From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-22:01.vt
Reply-To: freebsd-security@freebsd.org
Message-Id: <20220112165014.C47A221C2@freefall.freebsd.org>
Date: Wed, 12 Jan 2022 16:50:14 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume]
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

=============================================================================
FreeBSD-SA-22:01.vt                                         Security Advisory
                                                          The FreeBSD Project

Topic:          vt console buffer overflow

Category:       kernel
Module:         vt
Announced:      2022-01-11
Credits:        Oleg Bulyzhin
Affects:        FreeBSD 12.2 and FreeBSD 13.0
Corrected:      2021-09-22 18:41:00 UTC (stable/13, 13.0-STABLE)
                2022-01-11 18:15:03 UTC (releng/13.0, 13.0-RELEASE-p6)
                2021-09-25 18:15:49 UTC (stable/12, 12.2-STABLE)
                2022-01-11 18:33:21 UTC (releng/12.2, 12.2-RELEASE-p12)
CVE Name:       CVE-2021-29632

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD's system console is provided by the vt(4) virtual terminal
console driver.

II.  Problem Description

Under certain conditions involving use of the highlight buffer while text
is scrolling on the console, console data may overwrite data structures
associated with the system console or other kernel memory.

III. Impact

Users with access to the system console may be able to cause system
misbehaviour.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch
# fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch.asc
# gpg --verify vt.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              9352de39c3dc    stable/13-n247428
releng/13.0/                            3e0a1e124169  releng/13.0-n244773
stable/12/                                                        r370674
releng/12.2/                                                      r371491
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-22:09.elf
Reply-To: freebsd-security@freebsd.org
Message-Id: <20220809223526.232EA1724A@freefall.freebsd.org>
Date: Tue, 9 Aug 2022 22:35:26 +0000 (UTC)

=============================================================================
FreeBSD-SA-22:09.elf                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Out of bound read in elf_note_prpsinfo()

Category:       core
Module:         kernel
Announced:      2022-08-09
Credits:        Josef 'Jeff' Sipek
Affects:        All supported versions of FreeBSD.
Corrected:      2022-08-09 19:47:32 UTC (stable/13, 13.1-STABLE)
                2022-08-09 20:00:43 UTC (releng/13.1, 13.1-RELEASE-p1)
                2022-08-09 19:59:14 UTC (releng/13.0, 13.0-RELEASE-p12)
                2022-08-09 19:57:35 UTC (stable/12, 12.3-STABLE)
                2022-08-09 19:59:47 UTC (releng/12.3, 12.3-RELEASE-p6)
CVE Name:       CVE-2022-23089

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Process information known as "prpsinfo" is written when dumping core of a
process as an ELF note.

The sbuf family of functions allows one to safely allocate, compose and
release strings in kernel or user space.

II.  Problem Description

When dumping core and saving process information, proc_getargv() might
return an sbuf which has an sbuf_len() of 0 or -1, which is not properly
handled.

III. Impact

An out-of-bound read can happen when a user constructs a specially crafted
ps_string, which in turn can cause the kernel to crash.

IV.  Workaround

The system administrator can work around this issue by disabling coredump.
This can be done by adding:

kern.coredump=0

to /etc/sysctl.conf and running `service sysctl start`.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

A reboot is required after applying the fix.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:09/elf.patch
# fetch https://security.FreeBSD.org/patches/SA-22:09/elf.patch.asc
# gpg --verify elf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              8a44a2c644fc    stable/13-n252079
releng/13.1/                            69a456c0b60b  releng/13.1-n250152
releng/13.0/                            056ffc74a769  releng/13.0-n244804
stable/12/                                                        r372376
releng/12.3/                                                      r372380
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

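A user-space model of the length handling described in FreeBSD-SA-22:09.elf,
added here as an illustration; it is not the FreeBSD kernel code or the
committed patch. The function names, the 80-byte field, the "subtract one to
drop the trailing NUL" step and the fallback to the command name are
assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

#define PSARGS_SZ 80     /* constructed size of the destination field */

/*
 * What an unchecked "drop the trailing NUL" step would ask to read.
 * A reported length of 0 or -1 wraps to a huge unsigned value, so the
 * clamp hands back the full field size although no bytes are available.
 */
size_t unchecked_span(ssize_t reported_len)
{
    size_t n = (size_t)reported_len - 1;   /* wraps for 0 and for -1 */
    return n < PSARGS_SZ - 1 ? n : PSARGS_SZ - 1;
}

/*
 * Checked version (hypothetical helper).  args holds NUL-separated
 * argument strings; reported_len is what the string builder reports:
 * the byte count including the final NUL, 0 when empty, -1 on error.
 * Returns the length of the string stored in dst.
 */
size_t fill_psargs(char dst[PSARGS_SZ], const char *args,
                   ssize_t reported_len, const char *comm)
{
    if (reported_len <= 0) {
        /* The two cases the advisory names: use the command name. */
        snprintf(dst, PSARGS_SZ, "%s", comm);
        return strlen(dst);
    }
    size_t n = (size_t)reported_len - 1;   /* safe: reported_len >= 1 */
    if (n > PSARGS_SZ - 1)
        n = PSARGS_SZ - 1;
    memcpy(dst, args, n);
    for (size_t i = 0; i < n; i++)
        if (dst[i] == '\0')
            dst[i] = ' ';                  /* join arguments with spaces */
    dst[n] = '\0';
    return n;
}

/* Constructed sample input: "ls", "-l", "/tmp" (11 bytes with final NUL). */
static const char SAMPLE[] = "ls\0-l\0/tmp";
static char demo_out[PSARGS_SZ];

const char *demo_psargs(ssize_t reported_len)
{
    if (reported_len > (ssize_t)sizeof(SAMPLE))
        reported_len = (ssize_t)sizeof(SAMPLE);
    fill_psargs(demo_out, SAMPLE, reported_len, "ls");
    return demo_out;
}

int main(void)
{
    printf("len 11 -> \"%s\"\n", demo_psargs(11));
    printf("len  0 -> \"%s\"\n", demo_psargs(0));
    printf("len -1 -> \"%s\"\n", demo_psargs(-1));
    printf("unchecked span for len 0: %zu bytes\n", unchecked_span(0));
    return 0;
}
```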
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-22:10.aio
Reply-To: freebsd-security@freebsd.org
Message-Id: <20220809223531.D949C173A8@freefall.freebsd.org>
Date: Tue, 9 Aug 2022 22:35:31 +0000 (UTC)

=============================================================================
FreeBSD-SA-22:10.aio                                        Security Advisory
                                                          The FreeBSD Project

Topic:          AIO credential reference count leak

Category:       core
Module:         kernel
Announced:      2022-08-09
Credits:        Chris J-D
Affects:        FreeBSD 12.3, FreeBSD 13.0
Corrected:      2021-10-01 00:32:22 UTC (stable/13, 13.0-STABLE)
                2022-08-09 20:00:24 UTC (releng/13.0, 13.0-RELEASE-p12)
                2022-06-27 17:27:50 UTC (stable/12, 12.3-STABLE)
                2022-08-09 19:59:44 UTC (releng/12.3, 12.3-RELEASE-p6)
CVE Name:       CVE-2022-23090

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD's aio(4) subsystem implements asynchronous I/O.

II.  Problem Description

The aio_aqueue function, used by the lio_listio system call, fails to
release a reference to a credential in an error case.

III. Impact

An attacker may cause the reference count to overflow, leading to a
use after free (UAF).

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.3]
# fetch https://security.FreeBSD.org/patches/SA-22:10/aio.12.patch
# fetch https://security.FreeBSD.org/patches/SA-22:10/aio.12.patch.asc
# gpg --verify aio.12.patch.asc

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/SA-22:10/aio.13.patch
# fetch https://security.FreeBSD.org/patches/SA-22:10/aio.13.patch.asc
# gpg --verify aio.13.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              9499d3c1e40d    stable/13-n247480
releng/13.0/                            c864c8cf08a9  releng/13.0-n244801
stable/12/                                                        r372172
releng/12.3/                                                      r372379
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-22:11.vm
Reply-To: freebsd-security@freebsd.org
Message-Id: <20220809223535.5E29F172BB@freefall.freebsd.org>
Date: Tue, 9 Aug 2022 22:35:35 +0000 (UTC)

=============================================================================
FreeBSD-SA-22:11.vm                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Memory disclosure by stale virtual memory mapping

Category:       core
Module:         vm
Announced:      2022-08-09
Credits:        Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2022-08-09 19:47:40 UTC (stable/13, 13.1-STABLE)
                2022-08-09 20:01:00 UTC (releng/13.1, 13.1-RELEASE-p1)
                2022-08-09 19:59:49 UTC (releng/13.0, 13.0-RELEASE-p12)
                2022-08-09 19:57:38 UTC (stable/12, 12.3-STABLE)
                2022-08-09 19:59:48 UTC (releng/12.3, 12.3-RELEASE-p6)
CVE Name:       CVE-2022-23091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Memory mappings shared between processes are a feature of the FreeBSD
virtual memory system.  They may be established by unprivileged processes
with the mmap(2), fork(2), and other system calls.

II.  Problem Description

A particular case of memory sharing is mishandled in the virtual memory
system.  This is very similar to SA-21:08.vm, but with a different root
cause.

III. Impact

An unprivileged local user process can maintain a mapping of a page after
it is freed, allowing that process to read private data belonging to other
processes or the kernel.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:11/vm.patch
# fetch https://security.FreeBSD.org/patches/SA-22:11/vm.patch.asc
# gpg --verify vm.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              3ea8c7ad90f7    stable/13-n252080
releng/13.1/                            0c88ecaa1255  releng/13.1-n250153
releng/13.0/                            dd349089ff92  releng/13.0-n244805
stable/12/                                                        r372377
releng/12.3/                                                      r372381
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

message-id:message-id:to:to:cc; bh=zvZj2P75YII4T/vBzSCrwWRXkfaeqKmdx6X+pkF34Jw=; b=X+rZD2oRXVisFSB/T6bWlYnyIQosi6z9ErSoVQDACS0nVanYQ/SfN2+48YxLSFgTl7iAu8 BuvLwwFK4P5ydyUOsU7CbIMrdc5rikthM27fRMc13chSIqtoIGtOZPWip7YmDy4Sbfywj3 4uve3z4en4rxt3c2cIdBKpjYD/TeiPkFrj+p2Zf4Fp3slWlV1/OuKj/d14teWTSCnC1EAz WyGE5k8kWpBY7UVktDKOrDcJ1LNITlCFz7U+kXTMFMi7Y3A5OPsjye9VOZwZKPGNJukD/n pLUPMyjlwVMu7AnrDAwrD4Lh0ItyiSRvNmyHTBc9CfBvxGy5a6Nj1WanGzEs6w== Received: by freefall.freebsd.org (Postfix, from userid 945) id 02C021733A; Tue, 9 Aug 2022 22:35:40 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-22:12.lib9p Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20220809223541.02C021733A@freefall.freebsd.org> Date: Tue, 9 Aug 2022 22:35:40 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660084541; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=zvZj2P75YII4T/vBzSCrwWRXkfaeqKmdx6X+pkF34Jw=; b=iSApiBXYc+ZdlBj/xqNJPOkU8nUf9vADmC6QBOjanjxhaph8UsACOhfT6yt6OORppm4nVQ nu6w197ftP9W/HhQ1hBnyNaGxgrSHhkWu6RyBnPNLHbWhknciOd9SqKZQmBvmPhJ0KJJ7I MSMSZCTzcYR++kVTshvmxu6+b98JaMtylg28fLbHWeDUZ4V5Gz25v6Fi2m/MDUkYd1gIAt 0uThy3EpBUqqiN3v32h4w0SLMa5oYy50B5wkqm6RjycDk//Z6WkjtTcPGJZ06xVwsSIgDF qzT4p1SMHBUgwroGk/k9BV+Ies2O7klTtccm09W3UVQSyk4cE/1yZKwX4XGELg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1660084541; a=rsa-sha256; cv=none; b=jc5qhfRca/j6ofrnQhi2kJvxJNUqHKnk11phQ9JJEEQ+k/oFCR4xt0sBjOAN8M+jWBcmxP 7AOH8gBlk4kapTPBlEYBe8fIuoTbQ454UkBBLnQUgYqyx8bKiY4ihM1Mu3p9k8fHlszxO3 ihgVkulbhQMuVf0d8epQijP9cogbAbb82GwsxWZUBOhehk1751n5RsbjW8XA/5pBZ8Lt9I T/YgXafnEJvJ5Om0h/D4YHMJlvazm+mSJVr/SZTYH1xLpaU+meQYpbh0mFCdvTwG+cP887 9mF58BoJnM3fFyQm/epnw+bMPNbYFcd+Xho0GZpBbDIHTSiV/ZSGlax6gcwWDQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Moderated Security Notifications [moderated, low 

=============================================================================
FreeBSD-SA-22:12.lib9p                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Missing bounds check in 9p message handling

Category:       contrib
Module:         lib9p
Announced:      2022-08-09
Credits:        Robert Morris
Affects:        FreeBSD 13.0 and 13.1
Corrected:      2022-08-09 13:33:14 UTC (stable/13, 13.1-STABLE)
                2022-08-09 20:01:13 UTC (releng/13.1, 13.1-RELEASE-p1)
                2022-08-09 20:00:03 UTC (releng/13.0, 13.0-RELEASE-p12)
CVE Name:       CVE-2022-23092

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

lib9p provides an implementation of the 9p file system protocol. It is used
by bhyve(8) to provide guest access to a host file system tree via the
virtio-9p device model. The FreeBSD base system does not contain any other
users of lib9p.

II.  Problem Description

The implementation of lib9p's handling of RWALK messages was missing a
bounds check needed when unpacking the message contents. The missing check
means that the receipt of a specially crafted message will cause lib9p to
overwrite unrelated memory.

III. Impact

The bug can be triggered by a malicious bhyve guest kernel to overwrite
memory in the bhyve(8) process. This could potentially lead to user-mode
code execution on the host, subject to bhyve's Capsicum sandbox.

IV.  Workaround

No workaround is available. Systems not using bhyve's virtio-9p device
model are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart any VMs utilizing virtio-9p devices.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:12/lib9p.patch
# fetch https://security.FreeBSD.org/patches/SA-22:12/lib9p.patch.asc
# gpg --verify lib9p.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart any VMs utilizing virtio-9p devices, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              c536045c51da    stable/13-n252071
releng/13.1/                            7dfe949791e7  releng/13.1-n250154
releng/13.0/                            70a2cf7bb2e0  releng/13.0-n244806
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at

From nobody Tue Aug 30 23:58:03 2022
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-22:13.zlib
Reply-To: freebsd-security@freebsd.org
Message-Id: <20220830235803.BEF1110B7E@freefall.freebsd.org>
Date: Tue, 30 Aug 2022 23:58:03 +0000 (UTC)

=============================================================================
FreeBSD-SA-22:13.zlib                                       Security Advisory
                                                          The FreeBSD Project

Topic:          zlib heap buffer overflow

Category:       contrib
Module:         zlib
Announced:      2022-08-30
Credits:        Evgeny Legerov of @intevydis
Affects:        All supported versions of FreeBSD.
Corrected:      2022-08-09 14:40:35 UTC (stable/13, 13.1-STABLE)
                2022-08-30 23:02:48 UTC (releng/13.1, 13.1-RELEASE-p2)
                2022-08-30 22:57:49 UTC (releng/13.0, 13.0-RELEASE-p13)
                2022-08-09 14:45:04 UTC (stable/12, 12.3-STABLE)
                2022-08-30 23:16:45 UTC (releng/12.3, 12.3-RELEASE-p7)
CVE Name:       CVE-2022-37434

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

zlib is a software library implementing compression and decompression. It
is used in various places in the FreeBSD kernel and userland.

II.  Problem Description

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in
inflate in inflate.c via a large gzip header extra field.

III. Impact

Applications that call inflateGetHeader may be vulnerable to a buffer
overflow. Note that inflateGetHeader is not used by anything in the FreeBSD
base system, but may be used by third party software.

IV.  Workaround

No workaround is available, but applications that do not call
inflateGetHeader are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart daemons if necessary.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:13/zlib.patch
# fetch https://security.FreeBSD.org/patches/SA-22:13/zlib.patch.asc
# gpg --verify zlib.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              10cc2bf5f7a5    stable/13-n252073
releng/13.1/                            289231c9634a  releng/13.1-n250156
releng/13.0/                            77cd23716ffb  releng/13.0-n244808
stable/12/                                                        r372370
releng/12.3/                                                      r372460
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From nobody Wed Nov 16 03:17:46 2022
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-22:14.heimdal
Reply-To: freebsd-security@freebsd.org
Message-Id: <20221116031746.C7626209B7@freefall.freebsd.org>
Date: Wed, 16 Nov 2022 03:17:46 +0000 (UTC)

=============================================================================
FreeBSD-SA-22:14.heimdal                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in Heimdal

Category:       contrib
Module:         heimdal
Announced:      2022-11-15
Affects:        All supported versions of FreeBSD.
Corrected:      2022-11-15 21:15:35 UTC (stable/13, 13.1-STABLE)
                2022-11-16 01:50:27 UTC (releng/13.1, 13.1-RELEASE-p4)
                2022-11-15 21:16:56 UTC (stable/12, 12.4-STABLE)
                2022-11-16 01:47:57 UTC (releng/12.4, 12.4-RC2-p1)
                2022-11-16 01:40:21 UTC (releng/12.3, 12.3-RELEASE-p9)
CVE Name:       CVE-2019-14870, CVE-2022-3437, CVE-2022-42898,
                CVE-2022-44640, CVE-2021-44758

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Heimdal implements the Kerberos 5 network authentication protocols.

A Key Distribution Center (KDC) is trusted by all principals registered in
that administrative "realm" to store a secret key in confidence, of which,
the proof of knowledge is used to verify the authenticity of a principal.

II.  Problem Description

Multiple security vulnerabilities have been discovered in the Heimdal
implementation of the Kerberos 5 network authentication protocols and KDC.

- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
- CVE-2019-14870 Validate client attributes in protocol-transition
- CVE-2019-14870 Apply forwardable policy in protocol-transition
- CVE-2019-14870 Always lookup impersonate client in DB

III. Impact

A malicious actor with control of the network between a client and a
service using Kerberos for authentication can impersonate either the
client or the service, enabling a man-in-the-middle (MITM) attack
circumventing mutual authentication.

Note that, while CVE-2022-44640 is a severe vulnerability, possibly
enabling remote code execution on other platforms, the version of Heimdal
included with the FreeBSD base system cannot be exploited in this way on
FreeBSD.

IV.  Workaround

No workaround is available, but only systems using Kerberos are affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
A reboot is recommended.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is recommended.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:14/heimdal.patch
# fetch https://security.FreeBSD.org/patches/SA-22:14/heimdal.patch.asc
# gpg --verify heimdal.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use Kerberos, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              d0b6550173d2    stable/13-n253097
releng/13.1/                            a1e014e89282  releng/13.1-n250170
stable/12/                                                        r372752
releng/12.4/                                                      r372755
releng/12.3/                                                      r372753
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From nobody Wed Nov 30 00:46:00 2022
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-22:15.ping
Reply-To: freebsd-security@freebsd.org
Message-Id: <20221130004601.043CE1C623@freefall.freebsd.org>
Date: Wed, 30 Nov 2022 00:46:00 +0000 (UTC)

=============================================================================
FreeBSD-SA-22:15.ping                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Stack overflow in ping(8)

Category:       core
Module:         ping
Announced:      2022-11-29
Credits:        Tom Jones
Affects:        All supported versions of FreeBSD.
Corrected:      2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE)
                2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5)
                2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE)
                2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2)
                2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10)
CVE Name:       CVE-2022-23093

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

ping(8) is a program that can be used to test reachability of a remote
host using ICMP messages. To send and receive ICMP messages, ping makes
use of raw sockets and therefore requires elevated privileges. To make
ping's functionality available to unprivileged users, it is installed
with the setuid bit set. When ping runs, it creates the raw socket needed
to do its work, and then revokes its elevated privileges.

II.  Problem Description

ping reads raw IP packets from the network to process responses in the
pr_pack() function. As part of processing a response ping has to
reconstruct the IP header, the ICMP header and if present a "quoted
packet," which represents the packet that generated an ICMP error. The
quoted packet again has an IP header and an ICMP header.

The pr_pack() function copies received IP and ICMP headers into stack
buffers for further processing. In so doing, it fails to take into account
the possible presence of IP option headers following the IP header in
either the response or the quoted packet. When IP options are present,
pr_pack() overflows the destination buffer by up to 40 bytes.

III. Impact

The memory safety bugs described above can be triggered by a remote host,
causing the ping program to crash. It may be possible for a malicious host
to trigger remote code execution in ping.

The ping process runs in a capability mode sandbox on all affected
versions of FreeBSD and is thus very constrained in how it can interact
with the rest of the system at the point where the bug can occur.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch
# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc
# gpg --verify ping.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              186f495d4be1    stable/13-n253187
releng/13.1/                            66c7b53d9516  releng/13.1-n250172
stable/12/                                                        r372774
releng/12.4/                                                      r372778
releng/12.3/                                                      r372775
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
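
An added illustration of the pr_pack() issue described in FreeBSD-SA-22:15.ping (this is not FreeBSD's ping source or its patch): a bounds-checked parser that takes each IP header length from the IHL field, validates it against the bytes actually received, and copies only constant-size pieces into fixed buffers. The names parse_reply, struct reply_view and build_sample are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_BASE_LEN  20u /* IPv4 header without options */
#define ICMP_HDR_LEN 8u  /* type, code, checksum, rest-of-header */

enum { PARSE_OK = 0, ERR_SHORT = -1, ERR_VERSION = -2, ERR_IHL = -3 };

/* Fixed-size destinations, standing in for the stack buffers in the advisory. */
struct reply_view {
    uint8_t ip[IP_BASE_LEN];      /* outer IP header, options excluded */
    uint8_t icmp[ICMP_HDR_LEN];   /* outer ICMP header */
    int     has_quoted;           /* 1 when an ICMP error quotes a packet */
    uint8_t q_ip[IP_BASE_LEN];    /* quoted IP header, options excluded */
    uint8_t q_data[ICMP_HDR_LEN]; /* first 8 bytes after the quoted IP header */
    size_t  ip_hlen, q_ip_hlen;   /* real header lengths, options included */
};

/* Validate the IPv4 header at p (avail readable bytes); return IHL*4 in *hlen. */
static int ip_hlen_checked(const uint8_t *p, size_t avail, size_t *hlen)
{
    size_t n;

    if (avail < IP_BASE_LEN)
        return ERR_SHORT;
    if ((p[0] >> 4) != 4)
        return ERR_VERSION;
    n = (size_t)(p[0] & 0x0f) * 4;   /* 20..60 once validated */
    if (n < IP_BASE_LEN)
        return ERR_IHL;
    if (n > avail)
        return ERR_SHORT;            /* header claims more than was received */
    *hlen = n;
    return PARSE_OK;
}

/* ICMP error types that carry a quoted packet (RFC 792). */
static int icmp_is_error(uint8_t type)
{
    return type == 3 || type == 4 || type == 5 || type == 11 || type == 12;
}

/* Parse a received IP packet holding an ICMP message into fixed buffers. */
int parse_reply(const uint8_t *pkt, size_t len, struct reply_view *out)
{
    const uint8_t *q;
    size_t qlen;
    int rc;

    memset(out, 0, sizeof(*out));
    if ((rc = ip_hlen_checked(pkt, len, &out->ip_hlen)) != PARSE_OK)
        return rc;
    if (len - out->ip_hlen < ICMP_HDR_LEN)
        return ERR_SHORT;
    /* Copy lengths are constants; IHL only moves the source offset. */
    memcpy(out->ip, pkt, IP_BASE_LEN);
    memcpy(out->icmp, pkt + out->ip_hlen, ICMP_HDR_LEN);
    if (!icmp_is_error(out->icmp[0]))
        return PARSE_OK;

    q = pkt + out->ip_hlen + ICMP_HDR_LEN;
    qlen = len - out->ip_hlen - ICMP_HDR_LEN;
    if ((rc = ip_hlen_checked(q, qlen, &out->q_ip_hlen)) != PARSE_OK)
        return rc;
    if (qlen - out->q_ip_hlen < ICMP_HDR_LEN)
        return ERR_SHORT;
    memcpy(out->q_ip, q, IP_BASE_LEN);
    memcpy(out->q_data, q + out->q_ip_hlen, ICMP_HDR_LEN);
    out->has_quoted = 1;
    return PARSE_OK;
}

/*
 * Constructed sample input: ICMP time exceeded (type 11) quoting an echo
 * request (type 8). oopt/qopt are IP option byte counts (multiples of 4,
 * at most 40, filled with NOP) for the outer and quoted headers.
 * buf needs 136 bytes. Returns the packet length.
 */
size_t build_sample(uint8_t *buf, size_t oopt, size_t qopt)
{
    size_t ohl = IP_BASE_LEN + oopt, qhl = IP_BASE_LEN + qopt;
    size_t total = ohl + ICMP_HDR_LEN + qhl + ICMP_HDR_LEN;
    uint8_t *q = buf + ohl + ICMP_HDR_LEN;

    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (ohl / 4));  /* version 4, IHL in 32-bit words */
    buf[9] = 1;                            /* protocol: ICMP */
    memset(buf + IP_BASE_LEN, 0x01, oopt);
    buf[ohl] = 11;
    q[0] = (uint8_t)(0x40 | (qhl / 4));
    q[9] = 1;
    memset(q + IP_BASE_LEN, 0x01, qopt);
    q[qhl] = 8;
    return total;
}
```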