Add SA-15:18 and SA-15:19.

svn path=/head/; revision=47162

share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc

@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:18.bsdpatch                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          shell injection vulnerability in patch(1)
+
+Category:       contrib
+Module:         patch
+Announced:      2015-08-05
+Credits:        Martin Natano
+Affects:        FreeBSD 10.x.
+Corrected:      2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
+                2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
+                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
+                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
+                2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
+CVE Name:       CVE-2015-1418
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The patch(1) utility takes a patch file produced by the diff(1) program and
+apply the differences to an original file, producing a patched version.
+
+The patch(1) utility supports patches that uses ed(1) script format, as
+required by the POSIX.1-2008 standard.
+
+ed(1) is a line-oriented text editor.
+
+II.  Problem Description
+
+Due to insufficient sanitization of the input patch stream, it is possible
+for a patch file to cause patch(1) to pass certain ed(1) scripts to the
+ed(1) editor, which would run commands.
+
+III. Impact
+
+This issue could be exploited to execute arbitrary commands as the user
+invoking patch(1) against a specically crafted patch file, which could be
+leveraged to obtain elevated privileges.
+
+IV.  Workaround
+
+No workaround is available, but systems where a privileged user does not
+make use of patches without proper validation are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+A reboot is not required after updating.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is not required after updating.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch.asc
+# gpg --verify bsdpatch.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r286348
+releng/10.1/                                                      r286351
+releng/10.2/                                                      r286350
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1418>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:18.bsdpatch.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAEBCgAGBQJVwoplAAoJEO1n7NZdz2rn8D4QAM0077U1nLiJFIU1VcM9IOKp
+GeZ/w9SnkrKqKzAQpq3QS1hmw0TxvP8kuJNuRVFF6M15Woprfxccb8mDxM0ntru4
+t8rq/QLO2jMWopf67Spv6jr6GLLQXkiyRwLEyr7L8a7MbrFwjO1wYt+8GnQ6Nsvn
+kNfCnbNKPr1gNYM1XsLS7Ej1kl7aBx3xGQXU4d9HlOs/1X7rnPCnGKuc3ZD2Z/N4
+zu8pV4NMFhWyJsax+FVYEFxwyd2uEb73A35nz/sQhGiwGOCtL424KG+hwj9mnm45
+8f4m+53b6RDcBh6xU41fghMsac2PVCzY2r9GXXXJNlfEa+KnSN8yC+CvtXYEM9BX
+9Y5g6i++RVLLT7mwFdG86FjZxSGpDBXlkpZ4I9qiS4YC8MFO4qC7SFzufxtfOcg+
+R+QSj+DWOfeHDcXjEkHGlqTW9poE2EDWXDLwlEoOykh9NLyWl6enYd8ZEI3GUqyJ
+FgKiICrs1vUuGhOhTCgjyQjQUc6jaV/GzhLBJfyxz5xYDpr7DIILxJ8uki2FJcHS
+tZhlNu6JNqpBlsWNspqjw7NSP2j58Uj0bBdwWvFNX8otQiIXVfkdY8RCjxstq5lT
+3bcF6akAFEBx/f/VYM1lswLM/XdbORYC3asLu84BP541EDqdx9d88TeTKNPvyb4Q
+sGJ763WSlsoLrQDr8CUt
+=iR0L
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-15:19.routed.asc

@@ -0,0 +1,164 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:19.routed                                     Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          routed(8) remote denial of service vulnerability
+
+Category:       core
+Module:         routed
+Announced:      2015-08-05
+Credits:        Hiroki Sato
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
+                2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
+                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
+                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
+                2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
+                2015-08-05 22:05:07 UTC (stable/9, 9.3-STABLE)
+                2015-08-05 22:05:24 UTC (releng/9.3, 9.3-RELEASE-p22)
+CVE Name:       CVE-2015-5674
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The routing information protocol (RIP) is an older routing protocol
+which, while not as capable as more recent protocols such as OSPF and
+BGP, is sometimes preferred for its simplicity and therefore still
+used as an interior gateway protocol on smaller networks.
+
+Routers in a RIP network periodically broadcast their routing table on
+all enabled interfaces.  Neighboring routers and hosts receive these
+broadcasts and update their routing tables accordingly.
+
+The routed(8) daemon is a RIP implementation for FreeBSD.  The
+rtquery(8) utility can be used to send a RIP query to a router and
+display the result without updating the routing table.
+
+II.  Problem Description
+
+The input path in routed(8) will accept queries from any source and
+attempt to answer them.  However, the output path assumes that the
+destination address for the response is on a directly connected
+network.
+
+III. Impact
+
+Upon receipt of a query from a source which is not on a directly
+connected network, routed(8) will trigger an assertion and terminate.
+The affected system's routing table will no longer be updated.  If the
+affected system is a router, its routes will eventually expire from
+other routers' routing tables, and its networks will no longer be
+reachable unless they are also connected to another router.
+
+IV.  Workaround
+
+Note that this problem does not affect a system on which routed(8)
+is not enabled.  The routed(8) daemon is not enabled by default.
+
+Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP
+packets with destination port 520 that did not originate on the same
+subnet as the destination address.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The routed service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The routed service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch
+# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch.asc
+# gpg --verify routed.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/routed.patch
+
+c) Recompile routed.  Execute the following commands as root:
+
+# cd /usr/src/sbin/routed
+# make && make install
+
+Restart the routed daemon, or reboot the system.
+
+To restart the affected service after updating the system, either
+reboot the system or execute the following command as root:
+
+# service routed restart
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r286349
+releng/9.3/                                                       r286352
+stable/10/                                                        r286348
+releng/10.1/                                                      r286351
+releng/10.2/                                                      r286350
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5674>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-15:19.routed.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAEBCgAGBQJVwoplAAoJEO1n7NZdz2rnMFAP/3HWG6FrFxM3jgMcK7a5+nKP
+O6BqVXpFdia0UUN5JlcEZXc89957mXdMXCDqNeTj3CeDc0p9GbPX1zV/vlYoOqhM
+eIPwgERbMRFnDRaWm2ClG+aatJvdpeDEioNy8b8tmKq94JcpXIJnwX8dhY3WrMwj
+Mc3QBGT08XLImHqNw6d6/0wavFeOZ/3g1ZoloAktsgA9KhTUOai6dUhIbIJzk6gh
+0oa4NRkhzRNmUKyHOS6HDrghhQ/kZGtE8joVBxLBljK0Thi0mIZtn3UFGsNAgAWw
+7WGAiTN2o8c48IUJosmiGsJ7rV1wCFt5zXrZVCcnq6dr60He16Z2Zwif2tugiTvm
+5x9lDbTEnYOTxM38Ya5gMtMf733YgAtoRCkf3ROsnwXukJYVsJXms7Ej4NihoKMd
+aYOLDItl+AXUGIyQ44GuUm2955wo9Fb5RlkDSCLAvdgnkPk+k0puLp0MR0B2MOAI
+tdKNecRNg0fDR5gJbfdzdjVhsGBZXdYlxo4VjXUXDSZJ+8+jkAg2LA9DTRKIfbgX
+BX5GiOhkhIivFlgvSePv0LRuIbgt0H1cxiJdk6OqNS5gROuqwo7wwUnaig8KVKOI
+887gfpf7PepYD4xWTo3nAoEcGM0rBwUyq1X3pbx9OJADcqRvOhxfMcHFcCv75uxa
+OISkQhkWdZUv6ls76rRu
+=p5Rl
+-----END PGP SIGNATURE-----