From nobody Wed Jun 10 16:17:45 2026
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gb9t95Jvkz6gk38
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Wed, 10 Jun 2026 16:17:53 +0000 (UTC)
	(envelope-from jpresley@eepycat.org)
Received: from mail.eepycat.org (mail.eepycat.org [15.235.43.252])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gb9t93JX7z3hkj
	for <freebsd-security@freebsd.org>; Wed, 10 Jun 2026 16:17:53 +0000 (UTC)
	(envelope-from jpresley@eepycat.org)
Authentication-Results: mx1.freebsd.org;
	none
Received: from mail.eepycat.org (mail.eepycat.org [127.0.0.1])
	by mail.eepycat.org (Postfix) with ESMTP id 4gb9t26Y75z6MWY
	for <freebsd-security@freebsd.org>; Wed, 10 Jun 2026 16:17:46 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=eepycat.org; h=
	content-transfer-encoding:content-type:message-id:user-agent
	:references:in-reply-to:subject:to:from:date:mime-version; s=
	dkim; t=1781108265; x=1783700266; bh=Q8ABcrpHEP6QYYPM8fTmY+QDQl9
	1/+zJl/epkDotkZY=; b=PR4t/hxwG4iA1Cq0Z4UTeoKyN1rOpyosA429NcaxXXq
	A2cZ69l0vogTJlV5nQsvUPtzp3SjQrTdEeNOIo4oTXnLnbPr+U0qvufGOujLLFXt
	N+De3TsgW8Bc4Fll1xWxuNn3+Oa1T/KCAJeFhCAN0ZgzgGeFSvKJvzHdCQUBt4bE
	OtiAcxjOtvV9tDa+wusL6LIAVJclMurDT1vMafGhG9vZbCYB0Rf0T7TcqEH7fXEQ
	UTyB8n+DpE2MAl3aSa5D6u1KyypgQX/nd/b+vH20l2MaUtp6Ofqg6GmV5w5N8jL1
	uFnnyHsRCAZJCRsfzPLAMaoWgWB5+0OwodgXoNd+NAg==
X-Virus-Scanned: amavis at mail.eepycat.org
Received: from mail.eepycat.org ([127.0.0.1])
 by mail.eepycat.org (mail.eepycat.org [127.0.0.1]) (amavis, port 10026)
 with ESMTP id eSmPcpBJMuBT for <freebsd-security@freebsd.org>;
 Wed, 10 Jun 2026 16:17:45 +0000 (GMT)
Received: from localhost (mail.eepycat.org [127.0.0.1])
	by mail.eepycat.org (Postfix) with ESMTPSA id 4gb9t15DkCz6MT8;
	Wed, 10 Jun 2026 16:17:45 +0000 (GMT)
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
List-Id: <freebsd-security.FreeBSD.org>
List-Post: <mailto:freebsd-security@FreeBSD.org>
List-Help: <mailto:freebsd-security+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Date: Wed, 10 Jun 2026 11:17:45 -0500
From: jpresley@eepycat.org
To: Ian Stanley <iandstanley@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:28.capsicum
In-Reply-To: <D4DF5472-0C02-4C58-948C-956BFC78074E@gmail.com>
References: <20260609231323.ACEA71FC52@freefall.freebsd.org>
 <D4DF5472-0C02-4C58-948C-956BFC78074E@gmail.com>
User-Agent: Roundcube Webmail
Message-ID: <be2eeddb64231def10f9bd476906172a@eepycat.org>
X-Sender: jpresley@eepycat.org
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:16276, ipnet:15.235.0.0/17, country:FR]
X-Rspamd-Queue-Id: 4gb9t93JX7z3hkj
X-Spamd-Bar: ----
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated

The unsubscribe button at=20
https://lists.freebsd.org/subscription/freebsd-security appears to be=20
broken, the below error is returned. I imagine it could be broken for=20
other lists as well, and will report it to webmaster@freebsd.org on your=20
behalf.

Received error:
```
Error 503 Backend fetch failed

Backend status: Backend fetch failed

Transaction ID: 12694749274
```


-------- Original Message --------
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:28.capsicum
Date: 2026-06-10 05:46
 From: Ian Stanley <iandstanley@gmail.com>
To: freebsd-security@freebsd.org

Unsubscribe

> On 10 Jun 2026, at 00:32, FreeBSD Security Advisories=20
> <security-advisories@freebsd.org> wrote:
>=20
> =EF=BB=BF-----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>=20
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
> FreeBSD-SA-26:28.capsicum                                   Security=20
> Advisory
>                                                          The FreeBSD=20
> Project
>=20
> Topic:          sigqueue(2) missing capability mode restriction
>=20
> Category:       core
> Module:         capsicum
> Announced:      2026-06-09
> Credits:        Ed Maste
> Affects:        All supported versions of FreeBSD.
> Corrected:      2026-05-29 19:11:40 UTC (stable/15, 15.1-STABLE)
>                2026-06-09 19:20:09 UTC (releng/15.1, 15.1-RC3-p1)
>                2026-06-09 19:19:46 UTC (releng/15.0, 15.0-RELEASE-p10)
>                2026-05-29 19:12:58 UTC (stable/14, 14.4-STABLE)
>                2026-06-09 19:19:08 UTC (releng/14.4, 14.4-RELEASE-p6)
>                2026-06-09 19:18:38 UTC (releng/14.3, 14.3-RELEASE-p15)
> CVE Name:       CVE-2026-45259
>=20
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>=20
> I.   Background
>=20
> Capsicum is a lightweight OS capability and sandbox framework.  It=20
> provides
> two kernel primitives: capability mode, and capabilities.  Capability=20
> mode
> restricts the ability of a sandboxed process to interact with the=20
> global
> namespace, including the ability to send signals to other processes,=20
> other
> than via capability-based interfaces.
>=20
> In capability mode, kill(2) restricts signal delivery to the calling=20
> process
> only, preventing a sandboxed process from signalling other processes.
> sigqueue(2) provides similar signal delivery functionality, and is=20
> similarly
> permitted in capability mode.
>=20
> II.  Problem Description
>=20
> sigqueue(2) was marked as permitted in capability mode with the=20
> introduction
> of Capsicum in 2011, but the implementation of kern_sigqueue did not=20
> include
> a capability mode check restricting signal delivery to the calling=20
> process's
> own PID.
>=20
> III. Impact
>=20
> A process in capability mode can use sigqueue(2) to send signals to any
> process it could signal following standard Unix permissions, bypassing=20
> the
> Capsicum sandbox restriction.  A compromised sandboxed process could
> interfere with other processes, for example by sending SIGKILL or=20
> SIGSTOP.
> This could be any process running as the same user, or any process, for=
=20
> a
> superuser sandboxed process.
>=20
> IV.  Workaround
>=20
> No workaround is available.
>=20
> V.   Solution
>=20
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date, and
> reboot.
>=20
> Perform one of the following:
>=20
> 1) To update your vulnerable system installed from base system=20
> packages:
>=20
> Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
> platforms, which were installed using base system packages, can be=20
> updated
> via the pkg(8) utility:
>=20
> # pkg upgrade -r FreeBSD-base
> # shutdown -r +10min "Rebooting for a security update"
>=20
> 2) To update your vulnerable system installed from binary distribution=20
> sets:
>=20
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64=20
> platforms
> which were not installed using base system packages can be updated via=20
> the
> freebsd-update(8) utility:
>=20
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>=20
> 3) To update your vulnerable system via a source code patch:
>=20
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>=20
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>=20
> [FreeBSD 15.1]
> # fetch=20
> https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch
> # fetch=20
> https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch.asc
> # gpg --verify capsicum-15.1.patch.asc
>=20
> [FreeBSD 15.0]
> # fetch=20
> https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch
> # fetch=20
> https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch.asc
> # gpg --verify capsicum-15.0.patch.asc
>=20
> [FreeBSD 14.x]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch
> # fetch=20
> https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch.asc
> # gpg --verify capsicum-14.patch.asc
>=20
> b) Apply the patch.  Execute the following commands as root:
>=20
> # cd /usr/src
> # patch < /path/to/patch
>=20
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>=20
> VI.  Correction details
>=20
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
>=20
> Branch/path                             Hash                    =20
> Revision
> -=20
> -----------------------------------------------------------------------=
--
> stable/15/                              defd9b86ef99   =20
> stable/15-n283744
> releng/15.1/                            871d33e8a66a =20
> releng/15.1-n283553
> releng/15.0/                            77ee83d12625 =20
> releng/15.0-n281055
> stable/14/                              d11ff01b3aec   =20
> stable/14-n274231
> releng/14.4/                            eab757f954ed =20
> releng/14.4-n273717
> releng/14.3/                            f56e8cb94df6 =20
> releng/14.3-n271517
> -=20
> -----------------------------------------------------------------------=
--
>=20
> Run the following command to see which files were modified by a
> particular commit:
>=20
> # git show --stat <commit hash>
>=20
> Or visit the following URL, replacing NNNNNN with the hash:
>=20
> <URL:https://cgit.freebsd.org/src/commit/?id=3DNNNNNN>
>=20
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>=20
> # git rev-list --count --first-parent HEAD
>=20
> VII. References
>=20
> <URL:https://www.cve.org/CVERecord?id=3DCVE-2026-45259>
>=20
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:28.capsicum.=
asc>
> -----BEGIN PGP SIGNATURE-----
>=20
> iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxAbFIAAAAAABAAO
> bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv9xQQALSpP1xklc9UjGzlSpTo
> 2owWykX02TVDqd7a57jEFpak6F9sJ1B83jrkEQVIGjBGQpTIWYt/C34QEzeo502F
> +dqfqXr32MyudPDq+lsWB7HhafG/gktTDpibJrQkqPDdTc+TwzzhoHxGAdckAMsr
> vCqnUF6UmtmTzQEyoQBqPGPWbVnyVboOQ0ZvKouMZdMBVlC7IvWPDlbpMEOLePTE
> NPHeuxFYbFHMUkOLq97Dhg4XTqdIG0t3n/0jA1kjCDvJWDbXpR1bPy1USTNxHO35
> xjeZshL2IWXDJSxLFBNE+cNFwg4dyp5vXcQXh3HtyMC9PMPMyIbJT7zQluV3CVI7
> 9gC6MMH7QiLssj5hJqMSXccrNzkag6Alu9ET5A/NtoGjyogbXmIPsQ9hLAqf/c9v
> 5m4O86dlHBL/JsGcPqsGw3+gucqgso2gy4yQ8h1GqGwNGv440TMAHRz5eAu+qOZq
> tDxo3OqK3HIEoChiQaRZp5bc/p0L1Rfka10J0HmIxB2KkdHEjdMn5SBsEYRsIv5v
> Sp34rl0cLm0oHraIQ0jNVTwZetrxl4CMIAexHYO1hJ+jZDRdBQ5CC7S83+t2Tbnu
> JgRsm6A+1TZfWsaflIx9ga42DEndXgqpmdrtjIFoO1zNQjrvcd3sqJH6GTMNdywg
> 2woyv6Bb/bwINWDE7EhicoJl
> =3DWJPW
> -----END PGP SIGNATURE-----
>=20