os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add 3 new advisories and patches.

Browse source
This commit is contained in:
Xin LI 2015-04-07 20:36:34 +00:00
parent b1f10282bc
commit 4f5662b555
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=46499
13 changed files with 999 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

65
share/security/advisories/FreeBSD-SA-15:04.igmp.asc
View file

@ -9,23 +9,27 @@ Topic: Integer overflow in IGMP protocol
Category: core Category: core
Module: igmp Module: igmp
Announced: 2015-02-25 Announced: 2015-02-25; Last revised on 2015-04-07
Credits: Mateusz Kocielski, Logicaltrust, Credits: Mateusz Kocielski, Logicaltrust,
Marek Kroemeke, and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 Marek Kroemeke, and 22733db72ab3ed94b5f8a1ffcde850251fe6f466
Affects: All supported versions of FreeBSD. Affects: All supported versions of FreeBSD.
Corrected: 2015-02-25 05:43:02 UTC (stable/10, 10.1-STABLE) Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6) 2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18) 2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-02-25 05:43:02 UTC (stable/9, 9.3-STABLE) 2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10) 2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-02-25 05:43:02 UTC (stable/8, 8.4-STABLE) 2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
CVE Name: CVE-2015-1414 CVE Name: CVE-2015-1414
For general information regarding FreeBSD Security Advisories, For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>. following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2015-02-25 Initial release.
v1.1 2015-04-07 Revised patch to address a potential overflow issue.
I. Background I. Background
IGMP is a control plane protocol used by IPv4 hosts and routers to propagate IGMP is a control plane protocol used by IPv4 hosts and routers to propagate
@ -73,6 +77,10 @@ detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc # fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
# gpg --verify igmp.patch.asc # gpg --verify igmp.patch.asc
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch.asc
# gpg --verify igmp-errata.patch.asc
b) Apply the patch. Execute the following commands as root: b) Apply the patch. Execute the following commands as root:
# cd /usr/src # cd /usr/src
@ -89,13 +97,12 @@ affected branch.
Branch/path Revision Branch/path Revision
- ------------------------------------------------------------------------- - -------------------------------------------------------------------------
stable/8/ r279263 stable/8/ r281231
releng/8.4/ r279265 releng/8.4/ r281233
stable/9/ r279263 stable/9/ r281231
releng/9.3/ r279265 releng/9.3/ r281233
stable/10/ r279263 stable/10/ r281230
releng/10.0/ r279264 releng/10.1/ r281232
releng/10.1/ r279264
- ------------------------------------------------------------------------- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the To see which files were modified by a particular revision, run the
@ -115,19 +122,19 @@ VII. References
The latest revision of this advisory is available at The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:04.igmp.asc> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:04.igmp.asc>
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD) Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnjr8QAL0J0+4lRtPXRyDRX2xFSnzw iQIcBAEBCgAGBQJVJD39AAoJEO1n7NZdz2rnewwQAN9xI01nzOO71Q7qP7xDq+wu
sc3OpfmlTiD3pCFkebTYy3/+EK86iAL1ZELqlJe5mm2+pzhCQB13C4/exc0l1U6b RW2C+2A4viIZIId1od6GiDY7Qpigy1CMwHsae6qJ62R+D5F2x9vANV4U6AS44oNy
tyiGXxhVi2/4SBrs6n9lmB/YhXkgtqaOQAcNaOD6sVbS1e5cBtjnG86oOq8tQ2qG 2jDwbrByM7QQ3qeCh8NzCUvOwPuXyKsAGKV73t3QPk0leKdbqUyjTooWJtZAv0dN
c7Dvh3HTp9M5fDJtsI40SIpqy3FcKORBfpjYd8jONfSqMnLM2kM8xzwHSv4/X23e VgQ4VCQh+2ZlxjMT0igUScmCVqOncRUm33xKBLeTif5LZHi/afkR6CToMlACOvl3
GlDKHtIi+1ylD/Qu7Z3S7hqXDTSYjZb1QHc7axDFB6X6nj2Rz3aWS2hPPTypFd3T syJNhEeM+zYU9XLzb90hAjvqn1xLDkoS4qJNbrekj0/dI0jkgZdk18QAualwWgeZ
zTj5DZjgiP7U2LhR40sWW68RYi21yzNUwbe0w5LeDah6Ymc5CDO2ujdm3HDQbQGH i39Da6IQ4wCn8Sx9o8pc8NdtzHn37rmOcdzBIodzxa1vALmNhDWuBpIIysffsZvf
pA9QIOjzpgR64nWLIJfZ7jMxL3rCCaCW3NCB/iRXni2Ib/wt3ZDkJyEk/SF4K82H ewVdI83pabRdZZxO1YAPjJi34CTXmvwf8Hit/hh0n1AO21lhr0NhwQzEn7gmLqSh
72U2u2qVjAsnhmwWK8gksBi9bEXk3TnX778bkrwm4rt1xOjACq8k66LAernoE4tB JZYg46k6tNGy6qUa1NU/ywja0kLCG0KdR1FO9IKaN6TCgB30bpndGq1Y0esX1Mo8
DkE0pO4QR+6XwFb5sJMG/3L9CmrhTp2pkPDBQDbSD+ngBs5V5mJOqVf7gB+UptnN 5xq/P/KoNPE9BzifyhbDBt77eEmfpiKIuQXQVP3B1n3KEDDUlSSeiz3x0h9ZOjfm
Fh8OACO/5KtDkqBDsCljHxHZNaboVF4Q613+iF5CUc6SYOTkLnBDUE4Pq38vlzVB vLb1hinfp1RPC4S72a0Zts6r60aee9dMWd/DvC8RqWQqEE0PUamipL2ClzBmOpTK
GdZMEo/hvsCbR4c2TmdKuvEkEqayxCxcv0DXiyTlVCecxSkaYvMXPwCKK43QtS7S F9b2y9776hfPV/mvGUwS7H63mAMJkMOTDGZn3WWIT3Dmr6Eru0/t1XXqCPB4cNUl
het83QCUxaVuxLiznuwR uf5sxNtEDjXadkeM20lu
=lkYC =y2yR
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

157
share/security/advisories/FreeBSD-SA-15:07.ntp.asc Normal file
View file

@ -0,0 +1,157 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:07.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Category: contrib
Module: ntp
Announced: 2015-04-07
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name: CVE-2014-9297, CVE-2015-1798, CVE-2015-1799
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
II. Problem Description
The vallen packet value is not validated in several code paths in
ntp_crypto.c. [CVE-2014-9297]
When ntpd(8) is configured to use a symmetric key to authenticate a remote
NTP server/peer, it checks if the NTP message authentication code (MAC)
in received packets is valid, but not that there actually is any MAC
included, and packets without a MAC are accepted as if they had a valid
MAC. [CVE-2015-1798]
NTP state variables are updated prior to validating the received packets.
[CVE-2015-1799]
III. Impact
A remote attacker who can send specifically crafted packets may be able
to reveal memory contents of ntpd(8) or cause it to crash, when ntpd(8)
is configured to use autokey. [CVE-2014-9297]
A man-in-the-middle (MITM) attacker can send specially forged packets
that would be accepted by the client/peer without having to know the
symmetric key. [CVE-2015-1798]
An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can periodically send a specially crafted or
replayed packet which will break the synchronization between the two
peers due to transmit timestamp mismatch, preventing the two nodes from
synchronizing with each other, even when authentication is enabled.
[CVE-2015-1799]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r281231
releng/8.4/ r281233
stable/9/ r281231
releng/9.3/ r281233
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:07.ntp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn4doQAKwA67MgX6jiCS4dm1roREi+
G1moTCtqO8LXzH3nOOOk6R/MqFGOs6Jq8D+K/YmdD+4l3c/qCNR0qtv0YcVL0kE+
+xfaIYoGxTzlPjEfpWtceCM0wcAThaF8085hi0IAzG7ozhKPt+Inv33ISgos5c7h
zYcbTqBYgQqcJGWdftnYpZ1Nxvoa3wiOlxsOMa4qnNeUakeXcGLZ+1XB5pLjXMZF
dHfKhMS6KxcUdHoPgOj468D3bQE05puLk13Kjy+Ti38GhcgMROAsMZVOzgno3J7g
D7Hk4dR1dms+6xcSJ0BV4ej0ZfypGv0xiFmUiTk/p7AVbnqrChyjvGca+8reu+Gc
Ks/67oZjP5rc0glvRFgjJBmQV/xK2rUK805e4eAm8qBecRjDv6M3mUmPdw5BlgcA
7fcj4VdGkOzLB0Vj7uJFjf3p9cyT+x8yvMtknxehiYmrYnFDsM5d7lcv0+KnRzb2
3bt6maO40wqWIcLErFthcT/nLP+wi35aykNIbGh7PXvqL92gWX+h/xB6YY9Ouo4N
hb32W/F5O50MjL6BeY+k5J6usoFrk0EHWK+2Fxm2/AA/5K/JnryWN44F8PVPNzxE
f+Vb6CzxBvmflpa/29tF/wSD0oU78AhuShtVrnEVT5ZWJj+/PHBZtcLk2Z+s5hgd
hKFvV5Xqix0/U//+yGhj
=1fHm
-----END PGP SIGNATURE-----

119
share/security/advisories/FreeBSD-SA-15:08.bsdinstall.asc Normal file
View file

@ -0,0 +1,119 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:08.bsdinstall Security Advisory
The FreeBSD Project
Topic: Insecure default GELI keyfile permissions
Category: core
Module: bsdinstall
Announced: 2015-04-07
Credits: Pierre Kim
Affects: FreeBSD 10.1.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
CVE Name: CVE-2015-1415
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The GEOM ELI class, or geli(8) implements encryption on GEOM providers which
supports various cryptographic encryption and authentication methods as
well as hardware acceleration. Each geli(8) provider has two key slots,
and each slot holds a copy of its master key encrypted by a keyfile and/or
a passphrase chosen by the system administrator.
The bsdinstall(8) installer is the default system installer of FreeBSD since
FreeBSD 10.0-RELEASE.
II. Problem Description
The default permission set by bsdinstall(8) installer when configuring full
disk encrypted ZFS is too open.
III. Impact
A local attacker may be able to get a copy of the geli(8) provider's
keyfile which is located at a fixed location.
IV. Solution
Note well: due to the nature of this issue, there is no way to fix this
issue for already installed systems without human intervention. System
administrators are advised to assume that the keyfile have already been
leaked and a new keyfile is necessary.
The system administrator can create a new keyfile with the correct
permissions, and change the key slot that holds the master key encrypted
with the old keyfile.
For example, if the GELI provider is /dev/ada0, the system administrator
can do the following:
# umask 077
# dd if=/dev/random of=/boot/encryption.key.new bs=4096 count=1
# umask 022
# geli setkey -K /boot/encryption.key.new /dev/ada0p3
Enter new passphrase:
Reenter new passphrase:
(Repeat the geli setkey command if multiple providers are used)
# mv /boot/encryption.key.new /boot/encryption.key
# ls -l /boot/encryption.key
Make sure that the new /boot/encryption.key can only be read by root.
The FreeBSD stable and security branch (releng) and the changes are mainly
intended for system integrators who build their own installation image for
new installations.
V. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VI. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:08.bsdinstall.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rntF0P/0vVZ6W5xpIAm5K7eS184GaJ
TuQ0E5XdqH1i6smYxAwUHtINFmAJ11cv+KwAbwFwazdB9jy4def6kwBZ/PE1y1M9
OGi/JD3RghL0RrrrIzADVz5Z4Hi401BmLN7aOW9REX75/o82XqGXTRlDmow5z22D
/B4NRNQ0p6cwmwh179HHuJPgQsDmL3mBkgn4oMv1036q9VjP5V/b+i2Ja/I6oCa/
ZJhdEg17P9ek6GBna/fV7yo1Cr+A7v9aSUFcN9E8VqoWGn06jO0sLjWCC9Lrc6sZ
KAgFbxNuPW/eZOE447DIu9jrgE8xxBFn6skeW81jsPsT4FsF/7KWG+dxBOa9XxOH
XQTzc9sx3tsRVUzEBUGHRpPh/ZbkqtqQ5MYrAYk66NJ1NFqbrhY08mqzOd4+Sr7a
CUMV/1vD0pCRME8bgIVupKciIw9y6QYWo2Gm+BJIqAw7L8EaEhaN7nnBxDbRehlj
PdRYxHO4aQLIxdaV4dtDx3SX+njRxyVP/0OOSVQz1laiKadsRO2YQe+IhVoFhU5v
fLSoBI+8mX8Sc65UasqsuNXC3G2c6XXKkLBCYzmL90R2pwPtxbQRTDVGMmG9fyyc
b4w+yindLcwKXxKJryQWswAbv6hBQunAoCaVsqiIdF2N9Psrlr3FhkU//JbvrxA1
COcciZEksTS0JwEpOGi5
=wg1b
-----END PGP SIGNATURE-----

153
share/security/advisories/FreeBSD-SA-15:09.ipv6.asc Normal file
View file

@ -0,0 +1,153 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:09.ipv6 Security Advisory
The FreeBSD Project
Topic: Denial of Service with IPv6 Router Advertisements
Category: core
Module: ipv6
Announced: 2015-04-07
Credits: Dennis Ljungmark
Affects: All supported versions of FreeBSD.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name: CVE-2015-2923
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability information.
Routers advertise their presence together with various link and Internet
parameters either periodically, or in response to a Router Solicitation
message, using Router Advertisement (ICMPv6 type 134).
II. Problem Description
The Neighbor Discover Protocol allows a local router to advertise a
suggested Current Hop Limit value of a link, which will replace
Current Hop Limit on an interface connected to the link on the FreeBSD
system.
III. Impact
When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets
may get dropped before they reached their destinations.
By sending specifically crafted Router Advertisement packets, an attacker
on the local network can cause the FreeBSD system to lose the ability to
communicate with another IPv6 node on a different network.
IV. Workaround
Only systems that are manually configured to use "accept_rtadv"
ifconfig(8) flag on an interface are affected.
The system administrator may decide to disable acceptance of Router
Advertisements from untrusted network in a per-interface basis, by
removing accept_rtadv flag at run time using ifconfig(8):
ifconfig em0 inet6 -accept_rtadv
Note that an interface does not accept Router Advertisement messages
by default even if an IPv6 address is configured. One can know
whether an interface is accepting Router Advertisement message or not
from existence of ACCEPT_RTADV in "nd6 options" line in an output of
ifconfig(8):
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch.asc
# gpg --verify ipv6.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r281231
releng/8.4/ r281233
stable/9/ r281231
releng/9.3/ r281233
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2923>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:09.ipv6.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rn13cQANJCk2LXSX8GDHGzWnD+D5gN
rNC4Q8n9CnN80ZO/0Pk0Xx2VAtr3CKxflBTXBKISKuY+dWOzNvuUuUUkrB9SlyTj
MYpqAljnBT0JkosGGBKJwt39DjW34HWlaj9wEPr1SdIq5vQO0cXS2glVPI/CQuy3
NwnpaAmftAG4eMSYojOeodXniha/ZasFap5Zj+1dgofFHEP87zxefP2IamG1Cq72
d8YJSCD8yy51mZ7dVFM29R3FAFdMpponci31dXGb5p8pj0yzVfvI/HF1MRK+x8Nz
R0/jFOHY4TR26BfKsc4Nc6Ze7jdZHUP1qWoL2O6HiLVqws0nQp3jma7FkMrUMuui
H9kAQaIc27tJOkSK4Gdc/dwzHgb3xr2fNfOjvbUv3VNjzijTzbzKfRlVH77EAxAi
sQfUcql/toGdC/QaOlhC8+v5jHdwkLdpfRc4QdsV1rKDAA8mj068sJQS/yAig8E8
QUNmB3UK1QsX3tmy0JuDJk7tr/jjnhl2Jt9Skvm70xUiA7G05Z1qouErkIAjwikY
zQSPpSQebi3am9TtK/GViOjEVpWLYzLFYo6laR8wMw9eJsj0xlF8Qqz+0HudqfSt
lMOfpVfUmBSIxlFdiIzMBfbpLdD1gSo4oBLIYA/xw7UtDMiWi2Iji/mBY1Jg/i5V
ZCTwZmnmaVuPcsGOzv5W
=A2Am
-----END PGP SIGNATURE-----

32
share/security/patches/SA-15:04/igmp-errata.patch Normal file
View file

@ -0,0 +1,32 @@
Index: sys/netinet/igmp.c
===================================================================
--- sys/netinet/igmp.c (revision 280920)
+++ sys/netinet/igmp.c (working copy)
@@ -1534,7 +1534,6 @@ igmp_input(struct mbuf *m, int off)
struct igmpv3 *igmpv3;
uint16_t igmpv3len;
uint16_t nsrc;
- int srclen;
IGMPSTAT_INC(igps_rcv_v3_queries);
igmpv3 = (struct igmpv3 *)igmp;
@@ -1542,8 +1541,8 @@ igmp_input(struct mbuf *m, int off)
* Validate length based on source count.
*/
nsrc = ntohs(igmpv3->igmp_numsrc);
- srclen = sizeof(struct in_addr) * nsrc;
- if (nsrc * sizeof(in_addr_t) > srclen) {
+ if (nsrc * sizeof(in_addr_t) >
+ UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
IGMPSTAT_INC(igps_rcv_tooshort);
return;
}
@@ -1552,7 +1551,7 @@ igmp_input(struct mbuf *m, int off)
* this scope.
*/
igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
- srclen;
+ sizeof(struct in_addr) * nsrc;
if ((m->m_flags & M_EXT ||
m->m_len < igmpv3len) &&
(m = m_pullup(m, igmpv3len)) == NULL) {

17
share/security/patches/SA-15:04/igmp-errata.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAABCgAGBQJVJD4RAAoJEO1n7NZdz2rnrYQQANA/aVjCvRZArJcQTrv6KZQx
UA3GLXRG+gSlE3tVo7zx1qFvQGTET6lDNM8C8shj//biaevNxjRlagFDQWHUoh7U
5HYfImnCAkIsO4OvAeJWHj+Xfskf22VRNGodou1PpVEco3XAFCQKMmsdMDUetiIw
zgXEMcONQFgUBf0g8e2YS0UPtJDwaxTFkGs/4uQvOoKLqCNf5esUDGKNeKMp85wg
pFt6TCIsXIoQidFCFz6TWSjXLin9QKhGxSngxKrM9LnkM4l3b7bsh1JoqIrsXQ/W
lIFZnInVYsRrbq/RUaYeh/2FzYGFfks1nKH1Gyg9I/uy0hF1NMig7egUP5cnh7GU
emXVUU6CYvkh4ndmPFKxlWgnf4PBJAebjzFrZtNK8OY6Uz8FrLZo1HuSFhNFdd6k
MRncaZ4rY7AyYYgXZKu5563+ztQh1tAvrSbXAN9adk1QH6t5DmWvOopK7vVJ3fTD
KLcXOQ2wmmr2rmQiSDLg9pUAi7ewu1sUzSbd2IML97ovtALDWU7VMWoQsBAlfHfP
GaY3ncCxsiJW+87udH4kGfDXRkY85Io7VRGEblFaz+AsF4xisMTboXcYy+z+SZH4
4QXsqoDoTLwZ4XZaIaNW8Z/PdB81j2WPvDbxdRD4DtZkx47KZw1a8SU3tRzlVyaS
Cboc9S/wjp6xphvBNRJl
=WOIN
-----END PGP SIGNATURE-----

377
share/security/patches/SA-15:07/ntp.patch Normal file
View file

@ -0,0 +1,377 @@
Index: contrib/ntp/ntpd/ntp_crypto.c
===================================================================
--- contrib/ntp/ntpd/ntp_crypto.c (revision 280717)
+++ contrib/ntp/ntpd/ntp_crypto.c (working copy)
@@ -93,6 +93,7 @@
#define TAI_1972 10 /* initial TAI offset (s) */
#define MAX_LEAP 100 /* max UTC leapseconds (s) */
#define VALUE_LEN (6 * 4) /* min response field length */
+#define MAX_VALLEN (65535 - VALUE_LEN)
#define YEAR (60 * 60 * 24 * 365) /* seconds in year */
/*
@@ -137,8 +138,8 @@ static u_int ident_scheme = 0; /* server identity
*/
static int crypto_verify P((struct exten *, struct value *,
struct peer *));
-static int crypto_encrypt P((struct exten *, struct value *,
- keyid_t *));
+static int crypto_encrypt P((const u_char *, u_int, keyid_t *,
+ struct value *));
static int crypto_alice P((struct peer *, struct value *));
static int crypto_alice2 P((struct peer *, struct value *));
static int crypto_alice3 P((struct peer *, struct value *));
@@ -446,6 +447,12 @@ crypto_recv(
tstamp = ntohl(ep->tstamp);
fstamp = ntohl(ep->fstamp);
vallen = ntohl(ep->vallen);
+ /*
+ * Bug 2761: I hope this isn't too early...
+ */
+ if ( vallen == 0
+ || len - VALUE_LEN < vallen)
+ return XEVNT_LEN;
}
switch (code) {
@@ -488,7 +495,7 @@ crypto_recv(
break;
if (vallen == 0 || vallen > MAXHOSTNAME ||
- len < VALUE_LEN + vallen) {
+ len - VALUE_LEN < vallen) {
rval = XEVNT_LEN;
break;
}
@@ -1250,7 +1257,8 @@ crypto_xmit(
vallen = ntohl(ep->vallen);
if (vallen == 8) {
strcpy(certname, sys_hostname);
- } else if (vallen == 0 || vallen > MAXHOSTNAME) {
+ } else if (vallen == 0 || vallen > MAXHOSTNAME ||
+ len - VALUE_LEN < vallen) {
rval = XEVNT_LEN;
break;
@@ -1407,7 +1415,10 @@ crypto_xmit(
* anything goes wrong.
*/
case CRYPTO_COOK | CRYPTO_RESP:
- if ((opcode & 0xffff) < VALUE_LEN) {
+ vallen = ntohl(ep->vallen); /* Must be <64k */
+ if ( vallen == 0
+ || (vallen >= MAX_VALLEN)
+ || (opcode & 0x0000ffff) < VALUE_LEN + vallen) {
rval = XEVNT_LEN;
break;
}
@@ -1420,10 +1431,11 @@ crypto_xmit(
}
tcookie = peer->pcookie;
}
- if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) ==
- XEVNT_OK)
+ if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp))
+ == XEVNT_OK) {
len += crypto_send(fp, &vtemp);
- value_free(&vtemp);
+ value_free(&vtemp);
+ }
break;
/*
@@ -1558,10 +1570,15 @@ crypto_verify(
* are rounded up to the next word.
*/
vallen = ntohl(ep->vallen);
+ if ( vallen == 0
+ || vallen > MAX_VALLEN)
+ return (XEVNT_LEN);
i = (vallen + 3) / 4;
siglen = ntohl(ep->pkt[i++]);
- if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) /
- 4) * 4)
+ if ( siglen > MAX_VALLEN
+ || len - VALUE_LEN < ((vallen + 3) / 4) * 4
+ || len - VALUE_LEN - ((vallen + 3) / 4) * 4
+ < ((siglen + 3) / 4) * 4)
return (XEVNT_LEN);
/*
@@ -1627,6 +1644,7 @@ crypto_verify(
* avoid doing the sign exchange.
*/
EVP_VerifyInit(&ctx, peer->digest);
+ /* XXX: the "+ 12" needs to be at least documented... */
EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
return (XEVNT_SIG);
@@ -1641,10 +1659,10 @@ crypto_verify(
/*
- * crypto_encrypt - construct encrypted cookie and signature from
- * extension field and cookie
+ * crypto_encrypt - construct vp (encrypted cookie and signature) from
+ * the public key and cookie.
*
- * Returns
+ * Returns:
* XEVNT_OK success
* XEVNT_PUB bad or missing public key
* XEVNT_CKY bad or missing cookie
@@ -1652,9 +1670,10 @@ crypto_verify(
*/
static int
crypto_encrypt(
- struct exten *ep, /* extension pointer */
- struct value *vp, /* value pointer */
- keyid_t *cookie /* server cookie */
+ const u_char *ptr, /* Public Key */
+ u_int vallen, /* Length of Public Key */
+ keyid_t *cookie, /* server cookie */
+ struct value *vp /* value pointer */
)
{
EVP_PKEY *pkey; /* public key */
@@ -1661,15 +1680,11 @@ crypto_encrypt(
EVP_MD_CTX ctx; /* signature context */
tstamp_t tstamp; /* NTP timestamp */
u_int32 temp32;
- u_int len;
- u_char *ptr;
/*
* Extract the public key from the request.
*/
- len = ntohl(ep->vallen);
- ptr = (u_char *)ep->pkt;
- pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len);
+ pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, vallen);
if (pkey == NULL) {
msyslog(LOG_ERR, "crypto_encrypt %s\n",
ERR_error_string(ERR_get_error(), NULL));
@@ -1683,9 +1698,9 @@ crypto_encrypt(
memset(vp, 0, sizeof(struct value));
vp->tstamp = htonl(tstamp);
vp->fstamp = hostval.tstamp;
- len = EVP_PKEY_size(pkey);
- vp->vallen = htonl(len);
- vp->ptr = emalloc(len);
+ vallen = EVP_PKEY_size(pkey);
+ vp->vallen = htonl(vallen);
+ vp->ptr = emalloc(vallen);
temp32 = htonl(*cookie);
if (!RSA_public_encrypt(4, (u_char *)&temp32, vp->ptr,
pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING)) {
@@ -1705,9 +1720,9 @@ crypto_encrypt(
vp->sig = emalloc(sign_siglen);
EVP_SignInit(&ctx, sign_digest);
EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
- EVP_SignUpdate(&ctx, vp->ptr, len);
- if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
- vp->siglen = htonl(len);
+ EVP_SignUpdate(&ctx, vp->ptr, vallen);
+ if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
+ vp->siglen = htonl(sign_siglen);
return (XEVNT_OK);
}
@@ -1794,6 +1809,9 @@ crypto_ident(
* call in the protocol module.
*
* Returns extension field pointer (no errors).
+ *
+ * XXX: opcode and len should really be 32-bit quantities and
+ * we should make sure that str is not too big.
*/
struct exten *
crypto_args(
@@ -1805,11 +1823,14 @@ crypto_args(
tstamp_t tstamp; /* NTP timestamp */
struct exten *ep; /* extension field pointer */
u_int len; /* extension field length */
+ size_t slen;
tstamp = crypto_time();
len = sizeof(struct exten);
- if (str != NULL)
- len += strlen(str);
+ if (str != NULL) {
+ slen = strlen(str);
+ len += slen;
+ }
ep = emalloc(len);
memset(ep, 0, len);
if (opcode == 0)
@@ -1829,8 +1850,8 @@ crypto_args(
ep->fstamp = hostval.tstamp;
ep->vallen = 0;
if (str != NULL) {
- ep->vallen = htonl(strlen(str));
- memcpy((char *)ep->pkt, str, strlen(str));
+ ep->vallen = htonl(slen);
+ memcpy((char *)ep->pkt, str, slen);
} else {
ep->pkt[0] = peer->associd;
}
@@ -1844,6 +1865,8 @@ crypto_args(
* Returns extension field length. Note: it is not polite to send a
* nonempty signature with zero timestamp or a nonzero timestamp with
* empty signature, but these rules are not enforced here.
+ *
+ * XXX This code won't work on a box with 16-bit ints.
*/
u_int
crypto_send(
@@ -2212,7 +2235,8 @@ crypto_bob(
tstamp_t tstamp; /* NTP timestamp */
BIGNUM *bn, *bk, *r;
u_char *ptr;
- u_int len;
+ u_int len; /* extension field length */
+ u_int vallen = 0; /* value length */
/*
* If the IFF parameters are not valid, something awful
@@ -2227,8 +2251,11 @@ crypto_bob(
/*
* Extract r from the challenge.
*/
- len = ntohl(ep->vallen);
- if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
+ vallen = ntohl(ep->vallen);
+ len = ntohl(ep->opcode) & 0x0000ffff;
+ if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen)
+ return XEVNT_LEN;
+ if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) {
msyslog(LOG_ERR, "crypto_bob %s\n",
ERR_error_string(ERR_get_error(), NULL));
return (XEVNT_ERR);
@@ -2240,7 +2267,7 @@ crypto_bob(
*/
bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
sdsa = DSA_SIG_new();
- BN_rand(bk, len * 8, -1, 1); /* k */
+ BN_rand(bk, vallen * 8, -1, 1); /* k */
BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
BN_add(bn, bn, bk);
BN_mod(bn, bn, dsa->q, bctx); /* k + b r mod q */
@@ -2254,19 +2281,25 @@ crypto_bob(
/*
* Encode the values in ASN.1 and sign.
*/
- tstamp = crypto_time();
- memset(vp, 0, sizeof(struct value));
- vp->tstamp = htonl(tstamp);
- vp->fstamp = htonl(if_fstamp);
- len = i2d_DSA_SIG(sdsa, NULL);
- if (len <= 0) {
+ vallen = i2d_DSA_SIG(sdsa, NULL);
+ if (vallen == 0) {
msyslog(LOG_ERR, "crypto_bob %s\n",
ERR_error_string(ERR_get_error(), NULL));
DSA_SIG_free(sdsa);
return (XEVNT_ERR);
}
- vp->vallen = htonl(len);
- ptr = emalloc(len);
+ if (vallen > MAX_VALLEN) {
+ msyslog(LOG_ERR, "crypto_bob: signature is too big: %d",
+ vallen);
+ DSA_SIG_free(sdsa);
+ return (XEVNT_LEN);
+ }
+ memset(vp, 0, sizeof(struct value));
+ tstamp = crypto_time();
+ vp->tstamp = htonl(tstamp);
+ vp->fstamp = htonl(if_fstamp);
+ vp->vallen = htonl(vallen);
+ ptr = emalloc(vallen);
vp->ptr = ptr;
i2d_DSA_SIG(sdsa, &ptr);
DSA_SIG_free(sdsa);
@@ -2277,11 +2310,12 @@ crypto_bob(
if (tstamp < cinfo->first || tstamp > cinfo->last)
return (XEVNT_PER);
+ /* XXX: more validation to make sure the sign fits... */
vp->sig = emalloc(sign_siglen);
EVP_SignInit(&ctx, sign_digest);
EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
- EVP_SignUpdate(&ctx, vp->ptr, len);
- if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
+ EVP_SignUpdate(&ctx, vp->ptr, vallen);
+ if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
vp->siglen = htonl(len);
return (XEVNT_OK);
}
Index: contrib/ntp/ntpd/ntp_proto.c
===================================================================
--- contrib/ntp/ntpd/ntp_proto.c (revision 280717)
+++ contrib/ntp/ntpd/ntp_proto.c (working copy)
@@ -459,7 +459,7 @@ receive(
while (has_mac > 0) {
int temp;
- if (has_mac % 4 != 0 || has_mac < 0) {
+ if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) {
sys_badlength++;
return; /* bad MAC length */
}
@@ -483,6 +483,13 @@ receive(
return; /* bad MAC length */
}
}
+ /*
+ * If has_mac is < 0 we had a malformed packet.
+ */
+ if (has_mac < 0) {
+ sys_badlength++;
+ return; /* bad length */
+ }
#ifdef OPENSSL
pkeyid = tkeyid = 0;
#endif /* OPENSSL */
@@ -942,12 +949,9 @@ receive(
}
/*
- * Update the origin and destination timestamps. If
- * unsynchronized or bogus abandon ship. If the crypto machine
+ * If unsynchronized or bogus abandon ship. If the crypto machine
* breaks, light the crypto bit and plaint the log.
*/
- peer->org = p_xmt;
- peer->rec = rbufp->recv_time;
if (peer->flash & PKT_TEST_MASK) {
#ifdef OPENSSL
if (crypto_flags && (peer->flags & FLAG_SKEY)) {
@@ -978,10 +982,11 @@ receive(
* versions. If symmetric modes, return a crypto-NAK. The peer
* should restart the protocol.
*/
- } else if (!AUTH(peer->keyid || (restrict_mask & RES_DONTTRUST),
- is_authentic)) {
+ } else if (!AUTH(peer->keyid || has_mac ||
+ (restrict_mask & RES_DONTTRUST), is_authentic)) {
peer->flash |= TEST5;
- if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
+ if (has_mac &&
+ (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
return; /* bad auth */
}
@@ -989,7 +994,12 @@ receive(
/*
* That was hard and I am sweaty, but the packet is squeaky
* clean. Get on with real work.
+ *
+ * Update the origin and destination timestamps.
*/
+ peer->org = p_xmt;
+ peer->rec = rbufp->recv_time;
+
peer->received++;
peer->timereceived = current_time;
if (is_authentic == AUTH_OK)

17
share/security/patches/SA-15:07/ntp.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAABCgAGBQJVJD4SAAoJEO1n7NZdz2rnXCUQAJAxDCUySWaZ/XvdHiIXfMfa
fcB4oEVQBUuMjmE/hC5CzA/t98M4VM2TtV2oWp53CKhIGsBlte64y3t8a7r2nyBt
17x7P6FtV1q6yRS5DPYl/JZV/mbO4cPGto3f8MXOYraNl7MPvZFJcXXEZPXOQDrz
2Ek4wasnnuCruTjtwSWoXWgC5dqQch97dQG639EyhUtOQ1a/pS334lbBw8wDGAnA
ITsQuEGGqwFBJ2NIVwxW0rHFfz4mSk67OHru0mrnza37TQM8HnYhxvL8nrZNhGcC
FhDjWAWDs4VlqrBIuiRC/dTgA6H6PvF3LDAxQ+ODSB5RiGs9g4TvcxF0XJp0EIp4
9Kh0rC9wY4nO/q+DBz4nOJXMwJi7rUH2Y7dPSoKsWtgXIuyuefrACD9C2WwZ8EKA
GWSuF4YidBOadl2x6kJGiIrjFhdrgRENVL4Nj5oVy1JztSBdb+qJMn3GSgpC1C00
7tsvOJmjQgzgRuMnUo/IA++6P8Gj4G3M99K7yN4NcYJOQm1h9opEx7XKZ9W4hnrK
qK9rxeXNzGhXi7/sfHER6AQIRgUliqUyl30RBcy6XuNwX5+2e2SwenAUb5Uu1HkX
oTWWjm47BeG+sjGzM1QXGcukQFH8YFYaZmhSTk3O1ZoKFpMvzhqZEg9CJqfSOCKC
PbrCxYouiyHPXLAIV+OZ
=1bd7
-----END PGP SIGNATURE-----

14
share/security/patches/SA-15:08/bsdinstall.patch Normal file
View file

@ -0,0 +1,14 @@
Index: usr.sbin/bsdinstall/scripts/zfsboot
===================================================================
--- usr.sbin/bsdinstall/scripts/zfsboot (revision 280920)
+++ usr.sbin/bsdinstall/scripts/zfsboot (working copy)
@@ -1137,6 +1137,9 @@ zfs_create_boot()
f_eval_catch $funcname dd "$DD_WITH_OPTIONS" \
/dev/random "$bootpool/$zroot_key" \
"bs=4096 count=1" || return $FAILURE
+ f_eval_catch $funcname chmod "$CHMOD_MODE" \
+ go-wrx "$bootpool/$zroot_key" ||
+ return $FAILURE
else
# Clean up
f_eval_catch $funcname zfs "$ZFS_UNMOUNT" \

17
share/security/patches/SA-15:08/bsdinstall.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAABCgAGBQJVJD4SAAoJEO1n7NZdz2rnC4MP/RPAtT+h695D7Xi8Gs3GUbSh
Ied253cwSMMIH0eVYbUu/NgJpvjulHl4KGJj6hxgvieeBIbE6Vm4o/2EJCqRTsj2
dv3ERJQkBYRkuuEQblR8wBFT0EeIcveWPrlKE0btNga0Frj9WuLGFQvNZgwCfRBN
Yn72ST/blhsPpp/kdBy7T5YDZRQYQaLMFJ4Onz1JnpxOjyEEOTHax9B1bX1S01+H
Y/8Xqi7dTK6IN7+XM/IuSHSVB7S56Zij/LHvkB4WNotwFVSvFDZ47E4NBKSJRU9B
35zvDxtt9TV0B9hOk59jUJwUU4WMbe8rXzKnhHJV8ARJ+I1Jx1lAGZuchzcvoiyj
qA5Ynb2MT3htxGDQ0Jns0XTjz/w0qV79NwB4IvLirs4S8qtCzpqKB5Iq8KQT/THZ
SM4L8zRdWVhJREPyl3P3f5jd/XWiXCHCfrzn6RtLxzxU1u9LC3y7TSghNs6nUf96
A6+o82EUIEQPpIT9y51z98Zho0i9LK9fBgawnZHQ1bMRh+Nh3pmtFK8hEqtwpNNK
pCceLtl9YphaJmq0eSGlZRkIMpdeJWqV8UBiDcqf2SGwE50/kjPJ2rxQlzc024EF
2RxEg7JVOwB2LaNAnaVG0QKmi1ElyX1azIv/hR2zqggyV1BPef8zB6pHXUiehMzd
yCxpUpS93C5k0/GeuXRE
=FP3O
-----END PGP SIGNATURE-----

23
share/security/patches/SA-15:09/ipv6.patch Normal file
View file

@ -0,0 +1,23 @@
Index: sys/netinet6/nd6_rtr.c
===================================================================
--- sys/netinet6/nd6_rtr.c (revision 280920)
+++ sys/netinet6/nd6_rtr.c (working copy)
@@ -296,8 +296,16 @@ nd6_ra_input(struct mbuf *m, int off, int icmp6len
}
if (nd_ra->nd_ra_retransmit)
ndi->retrans = ntohl(nd_ra->nd_ra_retransmit);
- if (nd_ra->nd_ra_curhoplimit)
- ndi->chlim = nd_ra->nd_ra_curhoplimit;
+ if (nd_ra->nd_ra_curhoplimit) {
+ if (ndi->chlim < nd_ra->nd_ra_curhoplimit)
+ ndi->chlim = nd_ra->nd_ra_curhoplimit;
+ else if (ndi->chlim != nd_ra->nd_ra_curhoplimit) {
+ log(LOG_ERR, "RA with a lower CurHopLimit sent from "
+ "%s on %s (current = %d, received = %d). "
+ "Ignored.\n", ip6_sprintf(ip6bufs, &ip6->ip6_src),
+ if_name(ifp), ndi->chlim, nd_ra->nd_ra_curhoplimit);
+ }
+ }
dr = defrtrlist_update(&dr0);
}

17
share/security/patches/SA-15:09/ipv6.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)
iQIcBAABCgAGBQJVJD4SAAoJEO1n7NZdz2rn1O4QAKXDrEAuvYLgCP81UX0JxXH1
0lt0QXnOTKW1WtyQkVK2cJjDO12wksoHbeROjOWKZnuSYqCHjhkBjhvIPn8Crs7X
lYMNlPfBsYKzIgDGBvh1AAveWvo/6yZWoaQ4wucDrkqZhP3IYabP3fIiRJsnxykq
XPgmtntg2xq91plIPtcrQyf/OHLRx99Gpz6mm/KIhZu5v70Z7xwqMUyZ3a+YXm3N
ZPH75E2n/opLC+Ju7LP9jvH+2Jo07fAmZMzxSWiIDa/BFrcfF3QArgk7r/2z7nb2
Y2vmYkrKilKgvaYsFm5tx26QCSuVcqUsBm3B8Ren9cAw/PYxF2bAlA5AU1UIqHSS
dhdngXMh7lTva3Psx44hE71Iuj4bkK/CaNlI9MLwFqqpMEKC7KoYvuI/UlJEm+uw
0SF2UpHSEjykTn1a4dczc1ESShBg3Hea0hVcLkNW+fSrXjlv6Bq/Js1omK9w1Z9m
D7yG/b8LgCGjVEIO36OwsXeOZmnK4lemf3D4AvfvtYY76BoyDaHjYS9Uv71scYHg
OkE95dZqmcYYp+KMeeFKblJihExGn+cs4/N7xviBgqxgts8ArHWqfoZR0xwsV0WY
Npki/cBVegb10YR1l+KbVvhbTd5acNWZFVw1xjReXz0xYKBmj+2+g1ub2G4GS7Tt
slndiaYEEnJsulh0q3ut
=BTId
-----END PGP SIGNATURE-----

20
share/xml/advisories.xml
View file

@ -7,6 +7,26 @@
<year> <year>
<name>2015</name> <name>2015</name>
<month>
<name>4</name>
<day>
<name>7</name>
<advisory>
<name>FreeBSD-SA-15:09.ipv6</name>
</advisory>
<advisory>
<name>FreeBSD-SA-15:08.bsdinstall</name>
</advisory>
<advisory>
<name>FreeBSD-SA-15:07.ntp</name>
</advisory>
</day>
</month>
<month> <month>
<name>3</name> <name>3</name>