Publish SA-16:18 and SA-16:19.
This commit is contained in:
parent
de3fd4ae5f
commit
03b2b49f5d
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=48826
7 changed files with 335 additions and 0 deletions
139
share/security/advisories/FreeBSD-SA-16:18.atkbd.asc
Normal file
139
share/security/advisories/FreeBSD-SA-16:18.atkbd.asc
Normal file
|
@ -0,0 +1,139 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-SA-16:18.atkbd Security Advisory
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: Buffer overflow in keyboard driver
|
||||
|
||||
Category: core
|
||||
Module: atkbd
|
||||
Announced: 2016-05-17
|
||||
Credits: CTurt and the HardenedBSD team
|
||||
Affects: All supported versions of FreeBSD.
|
||||
Corrected: 2016-05-17 22:29:59 UTC (stable/10, 10.3-STABLE)
|
||||
2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3)
|
||||
2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17)
|
||||
2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34)
|
||||
2016-05-17 22:31:12 UTC (stable/9, 9.3-STABLE)
|
||||
2016-05-17 22:28:36 UTC (releng/9.3, 9.3-RELEASE-p42)
|
||||
CVE Name: CVE-2016-1886
|
||||
|
||||
For general information regarding FreeBSD Security Advisories,
|
||||
including descriptions of the fields above, security branches, and the
|
||||
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
The atkbd(4) driver, together with the atkbdc(4) driver, provides access
|
||||
to the AT 84 keyboard or the AT enhanced keyboard which is connected to
|
||||
the AT keyboard controller. The driver is required for the console driver
|
||||
syscons(4) or vt(4). The driver exposes its own ioctl(2) interface to allow
|
||||
it to be configured from userland through the kbdcontrol(1) utility.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
Incorrect signedness comparison in the ioctl(2) handler allows a malicious
|
||||
local user to overwrite a portion of the kernel memory.
|
||||
|
||||
III. Impact
|
||||
|
||||
A local user may crash the kernel, read a portion of kernel memory and
|
||||
execute arbitrary code in kernel context. The result of executing an
|
||||
arbitrary kernel code is privilege escalation.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
Disallow keymap changes for non-privileged users:
|
||||
|
||||
sysctl hw.kbd.keymap_restrict_change=4
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
||||
release / security branch (releng) dated after the correction date.
|
||||
|
||||
Reboot is required.
|
||||
|
||||
2) To update your vulnerable system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
Reboot is required.
|
||||
|
||||
3) To update your vulnerable system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch.asc
|
||||
# gpg --verify atkbd.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile your kernel as described in
|
||||
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
||||
system.
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/9/ r300093
|
||||
releng/9.3/ r300088
|
||||
stable/10/ r300091
|
||||
releng/10.1/ r300085
|
||||
releng/10.2/ r300086
|
||||
releng/10.3/ r300087
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
<URL:http://cturt.github.io/SETFKEY.html>
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1886>
|
||||
|
||||
The latest revision of this advisory is available at
|
||||
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:18.atkbd.asc>
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAEBCgAGBQJXO5z8AAoJEO1n7NZdz2rns0MQAKaUrGjGn0nkFpx/PpiM6SHv
|
||||
s/Fj/z/qTXTUmimZloiQd9bkMh5wFMymozihVqoQVX2jwzPFm4Cql+Ez8ihTl9YX
|
||||
s+vMgQA8mUrinebwqXHRY+bZrwbJzsvLhAepL6vrSncPBaXM37smOmVlfjyUySWZ
|
||||
61L1QPhDZIYSamAMDZFx4qkdv32nWTTaE6OImQOFWY19l2tAxUMrUsTM5zSUfSas
|
||||
Tq2oP4BUvI58psapMgs38UY1Bjo33E/Gd7n6FS8gUQAX1OspN1wh981oX9GHU+U1
|
||||
bHY/Ihl+rqlh3Dmxp1JBP8ma2DSLXcuhrywNpE8i/dNQA4sxXXGQyuzVk24QNXbt
|
||||
cnV7F3nTqBpB9evhNFuHk0Z/z2Lg4cCaId+xSJjX8eWfvfjP8q+c9SblC2LdJg6V
|
||||
D0Gt0rbUNvSikCLDI/RYY1K5pWdjvtRN6ES+YO+sk2er9Uq/ZPrNj2SfNYguRkTV
|
||||
Kfwut8aQW5AQ9JTr9YGFxfqEWOzgBWutE3ysWtx6bLoROY4/vUPRBrcVDOmsiiJt
|
||||
QLPdf/m8VM/NH2lQoSQ44mUXvp+BdclrhM74C7GCc0RGmdEtuoC49esNKtZ+0349
|
||||
Sm7Tj/3ZWfwN0x+DQnbnDUeRmI5zaU3o4VycmhFcm3eWQ+je8O8aCLKI/iPTKYO7
|
||||
/OVeNnLKzp5Z7naKeHct
|
||||
=6GJy
|
||||
-----END PGP SIGNATURE-----
|
129
share/security/advisories/FreeBSD-SA-16:19.sendmsg.asc
Normal file
129
share/security/advisories/FreeBSD-SA-16:19.sendmsg.asc
Normal file
|
@ -0,0 +1,129 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-SA-16:19.sendmsg Security Advisory
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: Incorrect argument handling in sendmsg(2)
|
||||
|
||||
Category: core
|
||||
Module: kernel
|
||||
Announced: 2016-05-17
|
||||
Credits: CTurt and the HardenedBSD team
|
||||
Affects: FreeBSD 10.x
|
||||
Corrected: 2016-05-17 22:30:43 UTC (stable/10, 10.3-STABLE)
|
||||
2016-05-17 22:28:27 UTC (releng/10.3, 10.3-RELEASE-p3)
|
||||
2016-05-17 22:28:20 UTC (releng/10.2, 10.2-RELEASE-p17)
|
||||
2016-05-17 22:28:11 UTC (releng/10.1, 10.1-RELEASE-p34)
|
||||
CVE Name: CVE-2016-1887
|
||||
|
||||
For general information regarding FreeBSD Security Advisories,
|
||||
including descriptions of the fields above, security branches, and the
|
||||
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
The sendmsg(2) system call allows to send data to a socket. The data
|
||||
may be accompanied by optional ancillary data.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
Incorrect argument handling in the socket code allows malicious local
|
||||
user to overwrite large portion of the kernel memory.
|
||||
|
||||
III. Impact
|
||||
|
||||
Malicious local user may crash kernel or execute arbitrary code in the kernel,
|
||||
potentially gaining superuser privileges.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
No workaround is available.
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
||||
release / security branch (releng) dated after the correction date.
|
||||
|
||||
Reboot is required.
|
||||
|
||||
2) To update your vulnerable system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
Reboot is required.
|
||||
|
||||
3) To update your vulnerable system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:19/sendmsg.patch
|
||||
# fetch https://security.FreeBSD.org/patches/SA-16:19/sendmsg.patch.asc
|
||||
# gpg --verify sendmsg.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile your kernel as described in
|
||||
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
||||
system.
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/10/ r300093
|
||||
releng/10.1/ r300085
|
||||
releng/10.2/ r300086
|
||||
releng/10.3/ r300087
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
<URL:http://cturt.github.io/sendmsg.html>
|
||||
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1887>
|
||||
|
||||
The latest revision of this advisory is available at
|
||||
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:19.sendmsg.asc>
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAEBCgAGBQJXO50VAAoJEO1n7NZdz2rnWOAP/RyUks4Xf30YVGra+bHUjOsw
|
||||
gFQEJ7HNNJHkkaJ5l0LpVh87YQxr7VXnlddskDRcL6MDf7IjW5bkpw+875iEFz93
|
||||
VykCN+1l84D0WlXAi9YZwg1GWoQs3SBfNpT1dtr9GuqJYAAeBfvMydJI1jHbJzJJ
|
||||
7inDzgvhfPOaq8wQBfjXbUN0GgYiz6dJc3xir4+4JRw0C9sgzh1pI14o1oREJbZ0
|
||||
glmHRCpuijndqluabl7rF19mSSDyF0AV7RqDCZIt7AkYHWvR1yLl4o0LGGBYCLXx
|
||||
iArz2ayzbAqBVw1JktVHzGx0HuVpobxb/yOpDuYBcaxtSL6riuSYrkzHp0Dca+JT
|
||||
0/qENdMnXDN98ZMBcvVR66uWUuTVEF3/T2LXCi6G+RllrcoavvLqrcjghqT5k84P
|
||||
jmAjO3Q3rIeAinjArfyexHo/f/A5CHGJylsY0FZd41A35xWaYg/dd0cT+8qsoigD
|
||||
65Ix+/6AOIjocqqQToFXiHKBCN5unwrn/UT5heU0K3ZqESGmxUrx+6yJ3mjDjtLh
|
||||
C7zWcNaJu1whcT7e4eKx9vMlAFFt6OrSnr1V09KnqPiHPtIu95PZhGlrizlZVELQ
|
||||
8fKHoycOkT5F+00CWzcQuZK+l9p5iT5aWGkhunwvR7EKzqvgEFbDDpaJ5QzKTNTl
|
||||
lJXypb8SMlol4YY8Spdo
|
||||
=wuhi
|
||||
-----END PGP SIGNATURE-----
|
11
share/security/patches/SA-16:18/atkbd.patch
Normal file
11
share/security/patches/SA-16:18/atkbd.patch
Normal file
|
@ -0,0 +1,11 @@
|
|||
--- sys/dev/kbd/kbd.c.orig
|
||||
+++ sys/dev/kbd/kbd.c
|
||||
@@ -996,7 +996,7 @@
|
||||
splx(s);
|
||||
return (error);
|
||||
}
|
||||
- kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK);
|
||||
+ kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK);
|
||||
bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
|
||||
kbd->kb_fkeytab[fkeyp->keynum].len);
|
||||
break;
|
16
share/security/patches/SA-16:18/atkbd.patch.asc
Normal file
16
share/security/patches/SA-16:18/atkbd.patch.asc
Normal file
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAABCgAGBQJXO2BtAAoJEO1n7NZdz2rnB6kP/R2dxR6o6GemMN2VjdgOp9rM
|
||||
i3DEFEcimF1oGOfwF7kIDabr9XLubeU1l+NnJhuExnAdyrcVr+7+SvgFAzv6lZlS
|
||||
47wDgw/HABsjeJSYE2+hcrOAOKTvC4qObBB7YuOJu4e1vW5MJKcqBYsLk7+ECwVr
|
||||
sDhelLXLcvTunR2aLg5jEsgRwHEvOwB7GR1SQ6ABU7w+emCCabJLvYe3stMYKsFE
|
||||
CxL6hKDjShN0Vyqx6d76Bja6ZsWmMo2SLgz3e/m072imHfmHaAhc5GlAvdOPihzJ
|
||||
OsRlIGd7jR5+mTikmWZG0s3/IVoEf+udC/CJ/3JyL3NEywQXEogJpPY2Zjv6P8or
|
||||
6vWvyoIqrXrKZ5k6DxUHJzJdAhmbxZHfCVlwidu+aTfp9M8x5W7tu711wPFwAcEW
|
||||
/HSQ1mssj7GEzDy2kbhKiEXTRV0YXatVy1L2o/ckYiLFMk0HhYEqFXLV36VUPIRl
|
||||
h2SOUpsaLbhVuUlT+XF1jXrTc1gOW5woLl8uQ6h84cfcdQj6tUk2ZBzobKjz+zEk
|
||||
VP/julLL8cGUDemnWeMLWuBClsAuf5pLMg405m1uIBd9kxEHhGKprz/kGhFfGl/3
|
||||
PyESdLIq8VD9Grjzb8rgCfL0USepeiCnOTI8uYwRNUUrAFSMqtWrx4zvl1tWdHE9
|
||||
1SBJLfQgQKuIaBAtxnHV
|
||||
=Ful4
|
||||
-----END PGP SIGNATURE-----
|
12
share/security/patches/SA-16:19/sendmsg.patch
Normal file
12
share/security/patches/SA-16:19/sendmsg.patch
Normal file
|
@ -0,0 +1,12 @@
|
|||
--- sys/kern/uipc_syscalls.c.orig
|
||||
+++ sys/kern/uipc_syscalls.c
|
||||
@@ -1699,6 +1699,9 @@
|
||||
struct mbuf *m;
|
||||
int error;
|
||||
|
||||
+ if (buflen < 0)
|
||||
+ return (EINVAL);
|
||||
+
|
||||
if (buflen > MLEN) {
|
||||
#ifdef COMPAT_OLDSOCK
|
||||
if (type == MT_SONAME && buflen <= 112)
|
16
share/security/patches/SA-16:19/sendmsg.patch.asc
Normal file
16
share/security/patches/SA-16:19/sendmsg.patch.asc
Normal file
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAABCgAGBQJXO2CNAAoJEO1n7NZdz2rnuvcP/R501Yhdfqfmw1XDYqMkKS6L
|
||||
ehQwFX8rnlbZVfKEhVcZL0kGgo43jyBvuHG55vk6iwC6EjHKE6BSgUVhbRaIdfJ5
|
||||
H0gRdUL9q9inTRGLEU7P2D7E0SMsRm+PtKW5F0uw5BfZw2LD1SIBBEKGBN0M48u0
|
||||
PhTzIXzgFsvSNFbZ85Un90hi2N67hrq3rOGtxC10/jAGBpGgRGCQKqr0lssIS+6r
|
||||
7QT3fEH8MQGnYW0RP26rJHh0ae0Wd0DLBdnLG0cHx6bwYEGKb6/GH65Vvl1feMAU
|
||||
61O6wL3BnrSXfJQmSx34sokhh3BT7pfEEwkw3xtsdqjP6h4PXxiI2l+UlB5eGCAY
|
||||
kT0eLz7qyR1vXvJUZnXezBdllUu/nWtyMmuUnoM0xnytNYeHAqDoL4o6T4lMERmy
|
||||
DUn6LvrC8oqdqDKtBpaWMCq2OMb4/mNUvVdn2oh67Tq4ZFLxsGOEMm+lTYJOZdkU
|
||||
um+KG7LGiWkj9G08yPiayVhDcigvIK9v9/p9E3tv5rNVyCaOvpJsezM7Z+mMIS68
|
||||
IG72BvLh+idOaVW1tib9s9nXYQTc1V9u+Fp356/eDSE1h0uEd12l+swwRcz5NmBv
|
||||
78Ki51E1ZQ87b9J4RacL31MauINyN0SIJI1QRu7lLe62tgGlGKQND6/Na993EdUM
|
||||
ftK8gS0awc3Rr3Bw540N
|
||||
=yry1
|
||||
-----END PGP SIGNATURE-----
|
|
@ -10,6 +10,18 @@
|
|||
<month>
|
||||
<name>5</name>
|
||||
|
||||
<day>
|
||||
<name>17</name>
|
||||
|
||||
<advisory>
|
||||
<name>FreeBSD-SA-16:19.sendmsg</name>
|
||||
</advisory>
|
||||
|
||||
<advisory>
|
||||
<name>FreeBSD-SA-16:18.atkbd</name>
|
||||
</advisory>
|
||||
</day>
|
||||
|
||||
<day>
|
||||
<name>4</name>
|
||||
|
||||
|
|
Loading…
Reference in a new issue