From owner-svn-ports-head@freebsd.org  Thu Oct 24 17:08:54 2019
Return-Path: <owner-svn-ports-head@freebsd.org>
Delivered-To: svn-ports-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8E105174234;
 Thu, 24 Oct 2019 17:08:54 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 46zYcQ36kPz4Fb1;
 Thu, 24 Oct 2019 17:08:54 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 49D30195BC;
 Thu, 24 Oct 2019 17:08:54 +0000 (UTC)
 (envelope-from feld@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x9OH8spX022701;
 Thu, 24 Oct 2019 17:08:54 GMT (envelope-from feld@FreeBSD.org)
Received: (from feld@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id x9OH8rub022700;
 Thu, 24 Oct 2019 17:08:53 GMT (envelope-from feld@FreeBSD.org)
Message-Id: <201910241708.x9OH8rub022700@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: feld set sender to
 feld@FreeBSD.org using -f
From: Mark Felder <feld@FreeBSD.org>
Date: Thu, 24 Oct 2019 17:08:53 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r515493 - head/security/vuxml
X-SVN-Group: ports-head
X-SVN-Commit-Author: feld
X-SVN-Commit-Paths: head/security/vuxml
X-SVN-Commit-Revision: 515493
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-head>, 
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head/>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 17:08:54 -0000

Author: feld
Date: Thu Oct 24 17:08:53 2019
New Revision: 515493
URL: https://svnweb.freebsd.org/changeset/ports/515493

Log:
  Add missing FreeBSD SAs
  
  Security:	FreeBSD-SA-19:24.mqueuefs
  Security:	FreeBSD-SA-19:23.midi
  Security:	FreeBSD-SA-19:22.mbuf
  Security:	FreeBSD-SA-19:21.bhyve
  Security:	FreeBSD-SA-19:20.bsnmp
  Security:	FreeBSD-SA-19:19.mldv2
  Security:	FreeBSD-SA-19:18.bzip2

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Oct 24 17:05:56 2019	(r515492)
+++ head/security/vuxml/vuln.xml	Thu Oct 24 17:08:53 2019	(r515493)
@@ -58,6 +58,261 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="53b3474c-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- Reference count overflow in mqueue filesystem 32-bit compat</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_10</lt></range>
+	<range><ge>11.3</ge><lt>11.3_3</lt></range>
+	<range><ge>11.2</ge><lt>11.2_14</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>System calls operating on file descriptors obtain a
+	reference to relevant struct file which due to a programming
+	error was not always put back, which in turn could be used
+	to overflow the counter of affected struct file.</p>
+	<h1>Impact:</h1>
+	<p>A local user can use this flaw to obtain access to files,
+	directories, sockets, etc., opened by processes owned by
+	other users. If obtained struct file represents a directory
+	from outside of user's jail, it can be used to access files
+	outside of the jail. If the user in question is a jailed
+	root they can obtain root privileges on the host system.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5603</cvename>
+      <freebsdsa>SA-19:24.mqueuefs</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-20</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="5027b62e-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- kernel memory disclosure from /dev/midistat</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_10</lt></range>
+	<range><ge>11.3</ge><lt>11.3_3</lt></range>
+	<range><ge>11.2</ge><lt>11.2_14</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The kernel driver for /dev/midistat implements a handler
+	for read(2). This handler is not thread-safe, and a
+	multi-threaded program can exploit races in the handler to
+	cause it to copy out kernel memory outside the boundaries
+	of midistat's data buffer.</p>
+	<h1>Impact:</h1>
+	<p>The races allow a program to read kernel memory within
+	a 4GB window centered at midistat's data buffer. The buffer
+	is allocated each time the device is opened, so an attacker
+	is not limited to a static 4GB region of memory.</p>
+	<p>On 32-bit platforms, an attempt to trigger the race may
+	cause a page fault in kernel mode, leading to a panic.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5612</cvename>
+      <freebsdsa>SA-19:23.midi</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-20</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="4d3d4f64-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- IPv6 remote Denial-of-Service</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_10</lt></range>
+	<range><ge>11.3</ge><lt>11.3_3</lt></range>
+	<range><ge>11.2</ge><lt>11.2_14</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>Due do a missing check in the code of m_pulldown(9) data
+	returned may not be contiguous as requested by the caller.</p>
+	<h1>Impact:</h1>
+	<p>Extra checks in the IPv6 code catch the error condition
+	and trigger a kernel panic leading to a remote DoS
+	(denial-of-service) attack with certain Ethernet interfaces.
+	At this point it is unknown if any other than the IPv6 code
+	paths can trigger a similar condition.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5611</cvename>
+      <freebsdsa>SA-19:22.mbuf</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-20</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="499b22a3-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- Insufficient validation of guest-supplied data (e1000 device)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_9</lt></range>
+	<range><ge>11.3</ge><lt>11.3_2</lt></range>
+	<range><ge>11.2</ge><lt>11.2_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The e1000 network adapters permit a variety of modifications
+	to an Ethernet packet when it is being transmitted. These
+	include the insertion of IP and TCP checksums, insertion
+	of an Ethernet VLAN header, and TCP segmentation offload
+	("TSO"). The e1000 device model uses an on-stack buffer to
+	generate the modified packet header when simulating these
+	modifications on transmitted packets.</p>
+	<p>When TCP segmentation offload is requested for a transmitted
+	packet, the e1000 device model used a guest-provided value
+	to determine the size of the on-stack buffer without
+	validation. The subsequent header generation could overflow
+	an incorrectly sized buffer or indirect a pointer composed
+	of stack garbage.</p>
+	<h1>Impact:</h1>
+	<p>A misbehaving bhyve guest could overwrite memory in the
+	bhyve process on the host.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5609</cvename>
+      <freebsdsa>SA-19:21.bhyve</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-06</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="45a95fdd-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- Insufficient message length validation in bsnmp library</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>12.0</ge><lt>12.0_9</lt></range>
+	<range><ge>11.3</ge><lt>11.3_2</lt></range>
+	<range><ge>11.2</ge><lt>11.2_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>A function extracting the length from type-length-value
+	encoding is not properly validating the submitted length.</p>
+	<h1>Impact:</h1>
+	<p>A remote user could cause, for example, an out-of-bounds
+	read, decoding of unrelated data, or trigger a crash of the
+	software such as bsnmpd resulting in a denial of service.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5610</cvename>
+      <freebsdsa>SA-19:20.bsnmp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-06</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="41d2f3e6-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- ICMPv6 / MLDv2 out-of-bounds memory access</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_9</lt></range>
+	<range><ge>11.3</ge><lt>11.3_2</lt></range>
+	<range><ge>11.2</ge><lt>11.2_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The ICMPv6 input path incorrectly handles cases where
+	an MLDv2 listener query packet is internally fragmented
+	across multiple mbufs.</p>
+	<h1>Impact:</h1>
+	<p>A remote attacker may be able to cause an out-of-bounds
+	read or write that may cause the kernel to attempt to access
+	an unmapped page and subsequently panic.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5608</cvename>
+      <freebsdsa>SA-19:19.mldv2</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-06</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="3c7edc7a-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- Multiple vulnerabilities in bzip2</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>12.0</ge><lt>12.0_9</lt></range>
+	<range><ge>11.3</ge><lt>11.3_2</lt></range>
+	<range><ge>11.2</ge><lt>11.2_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The decompressor used in bzip2 contains a bug which can
+	lead to an out-of-bounds write when processing a specially
+	crafted bzip2(1) file.</p>
+	<p>bzip2recover contains a heap use-after-free bug which
+	can be triggered when processing a specially crafted bzip2(1)
+	file.</p>
+	<h1>Impact:</h1>
+	<p>An attacker who can cause maliciously crafted input to
+	be processed may trigger either of these bugs. The bzip2recover
+	bug may cause a crash, permitting a denial-of-service. The
+	bzip2 decompressor bug could potentially be exploited to
+	execute arbitrary code.</p>
+	<p>Note that some utilities, including the tar(1) archiver
+	and the bspatch(1) binary patching utility (used in portsnap(8)
+	and freebsd-update(8)) decompress bzip2(1)-compressed data
+	internally; system administrators should assume that their
+	systems will at some point decompress bzip2(1)-compressed
+	data even if they never explicitly invoke the bunzip2(1)
+	utility.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-3189</cvename>
+      <cvename>CVE-2019-1290</cvename>
+      <freebsdsa>SA-19:18.bzip2</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-06</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="2d4076eb-f679-11e9-a87f-a4badb2f4699">
     <topic>varnish -- Information Disclosure Vulnerability</topic>
     <affects>