Date:      Fri, 1 May 2026 09:26:38 +0100
From:      Oliver Pinter <oliver.pntr@gmail.com>
To:        Gordon Tetlow <gordon@tetlows.org>
Cc:        Mark Johnston <markj@freebsd.org>,  "src-committers@freebsd.org" <src-committers@freebsd.org>,  "dev-commits-src-all@freebsd.org" <dev-commits-src-all@freebsd.org>,  "dev-commits-src-main@freebsd.org" <dev-commits-src-main@freebsd.org>
Subject:   Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID]
Message-ID:  <CAPjTQNFt2zGK5HAM-qbvDUkDis-8PfTEp%2B-=cn=RxMx9pSc1mg@mail.gmail.com>
In-Reply-To: <4E7ABEB8-1EE6-4CDF-9F58-BD2C0E0BF8C7@tetlows.org>
References:  <69f219fa.3c9fa.1698d8e9@gitrepo.freebsd.org> <4E7ABEB8-1EE6-4CDF-9F58-BD2C0E0BF8C7@tetlows.org>


[-- Attachment #1 --]
On Thursday, April 30, 2026, Gordon Tetlow <gordon@tetlows.org> wrote:

> This commit as well as the corresponding stable and releng branch commits
> were incorrectly tagged CVE-2026-42511 and should be CVE-2026-42512.
> Apologies for the mix up there.
>
> Best regards,
> Gordon
> Hat: security-officer
>
Hi!

I've seen a new trend regarding the commit messages. If someone described
the commit wrong, then the commit gets reverted and the exact same commit
message reapplied with the fixed commit message. The question is: does
FreeBSD want the correct CVE ID in the history or not? If it does, then one
possible way would be the revert + reapply, or the other possibility would be
to create an empty commit with git which references the original commit and
adds the correct CVE ID to the empty commit's description.



> On 29 Apr 2026, at 7:47, Mark Johnston wrote:
>
> The branch main has been updated by markj:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5d8e32aad2a8316b0aab8a93a677a63e4c3df422
>
> commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
> Author: Mark Johnston markj@FreeBSD.org
> AuthorDate: 2026-04-27 20:56:21 +0000
> Commit: Mark Johnston markj@FreeBSD.org
> CommitDate: 2026-04-29 14:39:27 +0000
>
> dhclient: Fix reallocation of dhclient script environments
>
> When the number of DHCP options exceeds a threshold, script_set_env()
> will reallocate the environment, stored as an array of pointers.  The
> calculation of the array size failed to multiply by the pointer size,
> resulting in a smaller than expected buffer which admits out-of-bounds
> writes.
>
> Approved by:    so
> Security:       FreeBSD-SA-26:15.dhclient
> Security:       CVE-2026-42511
> Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
>
> ------------------------------
>
> sbin/dhclient/dhclient.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
> index 719e20cffad9..f671b0ab9bed 100644
> --- a/sbin/dhclient/dhclient.c
> +++ b/sbin/dhclient/dhclient.c
> @@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const
> char *prefix,
> char **newscriptEnv;
> int newscriptEnvsize = client->scriptEnvsize + 50;
>
>    -
>
>    	newscriptEnv = realloc(client->scriptEnv,
>
>    -
>
>    	    newscriptEnvsize);
>
>
>
>    -
>
>    	newscriptEnv = reallocarray(client->scriptEnv,
>
>    -
>
>    	    newscriptEnvsize, sizeof(char *));
>    	if (newscriptEnv == NULL) {
>    		free(client->scriptEnv);
>    		client->scriptEnv = NULL;
>
>
>
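
Review bot: the reallocarray() call in the added lines guards only the multiplication by sizeof(char *); the count it receives is still computed in the context line above as `int newscriptEnvsize = client->scriptEnvsize + 50;`, in signed int arithmetic that nothing here checks. Consider making the size fields size_t, or checking the addition before the call, so the whole size computation is covered. In the trailing context the failure path frees client->scriptEnv and sets it to NULL; the visible lines do not show the strings it pointed to being freed or client->scriptEnvsize being reset, so that is worth confirming against the rest of the function.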

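The size error described in the quoted commit message, next to a growth routine that avoids it, as an added example (not code from dhclient or from anyone in this thread). `struct env_vec`, `slots_in_bytes`, `env_grow` and `env_append` are hypothetical names, and strings are caller-owned here to keep the focus on the pointer array.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the script environment; not dhclient's own struct. */
struct env_vec {
	const char **slots;	/* NULL-terminated array of "NAME=value" pointers */
	size_t used;		/* entries in use, not counting the terminator */
	size_t cap;		/* allocated size in slots (pointers), not bytes */
};

/* Pointer slots that really fit when a slot count is handed to realloc() as bytes. */
size_t slots_in_bytes(size_t nbytes)
{
	return nbytes / sizeof(char *);
}

/* Grow by `step` slots; both the addition and the multiplication are checked. */
int env_grow(struct env_vec *v, size_t step)
{
	const char **p;
	if (step > SIZE_MAX - v->cap ||
	    v->cap + step > SIZE_MAX / sizeof(*v->slots)) {
		errno = ENOMEM;
		return -1;
	}
	p = realloc(v->slots, (v->cap + step) * sizeof(*v->slots));
	if (p == NULL)
		return -1;	/* the old array is untouched and still owned by v */
	v->slots = p;
	v->cap += step;
	return 0;
}

/* Append a caller-owned string, keeping room for the NULL terminator. */
int env_append(struct env_vec *v, const char *s)
{
	if (v->used + 2 > v->cap && env_grow(v, 50) != 0)
		return -1;
	v->slots[v->used++] = s;
	v->slots[v->used] = NULL;
	return 0;
}

int main(void)
{
	printf("150 bytes hold %zu pointers\n", slots_in_bytes(150));
	return 0;
}
```
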
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPjTQNFt2zGK5HAM-qbvDUkDis-8PfTEp%2B-=cn=RxMx9pSc1mg>