From owner-freebsd-net@FreeBSD.ORG  Fri Nov 21 08:07:00 2014
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id A5E1AEC;
 Fri, 21 Nov 2014 08:07:00 +0000 (UTC)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com
 [IPv6:2a00:1450:4010:c03::229])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3FA7196F;
 Fri, 21 Nov 2014 08:07:00 +0000 (UTC)
Received: by mail-la0-f41.google.com with SMTP id gf13so3786685lab.14
 for <multiple recipients>; Fri, 21 Nov 2014 00:06:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:sender:in-reply-to:references:date:message-id:subject
 :from:to:cc:content-type;
 bh=R6NaaR9sUPaIWwpNqAZOXjKSZ2hiSD7+wU7brstTvew=;
 b=lwGL8fO4IZs2Q789fdDJNV1LczNaheEFzY6b6BfP5Vn664k9nbzseGUb1Ml8gP3EB7
 dJe7GBkC6j5xKuZxEuWUXpmGuMW2UB5T+or/6wBwilmmQApzYHgoJa/2CL7217/bqJbP
 duFq1EGpiPAwssx5qqu3hyUFpqaLL1qGv4NOYGWMQuKMiejkfAnN2qbIt62qgBD6eNOP
 0gIXz3lfyZP7bEhFpQ7XL2cTD/64cGosjwvzSCDAHuFzD7Nv4HbKgfOS8hq0ZqHNahGo
 KFb6hHzpU/57q/9HKSjGQ2BN6rk56rI88NbteHGZpwyTpCwEjMLJ0Ra093yr1mlAH4RH
 wlmQ==
MIME-Version: 1.0
X-Received: by 10.112.16.39 with SMTP id c7mr2550923lbd.19.1416557218197; Fri,
 21 Nov 2014 00:06:58 -0800 (PST)
Sender: crodr001@gmail.com
Received: by 10.112.130.168 with HTTP; Fri, 21 Nov 2014 00:06:58 -0800 (PST)
In-Reply-To: <CAG=rPVfRmoaGvcCnDdBSF6=NxEfi7=PhbQkncb6Z_WrRMZtjmQ@mail.gmail.com>
References: <CAG=rPVfRmoaGvcCnDdBSF6=NxEfi7=PhbQkncb6Z_WrRMZtjmQ@mail.gmail.com>
Date: Fri, 21 Nov 2014 00:06:58 -0800
X-Google-Sender-Auth: NvEn0fM3QA5OFreLz0ufAqhcRlg
Message-ID: <CAG=rPVewFvRWhVAk-3_A8NS2_MbymsX1wBQbcbOfg6RgTfiw1w@mail.gmail.com>
Subject: Re: VIMAGE + pf security fix?
From: Craig Rodrigues <rodrigc@FreeBSD.org>
To: "Bjoern A. Zeeb" <bz@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
Cc: FreeBSD Net <freebsd-net@freebsd.org>,
 "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>,
 freebsd-arch <freebsd-arch@freebsd.org>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2014 08:07:00 -0000

On Thu, Nov 20, 2014 at 10:07 AM, Craig Rodrigues <rodrigc@freebsd.org>
wrote:

> On Wed, Nov 19, 2014 at 6:05 AM, Bjoern A. Zeeb <bz@freebsd.org> wrote:
>
>>
>> For people to use pf with VIMAGE we first MUST have the security fix
>> imported that I pointed out a couple of times in the past.
>>
>
> At this link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3830
>
> I see the security issue mentioned, but I can't find the patch that fixes
> the problem.
> Where is the patch?
>

I read this link:
http://esec-lab.sogeti.com/post/2010/12/09/CVE-2010-3830-iOS-4.2.1-packet-filter-local-kernel-vulnerability

and I think this is the fix:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_ioctl.c?rev=1.236&content-type=text/x-cvsweb-markup

but I can't even apply that patch to our pf_ioctl.c.

--
Craig