From owner-svn-doc-all@freebsd.org Wed Nov 29 06:13:17 2017 Return-Path: Delivered-To: svn-doc-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 81711DF99F9; Wed, 29 Nov 2017 06:13:17 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3AD2166FFA; Wed, 29 Nov 2017 06:13:17 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAT6DGmF013077; Wed, 29 Nov 2017 06:13:16 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAT6DFM6013071; Wed, 29 Nov 2017 06:13:15 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201711290613.vAT6DFM6013071@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Wed, 29 Nov 2017 06:13:15 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r51235 - in head/share: security/advisories security/patches/SA-17:11 xml X-SVN-Group: doc-head X-SVN-Commit-Author: delphij X-SVN-Commit-Paths: in head/share: security/advisories security/patches/SA-17:11 xml X-SVN-Commit-Revision: 51235 X-SVN-Commit-Repository: doc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Nov 2017 06:13:17 -0000 Author: delphij Date: Wed Nov 29 06:13:15 2017 New Revision: 51235 URL: https://svnweb.freebsd.org/changeset/doc/51235 Log: Add SA-17:11. Added: head/share/security/advisories/FreeBSD-SA-17:11.openssl.asc (contents, props changed) head/share/security/patches/SA-17:11/ head/share/security/patches/SA-17:11/openssl-10.patch (contents, props changed) head/share/security/patches/SA-17:11/openssl-10.patch.asc (contents, props changed) head/share/security/patches/SA-17:11/openssl.patch (contents, props changed) head/share/security/patches/SA-17:11/openssl.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml Added: head/share/security/advisories/FreeBSD-SA-17:11.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-17:11.openssl.asc Wed Nov 29 06:13:15 2017 (r51235) @@ -0,0 +1,166 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-17:11.openssl Security Advisory + The FreeBSD Project + +Topic: OpenSSL multiple vulnerabilities + +Category: contrib +Module: openssl +Announced: 2017-11-29 +Affects: All supported versions of FreeBSD. +Corrected: 2017-11-02 18:30:41 UTC (stable/11, 11.1-STABLE) + 2017-11-29 05:59:12 UTC (releng/11.1, 11.1-RELEASE-p5) + 2017-11-29 05:59:12 UTC (releng/11.0, 11.0-RELEASE-p16) + 2017-11-29 05:35:28 UTC (stable/10, 10.4-STABLE) + 2017-11-29 05:59:50 UTC (releng/10.4, 10.4-RELEASE-p4) + 2017-11-29 05:59:50 UTC (releng/10.3, 10.3-RELEASE-p25) +CVE Name: CVE-2017-3735, CVE-2017-3736 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets +Layer (SSL) protocols. It is also a full-strength general purpose +cryptography library. + +II. Problem Description + +If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL +could do a one-byte buffer overread. [CVE-2017-3735] + +There is a carry propagating bug in the x86_64 Montgomery squaring procedure. +This only affects processors that support the BMI1, BMI2 and ADX extensions +like Intel Broadwell (5th generation) and later or AMD Ryzen. [CVE-2017-3736] +This bug only affects FreeBSD 11.x. + +III. Impact + +Application using OpenSSL may display erroneous certificate in text format. +[CVE-2017-3735] + +Mishandling of carry propagation will produce incorrect output, and make it +easier for a remote attacker to obtain sensitive private-key information. +No EC algorithms are affected, analysis suggests that attacks against RSA +and DSA as a result of this defect would be very difficult to perform and +are not believed likely. + +Attacks against DH are considered just feasible (although very difficult) +because most of the work necessary to deduce information about a private +key may be performed offline. The amount of resources required for such +an attack would be very significant and likely only accessible to a limited +number of attackers. An attacker would additionally need online access to +an unpatched system using the target private key in a scenario with +persistent DH parameters and a private key that is shared between multiple +clients. [CVE-2017-3736] + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Restart all daemons that use the library, or reboot the system. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all daemons that use the library, or reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.3] +# fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch +# fetch https://security.FreeBSD.org/patches/SA-17:11/openssl-10.patch.asc +# gpg --verify openssl-10.patch.asc + +[FreeBSD 11.x] +# fetch https://security.FreeBSD.org/patches/SA-17:11/openssl.patch +# fetch https://security.FreeBSD.org/patches/SA-17:11/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r326357 +releng/10.3/ r326359 +releng/10.4/ r326359 +stable/11/ r325337 +releng/11.0/ r326358 +releng/11.1/ r326358 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.3 (FreeBSD) + +iQIzBAEBCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloeTmQACgkQ7Wfs1l3P +aueQNRAAzUxb6H1JAgmgCRUKzN00FunkUNygvcvJRL9jK6h1TRCGvKk/jhdmakqZ +r/x7zjWSWBh3oBg6V3egTRIMcpSDmjKIkf/H/q9eeSlQKfHR5MVadCedghy1nq3c +XmpDlKyLp1zuy8gzkJNQCiIqn9BvxBRaUCzPJKFlpmgQwZStZvqpxUScJOX3X4ZC +tjlF3kaBE/9IKX8p8vulWWM+vXwsDxVKRulUeFAL75eIwo9YWva1hsUBLruKo1xg +CgWPJ4AXa9PL8WdJsYFkOA9R9wqBs1q6A+zuUQQJw5qQnQdg/rMchKsdS8I/dV7F +01qYYfM25q109pnNFEhIZNsZ4mIbBpW0hxzTwaq6f8bd8+7JuP3mH2xFHxIfNUzp +jrK1DSn/kOGf0Dun8mrBAsO4y+3F92GbqOHdUzPnTAtHOHwmjIY3ljsbHnTNtUxm +44X2O+6XIGmzUxQMOFqAfe8wRkBhIGMcEpY4NTW6g8hPJBk1o0dQgtDLpg6i+Wj/ +p+jDSNgkD4aFzsMoGc1kYsIT7qVBqn8jBydIUyrY5wQMNC+15+cDoF2QwKjGIU2H +yWEjaec2dY6YtakMiQV8U0WPRSEj18lrSs7L9uizZSS0UHquP/xY8b6yFrBPvwXQ +gVS3ZVKLOvCgGvl9MsJzB/FAR2jdOZdz6QzWchyG0PVZQVCPjBQ= +=9Q78 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-17:11/openssl-10.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:11/openssl-10.patch Wed Nov 29 06:13:15 2017 (r51235) @@ -0,0 +1,19 @@ +--- crypto/openssl/crypto/x509v3/v3_addr.c.orig ++++ crypto/openssl/crypto/x509v3/v3_addr.c +@@ -130,10 +130,12 @@ + */ + unsigned int v3_addr_get_afi(const IPAddressFamily *f) + { +- return ((f != NULL && +- f->addressFamily != NULL && f->addressFamily->data != NULL) +- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) +- : 0); ++ if (f == NULL ++ || f->addressFamily == NULL ++ || f->addressFamily->data == NULL ++ || f->addressFamily->length < 2) ++ return 0; ++ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; + } + + /* Added: head/share/security/patches/SA-17:11/openssl-10.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:11/openssl-10.patch.asc Wed Nov 29 06:13:15 2017 (r51235) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.3 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloeToEACgkQ7Wfs1l3P +aufSLA//X4kKoir7fhdlprg9oTE54WmueGfgE5qYj8ZOelJJ6zR1c7stXDZ6BY4D +2aYlkL8C3j0iPPuN7pPq+g1zM3TybllcQH91coBpF/r8QnWAID9ZIARWmck11K/3 +9a3oMtMXC5Zsy5e3cXCWQvKwjZy3/83/WdOh1aOZKTRnB6zvHbu94PwFj2EvW4YZ +kypD2/8MZUCDSvMDDwNHGgXqCuqXR8RTxt9Z7PyiQcms5qwn77UtdlUhIGt+SRWB +XsdryyQnS/zGcRy606qBweitN3S6hBUhLDWAruBFN+3R3Rk+Tcf1EV3mqcUGqPj1 +KpD8LLgVnriwm0pZjn2bX+uXv38RvosrFRutOq3G3gFfsa4zzAzSjdRLzczDQcor +r7yBxqQs8Xm/OiHmXD5Ch2ly7mTwwbnqIgDYkVlDKZFIVcJkqgQlIx4m+z3WDixM +FjN+HoXWF9AfgWoS7Ka287uqWE/3Yzgi8d8t9YGyjqYaSVzN864JmpULqDBF74dU +4X7OGZqyeD7SrjZZwxktcTvNLtrR2ftTBWvRoosPq1qs+5kQv97TtdDvhtTsrfgP +TOHOc72aEqjERKFaXzwn+RCrDZ7ljTEhrcHa1nYfoKSX9jwIxAFK26fQ/6nyIiqx +vqLrYYY1bx2YMHyDAskMXVrXPNC8doG3CazHF8L5fiThDRaMEC8= +=QvsH +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-17:11/openssl.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:11/openssl.patch Wed Nov 29 06:13:15 2017 (r51235) @@ -0,0 +1,67 @@ +--- crypto/openssl/crypto/bn/asm/x86_64-mont5.pl.orig ++++ crypto/openssl/crypto/bn/asm/x86_64-mont5.pl +@@ -3090,11 +3090,19 @@ + + .align 32 + .Lsqrx8x_break: +- sub 16+8(%rsp),%r8 # consume last carry ++ xor $zero,$zero ++ sub 16+8(%rsp),%rbx # mov 16(%rsp),%cf ++ adcx $zero,%r8 + mov 24+8(%rsp),$carry # initial $tptr, borrow $carry ++ adcx $zero,%r9 + mov 0*8($aptr),%rdx # a[8], modulo-scheduled +- xor %ebp,%ebp # xor $zero,$zero ++ adc \$0,%r10 + mov %r8,0*8($tptr) ++ adc \$0,%r11 ++ adc \$0,%r12 ++ adc \$0,%r13 ++ adc \$0,%r14 ++ adc \$0,%r15 + cmp $carry,$tptr # cf=0, of=0 + je .Lsqrx8x_outer_loop + +--- crypto/openssl/crypto/x509v3/v3_addr.c.orig ++++ crypto/openssl/crypto/x509v3/v3_addr.c +@@ -130,10 +130,12 @@ + */ + unsigned int v3_addr_get_afi(const IPAddressFamily *f) + { +- return ((f != NULL && +- f->addressFamily != NULL && f->addressFamily->data != NULL) +- ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) +- : 0); ++ if (f == NULL ++ || f->addressFamily == NULL ++ || f->addressFamily->data == NULL ++ || f->addressFamily->length < 2) ++ return 0; ++ return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; + } + + /* +--- secure/lib/libcrypto/amd64/x86_64-mont5.S.orig ++++ secure/lib/libcrypto/amd64/x86_64-mont5.S +@@ -3077,11 +3077,19 @@ + + .align 32 + .Lsqrx8x_break: +- subq 16+8(%rsp),%r8 ++ xorq %rbp,%rbp ++ subq 16+8(%rsp),%rbx ++ adcxq %rbp,%r8 + movq 24+8(%rsp),%rcx ++ adcxq %rbp,%r9 + movq 0(%rsi),%rdx +- xorl %ebp,%ebp ++ adcq $0,%r10 + movq %r8,0(%rdi) ++ adcq $0,%r11 ++ adcq $0,%r12 ++ adcq $0,%r13 ++ adcq $0,%r14 ++ adcq $0,%r15 + cmpq %rcx,%rdi + je .Lsqrx8x_outer_loop + Added: head/share/security/patches/SA-17:11/openssl.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-17:11/openssl.patch.asc Wed Nov 29 06:13:15 2017 (r51235) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.2.3 (FreeBSD) + +iQIzBAABCgAdFiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloeToIACgkQ7Wfs1l3P +aueWcg//RlFQI3WV/Tp0/Rr97YHQz1UD4rdqGLq+Thl3alcW3Qv/78SdAGe8uH+D +gNsz75tNH5GAR1jrxawXQfrYttasfJgL+gmJxFZWx5NeVW0XbP2i9XIcc6cwgN5x +hRWRbaBrnmGDwP/DFhqPr/Dc4bT8UpfEKSOKt51F5XiZMSNcNFoh3rbBCf4Vr631 +0NroVSCKNJAOKl0ZXF//tm3tbMmWgrI8SMlJjfDa9sqd0e3iJoouHe+z+kYDpbQ1 +tx78U1PaUV651T+gMc9ynyG4+V9TBFS+5pEjEw+IKBSQ4EW8rsEOzin80CdgcwJo +uFmnCXyr/xOy9pNNWipug9qo0f1beQ5txo1LQb55eR5U4N58Pp90+OoMc7noAfBd +kHJUJQkbqoi+CNivK0W7zLOcWw0iBWEhiI3FIEDXnXI86r7evVTHozPPJhcp276c +k1KTJPxcs7YOEpKJYIXL5Ec3SXzXgGPwhUvq64sKrSSmB0nUb/vbH/SlDrT6Q99d +ifFgpZ2gZmGVkQM0eIDeChQCD19xu1BLbw9mvlw8RqA1NIbqWlBdxmlLGY00iPy2 +TxiHJWaOdF0OnhS/LHe6BtKmhcpllpERMvCrDtlnG37DR07VPs5hM6mSFDwYZN7/ +0/MdsoODCQIOdsXMUo/d74F36/cPL/1QgPYpO3OdVpIovzl3MRQ= +=CiUu +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Nov 29 02:59:18 2017 (r51234) +++ head/share/xml/advisories.xml Wed Nov 29 06:13:15 2017 (r51235) @@ -11,6 +11,14 @@ 11 + 29 + + + FreeBSD-SA-17:11.openssl + + + + 15