From nobody Wed Jan 29 21:31:02 2025 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwLv3C2fz5m301 for ; Wed, 29 Jan 2025 21:31:03 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwLv0bmmz3sH1; Wed, 29 Jan 2025 21:31:03 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186263; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=w60hGinYKxkxbdyD4AmVxtttCcJEgXqMsTM/GBvSIFM=; b=NNJZJiFr1pWAcSOsKIQq1QPA/qKIpYY/rT3oDYbyMiUGXYqonfyXDa0JS1WOYFtfU3qw5Z 9LPbVjBS7N/eS6jU8eWREZ3jmv6+69GztMoOcz4yGrF2LyVP7K8TPY/4C8pr+1aSwFDBkt hS2nbtYuguK2VMyr4de5INtVK4R0TJkqSNa0+KXD46aFmnCf/OOJAmmY9w5jNGSoGEUx29 TL7Q8DkwUii03lX0U/gqTc3po/T3NODseBp5YloDj7Ba5BbwOShB7+JntqtRcOFMPVfj7l v9aGMcIvDVUTcVkdddcEAjfHBFKOYLyK0LzKwsG+EyNnws+y1jHj/dqIe0OKYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186263; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=w60hGinYKxkxbdyD4AmVxtttCcJEgXqMsTM/GBvSIFM=; b=XWnlRyoiTHlbgI5nC08QjTrNbjjskd4QKcCZuGjY2pbdcw9JKzI/ATgKQDsRRPrn50tmwY AF+jw9VpCqS2ZMOepBN31opbu79YRz7qIB+J0FdHv/tnMq2yrmtqNZ/2QrUU/k2tqPrIN1 rsKujgznlVlDZ1jsjHpA6Wn+JqSMeKcEKutU4QjkIMTlM5BK5s745NyV8f9M4+tpKV1Jcr TbSuYHYpIe78tnXTjfP9a/WGSSRiwqWOP6BRRikJVj8Zxsx9wr19WTymDPqA0FNFGDAkEw tXLvkmIMP6yHtm2KRMLto1ypmOgSkEYFPj467mXDmN5YkowYHcvZ1zDSU/6Fuw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738186263; a=rsa-sha256; cv=none; b=W+S0d9rOS8hgmopnJ+MuveIWDm5D23LaSMpcV61Q5E5iEtpwY8jJ/0I05sYIlVuBfq5M+d wZyLgAbhZfOLYnKZqG6iuKszKGpWx+plPCuIe/1QA8gzPCeiaG8S2btbdXrF4hwQN4c6os phGzmc531Vkr7E+qwh25mYJ0IUcsPbKRJbG9l32WapvOtQ3/3rg9CfAEZLER3c7rHvNkFT 1Bn5PJg3Z2sDU51AGwp5ywIeWYPBzXvy/FhuWZQXJ7IbJGxy3nH6pMpYmlvj7GOBMEbk2N I6i/zoX/f+Y3o0evgmxpT0Kq0i8kX8RSGrQd7hYeDMD1I4rYhPdA7S0RwK+CTw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id EB861257E; Wed, 29 Jan 2025 21:31:02 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:01.openssh Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129213102.EB861257E@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:31:02 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:01.openssh Security Advisory The FreeBSD Project Topic: OpenSSH Keystroke Obfuscation Bypass Category: contrib Module: openssh Announced: 2025-01-29 Credits: Philippos Giavridis Credits: Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford (University of Cambridge) Affects: FreeBSD 14.1 Corrected: 2024-07-15 18:45:16 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:55:25 UTC (releng/14.1, 14.1-RELEASE-p7) 2024-08-01 15:03:50 UTC (stable/13, 13.4-STABLE) CVE Name: CVE-2024-39894 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. OpenSSH version 9.5 introduced a mechanism to mitigate keystroke timing attacks by "sending interactive traffic at fixed intervals when there is only a small amount of data being sent." II. Problem Description A logic error in the ssh(1) ObscureKeystrokeTiming feature (on by default) rendered this feature ineffective. III. Impact A passive observer could detect which network packets contain real keystrokes, and infer the specific characters being transmitted from packet timing. IV. Workaround No workaround is available. This bug does not affect connections when ObscureKeystrokeTiming was disabled or sessions where no TTY was requested. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 14.1] # fetch https://security.FreeBSD.org/patches/SA-25:01/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-25:01/openssh.patch.asc # gpg --verify openssh.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ bf9a275b24f6 stable/14-n268158 releng/14.1/ 88d5d8108711 releng/14.1-n267735 stable/13/ 79853e40abd8 stable/13-n258171 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKgACgkQbljekB8A Gu8WORAAl3zgLVz40e7nhduuV4eZlnvWAc6sruSap5f80ikGLRDfuzgKugWdOvTA i+bSZuZkGPx444uyC0JcN016+oUpd/1Xzr4/KQ7BL0ZYmgxQn/O8jfPbEiSloXpG Vgn8ZXYh1EKilhIw6n79yZN6WSY/gAfMZzeY/R7v1n7WaBnUYaUB8fl94CoTxf1j qQfmngBi6GU52OqirqBI4OYozJ2dkhRK/epvFUxMPGFVKa7wj4GChrQFW+PCyvHE TPg4H37kbSC37LbCn2Y/vjs8WcAr/xI68AGkalANgqVvtIpA0+tO7hn5gqgevbc8 xO1xDvy38mlgX1CIdRD/Ur857z3P23mVfPhHkXX+85mbH/8QRbMJuB88zrhS9pcY V+dq23r0ALRCo8t8Sab5xukZhuK2rxFfXvfF2YT920Vd7LgCsA9MjTCdU/IfNpH0 Ax5Lq1bm4cv9DT47XBRn+0QDZU0TSq0uJ8YLrusfS67ikzdbSBqL3tOAXtz6DeCL UDqSg3Ohw4HFn+DNMOdmESWO/t5LesEY/nB/vGSQYNYQMqlednwAPVhp6D8jvcgE Wi26qTLo4SgcvfDUk4EfDeLp90pgCXkBn5Zo9eTdOlyY/aMzvFcI7EKbsSAkX1Cg zus5DrcA9BTu2Wp9xWTUHLBC65ecHy6/xXSubjL4GCbYcPcjxQI= =oskq -----END PGP SIGNATURE----- From nobody Wed Jan 29 21:31:05 2025 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwLy4Vy9z5m2ts for ; Wed, 29 Jan 2025 21:31:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwLx6xpZz3s8M; Wed, 29 Jan 2025 21:31:05 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186266; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=BHYAQ1lB/AO2LCnpMzxZrnBbcJ5KRqCymEB6teZRBeo=; b=PEJ1p7akVZPT+pZ+NkzfeOE6p4gfwZvFCNlZBTU1oc4yd5yN6Aj0oddsgt8gPi+yHzAaiF MbHR1EXVMbc6OSmRv/3mn//T/7PJyey9jstioeTlSlDE+rxbcGKKKJ9sL7PI5vFQhoPNl0 hxmI5Gyw5fxDQO+8oAVTMSN5tDoPbdvIVRHzdjNsnPaat77flLBU9VSIcd8rHnQFpCLe0e H5/tgI0r737YmIjRTdumNlrc3vAew3z6v2LoRj8MQn6ehqdpdkGo2X87gJFzJKHp4oYqtr j45udMDBSWWBCCyB/Q4EmFb9PXlRJYNJe1Eb8WbFonG/bLv5BPJaHxoF51XBXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186266; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=BHYAQ1lB/AO2LCnpMzxZrnBbcJ5KRqCymEB6teZRBeo=; b=GX3ZMlt7jIATGgAUTK4mvho09Q4hMLRB+KqHcYdESVlm0S4XNnthmXdcYpsATLNSFOXbia r9e4Pgoe3sTC9xP6AcUKZAyDUCXMNncIljUc9escDemwooDlqX0zOFQhu4tSeVVrtqltcX BWIi8yCJhNM7zpv87w8dbZKqa06Gxs2GVVi06G2tPElREWSRkabAzhd6unvFWFFWtyNlUo 6hO3XH1DwngWluWfzT4Qgttd89Ta/PyJ55M44ld2E/4fRxHDhLeYxyrvVpSiI2cO92zaJG gWbF0sEN3AYtOznhIlOPPjwbKvN4PLWe03Xuoa883GjpDqtxo/tJPIKIV9ecDw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738186266; a=rsa-sha256; cv=none; b=lBKiMgiwTeLE2+kaLsI7RSvc/OwAVk3O+BGUNZUsGc8ZvzAeDjZtEkdFtfkNv8ZH3ryse6 1MAvSHW46fKssJTNfgtNLzOaM8WSOnr5g08VwV21fHIzvyf/YgsiKTPxJjSJke4apqN9r0 Gb8uYms4LhE90xcDaU325lLUip2aZKEt/iv8WP3dgPfBCFicbVnfuc+XNCeqXh1GIiLDKM GkENSNMemnr2nOxpL+uVyYkGnGDtlHiOy3QWE6yDXcFbqPScDD6PsyxeGNzrHeJErb8ShK WFv0XT2bqfo9R+bz0uTXNWWToDr3bq51jb8H68Q94GCDDj9tGJrFUqhtxVsJDg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id E3B3328A1; Wed, 29 Jan 2025 21:31:05 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:02.fs Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129213105.E3B3328A1@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:31:05 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:02.fs Security Advisory The FreeBSD Project Topic: Buffer overflow in some filesystems via NFS Category: core Module: fs Announced: 2025-01-29 Credits: Kevin Miller Affects: All supported versions of FreeBSD. Corrected: 2025-01-17 13:53:10 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:54:56 UTC (releng/14.2, 14.2-RELEASE-p1) 2025-01-29 18:55:22 UTC (releng/14.1, 14.1-RELEASE-p7) 2025-01-17 14:00:40 UTC (stable/13, 13.4-STABLE) 2025-01-29 18:55:29 UTC (releng/13.4, 13.4-RELEASE-p3) CVE Name: CVE-2025-0373 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides a number of filesystem implementations for different purposes. cd9660 is used to mount ISO 9660 images; tarfs is used to mount POSIX tar archives; ext2fs is used to mount ext2, ext3, and ext4 filesystems. II. Problem Description In order to export a file system via NFS, the file system must define a file system identifier (FID) for all exported files. Each FreeBSD file system implements operations to translate between FIDs and vnodes, the kernel's in-memory representation of files. These operations are VOP_VPTOFH(9) and VFS_FHTOVP(9). On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow. III. Impact A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic. IV. Workaround No workaround is available, however, only systems which export a cd9660, tarfs, or ext2fs filesystem via NFS are affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-25:02/fs-14.patch # fetch https://security.FreeBSD.org/patches/SA-25:02/fs-14.patch.asc # gpg --verify fs-14.patch.asc [FreeBSD 13.x] # fetch https://security.FreeBSD.org/patches/SA-25:02/fs-13.patch # fetch https://security.FreeBSD.org/patches/SA-25:02/fs-13.patch.asc # gpg --verify fs-13.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 7a3a0402aeb6 stable/14-n270143 releng/14.2/ faa47d299a0e releng/14.2-n269512 releng/14.1/ c90866090517 releng/14.1-n267732 stable/13/ ee931cf4a49c stable/13-n259016 releng/13.4/ 0365b776f1b1 releng/13.4-n258273 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKoACgkQbljekB8A Gu8JFw/7Bq7C56cUeMwxb6I7BU3U2/DNjKLAR3bymrYqqJberyyyfUtgCcaTyz2q uCOAlK8xSbOVwX4WYb4pygR/uxRCPBaooTLpIZBPTCT5TxyTeLqQWfedeVMgYHgd zkuS4cG97IACiS9Zey6xFO5Rati0QoSuhEf36rvJXO/E7HQHARe954G7FDWvTi3W Snn5MvWYFwCvcL7gtthaoXtxS/FFRv+ht+cv6u/k6BNQXU7QFhF5qfFxM5rFczhO +TTFMoizAxLyirZNPy2n2jg9u+vrh2LKmfwiuMxX3zUeNI8/7yNZJ7ea+VGoRAxh OEXXPLbNPVtJdi6qvZ+3D0HUw/3aRjg/i0/Qe+5KXFC7OLBxksM5vyOC+eAjoyQW Y489eI7B5tV1td52wotZ1bIyt3GHmKtFxOt2kajPaR0vjuaYtdUb85PtT2QGjnRJ XbzmwrCM1YsBKANUHdh7sP5Bx1UI6dlQS2dgRQdbz43378lM1XND3RidioAdbYe6 SyDyFnZPypHaQfZVdlepnYxActqvhKeeq0aWkgqymaeL78sqmF4AARFVSqep8MXL boUkn3tMp1rojKH87Hk8saqRepZfX3DuwONsz++mgKEmqgnb8zKYI0Q4Gq6nYgcr d8UxaWQz1mkiPfaqDvUOmAYWoWIiA+KsfIZIKj7+vrMEH32QzaA= =vbcl -----END PGP SIGNATURE----- From nobody Wed Jan 29 21:33:19 2025 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwPX4wJ6z5m3Sm for ; Wed, 29 Jan 2025 21:33:20 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwPW59dWz3wdS; Wed, 29 Jan 2025 21:33:19 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186399; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=M0jn+qA0JUOJvgAJj0BPy1SU7alJqC+NIlGtN6PB8Yo=; b=ZGuoPK93BrE4b/lpSmMAkMBxPC2Vr0adpWXDXpl776U4Lthh10/YpVIy+c9luEhkHKE22K DisSAe6PwMyMLnphPsmXlzbo2kRFUnfNfH00lLxzj9bYnLdMOolKut8dhpXSMWSsK5MmBw ntN9tmDQjdOrsXN9wrIGq3gRCkJ/LVtxXJ+N4iloiAW0uY4O4vkcB/R+jhep7cYpOZZm9P fvS1FlOSqkXsQehkKrBcdU4q5sAUWdJzQH9J5hNN6aZZOQddNyJLvTszNSKvpd4pYfCT3c 6P+54IDhln462usW+rzC23i2zJ2XnJfbZn2Vu0o0UXRAQYSeVLmx8jq/5ytfsQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738186399; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=M0jn+qA0JUOJvgAJj0BPy1SU7alJqC+NIlGtN6PB8Yo=; b=JCGKmyDtWruIHqw+2eJXrfo32dbuW5Wbuq4Kf2v62H4hB44dobr4EXIxs2kNpwDAEEoQb9 dqTryG+KgpwUMyG+80CChPIV22bGzVanX+V9cfKpfCUG/5qi1ODfFW8mULKVZg02yy1nHW Y/pcYzDgKwvIbvXbpIQMEMwhg4fAoN49YNodJskBUm1+IsMPhQjjpiD8B8WnAi4IjYr63P 2rJd8C05M1kKcbnGDE4VUJ3knc6Z745qPmArsZDRHyuah22CUEgfd8UZebxHI2NC36u4SO HJxWy72w5ndNPwn8IaTi+VXAqsXLrapuvJ5B+5DIEEkQwTA6kAosNDcYL3ofLw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738186399; a=rsa-sha256; cv=none; b=fdau4zUJ6++i5fGTaEu+U/CH79KXDY6AuqYiFwkNLrnXCebJaFuiORDnMtA1cnphNfkMo1 QLOqnfTZkKz8IALG90dOI8VOqvJ0d1+n6pU8JC4bxiLlDpVDkE3fm03OT2HPBlnKVwKuHa DM2GwZ8CjlhHXyqtF+Ft7KcQqZ/5JwLosdCst9KjhpbkLylpX8Jeky8Q/2IbNxv86KJ0RN cPKg50iMCtlEtBNT5gjT7wFaLOlHtu8o+OftHpYUaXk5/NkPVOYbGcYKr7sLkmIaTEsr3q JqhfTAViv64+mAdcSsxoxzx5dq4tne0WT3n1/UcpA9f9+zo7W9rczi+HpZ4fLQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id AA96C27C8; Wed, 29 Jan 2025 21:33:19 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:04.ktrace Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129213319.AA96C27C8@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:33:19 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:04.ktrace Security Advisory The FreeBSD Project Topic: Uninitialized kernel memory disclosure via ktrace(2) Category: core Module: ktrace Announced: 2025-01-29 Credits: Yichen Chai and Zhuo Ying Jiang Li Affects: FreeBSD 14.2 Corrected: 2025-01-20 22:09:53 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:54:50 UTC (releng/14.2, 14.2-RELEASE-p1) CVE Name: CVE-2025-0662 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ktrace utility enables kernel trace logging for the specified processes, commonly used for diagnostic or debugging purposes. The kernel operations that are traced include system calls, namei translations, signal processing, and I/O as well as data associated with these operations. II. Problem Description In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace. III. Impact It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-25:04/ktrace.patch # fetch https://security.FreeBSD.org/patches/SA-25:04/ktrace.patch.asc # gpg --verify ktrace.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 99d5ee8738a3 stable/14-n270190 releng/14.2/ 10f8a9df522f releng/14.2-n269507 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajK4ACgkQbljekB8A Gu84pQ//WXxC3kW+JP6R73oQ3s5hhokCE7FjwlRj6QhkblmgBdRrwwFzkR0nLfSK TUirfyYikaCtw3K/FpAYfm4VSJR3MlFhjUXhU+4KWBnJHf0t6NYEJP6MixsDFMvn IZWZsrLs8Ryl03kKiH3EWfA9KVqx0OI0Cj9LOLo5nBzZjR0auUxYRdNrYuEq4i9n OxMRbB3i5C3oy+I8ZW6fAAyYRb008oLDZmMBluIybCH01B35NQP/iAjpO6HQT5rt fvHlo/kEOGSqBrwcnJXzLiJE4uKtiS4CDBltEN1WpP3N1MBqbLj6GO5uEWQGA73F MhOzeCd3kM+41KQjdtxvIJ9yc0i/m0VLOnBTaKCqAS4bGTOl5FIIZEaY3J3+7dOP wkcdFTOxl9K+RZ5CERAUxoGqgS9r+HOvWBIQcQoD9j4UCBocwyZn8fvp6niK0CWl TR4T7UE8nAiK/QqBQ7DTqKlAkrMC3+FS5XVfw6GXJ7NFMP/HFh/AIE7oEYN+h/rQ JXPmuU9Ml0ZHuy4PLcX16YSX+T+fdNWMxL1eomHE/FUwZoNP2RC0Wi9nGxEKtLun JLGFkfQzuwfIItGYICvvOKw6Ry9Q1WYJFTdrNLCn7upUW0BnXVDVzRz7X68FJgtO uXQGChtW/PfG/KoMY544eX5lL27Kxi5oBNS/VzDtCPG0bHAAgMw= =ErDS -----END PGP SIGNATURE----- From nobody Wed Jan 29 21:45:18 2025 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwgL5nq2z5m5sH for ; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwgL20pNz3HdG; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738187118; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=lXq7DNRYGIfsLJ0Azg1kNELsdync4vCFhzW6BFKRQIk=; b=oqCa1XUKswhHPB/+okZlcJbPhIYcBSuV0nd4EGg0q0g+L2ijClPKHaZ64IMnAJHmQ9Qjft Co33myYzhQ0KpwRN1/X44y8eQrcdVvz+tYmGa8Iczdsl9CX1TY4fsnJU9i1xZAyhu/cmDn lag8Xl9u01bfF6IROonCwbR0imtWfyvSeVtX9zjA6ehM3Op+H0nqfT6ZNM4KmawjW8wI3J oIz4RF0iZp+L1mRSHRIJExHicjm0XP3tL/Jbbqf2jiITi1sGm0KsUdaQUWLymVooBuVnSk AX2RRU8BaPrzCbph8wMbTPeTcznzWMrXpca8XMhnUKFxqkZLmmf+maJQfu5Sng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738187118; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=lXq7DNRYGIfsLJ0Azg1kNELsdync4vCFhzW6BFKRQIk=; b=TfCEfA4jhZ2TfKsCh+D3VKJ5eAs0ap1/AlDoAKiR3WLKS6Ddw0T0rMUkrS9VoKsKmWBtTd sCeAGuY90L/hSmptU5/0vxJ288CbKxGMD1W4IkhqwjiUO3rgIfvtSDN4A9uWohg+4pknNN GXXWxjGQZXlLpIr/JiPovear5izveufT3vrt3OGbK8eK981tsWRoyZGr/avpqehM6dUj4I 8EB2xKs5lu8Rug6DTvqTHx2kQ1qum5sEsrh6BK0mADvRrpkrdAOg0zKak/LDolYf+TF2Ok cKWdS+/CdOXcAcI7UfzLhXy+QXe3A1fRzFSTduTtY8i82FhRIa5f8E2EpNKHQA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738187118; a=rsa-sha256; cv=none; b=L/wEYAhbNOsIwAKCTu2t2a7lHOwzBU8v4tl0kfDiGdqkrWvxG7C9F8v5NAm/9iUnjBAVt3 pdC8EujeW9autYqXX+pwKzrwvd8MuIBirEr3gPkV/6GdlG2sV/pYIVIpaHVVGxkYI1w4oV aTcgfEXPkydqziLt4wnXD5DG7ktMJCl4SEBR8LlFNNGIYxcHgpv99nB3uJuKorfOWQJlql MdYOcjmA4DkvZsSO+zrizu+SExgerInwxVG5hxHfinKMZ4FvztWTayQNbtNEkpAZnylCRF 99h9s7zYyXMOGpLHewKlaFRw9jjE542SxuzvxloajHfy4VxT6ImxuNG8GJ7uNg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id 2A1312EE0; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:03.etcupdate Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129214518.2A1312EE0@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:45:18 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:03.etcupdate Security Advisory The FreeBSD Project Topic: Unprivileged access to system files Category: core Module: etcupdate Announced: 2025-01-29 Credits: Christos Chatzaras Affects: All supported versions of FreeBSD. Corrected: 2025-01-28 16:07:18 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:54:57 UTC (releng/14.2, 14.2-RELEASE-p1) 2025-01-29 18:55:26 UTC (releng/14.1, 14.1-RELEASE-p7) 2025-01-28 16:07:34 UTC (stable/13, 13.4-STABLE) 2025-01-29 18:55:30 UTC (releng/13.4, 13.4-RELEASE-p3) CVE Name: CVE-2025-0374 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The etcupdate(8) utility is a tool for managing updates to files that are not updated as part of ‘make installworld’ such as files in /etc. It manages updates by doing a three-way merge of changes made to these files against the local versions. It is also designed to minimize the amount of user intervention with the goal of simplifying upgrades for clusters of machines. II. Problem Description When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd. III. Impact An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved. IV. Workaround No workaround is available. Systems whose files are updated using a mechanism other than etcupdate, such as freebsd-update(8), are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch # fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch.asc # gpg --verify etcupdate.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 93836ff92be8 stable/14-n270244 releng/14.2/ c55000e7c233 releng/14.2-n269513 releng/14.1/ b8945a926a2f releng/14.1-n267736 stable/13/ 17e935f1f327 stable/13-n259074 releng/13.4/ c1c180910d46 releng/13.4-n258274 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKwACgkQbljekB8A Gu+/Zg//S1n7l9ABmKTrFKWstkDgyNplTyb8VRQ6HQtdAQSa1M5C8MUXt57wjCV0 uOilT3GwT29IzBW2EDe3m8uOGdd3n0Ti6pCn0a11HV/VXqTt7zbbLNSPs7soTWVs oIsig0wmw/oZ2+ZkOvZG19ae99NdLzrV6YSK8NpdnOqwnTiZtN0cxCEdzhAQVznL omYwXjw7todZ1mskECDuaFrw+1R6K2Aw0lpauveNcsGewjV85IML6G3sPKYMJJCq E51LZ/1AfkQ+DDae+BVrGpvocf8YtR1p9Af8nSq16/WKKn4bwsVqFDf+fDpLpHW6 W7P+Ng4KDKMPX7D/ObzTECKJLuhP3f0yZkkOrypIXFC5M34lbmyqJvR4tB7uJeNU uqlD9RNbKY652isbIRZKz5L8gnZpFK0IUTHhcGOpTw8dfF19CsfE2jHoI/7fs8rC RqMRCHo2dlPMP1xHTWfsgS3BYNJgC99CF1VCgpj2PuwQ3tP+CnQ5Ed2tvdTRrPjA /IL3DzH/5hUIhHUPPPnw7m4PHUduXJyG1gvv998oIVw4Q7AXTcTGYU4fLZrEvBY7 r4Zgpy8WkdRYMJHfdlrmSJNf3r2isrVXosw5PLbwBRw1k+V2KlxBRo6YjglbakU/ LEmgLL7D4BrMHUBjqe1m1wff3Urz41tRTQr/IaBjeXxI6jlwDDM= =60Xo -----END PGP SIGNATURE-----