Date:      Wed, 4 Apr 2018 05:55:14 +0000 (UTC)
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r51533 - in head/share/security: advisories patches/EN-18:03 patches/EN-18:04 patches/SA-18:04 patches/SA-18:05
Message-ID:  <201804040555.w345tE9d035536@repo.freebsd.org>

Author: gordon (src,ports committer)
Date: Wed Apr  4 05:55:14 2018
New Revision: 51533
URL: https://svnweb.freebsd.org/changeset/doc/51533

Log:
  Add SA-18:04.vt, SA-18:05.ipsec, EN-18:03.tzdata, EN-18:04.mem.
  
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-EN-18:03.tzdata.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-18:04.mem.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-18:04.vt.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-18:05.ipsec.asc   (contents, props changed)
  head/share/security/patches/EN-18:03/
  head/share/security/patches/EN-18:03/tzdata-2018d.patch   (contents, props changed)
  head/share/security/patches/EN-18:03/tzdata-2018d.patch.asc   (contents, props changed)
  head/share/security/patches/EN-18:04/
  head/share/security/patches/EN-18:04/mem.10.patch   (contents, props changed)
  head/share/security/patches/EN-18:04/mem.10.patch.asc   (contents, props changed)
  head/share/security/patches/EN-18:04/mem.11.patch   (contents, props changed)
  head/share/security/patches/EN-18:04/mem.11.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:04/
  head/share/security/patches/SA-18:04/vt.patch   (contents, props changed)
  head/share/security/patches/SA-18:04/vt.patch.asc   (contents, props changed)
  head/share/security/patches/SA-18:05/
  head/share/security/patches/SA-18:05/ipsec.patch   (contents, props changed)
  head/share/security/patches/SA-18:05/ipsec.patch.asc   (contents, props changed)

Added: head/share/security/advisories/FreeBSD-EN-18:03.tzdata.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:03.tzdata.asc	Wed Apr  4 05:55:14 2018	(r51533)
@@ -0,0 +1,149 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:03.tzdata                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Timezone database information update
+
+Category:       contrib
+Module:         zoneinfo
+Announced:      2018-04-04
+Credits:        Philip Paeps
+Affects:        All supported versions of FreeBSD
+Corrected:      2018-03-28 07:42:50 UTC (stable/11, 11.1-STABLE)
+                2018-04-04 05:40:48 UTC (releng/11.1, 11.1-RELEASE-p9)
+                2018-03-28 07:45:57 UTC (stable/10, 10.4-STABLE)
+                2018-04-04 05:40:48 UTC (releng/10.4, 10.4-RELEASE-p8)
+                2018-04-04 05:40:48 UTC (releng/10.3, 10.3-RELEASE-p29)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The tzsetup(8) program allows the user to specify the default local timezone.
+Based on the selected timezone, tzsetup(8) copies one of the files from
+/usr/share/zoneinfo to /etc/localtime.  This file actually controls the
+conversion.
+
+II.  Problem Description
+
+Several changes in Daylight Savings Time happened after previous FreeBSD
+releases were released that would affect many people who live in different
+countries.  Because of these changes, the data in the zoneinfo files need to
+be updated, and if the local timezone on the running system is affected,
+tzsetup(8) needs to be run so the /etc/localtime is updated.
+
+III. Impact
+
+An incorrect time will be displayed on a system configured to use one of the
+affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
+not updated, and all applications on the system that rely on the system time,
+such as cron(8) and syslog(8), will be affected.
+
+IV.  Workaround
+
+The system administrator can install an updated timezone database from the
+misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
+
+Applications that store and display times in Coordinated Universal Time (UTC)
+are not affected.
+
+V.   Solution
+
+Please note that some third party software, for instance PHP, Ruby, Java and
+Perl, may be using different zoneinfo data source, in such cases this
+software must be updated separately.  For software packages that is installed
+via binary packages, they can be upgraded by executing `pkg upgrade'.
+
+Following the instructions in this Errata Notice will update all of the
+zoneinfo files to be the same as what was released with FreeBSD release.
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date. Restart all the affected
+applications and daemons, or reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all the affected applications and daemons, or reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-18:03/tzdata-2018d.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:03/tzdata-2018d.patch.asc
+# gpg --verify tzdata-2018d.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all the affected applications and daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r331663
+releng/10.3/                                                      r331986
+releng/10.4/                                                      r331986
+stable/11/                                                        r331662
+releng/11.1/                                                      r331986
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:03.tzdata.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=k+2X
+-----END PGP SIGNATURE-----
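Review bot: Section V (Solution) never tells the administrator to re-run tzsetup(8), although section II states that "tzsetup(8) needs to be run so the /etc/localtime is updated" when the local timezone is affected; all three options end at "Restart all the affected applications and daemons, or reboot the system." Suggest adding the tzsetup(8) step to each option, or one sentence after the list that applies to all three. In the same section, "the same as what was released with FreeBSD release" does not name a release, and "For software packages that is installed via binary packages, they can be upgraded" should be reworded (for example "Software installed from binary packages can be upgraded by executing `pkg upgrade'").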

Added: head/share/security/advisories/FreeBSD-EN-18:04.mem.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-18:04.mem.asc	Wed Apr  4 05:55:14 2018	(r51533)
@@ -0,0 +1,151 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-18:04.mem                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Multiple small kernel memory disclosures
+
+Category:       core
+Module:         kernel
+Announced:      2018-04-04
+Credits:        Ilja van Sprundel
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-03-28 13:41:43 UTC (stable/11, 11.1-STABLE)
+                2018-04-04 05:43:03 UTC (releng/11.1, 11.1-RELEASE-p9)
+                2018-03-29 22:31:14 UTC (stable/10, 10.4-STABLE)
+                2018-04-04 05:43:03 UTC (releng/10.4, 10.4-RELEASE-p8)
+                2018-04-04 05:43:03 UTC (releng/10.3, 10.3-RELEASE-p29)
+CVE Name:       CVE-2018-6919
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes drivers for HighPoint disk controllers via the hpt27xx(4),
+hptnr(4) and hptrr(4) drivers, for some graphics cards via drm drivers.  In
+addition, FreeBSD includes optional support for executing svr4 and ibcs2
+binaries.
+
+II.  Problem Description
+
+Due to insufficient initialization of memory copied to userland small amounts
+of kernel memory may be disclosed to userland processes.
+
+III. Impact
+
+A user who can access these drivers or execute svr4 or ibcs2 binaries
+may be able to read the contents of kernel memory.
+
+Such memory might contain sensitive information, such as portions of the file
+cache or terminal buffers.  This information might be directly useful, or it
+might be leveraged to obtain elevated privileges in some way; for example,
+a terminal buffer might include a user-entered password.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not use these devices and
+do not enable support for ibcs2 and svr4 binaries are not vulnerable.
+In addition, note that the drm driver affected by this issue supports only
+relatively old hardware.  Systems built within the last decade likely
+contain graphics hardware supported by the drm2 driver in the FreeBSD base
+system or the drm-next-kmod driver in FreeBSD ports.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:04/mem.11.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:04/mem.11.patch.asc
+# gpg --verify mem.11.patch.asc
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/EN-18:04/mem.10.patch
+# fetch https://security.FreeBSD.org/patches/EN-18:04/mem.10.patch.asc
+# gpg --verify mem.10.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r331749
+releng/10.3/                                                      r331987
+releng/10.4/                                                      r331987
+stable/11/                                                        r331670
+releng/11.1/                                                      r331987
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6919>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:04.mem.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=r842
+-----END PGP SIGNATURE-----
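Review bot: Section IV says systems that "do not use these devices and do not enable support for ibcs2 and svr4 binaries are not vulnerable", but the notice gives no way to determine that on a running system. Suggest adding a short check, for instance looking for the hpt27xx, hptnr, hptrr and drm drivers and the svr4/ibcs2 support in the kernel configuration and in the kldstat(8) output, so administrators can decide whether the reboot in section V is urgent. The first sentence of section I also reads as if a conjunction is missing before "for some graphics cards via drm drivers".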

Added: head/share/security/advisories/FreeBSD-SA-18:04.vt.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:04.vt.asc	Wed Apr  4 05:55:14 2018	(r51533)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:04.vt                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          vt console memory disclosure
+
+Category:       core
+Module:         vt console
+Announced:      2018-04-04
+Credits:        Dr Silvio Cesare of InfoSect
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-04-04 05:24:59 UTC (stable/11, 11.1-STABLE)
+                2018-04-04 05:33:56 UTC (releng/11.1, 11.1-RELEASE-p9)
+                2018-04-04 05:26:33 UTC (stable/10, 10.4-STABLE)
+                2018-04-04 05:33:56 UTC (releng/10.4, 10.4-RELEASE-p8)
+                2018-04-04 05:33:56 UTC (releng/10.3, 10.3-RELEASE-p29)
+CVE Name:       CVE-2018-6917
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+On FreeBSD 11 and later, and FreeBSD 10.x systems that boot via UEFI, the
+default system video console is provided by the vt(4) driver.  The console
+allows the user, including an unprivileged user, to load a font at runtime.
+
+II.  Problem Description
+
+Insufficient validation of user-provided font parameters can result in an
+integer overflow, leading to the use of arbitrary kernel memory as glyph
+data.  Characters that reference this data can be displayed on the screen,
+effectively disclosing kernel memory.
+
+III. Impact
+
+Unprivileged users may be able to access privileged kernel data.
+
+Such memory might contain sensitive information, such as portions of the file
+cache or terminal buffers.  This information might be directly useful, or it
+might be leveraged to obtain elevated privileges in some way; for example,
+a terminal buffer might include a user-entered password.
+
+IV.  Workaround
+
+The syscons sc(4) system console is not affected by this issue and may be
+used on systems that do not boot via UEFI.  To use the syscons console,
+set the kern.vty tunable in /boot/loader.conf as described in sc(4), and
+reboot.  No workaround is available for systems that boot via UEFI.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is required after the upgrade.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch.asc
+# gpg --verify vt.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r331983
+releng/10.3/                                                      r331984
+releng/10.4/                                                      r331984
+stable/11/                                                        r331982
+releng/11.1/                                                      r331984
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6917>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:04.vt.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=L6/K
+-----END PGP SIGNATURE-----
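Review bot: Option 1 in section V does not mention a reboot, while option 2 says "A reboot is required after the upgrade." and option 3c ends with "reboot the system". The fix is in the kernel console driver, so option 1 should carry the same instruction; the other notices in this commit word it as "Afterward, reboot the system." Section IV would also be easier to act on if it gave the kern.vty setting itself rather than only pointing to sc(4).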

Added: head/share/security/advisories/FreeBSD-SA-18:05.ipsec.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-18:05.ipsec.asc	Wed Apr  4 05:55:14 2018	(r51533)
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-18:05.ipsec                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ipsec crash or denial of service
+
+Category:       core
+Module:         ipsec
+Announced:      2018-04-04
+Credits:        Maxime Villard
+Affects:        All supported versions of FreeBSD.
+Corrected:      2018-01-31 09:24:48 UTC (stable/11, 11.1-STABLE)
+                2018-04-04 05:37:52 UTC (releng/11.1, 11.1-RELEASE-p9)
+                2018-01-31 09:26:28 UTC (stable/10, 10.4-STABLE)
+                2018-04-04 05:37:52 UTC (releng/10.4, 10.4-RELEASE-p8)
+                2018-04-04 05:37:52 UTC (releng/10.3, 10.3-RELEASE-p29)
+CVE Name:       CVE-2018-6918
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The IPsec suite of protocols provide network level security for IPv4 and IPv6
+packets.  FreeBSD includes software originally developed by the KAME project
+which implements the various protocols that make up IPsec.
+
+In IPsec, the IP Authentication Header (AH) is used to provide protection
+against replay attacks and connectionless integrity and data origin
+authentication for IP datagrams.
+
+II.  Problem Description
+
+The length field of the option header does not count the size of the option
+header itself.  This causes a problem when the length is zero, the count is
+then incremented by zero, which causes an infinite loop.
+
+In addition there are pointer/offset mistakes in the handling of IPv4
+options.
+
+III. Impact
+
+A remote attacker who is able to send an arbitrary packet, could cause the
+remote target machine to crash.
+
+IV.  Workaround
+
+No workaround is available.  Note that in FreeBSD 10 IPsec is not included
+in the kernel by default, but it is in FreeBSD 11.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Afterward, reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Afterward, reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch
+# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch.asc
+# gpg --verify ipsec.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r328621
+releng/10.3/                                                      r331985
+releng/10.4/                                                      r331985
+stable/11/                                                        r328620
+releng/11.1/                                                      r331985
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6918>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=WcBl
+-----END PGP SIGNATURE-----
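Review bot: Section II refers to "the option header" without saying which protocol's options are being parsed; section I introduces only AH, and the second paragraph of section II mentions IPv4 options as a separate problem. Name the header in the first sentence so readers can judge which traffic exposes them. The sentence "This causes a problem when the length is zero, the count is then incremented by zero, which causes an infinite loop." is a comma splice and would read better split in two. Section III says only "crash", while the topic line says "crash or denial of service" and section II describes an infinite loop; the three should agree on the outcome.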

Added: head/share/security/patches/EN-18:03/tzdata-2018d.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-18:03/tzdata-2018d.patch	Wed Apr  4 05:55:14 2018	(r51533)
@@ -0,0 +1,4454 @@
+--- contrib/tzdata/CONTRIBUTING.orig
++++ contrib/tzdata/CONTRIBUTING
+@@ -25,7 +25,8 @@
+ 
+ Please submit changes against either the latest release in
+ <https://www.iana.org/time-zones>; or the master branch of the development
+-repository.  If you use Git the following workflow may be helpful:
++repository.  The latter is preferred.  If you use Git the following
++workflow may be helpful:
+ 
+   * Copy the development repository.
+ 
+@@ -42,6 +43,12 @@
+ 
+       git checkout -b mybranch
+ 
++  * Sleuth by using 'git blame'.  For example, when fixing data for
++    Africa/Sao_Tome, if the command 'git blame africa' outputs a line
++    '2951fa3b (Paul Eggert 2018-01-08 09:03:13 -0800 1068) Zone
++    Africa/Sao_Tome 0:26:56 - LMT 1884', commit 2951fa3b should
++    provide some justification for the 'Zone Africa/Sao_Tome' line.
++
+   * Edit source files.  Include commentary that justifies the
+     changes by citing reliable sources.
+ 
+@@ -67,6 +74,9 @@
+ 
+       git send-email master
+ 
++    For an archived example of such an email, see
++    <https://mm.icann.org/pipermail/tz/2018-February/026122.html>.
++
+   * Start anew by getting current with the master branch again
+     (the second step above).
+ 
+--- contrib/tzdata/Makefile.orig
++++ contrib/tzdata/Makefile
+@@ -10,6 +10,15 @@
+ # Email address for bug reports.
+ BUGEMAIL=	tz@iana.org
+ 
++# Choose source data features.  To get new features right away, use:
++#	DATAFORM=	vanguard
++# To wait a while before using new features, to give downstream users
++# time to upgrade zic (the default), use:
++#	DATAFORM=	main
++# To wait even longer for new features, use:
++#	DATAFORM=	rearguard
++DATAFORM=		main
++
+ # Change the line below for your time zone (after finding the zone you want in
+ # the time zone files, or adding it to a time zone file).
+ # Alternately, if you discover you've got the wrong time zone, you can just
+@@ -25,10 +34,10 @@
+ # for handling POSIX-style time zone environment variables,
+ # change the line below (after finding the zone you want in the
+ # time zone files, or adding it to a time zone file).
+-# (When a POSIX-style environment variable is handled, the rules in the
++# When a POSIX-style environment variable is handled, the rules in the
+ # template file are used to determine "spring forward" and "fall back" days and
+ # times; the environment variable itself specifies UT offsets of standard and
+-# summer time.)
++# daylight saving time.
+ # Alternately, if you discover you've got the wrong time zone, you can just
+ #	zic -p rightzone
+ # to correct things.
+@@ -189,6 +198,7 @@
+ #  -DHAVE_STDINT_H if you have a non-C99 compiler with <stdint.h>
+ #  -DHAVE_STRFTIME_L if <time.h> declares locale_t and strftime_l
+ #  -DHAVE_STRDUP=0 if your system lacks the strdup function
++#  -DHAVE_STRTOLL=0 if your system lacks the strtoll function
+ #  -DHAVE_SYMLINK=0 if your system lacks the symlink function
+ #  -DHAVE_SYS_STAT_H=0 if your compiler lacks a <sys/stat.h>
+ #  -DHAVE_SYS_WAIT_H=0 if your compiler lacks a <sys/wait.h>
+@@ -195,7 +205,11 @@
+ #  -DHAVE_TZSET=0 if your system lacks a tzset function
+ #  -DHAVE_UNISTD_H=0 if your compiler lacks a <unistd.h>
+ #  -Dlocale_t=XXX if your system uses XXX instead of locale_t
++#  -DRESERVE_STD_EXT_IDS if your platform reserves standard identifiers
++#	with external linkage, e.g., applications cannot define 'localtime'.
+ #  -Dssize_t=long on hosts like MS-Windows that lack ssize_t
++#  -DSUPPRESS_TZDIR to not prepend TZDIR to file names; this has
++#	security implications and is not recommended for general use
+ #  -DTHREAD_SAFE to make localtime.c thread-safe, as POSIX requires;
+ #	not needed by the main-program tz code, which is single-threaded.
+ #	Append other compiler flags as needed, e.g., -pthread on GNU/Linux.
+@@ -394,13 +408,19 @@
+ SAFE_CHARSET=	$(SAFE_CHARSET1)$(SAFE_CHARSET2)$(SAFE_CHARSET3)
+ SAFE_CHAR=	'[]'$(SAFE_CHARSET)'-]'
+ 
++# Non-ASCII non-letters that OK_CHAR allows, as these characters are
++# useful in commentary.  XEmacs 21.5.34 displays them correctly,
++# presumably because they are Latin-1.
++UNUSUAL_OK_CHARSET= °±½¾×
++
+ # OK_CHAR matches any character allowed in the distributed files.
+-# This is the same as SAFE_CHAR, except that multibyte letters are
+-# also allowed so that commentary can contain people's names and quote
+-# non-English sources.  For non-letters the sources are limited to
+-# ASCII renderings for the convenience of maintainers whose text editors
+-# mishandle UTF-8 by default (e.g., XEmacs 21.4.22).
+-OK_CHAR=	'[][:alpha:]'$(SAFE_CHARSET)'-]'
++# This is the same as SAFE_CHAR, except that UNUSUAL_OK_CHARSET and
++# multibyte letters are also allowed so that commentary can contain a
++# few safe symbols and people's names and can quote non-English sources.
++# Other non-letters are limited to ASCII renderings for the
++# convenience of maintainers using XEmacs 21.5.34, which by default
++# mishandles Unicode characters U+0100 and greater.
++OK_CHAR=	'[][:alpha:]$(UNUSUAL_OK_CHARSET)'$(SAFE_CHARSET)'-]'
+ 
+ # SAFE_LINE matches a line of safe characters.
+ # SAFE_SHARP_LINE is similar, except any OK character can follow '#';
+@@ -462,10 +482,12 @@
+ ZONETABLES=	zone1970.tab zone.tab
+ TABDATA=	iso3166.tab $(TZDATA_TEXT) $(ZONETABLES)
+ LEAP_DEPS=	leapseconds.awk leap-seconds.list
+-TZDATA_ZI_DEPS=	zishrink.awk version $(TDATA) $(PACKRATDATA)
++TZDATA_ZI_DEPS=	ziguard.awk zishrink.awk version $(TDATA) $(PACKRATDATA)
++DSTDATA_ZI_DEPS= ziguard.awk $(TDATA) $(PACKRATDATA)
+ DATA=		$(TDATA_TO_CHECK) backzone iso3166.tab leap-seconds.list \
+ 			leapseconds yearistype.sh $(ZONETABLES)
+-AWK_SCRIPTS=	checklinks.awk checktab.awk leapseconds.awk zishrink.awk
++AWK_SCRIPTS=	checklinks.awk checktab.awk leapseconds.awk \
++			ziguard.awk zishrink.awk
+ MISC=		$(AWK_SCRIPTS) zoneinfo2tdf.pl
+ TZS_YEAR=	2050
+ TZS=		to$(TZS_YEAR).tzs
+@@ -499,7 +521,8 @@
+ 
+ SHELL=		/bin/sh
+ 
+-all:		tzselect yearistype zic zdump libtz.a $(TABDATA)
++all:		tzselect yearistype zic zdump libtz.a $(TABDATA) \
++		  vanguard.zi main.zi rearguard.zi
+ 
+ ALL:		all date $(ENCHILADA)
+ 
+@@ -534,11 +557,15 @@
+ 		printf '%s\n' "$$V" >$@.out
+ 		mv $@.out $@
+ 
+-# This file can be tailored by setting BACKWARD, PACKRATDATA, etc.
+-tzdata.zi:	$(TZDATA_ZI_DEPS)
++# These files can be tailored by setting BACKWARD, PACKRATDATA, etc.
++vanguard.zi main.zi rearguard.zi: $(DSTDATA_ZI_DEPS)
++		$(AWK) -v outfile='$@' -f ziguard.awk $(TDATA) $(PACKRATDATA) \
++		  >$@.out
++		mv $@.out $@
++tzdata.zi:	$(DATAFORM).zi version
+ 		version=`sed 1q version` && \
+ 		  LC_ALL=C $(AWK) -v version="$$version" -f zishrink.awk \
+-		    $(TDATA) $(PACKRATDATA) >$@.out
++		    $(DATAFORM).zi >$@.out
+ 		mv $@.out $@
+ 
+ version.h:	version
+@@ -614,19 +641,29 @@
+ 
+ zones:		$(REDO)
+ 
++# dummy.zd is not a real file; it is mentioned here only so that the
++# top-level 'make' does not have a syntax error.
++ZDS = dummy.zd
++# Rule used only by submakes invoked by the $(TZS_NEW) rule.
++# It is separate so that GNU 'make -j' can run instances in parallel.
++$(ZDS): zdump
++		./zdump -i -c $(TZS_YEAR) '$(wd)/'$$(expr $@ : '\(.*\).zd') >$@
++
+ $(TZS_NEW):	tzdata.zi zdump zic
+-		mkdir -p tzs.dir
++		rm -fr tzs.dir
++		mkdir tzs.dir
+ 		$(zic) -d tzs.dir tzdata.zi
+ 		$(AWK) '/^L/{print "Link\t" $$2 "\t" $$3}' \
+ 		   tzdata.zi | LC_ALL=C sort >$@.out
+ 		wd=`pwd` && \
+-		zones=`$(AWK) -v wd="$$wd" \
+-				'/^Z/{print wd "/tzs.dir/" $$2}' tzdata.zi \
+-			 | LC_ALL=C sort` && \
+-		./zdump -i -c $(TZS_YEAR) $$zones >>$@.out
+-		sed 's,^TZ=".*tzs\.dir/,TZ=",' $@.out >$@.sed.out
+-		rm -fr tzs.dir $@.out
+-		mv $@.sed.out $@
++		set x `$(AWK) '/^Z/{print "tzs.dir/" $$2 ".zd"}' tzdata.zi \
++			| LC_ALL=C sort -t . -k 2,2` && \
++		shift && \
++		ZDS=$$* && \
++		$(MAKE) wd="$$wd" TZS_YEAR=$(TZS_YEAR) ZDS="$$ZDS" $$ZDS && \
++		sed 's,^TZ=".*tzs\.dir/,TZ=",' $$ZDS >>$@.out
++		rm -fr tzs.dir
++		mv $@.out $@
+ 
+ # If $(TZS) does not already exist (e.g., old-format tarballs), create it.
+ # If it exists but 'make check_tzs' fails, a maintainer should inspect the
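Review bot: In the new $(ZDS) recipe the working directory is spliced into the shell command as '$(wd)/', so a build path that contains a single quote closes the quoting early and the remainder of the path is parsed by the shell as command text. The removed version handed the same value to awk as a double-quoted shell variable (-v wd="$$wd"). Suggest passing wd to the submake through the environment and expanding it in the recipe as a double-quoted shell variable rather than as make text. The dummy.zd placeholder is explained well by its comment; it would be worth adding that invoking it directly at the top level is not supported, since wd is empty there.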
+@@ -669,8 +706,10 @@
+ 		sharp='#' && \
+ 		! grep -Env $(SAFE_LINE) $(MANS) date.1 $(MANTXTS) \
+ 			$(MISC) $(SOURCES) $(WEB_PAGES) \
+-			CONTRIBUTING LICENSE Makefile README \
++			CONTRIBUTING LICENSE README \
+ 			version tzdata.zi && \
++		! grep -Env $(SAFE_LINE)'|^UNUSUAL_OK_CHARSET='$(OK_CHAR)'*$$' \
++			Makefile && \
+ 		! grep -Env $(SAFE_SHARP_LINE) $(TDATA_TO_CHECK) backzone \
+ 			leapseconds yearistype.sh zone.tab && \
+ 		! grep -Env $(OK_LINE) $(ENCHILADA); \
+@@ -702,7 +741,7 @@
+ 		$(AWK) '/^[^#]/ $(CHECK_CC_LIST)' zone1970.tab | \
+ 		  LC_ALL=C sort -cu
+ 
+-check_links:	checklinks.awk $(TDATA_TO_CHECK)
++check_links:	checklinks.awk $(TDATA_TO_CHECK) tzdata.zi
+ 		$(AWK) -f checklinks.awk $(TDATA_TO_CHECK)
+ 		$(AWK) -f checklinks.awk tzdata.zi
+ 
+@@ -720,17 +759,26 @@
+ check_web:	tz-how-to.html
+ 		$(VALIDATE_ENV) $(VALIDATE) $(VALIDATE_FLAGS) tz-how-to.html
+ 
+-# Check that tzdata.zi generates the same binary data that its sources do.
+-check_zishrink: tzdata.zi zic leapseconds $(PACKRATDATA) $(TDATA)
++# Check that zishrink.awk does not alter the data, and that ziguard.awk
++# preserves main-format data.
++check_zishrink: zic leapseconds $(PACKRATDATA) $(TDATA) \
++		  $(DATAFORM).zi tzdata.zi
+ 		for type in posix right; do \
+-		  mkdir -p time_t.dir/$$type time_t.dir/$$type-shrunk && \
++		  mkdir -p time_t.dir/$$type time_t.dir/$$type-t \
++		    time_t.dir/$$type-shrunk && \
+ 		  case $$type in \
+ 		    right) leap='-L leapseconds';; \
+ 	            *) leap=;; \
+ 		  esac && \
+-		  $(ZIC) $$leap -d time_t.dir/$$type $(TDATA) && \
+-		  $(AWK) '/^Rule/' $(TDATA) | \
+-		    $(ZIC) $$leap -d time_t.dir/$$type - $(PACKRATDATA) && \
++		  $(ZIC) $$leap -d time_t.dir/$$type $(DATAFORM).zi && \
++		  case $(DATAFORM) in \
++		    main) \
++		      $(ZIC) $$leap -d time_t.dir/$$type-t $(TDATA) && \
++		      $(AWK) '/^Rule/' $(TDATA) | \
++			$(ZIC) $$leap -d time_t.dir/$$type-t - \
++			  $(PACKRATDATA) && \
++		      diff -r time_t.dir/$$type time_t.dir/$$type-t;; \
++		  esac && \
+ 		  $(ZIC) $$leap -d time_t.dir/$$type-shrunk tzdata.zi && \
+ 		  diff -r time_t.dir/$$type time_t.dir/$$type-shrunk || exit; \
+ 		done
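Review bot: check_zishrink still creates its scratch trees with `mkdir -p time_t.dir/...`, so output left behind by an earlier run (for example one made with a different DATAFORM) stays in place and takes part in the `diff -r` comparisons. The $(TZS_NEW) rule in this same patch was changed to `rm -fr tzs.dir` followed by a plain `mkdir` for exactly that reason; suggest doing the same for time_t.dir at the top of this recipe unless the cleanup happens in lines outside this hunk. Also note that the `case $(DATAFORM)` block has no branch for vanguard or rearguard, so for those formats the only check is shrunk-versus-unshrunk; the comment above the rule says this, but a `*) ;;` arm would make the intent explicit.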
+@@ -740,7 +788,7 @@
+ 		rm -f core *.o *.out \
+ 		  date tzselect version.h zdump zic yearistype libtz.a
+ clean:		clean_misc
+-		rm -fr *.dir tzdata.zi tzdb-*/ $(TZS_NEW)
++		rm -fr *.dir *.zi tzdb-*/ $(TZS_NEW)
+ 
+ maintainer-clean: clean
+ 		@echo 'This command is intended for maintainers to use; it'
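Review bot: The clean recipe now removes `*.zi` instead of the single generated file tzdata.zi, which deletes every .zi file in the build directory, including any a downstream packager placed there by hand. Suggest listing the generated names explicitly (vanguard.zi main.zi rearguard.zi tzdata.zi) so that `make clean` only removes what this Makefile creates.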
+@@ -856,6 +904,9 @@
+ 		VERSION=`cat version` && \
+ 		$(MAKE) VERSION="$$VERSION" $@_version
+ 
++# These *_version rules are intended for use if VERSION is set by some
++# other means.  Ordinarily these rules are used only by the above
++# non-_version rules, which set VERSION on the 'make' command line.
+ tarballs_version: traditional_tarballs_version tzdb-$(VERSION).tar.lz
+ traditional_tarballs_version: \
+   tzcode$(VERSION).tar.gz tzdata$(VERSION).tar.gz
+@@ -917,13 +968,17 @@
+ .KEEP_STATE:
+ 
+ .PHONY: ALL INSTALL all
+-.PHONY: check check_character_set check_links
++.PHONY: check check_character_set check_links check_name_lengths
+ .PHONY: check_public check_sorted check_tables
+ .PHONY: check_time_t_alternatives check_tzs check_web check_white_space
+ .PHONY: check_zishrink
+-.PHONY: clean clean_misc force_tzs
++.PHONY: clean clean_misc dummy.zd force_tzs
+ .PHONY: install install_data maintainer-clean names
+ .PHONY: posix_only posix_packrat posix_right
+ .PHONY: public right_only right_posix signatures signatures_version
+-.PHONY: tarballs tarballs_version typecheck
++.PHONY: tarballs tarballs_version
++.PHONY: traditional_signatures traditional_signatures_version
++.PHONY: traditional_tarballs traditional_tarballs_version
++.PHONY: typecheck
+ .PHONY: zonenames zones
++.PHONY: $(ZDS)
+--- contrib/tzdata/NEWS.orig
++++ contrib/tzdata/NEWS
+@@ -1,9 +1,146 @@
+ News for the tz database
+ 
++Release 2018d - 2018-03-22 07:05:46 -0700
++
++  Briefly:
++
++  Palestine starts DST a week earlier in 2018.
++  Add support for vanguard and rearguard data consumers.
++  Add subsecond precision to source data format, though not to data.
++
++  Changes to future time stamps
++
++    In 2018, Palestine starts DST on March 24, not March 31.
++    Adjust future predictions accordingly.  (Thanks to Sharef Mustafa.)
++
++  Changes to past and future time stamps
++
++    Casey Station in Antarctica changed from +11 to +08 on 2018-03-11
++    at 04:00.  (Thanks to Steffen Thorsen.)
++
++  Changes to past time stamps
++
++    Historical transitions for Uruguay, represented by
++    America/Montevideo, have been updated per official legal documents,
++    replacing previous data mainly originating from the inventions of
++    Shanks & Pottenger.  This has resulted in adjustments ranging from
++    30 to 90 minutes in either direction over at least two dozen
++    distinct periods ranging from one day to several years in length.
++    A mere handful of pre-1991 transitions are unaffected; data since
++    then has come from more reliable contemporaneous reporting.  These
++    changes affect various timestamps in 1920-1923, 1936, 1939,
++    1942-1943, 1959, 1966-1970, 1972, 1974-1980, and 1988-1990.
++    Additionally, Uruguay's pre-standard-time UT offset has been
++    adjusted westward by 7 seconds, from UT-03:44:44 to UT-03:44:51, to
++    match the location of the Observatory of the National Meteorological
++    Institute in Montevideo.
++    (Thanks to Jeremie Bonjour, Tim Parenti, and Michael Deckers.)
++
++    Enderbury and Kiritimati skipped New Year's Eve 1994, not
++    New Year's Day 1995.  (Thanks to Kerry Shetline.)
++
++    Fix the 1912-01-01 transition for Portugual and its colonies.
++    This transition was at 00:00 according to the new UT offset, not
++    according to the old one.  Also assume that Cape Verde switched on
++    the same date as the rest, not in 1907.  This affects
++    Africa/Bissau, Africa/Sao_Tome, Asia/Macau, Atlantic/Azores,
++    Atlantic/Cape_Verde, Atlantic/Madeira, and Europe/Lisbon.
++    (Thanks to Michael Deckers.)
++
++    Fix an off-by-1 error for pre-1913 timestamps in Jamaica and in
++    Turks & Caicos.
++
++  Changes to past time zone abbreviations
++
++    MMT took effect in Uruguay from 1908-06-10, not 1898-06-28.  There
++    is no clock change associated with the transition.
++
++  Changes to build procedure
++
++    The new DATAFORM macro in the Makefile lets the installer choose
++    among three source data formats.  The idea is to lessen downstream
++    disruption when data formats are improved.
++
++    * DATAFORM=vanguard installs from the latest, bleeding-edge
++      format.  DATAFORM=main (the default) installs from the format
++      used in the 'africa' etc. files.  DATAFORM=rearguard installs
++      from a trailing-edge format.  Eventually, elements of today's
++      vanguard format should move to the main format, and similarly
++      the main format's features should eventually move to the
++      rearguard format.
++
++    * In the current version, the main and rearguard formats are
++      identical and match that of 2018c, so this change does not
++      affect default behavior.  The vanguard format currently contains
++      one feature not in the main format: negative SAVE values.  This
++      improves support for Ireland, which uses Irish Standard Time
++      (IST, UTC+01) in summer and GMT (UTC) in winter.  tzcode has
++      supported negative SAVE values for decades, and this feature
++      should move to the main format soon.  However, it will not move
++      to the rearguard format for quite some time because some
++      downstream parsers do not support it.
++
++    * The build procedure constructs three files vanguard.zi, main.zi,
++      and rearguard.zi, one for each format.  The files represent the
++      same data as closely as the formats allow.  These three files
++      are intended for downstream data consumers and are not
++      installed.  Zoneinfo parsers that do not support negative SAVE values
++      should start using rearguard.zi, so that they will be unaffected
++      when the negative-DST feature moves from vanguard to main.
++      Bleeding-edge Zoneinfo parsers that support the new features
++      already can use vanguard.zi; in this respect, current tzcode is
++      bleeding-edge.
++
++    The Makefile should now be safe for parallelized builds, and 'make
++    -j to2050new.tzs' is now much faster on a multiprocessor host
++    with GNU Make.
++
++    When built with -DSUPPRESS_TZDIR, the tzcode library no longer
++    prepends TZDIR/ to file names that do not begin with '/'.  This is
++    not recommended for general use, due to its security implications.
++    (From a suggestion by Manuela Friedrich.)
++
++  Changes to code
++
++    zic now accepts subsecond precision in expressions like
++    00:19:32.13, which is approximately the legal time of the
++    Netherlands from 1835 to 1937.  However, because it is
++    questionable whether the few recorded uses of non-integer offsets
++    had subsecond precision in practice, there are no plans for tzdata
++    to use this feature.  (Thanks to Steve Allen for pointing out
++    the limitations of historical data in this area.)
++
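Review bot: The "Changes to build procedure" entry for -DSUPPRESS_TZDIR says the option is "not recommended for general use, due to its security implications" without stating what they are, and nothing in the visible part of this patch shows whether the FreeBSD build defines it. Since the entry describes the library no longer prepending TZDIR/ to names that do not begin with '/', the accompanying errata notice should say explicitly whether the base system is built with that flag, so readers applying EN-18:03 can tell that file-name handling for TZ is unchanged for them. The diff is cut off at this point, so the rest of the NEWS hunk could not be reviewed.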

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


