From: Xin LI Date: Wed, 5 Aug 2015 22:18:30 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r47162 - in head/share: security/advisories security/patches/SA-15:18 security/patches/SA-15:19 xml Author: delphij Date: Wed Aug 5 22:18:29 2015 New Revision: 47162 URL: https://svnweb.freebsd.org/changeset/doc/47162 Log: Add SA-15:18 and SA-15:19. Added: head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-15:19.routed.asc (contents, props changed) head/share/security/patches/SA-15:18/ head/share/security/patches/SA-15:18/bsdpatch.patch (contents, props changed) head/share/security/patches/SA-15:18/bsdpatch.patch.asc (contents, props changed) head/share/security/patches/SA-15:19/ head/share/security/patches/SA-15:19/routed.patch (contents, props changed) head/share/security/patches/SA-15:19/routed.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc Wed Aug 5 22:18:29 2015 (r47162) 
@@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:18.bsdpatch Security Advisory + The FreeBSD Project + +Topic: shell injection vulnerability in patch(1) + +Category: contrib +Module: patch +Announced: 2015-08-05 +Credits: Martin Natano +Affects: FreeBSD 10.x. +Corrected: 2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE) + 2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3) + 2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2) + 2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1) + 2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17) +CVE Name: CVE-2015-1418 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The patch(1) utility takes a patch file produced by the diff(1) program and +apply the differences to an original file, producing a patched version. + +The patch(1) utility supports patches that uses ed(1) script format, as +required by the POSIX.1-2008 standard. + +ed(1) is a line-oriented text editor. + +II. Problem Description + +Due to insufficient sanitization of the input patch stream, it is possible +for a patch file to cause patch(1) to pass certain ed(1) scripts to the +ed(1) editor, which would run commands. + +III. Impact + +This issue could be exploited to execute arbitrary commands as the user +invoking patch(1) against a specically crafted patch file, which could be +leveraged to obtain elevated privileges. + +IV. Workaround + +No workaround is available, but systems where a privileged user does not +make use of patches without proper validation are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +A reboot is not required after updating. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is not required after updating. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch +# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch.asc +# gpg --verify bsdpatch.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r286348 +releng/10.1/ r286351 +releng/10.2/ r286350 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAEBCgAGBQJVwoplAAoJEO1n7NZdz2rn8D4QAM0077U1nLiJFIU1VcM9IOKp +GeZ/w9SnkrKqKzAQpq3QS1hmw0TxvP8kuJNuRVFF6M15Woprfxccb8mDxM0ntru4 +t8rq/QLO2jMWopf67Spv6jr6GLLQXkiyRwLEyr7L8a7MbrFwjO1wYt+8GnQ6Nsvn +kNfCnbNKPr1gNYM1XsLS7Ej1kl7aBx3xGQXU4d9HlOs/1X7rnPCnGKuc3ZD2Z/N4 +zu8pV4NMFhWyJsax+FVYEFxwyd2uEb73A35nz/sQhGiwGOCtL424KG+hwj9mnm45 +8f4m+53b6RDcBh6xU41fghMsac2PVCzY2r9GXXXJNlfEa+KnSN8yC+CvtXYEM9BX +9Y5g6i++RVLLT7mwFdG86FjZxSGpDBXlkpZ4I9qiS4YC8MFO4qC7SFzufxtfOcg+ +R+QSj+DWOfeHDcXjEkHGlqTW9poE2EDWXDLwlEoOykh9NLyWl6enYd8ZEI3GUqyJ +FgKiICrs1vUuGhOhTCgjyQjQUc6jaV/GzhLBJfyxz5xYDpr7DIILxJ8uki2FJcHS +tZhlNu6JNqpBlsWNspqjw7NSP2j58Uj0bBdwWvFNX8otQiIXVfkdY8RCjxstq5lT +3bcF6akAFEBx/f/VYM1lswLM/XdbORYC3asLu84BP541EDqdx9d88TeTKNPvyb4Q +sGJ763WSlsoLrQDr8CUt +=iR0L +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-15:19.routed.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:19.routed.asc Wed Aug 5 22:18:29 2015 (r47162) 
@@ -0,0 +1,164 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:19.routed Security Advisory + The FreeBSD Project + +Topic: routed(8) remote denial of service vulnerability + +Category: core +Module: routed +Announced: 2015-08-05 +Credits: Hiroki Sato +Affects: All supported versions of FreeBSD. +Corrected: 2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE) + 2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3) + 2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2) + 2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1) + 2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17) + 2015-08-05 22:05:07 UTC (stable/9, 9.3-STABLE) + 2015-08-05 22:05:24 UTC (releng/9.3, 9.3-RELEASE-p22) +CVE Name: CVE-2015-5674 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The routing information protocol (RIP) is an older routing protocol +which, while not as capable as more recent protocols such as OSPF and +BGP, is sometimes preferred for its simplicity and therefore still +used as an interior gateway protocol on smaller networks. + +Routers in a RIP network periodically broadcast their routing table on +all enabled interfaces. Neighboring routers and hosts receive these +broadcasts and update their routing tables accordingly. + +The routed(8) daemon is a RIP implementation for FreeBSD. The +rtquery(8) utility can be used to send a RIP query to a router and +display the result without updating the routing table. + +II. Problem Description + +The input path in routed(8) will accept queries from any source and +attempt to answer them. However, the output path assumes that the +destination address for the response is on a directly connected +network. + +III. 
Impact + +Upon receipt of a query from a source which is not on a directly +connected network, routed(8) will trigger an assertion and terminate. +The affected system's routing table will no longer be updated. If the +affected system is a router, its routes will eventually expire from +other routers' routing tables, and its networks will no longer be +reachable unless they are also connected to another router. + +IV. Workaround + +Note that this problem does not affect a system on which routed(8) +is not enabled. The routed(8) daemon is not enabled by default. + +Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP +packets with destination port 520 that did not originate on the same +subnet as the destination address. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The routed service has to be restarted after the update. A reboot is +recommended but not required. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +The routed service has to be restarted after the update. A reboot is +recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch +# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch.asc +# gpg --verify routed.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/routed.patch + +c) Recompile routed. 
Execute the following commands as root: + +# cd /usr/src/sbin/routed +# make && make install + +Restart the routed daemon, or reboot the system. + +To restart the affected service after updating the system, either +reboot the system or execute the following command as root: + +# service routed restart + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r286349 +releng/9.3/ r286352 +stable/10/ r286348 +releng/10.1/ r286351 +releng/10.2/ r286350 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAEBCgAGBQJVwoplAAoJEO1n7NZdz2rnMFAP/3HWG6FrFxM3jgMcK7a5+nKP +O6BqVXpFdia0UUN5JlcEZXc89957mXdMXCDqNeTj3CeDc0p9GbPX1zV/vlYoOqhM +eIPwgERbMRFnDRaWm2ClG+aatJvdpeDEioNy8b8tmKq94JcpXIJnwX8dhY3WrMwj +Mc3QBGT08XLImHqNw6d6/0wavFeOZ/3g1ZoloAktsgA9KhTUOai6dUhIbIJzk6gh +0oa4NRkhzRNmUKyHOS6HDrghhQ/kZGtE8joVBxLBljK0Thi0mIZtn3UFGsNAgAWw +7WGAiTN2o8c48IUJosmiGsJ7rV1wCFt5zXrZVCcnq6dr60He16Z2Zwif2tugiTvm +5x9lDbTEnYOTxM38Ya5gMtMf733YgAtoRCkf3ROsnwXukJYVsJXms7Ej4NihoKMd +aYOLDItl+AXUGIyQ44GuUm2955wo9Fb5RlkDSCLAvdgnkPk+k0puLp0MR0B2MOAI +tdKNecRNg0fDR5gJbfdzdjVhsGBZXdYlxo4VjXUXDSZJ+8+jkAg2LA9DTRKIfbgX +BX5GiOhkhIivFlgvSePv0LRuIbgt0H1cxiJdk6OqNS5gROuqwo7wwUnaig8KVKOI +887gfpf7PepYD4xWTo3nAoEcGM0rBwUyq1X3pbx9OJADcqRvOhxfMcHFcCv75uxa +OISkQhkWdZUv6ls76rRu +=p5Rl +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:18/bsdpatch.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:18/bsdpatch.patch Wed Aug 5 22:18:29 2015 (r47162) 
@@ -0,0 +1,57 @@ +Index: usr.bin/patch/pathnames.h +=================================================================== +--- usr.bin/patch/pathnames.h (revision 286254) ++++ usr.bin/patch/pathnames.h (working copy) +@@ -9,4 +9,4 @@ + + #include + +-#define _PATH_ED "/bin/ed" ++#define _PATH_RED "/bin/red" +Index: usr.bin/patch/pch.c +=================================================================== +--- usr.bin/patch/pch.c (revision 286254) ++++ usr.bin/patch/pch.c (working copy) +@@ -1,4 +1,3 @@ +- + /*- + * Copyright 1986, Larry Wall + * +@@ -1409,6 +1408,7 @@ do_ed_script(void) + char *t; + off_t beginning_of_this_line; + FILE *pipefp = NULL; ++ int continuation; + + if (!skip_rest_of_patch) { + if (copy_file(filearg[0], TMPOUTNAME) < 0) { +@@ -1415,7 +1415,7 @@ do_ed_script(void) + unlink(TMPOUTNAME); + fatal("can't create temp file %s", TMPOUTNAME); + } +- snprintf(buf, buf_size, "%s%s%s", _PATH_ED, ++ snprintf(buf, buf_size, "%s%s%s", _PATH_RED, + verbose ? " " : " -s ", TMPOUTNAME); + pipefp = popen(buf, "w"); + } +@@ -1433,7 +1433,19 @@ do_ed_script(void) + (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) { + if (pipefp != NULL) + fputs(buf, pipefp); +- if (*t != 'd') { ++ if (*t == 's') { ++ for (;;) { ++ continuation = 0; ++ t = strchr(buf, '\0') - 1; ++ while (--t >= buf && *t == '\\') ++ continuation = !continuation; ++ if (!continuation || ++ pgets(true) == 0) ++ break; ++ if (pipefp != NULL) ++ fputs(buf, pipefp); ++ } ++ } else if (*t != 'd') { + while (pgets(true)) { + p_input_line++; + if (pipefp != NULL) Added: head/share/security/patches/SA-15:18/bsdpatch.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:18/bsdpatch.patch.asc Wed Aug 5 22:18:29 2015 (r47162) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAABCgAGBQJVwoqMAAoJEO1n7NZdz2rnGmIP/2c1n/1iGLa0zLO1GHMP7Fuu +RCjmhJs2EWNnItUevHAf8kv5fYw9re3Dmn+zRPAEQw2ElmaEl7RIbT4ciG33n+ax +nn2CaqaRbwHmVtCQhvWAy0Rb8DOl0zvdw2eJxj4UxqTrXex7IDIZgdKJX5JtkY/A +W8w5ZB5x/7f6lcVUv85wUiBCYKCdrUFyfxwxeqUuCZ1fXhX5Y/7eDEZW7OmAox3R +6y87nwucjaisnctSeMSL8xRsIPW2P9wsIHxWm/8ixWsC7rdhRIBqtIpLTBO+jZEI +W87nUUL082nFKp3bvMHnCc2gtwhBu0VzFpCEAXD/ggotOXvMDx+d0td0BFnRcmZZ +xly4bED85SGz6RbS06eDB3ZG0aOzRzpm7PNRrzR/YDkbbadOprVJvMWav1iCurvJ +rf3ABrgt4Vb8aN5reAwmUjmDesNy6CP5u9UimFEUF+fWrwFvLiGkTl6NkHTCBP34 +HWAX4FpeeJbvt0yYJS+8+nv2qns0myd+UQjc9OjOMDTcw1DX9RoBBTe+K3JQlslx +uZwek6v/ahT2yblN92x2Di8ayEwQlRsPkKAKKFYtfwO6hRrQtYkPDwNSZ+MnQF1v +LbO2L1d3TZWGjdPnS4AvFLTQd+ckSFAldMsF46nB7Nf45RYV3f9lnb0COk0UPvYI +U3gKJ20S8tAF+VO7hZZV +=DXel +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:19/routed.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:19/routed.patch Wed Aug 5 22:18:29 2015 (r47162) @@ -0,0 +1,17 @@ +Index: sbin/routed/input.c +=================================================================== +--- sbin/routed/input.c (revision 286262) ++++ sbin/routed/input.c (working copy) +@@ -160,6 +160,12 @@ input(struct sockaddr_in *from, /* received from + + trace_rip("Recv", "from", from, sifp, rip, cc); + ++ if (sifp == 0) { ++ trace_pkt(" discard a request from an indirect router" ++ " (possibly an attack)"); ++ return; ++ } ++ + if (rip->rip_vers == 0) { + msglim(&bad_router, FROM_NADDR, + "RIP version 0, cmd %d, packet received from %s", Added: head/share/security/patches/SA-15:19/routed.patch.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:19/routed.patch.asc Wed Aug 5 22:18:29 2015 (r47162) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.6 (FreeBSD) + +iQIcBAABCgAGBQJVwoqMAAoJEO1n7NZdz2rnWTMP/Rs3RWs7vpS5kjD46iM5KZv9 +BY011+7N5uaa9yxCIBXe2KwjRbmzd480eU3nfOMZh3XHo/aehAyJdI4QtnFCXFLq +5+JnixcfHmVjtNvrjz29OyRi6Y9E9biW9M2yTisGdNjM5aYMlPNBhi+eSoB0QfLa +H5q7tDM6h/iuotXbJtqzTHRLb+TuFTieSyDndFLX9Dk5CFi7vTZeCkV2qSm2uVFi +msBrWSckl6F/wrWjJkvB4khPdzdBKslG4m2mxfIRLEUM2V31CTmqmyJiNhjHXL4U +JW+3uq02jz+zYHuMf6IxpEB5eK6JaieqaQhaTzyGQd6XImRtXp9T3wEyuahm+s0C +pBnO4ky+/oTWqwcAGjEdAwxXw1IL594ZcZIpbTdSNhRApNWRXyk08uS9ktP3W/kV +eOZW6HB19oJipyNZE3zCFHDInUMh6OMWQFxKpOBxYid08vYy8bKhXLG+Di+ddfnF +6ITFHLetyw0RT306gHm1GGbHY8SkuZpsqo67R8fUOilsc5RE9J0qJg3BRYmIzhbA +I+JkXpZ33Wxi9BO8nPdZxTC7UylKJT1Nd6rk511gAtKjta2dZvoisFIQ0XxIVBdC +vLO0pferZj4jDEkAlaH8UlmHGl483oRW7P4OfpLWlxZ2imWH2LTh/mxEDiJMqAjR +6Cf6RRTd14yoQha24Osf +=wxDr +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Aug 5 14:17:16 2015 (r47161) +++ head/share/xml/advisories.xml Wed Aug 5 22:18:29 2015 (r47162) @@ -8,6 +8,22 @@ 2015 + 8 + + + 5 + + + FreeBSD-SA-15:19.routed + + + + FreeBSD-SA-15:18.bsdpatch + + + + + 7
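Review bot: In FreeBSD-SA-15:18.bsdpatch.asc, Solution step 3b has root run the still-unfixed patch(1) on a downloaded file ("# patch < /path/to/patch"), so the gpg --verify in step 3a is the only thing protecting that invocation; the text should say that the patch must not be applied unless verification succeeds. Step 3b would also be clearer naming the file (/path/to/bsdpatch.patch), as the SA-15:19 advisory does for routed.patch. Wording to fix before the text is signed: "specically crafted", "and apply the differences" (applies), "patches that uses". Section II does not mention that the correction switches the editor to /bin/red, which the accompanying bsdpatch.patch shows; one sentence on that would let readers judge the fix.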
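Review bot: In FreeBSD-SA-15:19.routed.asc, step 3a fetches the patch and its signature over plain HTTP ("# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch") while the SA-15:18 advisory in the same commit uses https:// for the same host; use https:// in both for consistency, even though integrity rests on the gpg --verify step. The restart instruction is also stated twice after step 3c ("Restart the routed daemon, or reboot the system." followed by "To restart the affected service ... either reboot the system or execute ..."); keep the second form with the explicit "service routed restart" command and drop the first. The workaround would be easier to apply if it gave a sample pf(4) or ipfw(4) rule for UDP port 520.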
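Review bot: In the pch.c hunk at do_ed_script() "@@ -1415,7 +1415,7", the editor command is still assembled with snprintf() and run through popen(buf, "w"), so a shell continues to parse the string that contains TMPOUTNAME; only the binary changes from _PATH_ED to _PATH_RED. Nothing in the hunk, or in the pathnames.h define, explains why the restricted editor is required, so a later cleanup could revert it without noticing the security impact. Please add a comment at the snprintf() call stating that red is used to keep the ed script from running commands, and consider as follow-up replacing popen() with pipe/fork/exec and an argv array so that no shell is involved at all.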
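Review bot: In the pch.c hunk "@@ -1433,7 +1433,19", the new loop for 's' commands consumes continuation lines with pgets(true) but never increments p_input_line, whereas the existing branch just below does ("while (pgets(true)) { p_input_line++;"), so line numbers reported after a multi-line substitute will be off. Add p_input_line++ after a successful pgets() in the new loop. The backslash parity count ("while (--t >= buf && *t == '\\') continuation = !continuation;") deserves a short comment saying that an odd number of trailing backslashes means the command continues on the next line. Also note that "t = strchr(buf, '\0') - 1" followed by the pre-decrement assumes the line ends in a newline; a final line without one would have its last character skipped, so either document that assumption or check for the newline explicitly.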
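Review bot: In the sbin/routed/input.c hunk, the discard is reported only through trace_pkt(), while the version check immediately after it uses msglim(&bad_router, FROM_NADDR, ...); since the message itself says "(possibly an attack)", a rate-limited msglim() log that includes the source address would give operators something to detect on. The check also runs before the RIP command is examined, so every packet with no matching interface is dropped, yet the message says "a request"; either word it as "a packet" or move the test to the request-handling path if only queries are meant to be rejected. If sifp is a pointer, as its use in trace_rip() suggests, compare against NULL rather than 0.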