Date: Mon, 10 Oct 2016 07:38:24 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r49477 - in head/share: security/advisories security/patches/SA-16:27 security/patches/SA-16:28 security/patches/SA-16:29 security/patches/SA-16:30 security/patches/SA-16:31 xml
Message-ID: <201610100738.u9A7cOSU053277@repo.freebsd.org>
Author: delphij
Date: Mon Oct 10 07:38:23 2016
New Revision: 49477
URL: https://svnweb.freebsd.org/changeset/doc/49477

Log:
  Add SA-16:27-31.

Added:
  head/share/security/advisories/FreeBSD-SA-16:27.openssl.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:28.bind.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:29.bspatch.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:30.portsnap.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-16:31.libarchive.asc (contents, props changed)
  head/share/security/patches/SA-16:27/
  head/share/security/patches/SA-16:27/openssl.patch (contents, props changed)
  head/share/security/patches/SA-16:27/openssl.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:28/
  head/share/security/patches/SA-16:28/bind.patch (contents, props changed)
  head/share/security/patches/SA-16:28/bind.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:29/
  head/share/security/patches/SA-16:29/bspatch.patch (contents, props changed)
  head/share/security/patches/SA-16:29/bspatch.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:30/
  head/share/security/patches/SA-16:30/portsnap-10.patch (contents, props changed)
  head/share/security/patches/SA-16:30/portsnap-10.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:30/portsnap-9.3.patch (contents, props changed)
  head/share/security/patches/SA-16:30/portsnap-9.3.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:31/
  head/share/security/patches/SA-16:31/libarchive-10.1.patch (contents, props changed)
  head/share/security/patches/SA-16:31/libarchive-10.1.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:31/libarchive-10.2.patch (contents, props changed)
  head/share/security/patches/SA-16:31/libarchive-10.2.patch.asc (contents, props changed)
  head/share/security/patches/SA-16:31/libarchive-10.3.patch (contents, props changed)
  head/share/security/patches/SA-16:31/libarchive-10.3.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-16:27.openssl.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:27.openssl.asc Mon Oct 10 07:38:23 2016 (r49477) 
@@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:27.openssl Security Advisory + The FreeBSD Project + +Topic: Regression in OpenSSL suite + +Category: contrib +Module: openssl +Announced: 2016-10-10 +Credits: OpenSSL Project +Affects: All supported versions of FreeBSD. +Corrected: 2016-09-26 14:30:19 UTC (stable/11, 11.0-STABLE) + 2016-09-26 20:26:19 UTC (releng/11.0, 11.0-RELEASE-p1) +CVE Name: CVE-2016-7052 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is +a collaborative effort to develop a robust, commercial-grade, full-featured +Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) +and Transport Layer Security (TLS v1) protocols as well as a full-strength +general purpose cryptography library. + +II. Problem Description + +The OpenSSL version included in FreeBSD 11.0-RELEASE is 1.0.2i. The version +has bug fix for CVE-2016-7052, which should have included CRL sanity check, +but the check was omitted. + +III. Impact + +Any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer +exception. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Restart all daemons that use the library, or reboot the system. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all daemons that use the library, or reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:27/openssl.patch +# fetch https://security.FreeBSD.org/patches/SA-16:27/openssl.patch.asc +# gpg --verify openssl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r306343 +releng/11.0/ r306354 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://www.openssl.org/news/secadv/20160926.txt> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:27.openssl.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAEBCgAGBQJX+0OlAAoJEO1n7NZdz2rnEPYQAOewieypFMknEi5Q02IBVhcC +Bs1sczFLXaSz+4c9lNRi+m6Q5TXbW0MM9ZhZDnoLOXZ9OZ7DsQ0OVJcmWPHCSTkT +WAlZgiB5B2xtZpLUNi0XAVPyegh+YxWCKa5mq/e4gC7BL+QhtTQqIlzsNylBDcI0 +2Tp5fPfO3vIJlSwPpsUA2peYlm2c75/dusE0+bvWnqickWbEmFdCAd8rzTLrsm9R +w5essD2o6BzFPA9j+3X/LNaMI6ZKKa4EkaXXB42KHruDfNTV8dmYL/LLxWs6aj1f +Li++71GPh3aZZCA5SCo6NYdI25kg4xORZzqUmYzT856kdmpaemLd8oVT8/ojOCTX +CoNtA9yVphhYgfSGLy2BIs0u7U3H16SVjZ1oC5MjTAY6kUsEDt6x2vlKOt5452yN +3v2fHf9I8/ibgo4d4ovpGGzvrj/8EfodmDLhjYP5RcwZH4FW1jCUzXTflsYmPWMi +8+COC+K19MNIXR0M8ajs2M8z2ILc3pOUZ1sdrNhU1jEIyYCl8EDMEU0Bc13XlUKS +UE92RKfxIAMh+Zyu44++8UizfOorBVKhQVd+9NthMnfXW6xlnwujjbabam8k2E5V +Za4sBQ57JvL9aKrsbmB/hhVnxXE6jYqtp7tagXK+wwULO1SarpRp7HENd50ggH5l +yu2DM4rkIcwzTaJEdvyT +=5rNc +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:28.bind.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:28.bind.asc Mon Oct 10 07:38:23 2016 (r49477) 
@@ -0,0 +1,138 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:28.bind Security Advisory + The FreeBSD Project + +Topic: BIND remote Denial of Service vulnerability + +Category: contrib +Module: bind +Announced: 2016-10-10 +Credits: ISC +Affects: FreeBSD 9.x +Corrected: 2016-09-28 06:11:01 UTC (stable/9, 9.3-STABLE) + 2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48) +CVE Name: CVE-2016-2776 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. + +II. Problem Description + +Testing by ISC has uncovered a critical error condition which can occur when +a nameserver is constructing a response. A defect in the rendering of +messages into packets can cause named to exit with an assertion failure in +buffer.c while constructing a response to a query that meets certain +criteria. + +This assertion can be triggered even if the apparent source address is not +allowed to make queries (i.e. doesn't match 'allow-query'). [CVE-2016-2776] + +III. Impact + +A remote attacker who can send queries to a server running BIND can cause +the server to crash, resulting in a Denial of Service condition. + +IV. Workaround + +No workaround is available, but hosts not running named(8) are not +vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +The named service has to be restarted after the update. A reboot is +recommended but not required. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +The named service has to be restarted after the update. A reboot is +recommended but not required. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-16:28/bind.patch +# fetch https://security.FreeBSD.org/patches/SA-16:28/bind.patch.asc +# gpg --verify bind.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the named service, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r306394 +releng/9.3/ r306942 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://kb.isc.org/article/AA-01419> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:28.bind.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAEBCgAGBQJX+0OlAAoJEO1n7NZdz2rnt/cQAJJ/P9/cNH4mB3Oq9kks1TJI +thye1Bmd6BAS16UYj+S2POSkrwkTJLhg/Rtch/4O1TUJ7q86Dko/0nciF/4Qin/J +LrNhX2TUUTpQygfWdzTqdk9EiHLKT46sNh1Two4Lb9gMuBulES9Fy40gj8y81ypv +uys05i6DMAlY/EsmidTHFKUGGC9160XLS7wFWnlw9XglDHn2+pIDALHl77mmoXwR +VKiCbGO6IybDV5bATh12eflCSb+IJRT0MMOwJAt3Nhzp//7t2tf+izazzfs43IH4 +HRkiDfkkxqAMus6h0Dm4xR91oe/oSzlEedKFM3ctHfQqyIi+AP0FKixf8pS72n7o +M0W5vIbkMSuTsiOTzyQUJpQ3tExvWeZjhNZj9U5trs2YNdPCRaM3pETUdF6GZmNC +tnPiTZFst3ARsy/4oJg8Eeo/cyrd/sfPm4fXCbXkakL7ml/Mu+/KEyq5qw43FIXn +96/btRfHsPSpy74KRtLsqSM29eCK9puGhJIk1iBtuhuTvze/48Od7U5zWOjn8XiS +o4oOyCtm3nQfB8VIzfypFAIUFFOqfHmsfP3s51J9tUXjxvORO3UWD3/R2wXLre2Y +Z5+s7IUhesunZztGtaUFCqG28KCrzmSiIVXGRd/IsQCuTJ4DNiUFZofKYdI0B7fE +hrSETFwDg/OYusZ5/96D +=v9vM +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:29.bspatch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:29.bspatch.asc Mon Oct 10 07:38:23 2016 (r49477) 
@@ -0,0 +1,146 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:29.bspatch Security Advisory + The FreeBSD Project + +Topic: Heap overflow vulnerability in bspatch + +Category: core +Module: bsdiff +Announced: 2016-10-10 +Affects: All supported versions of FreeBSD. + 2016-09-22 21:05:21 UTC (stable/11, 11.0-STABLE) + 2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1) + 2016-09-22 21:16:54 UTC (stable/10, 10.3-STABLE) + 2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10) + 2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23) + 2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40) + 2016-09-23 01:52:06 UTC (stable/9, 9.3-STABLE) + 2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48) + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The bspatch utility generates newfile from oldfile and patchfile where +patchfile is a binary patch built by bsdiff(1). + +II. Problem Description + +The implementation of bspatch is susceptible to integer overflows with +carefully crafted input, potentially allowing an attacker who can control +the patch file to write at arbitrary locations in the heap. This issue +was partially addressed in FreeBSD-SA-16:25.bspatch, but some possible +integer overflows remained. + +III. Impact + +An attacker who can control the patch file can cause a crash or run arbitrary +code under the credentials of the user who runs bspatch, in many cases, root. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +No reboot is needed. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility. + +Because this vulnerability exists in bspatch, a component used by +freebsd-update, a special procedure must be followed to safely update. +First, truncate bspatch to a zero byte file: + +# :> /usr/bin/bspatch + +FreeBSD-update will fall back to replacing bspatch, rather than applying +a binary patch. Proceed with FreeBSD-update as usual: + +# freebsd-update fetch +# freebsd-update install + +No reboot is needed. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:29/bspatch.patch +# fetch https://security.FreeBSD.org/patches/SA-16:29/bspatch.patch.asc +# gpg --verify bspatch.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r306222 +releng/9.3/ r306942 +stable/10/ r306215 +releng/10.1/ r306941 +releng/10.2/ r306941 +releng/10.3/ r306941 +stable/11/ r306213 +releng/11.0/ r306379 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:29.bspatch.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAEBCgAGBQJX+0OmAAoJEO1n7NZdz2rnMHQQALyzQ6rIFLMV+qfIKr/dxUmv +frrY3rE8GbHNI6UYnlB7T97SZBVG2lOGpUO7sGNzsqAol+aBEn44mX88ijCQk+mc +pIHcbwACkAG6u5c6nyelHAa3ZLc8PkPbNaryjfc9Y0vZxGFKI5ETpdN1nFxUBKRA +eGt4h4GW3ZxHTkc3DDogDM6kBds3DYAnQjnqvkH6QesM/cMIdnU2NMjIrYDdtcsJ +Mp92PqRl8/qCZxcpfoHSl3S190Dmu9KNjEwXdk8gvtr7aTe/OG9fcIOAwIJHMi/n +E3tojTrSGLl0v9yuznG8rU0Hr6VyFNRv9i5QhPEQF4ZQ0HT2/naV0v/THMB1JdeR +8rszvO8HIdYkKEYPEp4RZ+QWJX36xK0ZOA0BSF3+OW6VYMIEB+iMvK1xAlGWmyJq +D6f5AQuw559o4MNZ9gh1tXl+PXjYHvwSOrHb1EZ7mDZ3zVarn8TwUjxaE2ILIhjW +wS+wqbxZt1eENfKbhLHxSavIE+Bi59ab/iymmOFtFdgDDDpQhzx13MUFM17v270g +1OCXnx7HLMIr5ibndJBQbjPmZT0InMM9856Hij8UhcFjyFpytCJie7sVcDFG9nNp +z3VXrSIdEIA5MwaD6MYGW8nUfBwQnD/rSh6t2Tt4qz24FPk9K9pbzpb8CDIOImiF +GnLZXJQlgmJ55XOa0EgR +=uRNW +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:30.portsnap.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:30.portsnap.asc Mon Oct 10 07:38:23 2016 (r49477) 
@@ -0,0 +1,149 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:30.portsnap Security Advisory + The FreeBSD Project + +Topic: Multiple portsnap vulnerabilities + +Category: core +Module: portsnap +Announced: 2016-10-10 +Affects: All supported versions of FreeBSD. +Corrected: 2016-09-28 21:33:35 UTC (stable/11, 11.0-STABLE) + 2016-09-28 22:04:07 UTC (releng/11.0, 11.0-RELEASE-p1) + 2016-10-05 00:33:06 UTC (stable/10, 10.3-STABLE) + 2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10) + 2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23) + 2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40) + 2016-10-05 01:01:10 UTC (stable/9, 9.3-STABLE) + 2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48) + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The portsnap utility is used to fetch and update compressed snapshots of +the FreeBSD ports tree. Portsnap fetches snapshots and updates over http, +and then cryptographically verifies the downloaded files. + +II. Problem Description + +Flaws in portsnap's verification of downloaded tar files allows additional +files to be included without causing the verification to fail. Portsnap may +then use or execute these files. + +III. Impact + +An attacker who can conduct man in the middle attack on the network at the +time when portsnap is run can cause portsnap to execute arbitrary commands +under the credentials of the user who runs portsnap, typically root. + +IV. Workaround + +The ports tree may be obtained by methods other than portsnap, as +described in the FreeBSD handbook. + +V. 
Solution + +portsnap has been modified to explicitly validate compressed files within +the tar file by full name, rather than relying on gunzip's filename search +logic. portsnap now verifies that snapshots contain only the expected files. + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +No reboot is needed. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility. + +This advisory is released concurrently with FreeBSD-SA-16:29.bspatch +which contains special instructions for using freebsd-update. Following +the instructions in that advisory will safely apply updates for +FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and +FreeBSD-SA-16:31.libarchive. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 10.x] +# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-10.patch +# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-10.patch.asc +# gpg --verify portsnap-10.patch.asc + +[FreeBSD 9.3] +# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-9.3.patch +# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-9.3.patch.asc +# gpg --verify portsnap-9.3.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r306701 +releng/9.3/ r306942 +stable/10/ r306697 +releng/10.1/ r306941 +releng/10.2/ r306941 +releng/10.3/ r306941 +stable/11/ r306418 +releng/11.0/ r306419 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:30.portsnap.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAEBCgAGBQJX+0OqAAoJEO1n7NZdz2rns54P/3N6V4ZGWZ8jXDSw7KPRhF16 +gUs2AQx+rL+o5rOVsMZ6DulVtFP+AzUvEsLIJeARdaOJar9St1cQVTZHa+8CtWr5 +aCSgx5r39srcvvMuQ34z0yss7eEkHRubzkIzrjHcD6MweFg4tAIufXHgxmhNVuKp +QOQCwUbWIp8MssNbd/nYr1fpNoEvhkuzEv+EsvU+gTXeYNbHDS8zN/XC1a4167Q9 +flFCqVn45ZpYR+2ifeLv0s+Rj4MQdnaCUYPpt1JoY5pIr/1GbNuywam9YgUQJZ7o +gbY+S9Un0aByEOmPgD2e6qb8qhQFtaJgAbhB51dsI/qpZUljQKERmV1vd78drqWB +1gss/MFe5oyxZ5IbmHLBabIcKvvtH72gSaD8Zp973TbD72usjC/ZfdkukNBlWkbm +M4PFTK+VQA1y5c8R2RduVoz3ioaBtRisxqqGOi0i3AUgiWx6IeP9jkIana28dGtJ +Mkm4ZiWBj12lT5B+gafpy7+bLkbYl2sEFYIt+YUlJ1GqAumyDnnmYt5rDhZwMLFo +7ywCpCwtoBc49sCV7szV4MdFw0Zmo8tT0uiWBehferN1SHygKVNGnXIj+NotRXx0 +mp0j7pgK4AcML2y7pJLEUwyWUKE5tBkPKmHg+4ELhqPb0mjm+A+KHX/8vXxlPpRJ +2yVhfIubEhECQJeJKAqm +=y+kG +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-16:31.libarchive.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-16:31.libarchive.asc Mon Oct 10 07:38:23 2016 (r49477) 
@@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-16:31.libarchive Security Advisory + The FreeBSD Project + +Topic: Multiple libarchive vulnerabilities + +Category: core +Module: portsnap +Announced: 2016-10-05 +Affects: All supported versions of FreeBSD. +Corrected: 2016-09-25 22:02:27 UTC (stable/11, 11.0-STABLE) + 2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1) + 2016-09-25 22:04:02 UTC (stable/10, 10.3-STABLE) + 2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10) + 2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23) + 2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40) + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The libarchive(3) library provides a flexible interface for reading and +writing streaming archive files such as tar(1) and cpio(1), and has been the +basis for the FreeBSD implementation of the tar(1) and cpio(1) utilities +since FreeBSD 5.3. + +II. Problem Description + +Flaws in libarchive's handling of symlinks and hard links allow overwriting +files outside the extraction directory, or permission changes to a directory +outside the extraction directory. + +III. Impact + +An attacker who can control freebsd-update's or portsnap's input to tar can +change file content or permisssions on files outside of the update tool's +working sandbox. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +No reboot is needed. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility. + +This advisory is released concurrently with FreeBSD-SA-16:29.bspatch +which contains special instructions for using freebsd-update. Following +the instructions in that advisory will safely apply updates for +FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and +FreeBSD-SA-16:31.libarchive. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch +# fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch.asc +# gpg --verify libarchive.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/10/ r306322 +releng/10.1/ r306941 +releng/10.2/ r306941 +releng/10.3/ r306941 +stable/11/ r306321 +releng/11.0/ r306379 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f> +<URL:https://github.com/libarchive/libarchive/issues/743> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:31.libarchive.asc> +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.1.13 (FreeBSD) + +iQIcBAEBCgAGBQJX+0OrAAoJEO1n7NZdz2rnkaAP/i5Njok8Lg3ogwRGVo/HVQfA +AzRz2oQ5oAuwZhmpkQ3CzHArRsaTGuKK5C1SNJpmEDuq5XM2u5Td2ph/R5ry0fwF +7B58Ci+o7ngRWtJ/N8dYk3cXfg0sjPZKDO1otIyfh8HF3UAq5uB3/w/8UFOpqcxQ +guMKahd/r9PnfrD8GtS+t/2V+KHInNH0J4YD/+hoqcdZPzMKtlE5D5OjqOov9rVn +myQwAuN+w2buPj2gXSuubq5wTNFOvj8u06mVpRj+0X0VoybdN5cohuqSx7s4vlw+ +/qV7gT2993aijXp43dGGSUeuGl1ZbrKp233vntkIYrsjJzaw56YMHL3ushopGGhj +OfC/ilXmsUjrlHgCrWpMiTuN7cdWDXrpMnaf4c99yMxdYUuRtbbnVthdOpZB8iOt +7xeVnvHiYTYbQu+4xy4SPOWqPLOnrbwVqIocXU1QjWJice5A3EU/mSAd2IpX04a2 +prdlaGxBNZlziLgzsZoiER+5u0S3owbx7y2SVhMEslHyrRQ92X7SZjfu4NrvlX5k +Dw6xjpHD51pshj4GXTPuznbCyd8246u1fRnH3fnlNLhz5/XhrYbG+OVQ9WDbnX2C +6SzS/oOcjA9qcq1+Ghmz6G7S2MuWZ0XcKfzV0ygX2RZEhU1p0rZfsF/2cGrKIGY1 +JguXI1tZdrjfSZisAI+l +=vqSJ +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-16:27/openssl.patch ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-16:27/openssl.patch Mon Oct 10 07:38:23 2016 (r49477) 
@@ -0,0 +1,4151 @@ +--- crypto/openssl/crypto/engine/eng_cryptodev.c.orig ++++ crypto/openssl/crypto/engine/eng_cryptodev.c +@@ -939,7 +939,7 @@ + if (fstate->mac_len != 0) { + if (fstate->mac_data != NULL) { + dstate->mac_data = OPENSSL_malloc(fstate->mac_len); +- if (dstate->ac_data == NULL) { ++ if (dstate->mac_data == NULL) { + printf("cryptodev_digest_init: malloc failed\n"); + return 0; + } +--- crypto/openssl/crypto/x509/x509_vfy.c.orig ++++ crypto/openssl/crypto/x509/x509_vfy.c +@@ -1124,10 +1124,10 @@ + crl = sk_X509_CRL_value(crls, i); + reasons = *preasons; + crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); +- if (crl_score < best_score) ++ if (crl_score < best_score || crl_score == 0) + continue; + /* If current CRL is equivalent use it if it is newer */ +- if (crl_score == best_score) { ++ if (crl_score == best_score && best_crl != NULL) { + int day, sec; + if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl), + X509_CRL_get_lastUpdate(crl)) == 0) +--- crypto/openssl/crypto/opensslv.h.orig ++++ crypto/openssl/crypto/opensslv.h +@@ -30,11 +30,11 @@ + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-# define OPENSSL_VERSION_NUMBER 0x1000209fL ++# define OPENSSL_VERSION_NUMBER 0x100020afL + # ifdef OPENSSL_FIPS +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2i-fips 22 Sep 2016" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2j-fips 26 Sep 2016" + # else +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2i-freebsd 22 Sep 2016" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2j-freebsd 26 Sep 2016" + # endif + # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT + +--- crypto/openssl/ssl/t1_ext.c.orig ++++ crypto/openssl/ssl/t1_ext.c +@@ -275,7 +275,9 @@ + case TLSEXT_TYPE_ec_point_formats: + case TLSEXT_TYPE_elliptic_curves: + case TLSEXT_TYPE_heartbeat: ++# ifndef OPENSSL_NO_NEXTPROTONEG + case TLSEXT_TYPE_next_proto_neg: ++# endif + case TLSEXT_TYPE_padding: + case 
TLSEXT_TYPE_renegotiate: + case TLSEXT_TYPE_server_name: +--- crypto/openssl/CHANGES.orig ++++ crypto/openssl/CHANGES +@@ -2,6 +2,18 @@ + OpenSSL CHANGES + _______________ + ++ Changes between 1.0.2i and 1.0.2j [26 Sep 2016] ++ ++ *) Missing CRL sanity check ++ ++ A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 ++ but was omitted from OpenSSL 1.0.2i. As a result any attempt to use ++ CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. ++ ++ This issue only affects the OpenSSL 1.0.2i ++ (CVE-2016-7052) ++ [Matt Caswell] ++ + Changes between 1.0.2h and 1.0.2i [22 Sep 2016] + + *) OCSP Status Request extension unbounded memory growth +--- crypto/openssl/Makefile.orig ++++ crypto/openssl/Makefile +@@ -4,7 +4,7 @@ + ## Makefile for OpenSSL + ## + +-VERSION=1.0.2i ++VERSION=1.0.2j + MAJOR=1 + MINOR=0.2 + SHLIB_VERSION_NUMBER=1.0.0 +--- crypto/openssl/NEWS.orig ++++ crypto/openssl/NEWS +@@ -5,6 +5,10 @@ + This file gives a brief overview of the major changes between each OpenSSL + release. For more details please read the CHANGES file. + ++ Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016] ++ ++ o Fix Use After Free for large message sizes (CVE-2016-6309) ++ + Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016] + + o OCSP Status Request extension unbounded memory growth (CVE-2016-6304) +--- crypto/openssl/README.orig ++++ crypto/openssl/README +@@ -1,5 +1,5 @@ + +- OpenSSL 1.0.2i 22 Sep 2016 ++ OpenSSL 1.0.2j 26 Sep 2016 + + Copyright (c) 1998-2015 The OpenSSL Project + Copyright (c) 1995-1998 Eric A. Young, Tim J. 
Hudson +--- secure/lib/libcrypto/man/ASN1_OBJECT_new.3.orig ++++ secure/lib/libcrypto/man/ASN1_OBJECT_new.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "ASN1_OBJECT_new 3" +-.TH ASN1_OBJECT_new 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH ASN1_OBJECT_new 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/ASN1_STRING_length.3.orig ++++ secure/lib/libcrypto/man/ASN1_STRING_length.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "ASN1_STRING_length 3" +-.TH ASN1_STRING_length 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH ASN1_STRING_length 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/ASN1_STRING_new.3.orig ++++ secure/lib/libcrypto/man/ASN1_STRING_new.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "ASN1_STRING_new 3" +-.TH ASN1_STRING_new 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH ASN1_STRING_new 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/ASN1_STRING_print_ex.3.orig ++++ secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "ASN1_STRING_print_ex 3" +-.TH ASN1_STRING_print_ex 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH ASN1_STRING_print_ex 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. 
Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/ASN1_TIME_set.3.orig ++++ secure/lib/libcrypto/man/ASN1_TIME_set.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "ASN1_TIME_set 3" +-.TH ASN1_TIME_set 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH ASN1_TIME_set 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/ASN1_generate_nconf.3.orig ++++ secure/lib/libcrypto/man/ASN1_generate_nconf.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "ASN1_generate_nconf 3" +-.TH ASN1_generate_nconf 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH ASN1_generate_nconf 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_ctrl.3.orig ++++ secure/lib/libcrypto/man/BIO_ctrl.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_ctrl 3" +-.TH BIO_ctrl 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_ctrl 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_f_base64.3.orig ++++ secure/lib/libcrypto/man/BIO_f_base64.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_f_base64 3" +-.TH BIO_f_base64 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_f_base64 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. 
Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_f_buffer.3.orig ++++ secure/lib/libcrypto/man/BIO_f_buffer.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_f_buffer 3" +-.TH BIO_f_buffer 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_f_buffer 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_f_cipher.3.orig ++++ secure/lib/libcrypto/man/BIO_f_cipher.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_f_cipher 3" +-.TH BIO_f_cipher 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_f_cipher 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_f_md.3.orig ++++ secure/lib/libcrypto/man/BIO_f_md.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_f_md 3" +-.TH BIO_f_md 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_f_md 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_f_null.3.orig ++++ secure/lib/libcrypto/man/BIO_f_null.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_f_null 3" +-.TH BIO_f_null 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_f_null 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. 
+ .if n .ad l +--- secure/lib/libcrypto/man/BIO_f_ssl.3.orig ++++ secure/lib/libcrypto/man/BIO_f_ssl.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_f_ssl 3" +-.TH BIO_f_ssl 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_f_ssl 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_find_type.3.orig ++++ secure/lib/libcrypto/man/BIO_find_type.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_find_type 3" +-.TH BIO_find_type 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_find_type 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_new.3.orig ++++ secure/lib/libcrypto/man/BIO_new.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_new 3" +-.TH BIO_new 3 "2016-09-22" "1.0.2i" "OpenSSL" ++.TH BIO_new 3 "2016-09-26" "1.0.2j" "OpenSSL" + .\" For nroff, turn off justification. Always turn off hyphenation; it makes + .\" way too many mistakes in technical documents. + .if n .ad l +--- secure/lib/libcrypto/man/BIO_new_CMS.3.orig ++++ secure/lib/libcrypto/man/BIO_new_CMS.3 +@@ -133,7 +133,7 @@ + .\" ======================================================================== + .\" + .IX Title "BIO_new_CMS 3" +-.TH BIO_new_CMS 3 "2016-09-22" "1.0.2i" "OpenSSL" *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
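Review bot: in the crypto/openssl/crypto/engine/eng_cryptodev.c hunk, the allocation-failure branch still reports through `printf("cryptodev_digest_init: malloc failed\n")`, which writes to the calling application's stdout from library code. Now that the NULL test checks the pointer that was actually allocated (`dstate->mac_data`), consider signalling the failure through the `return 0` alone or through the library's error reporting rather than stdout.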
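Review bot: in the crypto/openssl/crypto/x509/x509_vfy.c hunk, the two added conditions (`crl_score == 0` in the skip test and `best_crl != NULL` in the equal-score test) have no comment explaining why they are needed. A line saying what a zero score means, and that the second condition guards the `X509_CRL_get_lastUpdate(best_crl)` call against a `best_crl` that has not been set yet, would keep a later cleanup from removing them as redundant. The CHANGES entry in this same patch says the missing check made any use of CRLs crash, so a regression test that runs verification with a CRL loaded is worth requesting alongside the fix.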
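Review bot: in the crypto/openssl/CHANGES hunk, the new entry describes the failure as a "null pointer exception" and ends with the unfinished sentence "This issue only affects the OpenSSL 1.0.2i". For C code "NULL pointer dereference" is the accurate term, and the last sentence needs its noun ("release") and a full stop, so that readers assessing exposure to CVE-2016-7052 are not left guessing at the affected scope.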
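Review bot: in the crypto/openssl/NEWS hunk, the entry for 1.0.2i to 1.0.2j reads "Fix Use After Free for large message sizes (CVE-2016-6309)", while the CHANGES hunk for the same release range describes a missing CRL sanity check under CVE-2016-7052, and the only functional change to verification code visible in this patch is the CRL check in x509_vfy.c. The two files should name the same issue and CVE; please confirm which identifier applies to this release and correct the other entry, since administrators match these files against advisories.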