From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:12.msdosfs
Reply-To: freebsd-security@freebsd.org
Date: Tue, 3 Oct 2023 23:03:59 +0000 (UTC)

=============================================================================
FreeBSD-SA-23:12.msdosfs                                    Security Advisory
                                                          The FreeBSD Project

Topic:          msdosfs data disclosure

Category:       core
Module:         msdosfs (FAT) file system driver
Announced:      2023-10-03
Credits:        Maxim Suhanov
Affects:        All supported versions of FreeBSD.
Corrected:      2023-07-18 05:46:13 UTC (stable/13, 13.2-STABLE)
                2023-10-03 21:23:40 UTC (releng/13.2, 13.2-RELEASE-p4)
                2023-09-11 18:51:21 UTC (stable/12, 12.4-STABLE)
                2023-10-03 22:15:40 UTC (releng/12.4, 12.4-RELEASE-p6)
CVE Name:       CVE-2023-5368

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The msdosfs driver provides read and write access to MS-DOS (FAT) file
systems. Systems may be configured to allow unprivileged users to have
read and write access to mounted msdosfs file systems.

II.  Problem Description

In certain cases using the truncate or ftruncate system call to extend a
file size populates the additional space in the file with unallocated data
from the underlying disk device, rather than zero bytes.

III. Impact

A user with write access to files on a msdosfs file system may be able to
read unintended data (for example, from a previously deleted file).

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.2]
# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.13.2.patch
# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.13.2.patch.asc
# gpg --verify msdosfs.13.2.patch.asc

[FreeBSD 12.4]
# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.12.4.patch
# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.12.4.patch.asc
# gpg --verify msdosfs.12.4.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              868f3eadc5e0    stable/13-n255824
releng/13.2/                            7d08a7e6908b  releng/13.2-n254635
stable/12/                                                        r373207
releng/12.4/                                                      r373233
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:13.capsicum
Reply-To: freebsd-security@freebsd.org
Date: Tue, 3 Oct 2023 23:04:05 +0000 (UTC)

=============================================================================
FreeBSD-SA-23:13.capsicum                                   Security Advisory
                                                          The FreeBSD Project

Topic:          copy_file_range insufficient capability rights check

Category:       core
Module:         capsicum
Announced:      2023-10-03
Credits:        David Chisnall
Affects:        FreeBSD 13.2
Corrected:      2023-10-02 16:00:27 UTC (stable/13, 13.2-STABLE)
                2023-10-03 21:24:41 UTC (releng/13.2, 13.2-RELEASE-p4)
CVE Name:       CVE-2023-5369

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Capsicum is a lightweight OS capability and sandbox framework. It provides
two kernel primitives, capability mode and capabilities. Capabilities
limit operations that can be performed on file descriptors.

copy_file_range is a system call that performs a kernel copy of a byte
range from one file to another or within one file. copy_file_range accepts
optional pointers to offsets for the input and output file descriptors.

II.  Problem Description

The syscall checked only for the CAP_READ and CAP_WRITE capabilities on the
input and output file descriptors, respectively. Using an offset is
logically equivalent to seeking, and the syscall must additionally require
the CAP_SEEK capability.

III. Impact

A sandboxed process with only read or write but no seek capability on a
file descriptor may be able to read data from or write data to an arbitrary
location within the file corresponding to that file descriptor.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:13/capsicum.patch
# fetch https://security.FreeBSD.org/patches/SA-23:13/capsicum.patch.asc
# gpg --verify capsicum.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              3f0ce63828dc    stable/13-n256458
releng/13.2/                            2d23f6c33431  releng/13.2-n254636
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
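
Added example, not part of either advisory: a shell check that compares a host's version against the "Corrected" levels and stable/13 commit counts listed in FreeBSD-SA-23:12.msdosfs and FreeBSD-SA-23:13.capsicum. The function names release_status and stable13_status are hypothetical, and the version strings in the loop are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisories): classify a host against the
# corrected levels published in FreeBSD-SA-23:12.msdosfs and SA-23:13.capsicum.

# release_status ADVISORY VERSION
#   ADVISORY is "msdosfs" or "capsicum"; VERSION is `freebsd-version -k`
#   output such as 13.2-RELEASE-p3. Prints fixed, needs-update, not-listed
#   or unknown (unknown = not a listed RELEASE string; see stable13_status).
release_status() {
    rel=${2%%-*}                        # e.g. 13.2
    rest=${2#*-}                        # e.g. RELEASE-p3
    case $rest in
        RELEASE)    plevel=0 ;;
        RELEASE-p*) plevel=${rest#RELEASE-p} ;;
        *)          echo unknown; return 0 ;;
    esac
    case $plevel in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$1:$rel" in
        msdosfs:13.2|capsicum:13.2) need=4 ;;   # 13.2-RELEASE-p4
        msdosfs:12.4)               need=6 ;;   # 12.4-RELEASE-p6
        capsicum:12.4)              echo not-listed; return 0 ;;  # "Affects: FreeBSD 13.2"
        *)                          echo unknown; return 0 ;;
    esac
    if [ "$plevel" -ge "$need" ]; then echo fixed; else echo needs-update; fi
}

# stable13_status ADVISORY COUNT
#   COUNT is `git rev-list --count --first-parent HEAD` in a stable/13 tree,
#   compared with the nNNNNNN values in the "Correction details" tables.
stable13_status() {
    case $2 in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $1 in
        msdosfs)  need=255824 ;;        # stable/13-n255824
        capsicum) need=256458 ;;        # stable/13-n256458
        *)        echo unknown; return 0 ;;
    esac
    if [ "$2" -ge "$need" ]; then echo fixed; else echo needs-update; fi
}

# Constructed sample inputs; on a real host pass "$(freebsd-version -k)".
for v in 13.2-RELEASE-p3 13.2-RELEASE-p4 12.4-RELEASE-p5 12.4-RELEASE; do
    printf '%-18s msdosfs=%s capsicum=%s\n' "$v" \
        "$(release_status msdosfs "$v")" "$(release_status capsicum "$v")"
done
```

Both fixes are in the kernel, so also check the running kernel with freebsd-version -r: if -k reports fixed and -r reports needs-update, the update is installed but the host has not yet rebooted.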