From nobody Mon Dec 22 20:17:49 2025
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dZqFg1bZPz6LXV4
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Mon, 22 Dec 2025 20:17:59 +0000 (UTC)
	(envelope-from mike@sentex.net)
Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smarthost1.sentex.ca", Issuer "R13" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4dZqFd5xlCz3wxf
	for <freebsd-security@freebsd.org>; Mon, 22 Dec 2025 20:17:57 +0000 (UTC)
	(envelope-from mike@sentex.net)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=pass (mx1.freebsd.org: domain of mike@sentex.net designates 2607:f3e0:0:1::12 as permitted sender) smtp.mailfrom=mike@sentex.net
Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19])
	by smarthost1.sentex.ca (8.18.1/8.18.1) with ESMTPS id 5BMKHoAY027619
	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL)
	for <freebsd-security@freebsd.org>; Mon, 22 Dec 2025 15:17:50 -0500 (EST)
	(envelope-from mike@sentex.net)
Received: from [IPV6:2607:f3e0:0:4:8878:3fe3:dbff:f34f] ([IPv6:2607:f3e0:0:4:8878:3fe3:dbff:f34f])
	by pyroxene2a.sentex.ca (8.18.1/8.15.2) with ESMTPS id 5BMKHn2w089045
	(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO)
	for <freebsd-security@freebsd.org>; Mon, 22 Dec 2025 15:17:49 -0500 (EST)
	(envelope-from mike@sentex.net)
Content-Type: multipart/alternative;
 boundary="------------h0WKsurm8gHXlns8Xz2U3oos"
Message-ID: <a4d9a76b-3812-475e-9f2f-b885c5f5960a@sentex.net>
Date: Mon, 22 Dec 2025 15:17:49 -0500
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
From: mike tancsa <mike@sentex.net>
Subject: FreeBSD-SA-25:12.rtsold.asc clarification needed
Autocrypt: addr=mike@sentex.net; keydata=
 xsBNBFywzOMBCACoNFpwi5MeyEREiCeHtbm6pZJI/HnO+wXdCAWtZkS49weOoVyUj5BEXRZP
 xflV2ib2hflX4nXqhenaNiia4iaZ9ft3I1ebd7GEbGnsWCvAnob5MvDZyStDAuRxPJK1ya/s
 +6rOvr+eQiXYNVvfBhrCfrtR/esSkitBGxhUkBjOti8QwzD71JVF5YaOjBAs7jZUKyLGj0kW
 yDg4jUndudWU7G2yc9GwpHJ9aRSUN8e/mWdIogK0v+QBHfv/dsI6zVB7YuxCC9Fx8WPwfhDH
 VZC4kdYCQWKXrm7yb4TiVdBh5kgvlO9q3js1yYdfR1x8mjK2bH2RSv4bV3zkNmsDCIxjABEB
 AAHNHW1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5uZXQ+wsCOBBMBCAA4FiEEmuvCXT0aY6hs
 4SbWeVOEFl5WrMgFAl+pQfkCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQeVOEFl5W
 rMiN6ggAk3H5vk8QnbvGbb4sinxZt/wDetgk0AOR9NRmtTnPaW+sIJEfGBOz47Xih+f7uWJS
 j+uvc9Ewn2Z7n8z3ZHJlLAByLVLtcNXGoRIGJ27tevfOaNqgJHBPbFOcXCBBFTx4MYMM4iAZ
 cDT5vsBTSaM36JZFtHZBKkuFEItbA/N8ZQSHKdTYMIA7A3OCLGbJBqloQ8SlW4MkTzKX4u7R
 yefAYQ0h20x9IqC5Ju8IsYRFacVZconT16KS81IBceO42vXTN0VexbVF2rZIx3v/NT75r6Vw
 0FlXVB1lXOHKydRA2NeleS4NEG2vWqy/9Boj0itMfNDlOhkrA/0DcCurMpnpbM7ATQRcsMzk
 AQgA1Dpo/xWS66MaOJLwA28sKNMwkEk1Yjs+okOXDOu1F+0qvgE8sVmrOOPvvWr4axtKRSG1
 t2QUiZ/ZkW/x/+t0nrM39EANV1VncuQZ1ceIiwTJFqGZQ8kb0+BNkwuNVFHRgXm1qzAJweEt
 RdsCMohB+H7BL5LGCVG5JaU0lqFU9pFP40HxEbyzxjsZgSE8LwkI6wcu0BLv6K6cLm0EiHPO
 l5G8kgRi38PS7/6s3R8QDsEtbGsYy6O82k3zSLIjuDBwA9GRaeigGppTxzAHVjf5o9KKu4O7
 gC2KKVHPegbXS+GK7DU0fjzX57H5bZ6komE5eY4p3oWT/CwVPSGfPs8jOwARAQABwsB2BBgB
 CAAgFiEEmuvCXT0aY6hs4SbWeVOEFl5WrMgFAl+pQfkCGwwACgkQeVOEFl5WrMiVqwf9GwU8
 c6cylknZX8QwlsVudTC8xr/L17JA84wf03k3d4wxP7bqy5AYy7jboZMbgWXngAE/HPQU95NM
 aukysSnknzoIpC96XZJ0okLBXVS6Y0ylZQ+HrbIhMpuQPoDweoF5F9wKrsHRoDaUK1VR706X
 rwm4HUzh7Jk+auuMYfuCh0FVlFBEuiJWMLhg/5WCmcRfiuB6F59ZcUQrwLEZeNhF2XJV4KwB
 Tlg7HCWO/sy1foE5noaMyACjAtAQE9p5kGYaj+DuRhPdWUTsHNuqrhikzIZd2rrcMid+ktb0
 NvtvswzMO059z1YGMtGSqQ4srCArju+XHIdTFdiIYbd7+jeehg==
X-Scanned-By: MIMEDefang 2.86
X-Spamd-Bar: --
X-Spamd-Result: default: False [-2.41 / 15.00];
	NEURAL_HAM_MEDIUM(-1.00)[-0.996];
	NEURAL_HAM_LONG(-0.99)[-0.995];
	R_SPF_ALLOW(-0.20)[+ip6:2607:f3e0::/32];
	RCVD_IN_DNSWL_LOW(-0.20)[2607:f3e0:0:1::12:from,199.212.134.19:received];
	MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	NEURAL_SPAM_SHORT(0.08)[0.082];
	DMARC_NA(0.00)[sentex.net];
	RCPT_COUNT_ONE(0.00)[1];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCVD_TLS_ALL(0.00)[];
	TO_DN_EQ_ADDR_ALL(0.00)[];
	FREEFALL_USER(0.00)[mike];
	FROM_HAS_DN(0.00)[];
	MID_RHS_MATCH_FROM(0.00)[];
	RCVD_COUNT_TWO(0.00)[2];
	FROM_EQ_ENVFROM(0.00)[];
	ARC_NA(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org];
	R_DKIM_NA(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-security@freebsd.org];
	MIME_TRACE(0.00)[0:+,1:+,2:~]
X-Rspamd-Queue-Id: 4dZqFd5xlCz3wxf

This is a multi-part message in MIME format.
--------------h0WKsurm8gHXlns8Xz2U3oos
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Just trying to better understand this issue as it says no work around is 
available yet if ipv6 is disabled, this seems like a work around ?

No workaround is available.  Users not using IPv6, and IPv6 users that do not
configure the system to accept router advertisement messages, are not affected.
A network interface listed by ifconfig(8) accepts router advertisement messages
if the string "ACCEPT_RTADV" is present in the nd6 option list.


The issue seems to be in userland with the patch being
--- usr.sbin/rtsold/rtsol.c.orig
+++ usr.sbin/rtsold/rtsol.c

And more specifically, to be vulnerable, does rtsold need to be actually running ? Or does the program get called by the kernel somehow. ie. I need
rtsold_enable="YES" in /etc/rc.conf
and seeing
ACCEPT_RTADV
in ifconfig is not actually sufficient to be vulnerable to this ?

Is patching the userland daemon enough ? It seems to be

"Restart the applicable daemons, or reboot the system."


     ---Mike

--------------h0WKsurm8gHXlns8Xz2U3oos
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE html>
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Just trying to better understand this issue as it says no work
      around is available yet if ipv6 is disabled, this seems like a
      work around ? </p>
    <pre
style="color: rgb(0, 0, 0); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; overflow-wrap: break-word; white-space: pre-wrap;">No workaround is available.  Users not using IPv6, and IPv6 users that do not
configure the system to accept router advertisement messages, are not affected.
A network interface listed by ifconfig(8) accepts router advertisement messages
if the string "ACCEPT_RTADV" is present in the nd6 option list.


The issue seems to be in userland with the patch being
--- usr.sbin/rtsold/rtsol.c.orig
+++ usr.sbin/rtsold/rtsol.c

And more specifically, to be vulnerable, does rtsold need to be actually running ? Or does the program get called by the kernel somehow. ie. I need 
rtsold_enable="YES" in /etc/rc.conf
and seeing 
ACCEPT_RTADV
in ifconfig is not actually sufficient to be vulnerable to this ?

Is patching the userland daemon enough ? It seems to be

"Restart the applicable daemons, or reboot the system."</pre>
    <p><br>
    </p>
    <p>    ---Mike</p>
  </body>
</html>

--------------h0WKsurm8gHXlns8Xz2U3oos--