Date:      Thu, 24 Oct 2019 17:08:53 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r515493 - head/security/vuxml
Message-ID:  <201910241708.x9OH8rub022700@repo.freebsd.org>

Author: feld
Date: Thu Oct 24 17:08:53 2019
New Revision: 515493
URL: https://svnweb.freebsd.org/changeset/ports/515493

Log:
  Add missing FreeBSD SAs
  
  Security:	FreeBSD-SA-19:24.mqueuefs
  Security:	FreeBSD-SA-19:23.midi
  Security:	FreeBSD-SA-19:22.mbuf
  Security:	FreeBSD-SA-19:21.bhyve
  Security:	FreeBSD-SA-19:20.bsnmp
  Security:	FreeBSD-SA-19:19.mldv2
  Security:	FreeBSD-SA-19:18.bzip2

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Oct 24 17:05:56 2019	(r515492)
+++ head/security/vuxml/vuln.xml	Thu Oct 24 17:08:53 2019	(r515493)
@@ -58,6 +58,261 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="53b3474c-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- Reference count overflow in mqueue filesystem 32-bit compat</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_10</lt></range>
+	<range><ge>11.3</ge><lt>11.3_3</lt></range>
+	<range><ge>11.2</ge><lt>11.2_14</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>System calls operating on file descriptors obtain a
+	reference to relevant struct file which due to a programming
+	error was not always put back, which in turn could be used
+	to overflow the counter of affected struct file.</p>
+	<h1>Impact:</h1>
+	<p>A local user can use this flaw to obtain access to files,
+	directories, sockets, etc., opened by processes owned by
+	other users. If obtained struct file represents a directory
+	from outside of user's jail, it can be used to access files
+	outside of the jail. If the user in question is a jailed
+	root they can obtain root privileges on the host system.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5603</cvename>
+      <freebsdsa>SA-19:24.mqueuefs</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-20</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="5027b62e-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- kernel memory disclosure from /dev/midistat</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_10</lt></range>
+	<range><ge>11.3</ge><lt>11.3_3</lt></range>
+	<range><ge>11.2</ge><lt>11.2_14</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The kernel driver for /dev/midistat implements a handler
+	for read(2). This handler is not thread-safe, and a
+	multi-threaded program can exploit races in the handler to
+	cause it to copy out kernel memory outside the boundaries
+	of midistat's data buffer.</p>
+	<h1>Impact:</h1>
+	<p>The races allow a program to read kernel memory within
+	a 4GB window centered at midistat's data buffer. The buffer
+	is allocated each time the device is opened, so an attacker
+	is not limited to a static 4GB region of memory.</p>
+	<p>On 32-bit platforms, an attempt to trigger the race may
+	cause a page fault in kernel mode, leading to a panic.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5612</cvename>
+      <freebsdsa>SA-19:23.midi</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-20</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="4d3d4f64-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- IPv6 remote Denial-of-Service</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_10</lt></range>
+	<range><ge>11.3</ge><lt>11.3_3</lt></range>
+	<range><ge>11.2</ge><lt>11.2_14</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>Due do a missing check in the code of m_pulldown(9) data
+	returned may not be contiguous as requested by the caller.</p>
+	<h1>Impact:</h1>
+	<p>Extra checks in the IPv6 code catch the error condition
+	and trigger a kernel panic leading to a remote DoS
+	(denial-of-service) attack with certain Ethernet interfaces.
+	At this point it is unknown if any other than the IPv6 code
+	paths can trigger a similar condition.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5611</cvename>
+      <freebsdsa>SA-19:22.mbuf</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-20</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="499b22a3-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- Insufficient validation of guest-supplied data (e1000 device)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_9</lt></range>
+	<range><ge>11.3</ge><lt>11.3_2</lt></range>
+	<range><ge>11.2</ge><lt>11.2_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The e1000 network adapters permit a variety of modifications
+	to an Ethernet packet when it is being transmitted. These
+	include the insertion of IP and TCP checksums, insertion
+	of an Ethernet VLAN header, and TCP segmentation offload
+	("TSO"). The e1000 device model uses an on-stack buffer to
+	generate the modified packet header when simulating these
+	modifications on transmitted packets.</p>
+	<p>When TCP segmentation offload is requested for a transmitted
+	packet, the e1000 device model used a guest-provided value
+	to determine the size of the on-stack buffer without
+	validation. The subsequent header generation could overflow
+	an incorrectly sized buffer or indirect a pointer composed
+	of stack garbage.</p>
+	<h1>Impact:</h1>
+	<p>A misbehaving bhyve guest could overwrite memory in the
+	bhyve process on the host.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5609</cvename>
+      <freebsdsa>SA-19:21.bhyve</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-06</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="45a95fdd-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- Insufficient message length validation in bsnmp library</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>12.0</ge><lt>12.0_9</lt></range>
+	<range><ge>11.3</ge><lt>11.3_2</lt></range>
+	<range><ge>11.2</ge><lt>11.2_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>A function extracting the length from type-length-value
+	encoding is not properly validating the submitted length.</p>
+	<h1>Impact:</h1>
+	<p>A remote user could cause, for example, an out-of-bounds
+	read, decoding of unrelated data, or trigger a crash of the
+	software such as bsnmpd resulting in a denial of service.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5610</cvename>
+      <freebsdsa>SA-19:20.bsnmp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-06</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="41d2f3e6-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- ICMPv6 / MLDv2 out-of-bounds memory access</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>12.0</ge><lt>12.0_9</lt></range>
+	<range><ge>11.3</ge><lt>11.3_2</lt></range>
+	<range><ge>11.2</ge><lt>11.2_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The ICMPv6 input path incorrectly handles cases where
+	an MLDv2 listener query packet is internally fragmented
+	across multiple mbufs.</p>
+	<h1>Impact:</h1>
+	<p>A remote attacker may be able to cause an out-of-bounds
+	read or write that may cause the kernel to attempt to access
+	an unmapped page and subsequently panic.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2019-5608</cvename>
+      <freebsdsa>SA-19:19.mldv2</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-06</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="3c7edc7a-f680-11e9-a87f-a4badb2f4699">
+    <topic>FreeBSD -- Multiple vulnerabilities in bzip2</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>12.0</ge><lt>12.0_9</lt></range>
+	<range><ge>11.3</ge><lt>11.3_2</lt></range>
+	<range><ge>11.2</ge><lt>11.2_13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The decompressor used in bzip2 contains a bug which can
+	lead to an out-of-bounds write when processing a specially
+	crafted bzip2(1) file.</p>
+	<p>bzip2recover contains a heap use-after-free bug which
+	can be triggered when processing a specially crafted bzip2(1)
+	file.</p>
+	<h1>Impact:</h1>
+	<p>An attacker who can cause maliciously crafted input to
+	be processed may trigger either of these bugs. The bzip2recover
+	bug may cause a crash, permitting a denial-of-service. The
+	bzip2 decompressor bug could potentially be exploited to
+	execute arbitrary code.</p>
+	<p>Note that some utilities, including the tar(1) archiver
+	and the bspatch(1) binary patching utility (used in portsnap(8)
+	and freebsd-update(8)) decompress bzip2(1)-compressed data
+	internally; system administrators should assume that their
+	systems will at some point decompress bzip2(1)-compressed
+	data even if they never explicitly invoke the bunzip2(1)
+	utility.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2016-3189</cvename>
+      <cvename>CVE-2019-1290</cvename>
+      <freebsdsa>SA-19:18.bzip2</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2019-08-06</discovery>
+      <entry>2019-10-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="2d4076eb-f679-11e9-a87f-a4badb2f4699">
     <topic>varnish -- Information Disclosure Vulnerability</topic>
     <affects>
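Review bot: the `<cvename>CVE-2019-1290</cvename>` line in the bzip2 entry (vid 3c7edc7a-f680-11e9-a87f-a4badb2f4699) should be checked against the SA-19:18.bzip2 advisory before commit; the bzip2 decompressor out-of-bounds write that advisory covers is tracked as CVE-2019-12900, so the id here reads as a dropped trailing digit, and a wrong cvename silently breaks the cross-reference that `pkg audit` and other consumers of vuln.xml rely on. Suggested line: `<cvename>CVE-2019-12900</cvename>`. Minor wording in the SA-19:22.mbuf description: "Due do a missing check in the code of m_pulldown(9)" should read "Due to a missing check".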


