Date: Wed, 8 Jul 2020 20:50:28 +0000 (UTC)
From: Gordon Tetlow <gordon@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54319 - in head/share: security/advisories security/patches/EN-20:13 security/patches/EN-20:14 security/patches/EN-20:15 security/patches/SA-20:18 security/patches/SA-20:19 security/pa...
Message-ID: <202007082050.068KoSi1049363@repo.freebsd.org>
Author: gordon (src committer)
Date: Wed Jul 8 20:50:27 2020
New Revision: 54319
URL: https://svnweb.freebsd.org/changeset/doc/54319

Log:
  Add EN-20:13 through EN-20:15, and SA-20:18 through SA-20:20.

  Approved by: so

Added:
  head/share/security/advisories/FreeBSD-EN-20:13.bhyve.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-20:14.linuxkpi.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-20:15.mps.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:18.posix_spawnp.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:19.unbound.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:20.ipv6.asc (contents, props changed)
  head/share/security/patches/EN-20:13/
  head/share/security/patches/EN-20:13/bhyve.patch (contents, props changed)
  head/share/security/patches/EN-20:13/bhyve.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:14/
  head/share/security/patches/EN-20:14/linuxkpi.patch (contents, props changed)
  head/share/security/patches/EN-20:14/linuxkpi.patch.asc (contents, props changed)
  head/share/security/patches/EN-20:15/
  head/share/security/patches/EN-20:15/mps.patch (contents, props changed)
  head/share/security/patches/EN-20:15/mps.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:18/
  head/share/security/patches/SA-20:18/posix_spawnp.patch (contents, props changed)
  head/share/security/patches/SA-20:18/posix_spawnp.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:19/
  head/share/security/patches/SA-20:19/unbound.11.3.patch (contents, props changed)
  head/share/security/patches/SA-20:19/unbound.11.3.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:19/unbound.11.4.patch (contents, props changed)
  head/share/security/patches/SA-20:19/unbound.11.4.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:19/unbound.12.1.patch (contents, props changed)
  head/share/security/patches/SA-20:19/unbound.12.1.patch.asc (contents, props changed)
  head/share/security/patches/SA-20:20/
  head/share/security/patches/SA-20:20/ipv6.patch (contents, props changed)
  head/share/security/patches/SA-20:20/ipv6.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-20:13.bhyve.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:13.bhyve.asc Wed Jul 8 20:50:27 2020 (r54319) 
@@ -0,0 +1,143 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:13.bhyve Errata Notice + The FreeBSD Project + +Topic: Host crash in bhyve with PCI device passthrough + +Category: core +Module: bhyve +Announced: 2020-07-08 +Credits: Peter Grehan +Affects: FreeBSD 12.1 +Corrected: 2020-06-01 05:14:01 UTC (stable/12, 12.1-STABLE) + 2020-07-08 19:56:34 UTC (releng/12.1, 12.1-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of guest operating +systems in virtual machines. bhyve(8) includes support for PCI devices +passthrough (a technique to pass host PCI devices to a virtual machine for its +exclusive control and use). + +II. Problem Description + +When an attempt is made to pass through a PCI device to a bhyve(8) VM (causing +initialization of IOMMU) on certain Intel chipsets using VT-d the PCI bus +stops working entirely resulting in a host crash. This issue occurs at least +on the Intel Skylake series processors and those released later. + +A device passed through to a guest VM running OpenBSD at least since version +6.4 on both AMD and Intel processors may not fully work in the guest. OpenBSD +issues 4-byte PCI configuration-space register reads and writes to consecutive +2-byte fields, which were not handled correctly by bhyve(8). + +III. Impact + +These issues prevent using bhyve in production with some combinations of host +hardware and/or guest operating system. + +IV. Workaround + +No workaround is available. Systems not using bhyve(8) for virtualization +with PCI passthrough are not affected. + +V. 
Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +The first problem requires a reboot as the affected part is the kernel. + +The second problem does not require a reboot as the affected part is the +bhyve userland executable. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:13/bhyve.patch +# fetch https://security.FreeBSD.org/patches/EN-20:13/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +d) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r361686 +releng/12.1/ r363022 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229852> + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245392> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:13.bhyve.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLjVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKMwQ/9HxrcUNvL8myn512t+drnCnDg/lNL2cqlc53VyDsvwesgXbGA3k1pQsyV +VLB2jn56+EWcq0b1eieLavK77YtdrbEfa72YOlTd576586VRroUC3d4o6eaAHKHS +Hzm/Qh5cQM46065Eoshz8T+N1/RNmU0ANS19ogBmogqhbJwwQUSr402a/BGrTES+ ++rx4ywmTOrmXxVQwAlRHp1/7pQ5PL3cK2ByYzuFjKjzNX3scHoMxOul2TC1bYwj6 +IhBT7NNxQuY/g7gxGM/ndifOiJtAlsxJdccWxZAMdYv3mzhnM2vqCmdz8KjB7UKH +2XOKB1RwSq0b1FBsur8Z0Pg6AlIRcNW952mAn2UJxx9mh/oCSj0sqtdmAKu0EO1e +Vn6+psOffB28ITvdBsf7D/3ixM8+jdAogFzW00iGPppF02QwM6FVxa3+mogOVtsv +R+Fu381qwQmqvMtAEXOxQ6NiAk3fTan+VuEDB8FnYPEs5JkWef/fn4SPRUrr04hY +yTkX8F3XID2XdSMTgJllQzhf1uCK3QT77Y0BcPJH+NPZIZiyKkROxqnpS7LGFlEs +v8dLXTOFnaHfdrjefB/QCwLMTcX1AfN1n0OxQigtwKC1rvKHweaqZBEujtDmyMOm +uFXhQjoT3o29i1O139Q/3yINEbVYn6U5INrW5ZUGt1nm/wL9PuA= +=mH7Y +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-20:14.linuxkpi.asc 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:14.linuxkpi.asc Wed Jul 8 20:50:27 2020 (r54319) 
@@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:14.linuxkpi Errata Notice + The FreeBSD Project + +Topic: Kernel panic in LinuxKPI subsystem + +Category: core +Module: linuxkpi +Announced: 2020-07-08 +Affects: FreeBSD 12.1 and 11.3 +Corrected: 2020-01-22 00:30:27 UTC (stable/12, 12.1-STABLE) + 2020-07-08 19:57:24 UTC (releng/12.1, 12.1-RELEASE-p7) + 2020-01-22 15:51:24 UTC (stable/11, 11.3-STABLE) + 2020-07-08 19:57:24 UTC (releng/11.3, 11.3-RELEASE-p11) + +Note: FreeBSD 11.4 was branched after the original commit to the stable/11 +branch and already includes this erratum. + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The LinuxKPI subsystem allows kernel code ported from Linux to run in the +FreeBSD kernel without extensive modification. Some graphics drivers make +use of this subsystem. + +II. Problem Description + +A bug in one of the LinuxKPI subroutines could cause a kernel panic. + +III. Impact + +Certain graphical applications may trigger a kernel panic. This is most +often observed when using X11 forwarding to run an application remotely. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:14/linuxpki.patch +# fetch https://security.FreeBSD.org/patches/EN-20:14/linuxpki.patch.asc +# gpg --verify linuxkpi.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r356953 +releng/12.1/ r363023 +stable/11/ r356987 +releng/11.3/ r363023 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<other info on the problem> + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242913> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:14.linuxkpi.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLkpfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJG7A//RWsupxbp1AMqYFz7KsC6zezh8pYU8rONJvWGgaH5MNTdzKVa+SDAg9il +HI2IOAsDDRFRQvweyf1yOPMdPFUv15ZPgYpUcx2MoAbLFNa5TsqcodE6t1hEjBrQ +20x0yjg/Fy6T17BaX3cziBFjxd3YW79jf/+FpzCTOoNasxIteiR5Vt4NbJ7Esqoa +u7U3uXtIvDmfVASfMYq2NmKWTP8cz+f2FCB3687G4jGmBhrfMK8DNVQ3RI6IjGEm +RUzmnYLX0Xbs83PTCYEkEqmEdj+o9zRokCPxdhFjd9XxnKaWh5vM0N6FNxBOcYER +OqGMy0X88wsqvs5l+FnXYdI/BzELrzXmB4lMEh9wXDfrCZt4wVkb0C0NBLGgrafV +95/YQobMsghe44ysVTmpfTi1++NnEDPgV/klVwBo6u9VluMH3PRxrTtW92SB0DOt +QABVpgV96LKibsO26PRLS5yqMEgUPJ57W6mQvL9RdsTL/4VBamHQmUinXM1VlMml +d2WVLguLw2vc86Mv2V4FZiC6A1eG91mUDTUYCeGxqBknl7DxBl+iGyM4Bu3Kw1+p +eRi1Y6hAR/Vb/VyE4mNTBd0UzZhRymaXkiVm7nAKZjTAvSbpbEe26QCPzZGUgVsT +UemEPi2lAAn2J3O46sEv8RjFjOOdrbOnyaZkJNBaKSPK7qq6etc= +=1UKD +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-20:15.mps.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-20:15.mps.asc Wed Jul 8 20:50:27 2020 (r54319) 
@@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-20:15.mps Errata Notice + The FreeBSD Project + +Topic: Kernel panic in mps(4) driver + +Category: core +Module: mps +Announced: 2020-07-08 +Affects: All supported version of FreeBSD. +Corrected: 2020-06-11 14:48:20 UTC (stable/12, 12.1-STABLE) + 2020-07-08 19:58:00 UTC (releng/12.1, 12.1-RELEASE-p7) + 2020-06-11 14:49:38 UTC (stable/11, 11.4-STABLE) + 2020-07-08 19:58:00 UTC (releng/11.4, 11.4-RELEASE-p1) + 2020-07-08 19:58:00 UTC (releng/11.3, 11.3-RELEASE-p11) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +mps(4) is a disk controller driver. It exports an ioctl(2) interface used by +several command-line utilities to query for or set properties of the device. + +II. Problem Description + +mps(4) implements a pass-through interface which allows privileged user +processes to submit commands directly to disks behind the controller. A bug +in the code which copies command results out to the requesting process could +cause a kernel panic. + +III. Impact + +Administrative commands issued by, e.g., sas2ircu, could cause a kernel panic. + +IV. Workaround + +No workaround is available. Systems that do not use mps(4) are unaffected. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-20:15/mps.patch +# fetch https://security.FreeBSD.org/patches/EN-20:15/mps.patch.asc +# gpg --verify mps.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r362057 +releng/12.1/ r363024 +stable/11/ r362058 +releng/11.4/ r363024 +releng/11.3/ r363024 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223813> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:15.mps.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLk5fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLlPxAAgUVjwHuRGD4sTiymH2QgkdjneeE99obAzXDTDDNAOWaJQqmZV2L+ooYq +2nnNdax0CpNvSaNF7KyEFYy30kcoBkSl8MBfOwtuUbO4fWUTDLIm3nUBn6YLvlkr +ZdrDEzLN3EXOoHnVez4+dcCostVDWAVMPiGzNitU4htPy3pPvwyEcko9lA4eOF5Q +ZanF1YjsAJOUvtmmCOr1XGRjzsW05Fbiyv6dAmaK7z508gAUj9t7x1a6XnIdLbJY +tx4+UcBT3yvdSkXNlqGa8EGtPXz9ue4Aq53PSy+C9pbUiEBPgvnLQB0IJNU5Kynv +fGlHMhee/Ih9+ZfSXoInvDJ+gVYdhufqQQ3GSUcdm7suUuQ+Gc8xn+KUUUZ8xtub +3EfDeQ2h2eKlaGs0RrVNHtE9ETn+aimagVp5wcws6JLw3Nm5cEAzJFz8fK8lIbXe +xONslLH1a6985k8CmHVDh6YULCZV9G3G+DGG3mvBnj+/wtysSaa3nOyQEPFuUXHI +rf6d9JWzV6Is3nx0+34StQu/lyyixwb1LssSjop08+J2G66/ZBVYoorQ1qVzU1lH +OkUg00JeHvFI4uKEEsv0/P31vM4aeW5iJsiWvjY6MAZ7VMmJMOrJEdiX+vycNkQ1 +cS7Qi6DCEpnFZCP61cEbYonBK1rgvNexTRTwIHIrATLLKEOtq+U= +=6tC9 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:18.posix_spawnp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:18.posix_spawnp.asc Wed Jul 8 20:50:27 2020 (r54319) 
@@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:18.posix_spawnp Security Advisory + The FreeBSD Project + +Topic: posix_spawnp(3) buffer overflow + +Category: core +Module: libc +Announced: 2020-07-08 +Credits: Andrew Gierth +Affects: FreeBSD 11.4 +Corrected: 2020-06-17 16:22:08 UTC (stable/12, 12.1-STABLE) + 2020-06-17 16:22:08 UTC (stable/11, 11.4-STABLE) + 2020-07-08 20:08:05 UTC (releng/11.4, 11.4-RELEASE-p1) +CVE Name: CVE-2020-7458 + +Note: This vulnerability was introduced after the release of FreeBSD 11.3 and +FreeBSD 12.1; FreeBSD 11.4 is the only affected release. + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +posix_spawnp(3) is a lightweight process creation mechanism provided by libc +for general application usage. + +II. Problem Description + +posix_spawnp spawns a new thread with a limited stack allocated on the heap +before delegating to execvp for the final execution within that thread. + +execvp would previously make unbounded allocations on the stack, directly +proportional to the length of the user-controlled PATH environment variable. + +III. Impact + +Long values in the user-controlled PATH environment variable cause +posix_spawnp to write beyond the end of stack that was allocated, ultimately +overflowing the heap-allocated stack with a direct copy of the value stored +in PATH. + +IV. Workaround + +No workaround is available. Few applications in the base system use +posix_spawnp(3) and none of them are particularly viable candidates for an +exploit. Use by third-party applications has not been investigated. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.4] +# fetch https://security.FreeBSD.org/patches/SA-20:18/posix_spawnp.patch +# fetch https://security.FreeBSD.org/patches/SA-20:18/posix_spawnp.patch.asc +# gpg --verify posix_spawnp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r362281 +stable/11/ r362281 +releng/11.4/ r363025 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7458> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:18.posix_spawnp.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLlNfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLdthAAgchE9dOcTvmFerK/SEAI7G/+3l1GRQ/hKJfvGbvNuZKKudpMdCmLHzil +MepCvRO7ft6OTBF66PaAscbdadD54CluQGjD96eLNnQ6dMgU5yZdWTUvvjdJze1R +200oAlAu2eoZvuRghSNFqh4s8iffYN/T4Tc1ubRCAyZUXYbq5rg3r21P9FugXX+Y +RZhYzUNRMCi4ZSGkUmcqLltZZtSrI9GOU2H4cKpedYaHJ+b76tALt1fCsSVZwMJK +7WKiqKkw4ilRH5gbUuTqngVjt7Uy9JGyS2WrAwhnxLIr6+4qxAkiOltwZdFNUhSJ +HGvTzl2As/gxxjqpqmvzegKfrGOd4pz2i7ZdAhhPWEK0sHNp1NttPQ7wWnU1Ikt3 +bkoiy+eJTF43GL7IpxurOOMDdH9MWL/RAZBZNpTof4XCjhEHvvMaSoeO/GLpcSja ++dYFoip65b1tlBtGt/tlgHVqlzCD86o6pBiRdZ7mYYLTxurDc/dcTpebypQPogcB +agD3IO0hMXnt1Q/UQVl1pC3LDnSvabeHVI7xuB1T9UP/CsAxTt1nhEM4b9/YnJv5 +Bt1cZFlBvZgrVFVvegYAf7lVz3TsF3xz2pKZD6wxezAk+QbH4ho6aTHWJkRotE4z +C5bcIEbIz6OX+J7VjOxcgkTu+bFykWb9xcTjtKpRexxICMOef+E= +=2OBY +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:19.unbound.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:19.unbound.asc Wed Jul 8 20:50:27 2020 (r54319) 
@@ -0,0 +1,143 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:19.unbound Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in unbound + +Category: contrib +Module: unbound +Announced: 2020-07-08 +Affects: All supported versions of FreeBSD. +Corrected: 2020-05-24 16:47:27 UTC (stable/12, 12.1-STABLE) + 2020-07-08 20:25:06 UTC (releng/12.1, 12.1-RELEASE-p7) + 2020-05-24 11:47:27 UTC (stable/11, 11.4-STABLE) + 2020-07-08 20:22:38 UTC (releng/11.4, 11.4-RELEASE-p1) + 2020-07-08 20:20:59 UTC (releng/11.3, 11.3-RELEASE-p11) +CVE Name: CVE-2020-12662, CVE-2020-12663 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +Unbound is a validating, recursive, and caching DNS resolver. + +II. Problem Description + +Malformed answers from upstream name servers can send Unbound into an infinite +loop, resulting in denial of service. A malicious query can cause a traffic +amplification attack against third party authoritative nameservers. + +III. Impact + +Denial of service of the affected host, or of third parties via traffic +amplification. + +IV. Workaround + +No workaround is available. Systems not running Unbound are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.1] +# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.12.1.patch +# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.12.1.patch.asc +# gpg --verify unbound.12.1.patch.asc + +[FreeBSD 11.4] +# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.4.patch +# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.4.patch.asc +# gpg --verify unbound.11.4.patch.asc + +[FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.3.patch +# fetch https://security.FreeBSD.org/patches/SA-20:19/unbound.11.3.patch.asc +# gpg --verify unbound.11.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch -p0 < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r361435 +releng/12.1/ r363029 +stable/11/ r361435 +releng/11.4/ r363028 +releng/11.3/ r363027 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12662> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12663> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLldfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLg3g/+KxaCk6wFvqDCYlT2Rx8ZfxuU4cG8anJvdanwI8pV7SWsVIilWvpIuW5Y +1P/TVmZiXpICToiUXdwaOMj8r/8QhmALXd3icb+QBUBdLlkm6Cuh/lSbEAyA63aF +YYDF9FsXITVMcUCiUCxpVWSzDUW3LD5jMC/0jjvb7N0VhQyn4vHgEUa74jstnu4r +36QV1s+ucsJafwAyzfobP+fCGKnVM8rmJ/3jE/eifN9RajFJdlkTtV0j6ReK9XQR +jWunCgYZs8Ur0RFu98hspeRsXPuygV83sDiVWPQUd+iKXC8fW52f+IpAVO4BB763 +ZOjXaeudVfqorBXpKsldggEaCrxbJlEdwR9oZOrNww4QDqgPnU4Fkdb2TXyl5Gtx +t0fbvEl2sxfx5M+3rF9ae++DPpmIiu8DiodF8XKfXicFZ2WpJmnwEY0SeEGYGyrO +MJZW3i45qfe4CneFtt1r1v1feX3XQZKuyjtb++S2/PDiSQ1ZrkdE3Y3VYS3X+pLt +C1ZFkw6nLDDSVzPiD+1i8VzRoKwS7zZKfAWMBJRiO3Jjh2vXsNRYO6wAMPq4HAvA +DkB0Ykm0ioDqtUwEKhqAcJEmu6P44BM9SJ0ApFeKQ8L+isNoiaEMEVFG1HW9avl6 +E+I33y5yBtvgrRiyqUvANh/ZYSb7FQDTf5rlUOwG+Pk/kUlMrUA= +=tonD +-----END 
PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-20:20.ipv6.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-20:20.ipv6.asc Wed Jul 8 20:50:27 2020 (r54319) 
@@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:20.ipv6 Security Advisory + The FreeBSD Project + +Topic: IPv6 socket option race condition and use after free + +Category: core +Module: network +Announced: 2020-07-08 +Credits: syzkaller, Andy Nguyen +Affects: All supported versions of FreeBSD. +Corrected: 2020-04-02 15:30:51 UTC (stable/12, 12.1-STABLE) + 2020-07-08 20:11:40 UTC (releng/12.1, 12.1-RELEASE-p7) + 2020-07-06 20:23:14 UTC (stable/11, 11.4-STABLE) + 2020-07-08 20:11:40 UTC (releng/11.4, 11.4-RELEASE-p1) + 2020-07-08 20:11:40 UTC (releng/11.3, 11.3-RELEASE-p11) +CVE Name: CVE-2020-7457 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The IPV6_2292PKTOPTIONS socket option allows user code to set IPv6 +header options on a socket. + +II. Problem Description + +The IPV6_2292PKTOPTIONS set handler was missing synchronization, +so racing accesses could modify freed memory. + +III. Impact + +A malicious user application could trigger memory corruption, leading +to privilege escalation. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or release / +security branch (releng) dated after the correction date and reboot. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:20/ipv6.patch +# fetch https://security.FreeBSD.org/patches/SA-20:20/ipv6.patch.asc +# gpg --verify ipv6.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r359565 +releng/12.1/ r363026 +stable/11/ r362975 +releng/11.4/ r363026 +releng/11.3/ r363026 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://hackerone.com/reports/826026> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7457> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:20.ipv6.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLvVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJqxA/9H58yyRUSUy6BTRw0XkCQFO3r0NpTYPWK4RJFPWO2Jh5zL2QjxuSj3k9t +zgJXM6a1RRgOxevxSzJJXD74BZz3XLJnC9T0tXsp3nikMrd+NSVN0g2jfAbx0l7R +RFRUJOI2EfcGkIe0tZy4/nGr+H9eZiJt9a9vJ8DCoJuU9Ph/7w3GrVG+gbJfH4sV +KhvhrRzla4ePadnHyQZALL5ov554BUa3dB9STz8zbdjt5yFREpvCJ9mIOHKNPBCR +X5v7OMwhw++2Q0JtoMsmBHMi8zOkDpbjPk5eQNLHg3Iw9ZQrxW8KtM9Ru3KFtPw9 +gisI9e53NkCUGLm9iq3oQG6CnCMulTMAlgN5f0HflEwy3vd7R/ibNLvx2yObmVOU +cX1Nf0ydFfhoS/YQwArdGTUg12BlYL9lqiXTqojUBG+yikwA3XAIUJccpcYyZDLQ +jR5N8Ct7fV9Ec5pdu4xkSQhKsto9pQVfS0Kabv7hlwumynVL+S7qsmS7FT3IC/4n +FiXisrJr5TTNO8p/bIs8qooHYUkd06A5O8xy+gRDDPbgvYfevGWrd/vaHmiXpUsv +dvv9ZnU8xlaSi66AEPs9kYw/WhF55deqaU1M0p6Ob3+TGyJIR3j3IPTAIIXSgTrq +YiyvzqXM+ob3aysILYRv48LK7+5N/3hDU48FLUN6q1V99G7TV8o= +=JUip +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-20:13/bhyve.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-20:13/bhyve.patch Wed Jul 8 20:50:27 2020 (r54319) 
@@ -0,0 +1,342 @@ +--- sys/amd64/vmm/intel/vtd.c.orig ++++ sys/amd64/vmm/intel/vtd.c +@@ -51,6 +51,8 @@ + * Architecture Spec, September 2008. + */ + ++#define VTD_DRHD_INCLUDE_PCI_ALL(Flags) (((Flags) >> 0) & 0x1) ++ + /* Section 10.4 "Register Descriptions" */ + struct vtdmap { + volatile uint32_t version; +@@ -116,10 +118,11 @@ + static SLIST_HEAD(, domain) domhead; + + #define DRHD_MAX_UNITS 8 +-static int drhd_num; +-static struct vtdmap *vtdmaps[DRHD_MAX_UNITS]; +-static int max_domains; +-typedef int (*drhd_ident_func_t)(void); ++static ACPI_DMAR_HARDWARE_UNIT *drhds[DRHD_MAX_UNITS]; ++static int drhd_num; ++static struct vtdmap *vtdmaps[DRHD_MAX_UNITS]; ++static int max_domains; ++typedef int (*drhd_ident_func_t)(void); + + static uint64_t root_table[PAGE_SIZE / sizeof(uint64_t)] __aligned(4096); + static uint64_t ctx_tables[256][PAGE_SIZE / sizeof(uint64_t)] __aligned(4096); +@@ -175,6 +178,69 @@ + return (id); + } + ++static struct vtdmap * ++vtd_device_scope(uint16_t rid) ++{ ++ int i, remaining, pathremaining; ++ char *end, *pathend; ++ struct vtdmap *vtdmap; ++ ACPI_DMAR_HARDWARE_UNIT *drhd; ++ ACPI_DMAR_DEVICE_SCOPE *device_scope; ++ ACPI_DMAR_PCI_PATH *path; ++ ++ for (i = 0; i < drhd_num; i++) { ++ drhd = drhds[i]; ++ ++ if (VTD_DRHD_INCLUDE_PCI_ALL(drhd->Flags)) { ++ /* ++ * From Intel VT-d arch spec, version 3.0: ++ * If a DRHD structure with INCLUDE_PCI_ALL flag Set is reported ++ * for a Segment, it must be enumerated by BIOS after all other ++ * DRHD structures for the same Segment. 
++ */ ++ vtdmap = vtdmaps[i]; ++ return(vtdmap); ++ } ++ ++ end = (char *)drhd + drhd->Header.Length; ++ remaining = drhd->Header.Length - sizeof(ACPI_DMAR_HARDWARE_UNIT); ++ while (remaining > sizeof(ACPI_DMAR_DEVICE_SCOPE)) { ++ device_scope = (ACPI_DMAR_DEVICE_SCOPE *)(end - remaining); ++ remaining -= device_scope->Length; ++ ++ switch (device_scope->EntryType){ ++ /* 0x01 and 0x02 are PCI device entries */ ++ case 0x01: ++ case 0x02: ++ break; ++ default: ++ continue; ++ } ++ ++ if (PCI_RID2BUS(rid) != device_scope->Bus) ++ continue; ++ ++ pathend = (char *)device_scope + device_scope->Length; ++ pathremaining = device_scope->Length - sizeof(ACPI_DMAR_DEVICE_SCOPE); ++ while (pathremaining >= sizeof(ACPI_DMAR_PCI_PATH)) { ++ path = (ACPI_DMAR_PCI_PATH *)(pathend - pathremaining); ++ pathremaining -= sizeof(ACPI_DMAR_PCI_PATH); ++ ++ if (PCI_RID2SLOT(rid) != path->Device) ++ continue; ++ if (PCI_RID2FUNC(rid) != path->Function) ++ continue; ++ ++ vtdmap = vtdmaps[i]; ++ return (vtdmap); ++ } ++ } ++ } ++ ++ /* No matching scope */ ++ return (NULL); ++} ++ + static void + vtd_wbflush(struct vtdmap *vtdmap) + { +@@ -240,7 +306,7 @@ + static int + vtd_init(void) + { +- int i, units, remaining; ++ int i, units, remaining, tmp; + struct vtdmap *vtdmap; + vm_paddr_t ctx_paddr; + char *end, envname[32]; +@@ -291,8 +357,9 @@ + break; + + drhd = (ACPI_DMAR_HARDWARE_UNIT *)hdr; +- vtdmaps[units++] = (struct vtdmap *)PHYS_TO_DMAP(drhd->Address); +- if (units >= DRHD_MAX_UNITS) ++ drhds[units] = drhd; ++ vtdmaps[units] = (struct vtdmap *)PHYS_TO_DMAP(drhd->Address); ++ if (++units >= DRHD_MAX_UNITS) + break; + remaining -= hdr->Length; + } +@@ -302,12 +369,18 @@ + + skip_dmar: + drhd_num = units; +- vtdmap = vtdmaps[0]; + +- if (VTD_CAP_CM(vtdmap->cap) != 0) +- panic("vtd_init: invalid caching mode"); ++ max_domains = 64 * 1024; /* maximum valid value */ ++ for (i = 0; i < drhd_num; i++){ ++ vtdmap = vtdmaps[i]; ++ ++ if (VTD_CAP_CM(vtdmap->cap) != 0) ++ panic("vtd_init: 
invalid caching mode"); + +- max_domains = vtd_max_domains(vtdmap); ++ /* take most compatible (minimum) value */ ++ if ((tmp = vtd_max_domains(vtdmap)) < max_domains) ++ max_domains = tmp; ++ } + + /* + * Set up the root-table to point to the context-entry tables +@@ -373,7 +446,6 @@ + struct vtdmap *vtdmap; + uint8_t bus; + +- vtdmap = vtdmaps[0]; + bus = PCI_RID2BUS(rid); + ctxp = ctx_tables[bus]; + pt_paddr = vtophys(dom->ptp); +@@ -385,6 +457,10 @@ + (uint16_t)(ctxp[idx + 1] >> 8)); + } + ++ if ((vtdmap = vtd_device_scope(rid)) == NULL) ++ panic("vtd_add_device: device %x is not in scope for " ++ "any DMA remapping unit", rid); ++ + /* + * Order is important. The 'present' bit is set only after all fields + * of the context pointer are initialized. +@@ -568,8 +644,6 @@ + if (drhd_num <= 0) + panic("vtd_create_domain: no dma remapping hardware available"); + *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
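Review bot: in vtd_device_scope(), added by the bhyve.patch region at @@ -175,6 +178,69 @@, both walk loops trust device_scope->Length from the ACPI DMAR table without validating it. remaining and pathremaining are int but are compared against sizeof(), so the comparison is done unsigned: once `remaining -= device_scope->Length` goes negative, `remaining > sizeof(ACPI_DMAR_DEVICE_SCOPE)` is still true and `end - remaining` points past the DRHD. A Length of 0 never advances the walk, and a Length below sizeof(ACPI_DMAR_DEVICE_SCOPE) makes pathremaining negative with the same effect in the inner loop. Suggest rejecting an entry whose Length is smaller than sizeof(ACPI_DMAR_DEVICE_SCOPE) or larger than remaining before subtracting, and either casting the sizeof() operands to int or making the counters unsigned with explicit bounds checks. Separately, the INCLUDE_PCI_ALL early return depends on firmware listing that unit last, as the quoted spec text requires per Segment, while the function receives only a 16-bit rid and compares no segment; a comment stating the single-segment assumption would help.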
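Review bot: drhds[] is filled only inside the DMAR parsing loop in vtd_init() (region @@ -291,8 +357,9 @@), but drhd_num is taken from units at the skip_dmar label, which by its name is reached on a path that bypasses that loop. If units can be nonzero on that path, drhds[i] is still NULL for those units and vtd_device_scope() dereferences it unconditionally at `drhd->Flags`. Suggest either populating drhds[] on every path that increments units, or having vtd_device_scope() handle a NULL drhds[i] explicitly, with a comment on which unit such a device should map to.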
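Review bot: in the vtd_add_device region at @@ -385,6 +457,10 @@, a NULL return from vtd_device_scope() goes straight to panic(), so a device that firmware left out of every DRHD scope takes the whole host down when it is assigned. If the callers can take an error, failing the assignment and logging the rid would be the safer behaviour; if the panic stays, the message should print the rid with a 0x prefix or as bus/slot/function so it can be matched against pciconf output. The scope lookup also runs after the earlier context-entry check in this function, so consider moving it to the top, where vtdmap used to be assigned, to keep all validation ahead of any table access.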