 UTC (releng/14.0, 14.0-RELEASE-p10)
                2024-09-04 15:53:53 UTC (stable/13, 13.4-STABLE)
                2024-09-04 19:58:25 UTC (releng/13.4, 13.4-RC2-p1)
                2024-09-04 20:29:45 UTC (releng/13.3, 13.3-RELEASE-p6)
CVE Name:       CVE-2024-8178, CVE-2024-42416, CVE-2024-43110, CVE-2024-45063

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ctl subsystem provides SCSI target device emulation. The bhyve(8)
hypervisor and the ctld(8) iSCSI target daemon make use of ctl.

II.  Problem Description

Several vulnerabilities were found in the ctl subsystem.

The function ctl_write_buffer incorrectly set a flag, which resulted in a
kernel Use-After-Free when a command finished processing (CVE-2024-45063).

The ctl_write_buffer and ctl_read_buffer functions allocated memory to be
returned to userspace without initializing it (CVE-2024-8178).

The ctl_report_supported_opcodes function did not sufficiently validate a
field provided by userspace, allowing an arbitrary write to a limited
amount of kernel heap memory (CVE-2024-42416).

The ctl_request_sense function could expose up to three bytes of the
kernel heap to userspace (CVE-2024-43110).

Guest virtual machines in the bhyve hypervisor can send SCSI commands to
the corresponding kernel driver via the virtio_scsi interface. This gives
guests direct access to the vulnerabilities covered by this advisory.

The CAM Target Layer iSCSI target daemon ctld(8) accepts incoming iSCSI
connections, performs authentication and passes connections to the kernel
ctl(4) target layer.

III. Impact

Malicious software running in a guest VM that is exposed to virtio_scsi
can exploit the vulnerabilities to achieve code execution on the host in
the bhyve userspace process, which typically runs as root. Note that
bhyve runs in a Capsicum sandbox, so malicious code is constrained by the
capabilities available to the bhyve process.

A malicious iSCSI initiator could achieve remote code execution on the
iSCSI target host.

IV.  Workaround

No workaround is available. bhyve VMs that do not make use of virtio_scsi
(for instance, via `bhyve -s NN,virtio-scsi,...`), and hosts that do not
export iSCSI targets, are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The system should be rebooted in order to effectively mitigate the issue
with certainty.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.3, 14.0, 14.1]
# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch
# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl.patch.asc
# gpg --verify ctl.patch.asc

[FreeBSD 13.4]
# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch
# fetch https://security.FreeBSD.org/patches/SA-24:11/ctl-13.4.patch.asc
# gpg --verify ctl-13.4.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              803e0c2ab29b      stable/14-n268660
releng/14.1/                            d30ffde0806e    releng/14.1-n267701
releng/14.0/                            4c60b8289d0e    releng/14.0-n265438
stable/13/                              c8afc072690f      stable/13-n258314
releng/13.4/                            004298792002    releng/13.4-n258243
releng/13.3/                            639494a3c1e6    releng/13.3-n257453
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The corresponding part of the security audit report as provided by
Synacktiv will be published in due course.
The latest revision of this advisory is available at

From nobody Wed Sep 4 23:37:20 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:12.bhyve
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240904233720.E39C6271F6@freefall.freebsd.org>
Date: Wed, 04 Sep 2024 23:37:20 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:12.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bhyve(8) privileged guest escape via USB controller

Category:       core
Module:         bhyve
Announced:      2024-09-04
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-04 15:42:30 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:34 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:19 UTC (releng/14.0, 14.0-RELEASE-p10)
                2024-09-04 15:45:38 UTC (stable/13, 13.4-STABLE)
                2024-09-04 19:58:26 UTC (releng/13.4, 13.4-RC2-p1)
                2024-09-04 20:29:46 UTC (releng/13.3, 13.3-RELEASE-p6)
CVE Name:       CVE-2024-32668

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bhyve(8) is a hypervisor that runs guest operating systems inside a
virtual machine.

II.  Problem Description

bhyve can be configured to emulate devices on a virtual USB controller
(XHCI), such as USB tablet devices. Insufficient boundary validation in
the USB code could lead to an out-of-bounds write on the heap, with data
controlled by the caller.

III. Impact

Malicious, privileged software running in a guest VM can exploit the
vulnerability to achieve code execution on the host in the bhyve
userspace process, which typically runs as root. Note that bhyve runs in
a Capsicum sandbox, so malicious code is constrained by the capabilities
available to the bhyve process.

IV.  Workaround

No workaround is available, but VMs that do not make the XHCI device
available to the guest (via `bhyve -s xhci,...`) are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Guest operating systems emulating USB devices with XHCI need to be
restarted for the correction to be applied (i.e., their corresponding
bhyve process needs to be terminated and started again).

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-24:12/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the corresponding bhyve processes, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              90af1336ed5e      stable/14-n268657
releng/14.1/                            bb245c142075    releng/14.1-n267702
releng/14.0/                            1d01a6c11210    releng/14.0-n265439
stable/13/                              5920b7e6eea1      stable/13-n258311
releng/13.4/                            b3f0e555781c    releng/13.4-n258244
releng/13.3/                            5d6576f4f000    releng/13.3-n257454
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The corresponding part of the security audit report as provided by
Synacktiv will be published in due course.
The latest revision of this advisory is available at

From nobody Wed Sep 4 23:37:24 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:13.openssl
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240904233724.B62BF2724C@freefall.freebsd.org>
Date: Wed, 04 Sep 2024 23:37:24 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:13.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Possible DoS in X.509 name checks in OpenSSL

Category:       contrib
Module:         openssl
Announced:      2024-09-03
Credits:        David Benjamin (Google)
Affects:        FreeBSD 14.x
Corrected:      2024-09-03 17:09:21 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:35 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:20 UTC (releng/14.0, 14.0-RELEASE-p10)
CVE Name:       CVE-2024-6119

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit for the Transport Layer Security (TLS)
protocol. It is also a general-purpose cryptography library.

II.  Problem Description

Applications performing certificate name checks (e.g., TLS clients
checking server certificates) may attempt to read an invalid memory
address when comparing the expected name with an otherName subject
alternative name of an X.509 certificate. Basic certificate chain
validation is not affected. The issue only occurs when an application
also specifies an expected DNS name, Email address or IP address.

III. Impact

Affected applications may terminate, leading to a denial of service.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-24:13/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              5946b0c6cbc7      stable/14-n268645
releng/14.1/                            9a5a7c90d5e5    releng/14.1-n267703
releng/14.0/                            abd3a7939117    releng/14.0-n265440
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From nobody Wed Sep 4 23:37:29 2024
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-24:14.umtx
Reply-To: freebsd-security@freebsd.org
Message-Id: <20240904233729.E4F1A272DC@freefall.freebsd.org>
Date: Wed, 04 Sep 2024 23:37:29 +0000 (UTC)

=============================================================================
FreeBSD-SA-24:14.umtx                                       Security Advisory
                                                          The FreeBSD Project

Topic:          umtx Kernel panic or Use-After-Free

Category:       core
Module:         kern
Announced:      2024-09-04
Credits:        Synacktiv
Sponsored by:   The FreeBSD Foundation, The Alpha-Omega Project
Affects:        All supported versions of FreeBSD.
Corrected:      2024-09-04 16:00:58 UTC (stable/14, 14.1-STABLE)
                2024-09-04 21:07:40 UTC (releng/14.1, 14.1-RELEASE-p4)
                2024-09-04 20:54:24 UTC (releng/14.0, 14.0-RELEASE-p10)
                2024-09-04 16:05:17 UTC (stable/13, 13.4-STABLE)
                2024-09-04 19:58:30 UTC (releng/13.4, 13.4-RC2-p1)
                2024-09-04 20:29:50 UTC (releng/13.3, 13.3-RELEASE-p6)
CVE Name:       CVE-2024-43102

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The _umtx_op(2) system call provides support for the implementation of
synchronization primitives between threads, and is used by the 1:1
Threading Library (libthr, -lthr) to implement IEEE Std 1003.1-2001
("POSIX.1") pthread locks, like mutexes, condition variables and so on.
In particular, its UMTX_OP_SHM operation provides support for anonymous
shared memory associated with a particular physical address, which is
used to implement process-shared mutexes (PTHREAD_PROCESS_SHARED).

II.  Problem Description

Concurrent removals of such a mapping using the UMTX_SHM_DESTROY
sub-request of UMTX_OP_SHM can decrement the reference count of the
object representing the mapping too many times, causing it to be freed
too early.

III. Impact

Malicious code exercising the UMTX_SHM_DESTROY sub-request in parallel
can panic the kernel or enable further Use-After-Free attacks,
potentially including code execution or Capsicum sandbox escape.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-24:14/umtx.patch
# fetch https://security.FreeBSD.org/patches/SA-24:14/umtx.patch.asc
# gpg --verify umtx.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              4938f554469b      stable/14-n268665
releng/14.1/                            f4a2dbb81603    releng/14.1-n267707
releng/14.0/                            37823ca38148    releng/14.0-n265444
stable/13/                              a73a70472c47      stable/13-n258319
releng/13.4/                            7739dab97433    releng/13.4-n258248
releng/13.3/                            8fd0fa88b5a6    releng/13.3-n257458
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
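The comparison that section VI asks for, as an added POSIX sh example that is not part of the advisory: given a branch name and the first-parent commit count from `git rev-list --count --first-parent HEAD`, it reports whether a tree is at or past the first corrected commit for SA-24:14.umtx or SA-24:11.ctl, the two kernel-side fixes in this batch, using the Revision columns of their section VI tables. The `ident_field` parser assumes that a git-built kernel embeds a `<branch>-n<count>-<hash>` token in `uname -v`; when that token is absent the check reports `unknown` instead of guessing.

```shell
#!/bin/sh
# Added example, not from the advisory. Decides whether a source tree or
# kernel build is at or past the first corrected commit of a kernel-side
# advisory, using the Branch/Revision pairs from section VI.

# Corrected first-parent commit counts, from section VI of each advisory.
UMTX_FIXED='stable/14 268665
releng/14.1 267707
releng/14.0 265444
stable/13 258319
releng/13.4 258248
releng/13.3 257458'

CTL_FIXED='stable/14 268660
releng/14.1 267701
releng/14.0 265438
stable/13 258314
releng/13.4 258243
releng/13.3 257453'

# fixed_count ADVISORY BRANCH: print the first corrected commit count of
# BRANCH for ADVISORY (umtx or ctl); print nothing for an unlisted branch.
fixed_count() {
    case "$1" in
        umtx) table=$UMTX_FIXED ;;
        ctl)  table=$CTL_FIXED ;;
        *)    return 1 ;;
    esac
    printf '%s\n' "$table" | awk -v b="$2" '$1 == b { print $2 }'
}

# sa_status ADVISORY BRANCH COUNT: print fixed, vulnerable or unknown.
# COUNT is what "git rev-list --count --first-parent HEAD" prints in a
# checkout of BRANCH; the count only means something within that branch.
sa_status() {
    need=$(fixed_count "$1" "$2") || return 1
    if [ -z "$need" ]; then
        echo unknown                # branch not in the advisory's table
    elif [ "$3" -ge "$need" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Assumption: a git-built kernel reports a "<branch>-n<count>-<hash>" token
# in uname -v, e.g. "FreeBSD 14.1-RELEASE-p4 releng/14.1-n267707-f4a2dbb81603 GENERIC".
# ident_field STRING N: print part 1 (branch) or 2 (count) of that token.
ident_field() {
    printf '%s\n' "$1" |
        sed -n "s|.*[[:space:]]\([a-z]*/[0-9][0-9.]*\)-n\([0-9][0-9]*\)-[0-9a-f]*.*|\\$2|p"
}

# sa_status_ident ADVISORY STRING: same verdict from a uname -v style
# string; "unknown" when the token is absent (fall back to the git command).
sa_status_ident() {
    b=$(ident_field "$2" 1)
    c=$(ident_field "$2" 2)
    if [ -z "$b" ] || [ -z "$c" ]; then
        echo unknown
        return 0
    fi
    sa_status "$1" "$b" "$c"
}

# Constructed sample strings: the first two carry the hashes the advisories
# list, the third is a placeholder for an older build, the last has no token.
for s in \
    "FreeBSD 14.1-RELEASE-p4 releng/14.1-n267707-f4a2dbb81603 GENERIC" \
    "FreeBSD 13.3-RELEASE-p6 releng/13.3-n257458-8fd0fa88b5a6 GENERIC" \
    "FreeBSD 14.0-RELEASE-p9 releng/14.0-n265432-000000000000 GENERIC" \
    "FreeBSD 14.1-RELEASE-p4 GENERIC"
do
    printf '%-70s umtx=%s ctl=%s\n' "$s" \
        "$(sa_status_ident umtx "$s")" "$(sa_status_ident ctl "$s")"
done
```

A kernel string proves nothing about userland-only fixes such as SA-24:12.bhyve or SA-24:13.openssl, which need the rebuilt world or a fresh freebsd-update install regardless of the kernel's commit count.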
From nobody Thu Sep 5 00:00:14 2024
Date: Wed, 04 Sep 2024 20:00:14 -0400
From: "Roy J. Meyers III"
To: "Freebsd security"
Message-Id: <191bf7b4d8b.ff637171130769.1597532176720296497@rjcc.net>
In-Reply-To: <20240904233724.B62BF2724C@freefall.freebsd.org>
References: <20240904233724.B62BF2724C@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:13.openssl

Unsubscribe     - Roy

---- On Wed, 04 Sep 2024 19:37:24 -0400 FreeBSD Security Advisories wrote ----
Execute the fol= lowing commands as root: # cd /usr/src # patch < /path/to/patch c) Recomp= ile the operating system using buildworld and installworld as described in = . Restart all daemons= that use the library, or reboot the system. VI. Correction details This= issue is corrected as of the corresponding Git commit hash in the followin= g stable and release branches: Branch/path Has= h Revision - ------------------------------------------= ------------------------------- stable/14/ 594= 6b0c6cbc7 stable/14-n268645 releng/14.1/ 9a5a= 7c90d5e5 releng/14.1-n267703 releng/14.0/ abd3a= 7939117 releng/14.0-n265440 - --------------------------------------------= ----------------------------- Run the following command to see which files= were modified by a particular commit: # git show --stat Or= visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a = working tree (for comparison against nNNNNNN in the table above), run: # g= it rev-list --count --first-parent HEAD VII. 
References The latest revision of this advisory= is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffd= cgYM7bljekB8AGu8FAmbY55AACgkQbljekB8A Gu/qxQ/9H4Iaao+a5X4aXiV1iU+fT2KSli8fM= ZKeRw/OOIAztSOHZp7go0noAX65 SVwsb0fShwqAfDpeZhSjzMjpMmfkwQUkRbMK1SD+zLznSmC= 1McKF/EIAWrMwr78z zDLv497wh26tY+3CUZJQPwkodTvkHnwU0jeUSTjHqC+lOQeOcQ9HwL0T4= FsHw4HF BJEX/k6uabpXsQe4H9U8C3MbUlOxiKfwFZAxDBhei2zZN/kfAY63iQhVH6/Ls5BG ei= 7TcEF2e6ylhdaLcCxpArRrdql1VQ4SanAGVW4MQ/2s3YpxQYweKGMg4VSZvqXt 07mBlNHcLeps= HK1/qXhDqO/UMO5QsSsH1trwiohmZRQZJp4wXFsGhc102dezDbun TEJutKpNsojvWQ01IFcykC= kvH2AAGXHJTB8H3jVXhBIU6DuqcmjVc8WXbrdN0vX8 KcZgI7S5PyQ0WF+ESqR5MHGXx7Qr9uZP= KSMvPq0/g2d+6G52/Yw4oZ3rZtqU34iO uLq+FApa0Ema3jzxhq89c9oybfADpBDmYsAfqfMqex= S+nIuPjeUpcv9gCukr2Of3 rJDxx2hF/1c/hd83Pp7MKBT/x/4E3vombPjeNeP/sBLhXFSKiVxU= DYGYgm6yw3GA E7rv33ZJ09RaDGp9jbYaV5rOuEWAZpy42X/LsHjI9W3v0sGCJvU=3D =3DJDHd= -----END PGP SIGNATURE----- =20 =20 =20 =20 =20 ------=_Part_313599_213137764.1725494414731 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable =
From nobody Thu Sep 5 00:17:50 2024
From: Jan Behrens <jbe-mlist@magnetkern.de>
To: Kyle Evans <kevans@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Date: Thu, 5 Sep 2024 02:17:50 +0200
Message-Id: <20240905021750.6716898b6d52e08b0287940b@magnetkern.de>
In-Reply-To: <92f328f3-0f74-441a-840b-fdc3ae71fe0b@FreeBSD.org>
Subject: Re: Privileges using security tokens through PC/SC-daemon

On Wed, 4 Sep 2024 18:14:56 -0500
Kyle Evans <kevans@FreeBSD.org> wrote:

> On 9/4/24 17:58, Jan Behrens wrote:
> > I think I may have found the problem. If I'm right, it is an issue of
> > pcsc-lite in combination with FreeBSD.
> >
> > Looking into pcsc-lite's file "src/auth.c", we find:
> >
> > #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
> > ...
> >
> > [...]
> >
> > See:
> > https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
> >
> > If I'm not mistaken, SO_PEERCRED is not set by the build system and it
> > is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
> > to simply assume that any client is always authorized. Not good.
> >
> > I wasn't able to get the build working, so maybe someone can check if
> > my guess is correct.
> >
> > Kind regards,
> > Jan Behrens
> >
>
> Right, that'd be a problem. Something like this might work, but I
> haven't even build tested it:
>
> https://people.freebsd.org/~kevans/pcsc-auth.diff
>
> It could be cleaned up a little bit if it works.
>
> Thanks,
>
> Kyle Evans
>

While that would fix things for FreeBSD, I still think it's not a good
idea to default to "always grant access" when a C macro is missing.
This could lead to unnoticed security vulnerabilities on other
platforms as well.

Maybe a better approach would be to make pcscd refuse to startup
without --disable-polkit on those platforms where Polkit or socket
authentication is not available/implemented. (And also add the fixes
for FreeBSD like you suggested, so this does not apply to FreeBSD.)

Regards
Jan

From nobody Thu Sep 5 02:26:52 2024
From: James Watt <crispy.james.watt@gmail.com>
To: freebsd-security@freebsd.org
Date: Thu, 5 Sep 2024 10:26:52 +0800
Subject: Security vulnerability - action required: please update openssh in your project of releng/14.0 to 9.6p1 like branch master

Hi,
  we have detected that your project of release/14.0 is vulnerable to the
CVE-2023-51384 which is caused by the lower version of openssh, maybe you
need to update it?

Best regards,
James
From nobody Thu Sep 5 02:58:23 2024
From: Kyle Evans <kevans@FreeBSD.org>
To: Jan Behrens <jbe-mlist@magnetkern.de>
Cc: freebsd-security@freebsd.org
Date: Wed, 4 Sep 2024 21:58:23 -0500
Message-ID: <5e49667e-daf5-4c37-bc59-83ad8806c945@FreeBSD.org>
In-Reply-To: <20240905021750.6716898b6d52e08b0287940b@magnetkern.de>
Subject: Re: Privileges using security tokens through PC/SC-daemon

On 9/4/24 19:17, Jan Behrens wrote:
> On Wed, 4 Sep 2024 18:14:56 -0500
> Kyle Evans <kevans@FreeBSD.org> wrote:
>
>> On 9/4/24 17:58, Jan Behrens wrote:
>>> I think I may have found the problem. If I'm right, it is an issue of
>>> pcsc-lite in combination with FreeBSD.
>>>
>>> Looking into pcsc-lite's file "src/auth.c", we find:
>>>
>>> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
>>> ...
>>>
>>> [...]
>>>
>>> See:
>>> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>>>
>>> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
>>> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
>>> to simply assume that any client is always authorized. Not good.
>>>
>>> I wasn't able to get the build working, so maybe someone can check if
>>> my guess is correct.
>>>
>>> Kind regards,
>>> Jan Behrens
>>>
>>
>> Right, that'd be a problem. Something like this might work, but I
>> haven't even build tested it:
>>
>> https://people.freebsd.org/~kevans/pcsc-auth.diff
>>
>> It could be cleaned up a little bit if it works.
>>
>> Thanks,
>>
>> Kyle Evans
>>
>
> While that would fix things for FreeBSD, I still think it's not a good
> idea to default to "always grant access" when a C macro is missing.
> This could lead to unnoticed security vulnerabilities on other
> platforms as well.

I don't have a strong opinion about this, but my
I-spent-five-minutes-looking-at-PCSC assessment would tend to agree.

> Maybe a better approach would be to make pcscd refuse to startup
> without --disable-polkit on those platforms where Polkit or socket
> authentication is not available/implemented. (And also add the fixes
> for FreeBSD like you suggested, so this does not apply to FreeBSD.)
>

I have a stronger opinion here- polkit is a build-time configuration
option, and it absolutely should not build if there's no sane
IsClientAuthorized implementation for the platform. Failing open when
the software has led you to believe that a policy will be doing access
control is a complete tragedy that, IMO, is probably more of an
oversight than an intentional decision.

Thanks,

Kyle Evans

From nobody Thu Sep 5 03:00:08 2024
From: "Roy J. Meyers III" <roy@rjcc.net>
To: "Freebsd security" <freebsd-security@freebsd.org>
Date: Wed, 04 Sep 2024 23:00:08 -0400
Message-Id: <191c0200030.1291c755a135809.2428653685342024794@rjcc.net>
Subject: Unsubscribe

From nobody Thu Sep 5 03:32:03 2024
From: Kyle Evans
Date: Wed, 4 Sep 2024 22:32:03 -0500
Subject: Re: Privileges using security tokens through PC/SC-daemon
To: freebsd-security@freebsd.org
In-Reply-To: <5e49667e-daf5-4c37-bc59-83ad8806c945@FreeBSD.org>
On 9/4/24 21:58, Kyle Evans wrote:
> On 9/4/24 19:17, Jan Behrens wrote:
>> On Wed, 4 Sep 2024 18:14:56 -0500
>> Kyle Evans wrote:
>>
>>> On 9/4/24 17:58, Jan Behrens wrote:
>>>> I think I may have found the problem. If I'm right, it is an issue of
>>>> pcsc-lite in combination with FreeBSD.
>>>>
>>>> Looking into pcsc-lite's file "src/auth.c", we find:
>>>>
>>>> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
>>>> ...
>>>>
>>>> [...]
>>>>
>>>> See:
>>>> https://github.com/LudovicRousseau/PCSC/blob/da69dda356dc79300a997631f94efed7190d30a6/src/auth.c#L54
>>>>
>>>> If I'm not mistaken, SO_PEERCRED is not set by the build system and it
>>>> is not defined on FreeBSD (but only on Linux). Then pcsc-lite defaults
>>>> to simply assume that any client is always authorized. Not good.
>>>>
>>>> I wasn't able to get the build working, so maybe someone can check if
>>>> my guess is correct.
>>>>
>>>> Kind regards,
>>>> Jan Behrens
>>>>
>>>
>>> Right, that'd be a problem.  Something like this might work, but I
>>> haven't even build tested it:
>>>
>>> https://people.freebsd.org/~kevans/pcsc-auth.diff
>>>
>>> It could be cleaned up a little bit if it works.
>>>
>>> Thanks,
>>>
>>> Kyle Evans
>>>
>>
>> While that would fix things for FreeBSD, I still think it's not a good
>> idea to default to "always grant access" when a C macro is missing.
>> This could lead to unnoticed security vulnerabilities on other
>> platforms as we
>
> I don't have a strong opinion about this, but my
> I-spent-five-minutes-looking-at-PCSC assessment would tend to agree.
>
>> Maybe a better approach would be to make pcscd refuse to start up
>> without --disable-polkit on those platforms where Polkit or socket
>> authentication is not available/implemented. (And also add the fixes
>> for FreeBSD like you suggested, so this does not apply to FreeBSD.)
>>
>
> I have a stronger opinion here- polkit is a build-time configuration
> option, and it absolutely should not build if there's no sane
> IsClientAuthorized implementation for the platform.  Failing open when
> the software has led you to believe that a policy will be doing access
> control is a complete tragedy that, IMO, is probably more of an
> oversight than an intentional decision.
>
> I've posted a pull request now:
> https://github.com/LudovicRousseau/PCSC/pull/209
>
> Thanks,
>
> Kyle Evans
>
From nobody Thu Sep 5 04:27:06 2024
From: Gordon Tetlow
Date: Wed, 4 Sep 2024 21:27:06 -0700
Subject: Re: Security vulnerability— action required：please update openssh in you project of releng/14.0 to 9.6p1 like branch master
To: James Watt
Cc: freebsd-security@freebsd.org

> On Sep 4, 2024, at 7:26 PM, James Watt <crispy.james.watt@gmail.com> wrote:
>
> Hi,
> we have detected that your project of release/14.0 is vulnerable to the CVE-2023-51384 which is caused by the lower version of openssh, maybe you need to update it?
>
> Best regards,
> James
>

Hi James,

We (secteam) try to avoid wholesale upgrade of OpenSSH in our release branches. As such, we take a risk-based approach on what we pull into the tree. Given this particular CVE is related to ssh-agent with a specific set of circumstances (multiple PKCS#11 keys with destination constraints), we opted not to publish an update for it. Users who want to defend from this particular CVE could either use the OpenSSH from ports/pkg or directly upgrade to 14.1-RELEASE.

Lastly, given that 14.0-RELEASE is going out of support at the end of this month, this will be overcome by events pretty shortly.

On an unrelated note, your note says that "we" have detected the old version. Out of curiosity, do you represent a broader organization? Your email address being hosted on gmail.com makes it difficult to know.

Thanks,
Gordon
Hat: security-officer
From nobody Thu Sep 5 08:03:04 2024
From: Jan Behrens
Date: Thu, 5 Sep 2024 10:03:04 +0200
Subject: Re: Privileges using security tokens through PC/SC-daemon
To: Kyle Evans
Cc: freebsd-security@freebsd.org

On Wed, 4 Sep 2024 22:32:03 -0500
Kyle Evans wrote:

> On 9/4/24 21:58, Kyle Evans wrote:
> > On 9/4/24 19:17, Jan Behrens wrote:
> >> On Wed, 4 Sep 2024 18:14:56 -0500
> >> Kyle Evans wrote:
> >>
> >>> On 9/4/24 17:58, Jan Behrens wrote:
> >>>> I think I may have found the problem. If I'm right, it is an issue of
> >>>> pcsc-lite in combination with FreeBSD.
> >>>>
> >>>> Looking into pcsc-lite's file "src/auth.c", we find:
> >>>>
> >>>> #if defined(HAVE_POLKIT) && defined(SO_PEERCRED)
> >>>> ...
> >>>>
> >>>> [...]
> >>> [...]
> > [...]
> > I've posted a pull request now:
> > https://github.com/LudovicRousseau/PCSC/pull/209
>

Great! Thanks for the work!
Jan

From nobody Fri Sep 6 01:08:25 2024
From: Philip Paeps
Date: Fri, 06 Sep 2024 09:08:25 +0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-24:14.umtx
To: Garrett Wollman
Cc: freebsd-security@freebsd.org
In-Reply-To: <202409052330.485NUM3l093810@hergotha.csail.mit.edu>

On 2024-09-06 07:30:22 (+0800), Garrett Wollman wrote:
> On Wed, 04 Sep 2024 23:37:29 +0000 (UTC), FreeBSD Security Advisories
> said:
>> Library (libthr, -lthr) to implement IEEE Std 1003.1-2001
>> (“POSIX.1”) pthread
>
> The current version of the standard is 1003.1-2024, released just a
> few months ago.
>
> There are some hiccups with the transposition into ISO, so there isn't
> an ISO/IEC 9945-1:2024 yet (and might not be, depending on how things
> are resolved in ISO/IEC JTC 1).
>
> No need to update the advisory but whatever tool generated this text
> should be updated.

I believe this was copied from the _umtx_op(2) manual page.
That's usually where we source the background sections of advisories and errata.

Philip