From: Ian Stanley
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:28.capsicum
Date: Wed, 10 Jun 2026 11:46:44 +0100
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Unsubscribe

> On 10 Jun 2026, at 00:32, FreeBSD Security Advisories wrote:
>
> =============================================================================
> FreeBSD-SA-26:28.capsicum                                   Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          sigqueue(2) missing capability mode restriction
>
> Category:       core
> Module:         capsicum
> Announced:      2026-06-09
> Credits:        Ed Maste
> Affects:        All supported versions of FreeBSD.
> Corrected:      2026-05-29 19:11:40 UTC (stable/15, 15.1-STABLE)
>                 2026-06-09 19:20:09 UTC (releng/15.1, 15.1-RC3-p1)
>                 2026-06-09 19:19:46 UTC (releng/15.0, 15.0-RELEASE-p10)
>                 2026-05-29 19:12:58 UTC (stable/14, 14.4-STABLE)
>                 2026-06-09 19:19:08 UTC (releng/14.4, 14.4-RELEASE-p6)
>                 2026-06-09 19:18:38 UTC (releng/14.3, 14.3-RELEASE-p15)
> CVE Name:       CVE-2026-45259
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> Capsicum is a lightweight OS capability and sandbox framework.  It provides
> two kernel primitives: capability mode, and capabilities.
> Capability mode restricts the ability of a sandboxed process to interact with
> the global namespace, including the ability to send signals to other
> processes, other than via capability-based interfaces.
>
> In capability mode, kill(2) restricts signal delivery to the calling process
> only, preventing a sandboxed process from signalling other processes.
> sigqueue(2) provides similar signal delivery functionality, and is similarly
> permitted in capability mode.
>
> II.  Problem Description
>
> sigqueue(2) was marked as permitted in capability mode with the introduction
> of Capsicum in 2011, but the implementation of kern_sigqueue did not include
> a capability mode check restricting signal delivery to the calling process's
> own PID.
>
> III. Impact
>
> A process in capability mode can use sigqueue(2) to send signals to any
> process it could signal following standard Unix permissions, bypassing the
> Capsicum sandbox restriction.  A compromised sandboxed process could
> interfere with other processes, for example by sending SIGKILL or SIGSTOP.
> This could be any process running as the same user, or any process, for a
> superuser sandboxed process.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date, and
> reboot.
>
> Perform one of the following:
>
> 1) To update your vulnerable system installed from base system packages:
>
> Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
> platforms, which were installed using base system packages, can be updated
> via the pkg(8) utility:
>
> # pkg upgrade -r FreeBSD-base
> # shutdown -r +10min "Rebooting for a security update"
>
> 2) To update your vulnerable system installed from binary distribution sets:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
> which were not installed using base system packages can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 15.1]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch.asc
> # gpg --verify capsicum-15.1.patch.asc
>
> [FreeBSD 15.0]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch.asc
> # gpg --verify capsicum-15.0.patch.asc
>
> [FreeBSD 14.x]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch.asc
> # gpg --verify capsicum-14.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> and reboot the
> system.
>
> VI.  Correction details
>
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
>
> Branch/path                             Hash                     Revision
> -------------------------------------------------------------------------
> stable/15/                              defd9b86ef99    stable/15-n283744
> releng/15.1/                            871d33e8a66a  releng/15.1-n283553
> releng/15.0/                            77ee83d12625  releng/15.0-n281055
> stable/14/                              d11ff01b3aec    stable/14-n274231
> releng/14.4/                            eab757f954ed  releng/14.4-n273717
> releng/14.3/                            f56e8cb94df6  releng/14.3-n271517
> -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
>
> The latest revision of this advisory is available at
>
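
An added example, not part of the message or of the advisory: a shell check that classifies a kernel version string against the corrected patch levels listed under "Corrected" in the quoted advisory. The function name `sa2628_status` is hypothetical; it assumes version strings in the `freebsd-version` format (for example `14.3-RELEASE-p15`) and covers only the releng branches, so stable branches report `unknown` and need the commit-count comparison from section VI.

```sh
#!/bin/sh
# Added example: compare a FreeBSD kernel version string with the minimum
# corrected patch levels from FreeBSD-SA-26:28.capsicum.
# Prints and returns: patched (0), vulnerable (1), unknown (2).

sa2628_status() {
    ver=$1
    # Split "14.3-RELEASE-p15" into release=14.3, kind=RELEASE, plevel=15.
    release=${ver%%-*}
    rest=${ver#*-}
    case $rest in
        *-p*) kind=${rest%%-p*}; plevel=${rest##*-p} ;;
        *)    kind=$rest;        plevel=0 ;;   # no -pN suffix means p0
    esac
    # A patch level that is not a plain number cannot be compared.
    case $plevel in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac

    # Minimum corrected patch level per release branch, from the advisory.
    case "$release/$kind" in
        15.1/RC3)     min=1  ;;
        15.0/RELEASE) min=10 ;;
        14.4/RELEASE) min=6  ;;
        14.3/RELEASE) min=15 ;;
        # stable/*, other branches: version string alone is not enough.
        *) echo unknown; return 2 ;;
    esac

    if [ "$plevel" -ge "$min" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# On a FreeBSD host, classify the running kernel: the fix is in the kernel,
# so the installed version only counts once the system has been rebooted.
if command -v freebsd-version >/dev/null 2>&1; then
    sa2628_status "$(freebsd-version -r)" || :
fi
```
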