From: Xin LI Date: Tue, 29 Sep 2015 18:14:21 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r47456 - in head/share: security/advisories security/patches/SA-15:24 xml X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Sep 2015 18:14:23 -0000 Author: delphij Date: Tue Sep 29 18:14:20 2015 New Revision: 47456 URL: https://svnweb.freebsd.org/changeset/doc/47456 Log: Add SA-15:24.rpcbind. Added: head/share/security/advisories/FreeBSD-SA-15:24.rpcbind.asc (contents, props changed) head/share/security/patches/SA-15:24/ head/share/security/patches/SA-15:24/rpcbind.patch (contents, props changed) head/share/security/patches/SA-15:24/rpcbind.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-15:24.rpcbind.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-15:24.rpcbind.asc Tue Sep 29 18:14:20 2015 (r47456) 
@@ -0,0 +1,155 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-15:24.rpcbind Security Advisory + The FreeBSD Project + +Topic: rpcbind(8) remote denial of service + +Category: core +Module: rpcbind +Announced: 2015-09-29 +Affects: All supported versions of FreeBSD. +Corrected: 2015-09-29 18:06:27 UTC (stable/10, 10.2-STABLE) + 2015-09-29 18:07:18 UTC (releng/10.2, 10.2-RELEASE-p4) + 2015-09-29 18:07:18 UTC (releng/10.1, 10.1-RELEASE-p21) + 2015-09-29 18:06:27 UTC (stable/9, 9.3-STABLE) + 2015-09-29 18:07:18 UTC (releng/9.3, 9.3-RELEASE-p27) +CVE Name: CVE-2015-7236 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +Sun RPC is a remote procedure call framework which allows clients to invoke +procedures in a server process over a network transparently. + +The rpcbind(8) utility is a server that converts RPC program numbers into +universal addresses. It must be running on the host to be able to make RPC +calls on a server on that machine. + +The Sun RPC framework uses a netbuf structure to represent the transport +specific form of a universal transport address. The structure is expected +to be opaque to consumers. In the current implementation, the structure +contains a pointer to a buffer that holds the actual address. + +II. Problem Description + +In rpcbind(8), netbuf structures are copied directly, which would result in +two netbuf structures that reference to one shared address buffer. When one +of the two netbuf structures is freed, access to the other netbuf structure +would result in an undefined result that may crash the rpcbind(8) daemon. + +III. Impact + +A remote attacker who can send specifically crafted packets to the rpcbind(8) +daemon can cause it to crash, resulting in a denial of service condition. + +IV. 
Workaround + +No workaround is available, but systems that do not provide the rpcbind(8) +service to untrusted systems, or do not provide any RPC services are not +vulnerable. On FreeBSD, typical RPC based services includes NIS and NFS. + +Alternatively, rpcbind(8) can be configured to bind on specific IP +address(es) by using the '-h' option. This may be used to reduce the attack +vector when the system has multiple network interfaces and when some of them +would face an untrusted network. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Restart the applicable daemons, or reboot the system. Because rpcbind(8) +is an essential service to all RPC service daemons, these daemons may also +need to be restarted. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart the applicable daemons, or reboot the system. Because rpcbind(8) +is an essential service to all RPC service daemons, these daemons may also +need to be restarted. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch +# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch.asc +# gpg --verify rpcbind.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable daemons, or reboot the system. + +VI. 
Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r288384 +releng/9.3/ r288385 +stable/10/ r288384 +releng/10.1/ r288385 +releng/10.2/ r288385 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.8 (FreeBSD) + +iQIcBAEBCgAGBQJWCtQJAAoJEO1n7NZdz2rnqrcQAMpVQGhgOE2Qz7seLSeKyorU +lYjMQteAxsYFF7t6BCQxMcfnKVYS9fTUwega6bvBMVQqG7bWg3IKr/esH/pExC22 +XbVemdOKot63Qvu+qdQ33DMr0mb4B9NqWQDV4cFu2sj1yHtZjwufFsvTDC8B89Za +OfJsKrdxFbR57uOPnm1jhbb/m46O2q6HnD0GsPCXAA9SWAAk6hrjtVsRURjs654e +iuHa6umSADKeVj0FYiFOyrBM0FgyxmSpBikJD3aaLJa1qCFTPDrGG29283krtSlp +JgbWm0+dj9O6pl9NapuE2dKtXmp/bdjLzWKnj2qDWMpsX31uqLFSzcP6/AxxiIiI +S9Uvb9ucQJRqidJ5jgQkicLd7IIM20HWXOltA4uMovoqF8xOVkCyLZ5Nyg4Yiueg +vsjQ5lQipsOJQBtDO11HjLhZTm4a8c3pHASt0HadvxstNYjB0Kqtm2YySQGdk9H/ +/mvjsWE227fJkqwayBlmUviOX39Cz/9AzpkPtaQYsYKNUEOy0hr04i/yIF40RH/Z +wIChfTR10KkRvr4dAWT7Kg2bm2Xd0Gs6bEI5YX3PE3aROVwnwmVWCd/rpdkrnVsV +Pi5MWtPHNATPwRa2UmKbYtwB9mF3GXuBOSssW3K+DfPS+0/ZfYa5CedyeHA3aDGW +f5ih6/YFCvSB/NURgvcU +=WO98 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-15:24/rpcbind.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:24/rpcbind.patch Tue Sep 29 18:14:20 2015 (r47456) 
@@ -0,0 +1,65 @@ +Index: usr.sbin/rpcbind/rpcb_svc_com.c +=================================================================== +--- usr.sbin/rpcbind/rpcb_svc_com.c (revision 288019) ++++ usr.sbin/rpcbind/rpcb_svc_com.c (working copy) +@@ -47,6 +47,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1047,19 +1048,31 @@ netbufcmp(struct netbuf *n1, struct netbuf *n2) + return ((n1->len != n2->len) || memcmp(n1->buf, n2->buf, n1->len)); + } + ++static bool_t ++netbuf_copybuf(struct netbuf *dst, const struct netbuf *src) ++{ ++ ++ assert(dst->buf == NULL); ++ ++ if ((dst->buf = malloc(src->len)) == NULL) ++ return (FALSE); ++ ++ dst->maxlen = dst->len = src->len; ++ memcpy(dst->buf, src->buf, src->len); ++ return (TRUE); ++} ++ + static struct netbuf * + netbufdup(struct netbuf *ap) + { + struct netbuf *np; + +- if ((np = malloc(sizeof(struct netbuf))) == NULL) ++ if ((np = calloc(1, sizeof(struct netbuf))) == NULL) + return (NULL); +- if ((np->buf = malloc(ap->len)) == NULL) { ++ if (netbuf_copybuf(np, ap) == FALSE) { + free(np); + return (NULL); + } +- np->maxlen = np->len = ap->len; +- memcpy(np->buf, ap->buf, ap->len); + return (np); + } + +@@ -1067,6 +1080,7 @@ static void + netbuffree(struct netbuf *ap) + { + free(ap->buf); ++ ap->buf = NULL; + free(ap); + } + +@@ -1184,7 +1198,7 @@ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi) + { + u_int32_t *xidp; + +- *(svc_getrpccaller(xprt)) = *(fi->caller_addr); ++ netbuf_copybuf(svc_getrpccaller(xprt), fi->caller_addr); + xidp = __rpcb_get_dg_xidp(xprt); + *xidp = fi->caller_xid; + } Added: head/share/security/patches/SA-15:24/rpcbind.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-15:24/rpcbind.patch.asc Tue Sep 29 18:14:20 2015 (r47456) 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.8 (FreeBSD) + +iQIcBAABCgAGBQJWCtQUAAoJEO1n7NZdz2rniJUQANmSbRy/klFblUh7QpeeDAuH +oTugGv4LxEja5OXrHyWQMDQGewY0CQFIt+lWqOh8RxwIiw96xVLntI4RfwkmdXsW +c5Q/HMJ2eyaI8rSdn+L2Zqw7yXvKemxF91R8DWy0FNNZOqStVPjgInYdkPx/uKjF +p7kNPWhycMwa5SKdYbNu14Ftw7epcRp/3vtnWzNQgEhMRD2JFqh1cOcGLAFuzCJ9 +v2jNokXFsIb8N77MCLAcZNn5n2jBQHU6PVetrUU3+BYTjn66YqPhWd1VjppwLZTX +suLolac8SDDG/TOf9f3c2p1BJ5iHeRvKpcj+vP3QvY+PGMcQqOCiU174DoG0lRku ++M6zo4rlzReEqgZT+6kNtsP06CWUmE7pbD+fuqu+9JTPI21Xl+Ck7oGkLq8hqccg +2hl1EK86Wltmd825IqLDgFYAKfcsvAlQnrUk46X5eEOcDn6FMi/y/tb+wZb+FJn/ +tVA3LRTO6uuPTLIT6qEhuuDXj9yy7+KVZP3mAawrKGLa5cffzvG5J+VQxhl2P1/X +7V8x8z3S2uWHQflLQuX22565CaBF5KT4/Bwe6h8m/DUdpUFxmazjofzJ4h+tjq5s +jJ6w7zMJ88pyDvYqVsgVIiqVCicV0go1b+0o//b73d6wTOyfpzAJavh9tDASr0+P +O0Coptza3F8VscwY2pXu +=D7Pg +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Sep 29 11:52:14 2015 (r47455) +++ head/share/xml/advisories.xml Tue Sep 29 18:14:20 2015 (r47456) @@ -11,6 +11,14 @@ 9 + 29 + + + FreeBSD-SA-15:24.rpcbind + + + + 2
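Review bot: in the `@@ -1047,19 +1048,31 @@` hunk of rpcbind.patch, `assert(dst->buf == NULL)` in `netbuf_copybuf()` is the only guard on the destination, and an assertion is the wrong tool in a daemon that handles network input. If the destination already owns a buffer, the assertion aborts rpcbind, which is the same outcome the advisory is fixing; in a build with NDEBUG the check disappears and the old pointer is silently overwritten and leaked. `netbufdup()` meets the precondition by switching to `calloc`, but the other caller passes `svc_getrpccaller(xprt)`, and nothing in the patch shows that its `buf` is NULL at that point. Suggest handling a non-NULL `dst->buf` explicitly (free it, or reuse it when `dst->maxlen >= src->len`) instead of asserting, and adding a comment that states who owns the copied buffer.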
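Review bot: in the `@@ -1067,6 +1080,7 @@` hunk of rpcbind.patch, the added `ap->buf = NULL;` in `netbuffree()` sits immediately before `free(ap)`, so the cleared field lives in memory that is released on the next line. It cannot protect another netbuf that still holds the same `buf` pointer, because that copy has its own field, and a compiler is free to drop the store. Either remove the line or add a comment saying what it is meant to catch; the aliasing itself is addressed by the deep copies made elsewhere in the patch.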
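Review bot: in the `@@ -1184,7 +1198,7 @@` hunk of rpcbind.patch, `xprt_set_caller()` discards the `bool_t` returned by `netbuf_copybuf()`. When `malloc` fails the helper returns FALSE before touching `len` and `maxlen`, so the transport's caller address is left with a NULL `buf` and whatever length it had before, and the function goes on to set the XID as if the copy had succeeded. Check the result and propagate the failure (or at least zero `len` and `maxlen` on the error path) so later code does not read through the NULL pointer. The buffer allocated here also needs a matching free when the transport's caller address is replaced or torn down; the patch does not show one.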