From nobody Wed Jan 29 21:45:18 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YjwgL5nRHz5m5xQ for ; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YjwgL1fYXz3Hgk; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738187118; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=lXq7DNRYGIfsLJ0Azg1kNELsdync4vCFhzW6BFKRQIk=; b=kqbJvcIRX5oCgVl83+Rs1R4MA5OVqu7LIU/rO9cxoMySmPe3ZVhPxZm1QeDNotfW3zzgBZ wsDUduWXQGZUgfK4sAr6hqad+DUdrDFYEYhB3r1qLEnhniTfz0j7yVcQnxwpL2rwTJYGwN jQBzAeRehYd7CT4Lk+LNtiFdhiyL6qDRlNBMm/slkd/HVW3Sp9RgwvstBYF0dm4oqJAG3h d2BCrROJ+VINXvD15m0FIywuiT0rnMuvIubHAzxWxacHNRw6gOgKqBhplQWJlLiayshEgc tsvVmijT1WpKUmZt5iCQ7Bk2MPpcH3noA8Q8hJqfhu2px8fP4/0TbF3jrZGjzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1738187118; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=lXq7DNRYGIfsLJ0Azg1kNELsdync4vCFhzW6BFKRQIk=; b=ZZ52jI+dRpNvaTjRiyWOuAB2mehJPoL9z5iOiMWK3c1R3wxXLKZMXwpERZdUyySE1ejLJs 2gxqSAd9Ek/3OlFugG4esoQlMffekAoxx5oewaXfr/ROXS2oPp3R5TohAIH34ANVdwHoW2 Y7s598zEDhbxDCEY6X6X6XDwNfOIBi2PZ1S4T7WbFh12nkIGzjNi1txkpjg+c7aXKZu3ng VYnu1JR8hJujmWgDIBE13Jrqp9ciooQ5B3VH4gL1fh8Yl2hd0w7RY5yGcUjlSSJmztglKb V1L/7WoZ8Hu7vcVFVNAF7Nr4e4/48zdf4uLcwE2P48XrGJQsuyT3Lr93k7sCGg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1738187118; a=rsa-sha256; cv=none; b=q+zemOTIhfqJfokNZv6YBUDWtawlmOylDHitk2TdhqjyZbtCDiaDeP4KOPKVtLIeOVkNNv 2LUEpqmXpY8M8+PEJNUqaCmxpAtYGdBemGK1UbKcNqtqYkj7CmazuLZDVTyV2ZF5UCDN1Q JNaZGjJbZQjnssdrAig6f8TdQrZLBGG6nnjXkzAGOBaiaQlw2nu+lCf0PcT6zqvdFGgJdC DDgzlOkaQ2SHLVe8B81UzrMolg6Wsg79Q2Q2bwgjrjZjMZhW4irNIjTZfJ03qLoMNmyF2V iOBFnv8P66dzfmzDbwxHSj4m811p6JYSf6/BjQK6FRmBLuX1ML5IzEqHkNndQg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id 204513097; Wed, 29 Jan 2025 21:45:18 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:03.etcupdate Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20250129214518.204513097@freefall.freebsd.org> Date: Wed, 29 Jan 2025 21:45:18 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:03.etcupdate Security Advisory The FreeBSD Project Topic: Unprivileged access to system files Category: core Module: etcupdate Announced: 2025-01-29 Credits: Christos Chatzaras Affects: All supported versions of FreeBSD. Corrected: 2025-01-28 16:07:18 UTC (stable/14, 14.2-STABLE) 2025-01-29 18:54:57 UTC (releng/14.2, 14.2-RELEASE-p1) 2025-01-29 18:55:26 UTC (releng/14.1, 14.1-RELEASE-p7) 2025-01-28 16:07:34 UTC (stable/13, 13.4-STABLE) 2025-01-29 18:55:30 UTC (releng/13.4, 13.4-RELEASE-p3) CVE Name: CVE-2025-0374 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The etcupdate(8) utility is a tool for managing updates to files that are not updated as part of ‘make installworld’ such as files in /etc. It manages updates by doing a three-way merge of changes made to these files against the local versions. It is also designed to minimize the amount of user intervention with the goal of simplifying upgrades for clusters of machines. II. Problem Description When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd. III. Impact An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved. IV. Workaround No workaround is available. Systems whose files are updated using a mechanism other than etcupdate, such as freebsd-update(8), are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch # fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch.asc # gpg --verify etcupdate.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 93836ff92be8 stable/14-n270244 releng/14.2/ c55000e7c233 releng/14.2-n269513 releng/14.1/ b8945a926a2f releng/14.1-n267736 stable/13/ 17e935f1f327 stable/13-n259074 releng/13.4/ c1c180910d46 releng/13.4-n258274 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKwACgkQbljekB8A Gu+/Zg//S1n7l9ABmKTrFKWstkDgyNplTyb8VRQ6HQtdAQSa1M5C8MUXt57wjCV0 uOilT3GwT29IzBW2EDe3m8uOGdd3n0Ti6pCn0a11HV/VXqTt7zbbLNSPs7soTWVs oIsig0wmw/oZ2+ZkOvZG19ae99NdLzrV6YSK8NpdnOqwnTiZtN0cxCEdzhAQVznL omYwXjw7todZ1mskECDuaFrw+1R6K2Aw0lpauveNcsGewjV85IML6G3sPKYMJJCq E51LZ/1AfkQ+DDae+BVrGpvocf8YtR1p9Af8nSq16/WKKn4bwsVqFDf+fDpLpHW6 W7P+Ng4KDKMPX7D/ObzTECKJLuhP3f0yZkkOrypIXFC5M34lbmyqJvR4tB7uJeNU uqlD9RNbKY652isbIRZKz5L8gnZpFK0IUTHhcGOpTw8dfF19CsfE2jHoI/7fs8rC RqMRCHo2dlPMP1xHTWfsgS3BYNJgC99CF1VCgpj2PuwQ3tP+CnQ5Ed2tvdTRrPjA /IL3DzH/5hUIhHUPPPnw7m4PHUduXJyG1gvv998oIVw4Q7AXTcTGYU4fLZrEvBY7 r4Zgpy8WkdRYMJHfdlrmSJNf3r2isrVXosw5PLbwBRw1k+V2KlxBRo6YjglbakU/ LEmgLL7D4BrMHUBjqe1m1wff3Urz41tRTQr/IaBjeXxI6jlwDDM= =60Xo -----END PGP SIGNATURE-----