From: Gordon Tetlow
Date: Thu, 13 Jan 2022 16:23:23 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:01.vt
To: freebsd-security@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Sorry for the delay in sending this to the security mailing list. Since
the mailing list change over, we've had a few hiccups on delivery to
the lists and with this email, we should hopefully be back to a state
where we consistently deliver.

Again, apologies for the weirdness, but I believe we have ironed out
all the wrinkles and will be in a better spot going forward. Thanks to
the postmaster team for the work in getting this all sorted.

Gordon
Hat: security-officer

On Thu, Jan 13, 2022 at 4:19 PM FreeBSD Security Advisories wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-22:01.vt                                         Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          vt console buffer overflow
>
> Category:       kernel
> Module:         vt
> Announced:      2022-01-11
> Credits:        Oleg Bulyzhin
> Affects:        FreeBSD 12.2 and FreeBSD 13.0
> Corrected:      2021-09-22 18:41:00 UTC (stable/13, 13.0-STABLE)
>                 2022-01-11 18:15:03 UTC (releng/13.0, 13.0-RELEASE-p6)
>                 2021-09-25 18:15:49 UTC (stable/12, 12.2-STABLE)
>                 2022-01-11 18:33:21 UTC (releng/12.2, 12.2-RELEASE-p12)
> CVE Name:       CVE-2021-29632
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> FreeBSD's system console is provided by the vt(4) virtual terminal console
> driver.
>
> II.  Problem Description
>
> Under certain conditions involving use of the highlight buffer while
> text is scrolling on the console, console data may overwrite data
> structures associated with the system console or other kernel memory.
>
> III. Impact
>
> Users with access to the system console may be able to cause system
> misbehaviour.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date,
> and reboot.
>
> Perform one of the following:
>
> 1) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64, i386, or
> (on FreeBSD 13 and later) arm64 platforms can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch
> # fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch.asc
> # gpg --verify vt.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> and reboot the
> system.
>
> VI.  Correction details
>
> This issue is corrected by the corresponding Git commit hash or Subversion
> revision number in the following stable and release branches:
>
> Branch/path                             Hash                     Revision
> - -------------------------------------------------------------------------
> stable/13/                              9352de39c3dc    stable/13-n247428
> releng/13.0/                            3e0a1e124169  releng/13.0-n244773
> stable/12/                                                        r370674
> releng/12.2/                                                      r371491
> - -------------------------------------------------------------------------
>
> For FreeBSD 13 and later:
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> For FreeBSD 12 and earlier:
>
> Run the following command to see which files were modified by a particular
> revision, replacing NNNNNN with the revision number:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
>
> VII. References
>
>
> The latest revision of this advisory is available at
>
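
The patch levels in the advisory's "Corrected" field can be compared against a host's kernel version. The script below is an added example, not part of the advisory or of the message above; the function name vt_sa_status and its result strings are assumptions made for illustration. It checks both the running kernel (freebsd-version -r) and the installed kernel (freebsd-version -k), because the fix only takes effect after the reboot the advisory calls for.

```shell
#!/bin/sh
# Added example: classify a FreeBSD version string against FreeBSD-SA-22:01.vt.
# Thresholds are taken from the advisory's "Corrected" field:
#   releng/13.0 -> 13.0-RELEASE-p6, releng/12.2 -> 12.2-RELEASE-p12

# vt_sa_status VERSION   (hypothetical helper name)
# Prints one of: fixed, vulnerable, check-manually, not-listed
vt_sa_status() {
    ver=$1
    case $ver in
        13.0-RELEASE*) min=6 ;;
        12.2-RELEASE*) min=12 ;;
        13.0-*|12.2-*)
            # -STABLE and other non-RELEASE builds carry no patch level; the
            # advisory gives only a correction timestamp for stable branches.
            echo check-manually; return 0 ;;
        *)  # Not in the advisory's "Affects" field.
            echo not-listed; return 0 ;;
    esac
    # Extract the numeric patch level; plain "-RELEASE" means p0.
    case $ver in
        *-RELEASE-p*) plevel=${ver##*-p} ;;
        *-RELEASE)    plevel=0 ;;
        *)            echo check-manually; return 0 ;;
    esac
    # Refuse anything that is not a plain number rather than guessing.
    case $plevel in
        ''|*[!0-9]*) echo check-manually; return 0 ;;
    esac
    if [ "$plevel" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
}

# On a FreeBSD host, report both kernels. A "fixed" installed kernel with a
# "vulnerable" running kernel means the update was applied but not rebooted.
if command -v freebsd-version >/dev/null 2>&1; then
    running=$(freebsd-version -r)
    installed=$(freebsd-version -k)
    echo "running kernel   $running: $(vt_sa_status "$running")"
    echo "installed kernel $installed: $(vt_sa_status "$installed")"
fi
```

A check-manually result on a -STABLE system means the build date or commit has to be compared with the advisory's correction timestamps and hashes by hand.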