os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add SA-16:27-31.

Browse source
This commit is contained in:
Xin LI 2016-10-10 07:38:23 +00:00
parent c5eba003d3
commit 99ea0d28e6
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=49477
22 changed files with 9336 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

132
share/security/advisories/FreeBSD-SA-16:27.openssl.asc Normal file
View file

@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:27.openssl Security Advisory
The FreeBSD Project
Topic: Regression in OpenSSL suite
Category: contrib
Module: openssl
Announced: 2016-10-10
Credits: OpenSSL Project
Affects: All supported versions of FreeBSD.
Corrected: 2016-09-26 14:30:19 UTC (stable/11, 11.0-STABLE)
2016-09-26 20:26:19 UTC (releng/11.0, 11.0-RELEASE-p1)
CVE Name: CVE-2016-7052
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
The OpenSSL version included in FreeBSD 11.0-RELEASE is 1.0.2i. The version
has bug fix for CVE-2016-7052, which should have included CRL sanity check,
but the check was omitted.
III. Impact
Any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer
exception.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart all daemons that use the library, or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all daemons that use the library, or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:27/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-16:27/openssl.patch.asc
# gpg --verify openssl.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r306343
releng/11.0/ r306354
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.openssl.org/news/secadv/20160926.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:27.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OlAAoJEO1n7NZdz2rnEPYQAOewieypFMknEi5Q02IBVhcC
Bs1sczFLXaSz+4c9lNRi+m6Q5TXbW0MM9ZhZDnoLOXZ9OZ7DsQ0OVJcmWPHCSTkT
WAlZgiB5B2xtZpLUNi0XAVPyegh+YxWCKa5mq/e4gC7BL+QhtTQqIlzsNylBDcI0
2Tp5fPfO3vIJlSwPpsUA2peYlm2c75/dusE0+bvWnqickWbEmFdCAd8rzTLrsm9R
w5essD2o6BzFPA9j+3X/LNaMI6ZKKa4EkaXXB42KHruDfNTV8dmYL/LLxWs6aj1f
Li++71GPh3aZZCA5SCo6NYdI25kg4xORZzqUmYzT856kdmpaemLd8oVT8/ojOCTX
CoNtA9yVphhYgfSGLy2BIs0u7U3H16SVjZ1oC5MjTAY6kUsEDt6x2vlKOt5452yN
3v2fHf9I8/ibgo4d4ovpGGzvrj/8EfodmDLhjYP5RcwZH4FW1jCUzXTflsYmPWMi
8+COC+K19MNIXR0M8ajs2M8z2ILc3pOUZ1sdrNhU1jEIyYCl8EDMEU0Bc13XlUKS
UE92RKfxIAMh+Zyu44++8UizfOorBVKhQVd+9NthMnfXW6xlnwujjbabam8k2E5V
Za4sBQ57JvL9aKrsbmB/hhVnxXE6jYqtp7tagXK+wwULO1SarpRp7HENd50ggH5l
yu2DM4rkIcwzTaJEdvyT
=5rNc
-----END PGP SIGNATURE-----

138
share/security/advisories/FreeBSD-SA-16:28.bind.asc Normal file
View file

@ -0,0 +1,138 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:28.bind Security Advisory
The FreeBSD Project
Topic: BIND remote Denial of Service vulnerability
Category: contrib
Module: bind
Announced: 2016-10-10
Credits: ISC
Affects: FreeBSD 9.x
Corrected: 2016-09-28 06:11:01 UTC (stable/9, 9.3-STABLE)
2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)
CVE Name: CVE-2016-2776
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
Testing by ISC has uncovered a critical error condition which can occur when
a nameserver is constructing a response. A defect in the rendering of
messages into packets can cause named to exit with an assertion failure in
buffer.c while constructing a response to a query that meets certain
criteria.
This assertion can be triggered even if the apparent source address is not
allowed to make queries (i.e. doesn't match 'allow-query'). [CVE-2016-2776]
III. Impact
A remote attacker who can send queries to a server running BIND can cause
the server to crash, resulting in a Denial of Service condition.
IV. Workaround
No workaround is available, but hosts not running named(8) are not
vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The named service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The named service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:28/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:28/bind.patch.asc
# gpg --verify bind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the named service, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r306394
releng/9.3/ r306942
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://kb.isc.org/article/AA-01419>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:28.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OlAAoJEO1n7NZdz2rnt/cQAJJ/P9/cNH4mB3Oq9kks1TJI
thye1Bmd6BAS16UYj+S2POSkrwkTJLhg/Rtch/4O1TUJ7q86Dko/0nciF/4Qin/J
LrNhX2TUUTpQygfWdzTqdk9EiHLKT46sNh1Two4Lb9gMuBulES9Fy40gj8y81ypv
uys05i6DMAlY/EsmidTHFKUGGC9160XLS7wFWnlw9XglDHn2+pIDALHl77mmoXwR
VKiCbGO6IybDV5bATh12eflCSb+IJRT0MMOwJAt3Nhzp//7t2tf+izazzfs43IH4
HRkiDfkkxqAMus6h0Dm4xR91oe/oSzlEedKFM3ctHfQqyIi+AP0FKixf8pS72n7o
M0W5vIbkMSuTsiOTzyQUJpQ3tExvWeZjhNZj9U5trs2YNdPCRaM3pETUdF6GZmNC
tnPiTZFst3ARsy/4oJg8Eeo/cyrd/sfPm4fXCbXkakL7ml/Mu+/KEyq5qw43FIXn
96/btRfHsPSpy74KRtLsqSM29eCK9puGhJIk1iBtuhuTvze/48Od7U5zWOjn8XiS
o4oOyCtm3nQfB8VIzfypFAIUFFOqfHmsfP3s51J9tUXjxvORO3UWD3/R2wXLre2Y
Z5+s7IUhesunZztGtaUFCqG28KCrzmSiIVXGRd/IsQCuTJ4DNiUFZofKYdI0B7fE
hrSETFwDg/OYusZ5/96D
=v9vM
-----END PGP SIGNATURE-----

146
share/security/advisories/FreeBSD-SA-16:29.bspatch.asc Normal file
View file

@ -0,0 +1,146 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:29.bspatch Security Advisory
The FreeBSD Project
Topic: Heap overflow vulnerability in bspatch
Category: core
Module: bsdiff
Announced: 2016-10-10
Affects: All supported versions of FreeBSD.
2016-09-22 21:05:21 UTC (stable/11, 11.0-STABLE)
2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1)
2016-09-22 21:16:54 UTC (stable/10, 10.3-STABLE)
2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
2016-09-23 01:52:06 UTC (stable/9, 9.3-STABLE)
2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The bspatch utility generates newfile from oldfile and patchfile where
patchfile is a binary patch built by bsdiff(1).
II. Problem Description
The implementation of bspatch is susceptible to integer overflows with
carefully crafted input, potentially allowing an attacker who can control
the patch file to write at arbitrary locations in the heap. This issue
was partially addressed in FreeBSD-SA-16:25.bspatch, but some possible
integer overflows remained.
III. Impact
An attacker who can control the patch file can cause a crash or run arbitrary
code under the credentials of the user who runs bspatch, in many cases, root.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No reboot is needed.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.
Because this vulnerability exists in bspatch, a component used by
freebsd-update, a special procedure must be followed to safely update.
First, truncate bspatch to a zero byte file:
# :> /usr/bin/bspatch
FreeBSD-update will fall back to replacing bspatch, rather than applying
a binary patch. Proceed with FreeBSD-update as usual:
# freebsd-update fetch
# freebsd-update install
No reboot is needed.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:29/bspatch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:29/bspatch.patch.asc
# gpg --verify bspatch.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r306222
releng/9.3/ r306942
stable/10/ r306215
releng/10.1/ r306941
releng/10.2/ r306941
releng/10.3/ r306941
stable/11/ r306213
releng/11.0/ r306379
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:29.bspatch.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OmAAoJEO1n7NZdz2rnMHQQALyzQ6rIFLMV+qfIKr/dxUmv
frrY3rE8GbHNI6UYnlB7T97SZBVG2lOGpUO7sGNzsqAol+aBEn44mX88ijCQk+mc
pIHcbwACkAG6u5c6nyelHAa3ZLc8PkPbNaryjfc9Y0vZxGFKI5ETpdN1nFxUBKRA
eGt4h4GW3ZxHTkc3DDogDM6kBds3DYAnQjnqvkH6QesM/cMIdnU2NMjIrYDdtcsJ
Mp92PqRl8/qCZxcpfoHSl3S190Dmu9KNjEwXdk8gvtr7aTe/OG9fcIOAwIJHMi/n
E3tojTrSGLl0v9yuznG8rU0Hr6VyFNRv9i5QhPEQF4ZQ0HT2/naV0v/THMB1JdeR
8rszvO8HIdYkKEYPEp4RZ+QWJX36xK0ZOA0BSF3+OW6VYMIEB+iMvK1xAlGWmyJq
D6f5AQuw559o4MNZ9gh1tXl+PXjYHvwSOrHb1EZ7mDZ3zVarn8TwUjxaE2ILIhjW
wS+wqbxZt1eENfKbhLHxSavIE+Bi59ab/iymmOFtFdgDDDpQhzx13MUFM17v270g
1OCXnx7HLMIr5ibndJBQbjPmZT0InMM9856Hij8UhcFjyFpytCJie7sVcDFG9nNp
z3VXrSIdEIA5MwaD6MYGW8nUfBwQnD/rSh6t2Tt4qz24FPk9K9pbzpb8CDIOImiF
GnLZXJQlgmJ55XOa0EgR
=uRNW
-----END PGP SIGNATURE-----

149
share/security/advisories/FreeBSD-SA-16:30.portsnap.asc Normal file
View file

@ -0,0 +1,149 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:30.portsnap Security Advisory
The FreeBSD Project
Topic: Multiple portsnap vulnerabilities
Category: core
Module: portsnap
Announced: 2016-10-10
Affects: All supported versions of FreeBSD.
Corrected: 2016-09-28 21:33:35 UTC (stable/11, 11.0-STABLE)
2016-09-28 22:04:07 UTC (releng/11.0, 11.0-RELEASE-p1)
2016-10-05 00:33:06 UTC (stable/10, 10.3-STABLE)
2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
2016-10-05 01:01:10 UTC (stable/9, 9.3-STABLE)
2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The portsnap utility is used to fetch and update compressed snapshots of
the FreeBSD ports tree. Portsnap fetches snapshots and updates over http,
and then cryptographically verifies the downloaded files.
II. Problem Description
Flaws in portsnap's verification of downloaded tar files allows additional
files to be included without causing the verification to fail. Portsnap may
then use or execute these files.
III. Impact
An attacker who can conduct man in the middle attack on the network at the
time when portsnap is run can cause portsnap to execute arbitrary commands
under the credentials of the user who runs portsnap, typically root.
IV. Workaround
The ports tree may be obtained by methods other than portsnap, as
described in the FreeBSD handbook.
V. Solution
portsnap has been modified to explicitly validate compressed files within
the tar file by full name, rather than relying on gunzip's filename search
logic. portsnap now verifies that snapshots contain only the expected files.
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No reboot is needed.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.
This advisory is released concurrently with FreeBSD-SA-16:29.bspatch
which contains special instructions for using freebsd-update. Following
the instructions in that advisory will safely apply updates for
FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and
FreeBSD-SA-16:31.libarchive.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-10.patch.asc
# gpg --verify portsnap-10.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-9.3.patch.asc
# gpg --verify portsnap-9.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r306701
releng/9.3/ r306942
stable/10/ r306697
releng/10.1/ r306941
releng/10.2/ r306941
releng/10.3/ r306941
stable/11/ r306418
releng/11.0/ r306419
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:30.portsnap.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OqAAoJEO1n7NZdz2rns54P/3N6V4ZGWZ8jXDSw7KPRhF16
gUs2AQx+rL+o5rOVsMZ6DulVtFP+AzUvEsLIJeARdaOJar9St1cQVTZHa+8CtWr5
aCSgx5r39srcvvMuQ34z0yss7eEkHRubzkIzrjHcD6MweFg4tAIufXHgxmhNVuKp
QOQCwUbWIp8MssNbd/nYr1fpNoEvhkuzEv+EsvU+gTXeYNbHDS8zN/XC1a4167Q9
flFCqVn45ZpYR+2ifeLv0s+Rj4MQdnaCUYPpt1JoY5pIr/1GbNuywam9YgUQJZ7o
gbY+S9Un0aByEOmPgD2e6qb8qhQFtaJgAbhB51dsI/qpZUljQKERmV1vd78drqWB
1gss/MFe5oyxZ5IbmHLBabIcKvvtH72gSaD8Zp973TbD72usjC/ZfdkukNBlWkbm
M4PFTK+VQA1y5c8R2RduVoz3ioaBtRisxqqGOi0i3AUgiWx6IeP9jkIana28dGtJ
Mkm4ZiWBj12lT5B+gafpy7+bLkbYl2sEFYIt+YUlJ1GqAumyDnnmYt5rDhZwMLFo
7ywCpCwtoBc49sCV7szV4MdFw0Zmo8tT0uiWBehferN1SHygKVNGnXIj+NotRXx0
mp0j7pgK4AcML2y7pJLEUwyWUKE5tBkPKmHg+4ELhqPb0mjm+A+KHX/8vXxlPpRJ
2yVhfIubEhECQJeJKAqm
=y+kG
-----END PGP SIGNATURE-----

136
share/security/advisories/FreeBSD-SA-16:31.libarchive.asc Normal file
View file

@ -0,0 +1,136 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:31.libarchive Security Advisory
The FreeBSD Project
Topic: Multiple libarchive vulnerabilities
Category: core
Module: portsnap
Announced: 2016-10-05
Affects: All supported versions of FreeBSD.
Corrected: 2016-09-25 22:02:27 UTC (stable/11, 11.0-STABLE)
2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1)
2016-09-25 22:04:02 UTC (stable/10, 10.3-STABLE)
2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The libarchive(3) library provides a flexible interface for reading and
writing streaming archive files such as tar(1) and cpio(1), and has been the
basis for the FreeBSD implementation of the tar(1) and cpio(1) utilities
since FreeBSD 5.3.
II. Problem Description
Flaws in libarchive's handling of symlinks and hard links allow overwriting
files outside the extraction directory, or permission changes to a directory
outside the extraction directory.
III. Impact
An attacker who can control freebsd-update's or portsnap's input to tar can
change file content or permisssions on files outside of the update tool's
working sandbox.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No reboot is needed.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.
This advisory is released concurrently with FreeBSD-SA-16:29.bspatch
which contains special instructions for using freebsd-update. Following
the instructions in that advisory will safely apply updates for
FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and
FreeBSD-SA-16:31.libarchive.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch
# fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch.asc
# gpg --verify libarchive.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r306322
releng/10.1/ r306941
releng/10.2/ r306941
releng/10.3/ r306941
stable/11/ r306321
releng/11.0/ r306379
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f>
<URL:https://github.com/libarchive/libarchive/issues/743>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:31.libarchive.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OrAAoJEO1n7NZdz2rnkaAP/i5Njok8Lg3ogwRGVo/HVQfA
AzRz2oQ5oAuwZhmpkQ3CzHArRsaTGuKK5C1SNJpmEDuq5XM2u5Td2ph/R5ry0fwF
7B58Ci+o7ngRWtJ/N8dYk3cXfg0sjPZKDO1otIyfh8HF3UAq5uB3/w/8UFOpqcxQ
guMKahd/r9PnfrD8GtS+t/2V+KHInNH0J4YD/+hoqcdZPzMKtlE5D5OjqOov9rVn
myQwAuN+w2buPj2gXSuubq5wTNFOvj8u06mVpRj+0X0VoybdN5cohuqSx7s4vlw+
/qV7gT2993aijXp43dGGSUeuGl1ZbrKp233vntkIYrsjJzaw56YMHL3ushopGGhj
OfC/ilXmsUjrlHgCrWpMiTuN7cdWDXrpMnaf4c99yMxdYUuRtbbnVthdOpZB8iOt
7xeVnvHiYTYbQu+4xy4SPOWqPLOnrbwVqIocXU1QjWJice5A3EU/mSAd2IpX04a2
prdlaGxBNZlziLgzsZoiER+5u0S3owbx7y2SVhMEslHyrRQ92X7SZjfu4NrvlX5k
Dw6xjpHD51pshj4GXTPuznbCyd8246u1fRnH3fnlNLhz5/XhrYbG+OVQ9WDbnX2C
6SzS/oOcjA9qcq1+Ghmz6G7S2MuWZ0XcKfzV0ygX2RZEhU1p0rZfsF/2cGrKIGY1
JguXI1tZdrjfSZisAI+l
=vqSJ
-----END PGP SIGNATURE-----