Add EN-20:07, SA-20:10, and SA-20:11.

Approved by:	so
Gordon Tetlow 2020-04-21 16:29:32 +00:00
parent 0437235d02
commit 9b4c8884f1
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=54065
13 changed files with 798 additions and 0 deletions

@ -0,0 +1,133 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:07.quotad Errata Notice
The FreeBSD Project
Topic: Regression in rpc.rquotad with certain NFS servers
Category: core
Module: rpc.quotad
Announced: 2020-04-21
Affects: All supported versions of FreeBSD
Corrected: 2019-09-21 14:03:41 UTC (stable/12, 12.1-STABLE)
2020-04-21 15:50:57 UTC (releng/12.1, 12.1-RELEASE-p4)
2019-09-21 14:06:16 UTC (stable/11, 11.3-STABLE)
2020-04-21 15:50:57 UTC (releng/11.3, 11.3-RELEASE-p8)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The Network File System (NFS) allows a system to share directories and files
with others over a network. By using this, users and programs can access
files on remote systems almost as if they were local files.
The rpc.rquotad utility is an rpc(3) server which returns quotas for a user
of a local file system which is NFS-mounted onto a remote machine.
II. Problem Description
A change in rpc.rquotad made it send RQUOTA v2 requests instead of RQUOTA v1
requests. Some vendors would send RPC_PROGNOTREGISTERED ("Program Not
Registered") response instead of the desired RPC_PROGVERSMISMATCH ("Program
Version Mismatch") response, preventing the mechanism from working.
III. Impact
The quota(8) command will not be able obtain quota information for some NFS
server vendors.
IV. Workaround
No workaround is available. Systems not using quotas on NFS mounted file
systems are unaffected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:07/quotad.patch
# fetch https://security.FreeBSD.org/patches/EN-20:07/quotad.patch.asc
# gpg --verify quotad.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r352575
releng/12.1/ r360148
stable/11/ r352576
releng/11.3/ r360148
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=NNNNNN>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:07.quotad.asc>
-----BEGIN PGP SIGNATURE-----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=mFhE
-----END PGP SIGNATURE-----
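Review bot: section VII of the notice still carries the template placeholder `<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=NNNNNN>` instead of a real bug number; fill it in or drop the line, then re-sign. The header says `Module: rpc.quotad` while the topic and background name rpc.rquotad, and section II describes rpc.rquotad as the side sending RQUOTA v2 requests although the patch in this commit touches usr.bin/quota/quota.c, so the text should name the component that actually regressed. Section III reads "will not be able obtain" and is missing "to".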

@ -0,0 +1,141 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:10.ipfw Security Advisory
The FreeBSD Project
Topic: ipfw invalid mbuf handling
Category: core
Module: kernel
Announced: 2020-04-21
Credits: Maxime Villard
All supported versions of FreeBSD.
Corrected: 2019-12-23 10:02:55 UTC (stable/12, 12.1-STABLE)
2020-04-21 15:52:22 UTC (releng/12.1, 12.1-RELEASE-p4)
2019-12-23 10:06:32 UTC (stable/11, 11.3-STABLE)
2020-04-21 15:52:22 UTC (releng/11.3, 11.3-RELEASE-p8)
CVE Name: CVE-2019-5614, CVE-2019-15874
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ipfw system facility allows filtering, redirecting, and other operations
on IP packets travelling through network interfaces.
II. Problem Description
Incomplete packet data validation may result in accessing out-of-bounds
memory (CVE-2019-5614) or may access memory after it has been freed
(CVE-2019-15874).
III. Impact
Access to out of bounds or freed mbuf data can lead to a kernel panic or
other unpredictable results.
IV. Workaround
No workaround is available. Systems not using the ipfw firewall are
not vulnerable.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.11.patch.asc
# gpg --verify ipfw.11.patch.asc
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.12.patch.asc
# gpg --verify ipfw.12.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r356035
releng/12.1/ r360149
stable/11/ r356036
releng/11.3/ r360149
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<other info on vulnerability>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5614>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15874>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:10.ipfw.asc>
-----BEGIN PGP SIGNATURE-----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=p+5n
-----END PGP SIGNATURE-----
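Review bot: the header line `All supported versions of FreeBSD.` has lost its `Affects:` label, and section VII still contains the template line `<other info on vulnerability>`. Both are visible in the signed text, so they need correcting and the advisory re-signing rather than a follow-up edit to the body alone.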

@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:11.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL remote denial of service vulnerability
Category: contrib
Module: openssl
Announced: 2020-04-21
Credits: Bernd Edlinger
Affects: FreeBSD 12.1
Corrected: 2020-04-21 15:47:58 UTC (stable/12, 12.1-STABLE)
2020-04-21 15:53:08 UTC (releng/12.1, 12.1-RELEASE-p4)
CVE Name: CVE-2020-1967
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) protocols. It is also a full-strength general purpose
cryptography library.
II. Problem Description
Server or client applications that call the SSL_check_chain() function during
or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS
extension. The crash occurs if an invalid or unrecognized signature
algorithm is received from the peer.
III. Impact
A malicious peer could exploit the NULL pointer dereference crash, causing a
denial of service attack.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:11/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-20:11/openssl.patch.asc
# gpg --verify openssl.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r360147
releng/12.1/ r360150
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.openssl.org/news/secadv/20200421.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc>
-----BEGIN PGP SIGNATURE-----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=231J
-----END PGP SIGNATURE-----

@ -0,0 +1,11 @@
--- usr.bin/quota/quota.c.orig
+++ usr.bin/quota/quota.c
@@ -606,7 +606,7 @@
call_stat = callaurpc(host, RQUOTAPROG, EXT_RQUOTAVERS,
RQUOTAPROC_GETQUOTA, (xdrproc_t)xdr_ext_getquota_args, (char *)&gq_args,
(xdrproc_t)xdr_getquota_rslt, (char *)&gq_rslt);
- if (call_stat == RPC_PROGVERSMISMATCH) {
+ if (call_stat == RPC_PROGVERSMISMATCH || call_stat == RPC_PROGNOTREGISTERED) {
if (quotatype == USRQUOTA) {
old_gq_args.gqa_pathp = cp + 1;
old_gq_args.gqa_uid = id;
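Review bot: the widened test `call_stat == RPC_PROGVERSMISMATCH || call_stat == RPC_PROGNOTREGISTERED` needs a comment explaining why a "program not registered" reply triggers the v1 fallback (per the notice, some servers answer an unsupported version that way); without it the second clause reads as a mistake. A server that really lacks the rquota program now costs a second RPC before the failure is reported, which is acceptable but worth stating in that comment. The new line is also long enough that it should be wrapped after `||`.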

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=9zFb
-----END PGP SIGNATURE-----

@ -0,0 +1,136 @@
--- sys/netpfil/ipfw/ip_fw2.c.orig
+++ sys/netpfil/ipfw/ip_fw2.c
@@ -328,50 +328,71 @@
return (flags_match(cmd, bits));
}
+/*
+ * Parse TCP options. The logic copied from tcp_dooptions().
+ */
static int
-tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd)
+tcpopts_parse(const struct tcphdr *tcp, uint16_t *mss)
{
+ const u_char *cp = (const u_char *)(tcp + 1);
int optlen, bits = 0;
- u_char *cp = (u_char *)(tcp + 1);
- int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
+ int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr);
- for (; x > 0; x -= optlen, cp += optlen) {
+ for (; cnt > 0; cnt -= optlen, cp += optlen) {
int opt = cp[0];
if (opt == TCPOPT_EOL)
break;
if (opt == TCPOPT_NOP)
optlen = 1;
else {
+ if (cnt < 2)
+ break;
optlen = cp[1];
- if (optlen <= 0)
+ if (optlen < 2 || optlen > cnt)
break;
}
switch (opt) {
-
default:
break;
case TCPOPT_MAXSEG:
+ if (optlen != TCPOLEN_MAXSEG)
+ break;
bits |= IP_FW_TCPOPT_MSS;
+ if (mss != NULL)
+ *mss = be16dec(cp + 2);
break;
case TCPOPT_WINDOW:
- bits |= IP_FW_TCPOPT_WINDOW;
+ if (optlen == TCPOLEN_WINDOW)
+ bits |= IP_FW_TCPOPT_WINDOW;
break;
case TCPOPT_SACK_PERMITTED:
+ if (optlen == TCPOLEN_SACK_PERMITTED)
+ bits |= IP_FW_TCPOPT_SACK;
+ break;
+
case TCPOPT_SACK:
- bits |= IP_FW_TCPOPT_SACK;
+ if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0)
+ bits |= IP_FW_TCPOPT_SACK;
break;
case TCPOPT_TIMESTAMP:
- bits |= IP_FW_TCPOPT_TS;
+ if (optlen == TCPOLEN_TIMESTAMP)
+ bits |= IP_FW_TCPOPT_TS;
break;
-
}
}
- return (flags_match(cmd, bits));
+ return (bits);
+}
+
+static int
+tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd)
+{
+
+ return (flags_match(cmd, tcpopts_parse(tcp, NULL)));
}
static int
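Review bot: in tcpopts_parse() a known option with an unexpected length (for example `optlen != TCPOLEN_MAXSEG`, or a window option whose length is not TCPOLEN_WINDOW) is now treated as absent, so a rule that negates that option will match a packet carrying a malformed copy of it. State this in the function comment so rule authors and later maintainers know it is intended. The only caller in this patch, tcpopts_match(), passes NULL for `mss`, so the comment should also say the out-parameter exists for parity with the 12.1 code, or the parameter should be dropped on this branch.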
@@ -1419,17 +1440,31 @@
* this way).
*/
#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
-#define PULLUP_LEN(_len, p, T) \
+#define _PULLUP_LOCKED(_len, p, T, unlock) \
do { \
int x = (_len) + T; \
if ((m)->m_len < x) { \
args->m = m = m_pullup(m, x); \
- if (m == NULL) \
+ if (m == NULL) { \
+ unlock; \
goto pullup_failed; \
+ } \
} \
p = (mtod(m, char *) + (_len)); \
} while (0)
+#define PULLUP_LEN(_len, p, T) _PULLUP_LOCKED(_len, p, T, )
+#define PULLUP_LEN_LOCKED(_len, p, T) \
+ _PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); \
+ UPDATE_POINTERS()
+/*
+ * In case pointers got stale after pullups, update them.
+ */
+#define UPDATE_POINTERS() \
+do { \
+ ip = mtod(m, struct ip *); \
+} while (0)
+
/*
* if we have an ether header,
*/
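Review bot: PULLUP_LEN_LOCKED expands to two statements, `_PULLUP_LOCKED(...);` followed by `UPDATE_POINTERS()`, so under an unbraced if or else only the pullup would be conditional. Wrap the pair in do { ... } while (0) like the neighbouring macros. UPDATE_POINTERS() refreshes only `ip`; its comment should say which other pointers into the mbuf must not be reused after a locked pullup. On failure the macro runs IPFW_PF_RUNLOCK(chain) before `goto pullup_failed`; is it certain that nothing at that label releases the lock a second time?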
@@ -2255,7 +2290,7 @@
case O_TCPOPTS:
if (proto == IPPROTO_TCP && offset == 0 && ulp){
- PULLUP_LEN(hlen, ulp,
+ PULLUP_LEN_LOCKED(hlen, ulp,
(TCP(ulp)->th_off << 2));
match = tcpopts_match(TCP(ulp), cmd);
}
@@ -3106,6 +3141,7 @@
} /* end of inner loop, scan opcodes */
#undef PULLUP_LEN
+#undef PULLUP_LEN_LOCKED
if (done)
break;
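Review bot: `_PULLUP_LOCKED` and `UPDATE_POINTERS` stay defined past this point. Add `#undef` lines for both next to `#undef PULLUP_LEN_LOCKED`, since they reference the locals `m`, `args`, `chain` and `ip` and should not be usable outside this function.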

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=aOrU
-----END PGP SIGNATURE-----

@ -0,0 +1,132 @@
--- sys/netpfil/ipfw/ip_fw2.c.orig
+++ sys/netpfil/ipfw/ip_fw2.c
@@ -330,22 +330,27 @@
return (flags_match(cmd, bits));
}
+/*
+ * Parse TCP options. The logic copied from tcp_dooptions().
+ */
static int
-tcpopts_parse(struct tcphdr *tcp, uint16_t *mss)
+tcpopts_parse(const struct tcphdr *tcp, uint16_t *mss)
{
- u_char *cp = (u_char *)(tcp + 1);
+ const u_char *cp = (const u_char *)(tcp + 1);
int optlen, bits = 0;
- int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
+ int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr);
- for (; x > 0; x -= optlen, cp += optlen) {
+ for (; cnt > 0; cnt -= optlen, cp += optlen) {
int opt = cp[0];
if (opt == TCPOPT_EOL)
break;
if (opt == TCPOPT_NOP)
optlen = 1;
else {
+ if (cnt < 2)
+ break;
optlen = cp[1];
- if (optlen <= 0)
+ if (optlen < 2 || optlen > cnt)
break;
}
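Review bot: `int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr);` performs the subtraction in size_t, so a th_off below 5 wraps and only becomes negative through the conversion back to int. Cast the sizeof to int, or reject a short th_off before the loop, so the `cnt > 0` guard does not rest on that conversion.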
@@ -354,22 +359,31 @@
break;
case TCPOPT_MAXSEG:
+ if (optlen != TCPOLEN_MAXSEG)
+ break;
bits |= IP_FW_TCPOPT_MSS;
if (mss != NULL)
*mss = be16dec(cp + 2);
break;
case TCPOPT_WINDOW:
- bits |= IP_FW_TCPOPT_WINDOW;
+ if (optlen == TCPOLEN_WINDOW)
+ bits |= IP_FW_TCPOPT_WINDOW;
break;
case TCPOPT_SACK_PERMITTED:
+ if (optlen == TCPOLEN_SACK_PERMITTED)
+ bits |= IP_FW_TCPOPT_SACK;
+ break;
+
case TCPOPT_SACK:
- bits |= IP_FW_TCPOPT_SACK;
+ if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0)
+ bits |= IP_FW_TCPOPT_SACK;
break;
case TCPOPT_TIMESTAMP:
- bits |= IP_FW_TCPOPT_TS;
+ if (optlen == TCPOLEN_TIMESTAMP)
+ bits |= IP_FW_TCPOPT_TS;
break;
}
}
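Review bot: the new TCPOPT_SACK_PERMITTED case sets IP_FW_TCPOPT_SACK, the same bit the TCPOPT_SACK case sets. That matches the old fall-through, but now that the two cases are separate it looks like a copy-and-paste slip; add a comment that one flag deliberately covers both options.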
@@ -1427,18 +1441,32 @@
* pointer might become stale after other pullups (but we never use it
* this way).
*/
-#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
-#define PULLUP_LEN(_len, p, T) \
+#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
+#define _PULLUP_LOCKED(_len, p, T, unlock) \
do { \
int x = (_len) + T; \
if ((m)->m_len < x) { \
args->m = m = m_pullup(m, x); \
- if (m == NULL) \
+ if (m == NULL) { \
+ unlock; \
goto pullup_failed; \
+ } \
} \
p = (mtod(m, char *) + (_len)); \
} while (0)
+#define PULLUP_LEN(_len, p, T) _PULLUP_LOCKED(_len, p, T, )
+#define PULLUP_LEN_LOCKED(_len, p, T) \
+ _PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); \
+ UPDATE_POINTERS()
+/*
+ * In case pointers got stale after pullups, update them.
+ */
+#define UPDATE_POINTERS() \
+do { \
+ ip = mtod(m, struct ip *); \
+} while (0)
+
/*
* if we have an ether header,
*/
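Review bot: the `PULLUP_TO` define is removed and re-added with no difference other than whitespace. Drop that pair so the 12.1 patch carries only the functional change, as the 11.3 patch does where the same line is plain context.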
@@ -2269,7 +2297,7 @@
case O_TCPOPTS:
if (proto == IPPROTO_TCP && offset == 0 && ulp){
- PULLUP_LEN(hlen, ulp,
+ PULLUP_LEN_LOCKED(hlen, ulp,
(TCP(ulp)->th_off << 2));
match = tcpopts_match(TCP(ulp), cmd);
}
@@ -2294,7 +2322,7 @@
uint16_t mss, *p;
int i;
- PULLUP_LEN(hlen, ulp,
+ PULLUP_LEN_LOCKED(hlen, ulp,
(TCP(ulp)->th_off << 2));
if ((tcpopts_parse(TCP(ulp), &mss) &
IP_FW_TCPOPT_MSS) == 0)
@@ -3145,6 +3173,7 @@
} /* end of inner loop, scan opcodes */
#undef PULLUP_LEN
+#undef PULLUP_LEN_LOCKED
if (done)
break;

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,11 @@
--- crypto/openssl/ssl/t1_lib.c.orig
+++ crypto/openssl/ssl/t1_lib.c
@@ -2099,7 +2099,7 @@
sigalg = use_pc_sigalgs
? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
: s->shared_sigalgs[i];
- if (sig_nid == sigalg->sigandhash)
+ if (sigalg != NULL && sig_nid == sigalg->sigandhash)
return 1;
}
return 0;
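Review bot: the `sigalg != NULL` guard should carry a one-line comment saying that tls1_lookup_sigalg() yields NULL for a peer-supplied algorithm it does not recognise, which is the case the advisory describes; as written the check gives no hint where a NULL could come from. Since the same pointer is also taken from `s->shared_sigalgs[i]`, the comment should state whether that branch can be NULL as well or whether the guard is only needed for the `use_pc_sigalgs` path.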

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=1JP9
-----END PGP SIGNATURE-----

@ -7,6 +7,23 @@
<year>
<name>2020</name>
<month>
<name>4</name>
<day>
<name>21</name>
<advisory>
<name>FreeBSD-SA-20:11.openssl</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:10.ipfw</name>
</advisory>
</day>
</month>
<month>
<name>3</name>

@ -7,6 +7,19 @@
<year>
<name>2020</name>
<month>
<name>4</name>
<day>
<name>21</name>
<notice>
<name>FreeBSD-EN-20:07.quotad</name>
</notice>
</day>
</month>
<month>
<name>3</name>