Date: Mon, 25 Jul 2016 15:12:34 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r49164 - in head/share: security/advisories security/patches/EN-16:09 security/patches/SA-16:25 xml Message-ID: <201607251512.u6PFCYeT061854@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Mon Jul 25 15:12:34 2016 New Revision: 49164 URL: https://svnweb.freebsd.org/changeset/doc/49164 Log: Add EN-16:09 and SA-16:25. Added: head/share/security/advisories/FreeBSD-EN-16:09.freebsd-update.asc (contents, props changed) head/share/security/advisories/FreeBSD-SA-16:25.bspatch.asc (contents, props changed) head/share/security/patches/EN-16:09/ head/share/security/patches/EN-16:09/freebsd-update.patch (contents, props changed) head/share/security/patches/EN-16:09/freebsd-update.patch.asc (contents, props changed) head/share/security/patches/SA-16:25/ head/share/security/patches/SA-16:25/bspatch.patch (contents, props changed) head/share/security/patches/SA-16:25/bspatch.patch.asc (contents, props changed) Modified: head/share/xml/advisories.xml head/share/xml/notices.xml Added: head/share/security/advisories/FreeBSD-EN-16:09.freebsd-update.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-16:09.freebsd-update.asc Mon Jul 25 15:12:34 2016 (r49164) @@ -0,0 +1,149 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-16:09.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update(8) support of FreeBSD 11.0 release distribution + +Category: core +Module: freebsd-update +Announced: 2016-07-25 +Affects: All supported versions of FreeBSD. +Corrected: 2016-07-11 04:50:32 UTC (stable/11, 11.0-BETA2) + 2016-07-11 04:50:32 UTC (stable/11, 11.0-BETA1-p1) + 2016-07-11 04:11:33 UTC (stable/10, 10.3-STABLE) + 2016-07-25 15:04:17 UTC (releng/10.3, 10.3-RELEASE-p6) + 2016-07-25 15:04:17 UTC (releng/10.2, 10.2-RELEASE-p20) + 2016-07-25 15:04:17 UTC (releng/10.1, 10.1-RELEASE-p37) + 2016-07-11 04:12:15 UTC (stable/9, 9.3-STABLE) + 2016-07-25 15:04:17 UTC (releng/9.3, 9.3-RELEASE-p45) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The freebsd-update(8) utility is used to apply binary patches to FreeBSD +systems installed from official release images, as an alternative to +rebuilding from source. + +II. Problem Description + +The recent development of FreeBSD has introduced additional release +distribution names, which would fail with the existing freebsd-update(8) +sanity checks. + +III. Impact + +Upgrading to FreeBSD 11.x from existing FreeBSD releases is not possible +due failing sanity checks. + +IV. Workaround + +No workaround is available other than patching the freebsd-update(8) +utility, but systems that do not use FreeBSD-provided binary updates +to upgrade are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +A reboot is not required. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is not required. + +Please note that for FreeBSD 11.0-BETA1, the freebsd-update utility needs +to be patched manually. + +# fetch http://update.freebsd.org/11.0-BETA1/i386/f/6b42aa5e560601bbf30c0b7a6ceed274796c955e6254f7a2fcd393376fe21c55.gz +# gunzip -c < 6b42aa5e560601bbf30c0b7a6ceed274796c955e6254f7a2fcd393376fe21c55.gz > NEW +# sha256 -q NEW + +Verify that the output is: + +6b42aa5e560601bbf30c0b7a6ceed274796c955e6254f7a2fcd393376fe21c55 + +# install -m 555 NEW /usr/sbin/freebsd-update + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-16:09/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-16:09/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r302537 +releng/9.3/ r303304 +stable/10/ r302536 +releng/10.1/ r303304 +releng/10.2/ r303304 +releng/10.3/ r303304 +stable/11/ r302539 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:09.freebsd-update.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAEBCgAGBQJXliskAAoJEO1n7NZdz2rngvEP/iP/SI7ot9+oiV+BfV5QWUki +e5ZV9K780kMPfDOxJh7jR9/CJbzHz0Sp/KLLq0vgfpq3hiwdDGnrRGWK0k+Wb0QQ +QtXftMl5DSSfbaICK03jVjrBszytFpoKIlSqCdT2BB5vGIT9rCO7m2d320MfIQXK +M1vVxOt67FRVRPbG4nOFwhdExllKk4jt0Tp5AqSkO3WlNC0qVyK6IECwKnpMn3YO +o0upyQaJCNxZgDzg8X+paCHMYLeliafJhugJjH7V/QtYJI5RMFY7FWaCOtD+uFux +RkVqsRGxDm7kzlvXMW+sh6jcbP1jk83Nv6LZjNYyZlqYILUoRclubtLXN9aI7Tfa +Z6Qr33IBX+nRNDFSIy6awm+hiwC9Gm6ODz5aQSMkEd0uzpO11I6BXxUaj7QmEl1u +NnmmKbdoZvI6k0g4tWMgXZtwFFjij8d7RlyG57Sa058nnHr/0uehgc2g4wU59qXa +au5USIuyyBzZpyznT2/UFH7GzYlJ10Pq2iog+1U/5NJMgIGMrDQ7xwx8Xwwthdxg +5fk3dmGWYsnTS/bB567tGuqAwk55lOSLgxYoPUrK9AqGgmZwaMK5yAxbfUl4D9Z1 +6ED1Nmb2EEJSDA7HupECEZOszmmGy8ydSiKzXuSqZ0DLX+LqBBP6YTvCH4w4vyh6 +7KZWLEr7uRQ9/fTqlGFf +=WJIj +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:25.bspatch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:25.bspatch.asc Mon Jul 25 15:12:34 2016 (r49164) @@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:25.bspatch Security Advisory + The FreeBSD Project + +Topic: Heap vulnerability in bspatch + +Category: core +Module: bsdiff +Announced: 2016-07-25 +Affects: All supported versions of FreeBSD. +Corrected: 2016-07-25 14:52:12 UTC (stable/11, 11.0-BETA2-p1) + 2016-07-25 14:52:12 UTC (stable/11, 11.0-BETA1-p1) + 2016-07-25 14:53:04 UTC (stable/10, 10.3-STABLE) + 2016-07-25 15:04:17 UTC (releng/10.3, 10.3-RELEASE-p6) + 2016-07-25 15:04:17 UTC (releng/10.2, 10.2-RELEASE-p20) + 2016-07-25 15:04:17 UTC (releng/10.1, 10.1-RELEASE-p37) + 2016-07-25 14:53:04 UTC (stable/9, 9.3-STABLE) + 2016-07-25 15:04:17 UTC (releng/9.3, 9.3-RELEASE-p45) +CVE Name: CVE-2014-9862 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The bspatch utility generates newfile from oldfile and patchfile where +patchfile is a binary patch built by bsdiff(1). + +II. Problem Description + +The implementation of bspatch does not check for a negative value on numbers +of bytes read from the diff and extra streams, allowing an attacker who +can control the patch file to write at arbitrary locations in the heap. + +This issue was first discovered by The Chromium Project and reported +independently by Lu Tung-Pin to the FreeBSD project. + +III. Impact + +An attacker who can control the patch file can cause a crash or run arbitrary +code under the credentials of the user who runs bspatch, in many cases, root. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +No reboot is needed. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +No reboot is needed. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch +# fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch.asc +# gpg --verify bspatch.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r303301 +releng/9.3/ r303304 +stable/10/ r303301 +releng/10.1/ r303304 +releng/10.2/ r303304 +releng/10.3/ r303304 +stable/11/ r303300 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://bugs.chromium.org/p/chromium/issues/detail?id=372525> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:25.bspatch.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAEBCgAGBQJXlir7AAoJEO1n7NZdz2rnTtAP/iFnhrcmRuxmeMGtVPWHZFhH +/I2iB62wGf4vNGVedwh3fHPEgjEpMvDVP7S+OCLB7Fnf+Mwm9uL47cjxdr/P5dy8 +iKRsojG7HVE3Iia7DyaSEQwbJMQZGWsy2wr9epiHPoOpnSaWKUBx94C+oc7gPdM5 +8LW5OpUgSpFCztQ82gbM/2Bjy5OREJQP6ASW62WO+MkD7n+ZUzsUCdR13bzvpA23 +BaNeInQArn5Zf3OiZXjQ9Go1muml2llQmqxeb8p3V9IbJ3mdUBQat1AtF/yXfpWA +tkUfgqAaoKbjOrk22h/wBRssPlqqftZDXWqi2KlkEltqyU1evnsb5UVCu0SZdgkW +lQlnE1vymJCnxC211SweDNbbP8laR0OpjRxUxljSXVMXag4Lh9+9aD6zIZ9zZNi7 +MxXEasLZViwq8gEbZLlLUfcOQVv6T+3jTiH8aRUYFp5PsBGBgQCAQgGCEaztQTNr +lnSp/rqnP7FEu7gsHtP3wGK03RItNketbKMSUzV5eXiWmVYC3a6/WboqqJuqhDka +zs3W0h0Fw6iqk6CfImHnhD1unarXnSQU5vRcf9srnUvS0XgYS/113BQK23SjGmki +OIJe3Wm0CrcChAf8lKdeyPlKFcN906EkQ8Hh8vB00B9BZCXYLY9zBK6lW40NA1UN +cy+ljfLX/xwCNIJJXdwH +=FL3H +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-16:09/freebsd-update.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:09/freebsd-update.patch Mon Jul 25 15:12:34 2016 (r49164) @@ -0,0 +1,11 @@ +--- usr.sbin/freebsd-update/freebsd-update.sh.orig ++++ usr.sbin/freebsd-update/freebsd-update.sh +@@ -1250,7 +1250,7 @@ + + # Check that the first four fields make sense. + if gunzip -c < files/$1.gz | +- grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then ++ grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then + fetch_metadata_bogus "" + return 1 + fi Added: head/share/security/patches/EN-16:09/freebsd-update.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-16:09/freebsd-update.patch.asc Mon Jul 25 15:12:34 2016 (r49164) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAABCgAGBQJXlisdAAoJEO1n7NZdz2rn8A0QAOZkAJrgoOhtyTIp9M15Vgw5 +gbBYIIfu0M0ZORGK0ii+kpoyWSYebM11NEw8j3xodMioCF9xrOKkBqa6aSZbJ/yu +t+zvs7m0XA/Dz1Gbdk/+Kb9NZiBnK256OUXosg1YCqNZl+G+hkJP0J6mmbhq5ngM +F29+XfSNsDnZOkO65r8i6HeGCV6xE5WuxWPL4Tyb5eBE4fF1RThJm7wPWz6taNCJ +rt63fxZsaoZwxPYUq3gne/X33Zdxufg6+nYv6wMF+NpgMg8ATnrDkt8iCSHIi03x +xfuZHDB90mW0tuCBs06Si7AgZmyoyp99val51xPfyid0rcyHqxhPy5O/ggJTtFUk +2y+hAq4bF6wk/skJee2vrhSsOOAOwZ1rbysVnjVTy38nGK+2bVskGMCGfsYLNm7z +BGfUNCdVAn3n+DKpdsC9PBThWD+yVDUpNOuxZoGa+zeX1TY5pw2uJb+DEMqGMGAa +zIj7A4HGMWksJWcZ14OLckyOX3TegwOl/ypjGBweDpkPmHdpW8Vsp3vzJ7QwGx3Q +AY0agzts22RjzFlIpfhF5rrPuqekXgx2iAlxlwdikzu4maE5bjmYe81ctPezYFem +hsdwvHJZlAU30CxIpnUGahvfTVJxeVupLL2lMCD0PdX5s89mQRxY1jAVdkimUUmN +/DYhPCPiUnodANkReDlm +=1xk9 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:25/bspatch.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:25/bspatch.patch Mon Jul 25 15:12:34 2016 (r49164) @@ -0,0 +1,13 @@ +--- usr.bin/bsdiff/bspatch/bspatch.c.orig ++++ usr.bin/bsdiff/bspatch/bspatch.c +@@ -164,6 +164,10 @@ + } + + /* Sanity-check */ ++ if ((ctrl[0] < 0) || (ctrl[1] < 0)) ++ errx(1,"Corrupt patch\n"); ++ ++ /* Sanity-check */ + if(newpos+ctrl[0]>newsize) + errx(1,"Corrupt patch\n"); + Added: head/share/security/patches/SA-16:25/bspatch.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:25/bspatch.patch.asc Mon Jul 25 15:12:34 2016 (r49164) @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAABCgAGBQJXlisQAAoJEO1n7NZdz2rn+DsQANxyj43FDDzMKGUqMksTkJHY +tZ46p64Je48sfGx5gTbeq/Uu1a6SLSM7ZnXGnwkm+IbOtIxu/tqKG/VhRg519UHU +7nHRDR8kNc51jyXkG7g0jbwe/kwhZ+a0D2XJGdYIZ6UOzw56b+otdHSU+mLgoNeK +t+3A6ETxQNXrqBmas87ylaGr7qdvN9ZlCDFjRDH3c2G6lVwA+YriOLSpRCCPe2HK +bAgj9QoqgeCP1dqzqOiLd+4RCy0/8acdaZL+46vGpqlvWXPQOM6CTDMc3DZ1Ck0S +UXmcDWJTLnU0BamYw3/q6VQxorQIbM3ihRQZSIx67wwK2FZMyCCrFTOeS7+3Qtn+ +kJgN5ZBrODQ0waYZ+9796+KL4cOff29a0Yj3CECOOhvl4+sQsN+q5oNk7mrSIDoj +zPbyijP2Op8WTmpY1kL1VjKudbMwnjAHTcl3RQQHMOqsy0jkXmSnaFbq1wwbCCFS +bLhKz8CzwILjHj4PVFjFB2tnbPzaHZ+PukSFhQJoWPZt2fbY6wetxvnwGNzDckrT +7QvoLlutBCUXRMueP8fmmaPvf2/C4YdtSRjvhP0aGA16YyULw1/Yb5YMOFmIdxtb +ba/sdkW2wZJU4is0BXAHlvYLuZCiC+bS5KldQtVh15kU+3bxaM0TL4aFgkQjsBGM +NULonnlJR8NKf6bFD7RG +=v3Sd +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Mon Jul 25 15:06:16 2016 (r49163) +++ head/share/xml/advisories.xml Mon Jul 25 15:12:34 2016 (r49164) @@ -8,6 +8,18 @@ <name>2016</name> <month> + <name>7</name> + + <day> + <name>25</name> + + <advisory> + <name>FreeBSD-SA-16:25.bspatch</name> + </advisory> + </day> + </month> + + <month> <name>6</name> <day> Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Mon Jul 25 15:06:16 2016 (r49163) +++ head/share/xml/notices.xml Mon Jul 25 15:12:34 2016 (r49164) @@ -8,6 +8,18 @@ <name>2016</name> <month> + <name>7</name> + + <day> + <name>25</name> + + <notice> + <name>FreeBSD-EN-16:09.freebsd-update</name> + </notice> + </day> + </month> + + <month> <name>5</name> <day>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201607251512.u6PFCYeT061854>