Date:      Wed, 10 Jun 2026 11:46:44 +0100
From:      Ian Stanley <iandstanley@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-26:28.capsicum
Message-ID:  <D4DF5472-0C02-4C58-948C-956BFC78074E@gmail.com>
In-Reply-To: <20260609231323.ACEA71FC52@freefall.freebsd.org>


Unsubscribe 

> On 10 Jun 2026, at 00:32, FreeBSD Security Advisories <security-advisories@freebsd.org> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> =============================================================================
> FreeBSD-SA-26:28.capsicum                                   Security Advisory
>                                                          The FreeBSD Project
> 
> Topic:          sigqueue(2) missing capability mode restriction
> 
> Category:       core
> Module:         capsicum
> Announced:      2026-06-09
> Credits:        Ed Maste
> Affects:        All supported versions of FreeBSD.
> Corrected:      2026-05-29 19:11:40 UTC (stable/15, 15.1-STABLE)
>                2026-06-09 19:20:09 UTC (releng/15.1, 15.1-RC3-p1)
>                2026-06-09 19:19:46 UTC (releng/15.0, 15.0-RELEASE-p10)
>                2026-05-29 19:12:58 UTC (stable/14, 14.4-STABLE)
>                2026-06-09 19:19:08 UTC (releng/14.4, 14.4-RELEASE-p6)
>                2026-06-09 19:18:38 UTC (releng/14.3, 14.3-RELEASE-p15)
> CVE Name:       CVE-2026-45259
> 
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
> 
> I.   Background
> 
> Capsicum is a lightweight OS capability and sandbox framework.  It provides
> two kernel primitives: capability mode, and capabilities.  Capability mode
> restricts the ability of a sandboxed process to interact with the global
> namespace, including the ability to send signals to other processes, other
> than via capability-based interfaces.
> 
> In capability mode, kill(2) restricts signal delivery to the calling process
> only, preventing a sandboxed process from signalling other processes.
> sigqueue(2) provides similar signal delivery functionality, and is similarly
> permitted in capability mode.
> 
> II.  Problem Description
> 
> sigqueue(2) was marked as permitted in capability mode with the introduction
> of Capsicum in 2011, but the implementation of kern_sigqueue did not include
> a capability mode check restricting signal delivery to the calling process's
> own PID.
> 
> III. Impact
> 
> A process in capability mode can use sigqueue(2) to send signals to any
> process it could signal following standard Unix permissions, bypassing the
> Capsicum sandbox restriction.  A compromised sandboxed process could
> interfere with other processes, for example by sending SIGKILL or SIGSTOP.
> This could be any process running as the same user, or any process, for a
> superuser sandboxed process.
> 
> IV.  Workaround
> 
> No workaround is available.
> 
> V.   Solution
> 
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date, and
> reboot.
> 
> Perform one of the following:
> 
> 1) To update your vulnerable system installed from base system packages:
> 
> Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
> platforms, which were installed using base system packages, can be updated
> via the pkg(8) utility:
> 
> # pkg upgrade -r FreeBSD-base
> # shutdown -r +10min "Rebooting for a security update"
> 
> 2) To update your vulnerable system installed from binary distribution sets:
> 
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
> which were not installed using base system packages can be updated via the
> freebsd-update(8) utility:
> 
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
> 
> 3) To update your vulnerable system via a source code patch:
> 
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> [FreeBSD 15.1]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch.asc
> # gpg --verify capsicum-15.1.patch.asc
> 
> [FreeBSD 15.0]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch.asc
> # gpg --verify capsicum-15.0.patch.asc
> 
> [FreeBSD 14.x]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch.asc
> # gpg --verify capsicum-14.patch.asc
> 
> b) Apply the patch.  Execute the following commands as root:
> 
> # cd /usr/src
> # patch < /path/to/patch
> 
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
> 
> VI.  Correction details
> 
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
> 
> Branch/path                             Hash                     Revision
> - -------------------------------------------------------------------------
> stable/15/                              defd9b86ef99    stable/15-n283744
> releng/15.1/                            871d33e8a66a  releng/15.1-n283553
> releng/15.0/                            77ee83d12625  releng/15.0-n281055
> stable/14/                              d11ff01b3aec    stable/14-n274231
> releng/14.4/                            eab757f954ed  releng/14.4-n273717
> releng/14.3/                            f56e8cb94df6  releng/14.3-n271517
> - -------------------------------------------------------------------------
> 
> Run the following command to see which files were modified by a
> particular commit:
> 
> # git show --stat <commit hash>
> 
> Or visit the following URL, replacing NNNNNN with the hash:
> 
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
> 
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
> 
> # git rev-list --count --first-parent HEAD
> 
> VII. References
> 
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-45259>
> 
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:28.capsicum.asc>
> 
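Added example (not part of the advisory or of this message): a check of the running kernel against the "Correction details" table quoted above, comparing the branch and nNNNNNN commit count against the corrected revision. It assumes `uname -v` carries a `<branch>-n<count>-<hash>` tag, as kernels built from the FreeBSD git tree do, and that the kernel has no local commits on top of the branch; the function names are made up for this example.

```shell
#!/bin/sh
# Classify a kernel ident string for FreeBSD-SA-26:28.capsicum.

# First corrected first-parent commit count per branch (advisory table).
fixed_count() {
    case "$1" in
        stable/15)   echo 283744 ;;
        releng/15.1) echo 283553 ;;
        releng/15.0) echo 281055 ;;
        stable/14)   echo 274231 ;;
        releng/14.4) echo 273717 ;;
        releng/14.3) echo 271517 ;;
        *)           return 1 ;;   # branch not listed in the advisory
    esac
}

# Prints "patched", "vulnerable" or "unknown" for the text of `uname -v`.
sa2628_status() {
    # Pull out "<branch> <count>", e.g. "releng/15.0 281055".
    tag=$(printf '%s\n' "$1" |
        sed -nE 's#.*((stable|releng)/[0-9.]+)-n([0-9]+).*#\1 \3#p')
    [ -n "$tag" ] || { echo unknown; return 0; }
    branch=${tag% *}
    count=${tag#* }
    min=$(fixed_count "$branch") || { echo unknown; return 0; }
    if [ "$count" -ge "$min" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Report on the kernel that is actually running; an updated but not yet
# rebooted system still shows the old count here.
sa2628_status "$(uname -v)"
```

"unknown" covers kernels whose ident has no branch tag or whose branch is not in the table; for those, fall back to the commit hash comparison the advisory describes.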

