From 9b4c8884f13272a0e35997f844eb03458258243a Mon Sep 17 00:00:00 2001
From: Gordon Tetlow
Date: Tue, 21 Apr 2020 16:29:32 +0000
Subject: [PATCH] Add EN-20:07, SA-20:10, and SA-20:11.

Approved by: so
---
 .../advisories/FreeBSD-EN-20:07.quotad.asc | 133 +++++++++++++++++
 .../advisories/FreeBSD-SA-20:10.ipfw.asc | 141 ++++++++++++++++++
 .../advisories/FreeBSD-SA-20:11.openssl.asc | 132 ++++++++++++++++
 share/security/patches/EN-20:07/quotad.patch | 11 ++
 .../patches/EN-20:07/quotad.patch.asc | 18 +++
 share/security/patches/SA-20:10/ipfw.11.patch | 136 +++++++++++++++++
 .../patches/SA-20:10/ipfw.11.patch.asc | 18 +++
 share/security/patches/SA-20:10/ipfw.12.patch | 132 ++++++++++++++++
 .../patches/SA-20:10/ipfw.12.patch.asc | 18 +++
 share/security/patches/SA-20:11/openssl.patch | 11 ++
 .../patches/SA-20:11/openssl.patch.asc | 18 +++
 share/xml/advisories.xml | 17 +++
 share/xml/notices.xml | 13 ++
 13 files changed, 798 insertions(+)
 create mode 100644 share/security/advisories/FreeBSD-EN-20:07.quotad.asc
 create mode 100644 share/security/advisories/FreeBSD-SA-20:10.ipfw.asc
 create mode 100644 share/security/advisories/FreeBSD-SA-20:11.openssl.asc
 create mode 100644 share/security/patches/EN-20:07/quotad.patch
 create mode 100644 share/security/patches/EN-20:07/quotad.patch.asc
 create mode 100644 share/security/patches/SA-20:10/ipfw.11.patch
 create mode 100644 share/security/patches/SA-20:10/ipfw.11.patch.asc
 create mode 100644 share/security/patches/SA-20:10/ipfw.12.patch
 create mode 100644 share/security/patches/SA-20:10/ipfw.12.patch.asc
 create mode 100644 share/security/patches/SA-20:11/openssl.patch
 create mode 100644 share/security/patches/SA-20:11/openssl.patch.asc

diff --git a/share/security/advisories/FreeBSD-EN-20:07.quotad.asc b/share/security/advisories/FreeBSD-EN-20:07.quotad.asc
new file mode 100644
index 0000000000..7c6bd65fc5
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-20:07.quotad.asc
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:07.quotad Errata Notice
+ The FreeBSD Project
+
+Topic: Regression in rpc.rquotad with certain NFS servers
+
+Category: core
+Module: rpc.quotad
+Announced: 2020-04-21
+Affects: All supported versions of FreeBSD
+Corrected: 2019-09-21 14:03:41 UTC (stable/12, 12.1-STABLE)
+ 2020-04-21 15:50:57 UTC (releng/12.1, 12.1-RELEASE-p4)
+ 2019-09-21 14:06:16 UTC (stable/11, 11.3-STABLE)
+ 2020-04-21 15:50:57 UTC (releng/11.3, 11.3-RELEASE-p8)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+The Network File System (NFS) allows a system to share directories and files
+with others over a network. By using this, users and programs can access
+files on remote systems almost as if they were local files.
+
+The rpc.rquotad utility is an rpc(3) server which returns quotas for a user
+of a local file system which is NFS-mounted onto a remote machine.
+
+II. Problem Description
+
+A change in rpc.rquotad made it send RQUOTA v2 requests instead of RQUOTA v1
+requests. Some vendors would send RPC_PROGNOTREGISTERED ("Program Not
+Registered") response instead of the desired RPC_PROGVERSMISMATCH ("Program
+Version Mismatch") response, preventing the mechanism from working.
+
+III. Impact
+
+The quota(8) command will not be able obtain quota information for some NFS
+server vendors.
+
+IV. Workaround
+
+No workaround is available. Systems not using quotas on NFS mounted file
+systems are unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:07/quotad.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:07/quotad.patch.asc
+# gpg --verify quotad.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r352575
+releng/12.1/ r360148
+stable/11/ r352576
+releng/11.3/ r360148
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHKNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKrMg/+LLZH7D0fPM2gvxxgDi078N0yfnb4hjbJxI+xdDrbWMEqy/Y9k5hi6+AD
+iEnSdQ1/Ak6n174b4Xz2L+Dpih4BEzLumfwb9oFCudUFvyuxNwQmO9tkGLCdu9ps
+wRp2quYw0T/whnIS2tTsOM/TPCNZa72mym19OTZi9pgSh82Z+raUeRlfXyOS6HlL
+8GkIqkMBBEXRYEQnWX7FAcN+4G1kUHCzHIsyLImCaic8YL/+rX2bqalhFGdLGbJd
+epKQQ8FvT1kMns6XVkzSfL35LDoOfbOYjWYTwp3D5Fxk0I5gSK1u3LTrhVZpEV0p
+EBO7l2ivee/cwtdOjkIZR1NF+Lp+gHeXxWaJFz0tE6skB2fCYdZq4EeIjXg1okqQ
+piWmiesIDpmzz5P2e1OEbkrh5yKr/FeLYDOlge3D1jFZd7iBxeS/BvdGGhSVZI4F
+wssveFUnGiKm47kFRzXJnSPz0Nji2R2KyKaaNSB6dqZGW0ZelgPgjh09j09FijbH
+mvFPSsxWSKH3rD0CE2QeWIvwk0dbtAhti1TM0gJque8D50IZB8VlNNtOa4V+fyQ6
+puH+5+haHzwfUXwSrLcYK+v0xMdQ71oYqC5G5tV/eYXJCbzIu1Y3hbgmbLzAx+xf
+LwW3uCcm1cDQpzs2WxirHE+jS4DbYIMqS/K2c5+tj9kAEtXX1b0=
+=mFhE
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-20:10.ipfw.asc b/share/security/advisories/FreeBSD-SA-20:10.ipfw.asc
new file mode 100644
index 0000000000..9289035564
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:10.ipfw.asc
@@ -0,0 +1,141 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:10.ipfw Security Advisory
+ The FreeBSD Project
+
+Topic: ipfw invalid mbuf handling
+
+Category: core
+Module: kernel
+Announced: 2020-04-21
+Credits: Maxime Villard
+ All supported versions of FreeBSD.
+Corrected: 2019-12-23 10:02:55 UTC (stable/12, 12.1-STABLE)
+ 2020-04-21 15:52:22 UTC (releng/12.1, 12.1-RELEASE-p4)
+ 2019-12-23 10:06:32 UTC (stable/11, 11.3-STABLE)
+ 2020-04-21 15:52:22 UTC (releng/11.3, 11.3-RELEASE-p8)
+CVE Name: CVE-2019-5614, CVE-2019-15874
+
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+The ipfw system facility allows filtering, redirecting, and other operations
+on IP packets travelling through network interfaces.
+
+II. Problem Description
+
+Incomplete packet data validation may result in accessing out-of-bounds
+memory (CVE-2019-5614) or may access memory after it has been freed
+(CVE-2019-15874).
+
+III. Impact
+
+Access to out of bounds or freed mbuf data can lead to a kernel panic or
+other unpredictable results.
+
+IV. Workaround
+
+No workaround is available. Systems not using the ipfw firewall are
+not vulnerable.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 11.3]
+# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.11.patch.asc
+# gpg --verify ipfw.11.patch.asc
+
+[FreeBSD 12.1]
+# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:10/ipfw.12.patch.asc
+# gpg --verify ipfw.12.patch.asc
+
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r356035
+releng/12.1/ r360149
+stable/11/ r356036
+releng/11.3/ r360149
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHK1fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJnFA//Zqygqhfo2vs/FBe67+/MILbAn5KeZoha6jbhr7YGD//Yzdy0+LtiaMpL
+DskM6z2bF6VKMuB5XQufUcAPTqzf8m3pgdFoPBT2P47ndkqDsF7/EDe5IaYCQZq+
+CB0tTuD6m3/8qYXvKyD+c6WV92Tn75GOpguKEYWnoBlOe8YVoVWxIknl+wuG+w4h
+D6hGGntvvs7RyXVITo9wzW70W8b57fIszVHTvH0YoFwBLGeie/uNomkcawti6jcp
+h703a4VsGeM1FFqb8hrNgKdDMC8Xmddjd78PMxl4wjC4WrrziQ1M8RxEoLHCSrH0
+4hLSjQOIVuI+OoEArn533QyHWQa1KbeECc2GgSlUrq6rlNk3SELWl72tugETT0JJ
+EYWFaLUGLUV5PMeuv7c6HfuXXtaVOEP/Gyvf9Rduesohdzw+DYrzXSyVv9wsRbfx
+34H9Xcjlu+BzYrHyKJkgdILwEFpEHCZmxRLxeJLGBjPAsudhN2XzGfKEQNd8olTr
+pe0Cw+C/sBhe0jh42REDRXW/Vr0YF4ivZf6L8d1zdG462GMn9aZteCjRmfMOWN1D
+BjU0+qY6mkWU0bVep0sjPU9ON8T9vnEinjhfqIb/A9XOvKag7cehpxWC+PJyf3I4
+eAjdzQeq0FH08XMWFfFWDqa7VmGYhmp/e53HNbHb90NtW07GtHE=
+=p+5n
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-20:11.openssl.asc b/share/security/advisories/FreeBSD-SA-20:11.openssl.asc
new file mode 100644
index 0000000000..d5d26440ec
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:11.openssl.asc
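Review bot: The advisory header is missing its `Affects:` field — after `Credits: Maxime Villard` the next line is just ` All supported versions of FreeBSD.`, so it reads as a continuation of the credits rather than the affected-versions entry the other two advisories in this commit carry (`Affects: All supported versions of FreeBSD` in EN-20:07, `Affects: FreeBSD 12.1` in SA-20:11). Readers and any tooling that keys off that field will not find it for this SA. The fix is to label the line `Affects: All supported versions of FreeBSD.`; since the file is a clearsigned PGP message, the corrected text has to be re-signed rather than edited in place, and the hunk's line count rechecked afterwards.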
@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:11.openssl Security Advisory
+ The FreeBSD Project
+
+Topic: OpenSSL remote denial of service vulnerability
+
+Category: contrib
+Module: openssl
+Announced: 2020-04-21
+Credits: Bernd Edlinger
+Affects: FreeBSD 12.1
+Corrected: 2020-04-21 15:47:58 UTC (stable/12, 12.1-STABLE)
+ 2020-04-21 15:53:08 UTC (releng/12.1, 12.1-RELEASE-p4)
+CVE Name: CVE-2020-1967
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit .
+
+I. Background
+
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
+collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets
+Layer (SSL) protocols. It is also a full-strength general purpose
+cryptography library.
+
+II. Problem Description
+
+Server or client applications that call the SSL_check_chain() function during
+or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
+result of incorrect handling of the "signature_algorithms_cert" TLS
+extension. The crash occurs if an invalid or unrecognized signature
+algorithm is received from the peer.
+
+III. Impact
+
+A malicious peer could exploit the NULL pointer dereference crash, causing a
+denial of service attack.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:11/openssl.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:11/openssl.patch.asc
+# gpg --verify openssl.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in .
+
+Restart all daemons that use the library, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/12/ r360147
+releng/12.1/ r360150
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+
+
+VII. References
+
+
+
+
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHLBfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJEGw/7BWgBW3Vi98Sj0OFQnKUyckFaKxOY5WNl+N2k1MC5QIwtFRknS/i4xiBe
+wfpudj8PRiYe5sXC7C0vpHBB6LAq9RCflZAu3auRD/r/wShAq1wVY6nC7zJ+nXKX
+r7OuUj0NBQK7Gc5k89LEeRI8qjcJv7XwUY63msVvDUzqWwZeVDufrRnSwoUi0LR/
+qbya9ICb9qt7o52QNpECccEUVB4Qc1mfdESpDi/7h/JYXvLptsa/W6DtTZRlJ2n/
+f/hi2ja7xUD78NlQ6Sbc17+QUFWWIvyljl255Nhi3YhjWpFSWewmJg3aLqQ3O4uB
+g632jncGVFtRiDWHvUPqIx0Ephs3Ubd0llBsWXJ4uEQzeqVVVk05oomWDBjUoxW/
+Iw7kfVJDBNrrIuNikhOaf3lmUEJ8iXUhg8NxLwoyq6v2SM2eFLqYxx9MLwH5RQkV
+nAuWszYSnxkReUE4oGrm7Vn3Mq7yhiM8KpNS08BSADeWRWEJSsdeA5BC2bLIUgE+
+UKRDYaTyLSl9knHNmCd9W/8b3w03k2E4lrosc+hiaYoVB9l83e5elQm/tgdBynmL
+w653iJIoATgApXXresLW3x/by9+BhCq1fLkipDoaRZTrsg7zaYCyseDmfvmaV6Pn
+x8nm+i+VHeB8hp+vurijO9wuaisPs4LNv7pPcler2LmtAGYV3Lg=
+=231J
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-20:07/quotad.patch b/share/security/patches/EN-20:07/quotad.patch
new file mode 100644
index 0000000000..65d4859799
--- /dev/null
+++ b/share/security/patches/EN-20:07/quotad.patch
@@ -0,0 +1,11 @@
+--- usr.bin/quota/quota.c.orig
++++ usr.bin/quota/quota.c
+@@ -606,7 +606,7 @@
+ call_stat = callaurpc(host, RQUOTAPROG, EXT_RQUOTAVERS,
+ RQUOTAPROC_GETQUOTA, (xdrproc_t)xdr_ext_getquota_args, (char *)&gq_args,
+ (xdrproc_t)xdr_getquota_rslt, (char *)&gq_rslt);
+- if (call_stat == RPC_PROGVERSMISMATCH) {
++ if (call_stat == RPC_PROGVERSMISMATCH || call_stat == RPC_PROGNOTREGISTERED) {
+ if (quotatype == USRQUOTA) {
+ old_gq_args.gqa_pathp = cp + 1;
+ old_gq_args.gqa_uid = id;
diff --git a/share/security/patches/EN-20:07/quotad.patch.asc b/share/security/patches/EN-20:07/quotad.patch.asc
new file mode 100644
index 0000000000..347f1de6b6
--- /dev/null
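Review bot: The rewritten condition `if (call_stat == RPC_PROGVERSMISMATCH || call_stat == RPC_PROGNOTREGISTERED) {` runs well past 80 columns, which style(9) does not permit; wrap it as `if (call_stat == RPC_PROGVERSMISMATCH ||` followed by `    call_stat == RPC_PROGNOTREGISTERED) {` with the continuation indented four extra spaces. The fallback also needs a why-comment, because nothing in the code explains why a "program not registered" reply is handled like a version mismatch: `/* Some rquotad implementations answer PROGNOTREGISTERED rather than PROGVERSMISMATCH for an unknown version; retry with RQUOTA v1. */`. Note too that the file patched is usr.bin/quota/quota.c, the quota(8) client, whereas the advisory's `Module:` line names rpc.quotad and its description says rpc.rquotad sends the v2 requests — the RQUOTA calls are issued from the client side here, so the advisory wording appears inverted and is worth correcting before re-signing. The enclosing function starts and ends outside the hunk.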
+++ b/share/security/patches/EN-20:07/quotad.patch.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHMNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI6Hg/+IjHObivifL7eLY2O8ydr8fj8q735PmFvWCzWdUl2vhNC64Rb3jcELcCo
+L+8CkBtWNklTZo4HWB5R+6oQSfDwLnW9tHQ/aVg308IZOZ8b680RT0SI83mwfmG9
+SwzPj8SqINTRUO0pWaKtS3sP4tXytCVBu70uet3L57cozP9ylVmC4z+ecwkXosq+
+bnIe1gJMs5xTTkX1JierutJ/cMlma/nJ0aenW2um85CSuTsQBTsEPxug7NCm8UeG
+1ABpzQ3TdkSciRQNoPjM5VrUkm05PA+zHrHE0tTyN3wwef4Pcyte2dnfJ8gBjUzI
+PveME1u1DSxSRwaBSNdUVJtXgLDTdeeN/OjTQFRSxT5BJi7a5ux4CI8OIbXkS4gE
+nRTcl0VKbDnQ2R16OPzEIzHvItXomHTnRvcuzT8oLZj/9pRdr6kWuAYsAx4jU1wn
+/QE7LtqNS89X9+tGjfbqO1kgnMb6SfNJ0me2U+L7Syw+SRWa9lVxdGUe0Oantexu
+Xe0hZ+DOMDH+ntcAEenmZ2lsMCGH1triQINW/laA9gz1Ad045yleC33V/RSYwGiU
+cw4+0M9kxMTB7vMCMP0+788VE382aTzi5t8tZNM98iGsA4UrlUg4K/XX9KI0PI/0
+qrNyUNGTpDqey7mbSE1sYiih1Etx8UO4k+ryvabNydhC4sJICzQ=
+=9zFb
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:10/ipfw.11.patch b/share/security/patches/SA-20:10/ipfw.11.patch
new file mode 100644
index 0000000000..05305fa8fd
--- /dev/null
+++ b/share/security/patches/SA-20:10/ipfw.11.patch
@@ -0,0 +1,136 @@
+--- sys/netpfil/ipfw/ip_fw2.c.orig
++++ sys/netpfil/ipfw/ip_fw2.c
+@@ -328,50 +328,71 @@
+ return (flags_match(cmd, bits));
+ }
+
++/*
++ * Parse TCP options. The logic copied from tcp_dooptions().
++ */
+ static int
+-tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd)
++tcpopts_parse(const struct tcphdr *tcp, uint16_t *mss)
+ {
++ const u_char *cp = (const u_char *)(tcp + 1);
+ int optlen, bits = 0;
+- u_char *cp = (u_char *)(tcp + 1);
+- int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
++ int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr);
+
+- for (; x > 0; x -= optlen, cp += optlen) {
++ for (; cnt > 0; cnt -= optlen, cp += optlen) {
+ int opt = cp[0];
+ if (opt == TCPOPT_EOL)
+ break;
+ if (opt == TCPOPT_NOP)
+ optlen = 1;
+ else {
++ if (cnt < 2)
++ break;
+ optlen = cp[1];
+- if (optlen <= 0)
++ if (optlen < 2 || optlen > cnt)
+ break;
+ }
+
+ switch (opt) {
+-
+ default:
+ break;
+
+ case TCPOPT_MAXSEG:
++ if (optlen != TCPOLEN_MAXSEG)
++ break;
+ bits |= IP_FW_TCPOPT_MSS;
++ if (mss != NULL)
++ *mss = be16dec(cp + 2);
+ break;
+
+ case TCPOPT_WINDOW:
+- bits |= IP_FW_TCPOPT_WINDOW;
++ if (optlen == TCPOLEN_WINDOW)
++ bits |= IP_FW_TCPOPT_WINDOW;
+ break;
+
+ case TCPOPT_SACK_PERMITTED:
++ if (optlen == TCPOLEN_SACK_PERMITTED)
++ bits |= IP_FW_TCPOPT_SACK;
++ break;
++
+ case TCPOPT_SACK:
+- bits |= IP_FW_TCPOPT_SACK;
++ if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0)
++ bits |= IP_FW_TCPOPT_SACK;
+ break;
+
+ case TCPOPT_TIMESTAMP:
+- bits |= IP_FW_TCPOPT_TS;
++ if (optlen == TCPOLEN_TIMESTAMP)
++ bits |= IP_FW_TCPOPT_TS;
+ break;
+-
+ }
+ }
+- return (flags_match(cmd, bits));
++ return (bits);
++}
++
++static int
++tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd)
++{
++
++ return (flags_match(cmd, tcpopts_parse(tcp, NULL)));
+ }
+
+ static int
+@@ -1419,17 +1440,31 @@
+ * this way).
+ */
+ #define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
+-#define PULLUP_LEN(_len, p, T) \
++#define _PULLUP_LOCKED(_len, p, T, unlock) \
+ do { \
+ int x = (_len) + T; \
+ if ((m)->m_len < x) { \
+ args->m = m = m_pullup(m, x); \
+- if (m == NULL) \
++ if (m == NULL) { \
++ unlock; \
+ goto pullup_failed; \
++ } \
+ } \
+ p = (mtod(m, char *) + (_len)); \
+ } while (0)
+
++#define PULLUP_LEN(_len, p, T) _PULLUP_LOCKED(_len, p, T, )
++#define PULLUP_LEN_LOCKED(_len, p, T) \
++ _PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); \
++ UPDATE_POINTERS()
++/*
++ * In case pointers got stale after pullups, update them.
++ */
++#define UPDATE_POINTERS() \
++do { \
++ ip = mtod(m, struct ip *); \
++} while (0)
++
+ /*
+ * if we have an ether header,
+ */
+@@ -2255,7 +2290,7 @@
+
+ case O_TCPOPTS:
+ if (proto == IPPROTO_TCP && offset == 0 && ulp){
+- PULLUP_LEN(hlen, ulp,
++ PULLUP_LEN_LOCKED(hlen, ulp,
+ (TCP(ulp)->th_off << 2));
+ match = tcpopts_match(TCP(ulp), cmd);
+ }
+@@ -3106,6 +3141,7 @@
+
+ } /* end of inner loop, scan opcodes */
+ #undef PULLUP_LEN
++#undef PULLUP_LEN_LOCKED
+
+ if (done)
+ break;
diff --git a/share/security/patches/SA-20:10/ipfw.11.patch.asc b/share/security/patches/SA-20:10/ipfw.11.patch.asc
new file mode 100644
index 0000000000..4c3667a965
--- /dev/null
+++ b/share/security/patches/SA-20:10/ipfw.11.patch.asc
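Review bot: `PULLUP_LEN_LOCKED` expands to two statements, `_PULLUP_LOCKED(...);` followed by `UPDATE_POINTERS()`, without the `do { ... } while (0)` wrapper that `_PULLUP_LOCKED` and `UPDATE_POINTERS` themselves use, so an unbraced `if (...) PULLUP_LEN_LOCKED(...);` would guard only the pullup and refresh `ip` unconditionally. The one caller in this hunk (`case O_TCPOPTS`) is inside braces, so the hazard is latent rather than live, but the macro is defined next to ones that are single statements and will be used like them. Wrapping it makes it safe in any statement position; `_PULLUP_LOCKED` is also a reserved identifier (leading underscore followed by an uppercase letter), and a name such as `PULLUP_LEN_UNLOCK` would avoid that. The opcode switch these hunks touch starts and ends outside the view.
```c
#define PULLUP_LEN_LOCKED(_len, p, T) do { \
	_PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); \
	UPDATE_POINTERS(); \
} while (0)
```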
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHNNfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKVEhAApEcxwYJh0IP2/JPsfaNkAKLflaiaTY1MHd0SK4icoGYgbUFXGfYFFx5y
+V+xYyzJ6hqufaLgRDlOUWy7QLqkSD5iuNas7ZC9Sorge24uVYS9QKoQETAUc4EsA
+puyWWfFA8jD/cUIzmLpuTlz8qUFT2n4j28djmbYvH46jgoOyMGrUzoTKfeyPSvMR
+LCkzyzsnkfauwl8lpAkyWqhi3VPmCLtzd4boVmG2UnpaKKny0l3M2/CRHJhCute4
+3+15ilzONzcr0J38hd6sM11HZIVEUK3DywefMhiMx9sQQD71sqisvADCxZ8cdML/
+he+mBB38YzGyy/qezb/ZC1oXfPHmNKlJjxHzCyZkgkLd03GSrviykj4o8I9HOgty
+X2NmrUoi22j3nezE4lEqh+6f6yXRVsBmJjzFGUXTSgjP6vGIewZiwmQReadGzcZk
+nwCdtZSMbPAFLt6EBXMfU/pvLAokYk87XCyivAPkrbojrbDKg0ucUfttgPjwuAkN
+G3s4xsmC+XuAbGrzCJwDr1o8zPcDLJlfPijJAmzWlQReHHAaVSgVt0jRoFvznZjh
+QCI3b9aRPHayGBoJxFNripYdggF9jcaUA7OGrLjw86VHBFvAl2fKZxZexUbKVFqX
+c8wvkiWbAvknV18pbVlifSdjKgylY8vwi39dj8zDxpWULRXFLYg=
+=aOrU
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:10/ipfw.12.patch b/share/security/patches/SA-20:10/ipfw.12.patch
new file mode 100644
index 0000000000..c584c41a4f
--- /dev/null
+++ b/share/security/patches/SA-20:10/ipfw.12.patch
@@ -0,0 +1,132 @@
+--- sys/netpfil/ipfw/ip_fw2.c.orig
++++ sys/netpfil/ipfw/ip_fw2.c
+@@ -330,22 +330,27 @@
+ return (flags_match(cmd, bits));
+ }
+
++/*
++ * Parse TCP options. The logic copied from tcp_dooptions().
++ */
+ static int
+-tcpopts_parse(struct tcphdr *tcp, uint16_t *mss)
++tcpopts_parse(const struct tcphdr *tcp, uint16_t *mss)
+ {
+- u_char *cp = (u_char *)(tcp + 1);
++ const u_char *cp = (const u_char *)(tcp + 1);
+ int optlen, bits = 0;
+- int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
++ int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr);
+
+- for (; x > 0; x -= optlen, cp += optlen) {
++ for (; cnt > 0; cnt -= optlen, cp += optlen) {
+ int opt = cp[0];
+ if (opt == TCPOPT_EOL)
+ break;
+ if (opt == TCPOPT_NOP)
+ optlen = 1;
+ else {
++ if (cnt < 2)
++ break;
+ optlen = cp[1];
+- if (optlen <= 0)
++ if (optlen < 2 || optlen > cnt)
+ break;
+ }
+
+@@ -354,22 +359,31 @@
+ break;
+
+ case TCPOPT_MAXSEG:
++ if (optlen != TCPOLEN_MAXSEG)
++ break;
+ bits |= IP_FW_TCPOPT_MSS;
+ if (mss != NULL)
+ *mss = be16dec(cp + 2);
+ break;
+
+ case TCPOPT_WINDOW:
+- bits |= IP_FW_TCPOPT_WINDOW;
++ if (optlen == TCPOLEN_WINDOW)
++ bits |= IP_FW_TCPOPT_WINDOW;
+ break;
+
+ case TCPOPT_SACK_PERMITTED:
++ if (optlen == TCPOLEN_SACK_PERMITTED)
++ bits |= IP_FW_TCPOPT_SACK;
++ break;
++
+ case TCPOPT_SACK:
+- bits |= IP_FW_TCPOPT_SACK;
++ if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0)
++ bits |= IP_FW_TCPOPT_SACK;
+ break;
+
+ case TCPOPT_TIMESTAMP:
+- bits |= IP_FW_TCPOPT_TS;
++ if (optlen == TCPOLEN_TIMESTAMP)
++ bits |= IP_FW_TCPOPT_TS;
+ break;
+ }
+ }
+@@ -1427,18 +1441,32 @@
+ * pointer might become stale after other pullups (but we never use it
+ * this way).
+ */
+-#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
+-#define PULLUP_LEN(_len, p, T) \
++#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T))
++#define _PULLUP_LOCKED(_len, p, T, unlock) \
+ do { \
+ int x = (_len) + T; \
+ if ((m)->m_len < x) { \
+ args->m = m = m_pullup(m, x); \
+- if (m == NULL) \
++ if (m == NULL) { \
++ unlock; \
+ goto pullup_failed; \
++ } \
+ } \
+ p = (mtod(m, char *) + (_len)); \
+ } while (0)
+
++#define PULLUP_LEN(_len, p, T) _PULLUP_LOCKED(_len, p, T, )
++#define PULLUP_LEN_LOCKED(_len, p, T) \
++ _PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); \
++ UPDATE_POINTERS()
++/*
++ * In case pointers got stale after pullups, update them.
++ */
++#define UPDATE_POINTERS() \
++do { \
++ ip = mtod(m, struct ip *); \
++} while (0)
++
+ /*
+ * if we have an ether header,
+ */
+@@ -2269,7 +2297,7 @@
+
+ case O_TCPOPTS:
+ if (proto == IPPROTO_TCP && offset == 0 && ulp){
+- PULLUP_LEN(hlen, ulp,
++ PULLUP_LEN_LOCKED(hlen, ulp,
+ (TCP(ulp)->th_off << 2));
+ match = tcpopts_match(TCP(ulp), cmd);
+ }
+@@ -2294,7 +2322,7 @@
+ uint16_t mss, *p;
+ int i;
+
+- PULLUP_LEN(hlen, ulp,
++ PULLUP_LEN_LOCKED(hlen, ulp,
+ (TCP(ulp)->th_off << 2));
+ if ((tcpopts_parse(TCP(ulp), &mss) &
+ IP_FW_TCPOPT_MSS) == 0)
+@@ -3145,6 +3173,7 @@
+
+ } /* end of inner loop, scan opcodes */
+ #undef PULLUP_LEN
++#undef PULLUP_LEN_LOCKED
+
+ if (done)
+ break;
diff --git a/share/security/patches/SA-20:10/ipfw.12.patch.asc b/share/security/patches/SA-20:10/ipfw.12.patch.asc
new file mode 100644
index 0000000000..c789c4f772
--- /dev/null
+++ b/share/security/patches/SA-20:10/ipfw.12.patch.asc
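Review bot: `UPDATE_POINTERS` is referenced by `PULLUP_LEN_LOCKED` before it is defined, and its comment says "update them" while the body refreshes only `ip`; `ulp` is refreshed through `_PULLUP_LOCKED`'s own `p = (mtod(m, char *) + (_len))` assignment, but nothing states that, and any other pointer derived from `m` before the pullup is simply stale. Moving the `UPDATE_POINTERS` definition above `PULLUP_LEN_LOCKED` and tightening the comment to `/* m_pullup() may replace the mbuf: refresh ip (ulp is reassigned by _PULLUP_LOCKED); any other pointer derived from m before the pullup is stale. */` would make that contract explicit. The two new callers (`case O_TCPOPTS` and the MSS-rewriting block in the `@@ -2294` hunk) now drop `chain` on pullup failure through the macro, which appears to be the CVE-2019-15874 part of the fix; a comment at the `pullup_failed:` label saying the lock is already released on this path would help, though that label lies outside the view. `_PULLUP_LOCKED` also uses a reserved spelling (leading underscore plus uppercase); `PULLUP_LEN_UNLOCK` would avoid it.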
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHNVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJiwQ/+Lpt5TbpgVsZBpwt/LlMngD3jQzuP4NR41LSpynro/diN4ZKyUIDZ2y1r
+RMOy2kVVEQfaO3TdzQzA290ZIZevoZeMWzchG3N23Ya9Ddyz4ChLNWdhdqJwX0Lf
+tIgYuOh3Nd90FP+BSx5KbKC4P9Y2DiXOX6FmzKbCBvNH+etAs8hshbqty1Fcahtv
+aBOjYGvB1tBAl29brsxpSROd0aMVayxbk+2zs4nfrU7RuIHcjjNT0tWlDYrrFZ4a
+qBUucxtv/+UgTDiXIOao55tx2cw4st9Kj6mUp5h3RMNTkB2piztFpH8XLOYq6PLK
+7HzJFbji9sFHQyEjtoa/OoM+o52yfDqEU4YXfKtjvA21xjzfi00shnPY9Cp96CY5
+Q7zjXJsV2J6rvMXm9DY3Dis2cbkgt8nBU2B3ftSFWrCkblmeS49dCUzv+YtJ/J22
+eU7Tkc/bw8dqcZZgiJhEiOTRjSDZzNM9UJBeHpQBcppIltG3TdzDD3YY6KFIBjae
+FwijjljfyA0wAEJREO+km2KpQca1wYyQKFNOVOimenazI+qsSvZg+xotyaGjYKWf
+sDxnieRHzkqrp+6z3fMbo+n7Xz+KLQAxTBAN4YOAv04cePVOVx0/YeiWqWiy7LEk
+Ponji3sfgPmuze/T785zIumLbo7HmoJQJg5o34wRtuF/1ANx0Bg=
+=e2S6
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-20:11/openssl.patch b/share/security/patches/SA-20:11/openssl.patch
new file mode 100644
index 0000000000..3ccde741be
--- /dev/null
+++ b/share/security/patches/SA-20:11/openssl.patch
@@ -0,0 +1,11 @@
+--- crypto/openssl/ssl/t1_lib.c.orig
++++ crypto/openssl/ssl/t1_lib.c
+@@ -2099,7 +2099,7 @@
+ sigalg = use_pc_sigalgs
+ ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
+ : s->shared_sigalgs[i];
+- if (sig_nid == sigalg->sigandhash)
++ if (sigalg != NULL && sig_nid == sigalg->sigandhash)
+ return 1;
+ }
+ return 0;
diff --git a/share/security/patches/SA-20:11/openssl.patch.asc b/share/security/patches/SA-20:11/openssl.patch.asc
new file mode 100644
index 0000000000..cb196b27df
--- /dev/null
+++ b/share/security/patches/SA-20:11/openssl.patch.asc
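Review bot: The new guard `sigalg != NULL && sig_nid == sigalg->sigandhash` silently skips an entry when `tls1_lookup_sigalg()` returns NULL for a peer-supplied `signature_algorithms_cert` value, so an unrecognised algorithm counts as "no match" rather than an error; that is the intended CVE-2020-1967 behaviour, but nothing in the code records it. A one-line comment above the `if` would: `/* tls1_lookup_sigalg() returns NULL for a peer sigalg we do not recognise; treat it as not matching rather than dereferencing it. */`. The `s->shared_sigalgs[i]` branch is presumably never NULL, which is why the check was missing before — worth confirming where that array is populated, since it is outside this view. The loop and the enclosing function both begin outside the hunk.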
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHMlfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cL1OxAAgpwan3XY96qOUx5NVpagPkYkqtGrJsXS4PFwYl3UbWFx6iLXIQCFZxVV
+N5aODi0ixr0oMSlzM8hUhn590LG8UnU2UbUK2WwyhlzDMQaB04kT1xK1V0fqU0vy
+BdRx0sIOGDz38qHLkGKEjJI7M41k5f/2wj65I16YCD3LDaUNzYQvHHRA4nMWa/iG
+g/arSEBSXWEOmAdtazTGzb4x7umLfTzR7fkVBKW5RsaQrPNDaKsGvfkvgi9ZCpc0
+nqcDV07ivPMoM/DkYMO1RYrqHuGch8hejaDrJrf9hu5oYeUFRsl+XqUjVi1H33T6
+Wov9/FzzMEUxwkBm9wzH1vn2rGFncDa6/WR00iHMEKOcGM6B9lCqBNNnpNVC7vEC
+/KVZasjRRwcRGpHMYte0R6rqoxJ4Pas6iaUUJwmv10S1mBaIPLV0k30o5J9G4euf
+r2tsRBQCcY0dyyqO89k1krdFSQw36PDCe/vGoGoIUHsvIWcn894EBW6BdKeky6ns
+PyON5G0/oM+oeyzL+bmocqj479S1poyRY++gGRpkgtVWoOV1+GaiyEhqfJK0srGZ
+vbln/FMvL1mHstM6pyGwYFcd8aYZM+tkp9+hv4T2JCZ0Wj/zEEbGg72vClU+Fuji
+XJsBJu435h0Kl/SZTUYcudwjLai9oHfxAOopyffsfV6NrZU53iE=
+=1JP9
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 48fd505d48..6147080510 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -7,6 +7,23 @@
 2020
+
+ 4
+
+
+ 21
+
+
+ FreeBSD-SA-20:11.openssl
+
+
+
+ FreeBSD-SA-20:10.ipfw
+
+
+
+
+
 3
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index 7b867cbc5a..8c3aa1131e 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -7,6 +7,19 @@
 2020
+
+ 4
+
+
+ 21
+
+
+ FreeBSD-EN-20:07.quotad
+
+
+
+
+
 3