os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add EN-20:17, EN-20:18, and SA-20:24 to SA-20:26.

Browse source 
Approved by:	so
This commit is contained in:
Gordon Tetlow 2020-09-02 16:53:16 +00:00
parent 6e2ca911a9
commit 338214adbc
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=54452
21 changed files with 1868 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

132
share/security/advisories/FreeBSD-EN-20:17.linuxthread.asc Normal file
View file

@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:17.linuxthread Errata Notice
The FreeBSD Project
Topic: FreeBSD Linux ABI kernel panic
Category: core
Module: kernel
Announced: 2020-09-02
Credits: Martin Filla
Henrique L. Amorim, Independent Security Researcher
Rodrigo Rubira Branco (BSDaemon), Amazon Web Services
Affects: All supported versions of FreeBSD.
Corrected: 2020-06-25 05:24:35 UTC (stable/12, 12.1-STABLE)
2020-09-02 16:21:27 UTC (releng/12.1, 12.1-RELEASE-p9)
2020-06-25 05:35:46 UTC (stable/11, 11.4-STABLE)
2020-09-02 16:21:27 UTC (releng/11.4, 11.4-RELEASE-p3)
2020-09-02 16:21:27 UTC (releng/11.3, 11.3-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The Linux ABI layer (Linuxulator) allows Linux binaries to be executed on a
FreeBSD kernel.
II. Problem Description
The kernel function handling exec(3) of a Linux binary did not correctly
handle a calling process with multiple threads.
III. Impact
A multithread non-Linux process execing a Linux binary would fail a kernel
assertion, resuting in a kernel panic "thread_detach: emuldata not found."
IV. Workaround
No workaround is available. Systems not using the Linux ABI layer are not
affected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:17/linuxthread.patch
# fetch https://security.FreeBSD.org/patches/EN-20:17/linuxthread.patch.asc
# gpg --verify linuxthread.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r362605
releng/12.1/ r365253
stable/11/ r362606
releng/11.4/ r365253
releng/11.3/ r365253
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247020>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:17.linuxthread.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzRZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIZEw//QwJJ3DX0k1PnOwRDdl5KSORAZq1Qfa0Rdo4N3QK31Ap/GiAmW+6wZRr1
Cb3dAywlfjw8F+Hnxc6za1V0W7Ckr/tbJHGt1XXsq8Pjpc6+GdNGRZi7eiAQHvU7
I9xkL1jnerBY0l5hq8A6ti1vhraNEFvA0/0lluhqCpgFPEtc/vbvKemyC0RAKVzF
wAz7P3/OyQqcd5qVHBIYfOziau/lfQ2/qD+6hLSZ5pgGX4e/tB1NrYVSd0vNevOl
d3P9LDQYxSIzQ5jHbfLSFOPkT471ItJ6+QW+pAIZQ0Sv4hTQPBRHOL4ZfXG/IDgr
+mVBa6L8lykeC+xh9Teih+dKqZRY5SzKuZVUqURCY2P6miq8C5A2eiTtGIIuwgFF
okqTJx0a+ECAEc7dmaEAM8snqKiPYgu1cCOXKrvAPpkB/Ss1w0Zr/YxLW6v3lMmO
nFOUGeXF9hLxDIINdKRNdaum8aqy1Vtg6xKNfP6z/H4V6saLSLrWk0M2HDKNOyts
MHc/P7zg7hMw1ft/VhiOEWgCk7Se3Q1D2IY53BsUNgtbs5ti29mEeOkNO09FkPYL
t9f3uIOZD9PLg1kDIDA97DulL95gXyX2K10wHciOnDgU+UitHCOqXAnkYGKbezfS
ID1JRdq4uHHIjPOTOiUkTYJDnR/Lgz2572KkTjM5d7YOviS8nS0=
=1pOR
-----END PGP SIGNATURE-----

124
share/security/advisories/FreeBSD-EN-20:18.getfsstat.asc Normal file
View file

@ -0,0 +1,124 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:18.getfsstat Errata Notice
The FreeBSD Project
Topic: getfsstat compatibility system call panic
Category: core
Module: getfsstat
Announced: 2020-09-02
Credits: Rodrigo Rubira Branco (BSDaemon), Amazon Web Services
Affects: FreeBSD 11.3 and 11.4
Corrected: 2020-06-20 04:39:52 UTC (stable/11, 11.4-STABLE)
2020-09-02 16:22:14 UTC (releng/11.4, 11.4-RELEASE-p3)
2020-09-02 16:22:14 UTC (releng/11.3, 11.3-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
getfsstat(2) is a system call which provides information about mounted
filesystems. The kernel provides compatibility system calls for old
versions of the interface.
II. Problem Description
A bug in an internal interface used by getfsstat(2) compatibility system
calls could result in a free of an uninitialized pointer when getfsstat(2)
is called with an invalid argument.
III. Impact
A kernel panic can be triggered by an unprivileged user process.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:18/getfsstat.patch
# fetch https://security.FreeBSD.org/patches/EN-20:18/getfsstat.patch.asc
# gpg --verify getfsstat.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r362426
releng/11.4/ r365254
releng/11.3/ r365254
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:18.getfsstat.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzSVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJrrw/9E3bKTN36F+FPrGdi6wWeAHUEZt3hoonrFqrn4SPUEVSRkk39HGpitgJ8
KU7HDr9U9B6zaIYnqE+1BWiIYYhqQQM5zb77TGr0fy/LVa8a+m/6o9wzib26lsAT
jrBS0hsZ0Swb8TlrQdaEpLp1wkEdhy5t10hJ/+/nezzo+q2C52m4Bs80J7gE9BCq
uxgCRlnld3fXJrKrOva8WfvMziE8nV9CzKF9luYlP7U9s1PS5H5U6r22Y8tvzZqS
IbH60i7vPhlqX8faxZfKGRIABsJhnee98JF0rDRBOmMwTnFBTmaot75eEjwZIc5p
0GtM27NOM6a/AaO9Yr8U4PI0PffTi8hVm/1t6dlhG5X3O7IUxKC0XT1vlh3jJ1j2
9i1iuuGU3zSzTSMyWMmzuxCz/YK0C/g4C86ehkdxOYtn6RV31rMSoKdPjxSbyhIJ
ef1eXHm6iBM8aofto24WjCSftPno0rx1peeOnKAqvpTpGH+n08H6iRFagaOt6kkQ
qhy+ZtrlzmjUeUqwLSnyuHJtK+QkP1WFTnT9QgMPnqpRB9e+OsQC2K1KgR9lkOG0
2kyTu+fJGkNvhiHxKuvIsh5OiNvNm/QHYwESaGPbFhierh+CHs00M00GyeeCjBSr
nMbA3DsD3OxrrxYqh/17x4XoiopY6gUSlDSG+RbsTFsTqTxi308=
=E4P4
-----END PGP SIGNATURE-----

124
share/security/advisories/FreeBSD-SA-20:24.ipv6.asc Normal file
View file

@ -0,0 +1,124 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:24.ipv6 Security Advisory
The FreeBSD Project
Topic: IPv6 Hop-by-Hop options use-after-free bug
Category: core
Module: kernel
Announced: 2020-09-02
Affects: FreeBSD 11.3
Corrected: 2020-05-07 01:28:59 UTC (stable/11, 11.4-PRERELEASE)
2020-09-02 16:23:15 UTC (releng/11.3, 11.3-RELEASE-p13)
CVE Name: CVE-2020-7462
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
IPv6 is a network layer supporting Hop-by-Hop options, which can be sent by
applications via the socket API. The memory management for packet handling
is done using mbufs.
II. Problem Description
Due to improper mbuf handling in the kernel, a use-after-free bug might be
triggered by sending IPv6 Hop-by-Hop options over the loopback interface.
III. Impact
Triggering the use-after-free situation may result in unintended kernel
behaviour including a kernel panic.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-20:24/ipv6.patch.asc
# gpg --verify ipv6.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r360733
releng/11.3/ r365255
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7462>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:24.ipv6.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLJYxAAotGAWrawa3gRK8gVpEIJiYknR9bODjDojm7KovlkuKeYAkyQ92/Ii23U
U6tMXSPDYQFyscOdrGq4yEjxRDLLkGQGynQpioinDn8POKX7BKpy+PFFdv1mmBef
h/WpgmlPdhymYisaImgVyGAxU81auzpFB6mArzFDCdHavTd7jVD2lJwcpdzeOk//
NHOsj8C4VYJs0XcYrNa4CEWfH/D/uNO8u2b3QUfKQSOdfIfaDv22k2b96YKm+zcr
xS7Q1jDv7QBTQou7KNOfoPi0Gclp8Q9VReP2nY/hB5TmJjR3irz+Z6UcGfiyDGrL
XRB7oP23jIUmBbsINUN06FIhAPGF9/7zcOOoV1YOdwvmbLM0/W4c+mERZ16gw6+N
MzCLDOeiyKAUr+pQzcl6lORxr31eB8400l6nRJwmCiWx4nHwyHPIl1RtfvsdNqfE
/OBVEalxsCrzStfW4ME5RziPo9Y8DrajPf7+JY/4CIV3v/dJAiGi3+qs9Zn8enar
WCR/8+o4xbT+d1sGTG1W3Qjh9a28jxqEusLjdehDy8PTk9OnIfPRuxj+kvot3Wo0
lWdeSIo8YZPYn7hG9N19k6aDlljM1fgkBmWj1uELtCeIE7WM5tHGMBuaS0cTt1jL
s2g01qgkgW2a6cChdm3oNfUKE5KpD3/hU63/jEA6QyJJQQqXlOs=
=kFlz
-----END PGP SIGNATURE-----

142
share/security/advisories/FreeBSD-SA-20:25.sctp.asc Normal file
View file

@ -0,0 +1,142 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:25.sctp Security Advisory
The FreeBSD Project
Topic: SCTP socket use-after-free bug
Category: core
Module: kernel
Announced: 2020-09-02
Credits: Megan2013678@protonmail.com
Affects: All supported versions of FreeBSD.
Corrected: 2020-08-24 09:19:05 UTC (stable/12, 12.1-STABLE)
2020-09-02 16:24:32 UTC (releng/12.1, 12.1-RELEASE-p9)
2020-08-24 09:46:36 UTC (stable/11, 11.4-STABLE)
2020-09-02 16:24:32 UTC (releng/11.4, 11.4-RELEASE-p3)
2020-09-02 16:24:32 UTC (releng/11.3, 11.3-RELEASE-p13)
CVE Name: CVE-2020-7463
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The Stream Control Transmission Protocol (SCTP) is a message oriented
transport protocol supporting arbitrary large user messages.
It can be accessed from applications by using the the socket API.
II. Problem Description
Due to improper handling in the kernel, a use-after-free bug can be triggered
by sending large user messages from multiple threads on the same socket.
III. Impact
Triggering the use-after-free situation may result in unintended kernel
behaviour including a kernel panic.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.12.1.patch.asc
# gpg --verify sctp.12.1.patch.asc
[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.4.patch
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.4.patch.asc
# gpg --verify sctp.11.4.patch.asc
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.3.patch
# fetch https://security.FreeBSD.org/patches/SA-20:25/sctp.11.3.patch.asc
# gpg --verify sctp.11.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r364644
releng/12.1/ r365256
stable/11/ r364651
releng/11.4/ r365256
releng/11.3/ r365256
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7463>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:25.sctp.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIMPw//ZOYh7TQdwvreQ/iZbJphPp7hBVJqFWPE9M72Yfo87/vkl+T5/GW9wiLT
MQlknQ7SDyzE7i8RpGvX0lmXLbr1e2rkvin1ZFdCbWkPzC7w0WVH7XX6+I+RJmkh
E4dtmHrYhLRwmVtW5WYZdfO+iYVTJl/h43eYbYvNgJZSuKkvl2Vk6DqyseHx7xR6
gc7/41AIpMiqRLQI9ZnRvZCEiLq4G+q5z499ACfAutT9o+1T9L6QLCPuyY+fziiq
cI2E/pQA5uxOY/z3ejKHeOzErjycY6GEhMiBKmsJqV6oU/cZd5hZ1qsmE9Xbi3/c
Ax+OZr+Ve2a78dD7jOrmCrpBtG1Pg39c6VuQqHD3UN3seBNEkn4kto9vDX9fLceD
GZbueV97boFxjnXu1B6C8ufqEZDqTaf/SU3+vCobBgydP+V8c1P5LbP6qcFHOUrk
k7ijiJv03aYyY1Z6XtqbRsudZzIaTt+jneUA1eA46iWQqVZQHKo2liw5kAtsGu0k
injGcazWRphV6xgOHIMCfrGcLLf0j+4UjiDUk30cansLGewuk/uEh6FlA4NzyRWA
4L3Q0l/XQWvO2sNMtF9LbBUUujDyy93Vy8BouSp59v7+bAYrRHfcIAmaQnE4jev2
BY7/JsrfQ9rG/Anzg49Hec8pw9VEvv4kA1STqXcpMt9Fq+0DslA=
=2ET6
-----END PGP SIGNATURE-----

145
share/security/advisories/FreeBSD-SA-20:26.dhclient.asc Normal file
View file

@ -0,0 +1,145 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:26.dhclient Security Advisory
The FreeBSD Project
Topic: dhclient heap overflow
Category: core
Module: dhclient
Announced: 2020-09-02
Credits: Shlomi Oberman, JSOF
Affects: All supported versions of FreeBSD.
Corrected: 2020-08-31 21:28:09 UTC (stable/12, 12.1-STABLE)
2020-09-02 16:25:31 UTC (releng/12.1, 12.1-RELEASE-p9)
2020-08-31 21:28:57 UTC (stable/11, 11.4-STABLE)
2020-09-02 16:25:31 UTC (releng/11.4, 11.4-RELEASE-p3)
2020-09-02 16:25:31 UTC (releng/11.3, 11.3-RELEASE-p13)
CVE Name: CVE-2020-7461
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is
responsible for contacting DHCP servers on a network segment, and for
initializing and configuring network interfaces and configuring name
resolution based on received information.
dhclient(8) handles DHCP option 119, the Domain Search Option, which provides
a list of domains to search when resolving names using DNS. The option data
format uses a compression scheme to avoid transmitting duplicate domain name
labels.
II. Problem Description
When parsing option 119 data, dhclient(8) computes the uncompressed domain
list length so that it can allocate an appropriately sized buffer to store
the uncompressed list. The code to compute the length failed to handle
certain malformed input, resulting in a heap overflow when the uncompressed
list is copied into in inadequately sized buffer.
III. Impact
The heap overflow could in principle be exploited to achieve remote code
execution. The affected process runs with reduced privileges in a Capsicum
sandbox, limiting the immediate impact of an exploit. However, it is
possible the bug could be combined with other vulnerabilities to escape the
sandbox.
IV. Workaround
No workaround is available. To trigger the bug, a system must be running
dhclient(8) on the same network as a malicious DHCP server.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
restart dhclient or reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch
# fetch https://security.FreeBSD.org/patches/SA-20:26/dhclient.patch.asc
# gpg --verify dhclient.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r365010
releng/12.1/ r365257
stable/11/ r365011
releng/11.4/ r365257
releng/11.3/ r365257
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7461>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:26.dhclient.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9PzTtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLLPxAAhg/FSqWLykYAiQ8czoy98X00VIWAP1f4InfUKm8qOB8/7ptzv3A+2Hov
7lHlyN0D4OwhJFt7fw9oTwNe4UgxShso6QrezaTJZR7juFELy9WODbRFnNK4i8w9
NCBab+NIn1o7nFZnB0M5TMKfa4gc1jAV+Q/U/zi+ONvwZegmjXJxuop3Sq8wfBd2
Vp9VAvEJvvBlQKExR2xNRDKV/0LpW+VffIuzlWT2ex3WwGpFVeVSL0ZNJsPbzMYX
j0aqGo9B/mHfXtKSQ415kGxiaQctnu5FqjNgSc00byzOU0YTiLsPwPdUgIt+nuQd
WFSePoZsDYstkkJ8YaCA/LVzmZo0tNR8m+z7xmhCszUbMIV+iRSycUexEbCXoPx/
Ebg6ycyYMwguK7rL2dkjNWTkr3hP5CgLD7VnzVBYGiBY7ha0zOgbaYWl/33Az5Fb
0eaIyJRFCDmI32NZfri1WLc06K1gFcVcR6VO+BUqRHG6bkYnF/4xlla8ERhYgNeC
Y9cs4Y9TNRges79k7jovpu9B5nicTEqMRQBubcARX5+w9zLg8h2aKH6inuVy1srn
M9H/mjdCHMkySpSSrENw9Jk5I7RAgHHRgA1OTkB6Da02aMzPEh6fYHWeR7IpvxPc
2A/hxnZy0tTeZ4aKbds1GYZWUVDd3I8DlSVcT5Bq1g5kk6I+PN8=
=jfay
-----END PGP SIGNATURE-----