From owner-svn-doc-all@freebsd.org Wed May 4 22:52:57 2016 Return-Path: Delivered-To: svn-doc-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1EF74B2DD4C; Wed, 4 May 2016 22:52:57 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DB8841486; Wed, 4 May 2016 22:52:56 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u44MquEQ060445; Wed, 4 May 2016 22:52:56 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u44Mqs6O060430; Wed, 4 May 2016 22:52:54 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201605042252.u44Mqs6O060430@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f From: Gleb Smirnoff Date: Wed, 4 May 2016 22:52:54 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r48779 - in head/share: security/advisories security/patches/EN-16:06 security/patches/EN-16:07 security/patches/EN-16:08 security/patches/SA-16:06 security/patches/SA-16:17 xml X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 May 2016 22:52:57 -0000 Author: glebius (src committer) Date: Wed May 4 22:52:54 2016 New Revision: 48779 URL: https://svnweb.freebsd.org/changeset/doc/48779 Log: Publish todays advisory and notices: - SA-16:17.openssl - EN-16:06.libc - EN-16:07.ipi - EN-16:08.zfs Approved by: so Added: head/share/security/advisories/FreeBSD-EN-16:06.libc.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-16:07.ipi.asc (contents, props changed) head/share/security/advisories/FreeBSD-EN-16:08.zfs.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-16:17.openssl.asc (contents, props changed) head/share/security/patches/EN-16:06/ head/share/security/patches/EN-16:07/ head/share/security/patches/EN-16:07/ipi.patch (contents, props changed) head/share/security/patches/EN-16:07/ipi.patch.asc (contents, props changed) head/share/security/patches/EN-16:08/ head/share/security/patches/EN-16:08/zfs.patch (contents, props changed) head/share/security/patches/EN-16:08/zfs.patch.asc (contents, props changed) head/share/security/patches/SA-16:06/libc.patch (contents, props changed) head/share/security/patches/SA-16:06/libc.patch.asc (contents, props changed) head/share/security/patches/SA-16:17/ head/share/security/patches/SA-16:17/openssl-10.patch (contents, props changed) head/share/security/patches/SA-16:17/openssl-10.patch.asc (contents, props changed) head/share/security/patches/SA-16:17/openssl-9.patch (contents, props changed) head/share/security/patches/SA-16:17/openssl-9.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-16:06.libc.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:06.libc.asc Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:06.libc Errata Notice + The FreeBSD Project + +Topic: Performance regression in libc hash(3) + +Category: core +Module: libc / hash(3) +Announced: 2016-05-04 +Credits: Bryan Drewery, Baptiste Daroussin +Affects: FreeBSD 10.3-RELEASE +Corrected: 2016-04-13 01:54:36 UTC (stable/10, 10.3-STABLE) + 2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security branches, +and the following sections, please visit +. + +I. Background + +The dbopen(3) with DB_HASH allows reading and writing to database files +in the hash(3) format. Examples of such files are the system master +passwd and services databases in /etc. In FreeBSD 10.3 operations +using dbopen(3) were fixed to always call fsync(2) on their files when +writing to ensure they were consistent after a power loss. This was +mostly noticeable for the user and group database files after using +pw, vipw, chpass, etc. + +II. Problem Description + +The changes in FreeBSD 10.3 to use fsync(2) were improperly extended to +operations that were read-only. + +III. Impact + +This could manifest as extreme slowdowns in operations that read from one +of these files, such as the user database. It was especially noticeable +during the use of "pkg install" since it reads from the user database. It +could also incur excessive I/O writes to these files if the file system +was not mounted with noatime which could lessen the lifetime of SSD. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.3] +# fetch https://security.FreeBSD.org/patches/EN-16:06/libc.patch +# fetch https://security.FreeBSD.org/patches/EN-16:06/libc.patch.asc +# gpg --verify libc.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r297904 +releng/10.3/ r299066 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this Errata Notice is available at +https://security.FreeBSD.org/advisories/FreeBSD-EN-16:06.libc.asc +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJXKj2JAAoJEO1n7NZdz2rnAqUQAKQmHsqyFPwl+yva/Is8U0Z+ +iuMnGAa9zp422ESLF8wczAYIQxv2wNuPAupuZGdDD5vnt8AJNEhs84xq9RW63AxM +V1YQAsNzMTeP4xhGJbrLXPgS5tgB59Rwj0OmIjrbyi4rmDMVGl0Ok0XRr+L+c9KV +dZhUSTmtlR005887aEoUe7Ujnqn4TljijaK/mD2YhGoE5Xkx5yOzJoO3ajCkyY61 +qSFVDqKP+pGgazt9gXpf7vtj4tw+TUqCMH3lj+LF4I7QfbAATYqwXo6pPVxSdZAY +D8qFR7h31Rpb7ImnSLiULGkZvV5cJrbHJQR63ty1WF6y5qur1La4EfTDDhqqkz3I +hvC8PCgAu11E55TsDeFUAFibjWZZvcqoYG3taWAKc9JlOHd5+cKoXVAzGTX4a/B7 +V0r5WH9AmmcodE7oRo90yFhUuv28G9T/z7a7bihaD6Cu2+3C7ez9f8cyD2x/FYJV +Y7wF3Ey4faybuaXBmxrbq3aJQYPe4knfvigmLoJNbCgIutvCiDVue/BxXaZ97Zc3 +RxPx7+SQo18R83u/iGgYIgs5MAsLLDphwETQhAi8ZUsSO/YVb4Od0ScCHaHC/byp +CdSC7DW56wiqYYyFjAe5/MQIIv8cvNLtekiaiUhAf36DrstglbSwOTw7x2kMcguk +KLNONz99Am4A/sIHhizX +=p2R6 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-16:07.ipi.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:07.ipi.asc Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,125 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:07.ipi Errata Notice + The FreeBSD Project + +Topic: Excessive latency in x86 IPI delivery + +Category: core +Module: kernel +Announced: 2016-05-04 +Credits: Stanislav Sedov +Affects: FreeBSD 10.2 and 10.3 +Corrected: 2016-04-27 19:12:49 UTC (stable/10, 10.3-STABLE) + 2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2) + 2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security branches, +and the following sections, please visit +. + +I. Background + +Each CPU in an x86 system contains an interrupt controller (local APIC) +used to handle both external interrupts and inter-processor-interrupts +(IPIs). + +II. Problem Description + +In xAPIC mode, the local APIC can only queue a single IPI at a time. If +a previously queued IPI is still pending when a CPU attempts to send an +IPI, it spins waiting for the previous IPI to complete. A change merged +prior to 10.2-RELEASE altered this loop to check the state of the previous +IPI once every 5 microseconds rather than constantly polling. + +III. Impact + +Checking the status of the previous IPI once every 5 microseconds could +introduce 5 microsecond delays when sending IPIs. This could increase the +latency of various scheduling operations reducing performance. + +IV. Workaround + +No workaround is available, but non-x86 systems are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your present system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:07/ipi.patch +# fetch https://security.FreeBSD.org/patches/EN-16:07/ipi.patch.asc +# gpg --verify ipi.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r298715 +releng/10.2/ r299067 +releng/10.3/ r299066 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this Errata Notice is available at +https://security.FreeBSD.org/advisories/FreeBSD-EN-16:07.ipi.asc +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJXKj3tAAoJEO1n7NZdz2rnbpMP/R/Xetx8IFIeP4Ez9IYvQPXM +ylnDZiLn0AP2AW5Wn4Dxa6SyfrTGYOpjMSGFtxu6JqPczFYhYY0fYVkdwLqPu0DS +2Q9xGLJ0hedVa+aPbDyoS6Zafe2VElFjcpHm+y3qaaAhLoQNolMd+3bj0sezxzb/ +mVJZq1vHzFKU84vmiBXb6zF6lcwJgEqbdeLyLT+y+p42Sne9/k6QIUPUQPZKciu/ +gs3RH3/0NhNWyXRl8ISjU0uJB3SHFZTbbfRSoX/0pE0FGaaYue9UeOEAzsBi5O6x +apF5euq6o6QSzH1MQaPj1hApreUY4TCS+/2ZSjKGTOZAOP9CkIjm/U89G5cw+dH4 +Bs4jV4q0H1Pc3jHGP/Y0NyPDA7XrmNUjhw//8WodchqyeHkrSboy4K2Cd5AFS03e +dM4fUz1ybTWYTAuHejKIN7yPKo1MsI7tX55fYXZtZ9iA+JhTYGBuJEoBVqlDiSte +RcfYWjMY45srf5lPwTjauuHFjsfgvHwxuxyQyKPV+uysq9y7E2E6hypBYZ0SJNaz +W6fEAyUFv8rM6qMxtANuuOVDDrRTYq/FId5AhMMheK9AONA3XcvL9otMqw5HMBtg +kzOoQ0JJKUbDow8sy9mjtM0cOgoNvmfRlUuLXxV26swXEHZ4la0o16mNVEzo10Z9 +mlbeuHCqBP25eT/TzQG4 +=XoQ4 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-16:08.zfs.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:08.zfs.asc Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:08.zfs Errata Notice + The FreeBSD Project + +Topic: Memory leak in ZFS + +Category: contrib +Module: zfs +Announced: 2016-05-04 +Credits: Eric Borisch +Affects: All supported versions of FreeBSD. +Corrected: 2016-03-18 13:32:00 UTC (stable/10, 10.3-STABLE) + 2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2) + 2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16) + 2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33) + 2016-03-18 13:32:37 UTC (stable/9, 9.3-STABLE) + 2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ZFS is one of several filesystems available on FreeBSD. ZFS supports many +advanced features, including snapshots, which provides a frozen read-only +image of file system at a given time. + +File system snapshots can be accessed under the .zfs/snapshot directory +in the root of the file system. + +II. Problem Description + +There is a memory leak in the error path when mounting a snapshot via the +automatic .zfs/snapshot directory, which can be triggered when the snapshot +was once mounted, but later deleted by the system administrator. + +III. Impact + +A local user may be able to trigger the memory leak multiple times and +eventually exhaust kernel memory, if the user knows a snapshot and access +it before the system administrator deletes it. + +IV. Workaround + +No workaround is available, but systems that do not use ZFS snapshots are +not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Reboot is required. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Reboot is required. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:08/zfs.patch +# fetch https://security.FreeBSD.org/patches/EN-16:08/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r297022 +releng/9.3/ r299068 +stable/10/ r297021 +releng/10.1/ r299068 +releng/10.2/ r299067 +releng/10.3/ r299066 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJXKk4dAAoJEO1n7NZdz2rnscQQAODmJLkUgi8YgTP32IuWyz+N +mX/g5HNKGWP7COTzsoIFrGZ1l+BqWwqcX9cSR1K3fFOYSDPPgug3qMHdfg63RIsm +G9sJRQ/XdsUC6436UYGe3ElZyqKUjrKSPW2pA95AYVWMiJTJwly+Vd6UqDadLKmA +HyebF2uh5HR7JpkTyw9lT6uN4FHTIF6NfKruap3m+NNCMw64w4bILwOLuylvxT+0 +fiPJRlZ5X+I9lRM7QqO8m/S4AYAHeFAu/GG8GDPR2kO6ZuW2iuIQg04tfv8JmHgG +4074OkCo7etJ6qq59EC1Y7k6TpuNDuiTNtTpn5DnOWVCaduZnGxZo0FhKhZg7b0K +D4uJkXF8aSTi4Y9rp4ynEP+d1NJD7B5dLnI5R3P3EGuGKhigymI0QlT+iDy/UGLT +rG1Hx9Tsq1CsrpUe6/Go6Daqt4VxW/WYtOULDZBoVaIhhKk5H4gV1Yj66MUAsPhZ +Fe+hMnehYdCcKlSYrlCaF6MTosAafhzyTgxDKehgc0K1RPxHXOME98NF76erU1Vx +62P7sdq3JrYFNg+9TUkyjaYnhc5XrHtShzCJxcMKm0NMNm7nWfyYYVwvBYpflSUI +AE1VGcgAAlnH/yLnJPJL1BY6hfjsA2wPO+vituxOGDKCvSuUdWCV1baAW9ySmG4K +Pgle9/Qvg/BNvtVL3dvv +=PzFd +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:17.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:17.openssl.asc Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,178 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:17.openssl Security Advisory + The FreeBSD Project + +Topic: Multiple OpenSSL vulnerabilities + +Category: contrib +Module: openssl +Announced: 2016-05-04 +Credits: OpenSSL Project +Affects: All supported versions of FreeBSD. +Corrected: 2016-05-03 18:54:20 UTC (stable/10, 10.3-STABLE) + 2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2) + 2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16) + 2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33) + 2016-05-04 06:53:02 UTC (stable/9, 9.3-STABLE) + 2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41) +CVE Name: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, + CVE-2016-2176 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +The padding check in AES-NI CBC MAC was rewritten to be in constant time +by making sure that always the same bytes are read and compared against +either the MAC or padding bytes. But it no longer checked that there was +enough data to have both the MAC and padding bytes. [CVE-2016-2107] + +An overflow can occur in the EVP_EncodeUpdate() function which is used for +Base64 encoding of binary data. [CVE-2016-2105] + +An overflow can occur in the EVP_EncryptUpdate() function, however it is +believed that there can be no overflows in internal code due to this problem. +[CVE-2016-2106] + +When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() +a short invalid encoding can casuse allocation of large amounts of memory +potentially consuming excessive resources or exhausting memory. +[CVE-2016-2109] + +ASN1 Strings that are over 1024 bytes can cause an overread in applications +using the X509_NAME_oneline() function on EBCDIC systems. [CVE-2016-2176] +FreeBSD does not run on any EBCDIC systems and therefore is not affected. + +III. Impact + +A MITM attacker can use a padding oracle attack to decrypt traffic +when the connection uses an AES CBC cipher and the server support +AES-NI. [CVE-2016-2107] + +If an attacker is able to supply very large amounts of input data then a +length check can overflow resulting in a heap corruption. [CVE-2016-2105] + +Any application parsing untrusted data through d2i BIO functions are vulnerable +to memory exhaustion attack. [CVE-2016-2109] TLS applications are not affected. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Restart all daemons that use the library, or reboot the system. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all daemons that use the library, or reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.x] +# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch +# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch.asc +# gpg --verify openssl-10.patch.asc + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patc +# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patch.asc +# gpg --verify openssl-9.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r299053 +releng/9.3/ r299068 +stable/10/ r298999 +releng/10.1/ r299068 +releng/10.2/ r299067 +releng/10.3/ r299066 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + + + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJXKjuIAAoJEO1n7NZdz2rneZoP/jqsWr9q5MkCel2aZzfmSVhU +8CjzPwm3t48ibZqrkolAak4dbjJGhidUM/S83BvIcCdtKWyoG8D0fzemB7bBIP2L +fqvd1314vuy82CgZlAyJIqzokckUPfyHhTAz9FPZW46f8A+s8znzJcaaD81tt1Xe +qg9JZ61e2DZJ2NdZSJSjOpBl55gZqQq3tIwGYw027GKjiflJSvOG1n/531R4rppI +x0IZpLor7XBWuiC44hPc4yasC4khWzmdaRpqcUoWVEex8g6Il6xByS2o4AgX7kE/ +NBZ0mj4IMYZNQW4VUYbnkmLtWXJYYScboBKh4FRljNCG/t5u/YoSfOY8SbS9LT9K +KVj56C6tQRq+/frKbPt26HbqqRTFNVn3FKxJWNQ9CLzsebobXPUYATTN2NVC8gkj +S0A/lT2xnvA2YqB9HfmHOvlHS2LDv8SivJWNK4dCPOwhVm624H4qH/N+VFcwU7zc +ue+BPvDYU/czsyoJDdQoWxTdkreaOY6eLAWkYAh9dEDIkZSOxgsZR7C4th6THXMu +ybIy544elc3bf9vS4tGR552Wi9VntE0B1/LJ2la8l+MnYE6qZL1hbAYpvNyuPWVP +EDPjOc4inaMpV62fuL1UrKH1g1HMmFUnoWhC70iS+cuLeXWFdvwBFyL420Ixkd5H +zvcsfJCrazlcZ6j83Qfd +=PGTh +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-16:07/ipi.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:07/ipi.patch Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,103 @@ +--- sys/x86/x86/local_apic.c.orig ++++ sys/x86/x86/local_apic.c +@@ -56,6 +56,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -158,6 +159,9 @@ + vm_paddr_t lapic_paddr; + static u_long lapic_timer_divisor; + static struct eventtimer lapic_et; ++#ifdef SMP ++static uint64_t lapic_ipi_wait_mult; ++#endif + + static void lapic_enable(void); + static void lapic_resume(struct pic *pic, bool suspend_cancelled); +@@ -221,6 +225,9 @@ + void + lapic_init(vm_paddr_t addr) + { ++#ifdef SMP ++ uint64_t r, r1, r2, rx; ++#endif + u_int regs[4]; + int i, arat; + +@@ -275,6 +282,38 @@ + lapic_et.et_priv = NULL; + et_register(&lapic_et); + } ++ ++#ifdef SMP ++#define LOOPS 1000000 ++ /* ++ * Calibrate the busy loop waiting for IPI ack in xAPIC mode. ++ * lapic_ipi_wait_mult contains the number of iterations which ++ * approximately delay execution for 1 microsecond (the ++ * argument to native_lapic_ipi_wait() is in microseconds). ++ * ++ * We assume that TSC is present and already measured. ++ * Possible TSC frequency jumps are irrelevant to the ++ * calibration loop below, the CPU clock management code is ++ * not yet started, and we do not enter sleep states. ++ */ ++ KASSERT((cpu_feature & CPUID_TSC) != 0 && tsc_freq != 0, ++ ("TSC not initialized")); ++ r = rdtsc(); ++ for (rx = 0; rx < LOOPS; rx++) { ++ (void)lapic->icr_lo; ++ ia32_pause(); ++ } ++ r = rdtsc() - r; ++ r1 = tsc_freq * LOOPS; ++ r2 = r * 1000000; ++ lapic_ipi_wait_mult = r1 >= r2 ? r1 / r2 : 1; ++ if (bootverbose) { ++ printf("LAPIC: ipi_wait() us multiplier %ju (r %ju tsc %ju)\n", ++ (uintmax_t)lapic_ipi_wait_mult, (uintmax_t)r, ++ (uintmax_t)tsc_freq); ++ } ++#undef LOOPS ++#endif /* SMP */ + } + + /* +@@ -1381,25 +1420,20 @@ + * private to the MD code. The public interface for the rest of the + * kernel is defined in mp_machdep.c. + */ ++ ++/* ++ * Wait delay microseconds for IPI to be sent. If delay is -1, we ++ * wait forever. ++ */ + int + lapic_ipi_wait(int delay) + { +- int x; ++ uint64_t rx; + +- /* +- * Wait delay microseconds for IPI to be sent. If delay is +- * -1, we wait forever. +- */ +- if (delay == -1) { +- while ((lapic->icr_lo & APIC_DELSTAT_MASK) != APIC_DELSTAT_IDLE) +- ia32_pause(); +- return (1); +- } +- +- for (x = 0; x < delay; x += 5) { ++ for (rx = 0; delay == -1 || rx < lapic_ipi_wait_mult * delay; rx++) { + if ((lapic->icr_lo & APIC_DELSTAT_MASK) == APIC_DELSTAT_IDLE) + return (1); +- DELAY(5); ++ ia32_pause(); + } + return (0); + } Added: head/share/security/patches/EN-16:07/ipi.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:07/ipi.patch.asc Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJXKj3yAAoJEO1n7NZdz2rnv4kP/06mfaq4/iwxKgkmZ/YA1xr1 +OyeEURd20DU/z5IJrcOOM7I6t20tzTpITp4G4TirPAl+614ieFBEJLZtlLYCCnhd +02VfG9SEbqsM1ymfCrWg2FBx9YJtszL6bkWUSjlWA9dei2eomie6GyJeprfVDolD +Va+fp1FDVPmhcw8uXp9BNiCoBe/S1pd1ireMemXVwJCTwzJAcIrhMThDqTBKX9Rh +hxzd4gJBtAfppdPL0jcfjLMN3NUelRLs6AlT447lGJJeLJZTGnZNyaq6TKzHBE9E +witl2MOcaxm3SodaYq5e7CT4DZ+zfZHJ6Tc9r3RqoshlMgVk2DV6GXzcY8Z+GAjv +VeMY4shqEmApu3qIB3h/+PHN9RRPYtt4yNIAJjZt7sYWqEyAIIu4TH3UkUmdbLyg +v+Gf6CmDCoDmPsO0Yg1Ap5TrZy6NxoEXERzPOhgUaRBy7q0VKFrmLZoBw6UJ9GPu +DcS6aSxVoNgD7a/zUkrMezAtOsXD2OGcPpPOvco6JsbYqieoAZ4UGtCRSW+m7uJK +G1i1+c4sC5lqN/PxPvc05ci1RbtrjZFdYakg8Jz4rTegg44zU24ENZ+qW0k4uXUY +pm4ED1z1yozrMghOeTcFvq33j2fttfpHGtR24QCzoIMd6S9NNuCT5zTNf8PpU5aW +Tq2KDK20ywHxg8rBZdlW +=L412 +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-16:08/zfs.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:08/zfs.patch Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,10 @@ +--- sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c.orig ++++ sys/cddl/compat/opensolaris/kern/opensolaris_vfs.c +@@ -196,6 +196,7 @@ + VI_UNLOCK(vp); + vrele(vp); + vfs_unbusy(mp); ++ vfs_freeopts(mp->mnt_optnew); + vfs_mount_destroy(mp); + *vpp = NULL; + return (error); Added: head/share/security/patches/EN-16:08/zfs.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:08/zfs.patch.asc Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJXKk4gAAoJEO1n7NZdz2rnJnsQAKcsAvrU96EYdeIHQnR2AJ88 +jCHXfXDnGN+dPpHXqBwjVCM4TLTHQVdsa47sw9wWOD5hhlP53qsKmsDohV68E+nc +HSbksbOWACuLtihtiR5bwlU2NuSUF+MKH+P35yqlIC6IFLJ41XrfbPXidJz4vUH0 +1FhKGiXgHMlaCDpOxRXVKtQ05O8BvKl3kh1G2u/wM0fbdTWmK98kscc8b/abysi9 +qV88b8cDYf9Dn57moFN0GySAKxPTnn4s0IKAu6BCko/bwH9cdwJmbbktpxTZrJuS +s2z0KKO15Wb/iD1SPTF9oxetXc8kok6nTQikLBVUNA6aXCpn69CeD6X7SL4198a0 +oCXCZM1cYJDrT7V1Z/JTncF7e66UViLdFxI3v9RnpcGmsz88xjhXKv7jtv5DD+L+ +tLsCCHZqfOtNEF7mTBdm0tfZP7B+quhXCnFs4qB945q0nJ1J8s5fLsWKSFgaeYUu +nEmNpjE3EbhxzUVa3xSdbs+hwtcOdMUaOelbO5sehaFOwblO6FDNLZ7TDpU2vfNk +noo9t2OqyK6hJvm+IIZgjwnQxTS64O4ehpd3S5HZit/3ExIt3SdsF7LUuGIHskfU +ucHvK763RsxjbwTyF2M6HV8TWbn8zKdLIJ9AlSF3B3hJIqwIpTKFBF6Sm/ovGe48 +kSE51i0jjr8eRC87SB0K +=wnPD +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:06/libc.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:06/libc.patch Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,12 @@ +--- lib/libc/db/hash/hash.c.orig ++++ lib/libc/db/hash/hash.c +@@ -423,7 +423,8 @@ + free(hashp->tmp_buf); + + if (hashp->fp != -1) { +- (void)_fsync(hashp->fp); ++ if (hashp->save_file) ++ (void)_fsync(hashp->fp); + (void)_close(hashp->fp); + } + Added: head/share/security/patches/SA-16:06/libc.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:06/libc.patch.asc Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJXKj1xAAoJEO1n7NZdz2rnBE4QALyliMFWZRH6HNFUOmUzpb82 +ukBfKSS7MA2xXoFAZAGcpStuHRVg8sl21s4tGtnSa7Q9VkDzr898BG4mFlf+ZNWc +qHZqaZcQbJAJofrywklu4XCss0V9pv5WQ5TPnIaddoQs/USbbx4nZFyiY7p3XFHc +D9U30O8/QAUJO//TwHcQftbhNRJiVINWiGaNlKzf/tW5LipkA+GuMrLjqodA0FjN +nTZo469DWm26YzVKx7QH0ZobqEhK+7P/4Uo+gMLhXfBXnh+EX4P1w+gsYPXOhy02 +bL0MsqG9F7tpcNI6tlxjNP0V6PjMCtuEuQ0Fk4rkPEZJDq9B6dc9wY9Vxas5hQ8n +IsNkMeIfNz9plK9WFTwfOiwu9IO84J0xhHgdp4cHqbvFcDSxU+GrtYU2zmPqoxJe +uT+KqdhfC533oN6CXzKzrn+kcxx2NuBt2lIjsg8K1V1Q/ovYpopdPfTOColDdBKZ +41XBo5AdDVS1liTNTiXtjUL9A5Eb8876Be4O+yvhQiXYsRFhQ7Kw2talGLiiJWlP +MOWEtBAvkFYZPedGNnIc+dmtBQ3G2uqEd/w4ZO0tgxkL0jt2b02s9xD0Y3YU9Xtp +f/sjoxT2kWNeQ8MS+zWh2dEj9OIxAerdOZsOSJmchqNHXD3Rv+99jmK/IY78LmbZ +5+hYuoGy4zOMHFXMJ8vm +=9bAQ +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:17/openssl-10.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:17/openssl-10.patch Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,127 @@ +--- crypto/openssl/crypto/asn1/a_type.c.orig ++++ crypto/openssl/crypto/asn1/a_type.c +@@ -126,9 +126,7 @@ + result = 0; /* They do not have content. */ + break; + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + case V_ASN1_BIT_STRING: + case V_ASN1_OCTET_STRING: + case V_ASN1_SEQUENCE: +--- crypto/openssl/crypto/asn1/tasn_dec.c.orig ++++ crypto/openssl/crypto/asn1/tasn_dec.c +@@ -903,9 +903,7 @@ + break; + + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + tint = (ASN1_INTEGER **)pval; + if (!c2i_ASN1_INTEGER(tint, &cont, len)) + goto err; +--- crypto/openssl/crypto/asn1/tasn_enc.c.orig ++++ crypto/openssl/crypto/asn1/tasn_enc.c +@@ -611,9 +611,7 @@ + break; + + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + /* + * These are all have the same content format as ASN1_INTEGER + */ +--- crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c.orig ++++ crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c +@@ -59,6 +59,7 @@ + # include + # include + # include "evp_locl.h" ++# include "constant_time_locl.h" + + # ifndef EVP_CIPH_FLAG_AEAD_CIPHER + # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 +@@ -286,6 +287,8 @@ + maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); + maxpad &= 255; + ++ ret &= constant_time_ge(maxpad, pad); ++ + inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); + mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); + inp_len &= mask; +--- crypto/openssl/crypto/evp/encode.c.orig ++++ crypto/openssl/crypto/evp/encode.c +@@ -57,6 +57,7 @@ + */ + + #include ++#include + #include "cryptlib.h" + #include + +@@ -151,13 +152,13 @@ + const unsigned char *in, int inl) + { + int i, j; +- unsigned int total = 0; ++ size_t total = 0; + + *outl = 0; + if (inl <= 0) + return; + OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); +- if ((ctx->num + inl) < ctx->length) { ++ if (ctx->length - ctx->num > inl) { + memcpy(&(ctx->enc_data[ctx->num]), in, inl); + ctx->num += inl; + return; +@@ -174,7 +175,7 @@ + *out = '\0'; + total = j + 1; + } +- while (inl >= ctx->length) { ++ while (inl >= ctx->length && total <= INT_MAX) { + j = EVP_EncodeBlock(out, in, ctx->length); + in += ctx->length; + inl -= ctx->length; +@@ -183,6 +184,11 @@ + *out = '\0'; + total += j + 1; + } ++ if (total > INT_MAX) { ++ /* Too much output data! */ ++ *outl = 0; ++ return; ++ } + if (inl != 0) + memcpy(&(ctx->enc_data[0]), in, inl); + ctx->num = inl; +--- crypto/openssl/crypto/evp/evp_enc.c.orig ++++ crypto/openssl/crypto/evp/evp_enc.c +@@ -334,7 +334,7 @@ + bl = ctx->cipher->block_size; + OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); + if (i != 0) { +- if (i + inl < bl) { ++ if (bl - i > inl) { + memcpy(&(ctx->buf[i]), in, inl); + ctx->buf_len += inl; + *outl = 0; +--- crypto/openssl/crypto/x509/x509_obj.c.orig ++++ crypto/openssl/crypto/x509/x509_obj.c +@@ -117,8 +117,9 @@ + type == V_ASN1_PRINTABLESTRING || + type == V_ASN1_TELETEXSTRING || + type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { +- ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) +- ? sizeof ebcdic_buf : num); ++ if (num > (int)sizeof(ebcdic_buf)) ++ num = sizeof(ebcdic_buf); ++ ascii2ebcdic(ebcdic_buf, q, num); + q = ebcdic_buf; + } + #endif Added: head/share/security/patches/SA-16:17/openssl-10.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:17/openssl-10.patch.asc Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJXKjysAAoJEO1n7NZdz2rnmqsP/AhTL40m2kb2Ccu8prEqw2XF +glaizsxpLE5fxARZm4V/MB5s2uQk1OvhN3/im6mzfIZhLwrVnIERtMXG5cZM3fUa +kSguKkP72U2agBivBXLQgsWXWzdzwLk+boS9idUhXj8MU4o9Irrpmm4N31l2K+3A +A853HSIHfOB1R/1U9hKUPTAYnz2SVrqjtcmxAC/0m7//v5mWotR4KE/BL9x8lzUm +ZmdNc/O8HsXkZdIrMt3l4K5va20sFUEFURVhUl2drd4FAv52RK1N36d4uZ09riyU +9/dEJdln4V1HWM48Smy/spqvNBzKUPidJPXw2lfFacKqMAM8h5micvAxfwD50iUy +8noKrZyT9CfeZPGxp9iua5F86Qgco7sRyDL5vgsZQDHLDzQFA4uFgnaW1qDlci+K +qEF5gJtXHw0bezjbiAr0Z/68bcYzcEz5j4/nUmFcd2+ZTzhGY/PKCdHKwoCdvoB9 +J+XLCsvM5TN8+OFFp7Mb42fW5BuaRlOjzk1G6zUPSeHVhI6mPcoyYRXDaBudh3KV +DoX6SUFQaqm12wyheFkj0n1tNUMmBd3L5JKPWRNEMbm3kFXVlwbPq4iqKjsMVryy +wxQsdv30WXUpfwtN0XYfAkAcYh99lZB7873qSGJ+MvFPWLi7M7HhHnP46A27zHF/ +yflt63U9yT6T/apz5LCa +=sQdP +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:17/openssl-9.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:17/openssl-9.patch Wed May 4 22:52:54 2016 (r48779) @@ -0,0 +1,108 @@ +--- crypto/openssl/crypto/asn1/a_type.c.orig ++++ crypto/openssl/crypto/asn1/a_type.c +@@ -123,9 +123,7 @@ + result = 0; /* They do not have content. */ + break; + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + case V_ASN1_BIT_STRING: + case V_ASN1_OCTET_STRING: + case V_ASN1_SEQUENCE: +--- crypto/openssl/crypto/asn1/tasn_dec.c.orig ++++ crypto/openssl/crypto/asn1/tasn_dec.c +@@ -901,9 +901,7 @@ + break; + + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + tint = (ASN1_INTEGER **)pval; + if (!c2i_ASN1_INTEGER(tint, &cont, len)) + goto err; +--- crypto/openssl/crypto/asn1/tasn_enc.c.orig ++++ crypto/openssl/crypto/asn1/tasn_enc.c +@@ -610,9 +610,7 @@ + break; + + case V_ASN1_INTEGER: +- case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: +- case V_ASN1_NEG_ENUMERATED: + /* + * These are all have the same content format as ASN1_INTEGER + */ +--- crypto/openssl/crypto/evp/encode.c.orig ++++ crypto/openssl/crypto/evp/encode.c +@@ -57,6 +57,7 @@ + */ + + #include ++#include + #include "cryptlib.h" + #include + +@@ -134,13 +135,13 @@ + const unsigned char *in, int inl) + { + int i, j; +- unsigned int total = 0; ++ size_t total = 0; + + *outl = 0; + if (inl == 0) + return; + OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); +- if ((ctx->num + inl) < ctx->length) { ++ if (ctx->length - ctx->num > inl) { + memcpy(&(ctx->enc_data[ctx->num]), in, inl); + ctx->num += inl; + return; +@@ -157,7 +158,7 @@ + *out = '\0'; + total = j + 1; + } +- while (inl >= ctx->length) { ++ while (inl >= ctx->length && total <= INT_MAX) { + j = EVP_EncodeBlock(out, in, ctx->length); + in += ctx->length; + inl -= ctx->length; +@@ -166,6 +167,11 @@ + *out = '\0'; + total += j + 1; + } ++ if (total > INT_MAX) { ++ /* Too much output data! */ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***