From nobody Fri May 1 08:26:38 2026 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g6PK26h1Wz6c95M for ; Fri, 01 May 2026 08:26:46 +0000 (UTC) (envelope-from oliver.pntr@gmail.com) Received: from mail-yx1-xb133.google.com (mail-yx1-xb133.google.com [IPv6:2607:f8b0:4864:20::b133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g6PK13SK4z3lLs for ; Fri, 01 May 2026 08:26:45 +0000 (UTC) (envelope-from oliver.pntr@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20251104 header.b=DxpCsb7s; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of oliver.pntr@gmail.com designates 2607:f8b0:4864:20::b133 as permitted sender) smtp.mailfrom=oliver.pntr@gmail.com; arc=pass ("google.com:s=arc-20240605:i=1") Received: by mail-yx1-xb133.google.com with SMTP id 956f58d0204a3-6579254f996so985504d50.1 for ; Fri, 01 May 2026 01:26:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1777624000; cv=none; d=google.com; s=arc-20240605; b=bbEysgBjVDLlHYQVfAnK1IsN/XgiPEWx/6rVuSuhuSEkAmIufWMsSM0SZ9MpNvYkwx 7Uy+T0T4APAwm9GayWbqUIsi8zAmjEgXL1zNUOoIac7zsInvOWBm1tK2HZsSNiEX8JUx rykrU9zwsjhPQSlsrcyhnm7cYL2mpldzMiYcqrH8xknvDkUwQo13fxq1+Tpl9UKb8NF0 SZUhPQQe7gI9N/uILs+IlGdTNtXL5PtOSFT0FWsNhjVES5E2Vu9yVC97zOHHv8hoMoxk uIBW6yOp9kzNlIbYz5l5rCAlrNXJN8w7BCgwXzEk2Az4I93JKaAY6yndqz1GT1IUYAx6 +HWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:dkim-signature; bh=VAEC5jHL0PKVmgOBq/yrnVLdmzJVlvN4O5tYWRJ2myg=; fh=zQ6kzMu/Us3suyZNg5V4/C0XPJGylodfnc4iYCLRoUw=; b=MEhFp7pIYvlNhMTyuRNom6pUk1cIBzitrtpQyDXFzbUDT14f88OxttV2GrOkaXpQ+Q BMm9xHgeoiwdRpSn5kQ+3JhtQ4M6Fh62exQumxYIpE15GJRxpNW23gciyt4R73mU13qi K03vdy4W5N+BpYm78O3VibwsrvHnhCVDa6dJvLm/2gLnxcpLJnarySHi5zhW9u2Sa/Fm 8BjpQnmoJwxcSc/IhAeeGrP2LtEz3QE4bL80Sj+1fLHw1BK25IE9J7Yf7B+IFbdvXQKo KTKoxVQRXEYxtw74kAbwhffIszlP3M1HGf17UYYoorE8+jBSLwNVo26x/oxmFJFJkWSQ wiDQ==; darn=freebsd.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777624000; x=1778228800; darn=freebsd.org; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VAEC5jHL0PKVmgOBq/yrnVLdmzJVlvN4O5tYWRJ2myg=; b=DxpCsb7s+nnFxaLTrKCkdxjZMDs3r5c3E+CfPqMvCRwpo0hFFLOv0XpZd6JyjxTpFl JV0tGQMbKKTYw0INSnjNI4rFPg8h6T2elme1BqFmDQfH2om/NEzXeyPyMi+TD2qS7mO9 Asq+BymsNqO3Of6QAaCiyhfZsFJNsA5lAd7IPi86PNwKJMaCRvZS4Ht1ihi8nO6kWbcr 4f08Q+MDMP1xgqhQW+yONrkHOKCu0ryNsofOXtKqIBhNzcEOYgOxW6uypxYGdjKyjKrv 8MpSSaxPGHwQF8Jv3WFAVUeirWWXAmJckLHLoZBPLC6hDqjOEBaA3KcNxm6QuCDriwIj k/+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777624000; x=1778228800; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=VAEC5jHL0PKVmgOBq/yrnVLdmzJVlvN4O5tYWRJ2myg=; b=ZmAIb+2XfbLXaw+zax13pihoq5cTIoB6ReJ7BGkYBRv8loB2J/1nZH+sPzfc6mZgIF 8kTMJSBjI+YtwCnpLJJC5kL2UNkJ6X3MfmO/9C48oTO3ZekA+Lb7X85dzAkWYafF+g5+ XLsoCSYICTrpbtvEwprAkbM0gbUc05eFgu1vuL2qrMlyYUq33eT3SqB/RBIEsOIfkKn2 6rwEIigY+OuIJhT33eU0DiqHvJk0UEvYsrybCZUV+qmzJxKfySMdpGH1C+0uQD4c3HX6 BXnfbfovAEqX6hl2dFJOH0YYiIB0jfgfW5TjqC8F9aZxk1l5QTmaj5go/KJcM+yHOd1A uwSg== X-Forwarded-Encrypted: i=1; AFNElJ9BAUacCXIsLdYjpERAP4LpknFOlamyIAD1CCVaxwMLRAeygGAzDSoigv8AaVGGQi0pyX5yXVIz+sLhA6biM1gLsjGyCA==@freebsd.org X-Gm-Message-State: AOJu0YxSUbEal9/cZyB/15/2dRdL/hT0FQpGnGUbhv32V6gBfEMrorLi NN2t7/BCemhmdTEBslYoRmMwH64sHKBp55/UtNo42EVuxejJDy/PPNWU7ly65w0uz3XCFaTVX4r cACQt9phLcnPEq4R7b5ZdCAZfpnFL7gU= X-Gm-Gg: AeBDieti1q2Tn6IOQtW/3Q4YBiK7xKQL5afX8FPwIR/JW//0vqgH0tFjmOjAo2YGQOk dEL+fCoFYjH4Po4KRjOUcJx1uqgW1FsJgbeCjhONAodFp0L+7ZJqAeP1QkueF/IEi6RBjchyQLr Wik7P6NJNlov17FnqwnTLPlxFaAslTYgjdji8qx7ZFxD98HT0Ni6KL/DU/TDg14WuwT3ZyVk8LH Fisdm4KQS/9XQNxFUK9/x/Oy6XogYLVgu1PAYszd23pfBomSfpWeQP97tmcqx3zH/TpBXLJK673 luFIrSTikOFZaK6OiAwoq8Yl9AA67qmXsNYm14eauZzDVjKOq2BgYFY6nid7ww== X-Received: by 2002:a05:690e:1387:b0:65c:2a49:880f with SMTP id 956f58d0204a3-65c2a499a65mr3499030d50.30.1777623999788; Fri, 01 May 2026 01:26:39 -0700 (PDT) List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Received: by 2002:a05:7011:628d:20b0:518:6106:eec6 with HTTP; Fri, 1 May 2026 01:26:38 -0700 (PDT) In-Reply-To: <4E7ABEB8-1EE6-4CDF-9F58-BD2C0E0BF8C7@tetlows.org> References: <69f219fa.3c9fa.1698d8e9@gitrepo.freebsd.org> <4E7ABEB8-1EE6-4CDF-9F58-BD2C0E0BF8C7@tetlows.org> From: Oliver Pinter Date: Fri, 1 May 2026 09:26:38 +0100 X-Gm-Features: AVHnY4IIZ4gmTc9XvY9PQl_EqKXDSdifQuywwTxw9Nak8DrjkfA3uStdfxGs0H8 Message-ID: Subject: Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID] To: Gordon Tetlow Cc: Mark Johnston , "src-committers@freebsd.org" , "dev-commits-src-all@freebsd.org" , "dev-commits-src-main@freebsd.org" Content-Type: multipart/alternative; boundary="0000000000000d3be90650bd5702" X-Spamd-Result: default: False [-4.83 / 15.00]; ARC_ALLOW(-1.00)[google.com:s=arc-20240605:i=1]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.83)[-0.828]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20251104]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4864::/56:c]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; RCVD_TLS_LAST(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::b133:from]; TAGGED_FROM(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; TO_DN_SOME(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; MISSING_XM_UA(0.00)[]; RCPT_COUNT_FIVE(0.00)[5]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; PREVIOUSLY_DELIVERED(0.00)[dev-commits-src-main@freebsd.org]; MLMMJ_DEST(0.00)[dev-commits-src-main@freebsd.org]; MID_RHS_MATCH_FROMTLD(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim] X-Spamd-Bar: ---- X-Rspamd-Queue-Id: 4g6PK13SK4z3lLs --0000000000000d3be90650bd5702 Content-Type: text/plain; charset="UTF-8" On Thursday, April 30, 2026, Gordon Tetlow wrote: > This commit as well as the corresponding stable and releng branch commits > were incorrectly tagged CVE-2026-42511 and should be CVE-2026-42512. > Apologies for the mix up there. > > Best regards, > Gordon > Hat: security-officer > Hi! I've seen a new trend regarding the commit messages. If someone described the commit wrong, then the commit gets reverted and the exactly same commit message reapplied with the fixed commit message. The question is that do FreeBSD wants the correct CVE id in the history or not? If wants, then one possible way would be the revert + reapply or the other possible would be to create an empty commit with git which references the original commit and adds the correct CVE id to the empty commits description. > On 29 Apr 2026, at 7:47, Mark Johnston wrote: > > The branch main has been updated by markj: > > URL: https://cgit.FreeBSD.org/src/commit/?id= > 5d8e32aad2a8316b0aab8a93a677a63e4c3df422 > > commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422 > Author: Mark Johnston markj@FreeBSD.org > AuthorDate: 2026-04-27 20:56:21 +0000 > Commit: Mark Johnston markj@FreeBSD.org > CommitDate: 2026-04-29 14:39:27 +0000 > > dhclient: Fix reallocation of dhclient script environments > > When the number of DHCP options exceeds a threshold, script_set_env() > will reallocate the environment, stored as an array of pointers. The > calculation of the array size failed to multiply by the pointer size, > resulting in a smaller than expected buffer which admits out-of-bounds > writes. > > Approved by: so > Security: FreeBSD-SA-26:15.dhclient > Security: CVE-2026-42511 > Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) > > ------------------------------ > > sbin/dhclient/dhclient.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c > index 719e20cffad9..f671b0ab9bed 100644 > --- a/sbin/dhclient/dhclient.c > +++ b/sbin/dhclient/dhclient.c > @@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const > char *prefix, > char **newscriptEnv; > int newscriptEnvsize = client->scriptEnvsize + 50; > > - > > newscriptEnv = realloc(client->scriptEnv, > > - > > newscriptEnvsize); > > > > - > > newscriptEnv = reallocarray(client->scriptEnv, > > - > > newscriptEnvsize, sizeof(char *)); > if (newscriptEnv == NULL) { > free(client->scriptEnv); > client->scriptEnv = NULL; > > > --0000000000000d3be90650bd5702 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

On Thursday, April 30, 2026, Gordon Tetlow <gordon@tetlows.org> wrote:

This commit as well as the corresponding stable and releng = branch commits were incorrectly tagged CVE-2026-42511 and should be CVE-202= 6-42512. Apologies for the mix up there.

Best regards,
Gordon
Hat: security-officer

Hi!

I've seen a new trend regarding the commit messages. If someon= e described the commit wrong, then the commit gets reverted and the exactly= same commit message reapplied with the fixed commit message. The question = is that do FreeBSD wants the correct CVE id in the history or not? If wants= , then one possible way would be the revert + reapply or the other possible= would be to create an empty commit with git which references the original = commit and adds the correct CVE id to the empty commits description.
<= /div>

=C2=A0

On 29 Apr 2026, at 7:47, Mark Johnston wrote:

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=3D5d8e32aad2a8316= b0aab8a93a677a63e4c3df422

commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
Author: Mark Johnston markj@FreeBSD.org
AuthorDate: 2026-04-27 20:56:21 +0000
Commit: Mark Johnston markj@FreeBSD.org
CommitDate: 2026-04-29 14:39:27 +0000

dhclient: Fix reallocation of dhclient script environments

When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers.  The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.

Approved by:    so
Security:       FreeBSD-SA-26:15.dhclient
Security:       CVE-2026-42511
Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)

sbin/dhclient/dhclient.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhcli= ent.c
index 719e20cffad9..f671b0ab9bed 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const cha= r *prefix,
char **newscriptEnv;
int newscriptEnvsize =3D client->scriptEnvsize + 50;

  • 	newscriptEnv =3D realloc(client->scriptEnv,

  • 	    newscriptEnvsize);

  • 	newscriptEnv =3D reallocarray(client->scriptEnv,

  • 	    newscriptEnvsize, sizeof(char *));
	if (newscriptEnv =3D=3D NULL) {
		free(client->scriptEnv);
		client->scriptEnv =3D NULL;
--0000000000000d3be90650bd5702--