os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

o Fix regressions related to SA-15:25 upgrade of NTP. [1]

Browse source 
o Fix kqueue write events never fired for files greater 2GB. [2]
o Fix kpplications exiting due to segmentation violation on a correct
  memory address. [3]

PR:		204046 [1]
PR:		204203 [1]
Errata Notice:	FreeBSD-EN-15:19.kqueue [2]
Errata Notice:	FreeBSD-EN-15:20.vm [3]
Approved by:	so
This commit is contained in:
Gleb Smirnoff 2015-11-04 11:52:12 +00:00
parent ac3ecdce0f
commit 3bdc44ff8a
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=47736
23 changed files with 669 additions and 165 deletions
Download patch file Download diff file Expand all files Collapse all files

133
share/security/advisories/FreeBSD-EN-15:19.kqueue.asc Normal file
View file

@ -0,0 +1,133 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-15:19.kqueue Errata Notice
The FreeBSD Project
Topic: kqueue write events for files greater 2GB would never fire
Category: core
Module: kern
Announced: 2015-11-04
Credits: Steven Hartland
Affects: All supported versions of FreeBSD.
Corrected: 2015-09-24 08:42:08 UTC (stable/10, 10.2-STABLE)
2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)
2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24)
2015-09-24 09:35:35 UTC (stable/9, 9.3-STABLE)
2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security branches,
and the following sections, please visit
<URL:https://security.freebsd.org/>.
I. Background
The kqueue(2) system call provides a generic method of notifying the user
when an event happens or a condition holds, based on the results of small
pieces of kernel code termed filters.
II. Problem Description
Due to int usage for file offsets in the VOP_WRITE_(PRE|POST) macros,
kqueue(2) write events for files greater 2GB where never fired.
III. Impact
Any kqueue(2) consumer monitoring for file changes will fail to receive an
event if the monitored file is greater than 2GB.
This causes commands such as 'tail -f' to never see updates.
IV. Workaround
For the specific case of tail(1), using '-F' instead of '-f' avoids the
issue, however other consumers of kqueue(2) events to monitor files do not
have a workaround.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot the system.
2) To update your present system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
And reboot the system.
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-15:19/kqueue.patch
# fetch https://security.FreeBSD.org/patches/EN-15:19/kqueue.patch.asc
# gpg --verify kqueue.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r288168
releng/9.3/ r290363
stable/10/ r288167
releng/10.1/ r290362
releng/10.2/ r290361
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:19.kqueue.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJWOe7vAAoJEO1n7NZdz2rneAkP/0FCRnyH6vkJFZBbfdIQY5u7
XPSbSD+2847aJRWw/xU+FWHsFjjcfKrvKqgRtdZXkTBe3FjTgiNbf6jQRCSy0f6u
odcPXt4ZprXmhn6BOsyF92NgDHE5VXIiO1h0Jz1Y/+PTi/52BjNbevGUox6VpbMc
t9XwxuARKG5bSNU+QdWdilP4H//+SAxuhK4Y96i6pccbT51DoO3ACCa8EpuOJYW9
elXTQbB4XC1n0EATr5gtTwKE+5/yPDEgl9pPNjsN8UTWCqzPwxPTwfplf3idN5Vq
Oe5YIiI5aaAE16fSYUkIZR0kZ/ScR6gbmc2ALKRtHPa4+9g9TpNINpfmreV2htfH
CrUW4qGZaoABpX1X2sFJ6su2NCgW3DliOuSAJUyK8Re2XEJZVfcVauyWaZxocJhu
NRoH8yBoLJKrPB0Z3Dr9eygmDNGEvaFUB/ZpbeCbyebwyFTmTMUshwfZwcfPftaB
bNd+R4J9UkY5wJWYUve7VpGDY2L6+j2MoPnlZJDfZZpYmFByD/GmdV5Pxxl4yEj3
2DBevZIGOGlH9E26JrPTcCYjkX15OS0KUkWQy7xv1jdxXCZ4AVbRq8CRiFdQ2JPU
uSsrwgrGPdYkku0k6xXbb5YDw4475lQPAy9gMSeEDCqcl4GjKf1AVbrN9Jq73C8o
c65YAK83vX3x9HDWCrss
=OODP
-----END PGP SIGNATURE-----

137
share/security/advisories/FreeBSD-EN-15:20.vm.asc Normal file
View file

@ -0,0 +1,137 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-15:20.vm Errata Notice
The FreeBSD Project
Topic: Applications exiting due to segmentation violation
on a correct memory address
Category: core
Module: kernel
Announced: 2015-11-04
Credits: Konstantin Belousov
Affects: All supported versions of FreeBSD.
Corrected: 2015-09-15 04:20:39 UTC (stable/10, 10.2-STABLE)
2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)
2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24)
2015-10-30 13:05:39 UTC (stable/9, 9.3-STABLE)
2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The FreeBSD virtual memory system provides processes with virtual
address space. Features of virtual address space include copy-on-write
pages and page wiring.
II. Problem Description
A race condition exists in the virtual memory implementation. When an
application writes to a valid address in its address space, and the
corresponding map entry is marked as copy-on-write, and right now
undergoes wiring process, and the corresponding page does not yet have
a page table entry installed, the application receives a segmentation
violation signal. A usual case for this scenario to happen is a write
into a never written map entry in a child process right after fork(2)
system call.
III. Impact
Under certain conditions, a correctly behaving application could be
terminated.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# reboot
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-15:20/vm.patch
# fetch https://security.FreeBSD.org/patches/EN-15:20/vm.patch.asc
# gpg --verify vm.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r290194
releng/9.3/ r290363
stable/10/ r287846
releng/10.1/ r290362
releng/10.2/ r290361
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://svnweb.freebsd.org/base?view=revision&revision=r287591>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204048>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-15:20.vm.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJWOe8FAAoJEO1n7NZdz2rnqBcP/2XPJ87Fr1b7I1i0R8ClJj5G
Kk+pGD+OkZF9h7ix0b1NrSBjB2quCFUy+u8ImPXMkSZM0Id7hAIX0VourkqcoHSL
CrsYTUXyqq4KU3E7xvoU4Q54cnDAd3hHIm9Gsduv1UNY02YBI/mRYqiMVnXKHGk/
SLlmMtFCmLkXHJP5/Ynx1xILWC9c2xYLqfvlLbkTTbmtZn8gAQqgh1kfuEkzEvt4
sgXx8kewUnv9Z2Oo+Xcqqrh5UfeppDEc7x8Y7a4tiSkW034xMETzC0xjrbq+4lE1
2MU/j65ZN5Sq5EjrmHdnr5q0R7/V4CHjRcLAvw2UaVpNlfMNmVpe5uye/slUDRw0
gCcztomi1heU78octR71kD0irhRVa+bcftsuanDRF8hs0czJL5BhPYyIaEb7e4s5
tGQyyflncD4EONbI/rmfsQhLEaTTg240NtkZbQFY1f5FqoyFiKXX99Hwm1jHZsRR
OYGOAo3YZPx6biRdaIOPg0OTjqNw/mZgY3uQ/vCjWGAcgSzynDMkMJEOmyf+RBgZ
F4qWOxmmFMr9+X1+1c7/ApwjampmfCV/Z7UvJTaFkVuKPiFA4ubrJ3TmDLsQMzza
k9zumzxZAo+tsYD8ArbpPYlERe6JoF3axm/97JcFrn5iUcnaMM8vmawQo8xsrunx
GyLfwUPpXSI25C1iNJDx
=HTKc
-----END PGP SIGNATURE-----

275
share/security/advisories/FreeBSD-SA-15:25.ntp.asc
View file

@ -1,22 +1,22 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hash: SHA512
=============================================================================
FreeBSD-SA-15:25.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Topic: Multiple vulnerabilities of ntp [REVISED]
Category: contrib
Module: ntp
Announced: 2015-10-26
Announced: 2015-10-26, revised on 2015-11-04
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)
2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE)
2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29)
2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)
2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24)
2015-11-02 10:39:26 UTC (stable/9, 9.3-STABLE)
2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30)
CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
@ -26,6 +26,12 @@ For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.
0. Revision history.
v1.0 2015-10-26 Initial release.
v1.1 2015-11-04 Revised patches to address regression in ntpq(8), ntpdc(8)
utilities and lack of RAWDCF reference clock support in ntpd(8).
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
@ -36,125 +42,120 @@ II. Problem Description
Crypto-NAK packets can be used to cause ntpd(8) to accept time from an
unauthenticated ephemeral symmetric peer by bypassing the authentication
required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and
10.1 are not affected.
required to mobilize peer associations. [CVE-2015-7871]
FreeBSD 9.3 and 10.1 are not affected.
If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual
If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually
long data value where a network address is expected, the decodenetnum()
function will abort with an assertion failure instead of simply returning
a failure condition. [CVE-2015-7855]
a failure condition. [CVE-2015-7855]
If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd(8) was configured to disable
authentication, then an attacker can send a set of packets to ntpd(8) that
may cause it to crash, with the hypothetical possibility of a small code
injection. [CVE-2015-7854]
If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration requests,
and if the attacker knows the remote configuration password or if ntpd(8)
was configured to disable authentication, then an attacker can send a set
of packets to ntpd(8) that may cause it to crash, with the hypothetical
possibility of a small code injection. [CVE-2015-7854]
A negative value for the datalen parameter will overflow a data buffer.
NTF's ntpd(8) driver implementations always set this value to 0 and are
therefore not vulnerable to this weakness. If you are running a custom
The NTF ntpd(8) driver implementation always sets this value to 0 and are
therefore not vulnerable to this weakness. If the system runs a custom
refclock driver in ntpd(8) and that driver supplies a negative value for
datalen (no custom driver of even minimal competence would do this)
then ntpd would overflow a data buffer. It is even hypothetically
possible in this case that instead of simply crashing ntpd the
attacker could effect a code injection attack. [CVE-2015-7853]
datalen (no custom driver of even minimal competence would do this), then
ntpd(8) would overflow the data buffer. It is even hypothetically possible
in this case that instead of simply crashing ntpd(8), the attacker could
effect a code injection attack. [CVE-2015-7853]
If an attacker can figure out the precise moment that ntpq(8) is listening
for data and the port number it is listening on or if the attacker can
provide a malicious instance ntpd(8) that victims will connect to then an
attacker can send a set of crafted mode 6 response packets that, if
received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]
for data and the port number on which it is listening, or if the attacker
can provide a malicious instance ntpd(8) that victims will connect to, then
an attacker can send a set of crafted mode 6 response packets that, if
received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]
If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) IP address is allowed to send remote configuration
requests, and if the attacker knows the remote configuration password
or if ntpd(8) was configured to disable authentication, then an attacker
can send a set of packets to ntpd that may cause ntpd(8) to overwrite
files. [CVE-2015-7851]. The default configuration of ntpd(8) within
FreeBSD does not allow remote configuration.
If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) IP address is allowed to send remote configuration requests, and if
the attacker knows the remote configuration password or if ntpd(8) was
configured to disable authentication, then an attacker can send a set of
packets to ntpd that may cause ntpd(8) to overwrite files. [CVE-2015-7851]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.
If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd(8) was configured to disable
authentication, then an attacker can send a set of packets to ntpd
that will cause it to crash and/or create a potentially huge log
file. Specifically, the attacker could enable extended logging,
point the key file at the log file, and cause what amounts to an
infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8)
within FreeBSD does not allow remote configuration.
If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration
requests, and if the attacker knows the remote configuration password or if
ntpd(8) was configured to disable authentication, then an attacker can send
a set of packets to ntpd that will cause it to crash and/or create
a potentially huge log file. Specifically, the attacker could enable
extended logging, point the key file at the log file, and cause what amounts
to an infinite loop. [CVE-2015-7850]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.
If ntpd(8) is configured to allow remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd was configured to disable
authentication, then an attacker can send a set of packets to
ntpd that may cause a crash or theoretically perform a code
injection attack. [CVE-2015-7849]. The default configuration of ntpd(8)
within FreeBSD does not allow remote configuration.
If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration requests,
and if the attacker knows the remote configuration password or if ntpd(8) was
configured to disable authentication, then an attacker can send a set of
packets to ntpd(8) that may cause a crash or theoretically perform a code
injection attack. [CVE-2015-7849]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.
If ntpd(8) is configured to enable mode 7 packets, and if the use
of mode 7 packets is not properly protected thru the use of the
available mode 7 authentication and restriction mechanisms, and
if the (possibly spoofed) source IP address is allowed to send
mode 7 queries, then an attacker can send a crafted packet to
ntpd that will cause it to crash. [CVE-2015-7848]. The default
configuration of ntpd(8) within FreeBSD does not allow mode 7
If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7
packets is not properly protected through the use of the available mode 7
authentication and restriction mechanisms, and if the (possibly spoofed)
source IP address is allowed to send mode 7 queries, then an attacker can
send a crafted packet to ntpd that will cause it to crash. [CVE-2015-7848]
The default configuration of ntpd(8) within FreeBSD does not allow mode 7
packets.
If ntpd(8) is configured to use autokey, then an attacker can send
packets to ntpd that will, after several days of ongoing attack,
cause it to run out of memory. [CVE-2015-7701]. The default
configuration of ntpd(8) within FreeBSD does not use autokey.
If ntpd(8) is configured to use autokey, then an attacker can send packets to
ntpd that will, after several days of ongoing attack, cause it to run out of
memory. [CVE-2015-7701]
The default configuration of ntpd(8) within FreeBSD does not use autokey.
If ntpd(8) is configured to allow for remote configuration, and if
the (possibly spoofed) source IP address is allowed to send
remote configuration requests, and if the attacker knows the
remote configuration password, it's possible for an attacker
to use the "pidfile" or "driftfile" directives to potentially
overwrite other files. [CVE-2015-5196]. The default configuration
of ntpd(8) within FreeBSD does not allow remote configuration
If ntpd(8) is configured to allow for remote configuration, and if the
(possibly spoofed) source IP address is allowed to send remote configuration
requests, and if the attacker knows the remote configuration password, it is
possible for an attacker to use the "pidfile" or "driftfile" directives to
potentially overwrite other files. [CVE-2015-5196]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration
An ntpd(8) client that honors Kiss-of-Death responses will honor
KoD messages that have been forged by an attacker, causing it
to delay or stop querying its servers for time updates. Also,
an attacker can forge packets that claim to be from the target
and send them to servers often enough that a server that
implements KoD rate limiting will send the target machine a
KoD response to attempt to reduce the rate of incoming packets,
or it may also trigger a firewall block at the server for
packets from the target machine. For either of these attacks
to succeed, the attacker must know what servers the target
is communicating with. An attacker can be anywhere on the
Internet and can frequently learn the identity of the target's
time source by sending the target a time query. [CVE-2015-7704]
Kiss-of-Death messages that have been forged by an attacker, causing it to
delay or stop querying its servers for time updates. Also, an attacker can
forge packets that claim to be from the target and send them to servers
often enough that a server that implements Kiss-of-Death rate limiting will
send the target machine a Kiss-of-Death response to attempt to reduce the
rate of incoming packets, or it may also trigger a firewall block at the
server for packets from the target machine. For either of these attacks to
succeed, the attacker must know what servers the target is communicating
with. An attacker can be anywhere on the Internet and can frequently learn
the identity of the time source of a target by sending the target a time
query. [CVE-2015-7704]
The fix for CVE-2014-9750 was incomplete in that there were
certain code paths where a packet with particular autokey
operations that contained malicious data was not always being
completely validated. Receipt of these packets can cause ntpd
to crash. [CVE-2015-7702]. The default configuration of ntpd(8)
within FreeBSD does not use autokey.
The fix for CVE-2014-9750 was incomplete in that there were certain code
paths where a packet with particular autokey operations that contained
malicious data was not always being completely validated. Receipt of these
packets can cause ntpd to crash. [CVE-2015-7702].
The default configuration of ntpd(8) within FreeBSD does not use autokey.
III. Impact
An attacker which can send NTP packets to ntpd(8), which uses cryptographic
An attacker which can send NTP packets to ntpd(8) which uses cryptographic
authentication of NTP data, may be able to inject malicious time data
causing the system clock to be set incorrectly. [CVE-2015-7871]
causing the system clock to be set incorrectly. [CVE-2015-7871]
An attacker which can send NTP packets to ntpd(8), can block the
communication of the daemon with time servers, causing the system
clock not being synchronized. [CVE-2015-7704]
An attacker which can send NTP packets to ntpd(8) can block the communication
of the daemon with time servers, causing the system clock not being
synchronized. [CVE-2015-7704]
An attacker which can send NTP packets to ntpd(8), can remotely crash
the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854]
An attacker which can send NTP packets to ntpd(8) can remotely crash the
daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854]
[CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848]
An attacker which can send NTP packets to ntpd(8), can remotely
trigger the daemon to overwrite its configuration files. [CVE-2015-7851]
[CVE-2015-5196]
An attacker which can send NTP packets to ntpd(8) can remotely trigger the
daemon to overwrite its configuration files. [CVE-2015-7851] [CVE-2015-5196]
IV. Workaround
@ -191,28 +192,50 @@ FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2
# bunzip2 ntp-102.patch.bz2
[*** v1.1 NOTE ***] If your sources are not yet patched using initial
advisory patches, then you need to apply full patches named ntp-NNN.patch,
where NNN stands for the release version. If your sources are already
updated, or patched with patches from initial advisory, then you need to
apply incremental patches, named ntp-NNN-inc.patch, where NNN stands for
the release version.
[FreeBSD 10.2-RELEASE-p5, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.xz
# unxz ntp-102.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc
# gpg --verify ntp-102.patch.asc
[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2
# bunzip2 ntp-101.patch.bz2
[FreeBSD 10.1-RELEASE-p22, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.xz
# unxz ntp-101.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc
# gpg --verify ntp-101.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2
# bunzip2 ntp-93.patch.bz2
[FreeBSD 9.3-RELEASE-p28, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.xz
# unxz ntp-93.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc
# gpg --verify ntp-93.patch.asc
[FreeBSD 10.2-RELEASE-p6, initial SA-15:25 patch applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch.asc
# gpg --verify ntp-102-inc.patch.asc
[FreeBSD 10.1-RELEASE-p23, initial SA-15:25 patch applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch.asc
# gpg --verify ntp-101-inc.patch.asc
[FreeBSD 9.3-RELEASE-p29, initial SA-15:25 patch applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch.asc
# gpg --verify ntp-93-inc.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# patch -p0 < /path/to/patch
# find contrib/ntp -type f -empty -delete
c) Recompile the operating system using buildworld and installworld as
@ -231,11 +254,11 @@ affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r289998
releng/9.3/ r290001
stable/9/ r290269
releng/9.3/ r290363
stable/10/ r289997
releng/10.1/ r290000
releng/10.2/ r289999
releng/10.1/ r290362
releng/10.2/ r290361
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
@ -269,17 +292,17 @@ https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D
sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/
RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA
RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM
7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq
mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv
q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15
rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6
JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ
qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB
8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk
EUlBT3ViDhHNrI7PTaiI
=djPm
iQIcBAEBCgAGBQJWOe7GAAoJEO1n7NZdz2rnzLUQAOugJiyGHZFYllUnCF/EBFoo
UIKc3RjWAqreJ5Mg0upKqI7i2oHw4/VjxVjdvwdp7E5t6b+/LYA5jDCfO/RcuMMS
SZDyC2BWGq8kkSuwNZmo1js1WRUsdpTQPr3TLvoTh/o1w5D0ncLgqJz7IeuqlHer
2VG5yJP30OUyF1cdk4E9LJcDXx24u8iP0DN5e/0XJGST5/trp/+VYpMy7Vm8dv1l
IQks3wtU4tI574rQKjmAiQyRnvLq0TJ4v/eHHKP4PkMC6FNFUyJx0OhVqZdqWJXz
ynT28JY5d1SsiPlhUDfSRKGjdpi4kC4szv7ceCuAwmWiDlsNqinKadu9bz4Rwudt
qlgJZRmtoFcyeReHckZmEwcmW9hPT3i98kjWs83vZqGD9bw7Zt05HfZ/TPyTk3tg
ec1Dmvhx4s9jprypuThPgs3W7KlgnvdpYdc2aagiU/dqvTArzVuWeLP0ryo269CD
ZWbgVrfFZjhvi+/nUJD+eMoVLsJYBhNZoJEv7NvUSWizVE4bfD4oFkAxEHBpXxVo
VKt5V6edVR0rdmI3xFkiP8372UPbYN8KUfa1R5y4GWPbORv/Z5Wb/XAVmGlvkHNj
U0bmAWv5XOw3CtwFJnRaATl/H5+WqQOVthxvT9EHvt8fHczAq8HvDHS7bIrFDEdN
gVRXzv6oTlBVGq6sP17H
=Jtlu
-----END PGP SIGNATURE-----