Date: Tue, 24 Jun 2014 19:29:17 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r45118 - in head/share: security/advisories security/patches/EN-14:07 security/patches/EN-14:08 security/patches/SA-14:15 security/patches/SA-14:16 xml Message-ID: <201406241929.s5OJTHRm000711@svn.freebsd.org>
Author: delphij Date: Tue Jun 24 19:29:17 2014 New Revision: 45118 URL: http://svnweb.freebsd.org/changeset/doc/45118 Log: Add SA-14:15.iconv, SA-14:16.file, EN-14:07.pmap and EN-14:08.heimdal. Added: head/share/security/advisories/FreeBSD-EN-14:07.pmap.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-14:15.iconv.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-14:16.file.asc (contents, props changed) head/share/security/patches/EN-14:07/ head/share/security/patches/EN-14:07/pmap.patch (contents, props changed) head/share/security/patches/EN-14:07/pmap.patch.asc (contents, props changed) head/share/security/patches/EN-14:08/ head/share/security/patches/EN-14:08/heimdal.patch (contents, props changed) head/share/security/patches/EN-14:08/heimdal.patch.asc (contents, props changed) head/share/security/patches/SA-14:15/ head/share/security/patches/SA-14:15/iconv.patch (contents, props changed) head/share/security/patches/SA-14:15/iconv.patch.asc (contents, props changed) head/share/security/patches/SA-14:16/ head/share/security/patches/SA-14:16/file-8.4.patch (contents, props changed) head/share/security/patches/SA-14:16/file-8.4.patch.asc (contents, props changed) head/share/security/patches/SA-14:16/file.patch (contents, props changed) head/share/security/patches/SA-14:16/file.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-14:07.pmap.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-14:07.pmap.asc Tue Jun 24 19:29:17 2014 (r45118) 
@@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:07.pmap Errata Notice + The FreeBSD Project + +Topic: Bug with PCID implementation + +Category: core +Module: kernel +Announced: 2014-06-24 +Credits: Henrik Gulbrandsen +Affects: FreeBSD 10.0-RELEASE +Corrected: 2014-03-04 21:51:09 UTC (stable/10, 10.0-STABLE) + 2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +Process-context identifiers (PCIDs) are a facility in modern x86 +processors, which tags TLB entries with the Id of the address space +and allows to avoid TLB invalidation on the context switch. + +II. Problem Description + +Due to bug in the handling of the mask of the CPU set where the given +address space could have cached TLB entries, stale mappings could be +seen by multithreaded programs. + +III. Impact + +Applications, most notably Java, which makes heavy use of threads may +randomly crash due to the inconcistency. + +IV. Workaround + +Systems that do not run have a CPU that supports the Process-Context +Identifiers feature are not affected. + +The system administrator can add the following to /boot/loader.conf +which disables Process-Context Identifiers to workaround this problem: + + vm.pmap.pcid_enabled="0" + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.0] +# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch +# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch.asc +# gpg --verify pmap.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r262753 +releng/10.0/ r267829 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:07.pmap.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnAbYP/iZKU3SSwHwWPzYa03ZwgW4u +54MigJuV/wyOfJj2ZZuOXTaYZP1miRgFr7mn9OWkA6slWHLAVkmN9fWrUU8tRPjJ +UDVhnbToVYIcmW2tEH5lZ5y1Stt178NZTeMo26jgkWhj74RZ10OIFdSuNlNUQGSr +djanCdgpnGL+odml+rQcGAAKKH97PchQ6r9IivNgE6mnGhGvzOjQOSdxioBLew14 +w5Ua3k4nn/4hYi4RMPJ/vAlPdJHVsnZb8kRWhf4Ncj19IkvJ8EO6PmnHCbdGmV1I +cvqVFxXPGGA/A+O9E+1S+54SWotivpgjSujuQFFmvuzBbPhlt/Hmtn6YwljNG4+e +V6MsMRPMHVoIhOCBv9xfCHgyajA7jgbRGqQkMWxwKPVLjmk2NWOsbGBjHMFHnqYn +87Sh7crbFffNGwqGJgn+vXSXeNZ/95EWSBE0/B4KfqPeX6XCJI/C/sMRl0ATKa7C +k227J0olXKKUInLEq7tS1nLS0IKlWLF5WiRFx7DOa4DKLBcLZkYKTu3ATJySQ4V3 +hDNDpubB3/94ug1slRNWDYGxzaZq0ctUTubxsHW7a0iYQi/PkssCT/8jVAdsx8hq +S1DjGZiFAKLOiJUSvPfONdwodORyEyMB+z37EfgeHKKqnjJXgSEtmnmI+7sT8hlR +FhXX1XQOBUtPxF+MY4bT +=vNzu +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc Tue Jun 24 19:29:17 2014 (r45118) 
@@ -0,0 +1,166 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:08.heimdal Errata Notice + The FreeBSD Project + +Topic: gss_pseudo_random interoperability issue + +Category: contrib +Module: heimdal +Announced: 2014-06-24 +Credits: Marc Dionne, Nico Williams, and Benjamin Kaduk +Affects: All supported versions of FreeBSD prior to 9.2-RELEASE. +Corrected: 2013-12-16 06:52:30 UTC (stable/9, 9.2-STABLE) + 2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9) + 2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16) + 2013-12-16 06:56:38 UTC (stable/8, 8.4-STABLE) + 2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +Heimdal provides an implementation of Kerberos 5, the Generic Security +Service API (GSS-API), and the krb5 GSS-API mechanism. The GSS-API is +an abstract API that provides a unified interface for security services +that wraps many underlying security mechanisms. Application protocols +using the GSS-API exchange context tokens to establish a security context. +Once the security context has successfully been established, it can be +used to checksum and/or encrypt messages between the two parties of +the context, securely generate an identical pseudorandom bitstring at +both endpoints, and other security-related functionality. + +Kerberos 5 permits the use of different encryption types for encryption +keys; part of the specification for each encryption type is a pseudo-random +function that uses an encryption key and some optional seed data to +produce a pseudo-random bitstring of a fixed length. 
The GSS_Pseudo_random +function uses an established security context and some optional seed +data to produce a pseudo-random bitstring of (nearly) arbitrary lengh. +The specification for GSS_Pseudo_random for the krb5 mechanism (RFC 4402) +uses a counter mode to produce the arbitrary length output from the +fixed-length output of the underlying enctype's pseudo-random output. + +II. Problem Description + +RFC 4402 specifies that the counter which is prepended to the seed data +must be encoded in network (big-endian) byte order before being input to the +encryption type's pseudo-random function. All released versions of Heimdal +that include a GSS_Pseudo_random implementation for the krb5 mechanism +encode the counter as a little-endian integer. + +III. Impact + +Only applications using the GSS_Pseudo_random functionality with the krb5 +mechanism are affected; the number of such applications is believed to +be small. (RFC 4402 was published in 2006.) Since the first value +used for the counter is zero, the first block of output is correct, but +the second and all subsequent blocks of output are incorrect. +Old versions of Heimdal will interoperate over the network with each +other, but will not interoperate with MIT krb5 peers or other implementations +of RFC 4402, if producing more than one block of pseudo-random output. +For the commonly used AES encryption types, the first 128 bits of output +are correct but the subsequent output differs. + +IV. Workaround + +Applications which do not use the GSS_Pseudo_random functionality +are not affected. + +Applications which can reduce their pseudo-random needs to a single +block length (e.g., 128 bits for AES) will interoperate with all +known implementations. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +2) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch +# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch.asc +# gpg --verify heimdal.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +3) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r259452 +releng/8.4/ r267832 +stable/9/ r259451 +releng/9.1/ r267831 +releng/9.2/ r267831 +stable/10/ r259447 +releng/10.0/ r259758 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The discussion of this interoperability issue in the IETF kitten working +group archives may be found here: +http://www.ietf.org/mail-archive/web/kitten/current/msg04479.html + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:08.heimdal.asc + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnk2wP/RXxr1lgWeKY1wCusB/wlkLO +6cVsvZwIkvTvKNglkqY4dEvJJ1mdy25xP2yoft+ChM9ugTiGs5gfxsROXLCufobP +0ycnbl0pxL00aNwU3nXaejPhfblwwLmnwZAb3JuxF795BH/7z4a9vdC0mEn86RbQ +efeu3hqxJJxDL65xUntlgzWiFSWB+DZUjBU9DAFWlOPnbVR2T3n5w4sFSWMDtmv+ +AxqKjNVLgIHQKECTYjyFV2UjXCn6Np2m0dWHSpYM5MsdSaUolOqDRRxzAK5LKHg0 +ieHTf1OgBpfe/iBuSwybtEv/4cagDvN82Vsni8MbLEeDMa4DSsKorea1SIrCTcBv +CW4ugln7bBWgm3hnCEIWsy0wwhSVQetGFjYgimZySI5/nO2Jnh1Ung705MPCYpb7 ++X+G/oLqp04Bq81sWY4KFN8cfcmM2fQyL0zYOS72VPjXEvwcHnsbjZ/yO8eekO+J +oxkd8FaXR4b21HCh5cdlwWNNU4mu9wId8CLJW0y9l15zloTQvjW8+MSlEhAm9KUl +nYq/qHGiLTvxmsHlnQumay8lhtRJf0r3pNih+xchxy7JCVeu84aZHSIDrklZoiAr +LjOWagYFP9qHqhmmRxVoHKBeHgUaDWiJ9J0a0R44GadowrstYT7cYCzfSQr1KkDz +HPlEHgAxXm0shG0bbEA5 +=tTXE +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:15.iconv.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:15.iconv.asc Tue Jun 24 19:29:17 2014 (r45118) 
@@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:15.iconv Security Advisory + The FreeBSD Project + +Topic: iconv(3) NULL pointer dereference and out-of-bounds array access + +Category: core +Module: libc/iconv +Announced: 2014-06-24 +Credits: Manuel Mausz, Tijl Coosemans +Affects: FreeBSD 10.0 +Corrected: 2014-03-04 12:43:10 UTC (stable/10, 10.0-STABLE) + 2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6) +CVE Name: CVE-2014-3951 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The iconv(3) API allows converting text data from one character set +encoding to another. Applications first open a converter between two +encodings using iconv_open(3) and then convert text using iconv(3). +HZ is an encoding of the GB2312 character set used for simplified +Chinese characters. VIQR is an encoding for Vietnamese characters. + +II. Problem Description + +A NULL pointer dereference in the initialization code of the HZ module and +an out of bounds array access in the initialization code of the VIQR module +make iconv_open(3) calls involving HZ or VIQR result in an application crash. + +III. Impact + +Services where an attacker can control the arguments of an iconv_open(3) +call can be caused to crash resulting in a denial-of-service. For example, +an email encoded in HZ may cause an email delivery service to crash if it +converts emails to a more generic encoding like UTF-8 before applying +filtering rules. + +IV. Workaround + +No workaround is available, but systems that do not process untrusted +Chinese or Vietnamese input are not affected by this vulnerability. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.0] +# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch +# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch.asc +# gpg --verify iconv.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r262731 +releng/10.0/ r267829 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3951> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:15.iconv.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnmqsP/1VXkGjjBB34Qh43HGxmVofB +8Zfkc19nQtHvQaS+wAUfm10Onu2QJUPPm5OZL+kYYxJs1G4/VLTDTl/7cHBkCoA0 +abdDpRbtG6CMHfnaARpMOAkg+uvHl41pjHgr+mi4TRYivzSNp+qfw8BsPJ21DAS6 +Om6H6m+ggHjTXrtniBtQ+os2wfxbGGMJQzL94QC+tyzzFTEknIt8lgn6hboh99eV +pQb8WnSRCPuyiw+hKHdOOS7er7ZCIy9l0VWWfyJzcZP3/W5q6qSNCdnMUNZsTk0L +ruiUrhRjookK6/3VKb+9/YMfpB8xuQad2fk2mbQZkaxdSVJyFIfOI6Y9PJYbx9BP +Z7Bp0qyEGs+5/CZhiSwr2E/3k7kNe+30dvbPE0SBw9JNS4T0FyzlRUM4Y8s843Lf +GUcacSLcgCv8DUU517GmTL+UvnE+dajppr/vueRTC2T0mj8OX1qukq1Rjs9RpZkc +l2ajo3TbMZjwwivEsJEI2706tqv2v7+xON6WrZbUvbXlp4Kw7v01pS2Z3DFIeK8d +D9H80XuBIM6ZvMUd3NZHBGBjcxYEHvB5hM26ceCAP/ZvOSa4jp8vVQcPVONwj55n +RvX+K66t3yGiRznjhUUL+/8T9ulcI8TomgKL+U3UXasinYU9F4v55yXRugYvgnig +jh8e1kgmRt2rt5ZLthe5 +=Wr8S +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:16.file.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:16.file.asc Tue Jun 24 19:29:17 2014 (r45118) 
@@ -0,0 +1,161 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:16.file Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in file(1) and libmagic(3) + +Category: contrib +Module: file +Announced: 2014-06-24 +Affects: All supported versions of FreeBSD. +Corrected: 2014-06-24 19:04:55 UTC (stable/10, 10.0-STABLE) + 2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6) + 2014-06-24 19:04:55 UTC (stable/9, 9.3-PRERELEASE) + 2014-06-24 19:05:19 UTC (releng/9.3, 9.3-RC2) + 2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9) + 2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16) + 2014-06-24 19:04:55 UTC (stable/8, 8.4-STABLE) + 2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13) +CVE Name: CVE-2012-1571, CVE-2013-7345, CVE-2014-1943, CVE-2014-2270 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The file(1) utility attempts to classify file system objects based on +filesystem, magic number and language tests. + +The libmagic(3) library provides most of the functionality of file(1) +and may be used by other applications. + +II. Problem Description + +A specifically crafted Composite Document File (CDF) file can trigger an +out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571] + +A flaw in regular expression in the awk script detector makes use of +multiple wildcards with unlimited repetitions. [CVE-2013-7345] + +A malicious input file could trigger infinite recursion in libmagic(3). +[CVE-2014-1943] + +A specifically crafted Portable Executable (PE) can trigger out-of-bounds +read. [CVE-2014-2270] + +III. 
Impact + +An attacker who can cause file(1) or any other applications using the +libmagic(3) library to be run on a maliciously constructed input can +the application to crash or consume excessive CPU resources, resulting +in a denial-of-service. + +IV. Workaround + +No workaround is available, but systems where file(1) and other +libmagic(3)-using applications are never run on untrusted input are not +vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.1, 9.2, 9.3, 10.0] +# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch +# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch.asc +# gpg --verify file.patch.asc + +[FreeBSD 8.4] +# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch +# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch.asc +# gpg --verify file.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all deamons using the library, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r267828 +releng/8.4/ r267832 +stable/9/ r267828 +releng/9.1/ r267831 +releng/9.2/ r267831 +releng/9.3/ r267830 +stable/10/ r267828 +releng/10.0/ r267829 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1571> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:16.file.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnaLsP/jwrr5b1qZ9tObnN3FXwzEjD +jNHa3AJKHXgrYGzF8yNrZElhE48f02sr9dEXqIw/E5eElcVhi38RBEkwblE8Nj2H +M5bzEwVS7kWPcAl1vBno1rFTHutUTOSSopBGgwlNAlWSFnr1iFIIU9dQ6kcGCnBj +LvMx5kTSyZ707kArRrFjrDeYlPLSE/vSBOC00TqReS+3Q9By1IH5kUWesDWr+3Gk +lvW/JzSTcyOicrGR6vRHiLn9+NKojd6pV3hqV/uxuth1OxRtiGPeodL6CyvkipMo +rKjTgXEY2KluBGV9ff+rbeARLfUh2PDJ9Z5BfF7O8ZyMZpKkcw6MFRRfJ0xgtUZK +vpF0u8NVMIZhHLSJ9q1Roij2POxeOETNXG2bGKtVu8pqhJ14DvMfPgamsQLhzKRX +vBN1Gw+3RctJrQpF9HvYFOsKlfzcWyka82lw5GSsDYGH2TamU00CTQmx/5PW+WVo +xV3C17Wj8AkmRYWeC4IzkTiZ8avVOZ+TMyJKRhL6EGBT3ramu8BFdV8oZOcHHpR/ +rAI6eZcFtNuwKuvfqHZmh84GicHDkMHXy6OiyCYUW9uNdWl7nUPMMxp/zEA6gtay +ozVedGIIrhYkfQAJRcRAcnEBYqcBVkCD/rKXJtdALl3RDQrediRaz0nWE2bJ/qs3 +bHjS6vu9VS/3z0+pEYri +=5Ihe +-----END PGP SIGNATURE----- Added: 
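Review bot: In the [FreeBSD 8.4] download block of FreeBSD-SA-14:16.file.asc, the verify step names the wrong signature file. The two fetch lines retrieve `file-8.4.patch` and `file-8.4.patch.asc`, but the command that follows is `# gpg --verify file.patch.asc`. On an 8.4 host that either fails because the named file is absent or, if both sets were fetched, checks the 9.x/10.0 patch and leaves the 8.4 patch unverified. The line should read `# gpg --verify file-8.4.patch.asc`. Because the advisory text is clearsigned, the correction needs a re-signed revision of the .asc rather than an in-place edit.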
head/share/security/patches/EN-14:07/pmap.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-14:07/pmap.patch Tue Jun 24 19:29:17 2014 (r45118)
@@ -0,0 +1,13 @@
+Index: sys/amd64/amd64/pmap.c
+===================================================================
+--- sys/amd64/amd64/pmap.c (revision 267572)
++++ sys/amd64/amd64/pmap.c (working copy)
+@@ -367,7 +367,7 @@ static int pmap_flags = PMAP_PDE_SUPERPAGE; /* fla
+
+ static struct unrhdr pcid_unr;
+ static struct mtx pcid_mtx;
+-int pmap_pcid_enabled = 1;
++int pmap_pcid_enabled = 0;
+ SYSCTL_INT(_vm_pmap, OID_AUTO, pcid_enabled, CTLFLAG_RDTUN, &pmap_pcid_enabled,
+ 0, "Is TLB Context ID enabled ?");
+ int invpcid_works = 0;
Added: head/share/security/patches/EN-14:07/pmap.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-14:07/pmap.patch.asc Tue Jun 24 19:29:17 2014 (r45118)
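Review bot: In pmap.patch, the new default `int pmap_pcid_enabled = 0;` carries no comment tying it to the erratum. The visible change only turns PCID off by default; it does not touch the CPU-set mask handling that the notice describes as the bug. The `SYSCTL_INT` line below it is declared `CTLFLAG_RDTUN`, so the value can presumably still be set to 1 at boot through the same `vm.pmap.pcid_enabled` tunable the notice uses as its workaround, which would bring the stale-mapping behaviour back on releng/10.0. A one-line comment above the initializer, such as `/* Off by default: stale TLB entries with PCID, see FreeBSD-EN-14:07.pmap */`, would keep a later reader from flipping it back. The hunk shows only this declaration group; the PCID code paths are outside it.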
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCgAGBQJTqc/GAAoJEO1n7NZdz2rnhbEP/2pckDzyxx2dvtY4VXOHwykV
+K8Wb0m8o2x6IpHx/lqvToBX77VneknAmfc6yNxldMTmBq5sLA4kuLp9EkH7iuFtV
+k1XcDWWGaoyLEK6Ur2f/CQOE9t0Qig5i6hVNbWCYzmjNZZGGE4Xd60rSSyQ1QN28
+JNoopI5p/wGWkDlDbw5f+foXBfbuOx1t1XWgEPRbxAXnvc6f3QBi7HQEu7GWWu04
+o5bn7+42zv3ij6aJ/zMb818Ml5cp1zeGT9VkSN17yqEdzmF+5C32caUp4qiiA5+n
+gTR56RISYT+85xK+4AXdv3kZE5ZSQlsA8wLquKDiRVNFvqH7ly6v21JbWEfJBwyz
+4iCA5I9A/Bp8z5ScouupkPimMEKCmSFwpE/Ww914x5bOaYl4xsXUQzBKs2nIWaao
+u7sR7HxW0bq9pK1iVR2kU2md+65vq98HHO1xi1wQ8Aqw9Gt3CKklubiOf36qilUE
+FCxBtumgOkHP8HWSE4oKFqLqx3GPV2j2BMSZiUE/x7gfd86FF6/fyx01NIekMpny
+Osp5rXA5jnKgHJC8M6sF/+Xag1kBaIur5wNtaPSsQASmiXs4yXY29zH3sX4AxA2n
+0fS1fItiM/US30TPGbcT0YEU8FR/CHDchUD2FjbjxntU4VSBUrnsK+ydRWiL+M0e
+q4qZ9kLz2/HzBYG54HiI
+=XjDR
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/EN-14:08/heimdal.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-14:08/heimdal.patch Tue Jun 24 19:29:17 2014 (r45118)
@@ -0,0 +1,13 @@
+Index: crypto/heimdal/lib/gssapi/krb5/prf.c
+===================================================================
+--- crypto/heimdal/lib/gssapi/krb5/prf.c (revision 267806)
++++ crypto/heimdal/lib/gssapi/krb5/prf.c (working copy)
+@@ -117,7 +117,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
+ num = 0;
+ p = prf_out->value;
+ while(desired_output_len > 0) {
+- _gsskrb5_encode_om_uint32(num, input.data);
++ _gsskrb5_encode_be_om_uint32(num, input.data);
+ ret = krb5_crypto_prf(context, crypto, &input, &output);
+ if (ret) {
+ OM_uint32 junk;
Added: head/share/security/patches/EN-14:08/heimdal.patch.asc
==============================================================================
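Review bot: In heimdal.patch, the call changed to `_gsskrb5_encode_be_om_uint32(num, input.data);` has no comment saying why the counter's byte order matters; the only visible difference from the old call is the `_be_` in the name. Adding `/* RFC 4402: the counter is prepended in network (big-endian) byte order */` above the call would document the requirement where it is enforced. The accompanying notice states that the first block (counter zero) was already correct and later blocks were not, so output longer than one PRF block will differ after this change. A patched host and an unpatched Heimdal peer would therefore be expected to disagree on such output until both are updated. The `while` loop and the rest of `_gsskrb5_pseudo_random` continue outside the hunk.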
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/EN-14:08/heimdal.patch.asc Tue Jun 24 19:29:17 2014 (r45118)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCgAGBQJTqc/GAAoJEO1n7NZdz2rneCAP/Ay62O3KiG8sQoCgH/3aTcV2
+k0OhOBxvRsTAaiOy5EVT+BMtZWymDBWiiFZueL6jpYEy3LthqAmguj9KMWC0k6ni
+a6ETu8IzPWjqmYodqcPEM0dfDsovSzDxP2iAdKwcCrY379d/7hPvmhVR2IMt7oXj
+7aeu1zDZtubw5SkpS9Vy6X8yynuz3caxqaUjmRuumonZ+isrQxeC8taXQP/nFIs1
+F71Il7LluEf9Abieh9R1m6mVftABGju9TSvmzHtjuBd0jzInBpegDlxeD3sw4mqa
+TWHKABsd9DqEnghkTN3f0CQ+ba8/KEcN5hR+xpjWGw+8GjilkE5JswIM8W9iQK61
+BIim1dwS4WwLxIxgQtaHwSXrWq5yVrSFwq3sy5yUCa/dZVr4U+vlr4YHZtEw0V+H
+MUh8/3087XlLskNVA7zYQMyjO0f0BUVB5V28VZQJnrywPzHCP/ZHCKboqTmGA5t6
+19MaloslnSpCp73T+ooQ+aiv5j8FGKJfhXOKHkrrj6wocNq1iqsc0coVWv3TtN1J
+GAM00xKyxQLe2nVP+EPQJt1uDdNvcPfXCbNzzQbyW4wnRklBuXqIKKeZn/vYTIYE
+x0oPHPPgAihot6gP2ZZRclT0kpqdJWFGw6fjsBJINBrMPAlClwPUQtelUkueaxtz
+PGj8k8GVtsFOjgvqsRfb
+=QKVG
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-14:15/iconv.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:15/iconv.patch Tue Jun 24 19:29:17 2014 (r45118)
@@ -0,0 +1,175 @@ +Index: lib/libc/iconv/citrus_prop.c +=================================================================== +--- lib/libc/iconv/citrus_prop.c (revision 267591) ++++ lib/libc/iconv/citrus_prop.c (working copy) +@@ -339,7 +339,7 @@ name_found: + + static int + _citrus_prop_parse_element(struct _memstream * __restrict ms, +- const _citrus_prop_hint_t * __restrict hints, void ** __restrict context) ++ const _citrus_prop_hint_t * __restrict hints, void * __restrict context) + { + int ch, errnum; + #define _CITRUS_PROP_HINT_NAME_LEN_MAX 255 +@@ -435,8 +435,7 @@ _citrus_prop_parse_variable(const _citrus_prop_hin + if (ch == EOF || ch == '\0') + break; + _memstream_ungetc(&ms, ch); +- errnum = _citrus_prop_parse_element( +- &ms, hints, (void ** __restrict)context); ++ errnum = _citrus_prop_parse_element(&ms, hints, context); + if (errnum != 0) + return (errnum); + } +Index: lib/libc/iconv/citrus_prop.h +=================================================================== +--- lib/libc/iconv/citrus_prop.h (revision 267591) ++++ lib/libc/iconv/citrus_prop.h (working copy) +@@ -42,7 +42,7 @@ typedef struct _citrus_prop_hint_t _citrus_prop_hi + + #define _CITRUS_PROP_CB0_T(_func_, _type_) \ + typedef int (*_citrus_prop_##_func_##_cb_func_t) \ +- (void ** __restrict, const char *, _type_); \ ++ (void * __restrict, const char *, _type_); \ + typedef struct { \ + _citrus_prop_##_func_##_cb_func_t func; \ + } _citrus_prop_##_func_##_cb_t; +@@ -52,7 +52,7 @@ _CITRUS_PROP_CB0_T(str, const char *) + + #define _CITRUS_PROP_CB1_T(_func_, _type_) \ + typedef int (*_citrus_prop_##_func_##_cb_func_t) \ +- (void ** __restrict, const char *, _type_, _type_); \ ++ (void * __restrict, const char *, _type_, _type_); \ + typedef struct { \ + _citrus_prop_##_func_##_cb_func_t func; \ + } _citrus_prop_##_func_##_cb_t; +Index: lib/libiconv_modules/BIG5/citrus_big5.c +=================================================================== +--- lib/libiconv_modules/BIG5/citrus_big5.c 
(revision 267591) ++++ lib/libiconv_modules/BIG5/citrus_big5.c (working copy) +@@ -170,7 +170,7 @@ _citrus_BIG5_check_excludes(_BIG5EncodingInfo *ei, + } + + static int +-_citrus_BIG5_fill_rowcol(void ** __restrict ctx, const char * __restrict s, ++_citrus_BIG5_fill_rowcol(void * __restrict ctx, const char * __restrict s, + uint64_t start, uint64_t end) + { + _BIG5EncodingInfo *ei; +@@ -189,7 +189,7 @@ static int + + static int + /*ARGSUSED*/ +-_citrus_BIG5_fill_excludes(void ** __restrict ctx, ++_citrus_BIG5_fill_excludes(void * __restrict ctx, + const char * __restrict s __unused, uint64_t start, uint64_t end) + { + _BIG5EncodingInfo *ei; +@@ -235,7 +235,6 @@ static int + _citrus_BIG5_encoding_module_init(_BIG5EncodingInfo * __restrict ei, + const void * __restrict var, size_t lenvar) + { +- void *ctx = (void *)ei; + const char *s; + int err; + +@@ -257,9 +256,9 @@ _citrus_BIG5_encoding_module_init(_BIG5EncodingInf + } + + /* fallback Big5-1984, for backward compatibility. */ +- _citrus_BIG5_fill_rowcol((void **)&ctx, "row", 0xA1, 0xFE); +- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0x40, 0x7E); +- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0xA1, 0xFE); ++ _citrus_BIG5_fill_rowcol(ei, "row", 0xA1, 0xFE); ++ _citrus_BIG5_fill_rowcol(ei, "col", 0x40, 0x7E); ++ _citrus_BIG5_fill_rowcol(ei, "col", 0xA1, 0xFE); + + return (0); + } +Index: lib/libiconv_modules/HZ/citrus_hz.c +=================================================================== +--- lib/libiconv_modules/HZ/citrus_hz.c (revision 267591) ++++ lib/libiconv_modules/HZ/citrus_hz.c (working copy) +@@ -65,8 +65,8 @@ typedef enum { + } charset_t; + + typedef struct { ++ int start; + int end; +- int start; + int width; + } range_t; + +@@ -503,12 +503,12 @@ _citrus_HZ_encoding_module_uninit(_HZEncodingInfo + } + + static int +-_citrus_HZ_parse_char(void **context, const char *name __unused, const char *s) ++_citrus_HZ_parse_char(void *context, const char *name __unused, const char *s) + { + escape_t 
*escape; + void **p; + +- p = (void **)*context; ++ p = (void **)context; + escape = (escape_t *)p[0]; + if (escape->ch != '\0') + return (EINVAL); +@@ -520,7 +520,7 @@ static int + } + + static int +-_citrus_HZ_parse_graphic(void **context, const char *name, const char *s) ++_citrus_HZ_parse_graphic(void *context, const char *name, const char *s) + { + _HZEncodingInfo *ei; + escape_t *escape; +@@ -527,7 +527,7 @@ static int + graphic_t *graphic; + void **p; + +- p = (void **)*context; ++ p = (void **)context; + escape = (escape_t *)p[0]; + ei = (_HZEncodingInfo *)p[1]; + graphic = malloc(sizeof(*graphic)); +@@ -589,13 +589,13 @@ _CITRUS_PROP_HINT_END + }; + + static int +-_citrus_HZ_parse_escape(void **context, const char *name, const char *s) ++_citrus_HZ_parse_escape(void *context, const char *name, const char *s) + { + _HZEncodingInfo *ei; + escape_t *escape; + void *p[2]; + +- ei = (_HZEncodingInfo *)*context; ++ ei = (_HZEncodingInfo *)context; + escape = malloc(sizeof(*escape)); + if (escape == NULL) + return (EINVAL); +Index: lib/libiconv_modules/VIQR/citrus_viqr.c +=================================================================== +--- lib/libiconv_modules/VIQR/citrus_viqr.c (revision 267591) ++++ lib/libiconv_modules/VIQR/citrus_viqr.c (working copy) +@@ -431,7 +431,6 @@ static int + _citrus_VIQR_encoding_module_init(_VIQREncodingInfo * __restrict ei, + const void * __restrict var __unused, size_t lenvar __unused) + { +- const mnemonic_def_t *p; + const char *s; + size_t i, n; + int errnum; +@@ -455,7 +454,10 @@ _citrus_VIQR_encoding_module_init(_VIQREncodingInf + return (errnum); + } + } +- for (i = 0;; ++i) { ++ /* a + 1 < b + 1 here to silence gcc warning about unsigned < 0. 
*/ ++ for (i = 0; i + 1 < mnemonic_ext_size + 1; ++i) { ++ const mnemonic_def_t *p; ++ + p = &mnemonic_ext[i]; + n = strlen(p->name); + if (ei->mb_cur_max < n) Added: head/share/security/patches/SA-14:15/iconv.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:15/iconv.patch.asc Tue Jun 24 19:29:17 2014 (r45118) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iQIcBAABCgAGBQJTqc+xAAoJEO1n7NZdz2rnGpkP/0rm6huVPDIo3qTvfuXyKVvX +MGbc8+35EfDSUxAYLkQIJxiEF88+chJrEqyivP311+IMFUXdyplQvXQiZcTKXdPp +hYVa7wCeC7BbdXILiw+hi9J5TI4QiE+b4Kmn83DIS/iYols4tRpUVXN4OCFaO3BR +oW5RuCI/VBVqwUm+3pZhz1GuzPOmZo+8KxdHk3nmSmoad6SNvPB0W3QY53P2J96E +8euOJGM/38QWav2g7QsQeI+MAx2jcxUmRIQVfCblfXG1O0izNjuC8hjqJptSvBpc +uvJAhQxptludfAa7/ZnW4ws/dJz4ekNSlerjRpNiXE0Hr2r2TAM8cFwG9AbVThga +wZ8+rHFOC30kIJ6uvZbpTPHNSHxu4pVyOOoh4Tfr1xpDqb/3ktSXfXX6bgXPrhMI +PdBVVACYGbdurQU8Z65JbMmNx96Sl79w8mOHrMSeVS3pRL7FtJ4J+c8sOLyiaouM +kIf+vbqSPHRqpkCtmmKP6QM+qrfhrlzmYwyNTE2pKautaGNCyAMY3lrKhbEr7llK +L4YZ9/9Z6ivZZZDhAZbzcJrWQOuW0wmt7E2CyC1TOHOBjI6202J/++ZWSmmsexWF +mWNai/3IqCGd24unHHxdrTUSw+b99pL+HAgAdTQZ2dg3Qh/qC0PAcICBoWDgS0sM +Q34JUXT4cVpCqHeFhPkp +=gJzF +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:16/file-8.4.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:16/file-8.4.patch Tue Jun 24 19:29:17 2014 (r45118) 
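Review bot: The comment on the new loop in `_citrus_VIQR_encoding_module_init` (citrus_viqr.c) explains only the gcc warning, not that the added condition is what stops the walk over `mnemonic_ext`; the old `for (i = 0;; ++i)` had no bound in its header. I would reword it to `/* Stop at mnemonic_ext_size; written as i + 1 < size + 1 only to avoid gcc's "unsigned < 0" warning. */` so nobody later simplifies the condition away. In citrus_hz.c the `start`/`end` swap in `range_t` also has no comment; if some code depends on the field order, as the swap suggests, a line such as `/* field order is significant: start, end, width */` would guard against a later reorder, once the dependency is confirmed. The function continues outside the hunk.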
@@ -0,0 +1,1891 @@ +Index: contrib/file/ascmagic.c +=================================================================== +--- contrib/file/ascmagic.c (revision 267806) ++++ contrib/file/ascmagic.c (working copy) +@@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, + if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL) + goto done; + if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf), +- TEXTTEST)) != 0) ++ 0, TEXTTEST)) != 0) + goto done; + else + rv = -1; +Index: contrib/file/cdf.c +=================================================================== +--- contrib/file/cdf.c (revision 267806) ++++ contrib/file/cdf.c (working copy) +@@ -24,15 +24,18 @@ + * POSSIBILITY OF SUCH DAMAGE. + */ + /* +- * Parse composite document files, the format used in Microsoft Office +- * document files before they switched to zipped xml. ++ * Parse Composite Document Files, the format used in Microsoft Office ++ * document files before they switched to zipped XML. + * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * ++ * N.B. This is the "Composite Document File" format, and not the ++ * "Compound Document Format", nor the "Channel Definition Format". + */ + + #include "file.h" + + #ifndef lint +-FILE_RCSID("@(#)$File: cdf.c,v 1.30 2009/05/06 14:29:47 christos Exp $") ++FILE_RCSID("@(#)$File: cdf.c,v 1.49 2012/02/20 20:04:37 christos Exp $") + #endif + + #include <assert.h> +@@ -44,6 +47,9 @@ + #include <string.h> + #include <time.h> + #include <ctype.h> ++#ifdef HAVE_LIMITS_H ++#include <limits.h> ++#endif + + #ifndef EFTYPE + #define EFTYPE EINVAL +@@ -51,10 +57,6 @@ + + #include "cdf.h" + +-#ifndef __arraycount +-#define __arraycount(a) (sizeof(a) / sizeof(a[0])) +-#endif +- + #ifdef CDF_DEBUG + #define DPRINTF(a) printf a, fflush(stdout) + #else +@@ -68,19 +70,21 @@ static union { + + #define NEED_SWAP (cdf_bo.u == (uint32_t)0x01020304) + +-#define CDF_TOLE8(x) (NEED_SWAP ? 
cdf_tole8(x) : (uint64_t)(x)) +-#define CDF_TOLE4(x) (NEED_SWAP ? cdf_tole4(x) : (uint32_t)(x)) +-#define CDF_TOLE2(x) (NEED_SWAP ? cdf_tole2(x) : (uint16_t)(x)) ++#define CDF_TOLE8(x) ((uint64_t)(NEED_SWAP ? _cdf_tole8(x) : (uint64_t)(x))) ++#define CDF_TOLE4(x) ((uint32_t)(NEED_SWAP ? _cdf_tole4(x) : (uint32_t)(x))) ++#define CDF_TOLE2(x) ((uint16_t)(NEED_SWAP ? _cdf_tole2(x) : (uint16_t)(x))) ++#define CDF_GETUINT32(x, y) cdf_getuint32(x, y) + ++ + /* + * swap a short + */ +-uint16_t +-cdf_tole2(uint16_t sv) ++static uint16_t ++_cdf_tole2(uint16_t sv) + { + uint16_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[1]; + d[1] = s[0]; + return rv; +@@ -89,12 +93,12 @@ static union { + /* + * swap an int + */ +-uint32_t +-cdf_tole4(uint32_t sv) ++static uint32_t ++_cdf_tole4(uint32_t sv) + { + uint32_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[3]; + d[1] = s[2]; + d[2] = s[1]; +@@ -105,12 +109,12 @@ static union { + /* + * swap a quad + */ +-uint64_t +-cdf_tole8(uint64_t sv) ++static uint64_t ++_cdf_tole8(uint64_t sv) + { + uint64_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[7]; + d[1] = s[6]; + d[2] = s[5]; +@@ -122,11 +126,41 @@ static union { + return rv; + } + ++/* *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***