Date: Tue, 6 Apr 2021 20:13:55 GMT
From: Gordon Tetlow <gordon@FreeBSD.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject: git: 06731fae1b - main - Add EN-21:09, EN-21:10, and SA-21:08 through SA-21:10. Approved by: so
Message-ID: <202104062013.136KDtkd077397@gitrepo.freebsd.org>
The branch main has been updated by gordon (src committer):

URL: https://cgit.FreeBSD.org/doc/commit/?id=06731fae1bedfd833b102bbb3c81ba6f59b93168

commit 06731fae1bedfd833b102bbb3c81ba6f59b93168
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2021-04-06 20:12:54 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2021-04-06 20:12:54 +0000

    Add EN-21:09, EN-21:10, and SA-21:08 through SA-21:10.

    Approved by: so
---
 website/data/security/advisories.toml | 12 ++
 website/data/security/errata.toml | 8 +
 .../security/advisories/FreeBSD-EN-21:09.pf.asc | 119 +++++++++++++++
 .../security/advisories/FreeBSD-EN-21:10.lldb.asc | 119 +++++++++++++++
 .../security/advisories/FreeBSD-SA-21:08.vm.asc | 166 ++++++++++++++++++++
 .../advisories/FreeBSD-SA-21:09.accept_filter.asc | 168 ++++++++++++++++++++
 .../advisories/FreeBSD-SA-21:10.jail_mount.asc | 170 +++++++++++++++++++++
 website/static/security/patches/EN-21:09/pf.patch | 22 +++
 .../static/security/patches/EN-21:09/pf.patch.asc | 16 ++
 .../static/security/patches/EN-21:10/lldb.patch | 54 +++++++
 .../security/patches/EN-21:10/lldb.patch.asc | 16 ++
 .../security/patches/SA-21:08/vm_fault.11.patch | 37 +++++
 .../patches/SA-21:08/vm_fault.11.patch.asc | 16 ++
 .../security/patches/SA-21:08/vm_fault.12.patch | 37 +++++
 .../patches/SA-21:08/vm_fault.12.patch.asc | 16 ++
 .../security/patches/SA-21:08/vm_fault.13.patch | 47 ++++++
 .../patches/SA-21:08/vm_fault.13.patch.asc | 16 ++
 .../security/patches/SA-21:09/accept_filter.patch | 26 ++++
 .../patches/SA-21:09/accept_filter.patch.asc | 16 ++
 .../security/patches/SA-21:10/jail_mount.11.patch | 15 ++
 .../patches/SA-21:10/jail_mount.11.patch.asc | 16 ++
 .../security/patches/SA-21:10/jail_mount.12.patch | 17 +++
 .../patches/SA-21:10/jail_mount.12.patch.asc | 16 ++
 .../security/patches/SA-21:10/jail_mount.13.patch | 17 +++
 .../patches/SA-21:10/jail_mount.13.patch.asc | 16 ++
 25 files changed, 1178 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 08e22e3be7..b3a4c14939 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,18 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-21:10.jail_mount" +date = "2021-04-06" + +[[advisories]] +name = "FreeBSD-SA-21:09.accept_filter" +date = "2021-04-06" + +[[advisories]] +name = "FreeBSD-SA-21:08.vm" +date = "2021-04-06" + [[advisories]] name = "FreeBSD-SA-21:07.openssl" date = "2021-03-25" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index d6a17c8a9b..bf235e7212 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,14 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-21:10.lldb" +date = "2021-04-06" + +[[notices]] +name = "FreeBSD-EN-21:09.pf" +date = "2021-04-06" + [[notices]] name = "FreeBSD-EN-21:08.freebsd-update" date = "2021-02-24" diff --git a/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc b/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc new file mode 100644 index 0000000000..16e3bb7d68 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:09.pf.asc 
@@ -0,0 +1,119 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:09.pf Errata Notice + The FreeBSD Project + +Topic: net.pf.request_maxcount not settable from loader.conf(5) + +Category: core +Module: pf +Announced: 2021-04-06 +Affects: FreeBSD 12.2 +Corrected: 2020-12-15 08:29:45 UTC (stable/12, 12.2-STABLE) + 2021-04-06 19:21:24 UTC (releng/12.2, 12.2-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +pf(4) is an Internet Protocol packet filter originally written for OpenBSD. + +II. Problem Description + +The net.pf.request_maxcount sysctl provides an upper bound on the amount of +memory used by pf(4) to store various types of state. Prior to FreeBSD 12.2 +this sysctl was read-only and could only be adjusted via loader.conf(5). In +FreeBSD 12.2, the sysctl was made writeable, but lost the ability to be +adjusted from loader.conf(5). + +III. Impact + +pf(4) may fail to load filtering rules if they cause the default +request_maxcount bound to be exceeded. Users that relied on loader.conf to +increase the request_maxcount value could see their rules fail to load. + +IV. Workaround + +The value of request_maxcount may be set via sysctl.conf(5). + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-21:09/pf.patch +# fetch https://security.FreeBSD.org/patches/EN-21:09/pf.patch.asc +# gpg --verify pf.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r368656 +releng/12.2/ r369554 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:09.pf.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmBswB8ACgkQ05eS9J6n +5cLYFw//fkTpjSXiflCHENinkk3u72W8Pxw4vvhDl9DBSHUdYi+fzB6t70xxUcnH +wsjJcyMe1nqU7BVYFYo+aIkDL2yeW+PlJVrVfLcuWn8OwX7R0WbCM13EF75WZmlM +Ty6YWPZkqYAWc0lbBYWiEtW+f6m5FTgdlvsXnTBENiz3iX2ddNkFK+qcEY9sasiJ +HjsIoM1bs41YAgiOByyuh1xqMr+ieB4QQQ3QAbBmkqqPqBu1Nk0Xcpmos0sBf6Sn +dSPDBMcKfJ4VelSGBnn98bXjjyLeiwbfBhNceCbI8eIgulTWboMJHg9XoUWMwWhJ +314OOq0D0CssWj9136dKLxQc+gWyu5xfszenfbA1k9rrFY5uKOBVUMgK8b9meWfH +WX1CscDTYe4wCp/YpT/oU31PJfm0foFNWnOel7hDrlNwe0t+ElVX56xyy19BLQ/9 +tgZ1CIZv6IihMxxBDnayU/SUVB5bJxfwHXZb845xjKB+owNYaw5pwHhEgLYWklAL +A6a6Lja5dzVn1KsrHfUb11KEzWvUvtqp0y6vaZv6UTSLI9FfaSL/xA6uy3Ft/r/E +OvD0qL/ShKmA/jvLG6vxJe0XQjU9JMI/FViPrs4YLCpFymRXthokoXoD1FyK6Hgn +aMBdWTVEGHuQFG37OZIxr7AvefR0d3MXPbReXVKnn367VdbZ1lw= +=7QHR +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc b/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc new file mode 100644 index 0000000000..ac25f41455 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-21:10.lldb.asc 
@@ -0,0 +1,119 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-21:10.lldb Errata Notice + The FreeBSD Project + +Topic: lldb abort on print command + +Category: contrib +Module: lldb +Announced: 2021-04-06 +Affects: FreeBSD 12.2 +Corrected: 2020-10-31 18:42:03 UTC (stable/12, 12.2-STABLE) + 2021-04-06 19:21:27 UTC (releng/12.2, 12.2-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +lldb is the debugger from the LLVM project. Version 10.0.1 is included +in FreeBSD 12.2. + +II. Problem Description + +Attempts to use lldb's `print` command (`p` alias) resulted in lldb +aborting. + +III. Impact + +Some common debugger functionality cannot be used. + +IV. Workaround + +No general workaround is available. Information provided by certain print +expressions may be available by using other commands, such as +`frame variable` (`fr v` alias). + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +# fetch https://security.FreeBSD.org/patches/EN-21:10/lldb.patch +# fetch https://security.FreeBSD.org/patches/EN-21:10/lldb.patch.asc +# gpg --verify lldb.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r367228 +releng/12.2/ r369555 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248745> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:10.lldb.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmBswDUACgkQ05eS9J6n +5cL7iRAAnlsryVy3aJFQIMghO7+rOwwpFnxlDponVvzIkeNH2x3c62V81eAhUIvj +q6TvEp2dNQdaTDoN6ytPoL+ek4sBh8WdVt0R8sWnUbEDf1BhvGQ3P9eT4q8Thx+Z +wB3L40pLQZFapINmpEIp7xwcWJv8xiKxmY2PDOcNkju5GWD4OatoMuCx5iMNwQ+g +7aYUL1gUhvcudSMghJ+jH6Pre2Yq+y+ziAhmGB0QOREOEoguXvJwgdO+clZHdFl2 +E1Yudhfr0v6afQFL9RzX+Ck6ft9KBPd9rzZwc2bTHfi08zmAy63FN3Bxvx/8O/EJ +9NXRJHv0zuVSOZePKJ6qv1ap5f7RLzLN7ztaUQMCxkqCoRsdV3UYsUCkE8NH/ZOT +NZ7zZCmL7zHpn17QX7tBqqYeAHtFJLAlXaBiSIxYOaKM87GMMmvpb+06f9frwtuu +lOxzY0l7H+iWsSakdsoUrtL+wNvOM3wFafHtDSXDyHbSUKWiWa3yubzl8szIgCrX +GhW84r3MdaVSm3EQQS2qQux+9HTLcx5Lh0+BVmeA36VBwNeG+wc8t5eZYc4xSlJh +jIv2CRPm97e5796O5gGtjqyiidSL2lfw9tHE3H/1gqn/2DLNFbM+DcwgI20Wfz4u +hdhN//GsIDiOA9BwClgIW6Vbs/V5B9uN8E/RH4lFggmJAkkPWGU= +=boNk +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc b/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc new file mode 100644 index 0000000000..d9513f4eee --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-21:08.vm.asc 
@@ -0,0 +1,166 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-21:08.vm Security Advisory + The FreeBSD Project + +Topic: Memory disclosure by stale virtual memory mapping + +Category: core +Module: vm +Announced: 2021-04-06 +Credits: Ryan Libby, Dell Inc. +Affects: All supported versions of FreeBSD. +Corrected: 2021-04-06 18:50:46 UTC (stable/13, 13.0-STABLE) + 2021-04-06 19:18:49 UTC (releng/13.0, 13.0-RC5-p1) + 2021-04-06 19:20:46 UTC (stable/12, 12.2-STABLE) + 2021-04-06 19:21:30 UTC (releng/12.2, 12.2-RELEASE-p6) + 2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE) + 2021-04-06 19:22:56 UTC (releng/11.4, 11.4-RELEASE-p9) +CVE Name: CVE-2021-29626 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +Memory mappings shared between processes are a feature of the FreeBSD +virtual memory system. They may be established by unprivileged +processes with the mmap(2), fork(2), and other system calls. + +II. Problem Description + +A particular case of memory sharing is mishandled in the virtual memory +system. It is possible and legal to establish a relationship where +multiple descendant processes share a mapping which shadows memory of an +ancestor process. In this scenario, when one process modifies memory +through such a mapping, the copy-on-write logic fails to invalidate +other mappings of the source page. These stale mappings may remain even +after the mapped pages have been reused for another purpose. + +III. Impact + +An unprivileged local user process can maintain a mapping of a page +after it is freed, allowing that process to read private data belonging +to other processes or the kernel. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.0] +# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch +# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.13.patch.asc +# gpg --verify vm_fault.13.patch.asc + +[FreeBSD 12.2] +# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch +# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.12.patch.asc +# gpg --verify vm_fault.12.patch.asc + +[FreeBSD 11.4] +# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch +# fetch https://security.FreeBSD.org/patches/SA-21:08/vm_fault.11.patch.asc +# gpg --verify vm_fault.11.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 2e08308d62f3 stable/13-n245117 +releng/13.0/ 724bc23da1a9 releng/13.0-n244728 +stable/12/ r369551 +releng/12.2/ r369556 +stable/11/ r369559 +releng/11.4/ r369561 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing HHHHHH with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29626> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:08.vm.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmBsveMACgkQ05eS9J6n +5cJ0Xw/+JFP6UKPMxcYwmAmIoDS5YAsUzuDVQNooZzOQiltyVqPrHD3Dh/32+Tm3 +W6yeITNcnUbVhFBPli3x0pHldCCcj1JQNtzUYcS/DKNvD2LxjB4bhiiE0YHImaP9 +JWOMoc5rNYpOl4iKK5DZkQAxZsHu1zFSVt+0O/aL70bDCYupsslWBbRRkxgkeShW +wGFhSMhlJ1QnnygzsICbyK5GP4XYqfAWZ5dviznNcZLrOifCLG6HNxixfOG/vf33 +yZzwA7RSNpOyULC1AYmUqiEZWgABL63hOIiraD0sASteBhMY/DCjq/QLZKsaONsp +FYemSTnW1hs1MVfTm4ecwgZJEJf8bV7cQXrxA3bLJmRoN9CcTGHDQCjFKHvMVXSe +qU/n+CICO6Ly8nTmL0xYjpJLEQaQfC/98hXk2otpgIia8r5Gn1MOwooTdN+KWlfA +LHzuP0Wf5NIjo1QkbbBRUSfCjV+dbGzRxgCYTGj1dN+XbR0uxeVtWeKXU3WaDIYI +6sT3L41yUBvEce7h/449RunNjRb5nuWczh3YTIzqDA3dEStLPKxlzL790M8TId6e +XE+YclkxSTNMuxvCEw/vDJB4bZ2eOQ6noSzfrUqxjGnbtcuYP/RJGc3XrVZpiXbY +u+OuE4Owve9e/sNCRqZeEQ2CHnntCdji0sk/CAlbkHcdHYPbunI= +=rC4V +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc b/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc new file mode 100644 index 0000000000..0e58b59b15 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-21:09.accept_filter.asc 
@@ -0,0 +1,168 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-21:09.accept_filter Security Advisory + The FreeBSD Project + +Topic: double free in accept_filter(9) socket configuration interface + +Category: core +Module: accept_filter +Announced: 2021-04-06 +Credits: Alexey Kulaev +Affects: FreeBSD 12.2 and later. +Corrected: 2021-03-28 00:24:15 UTC (stable/13, 13.0-STABLE) + 2021-03-28 15:03:37 UTC (releng/13.0, 13.0-RC4) + 2021-03-28 00:26:49 UTC (stable/12, 12.2-STABLE) + 2021-04-06 19:21:21 UTC (releng/12.2, 12.2-RELEASE-p6) +CVE Name: CVE-2021-29627 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD features an accept_filter(9) mechanism which allows an +application to request that the kernel pre-process incoming connections. +For example, the accf_http(9) accept filter prevents accept(2) from +returning until a full HTTP request has been buffered. + +No accept filters are enabled by default. A system administrator must +either compile the FreeBSD kernel with a particular accept filter option +(such as ACCEPT_FILTER_HTTP) or load the filter using kldload(8) in +order to utilize accept filters. + +II. Problem Description + +An unprivileged process can configure an accept filter on a listening +socket. This is done using the setsockopt(2) system call. The process +supplies the name of the accept filter which is to be attached to the +socket, as well as a string containing filter-specific information. + +If the filter implements the accf_create callback, the socket option +handler attempts to preserve the process-supplied argument string. A +bug in the socket option handler caused this string to be freed +prematurely, leaving a dangling pointer. 
Additional operations on the +socket can turn this into a double free or a use-after-free. + +III. Impact + +The bug may be exploited to trigger local privilege escalation or kernel +memory disclosure. + +IV. Workaround + +Systems not using accept filters, or using only the accept filters +included with the FreeBSD base system (accf_data(9), accf_dns(9), and +accf_http(9)) are unaffected. Note that no accept filters are loaded +in the kernel by default. + +Systems using a third-party accept filter module are affected if the +module defines an accf_create callback. In this case, the only +workaround is to ensure that the module is not loaded into the kernel. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch +# fetch https://security.FreeBSD.org/patches/SA-21:09/accept_filter.patch.asc +# gpg --verify accept_filter.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. 
Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ c7d10e7ec872 stable/13-n245050 +releng/13.0/ af6611e5adc6 releng/13.0-n244711 +stable/12/ r369525 +releng/12.2/ r369553 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing HHHHHH with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<other info on vulnerability> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29627> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:09.accept_filter.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmBsveMACgkQ05eS9J6n +5cIfkA//bD0wm/rhdTUkyCeKhDCocFC/elfC+g7FsiG/eNJFh0mAiuTrC9Ja9+TN +QU4xjZPx0kN6PxAgEzCqH2NgSL+MwW60ApxlH/kVhcFU/tOrUxmuFg8u9bk6/gU3 +xRcpHzT5M4iFzrdyimbc9UvKHZet1Hh7CkIQwQZWvdrJYL3p+lODe3DpS9OUXcaJ +S6eHGzMlTKQsV5m3vGEefRP1ByDNOT4w3q+w6s0K381ck8Y+k1SLQLLDZJuNR752 +ixZdUg/oE82PIosoH8SXP8bHklRcHFsa6DmTLYGxxpKh9l++CyiytiQThUIlClfY +2KOKh1Y4ND5FU001g98OdikgfRJhf9mQIk4ytNyBjey3c/aBFtcJHzydrV5uPg4u +SPvk59SEiRVZswQkR+kpXD8Maa7jkRTe6qbBhQ5+CiXEO/FWF108OVULn0saDycp +NtGNa6Htichm+RWPeHnbCo5OwSW0wDHKUB2yP/EcCOkJtBPOBpL8r3iJSnk5ZsrH +mTQeQzSrbzeD/pMOiEor6AIKjJoII2rWIT6v2RaofY5vb30kQl56/m7nrN1bm6n1 +aatAsvJvFIaE6LVKkCpIkKaHEEmgOpf5/p4n2xia8i6xUc1BN14nq0xEaqGskesS +bAe1TJZJnc6hHvdJVhuLxdT1CSStG56BrkJd2RtCAenwatJaRzQ= +=UfpF +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc b/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc new file mode 100644 index 0000000000..dd5b048a37 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-21:10.jail_mount.asc 
@@ -0,0 +1,170 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-21:10.jail_mount Security Advisory + The FreeBSD Project + +Topic: jail escape possible by mounting over jail root + +Category: core +Module: jail +Announced: 2021-04-06 +Credits: Mateusz Guzik +Affects: All supported versions of FreeBSD. +Corrected: 2021-04-06 18:50:48 UTC (stable/13, 13.0-STABLE) + 2021-04-06 19:18:59 UTC (releng/13.0, 13.0-RC5-p1) + 2021-04-06 19:20:50 UTC (stable/12, 12.2-STABLE) + 2021-04-06 19:21:33 UTC (releng/12.2, 12.2-RELEASE-p6) + 2021-04-06 19:22:31 UTC (stable/11, 11.4-STABLE) + 2021-04-06 19:22:59 UTC (releng/11.4, 11.4-RELEASE-p9) +CVE Name: CVE-2020-25584 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The jail(2) system call allows a system administrator to lock a process +and all of its descendants inside an environment with a very limited +ability to affect the system outside that environment, even for +processes with superuser privileges. It is an extension of, but +far more powerful than, the traditional UNIX chroot(2) system call. + +II. Problem Description + +Due to a race condition between lookup of ".." and remounting a filesystem, +a process running inside a jail might access filesystem hierarchy outside +of jail. + +III. Impact + +A process with superuser privileges running inside a jail configured +with the allow.mount permission (not enabled by default) could change the root +directory outside of the jail, and thus gain full read and write access +to all files and directories in the system. + +IV. Workaround + +As a workaround, disable allow.mount permission for all jails with untrusted +root users; see jail(1) and jail.conf(5) manual pages for details. 
+ +Note that this permission is not enabled by default. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 13.0] +# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch +# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.13.patch.asc +# gpg --verify jail_mount.13.patch.asc + +[FreeBSD 12.2] +# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch +# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.12.patch.asc +# gpg --verify jail_mount.12.patch.asc + +[FreeBSD 11.4] +# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch +# fetch https://security.FreeBSD.org/patches/SA-21:10/jail_mount.11.patch.asc +# gpg --verify jail_mount.11.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 3ae17faa3704 stable/13-n245118 +releng/13.0/ 4710439ec594 releng/13.0-n244729 +stable/12/ r369552 +releng/12.2/ r369557 +stable/11/ r369560 +releng/11.4/ r369562 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing HHHHHH with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=HHHHHH> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<other info on vulnerability> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25584> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:10.jail_mount.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmBsveQACgkQ05eS9J6n +5cIujRAAoTOIB1bMhDN3w382izu+g4L4HATqhOyKlf3Ezwlnmckt4s+ERar7EWND +4MayXSogCYwYwb6gsfBsqEdAJwhID1zkBDmC9LaYKehOLMMdPOCbpemJ3xT0540m +S4MJ+vPBT2NZ8NsUGNNpIF/mZTgwDai4WSBCr/0OIyNDd+nzStOv0d8h3aNGNweW +p/pvETnf/FtR9kACZ2HuiHtOx2IvQv8+n4gjefl440fz8czb3nftdGHRXLc0Kkcy +T/l3Y0SgBvXmlhtmhGZmF787Bw/5No+fbKZ4AuTMms42OWz8y02ZjFCvwXEu7/tC +f9eeFUzpR+rjNr0MMFEm1GBPNgbdF4v/IhnUA4gWrhjp1sh+4SjHoFhS1tfdY6gf +W76eyT0B8oDOLK4Jo76iTjvN1sZ0wctOaq7yk+7rGbhSUFUohQmtsMbvGOfHIVxl +DlJ9faccWJLOjbeUAVhVMbowT3/QKqnbuRpkq6U7YIcs9P4cg8RUrokCOiGd5pBz +PD5zpNcRCe69c+d39XDGDiBjPm4mQK1VEOr90gcAlE5yioxUW6qlHkFrp/Mje6dX +25Sb1q1zwjn3rM1moIeRXmx+ioLAT9ZWpYs5IvKsuRw4VmppIjA6TWm8ECbjKQKG +yPuUgUyxoIoEJgQNmJaM2Rk/fKijyVjEG22jlDNwCxASE4vJ7Xw= +=g2On +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-21:09/pf.patch b/website/static/security/patches/EN-21:09/pf.patch new file mode 100644 index 0000000000..7407c4494a --- /dev/null +++ b/website/static/security/patches/EN-21:09/pf.patch 
@@ -0,0 +1,22 @@ + MFC r368588: + + pf: Allow net.pf.request_maxcount to be set from loader.conf + + Mark request_maxcount as RWTUN so we can set it both at runtime and from + loader.conf. This avoids users getting caught out by the change from tunable to + run time configuration. + + Suggested by: Franco Fichtner + + (cherry picked from commit 08d13750ebdae45bcdb73d52665b823e9ba93db1) +--- sys/netpfil/pf/pf.c.orig ++++ sys/netpfil/pf/pf.c +@@ -382,7 +382,7 @@ + &pf_hashsize, 0, "Size of pf(4) states hashtable"); + SYSCTL_ULONG(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN, + &pf_srchashsize, 0, "Size of pf(4) source nodes hashtable"); +-SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RW, ++SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RWTUN, + &pf_ioctl_maxcount, 0, "Maximum number of tables, addresses, ... in a single ioctl() call"); + + VNET_DEFINE(void *, pf_swi_cookie); diff --git a/website/static/security/patches/EN-21:09/pf.patch.asc b/website/static/security/patches/EN-21:09/pf.patch.asc new file mode 100644 index 0000000000..1b708cc8a3 --- /dev/null +++ b/website/static/security/patches/EN-21:09/pf.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmBswCIACgkQ05eS9J6n +5cL9LA/+JMfWVH4WcjeN+0mci/eV/7arH0CQWNHgBL5h6Jqgqbj+1rzIZoMxuzGM +bgrikYYRsjvGcikGOuToWx2sxxCPuCIGN2PQV3Z+rmQYUp+lHx33SZiJ/gwMLv43 +7aY3VB8Zpqar/MJbWHlJM9tRcrwEZIDaJZqUqsku57RWvAj5uPd7TMW3Ount0Dza +wbDy+qgO9MJZsP9IE2ePi0M7bHtqOkLhK4KcXoYmzNkZ5n3W+edUH6AKoLBddoCA +N6FC69MGJWAWY59bMGRLfexMB8LCal22orRe+zABWVelNM3Y36ymABaA1i/H4lYc +XbB9lwkkzttXyO10UBOq2jNMjZ0VG5MA59TjfyMtszaEFHsp3PEH7gEO1nmCO+hi +fiol4UGpcHUyufIwBQE3f8fj8iFWNDu7vHGMCmNoNjUP98TskhEQ6ZzW+fIrgIRh +oq8cFcGE5uHXACvlWpQ+PZrqGC/D/4t9OK0mOCYkekDJvG93ejFxz8Bck0zk2Tc4 +ICoduClnotLtTCP2wtkszXmrH0JYGvSrN0sxSMtEPY+6wnuEtrJnN6e3MKA/f2GP +KsAO7poiz9QEieimD5+Tw4WfCGuOTliRZNvrWO7B6GUF9cRP1Ttr2AIx7vdjhdVt +uUOd2R7FgFmVsCzLIhmyFh4aTZgwf3bXr91tHa5iD4wtw0h9Z/I= +=ESG4 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-21:10/lldb.patch b/website/static/security/patches/EN-21:10/lldb.patch new file mode 100644 index 0000000000..38f58bfa57 --- /dev/null +++ b/website/static/security/patches/EN-21:10/lldb.patch 
@@ -0,0 +1,54 @@ +--- contrib/llvm-project/lldb/source/Target/Target.cpp.orig ++++ contrib/llvm-project/lldb/source/Target/Target.cpp +@@ -2412,21 +2412,13 @@ + + llvm::Expected<lldb_private::Address> Target::GetEntryPointAddress() { + Module *exe_module = GetExecutableModulePointer(); +- llvm::Error error = llvm::Error::success(); +- assert(!error); // Check the success value when assertions are enabled. + +- if (!exe_module || !exe_module->GetObjectFile()) { +- error = llvm::make_error<llvm::StringError>("No primary executable found", +- llvm::inconvertibleErrorCode()); +- } else { ++ // Try to find the entry point address in the primary executable. ++ const bool has_primary_executable = exe_module && exe_module->GetObjectFile(); ++ if (has_primary_executable) { + Address entry_addr = exe_module->GetObjectFile()->GetEntryPointAddress(); + if (entry_addr.IsValid()) + return entry_addr; +- +- error = llvm::make_error<llvm::StringError>( +- "Could not find entry point address for executable module \"" + +- exe_module->GetFileSpec().GetFilename().GetStringRef() + "\"", +- llvm::inconvertibleErrorCode()); + } + + const ModuleList &modules = GetImages(); +@@ -2437,14 +2429,21 @@ + continue; + + Address entry_addr = module_sp->GetObjectFile()->GetEntryPointAddress(); +- if (entry_addr.IsValid()) { +- // Discard the error. +- llvm::consumeError(std::move(error)); ++ if (entry_addr.IsValid()) + return entry_addr; +- } + } + +- return std::move(error); ++ // We haven't found the entry point address. Return an appropriate error. 
++ if (!has_primary_executable) ++ return llvm::make_error<llvm::StringError>( ++ "No primary executable found and could not find entry point address in " ++ "any executable module", ++ llvm::inconvertibleErrorCode()); ++ ++ return llvm::make_error<llvm::StringError>( ++ "Could not find entry point address for primary executable module \"" + ++ exe_module->GetFileSpec().GetFilename().GetStringRef() + "\"", ++ llvm::inconvertibleErrorCode()); + } + + lldb::addr_t Target::GetCallableLoadAddress(lldb::addr_t load_addr, diff --git a/website/static/security/patches/EN-21:10/lldb.patch.asc b/website/static/security/patches/EN-21:10/lldb.patch.asc new file mode 100644 index 0000000000..533380c6d0 --- /dev/null +++ b/website/static/security/patches/EN-21:10/lldb.patch.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmBswDUACgkQ05eS9J6n +5cKwUw/+LG+VaMCCQu9W9y0YfVoxcvGzSeBO9ZmdL1jrP+REZqHsVEIi4T+vV4JK +EEBf/Cnp45/86AP9oT6Txt/A+/dGNa91Dq3eB/SfdChGjQg3K5egCThmmQwZfQPI +VcPyhFSQXUCHfk0ozxQBiNCBZgIg49Nsj/jY3JQUmxF9olTKL2nKVvpOguujkdOC +FkkSffnQeJw2MUml4Bpn71BOf6XBLxDG5WimzVv5hRi/dwMqn/LU4VIg97LPIa+9 +mZotQDLszKLwyo2HA1iI5/Atg3XnB0PHDHfEAuHp/dReF6OzrG1ZvvLdbZM5WFnY +HXol3Nd7oafdjI29v6prAlHMTooJOzKJZ2X6Rg9SwPkKVcA0SJFNo5x/0HMMPgnr +Ybo4rvB7zdLn/SRtGXk0cWy41ahIcDNt/CbaztXm9a/QIHhb18jF2kdOSCvEXDlU +rMmZMLQ/Rfm2jA/WByK/5wR9E0YO23yMIdI5OW12I48x8IRKKcjdihkk6ilo2F3u ++1c+CvA2c0Lsua+BAMASxoDVvFel0jR9IONku/Bk+mAIWGa2XFCDiH3ssBM8h774 +Qu4IEbpw+EtbF5fMPBDLeycXrGM/P0IO9fd6tyUQFwlN64OPWwSw72nYn3bDD5hJ +XwzAbUf0aU7MiX8DvqdNB0lBhwicWvWHF6t5N4jRtWM3fadf2NM= +=XWab +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-21:08/vm_fault.11.patch b/website/static/security/patches/SA-21:08/vm_fault.11.patch *** 391 LINES SKIPPED ***
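Review bot: In FreeBSD-SA-21:10.jail_mount.asc, the References section still carries the template placeholder "<other info on vulnerability>" above the CVE-2020-25584 link. The placeholder precedes the signature block in the same file, so it appears to be part of the signed text, and correcting it means issuing a re-signed revision. Either replace it with a real reference or drop the line when the advisory is next revised.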
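Review bot: In EN-21:09/pf.patch, the changed line in the @@ -382,7 +382,7 @@ hunk leaves request_maxcount as a plain SYSCTL_ULONG with no handler, so nothing visible here bounds the value now that CTLFLAG_RWTUN also accepts it from loader.conf. The description says this variable caps the "Maximum number of tables, addresses, ... in a single ioctl() call", so a very large boot-time setting effectively removes that cap, and a mistyped one persists across reboots. Consider a SYSCTL_PROC handler that rejects out-of-range values, or at least state the accepted range and the loader.conf name net.pf.request_maxcount in the description string and the manual page.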
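Review bot: EN-21:10/lldb.patch starts directly at the file header for Target.cpp with no description or upstream commit reference, unlike pf.patch in this same commit, which records its MFC revision and cherry-pick hash. Adding the originating commit id at the top would let a reader applying the patch by hand trace it. A smaller point in the second hunk: when has_primary_executable is true, the final error names only the primary executable module, although the loop over GetImages() has by then also failed for every other module. The message in the !has_primary_executable branch does mention that wider search, so the two could be made consistent.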