From nobody Fri May 1 08:26:38 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g6PK26gk3z6c8cC for ; Fri, 01 May 2026 08:26:46 +0000 (UTC) (envelope-from oliver.pntr@gmail.com) Received: from mail-yx1-xb130.google.com (mail-yx1-xb130.google.com [IPv6:2607:f8b0:4864:20::b130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g6PK146mkz3l89 for ; Fri, 01 May 2026 08:26:45 +0000 (UTC) (envelope-from oliver.pntr@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20251104 header.b=DxpCsb7s; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of oliver.pntr@gmail.com designates 2607:f8b0:4864:20::b130 as permitted sender) smtp.mailfrom=oliver.pntr@gmail.com; arc=pass ("google.com:s=arc-20240605:i=1") Received: by mail-yx1-xb130.google.com with SMTP id 956f58d0204a3-64e87a81639so1598795d50.0 for ; Fri, 01 May 2026 01:26:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1777624000; cv=none; d=google.com; s=arc-20240605; b=PEDsSL9VkmwQEXbnwjIf+PspJ3zSkc4wbDG0we7YPjS16pXwPGjkqFlCfB/s74osJT KQkYgTdudySPvTSrbMh0lilBwTOw5YH5rOhQPyHxzPEiRwuhyBBsBb7ejPEB9B+0olue PliloGMJckr8Rwdta6NtW1ebeyMFcbu1M55Kwtlz8GEOX50g2Bw+2oZQ8lGsFZ0X4bBe vq2JG9Al4t+rc6QxywKAUsqF0Gz6FYsGc9IYlwxymzyxvwkiQPi3qonmZd/srxGgu0rf Ku06OjqoJdWiuTLPpkieNqAhFGHEEqmwgmRpsH/L37wleQYMcgO0XzlzMhsN8njweZ4g 6Kag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:dkim-signature; bh=VAEC5jHL0PKVmgOBq/yrnVLdmzJVlvN4O5tYWRJ2myg=; fh=MuIHWvbkHrzZymJCUprAhNGIPuQw1sgW13PIwdlHOq0=; b=U+Js731tT0szQqf1fPqPssJjOsjZzpA0e6ieWuZKGPoxTDnuS9kogvhEDpvCN7chSs R1SFRfAV+hXmiikIYE+KzEG6nYffPzirLzJvS9EYq8bAo59xY+yR1CDwzdioJ8pfgspe UhaoAjHr88FX+OQ+zToJjlsUtSQLIMS6ar7nkMdZytudvW9fGsgZbZnTBGj8EKnDcI1/ DE7m6VYqZnzbAwX+hjwC3pMQUP2AevieLKsdmNbfbQ8yEqL9yMeCXmdnnDXtZNv4RQgM OteTvMYt7Ec7AOf3UA+FUnDeN/n5VLyzhKeA54ZdYojZ6x9MqsJJL0obTkhvYEtrU6LP 1NVA==; darn=freebsd.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777624000; x=1778228800; darn=freebsd.org; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VAEC5jHL0PKVmgOBq/yrnVLdmzJVlvN4O5tYWRJ2myg=; b=DxpCsb7s+nnFxaLTrKCkdxjZMDs3r5c3E+CfPqMvCRwpo0hFFLOv0XpZd6JyjxTpFl JV0tGQMbKKTYw0INSnjNI4rFPg8h6T2elme1BqFmDQfH2om/NEzXeyPyMi+TD2qS7mO9 Asq+BymsNqO3Of6QAaCiyhfZsFJNsA5lAd7IPi86PNwKJMaCRvZS4Ht1ihi8nO6kWbcr 4f08Q+MDMP1xgqhQW+yONrkHOKCu0ryNsofOXtKqIBhNzcEOYgOxW6uypxYGdjKyjKrv 8MpSSaxPGHwQF8Jv3WFAVUeirWWXAmJckLHLoZBPLC6hDqjOEBaA3KcNxm6QuCDriwIj k/+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777624000; x=1778228800; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=VAEC5jHL0PKVmgOBq/yrnVLdmzJVlvN4O5tYWRJ2myg=; b=f3hhsa1c+/l8lN0Qw5zhHulWicTAG6+SdgVqd/o7zETduPQ2zrg7emx6Grf1x5jRYR f1kx+1Htd8hEkPTeZJVuzk+UrEhVT5ijGaj0RlrtqBmONG/peqOJh82lzDLik2OGbyLG 21nKCWB9HyZjv8Mw/lZw/30OHBb2Iyy/zJ6wSW0g6MeKiSwexgUUFeJDHc4EGGepXmAd jTp5qOb0+dzhWjdfVc2FmNKzlRQ4CkL37kOPvWJaURCdj9XUbee1Hr2/o9aJwyNF6PsJ VrwKais/vQZ9qHoOCiotUlPxcO43CDvs9FkfX6BtCBaisKAt9ogQwGJTBPM6dQgs/pU0 DzlA== X-Forwarded-Encrypted: i=1; AFNElJ+3ldeqZIDhP9CaYV3hKx+ySYiD+l145qPxD/tuhhmx4/lw8RcWiJJNMkIOBtvtE7wzwQKuve6dU1qG3XIYEgZzM5fu@freebsd.org X-Gm-Message-State: AOJu0YxPMjBa997km7pz58RpEsHMGCUkKRkb+1sTa/lIsp7zXNblaYHC aJBUi7kARkCpQZFAL2fS/A2xDoA4KwQHXrvEU8dEknFJEKnGqRHu+BrgmSy/8ti/Qjs9hGFD5Qp 8iBDw6nU4i4meGioD0kLHfTJWpna1stLj/QpB X-Gm-Gg: AeBDiesd93cEuQa6EfaWtus9N1E1iJYHiAyjWcvht6rbk77JACfcOmguubDwitb7Xka iLyjou4WWnln0/FVaHRnMnToyyQHpmCMcl8hedrYelYsD2ITWaKgxViDIbbpOktohzjiOzk4Rxw lQYasIZJrOGKRamh0zdOkEA85TDXoVrxhGJfyjCBDGB/sF1EIuIIaRY3eLQI3m6HQs/u8wjO7DH 3jJB1X0K+6gwL003UJXEtHODf4Q/8yIjsCIL4W9pXER5OGRG/+RIJ2ER6Ub8oexaup3+5KhSzKs JaOIdPiG2okJx6QT0qkytTdbdAJeGaBUzFIImRLj7W7FkY1Pmcka4Cnk+UwdHA== X-Received: by 2002:a05:690e:1387:b0:65c:2a49:880f with SMTP id 956f58d0204a3-65c2a499a65mr3499030d50.30.1777623999788; Fri, 01 May 2026 01:26:39 -0700 (PDT) List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Received: by 2002:a05:7011:628d:20b0:518:6106:eec6 with HTTP; Fri, 1 May 2026 01:26:38 -0700 (PDT) In-Reply-To: <4E7ABEB8-1EE6-4CDF-9F58-BD2C0E0BF8C7@tetlows.org> References: <69f219fa.3c9fa.1698d8e9@gitrepo.freebsd.org> <4E7ABEB8-1EE6-4CDF-9F58-BD2C0E0BF8C7@tetlows.org> From: Oliver Pinter Date: Fri, 1 May 2026 09:26:38 +0100 X-Gm-Features: AVHnY4IIZ4gmTc9XvY9PQl_EqKXDSdifQuywwTxw9Nak8DrjkfA3uStdfxGs0H8 Message-ID: Subject: Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID] To: Gordon Tetlow Cc: Mark Johnston , "src-committers@freebsd.org" , "dev-commits-src-all@freebsd.org" , "dev-commits-src-main@freebsd.org" Content-Type: multipart/alternative; boundary="0000000000000d3be90650bd5702" X-Spamd-Result: default: False [-4.83 / 15.00]; ARC_ALLOW(-1.00)[google.com:s=arc-20240605:i=1]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.83)[-0.828]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20251104]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4864::/56:c]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; RCVD_TLS_LAST(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; TAGGED_FROM(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; TO_DN_SOME(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; MISSING_XM_UA(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::b130:from]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; PREVIOUSLY_DELIVERED(0.00)[dev-commits-src-all@freebsd.org]; MLMMJ_DEST(0.00)[dev-commits-src-all@freebsd.org]; MID_RHS_MATCH_FROMTLD(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCPT_COUNT_FIVE(0.00)[5] X-Spamd-Bar: ---- X-Rspamd-Queue-Id: 4g6PK146mkz3l89 --0000000000000d3be90650bd5702 Content-Type: text/plain; charset="UTF-8" On Thursday, April 30, 2026, Gordon Tetlow wrote: > This commit as well as the corresponding stable and releng branch commits > were incorrectly tagged CVE-2026-42511 and should be CVE-2026-42512. > Apologies for the mix up there. > > Best regards, > Gordon > Hat: security-officer > Hi! I've seen a new trend regarding the commit messages. If someone described the commit wrong, then the commit gets reverted and the exactly same commit message reapplied with the fixed commit message. The question is that do FreeBSD wants the correct CVE id in the history or not? If wants, then one possible way would be the revert + reapply or the other possible would be to create an empty commit with git which references the original commit and adds the correct CVE id to the empty commits description. > On 29 Apr 2026, at 7:47, Mark Johnston wrote: > > The branch main has been updated by markj: > > URL: https://cgit.FreeBSD.org/src/commit/?id= > 5d8e32aad2a8316b0aab8a93a677a63e4c3df422 > > commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422 > Author: Mark Johnston markj@FreeBSD.org > AuthorDate: 2026-04-27 20:56:21 +0000 > Commit: Mark Johnston markj@FreeBSD.org > CommitDate: 2026-04-29 14:39:27 +0000 > > dhclient: Fix reallocation of dhclient script environments > > When the number of DHCP options exceeds a threshold, script_set_env() > will reallocate the environment, stored as an array of pointers. The > calculation of the array size failed to multiply by the pointer size, > resulting in a smaller than expected buffer which admits out-of-bounds > writes. > > Approved by: so > Security: FreeBSD-SA-26:15.dhclient > Security: CVE-2026-42511 > Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) > > ------------------------------ > > sbin/dhclient/dhclient.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c > index 719e20cffad9..f671b0ab9bed 100644 > --- a/sbin/dhclient/dhclient.c > +++ b/sbin/dhclient/dhclient.c > @@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const > char *prefix, > char **newscriptEnv; > int newscriptEnvsize = client->scriptEnvsize + 50; > > - > > newscriptEnv = realloc(client->scriptEnv, > > - > > newscriptEnvsize); > > > > - > > newscriptEnv = reallocarray(client->scriptEnv, > > - > > newscriptEnvsize, sizeof(char *)); > if (newscriptEnv == NULL) { > free(client->scriptEnv); > client->scriptEnv = NULL; > > > --0000000000000d3be90650bd5702 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

On Thursday, April 30, 2026, Gordon Tetlow <gordon@tetlows.org> wrote:

This commit as well as the corresponding stable and releng = branch commits were incorrectly tagged CVE-2026-42511 and should be CVE-202= 6-42512. Apologies for the mix up there.

Best regards,
Gordon
Hat: security-officer

Hi!

I've seen a new trend regarding the commit messages. If someon= e described the commit wrong, then the commit gets reverted and the exactly= same commit message reapplied with the fixed commit message. The question = is that do FreeBSD wants the correct CVE id in the history or not? If wants= , then one possible way would be the revert + reapply or the other possible= would be to create an empty commit with git which references the original = commit and adds the correct CVE id to the empty commits description.
<= /div>

=C2=A0

On 29 Apr 2026, at 7:47, Mark Johnston wrote:

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=3D5d8e32aad2a8316= b0aab8a93a677a63e4c3df422

commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
Author: Mark Johnston markj@FreeBSD.org
AuthorDate: 2026-04-27 20:56:21 +0000
Commit: Mark Johnston markj@FreeBSD.org
CommitDate: 2026-04-29 14:39:27 +0000

dhclient: Fix reallocation of dhclient script environments

When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers.  The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.

Approved by:    so
Security:       FreeBSD-SA-26:15.dhclient
Security:       CVE-2026-42511
Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)

sbin/dhclient/dhclient.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhcli= ent.c
index 719e20cffad9..f671b0ab9bed 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const cha= r *prefix,
char **newscriptEnv;
int newscriptEnvsize =3D client->scriptEnvsize + 50;

  • 	newscriptEnv =3D realloc(client->scriptEnv,

  • 	    newscriptEnvsize);

  • 	newscriptEnv =3D reallocarray(client->scriptEnv,

  • 	    newscriptEnvsize, sizeof(char *));
	if (newscriptEnv =3D=3D NULL) {
		free(client->scriptEnv);
		client->scriptEnv =3D NULL;
--0000000000000d3be90650bd5702--