Date: Wed, 24 Jul 2019 13:28:52 +0000 (UTC) From: Gordon Tetlow <gordon@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r53269 - in head/share: security/advisories security/patches/EN-19:13 security/patches/SA-19:12 security/patches/SA-19:13 security/patches/SA-19:14 security/patches/SA-19:15 security/pa... Message-ID: <201907241328.x6ODSqWb094555@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: gordon (src committer) Date: Wed Jul 24 13:28:52 2019 New Revision: 53269 URL: https://svnweb.freebsd.org/changeset/doc/53269 Log: Add EN-19:13 and SA-19:12 to SA-19:17. Approved by: so Added: head/share/security/advisories/FreeBSD-EN-19:13.mds.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-19:12.telnet.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-19:13.pts.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-19:14.freebsd32.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-19:16.bhyve.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-19:17.fd.asc (contents, props changed) head/share/security/patches/EN-19:13/ head/share/security/patches/EN-19:13/mds.11.patch (contents, props changed) head/share/security/patches/EN-19:13/mds.11.patch.asc (contents, props changed) head/share/security/patches/EN-19:13/mds.12.patch (contents, props changed) head/share/security/patches/EN-19:13/mds.12.patch.asc (contents, props changed) head/share/security/patches/SA-19:12/ head/share/security/patches/SA-19:12/telnet.patch (contents, props changed) head/share/security/patches/SA-19:12/telnet.patch.asc (contents, props changed) head/share/security/patches/SA-19:13/ head/share/security/patches/SA-19:13/pts.patch (contents, props changed) head/share/security/patches/SA-19:13/pts.patch.asc (contents, props changed) head/share/security/patches/SA-19:14/ head/share/security/patches/SA-19:14/freebsd32.patch (contents, props changed) head/share/security/patches/SA-19:14/freebsd32.patch.asc (contents, props changed) head/share/security/patches/SA-19:15/ head/share/security/patches/SA-19:15/mqueuefs.patch (contents, props changed) head/share/security/patches/SA-19:15/mqueuefs.patch.asc (contents, props changed) head/share/security/patches/SA-19:16/ head/share/security/patches/SA-19:16/bhyve.patch (contents, props changed) head/share/security/patches/SA-19:16/bhyve.patch.asc (contents, props changed) head/share/security/patches/SA-19:17/ head/share/security/patches/SA-19:17/fd.11.2.patch (contents, props changed) head/share/security/patches/SA-19:17/fd.11.2.patch.asc (contents, props changed) head/share/security/patches/SA-19:17/fd.11.patch (contents, props changed) head/share/security/patches/SA-19:17/fd.11.patch.asc (contents, props changed) head/share/security/patches/SA-19:17/fd.12.patch (contents, props changed) head/share/security/patches/SA-19:17/fd.12.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-19:13.mds.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-19:13.mds.asc Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,133 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:13.mds Errata Notice + The FreeBSD Project + +Topic: Kernel panic from Intel CPU vulnerability mitigation + +Category: core +Module: kernel +Announced: 2019-07-24 +Credits: Schuendehuette, Matthias + All supported versions of FreeBSD. +Corrected: 2019-07-14 05:40:03 UTC (stable/12, 12.0-STABLE) + 2019-07-24 12:50:46 UTC (releng/12.0, 12.0-RELEASE-p8) + 2019-07-14 05:41:43 UTC (stable/11, 11.2-STABLE) + 2019-07-24 12:50:46 UTC (releng/11.2, 11.2-RELEASE-p12) + 2019-07-24 12:50:46 UTC (releng/11.3, 11.3-RELEASE-p1) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +In a previous update FreeBSD added mitigations for an Intel CPU +vulnerability known as "microarchitectural data sampling." + +II. Problem Description + +Under certain configurations a pointer to the mitigation routine may be +dereferenced before it is initialized. + +III. Impact + +Depending on system configuration, version, and architecture, the system +may panic early in boot process, and thus be unusable. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Errata update" + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2, FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.11.patch +# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.11.patch.asc +# gpg --verify mds.11.patch.asc + +[FreeBSD 12.0] +# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.12.patch +# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.12.patch.asc +# gpg --verify mds.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r349983 +releng/12.0/ r350280 +stable/11/ r349985 +releng/11.2/ r350280 +releng/11.3/ r350280 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:13.mds.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WkVfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIkZA//ZbeSb2yAsux4w/nOLXQI1kfNWFT3LjVsiYS0VXCoixHr07nkDNMUv2Pn +08eP+9hy5mtgtooOjxP/aYIzR11+HZKpS/MG1x8KGAA/0TWY4EObJUTQ53UHY5+i +WStyHgKvqgeV2vuTqtjK5eAJfaTQV9huoapcQo0ngJMlbzICxN37UBZhOnSGb5HL +vRAL1AnI37LBWeZJhp3nyNatUjYfaL/HBYVpmuO9g+lgXqcFRpgIZxTNSzpDsAUb +7ARtHNUOelUoeMcMQXHbYtNOpM9c84fWxLftNsVfD3d9+GiHpklU2B++aBfzbTl3 +3lgRRk1p1p0JUNXCJy/cPb6/4SqnQRHehu1pwnJnuOM4PBpLB5HRD4WWGzM2A4Jq +SB1rLKCwfeSWPDQ0/iOs6P+UPFjqV8WvbNmQQT+oZxZH7YSm2TY9EGd8V/3wxzYo ++FeVQ+KTW+qxXTKHnNS9KGD26Xseq8S7Ft4dzIjm6hZVwSwNPBQFnPptv4b42/sQ +1sJxjKwKb7CrJJl4uf7vlIyNRHu7FrdyE9w1YlSB1yC2lX9Q/PQqVOxToGCIlhPk +JvGlPa6O4ZIkhBUKDt6XJdYrRrzlM3bV5Z1lNvW02ii7KG0pDWpzGHuUdkKIF1p0 +qHugXJ4OG+lOr5n0KKfUE66gfJV0WVUDBPCeEuBun75YG++TP2w= +=P8y6 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-19:12.telnet.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-19:12.telnet.asc Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:12.telnet Security Advisory + The FreeBSD Project + +Topic: telnet(1) client multiple vulnerabilities + +Category: contrib +Module: contrib/telnet +Announced: 2019-07-24 +Credits: Juniper Networks +Affects: All supported versions of FreeBSD. +Corrected: 2019-07-19 15:37:29 UTC (stable/12, 12.0-STABLE) + 2019-07-24 12:51:52 UTC (releng/12.0, 12.0-RELEASE-p8) + 2019-07-19 15:27:53 UTC (stable/11, 11.2-STABLE) + 2019-07-24 12:51:52 UTC (releng/11.2, 11.2-RELEASE-p12) + 2019-07-24 12:51:52 UTC (releng/11.3, 11.3-RELEASE-p1) +CVE Name: CVE-2019-0053 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The telnet(1) command is a TELNET protocol client, used primarily to +establish terminal sessions across a network. + +II. Problem Description + +Insufficient validation of environment variables in the telnet client +supplied in FreeBSD can lead to stack-based buffer overflows. A stack- +based overflow is present in the handling of environment variables when +connecting via the telnet client to remote telnet servers. + +This issue only affects the telnet client. Inbound telnet sessions to +telnetd(8) are not affected by this issue. + +III. Impact + +These buffer overflows may be triggered when connecting to a malicious +server, or by an active attacker in the network path between the client +and server. Specially crafted TELNET command sequences may cause the +execution of arbitrary code with the privileges of the user invoking +telnet(1). + +IV. Workaround + +Do not use telnet(1) to connect to untrusted machines or over an +untrusted network. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch +# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch.asc +# gpg --verify telnet.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350139 +releng/12.0/ r350281 +stable/11/ r350140 +releng/11.2/ r350281 +releng/11.3/ r350281 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WltfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLOzA//YxRZNUr+d8B+t6DnBUbVvthJiY9sQ1YPXUIJmp4QA7wvXr5UjURw+6qv +raxEp6JmF06wZK4RjeIFckQD6s2wnjO5VHO80Zbs0nD4NejQGeDAIlVdKqofOtJv +bBQNSY3vPAtumyfElc+N19rKetAjGbsUjOMbn87GlWrit4lqcavBQsdmSlQB5gVA +dFAFsVxr+ujjATnrCmIpFiaDk0unyJ7Gtz7jiM9I8xZueJtM49/9kNCFFLKCMUl8 +HpB2k0cb18GVNJoKtzo1nELOM/oIJVO5HZt1fmYG/RgeL1BSyzg4q/5jXJQopJ2h +Qax7fmMP+RpGGrfp9Uom63tj79eQk2NirpUtfAaYkfGKzj6fNcq/7jxZfbobx0R8 +uTiF88mlv2/SGxpo11Z/QBqOSYTQtjDRYJvjCo77g7YW8HauECC3tiklpPfFOIO8 +m5qNOORKI74Do377GBF3gxDF2T8ILwj1j7nKHf3apotvQXJkkbpWBG7ADRTFcZWd +PMKdYiDPHV33YmCAg9tOAqV4O7TvaB07ZLKiI6kuSBtPVrazB8Az/oRJwfF6JQ6g +4ZdinyCrXWYrWslkW8402GKCERFFYJUvwLSUqHxYMRgZWPy9zf/mH56vh4bleYnP +kz2X7OgtB3Juu0Uzwv927+KZuyzitniaPlLe9tsyBwXFbUM+BrY= +=LWVf +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-19:13.pts.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-19:13.pts.asc Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:13.pts Security Advisory + The FreeBSD Project + +Topic: pts(4) write-after-free + +Category: core +Module: kernel +Announced: 2019-07-24 +Credits: syzkaller +Affects: All supported versions of FreeBSD. +Corrected: 2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE) + 2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8) + 2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE) + 2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12) + 2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1) +CVE Name: CVE-2019-5606 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The posix_openpt(2) system call allocates a pseudo-terminal device and +returns a descriptor referencing that device. Such a descriptor may be +configured such that a SIGIO signal will be sent to a designated process +or process group when the device is ready to perform I/O. + +II. Problem Description + +The code which handles a close(2) of a descriptor created by +posix_openpt(2) fails to undo the configuration which causes SIGIO to be +raised. This bug can lead to a write-after-free of kernel memory. + +III. Impact + +The bug permits malicious code to trigger a write-after-free, which may +be used to gain root privileges or escape a jail. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch +# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch.asc +# gpg --verify pts.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r349805 +releng/12.0/ r350282 +stable/11/ r349806 +releng/11.2/ r350282 +releng/11.3/ r350282 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:13.pts.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04Wl9fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLZDA//SGC+7Vghtofm/CzylIXhC1drFOxNYJOF7KEJqDwsRR3U9S99Q9NBWS5+ +e+/vJzvV0+epZNQXDlit5a76jGwy4fNuutNh0J3APHe/l0Zp/PhM56IwRWQgqAkQ +hF67xhHxFZs8AH6/bw21N4IkRrAZHmrrCY8ubZArjoUi0gCoFzAYRw1Nh/JTQoLS +IGuqUFaMZWKvu3aeJiikLjHiJUMRAY7sxh+iSBSp99dsLkASqQZtx1grmosljttN +fuD7qO2f067EWUpC50JTbNt9V7za854hrlOp8jn1g51O4fWWJoEEL2/0VUeOO+fr +aGS9UNal25NPr2zGzx2t0u1VNE3/YKoZ0tq+mQYtaXke32ZO15Ufby0YcLU4DF8d +dU1ZoG2AGbWmBqgQ982hocq5Dn0r5yCHXDeEGguE1DsfyBuUEZw6zfYRtzIQ0swk +wDrdETxpIMa8jaSGtDw2bilrLNRIVqYkXBJftC3fpXhlz6PyU6bZaFm00xrs7z1D +EJMkuIWho9oMqLTU7bZNHv7JD4G3ziTF1h2tGXGcEKp02ImNZQnw3w5PBberFgto +H4uJQCWgFqqddkjnSidX3Uj676LC99ERDEUlqi+xnXMmBScJnQuRtiUdbpOCkPD2 +gLJmcyy7qjKw87i8KaQF5hUcym2D9xygbUV+I4RT93jR2DCVBA0= +=Cpu+ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-19:14.freebsd32.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-19:14.freebsd32.asc Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,135 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:14.freebsd32 Security Advisory + The FreeBSD Project + +Topic: Kernel memory disclosure in freebsd32_ioctl + +Category: core +Module: kernel +Announced: 2019-07-24 +Credits: Ilja van Sprundel, IOActive +Affects: FreeBSD 11.2 and FreeBSD 11.3 +Corrected: 2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE) + 2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12) + 2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1) +CVE Name: CVE-2019-5605 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The FreeBSD kernel supports executing 32-bit applications on a 64-bit +kernel, including the ioctl(2) interface. + +II. Problem Description + +Due to insufficient initialization of memory copied to userland in the +components listed above small amounts of kernel memory may be disclosed +to userland processes. + +III. Impact + +A user who can invoke 32-bit FreeBSD ioctls may be able to read the +contents of small portions of kernel memory. + +Such memory might contain sensitive information, such as portions of the +file cache or terminal buffers. This information might be directly +useful, or it might be leveraged to obtain elevated privileges in some +way; for example, a terminal buffer might include a user-entered +password. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch +# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc +# gpg --verify freebsd32.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r350217 +releng/11.2/ r350283 +releng/11.3/ r350283 +- ------------------------------------------------------------------------- + +Note: This issue was addressed in a different way prior to the branch point +for stable/12. As such, no patch is needed for FreeBSD 12.x. + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmNfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIavw//emdRXVNpGREW1FfUvWmUPpdgk6rFck9nEG0KUKYCcfhqN83BN9XtqaWu +lBQ1jbB/CsalwL6Gpn2yuMvgS8W4yUidyPHLpzuoAThlsy5bHID1/oRftJt0T0BS +kHbTD0tTUt3QDV51FoLBjvXfjRRb8xJ+wIGJ0NzOscWgjgu6JPUysHEJD3+vSOKN +X3qJd3zcoYqswcvuhoVE2cFrSaZKEyIi1pJVr9CGItQTWXIisgdXdGYTnBdZU8jq +iJGaI1BXiNUl/p/21JA32T+ZD7cdMtx6KiuoKlY7Bzgj7Qk3XW7xsQsYu724LIJT +pVhIxntMrQSak7wIaqNPGR/FgkkKDsoo6iCHXlGxXv6tLg7pnioZIaHhc5+UZqmT +8I0UogWhQZS03/nwFRVDLPp+ka2P0g2gsm/dX1UVuucMT+hGeqn2c/iaSU76duoR +qavRPjLPJDnfVrpXhpqco9rq1+UwA/1uSNe0cFX0ArX040hCReDsMphcxgrkZ0sD +u71Px2ZLE5rpWmFd8LD0X2y1l4OEcTmoTPUtJxHlVrMFztuNbAlRnyCxTV8c2uId +zN44wRj6c2ZEV/w+kBVTV+L7NSt1eHDZ5tgUL7boEOylEgkHTl30aZ8nV2wvpaM3 +1Y/IwBnGmI4iNLMnRoIDlac6rR3dMUS4gtH+lkfxlBri9Qc3Qso= +=8LlB +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:15.mqueuefs Security Advisory + The FreeBSD Project + +Topic: Reference count overflow in mqueue filesystem + +Category: core +Module: kernel +Announced: 2019-07-24 +Credits: Mateusz Guzik +Affects: All supported versions of FreeBSD. +Corrected: 2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE) + 2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8) + 2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE) + 2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12) + 2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1) +CVE Name: CVE-2019-5603 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +mqueuefs(5) implements POSIX message queue file system which can be used +by processes as a communication mechanism. + +'struct file' represents open files, directories, sockets and other +entities. + +II. Problem Description + +System calls operating on file descriptors obtain a reference to +relevant struct file which due to a programming error was not always put +back, which in turn could be used to overflow the counter of affected +struct file. + +III. Impact + +A local user can use this flaw to obtain access to files, directories, +sockets etc. opened by processes owned by other users. If obtained +struct file represents a directory from outside of user's jail, it can +be used to access files outside of the jail. If the user in question is +a jailed root they can obtain root privileges on the host system. + +IV. Workaround + +No workaround is available. Note that the mqueuefs file system is not +enabled by default. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch +# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch.asc +# gpg --verify mqueuefs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350261 +releng/12.0/ r350284 +stable/11/ r350263 +releng/11.2/ r350284 +releng/11.3/ r350284 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:15.mqueuefs.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIWpBAAg9BmPamkj7wLJODR8SvNk+qYqEbYeakiSGnvXllz2l+qI2dhMVsuQRGQ +ko7VY0P2Wuh68UiiDG63Oq3hbOWPPkL1axk6n275rZSdoVj856tjrHjnUtP3UX5S +WQUKRAREjhVjM9dAOwCYrmAmcpX4SkslklhfiR6AR62t4eptMlfJ6ACQATs6FPnX +WRdyDe7yq0mL4UHWg+PvotQ+rxGiynwgVRMXwaglKOldGOuPOeuj7azM4nb6/qkN +GjJlJOIRwfU1/sXVII3cCzndnCrz5A0sSttg4JK+uzneJNze+rOghGbyQ9F046z9 +H0M0Ae6M74UCyioyoTrQgvivWvATtNRkLBoRfvHQUNGSt6bS9g1F0N5J7NCgaIPx +vos7P4vnRM1avEAAnAhmm9eYAkO5VLmTb1ry5vOY1o2viesN3P0URcj7o+JIipaA +Kqlff154N2nJmCkT0BJ3m+80GWeAnwqli/LvAIruXxc2hqgWLh7wO+71mraPrV5Z +2+IiuLPMF18FdpTBjhXyX5zCtW7t7uARgZLJMjM+hTXc7aAer7746XY5JyXfRsa9 +jLVWHlff2YoF7DySyDIC7+ONfPIHGgr45imdJgJ9Cxu31ZBmCjesNR4x1DCKgLvT +KnpBvofWIkIb8sEikEnXMfrHqoP/RtVtK73GlmT7sbH9PDQPUYw= +=ehKK +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-19:16.bhyve.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-19:16.bhyve.asc Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,135 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:16.bhyve Security Advisory + The FreeBSD Project + +Topic: Bhyve out-of-bounds read in XHCI device + +Category: core +Module: bhyve +Announced: 2019-07-24 +Credits: Reno Robert +Affects: All supported versions of FreeBSD. +Corrected: 2019-07-23 17:48:37 UTC (stable/12, 12.0-STABLE) + 2019-07-24 12:56:06 UTC (releng/12.0, 12.0-RELEASE-p8) + 2019-07-23 17:48:37 UTC (stable/11, 11.2-STABLE) + 2019-07-24 12:56:06 UTC (releng/11.2, 11.2-RELEASE-p12) + 2019-07-24 12:56:06 UTC (releng/11.3, 11.3-RELEASE-p1) +CVE Name: CVE-2019-5604 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of virtual +machines (guests). bhyve includes an emulated XHCI device. + +II. Problem Description + +The pci_xhci_device_doorbell() function does not validate the 'epid' and +'streamid' provided by the guest, leading to an out-of-bounds read. + +III. Impact + +A misbehaving bhyve guest could crash the system or access memory that +it should not be able to. + +IV. Workaround + +No workaround is available, however systems not using bhyve(8) for +virtualization are not vulnerable. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +No reboot is required. Rather the bhyve(8) process for vulnerable virtual +machines should be restarted. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart any bhyve virtual machines or reboot the system. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart any bhyve virtual machines, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350246 +releng/12.0/ r350285 +stable/11/ r350247 +releng/11.2/ r350285 +releng/11.3/ r350285 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5604>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:16.bhyve.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmtfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cI+Jw//TcrKrFaXkEJtqzspjoeK9YKwNwj30ewdb/Ph3GdcgVoQmfJVsWPcmcM9 ++dewKdl7gGLhVhoJ+3f3oFzlDcqSxFLHcNwSW5J7P8Zt+7ZpQzwH8pfB6S8T1Nk6 +77Sv5hYrjy8kdSh6Z/c8BkAQrhEFYO09xej8ekQ1B+iL2N4ErexpCNTMKlP96pGS +0/4tso5gdcwrc1t6HHGffFkjItgnE8Lvgr1ZsSHbcRGAc3nqy3n21U+VH+fecAzK +0NBO3HQeCbRIEdAms3jMLcAJGrs60VBN0nnWqLxlGBb10hY7Si0NkgbWOP2g/Elf +J+K4SHTFXbhIGrpsrEdvSVPvytQ8gKOSys5luvtLjt0Yhll08eEUDVzaIk//Hsak +BcUSlKHULLkVTJZvdZAHUMHJOMPpSAh61DuFcM+pxAt5E9rmgX+HnPBs1yLbgd23 +NaQadFC126T+AW5W5GyOs2BIEo4bdTNHqONF7gmR4a5bv6/7GWZz/QNsep43jDZH +43lur9mts+/1LUCD1s4DkMniNMaGt28GMNa44PgQVzHI7NU/gdVe25TLnAv+X9lO +aAkV/WAyszux/Io2G2DfJNTc8Am/xRzFBvmydOnbMtzw8X/xgxB1/0ysl51O9Bdw +OhfpMygAsxbG0e8y5VuhpuoHd8/vIoBmA0z+u1tt4zxJIXgqSgE= +=/161 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-19:17.fd.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-19:17.fd.asc Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,146 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:17.fd Security Advisory + The FreeBSD Project + +Topic: File description reference count leak + +Category: core +Module: unix +Announced: 2019-07-24 +Credits: Mark Johnston +Affects: All supported versions of FreeBSD. +Corrected: 2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE) + 2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8) + 2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE) + 2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12) + 2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1) +CVE Name: CVE-2019-5607 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +UNIX-domain sockets are used for inter-process communication. It is +possible to use UNIX-domain sockets to transfer rights, encoded as file +descriptors, to another process. Rights are encapsulated in control +messages, and multiple such messages may be transmitted with a single +system call. + +II. Problem Description + +If a process attempts to transmit rights over a UNIX-domain socket and +an error causes the attempt to fail, references acquired on the rights +are not released and are leaked. This bug can be used to cause the +reference counter to wrap around and free the corresponding file +structure. + +III. Impact + +A local user can exploit the bug to gain root privileges or escape from +a jail. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc +# gpg --verify fd.11.2.patch.asc + +[FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc +# gpg --verify fd.11.patch.asc + +[FreeBSD 12.0] +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch +# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc +# gpg --verify fd.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350222 +releng/12.0/ r350286 +stable/11/ r350223 +releng/11.2/ r350286 +releng/11.3/ r350286 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607>; + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc>; +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WnBfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIOTQ/+KQMGXwNiuMVNib5ErewD9QdT48NYaU/hYUub3VMAfQltvWmbiPw7zXj7 +yJGm9FxWrMvZ6hFnKskV60u9d7PMYkOv4nzcaFgPoadByXXlALQGd/ansrZFyTJr +bDeBs7J3dM/VnH/lSlPc/LlbnH4iN+gj6SSqpsWAIdq99VIviAnzHTr7SniGfXul +hP+5+xSlfAYOKuH7jM1+gpuld9kR2QzGObiUJ6gfJk+I41C90tSJHb3v+DCanyrM +N2NXKbkgRtZoaIItiqZVIKHJP+VaHOnHCBq3uEbj2+OR7I5yFkDYdQbTiWVU1bl0 +9Ps/5LPDEiQYQqgCGadzZyqyEHvoPFy2vWvc1GFya6cV1L3gtM51C713ci2Xa3NK +ZknS4bIC2Nhtrf9PcFJRkMKW8OOdwYi/2vL9I4W/PAs2EV3thQivBB7dH9TYRTdC +BWP2tFM+isibjezJfj2RAjdAq0Kln0U+4AkNWgNNToyzSNFJ0LBtvzlgS7mmtuN0 +mA9n7tYyQM5vCXEQqcC3hIkJSeNE2Sj4/RVd8oo1Ngh1el0AFTJ2aq+QowG/lWO/ +pK1lvOQXMPElbSSxCytqALWY995VRxmEUO/TF6pCgsRDIXxx+eSf1XrtT2d1+Na7 +nzt511Ho9/F4Uwbih7u+IhnWReB2Da0djLBWUtOc+HsMLQZVAUk= +=juJj +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-19:13/mds.11.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:13/mds.11.patch Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,18 @@ +--- sys/x86/x86/cpu_machdep.c.orig ++++ sys/x86/x86/cpu_machdep.c +@@ -953,7 +953,6 @@ + * architectural state except possibly %rflags. Also, it is always + * called with interrupts disabled. + */ +-void (*mds_handler)(void); + void mds_handler_void(void); + void mds_handler_verw(void); + void mds_handler_ivb(void); +@@ -962,6 +961,7 @@ + void mds_handler_skl_avx(void); + void mds_handler_skl_avx512(void); + void mds_handler_silvermont(void); ++void (*mds_handler)(void) = mds_handler_void; + + static int + sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS) Added: head/share/security/patches/EN-19:13/mds.11.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:13/mds.11.patch.asc Wed Jul 24 13:28:52 2019 (r53269) @@ -0,0 +1,18 @@ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201907241328.x6ODSqWb094555>