From owner-freebsd-security@freebsd.org Wed Sep 2 17:45:53 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6D4E83DE67A for ; Wed, 2 Sep 2020 17:45:53 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BhWZ928n3z3b7H; Wed, 2 Sep 2020 17:45:53 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1599068753; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=XfaQ8J8+wfq5usNpWFUz4NucE+j6kJxpfLuRDFHBB+k=; b=C4dRGwuWhez1fWjM/RHESUX6MtZdf93Eu0sUb6CMtLBw76AvsTmtRwNJHwA3yGo6U7T0mV pU9WPSkUl8mc9aXGBTRjKYkXyAk4YqEkuavmsgFXSVoUfVH6rXYUV66+aoq8ZSuc1DULnk YzfvIhK1pc0xgRpEFZzx5TRYIp2ZsNoi6Qz6adFdVcvHzDUK8xlmqpctVW9PI0Npk5kq9f 7Vnc0pASdfbaCIuwpNPF2X3tHNgY6kwKDKZKxJ+EuMJNrNTxmF/GX1UPJXmWV8YMPwloHc 8yxD9uFRDLZ1U5yzXioYjWNA2ZPBFp5k1a/YlG2UEk7gDejwIztISlrHWWjMmg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 412F5C7D8; Wed, 2 Sep 2020 17:45:53 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-20:24.ipv6 Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20200902174553.412F5C7D8@freefall.freebsd.org> Date: Wed, 2 Sep 2020 17:45:53 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1599068753; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=XfaQ8J8+wfq5usNpWFUz4NucE+j6kJxpfLuRDFHBB+k=; b=eD7HbRsqddYV8e49lfnQsxKJ+iQEnGWEF9ZNp41H+iJkgeWT7/2WDnqr6vEgJIVZAFvHWu Cdj9DsuLd3XkjYjzFNychyGCJTEoNbSv1YZh8cRlvPsYeTghLnb3nKQ+bYsYpSlMFUQnFI g9BwmE7uGXqvB/h/M5j+Vf+TScOFUl7cIsJt2G8Xc9aGqb5o8/MOkOHW/yO2B/O7KXhhxt KbqY2DvIyd+SBkcexeoQR2iK6pztqnZI0rGUXnMECBWtifnVo9O4Um3pZaOPNhgEVpim9A 2rAgyQ0YYPryNzgPjAwRPdwjILAhkKrOUJ7QnIyfbmS1Q3ax0kCJRVRP8d+MYw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1599068753; a=rsa-sha256; cv=none; b=mQXlFHbk3+hM1tlIE+dZUEeYiu3G0j7zUomgUdOKbQGxdo6Gzchj6qZgd1PsKXzYQipINj 8pk3sQSGIDZfD8ulAXxPB/dR/IVmxD8xDJUY4Cc+EQ4NN80uqbjXLpXSWV/9RZtgCOR4Cf VzsQHbFm5ZEcVv1pDWE0ADEVrBDNE75h7tisH7Hhky7OUCX4HunFbcWhDDmDdjD5ykvOen 3zmLVTMShweFqXZSubUO70f8o/VjVZVZ9ZhzKs/XjG8CeMJIvgMDrtMMXYO0rTiahTpxnx kqi2JtpGEV8OJgBSnGeXvHbfyBhevuHWwNEWSUW/zOAyZvv15pOJECrimygGLg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.33 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Sep 2020 17:45:53 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-20:24.ipv6 Security Advisory The FreeBSD Project Topic: IPv6 Hop-by-Hop options use-after-free bug Category: core Module: kernel Announced: 2020-09-02 Affects: FreeBSD 11.3 Corrected: 2020-05-07 01:28:59 UTC (stable/11, 11.4-PRERELEASE) 2020-09-02 16:23:15 UTC (releng/11.3, 11.3-RELEASE-p13) CVE Name: CVE-2020-7462 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background IPv6 is a network layer supporting Hop-by-Hop options, which can be sent by applications via the socket API. The memory management for packet handling is done using mbufs. II. Problem Description Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface. III. Impact Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch # fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch.asc # gpg --verify ipv6.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/11/ r360733 releng/11.3/ r365255 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cLJYxAAotGAWrawa3gRK8gVpEIJiYknR9bODjDojm7KovlkuKeYAkyQ92/Ii23U U6tMXSPDYQFyscOdrGq4yEjxRDLLkGQGynQpioinDn8POKX7BKpy+PFFdv1mmBef h/WpgmlPdhymYisaImgVyGAxU81auzpFB6mArzFDCdHavTd7jVD2lJwcpdzeOk// NHOsj8C4VYJs0XcYrNa4CEWfH/D/uNO8u2b3QUfKQSOdfIfaDv22k2b96YKm+zcr xS7Q1jDv7QBTQou7KNOfoPi0Gclp8Q9VReP2nY/hB5TmJjR3irz+Z6UcGfiyDGrL XRB7oP23jIUmBbsINUN06FIhAPGF9/7zcOOoV1YOdwvmbLM0/W4c+mERZ16gw6+N MzCLDOeiyKAUr+pQzcl6lORxr31eB8400l6nRJwmCiWx4nHwyHPIl1RtfvsdNqfE /OBVEalxsCrzStfW4ME5RziPo9Y8DrajPf7+JY/4CIV3v/dJAiGi3+qs9Zn8enar WCR/8+o4xbT+d1sGTG1W3Qjh9a28jxqEusLjdehDy8PTk9OnIfPRuxj+kvot3Wo0 lWdeSIo8YZPYn7hG9N19k6aDlljM1fgkBmWj1uELtCeIE7WM5tHGMBuaS0cTt1jL s2g01qgkgW2a6cChdm3oNfUKE5KpD3/hU63/jEA6QyJJQQqXlOs= =kFlz -----END PGP SIGNATURE-----