From: Polarian
Date: Mon, 22 Dec 2025 23:23:11 +0000
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD-SA-25:12.rtsold.asc clarification needed

Hey,

> When I asked if patching the userland code was enough, you said no.

Sorry I must have misunderstood.

> Without rtsold if you have an interface that goes down and comes back
> up you likely will not get routes (including default) until the
> gateway performs its next timed transmission (typically 10 minutes.)

To my knowledge, rtsold sends out router solicitation, this has
nothing to do with resolvconf, so actually I am not 100% sure I
understand how rtsold can be used in this RCE.

The domain search would be within the advertisement, and thus parsed by
rtsol and passed to resolvconf, this is where the RCE exploit could
take place.

In any case rtsold and rtsol are both used in SLAAC, and whether it's
just one of them, or both of them play a part in the RCE, the solution
is the same.
Rebooting if you can spare the minute downtime is your best bet, if not
netif restart should ensure the patch is applied.

Take care,
--
Polarian
Jabber/XMPP: polarian@icebound.dev