From owner-freebsd-security@freebsd.org  Wed Aug  7 17:06:20 2019
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 623B3B13EF
 for <freebsd-security@mailman.nyi.freebsd.org>;
 Wed,  7 Aug 2019 17:06:20 +0000 (UTC) (envelope-from mike@sentex.net)
Received: from pyroxene.sentex.ca (unknown [IPv6:2607:f3e0:0:3::18])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "pyroxene.sentex.ca",
 Issuer "Let's Encrypt Authority X3" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 463dFS1z0Kz41t2
 for <freebsd-security@freebsd.org>; Wed,  7 Aug 2019 17:06:20 +0000 (UTC)
 (envelope-from mike@sentex.net)
Received: from [192.168.43.26] ([192.168.43.26])
 by pyroxene.sentex.ca (8.15.2/8.15.2) with ESMTP id x77H6ITg057233
 for <freebsd-security@freebsd.org>; Wed, 7 Aug 2019 13:06:18 -0400 (EDT)
 (envelope-from mike@sentex.net)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2
To: freebsd-security@freebsd.org
References: <20190806183211.EE35BEE16@freefall.freebsd.org>
From: Mike Tancsa <mike@sentex.net>
Openpgp: preference=signencrypt
Autocrypt: addr=mike@sentex.net; prefer-encrypt=mutual; keydata=
 mQENBEzcA24BCACpwI/iqOrs0GfQSfhA1v6Z8AcXVeGsRyKEKUpxoOYxXWc2z3vndbYlIP6E
 YJeifzKhS/9E+VjhhICaepLHfw865TDTUPr5D0Ed+edSsKjlnDtb6hfNJC00P7eoiuvi85TW
 F/gAxRY269A5d856bYrzLbkWp2lKUR3Bg6NnORtflGzx9ZWAltZbjYjjRqegPv0EQNYcHqWo
 eRpXilEo1ahT6nmOU8V7yEvT2j4wlLcQ6qg7w+N/vcBvyd/weiwHU+vTQ9mT61x5/wUrQhdw
 2gJHeQXeDGMJV49RT2EEz+QVxaf477eyWsdQzPVjAKRMT3BVdK8WvpYAEfBAbXmkboOxABEB
 AAG0HG1pa2UgdGFuY3NhIDxtaWtlQHNlbnRleC5jYT6JATgEEwECACIFAkzcA24CGwMGCwkI
 BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJXHwM2kc8rX+sMH/2V6pTBKsQ5mpWWLgs6wVP2k
 BC+6r/YKNXv9Rw/PrC6+9hTbgA+sSjJ+8gxsCbJsOQXZrxF0x3l9oYdYfuKcwdwXFX1/FS8p
 HfBeDkmlH+dI709xT9wgrR4dS5aMmKp0scPrXPIAKiYVOHjOlNItcLYTEEWEFBepheEVsgmk
 GrNbcrHwOx/u4igUQ8vcpyXPyUki+BsftPw8ZQvBU887igh0OxaCR8AurJppQ5UQd63r81cX
 E1ZjoFoWCaGK/SjPb/OhpYpu5swoZIhOxQbn7OtakYPsDd5t2A5KhvjI8BMTnd5Go+2xsCmr
 jlIEq8Bi29gCcfQUvNiClevi13ifmnm5AQ0ETNwDbgEIALWGNJHRAhpd0A4vtd3G0oRqMBcM
 FGThQr3qORmEBTPPEomTdBaHcn+Xl+3YUvTBD/67/mutWBwgp2R5gQOSqcM7axvgMSHbKqBL
 9sd1LsLw0UT2O5AYxv3EwzhG84pwRg3XcUqvWA4lA8tIj/1q4Jzi5qOkg1zxq4W9qr9oiYK5
 bBR638JUvr3eHMaz/Nz+sDVFgwHmXZj3M6aE5Ce9reCGbvrae7H5D5PPvtT3r22X8SqfVAiO
 TFKedCf/6jbSOedPN931FJQYopj9P6b3m0nI3ZiCDVSqeyOAIBLzm+RBUIU3brzoxDhYR8pz
 CJc2sK8l6YjqivPakrD86bFDff8AEQEAAYkBHwQYAQIACQUCTNwDbgIbDAAKCRCVx8DNpHPK
 1+iQB/99aqNtez9ZTBWELj269La8ntuRx6gCpzfPXfn6SDIfTItDxTh1hrdRVP5QNGGF5wus
 N4EMwXouskva1hbFX3Pv72csYSxxEJXjW16oV8WK4KjKXoskLg2RyRP4uXqL7Mp2ezNtVY5F
 9nu3fj4ydpHCSaqKy5xd70A8D50PfZsFgkrsa5gdQhPiGGEdxhq/XSeAAnZ4uVLJKarH+mj5
 MEhgZPEBWkGrbDZpezl9qbFcUem/uT9x8FYT/JIztMVh9qDcdP5tzANW5J7nvgXjska+VFGY
 ryZK4SPDczh74mn6GI/+RBi7OUzXXPgpPBrhS5FByjwCqjjsSpTjTds+NGIY
Organization: Sentex Communications
Message-ID: <d172247e-1602-ade2-02e6-f9adebe18cab@sentex.net>
Date: Wed, 7 Aug 2019 13:06:17 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <20190806183211.EE35BEE16@freefall.freebsd.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Rspamd-Queue-Id: 463dFS1z0Kz41t2
X-Spamd-Bar: ------
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-6.98 / 15.00];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 NEURAL_HAM_LONG(-1.00)[-0.995,0]; REPLY(-4.00)[];
 NEURAL_HAM_SHORT(-0.98)[-0.981,0]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2019 17:06:20 -0000


Does anyone have any more details about the implication of this ? e.g.
does a daemon need to be listening on a target device ? Is it merely the
act of forwarding such packets ? Can a non root user open such a daemon ?
Thanks,

    ---Mike


> =============================================================================
> FreeBSD-SA-19:19.mldv2                                      Security
> Advisory
>                                                           The FreeBSD
> Project
>
> Topic:          ICMPv6 / MLDv2 out-of-bounds memory access
> MLDv2 is the Multicast Listener Discovery protocol, version 2.  It is used
> by IPv6 routers to discover multicast listeners.
>
> II.  Problem Description
>
> The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
> query packet is internally fragmented across multiple mbufs.
>
> III. Impact
>
> A remote attacker may be able to cause an out-of-bounds read or write that
> may cause the kernel to attempt to access an unmapped page and
> subsequently
> panic.