Add EN-19:14, EN-19:15, and SA-19:18 to SA-19:21.

Approved by:	so
This commit is contained in:
Gordon Tetlow 2019-08-06 17:31:19 +00:00
parent 5d8fe221ff
commit c0889e8ec6
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=53296
22 changed files with 1960 additions and 0 deletions

@ -0,0 +1,125 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-19:14.epoch Errata Notice
The FreeBSD Project
Topic: Incorrect locking in epoch(9)
Category: core
Module: kernel
Announced: 2019-08-06
Credits: Mark Johnston
Affects: FreeBSD 12.0
Corrected: 2019-07-27 16:11:04 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:07:43 UTC (releng/12.0, 12.0-RELEASE-p9)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Some parts of the kernel use a new synchronization primitive, epoch(9),
which can be used to implement safe memory reclamation. In this usage,
threads can use the epoch(9) KPI to ensure that no other threads hold
a reference to a given object in memory.
II. Problem Description
In the case where epoch(9) must wait for a thread that is blocked on
a lock, it will use the turnstile(9) KPI to propagate the current
thread's priority to the lock holder. However, in the case where the
lock has no designated owner - for example, it is a reader-writer lock
owned by one or more readers - a bug in the interaction with the
turnstile meant that a pair of spin locks were left locked when they
should have been unlocked.
III. Impact
In rare cases and under heavy load, the kernel may panic or lock up.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-19:14/epoch.patch
# fetch https://security.FreeBSD.org/patches/EN-19:14/epoch.patch.asc
# gpg --verify epoch.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r350373
releng/12.0/ r350641
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:14.epoch.asc>

@ -0,0 +1,130 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-19:15.libunwind Errata Notice
The FreeBSD Project
Topic: Incorrect exception handling
Category: contrib
Module: libunwind
Announced: 2019-08-06
Affects: FreeBSD 11.2, FreeBSD 12.0
Corrected: 2019-08-06 17:08:30 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-06 17:08:30 UTC (releng/11.2, 11.2-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The libunwind library, which originates from the LLVM project, is responsible
for handling the unwinding of stack frames when programs throw C or C++
style exceptions. It uses exception handling information embedded in the
executable file to determine the layout of the stack at the time the
exception is being processed.
II. Problem Description
In some cases, the exception handling information embedded in executables is
not correctly interpreted by libunwind. This causes it to emit a runtime
error, and abort the affected program.
III. Impact
Affected programs will show a message on the standard error stream when
they attempt to throw an exception:
libunwind: getEncodedP \
/usr/src/contrib/llvm/projects/libunwind/src/AddressSpace.hpp:280 - \
unknown pointer encoding
After this message, the program will be aborted using the abort(3) function,
which usually results in a core dump.
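The header layout involved, as an added example that is neither the errata notice's nor libunwind's code: a small parser for the fixed part of an .eh_frame_hdr section that treats DW_EH_PE_omit as the fde_count encoding the way the corrected libunwind does (no count, no search table) and reports any encoding it does not understand as an error instead of aborting. The encoding constants and section layout are the standard LSB ones; the header bytes, the load address 0x1000 and the function names are constructed for this example, and a little-endian target is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DWARF pointer-encoding constants used by .eh_frame_hdr (LSB). */
#define DW_EH_PE_absptr  0x00
#define DW_EH_PE_udata4  0x03
#define DW_EH_PE_udata8  0x04
#define DW_EH_PE_sdata4  0x0B
#define DW_EH_PE_sdata8  0x0C
#define DW_EH_PE_pcrel   0x10
#define DW_EH_PE_datarel 0x30
#define DW_EH_PE_omit    0xFF

struct eh_hdr_info {
    uint64_t eh_frame_ptr; /* address of the .eh_frame section */
    uint64_t fde_count;    /* entries in the binary search table, 0 if omitted */
    size_t   table_off;    /* offset of the search table inside the section */
    uint8_t  table_enc;    /* encoding of the table entries */
};

/* Decode one encoded pointer at buf[*off]; field_addr is the load address of
 * the field (pcrel base), data_addr that of the section (datarel base).
 * Returns -1 on truncation or an encoding we do not handle, instead of
 * aborting the process as the pre-EN-19:15 libunwind did. */
static int get_encoded_p(const uint8_t *buf, size_t len, size_t *off, uint8_t enc,
                         uint64_t field_addr, uint64_t data_addr, uint64_t *out)
{
    size_t width;
    uint64_t v = 0;
    int is_signed = 0;
    switch (enc & 0x0F) {
    case DW_EH_PE_absptr: width = 8; break;
    case DW_EH_PE_udata4: width = 4; break;
    case DW_EH_PE_udata8: width = 8; break;
    case DW_EH_PE_sdata4: width = 4; is_signed = 1; break;
    case DW_EH_PE_sdata8: width = 8; is_signed = 1; break;
    default: return -1; /* uleb128/sleb128/udata2 etc. not needed here */
    }
    if (*off > len || len - *off < width)
        return -1;      /* header is truncated */
    for (size_t i = 0; i < width; i++) /* little-endian target assumed */
        v |= (uint64_t)buf[*off + i] << (8 * i);
    if (is_signed && width < 8 && (v & ((uint64_t)1 << (8 * width - 1))))
        v |= ~(uint64_t)0 << (8 * width); /* sign-extend */
    *off += width;

    switch (enc & 0x70) {
    case 0:                *out = v; break;
    case DW_EH_PE_pcrel:   *out = field_addr + v; break;
    case DW_EH_PE_datarel: *out = data_addr + v; break;
    default: return -1;    /* textrel/funcrel need context we do not have */
    }
    return 0;
}

/* Parse the fixed part of .eh_frame_hdr; hdr_addr is where it is mapped. */
int parse_eh_frame_hdr(const uint8_t *buf, size_t len, uint64_t hdr_addr,
                       struct eh_hdr_info *info)
{
    size_t off = 4;
    memset(info, 0, sizeof(*info));
    if (len < 4 || buf[0] != 1) /* only version 1 exists */
        return -1;
    info->table_enc = buf[3];
    if (get_encoded_p(buf, len, &off, buf[1], hdr_addr + off, hdr_addr,
                      &info->eh_frame_ptr) != 0)
        return -1;
    /* EN-19:15's point: DW_EH_PE_omit as fde_count_enc means "no count, no
     * search table", not an unknown encoding; fde_count stays 0 and callers
     * must then scan .eh_frame instead of indexing the table. */
    if (buf[2] != DW_EH_PE_omit &&
        get_encoded_p(buf, len, &off, buf[2], hdr_addr + off, hdr_addr,
                      &info->fde_count) != 0)
        return -1;
    info->table_off = off;
    return 0;
}

/* Constructed samples: version 1, eh_frame_ptr pcrel|sdata4 (+0x100 from its
 * own field), table entries datarel|sdata4. */
static const uint8_t hdr_with_count[] = { 0x01, 0x1B, 0x03, 0x3B,
    0x00, 0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 }; /* fde_count = 2 */
static const uint8_t hdr_count_omitted[] = { 0x01, 0x1B, 0xFF, 0x3B,
    0x00, 0x01, 0x00, 0x00 };                         /* fde_count_enc = omit */
static const uint8_t hdr_uleb_count[] = { 0x01, 0x1B, 0x01, 0x3B,
    0x00, 0x01, 0x00, 0x00, 0x02 };                   /* uleb128: rejected */

int main(void)
{
    struct eh_hdr_info info;
    int rc = parse_eh_frame_hdr(hdr_count_omitted, sizeof(hdr_count_omitted),
                                0x1000, &info);
    printf("rc=%d eh_frame_ptr=0x%llx fde_count=%llu table_off=%zu\n", rc,
           (unsigned long long)info.eh_frame_ptr,
           (unsigned long long)info.fde_count, info.table_off);
    return rc;
}
```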
IV. Workaround
No workaround is available.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-19:15/libunwind.patch
# fetch https://security.FreeBSD.org/patches/EN-19:15/libunwind.patch.asc
# gpg --verify libunwind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>, and
reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
releng/12.0/ r350642
releng/11.2/ r350642
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234201>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:15.libunwind.asc>

@ -0,0 +1,144 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:18.bzip2 Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in bzip2
Category: contrib
Module: bzip2
Announced: 2019-08-06
Affects: All supported versions of FreeBSD.
Corrected: 2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name: CVE-2016-3189, CVE-2019-12900
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and
decompress files using an algorithm based on the Burrows-Wheeler transform.
They are generally slower than Lempel-Ziv compressors such as gzip, but
usually provide a greater compression ratio.
The bzip2recover utility extracts blocks from a damaged bzip2(1) file,
permitting partial recovery of the contents of the file.
II. Problem Description
The decompressor used in bzip2 contains a bug which can lead to an
out-of-bounds write when processing a specially crafted bzip2(1) file.
bzip2recover contains a heap use-after-free bug which can be triggered
when processing a specially crafted bzip2(1) file.
III. Impact
An attacker who can cause maliciously crafted input to be processed
may trigger either of these bugs. The bzip2recover bug may cause a
crash, permitting a denial-of-service. The bzip2 decompressor bug
could potentially be exploited to execute arbitrary code.
Note that some utilities, including the tar(1) archiver and the bspatch(1)
binary patching utility (used in portsnap(8) and freebsd-update(8))
decompress bzip2(1)-compressed data internally; system administrators should
assume that their systems will at some point decompress bzip2(1)-compressed
data even if they never explicitly invoke the bunzip2(1) utility.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart daemons if necessary.
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc
# gpg --verify bzip2.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r349717
releng/12.0/ r350643
stable/11/ r349718
releng/11.3/ r350643
releng/11.2/ r350643
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc>

@ -0,0 +1,137 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:19.mldv2 Security Advisory
The FreeBSD Project
Topic: ICMPv6 / MLDv2 out-of-bounds memory access
Category: core
Module: net
Announced: 2019-08-06
Credits: CJD of Apple
Affects: All supported versions of FreeBSD.
Corrected: 2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name: CVE-2019-5608
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
MLDv2 is the Multicast Listener Discovery protocol, version 2. It is used
by IPv6 routers to discover multicast listeners.
II. Problem Description
The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
query packet is internally fragmented across multiple mbufs.
III. Impact
A remote attacker may be able to cause an out-of-bounds read or write that
may cause the kernel to attempt to access an unmapped page and subsequently
panic.
IV. Workaround
No workaround is available. Systems not using IPv6 are not affected.
V. Solution
Perform one of the following:
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Reboot for security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.2, FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc
# gpg --verify mldv2.11.patch.asc
[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc
# gpg --verify mldv2.12.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r350648
releng/12.0/ r350644
stable/11/ r350650
releng/11.3/ r350644
releng/11.2/ r350644
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5608>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:19.mldv2.asc>

@ -0,0 +1,131 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:20.bsnmp Security Advisory
The FreeBSD Project
Topic: Insufficient message length validation in bsnmp library
Category: contrib
Module: bsnmp
Announced: 2019-08-06
Credits: Guido Vranken <guidovranken@gmail.com>
Affects: All supported versions of FreeBSD.
Corrected: 2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name: CVE-2019-5610
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The bsnmp software library is used for the Internet SNMP (Simple Network
Management Protocol). As part of this it includes functions to handle ASN.1
(Abstract Syntax Notation One).
II. Problem Description
A function extracting the length from type-length-value encoding is not
properly validating the submitted length.
III. Impact
A remote user could cause, for example, an out-of-bounds read or the
decoding of unrelated data, or trigger a crash of software such as bsnmpd,
resulting in a denial of service.
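A length decoder with the checks the advisory refers to, as an added example (not bsnmp's own code): BER type-length-value headers where the long-form length may not use more octets than fit in a size_t, the indefinite form is rejected, and the decoded content length is compared against the octets actually remaining before anything is read. The sample messages and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum asn_err {
    ASN_OK = 0,
    ASN_ERR_TRUNCATED, /* header or value extends past the end of the buffer */
    ASN_ERR_BADLEN,    /* indefinite length or too many length octets */
    ASN_ERR_TAG        /* high-tag-number form: not used by SNMP */
};

struct asn_tlv {
    uint8_t        type;   /* identifier octet */
    size_t         hdrlen; /* octets consumed by type + length */
    const uint8_t *value;  /* first content octet */
    size_t         vlen;   /* number of content octets */
};

/* Decode one BER TLV header from buf[0..len). Nothing past len is read, and
 * on success the content octets are guaranteed to lie inside the buffer. */
enum asn_err asn_get_header(const uint8_t *buf, size_t len, struct asn_tlv *tlv)
{
    size_t pos = 0, n;

    if (len < 2)
        return ASN_ERR_TRUNCATED;       /* need at least type + one length octet */
    tlv->type = buf[pos++];
    if ((tlv->type & 0x1F) == 0x1F)
        return ASN_ERR_TAG;
    if (buf[pos] < 0x80) {              /* short form: the octet is the length */
        tlv->vlen = buf[pos++];
    } else {                            /* long form: 0x80|n, then n octets */
        n = buf[pos++] & 0x7F;
        if (n == 0)
            return ASN_ERR_BADLEN;      /* indefinite form is not valid here */
        if (n > sizeof(size_t))
            return ASN_ERR_BADLEN;      /* length would not fit in size_t */
        if (len - pos < n)
            return ASN_ERR_TRUNCATED;   /* the length octets themselves are cut */
        tlv->vlen = 0;
        while (n-- > 0)
            tlv->vlen = (tlv->vlen << 8) | buf[pos++];
    }
    /* The validation SA-19:20 says was missing: the decoded length must not
     * exceed what is actually left, or the caller reads past the message. */
    if (tlv->vlen > len - pos)
        return ASN_ERR_TRUNCATED;
    tlv->hdrlen = pos;
    tlv->value = buf + pos;
    return ASN_OK;
}

/* Count the elements of a constructed value (e.g. a SEQUENCE body), stopping
 * at the first malformed one; *err reports why the walk stopped. */
int asn_count_elements(const uint8_t *buf, size_t len, enum asn_err *err)
{
    struct asn_tlv t;
    int count = 0;

    while (len > 0) {
        if ((*err = asn_get_header(buf, len, &t)) != ASN_OK)
            return count;
        count++;
        buf = t.value + t.vlen;         /* safe: bounded by the check above */
        len -= t.hdrlen + t.vlen;
    }
    *err = ASN_OK;
    return count;
}

/* Constructed samples. good_msg: SEQUENCE { INTEGER 0, OCTET STRING "public" }.
 * bad_len_msg: the same, but the OCTET STRING header claims 0x1000 content
 * octets (long form 0x82 0x10 0x00) while only six follow. */
static const uint8_t good_msg[] = {
    0x30, 0x0B, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c' };
static const uint8_t bad_len_msg[] = {
    0x30, 0x0D, 0x02, 0x01, 0x00, 0x04, 0x82, 0x10, 0x00,
    'p', 'u', 'b', 'l', 'i', 'c' };
static const uint8_t indefinite_msg[] = { 0x04, 0x80, 0x00, 0x00 };
static const uint8_t huge_len_msg[] = { 0x04, 0x89, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    struct asn_tlv seq;
    enum asn_err err;
    int n;

    if (asn_get_header(bad_len_msg, sizeof(bad_len_msg), &seq) != ASN_OK)
        return 1;
    n = asn_count_elements(seq.value, seq.vlen, &err);
    printf("decoded %d element(s) before error %d\n", n, (int)err);
    return 0;
}
```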
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc
# gpg --verify bsnmp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r350637
releng/12.0/ r350646
stable/11/ r350638
releng/11.3/ r350646
releng/11.2/ r350646
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc>

@ -0,0 +1,142 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:21.bhyve Security Advisory
The FreeBSD Project
Topic: Insufficient validation of guest-supplied data (e1000 device)
Category: core
Module: bhyve
Announced: 2019-08-06
Credits: Reno Robert
Affects: All supported versions of FreeBSD.
Corrected: 2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name: CVE-2019-5609
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
bhyve(8) is a hypervisor that supports running a variety of guest operating
systems in virtual machines. bhyve(8) includes an emulated Intel 82545
network interface adapter ("e1000").
II. Problem Description
The e1000 network adapters permit a variety of modifications to an Ethernet
packet when it is being transmitted. These include the insertion of IP and
TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
offload ("TSO"). The e1000 device model uses an on-stack buffer to generate
the modified packet header when simulating these modifications on transmitted
packets.
When TCP segmentation offload is requested for a transmitted packet, the
e1000 device model used a guest-provided value to determine the size of the
on-stack buffer without validation. The subsequent header generation could
overflow an incorrectly sized buffer or indirect a pointer composed of stack
garbage.
III. Impact
A misbehaving bhyve guest could overwrite memory in the bhyve process on the
host.
IV. Workaround
Only the e1000 device model is affected; the virtio-net device is not
affected by this issue. If supported by the guest operating system,
presenting only the virtio-net device to the guest is a suitable workaround.
No workaround is available if the e1000 device model is required.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart any affected virtual machines.
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
# gpg --verify bhyve.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable virtual machines, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r350619
releng/12.0/ r350647
stable/11/ r350619
releng/11.3/ r350647
releng/11.2/ r350647
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc>

@ -0,0 +1,87 @@
--- sys/kern/subr_epoch.c.orig
+++ sys/kern/subr_epoch.c
@@ -325,24 +325,20 @@
*/
critical_enter();
thread_unlock(td);
- owner = turnstile_lock(ts, &lock);
- /*
- * The owner pointer indicates that the lock succeeded. Only
- * in case we hold the lock and the turnstile we locked is still
- * the one that curwaittd is blocked on can we continue. Otherwise
- * The turnstile pointer has been changed out from underneath
- * us, as in the case where the lock holder has signalled curwaittd,
- * and we need to continue.
- */
- if (owner != NULL && ts == curwaittd->td_blocked) {
- MPASS(TD_IS_INHIBITED(curwaittd) && TD_ON_LOCK(curwaittd));
- critical_exit();
- turnstile_wait(ts, owner, curwaittd->td_tsqueue);
- counter_u64_add(turnstile_count, 1);
- thread_lock(td);
- return;
- } else if (owner != NULL)
+
+ if (turnstile_lock(ts, &lock, &owner)) {
+ if (ts == curwaittd->td_blocked) {
+ MPASS(TD_IS_INHIBITED(curwaittd) &&
+ TD_ON_LOCK(curwaittd));
+ critical_exit();
+ turnstile_wait(ts, owner,
+ curwaittd->td_tsqueue);
+ counter_u64_add(turnstile_count, 1);
+ thread_lock(td);
+ return;
+ }
turnstile_unlock(ts, lock);
+ }
thread_lock(td);
critical_exit();
KASSERT(td->td_locks == locksheld,
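Review bot: the `if (ts == curwaittd->td_blocked)` branch is now entered even when `owner` is NULL (a lock with no designated owner, the reader-held rwlock case the notice describes), so `turnstile_wait(ts, owner, curwaittd->td_tsqueue)` can be reached with a NULL owner where the old code only waited under `owner != NULL`; that looks intended, since the removed `else if (owner != NULL)` guard is exactly what skipped `turnstile_unlock(ts, lock)` after a successful lock with no owner, but the hunk deletes the eight-line comment explaining the ownership semantics and adds none for the new flow. Suggest a short comment above `if (turnstile_lock(ts, &lock, &owner)) {` stating that a true return means the spin locks are held and must be released with turnstile_unlock() whether or not `owner` is set, and confirming that turnstile_wait() accepts a NULL owner.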
--- sys/kern/subr_turnstile.c.orig
+++ sys/kern/subr_turnstile.c
@@ -566,14 +566,15 @@
return (ts);
}
-struct thread *
-turnstile_lock(struct turnstile *ts, struct lock_object **lockp)
+bool
+turnstile_lock(struct turnstile *ts, struct lock_object **lockp,
+ struct thread **tdp)
{
struct turnstile_chain *tc;
struct lock_object *lock;
if ((lock = ts->ts_lockobj) == NULL)
- return (NULL);
+ return (false);
tc = TC_LOOKUP(lock);
mtx_lock_spin(&tc->tc_lock);
mtx_lock_spin(&ts->ts_lock);
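Review bot: `*lockp` and the new `*tdp` out-parameter are written only on the success path, so `owner` in the subr_epoch.c caller is indeterminate after a `return (false)`; either state in a comment on the new signature that both out-parameters are valid only when the function returns true, or set `*tdp = NULL` before each early `return (false)` so a careless caller cannot dereference stack garbage.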
@@ -580,10 +581,11 @@
if (__predict_false(lock != ts->ts_lockobj)) {
mtx_unlock_spin(&tc->tc_lock);
mtx_unlock_spin(&ts->ts_lock);
- return (NULL);
+ return (false);
}
*lockp = lock;
- return (ts->ts_owner);
+ *tdp = ts->ts_owner;
+ return (true);
}
void
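Review bot: `*tdp = ts->ts_owner; return (true);` means the function now reports success even when `ts_owner` is NULL, which is the behaviour change the fix depends on: callers can finally distinguish "the turnstile could not be locked" from "locked, but the lock has no owner", whereas the old `return (ts->ts_owner)` folded both into NULL and left the chain and turnstile spin locks held in the second case. That contract deserves a sentence in the function's comment block rather than being visible only from the diff.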
--- sys/sys/turnstile.h.orig
+++ sys/sys/turnstile.h
@@ -100,7 +100,8 @@
struct turnstile *turnstile_trywait(struct lock_object *);
void turnstile_unpend(struct turnstile *);
void turnstile_wait(struct turnstile *, struct thread *, int);
-struct thread *turnstile_lock(struct turnstile *, struct lock_object **);
+bool turnstile_lock(struct turnstile *, struct lock_object **,
+ struct thread **);
void turnstile_unlock(struct turnstile *, struct lock_object *);
void turnstile_assert(struct turnstile *);
#endif /* _KERNEL */
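Review bot: the prototype now uses `bool`; verify that sys/sys/turnstile.h, or every translation unit that includes it, already has a header providing `bool` under `_KERNEL`, and add the include here if not, rather than depending on include order in callers.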

@ -0,0 +1,13 @@
--- contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp.orig
+++ contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp
@@ -68,7 +68,9 @@
ehHdrInfo.eh_frame_ptr =
addressSpace.getEncodedP(p, ehHdrEnd, eh_frame_ptr_enc, ehHdrStart);
ehHdrInfo.fde_count =
- addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart);
+ fde_count_enc == DW_EH_PE_omit
+ ? 0
+ : addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart);
ehHdrInfo.table = p;
}
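Review bot: the `DW_EH_PE_omit` guard is applied to `fde_count_enc` only; the `getEncodedP()` call for `eh_frame_ptr` two lines above is unchanged, so an omitted `eh_frame_ptr_enc` would still take the "unknown pointer encoding" path that EN-19:15 describes. If omission is only legal for the FDE count, a comment saying so would pre-empt the question; also confirm that every consumer of `ehHdrInfo.fde_count == 0` treats it as "no binary search table" and falls back to scanning .eh_frame, since this hunk still sets `ehHdrInfo.table = p`.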

@ -0,0 +1,490 @@
--- contrib/bzip2/CHANGES.orig
+++ contrib/bzip2/CHANGES
@@ -2,8 +2,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
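Review bot: the version line moves to 1.0.7 of 27 June 2019 while the copyright range on the following line still ends in 2010; the same two-line header block is repeated in the README, README.COMPILATION.PROBLEMS and blocksort.c hunks below, so if the range is corrected it should be corrected in all of them in one go (this is an upstream import, so the mismatch may be upstream's to fix).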
@@ -325,3 +325,16 @@
Izdebski.
* Make the documentation build on Ubuntu 10.04
+
+1.0.7 (27 Jun 19)
+~~~~~~~~~~~~~~~~~
+
+* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH
+
+* bzip2: Fix return value when combining --test,-t and -q.
+
+* bzip2recover: Fix buffer overflow for large argv[0]
+
+* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)
+
+* Make sure nSelectors is not out of range (CVE-2019-12900)
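Review bot: the last entry, `Make sure nSelectors is not out of range (CVE-2019-12900)`, is the only one in this 1.0.7 block that does not say which component it touches (the others are prefixed `bzip2:` or `bzip2recover:`); naming the decompressor, which SA-19:18 identifies as the location of the out-of-bounds write, would make the changelog line match the advisory.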
--- contrib/bzip2/LICENSE.orig
+++ contrib/bzip2/LICENSE
@@ -36,7 +36,7 @@
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-Julian Seward, jseward@bzip.org
-bzip2/libbzip2 version 1.0.6 of 6 September 2010
+Julian Seward, jseward@acm.org
+bzip2/libbzip2 version 1.0.7 of 27 June 2019
--------------------------------------------------------------------------
--- contrib/bzip2/README.orig
+++ contrib/bzip2/README
@@ -6,8 +6,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
-bzip2/libbzip2 version 1.0.6 of 6 September 2010
-Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+bzip2/libbzip2 version 1.0.7 of 27 June 2019
+Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in this file.
@@ -73,7 +73,7 @@
It's difficult for me to support compilation on all these platforms.
My approach is to collect binaries for these platforms, and put them
-on the master web site (http://www.bzip.org). Look there. However
+on the master web site (https://sourceware.org/bzip2/). Look there. However
(FWIW), bzip2-1.0.X is very standard ANSI C and should compile
unmodified with MS Visual C. If you have difficulties building, you
might want to read README.COMPILATION.PROBLEMS.
@@ -161,33 +161,12 @@
* Many small improvements in file and flag handling.
* A Y2K statement.
-WHAT'S NEW IN 1.0.0 ?
+WHAT'S NEW IN 1.0.x ?
See the CHANGES file.
-WHAT'S NEW IN 1.0.2 ?
-
- See the CHANGES file.
-
-WHAT'S NEW IN 1.0.3 ?
-
- See the CHANGES file.
-
-WHAT'S NEW IN 1.0.4 ?
-
- See the CHANGES file.
-
-WHAT'S NEW IN 1.0.5 ?
-
- See the CHANGES file.
-
-WHAT'S NEW IN 1.0.6 ?
-
- See the CHANGES file.
-
-
I hope you find bzip2 useful. Feel free to contact me at
- jseward@bzip.org
+ jseward@acm.org
if you have any suggestions or queries. Many people mailed me with
comments, suggestions and patches after the releases of bzip-0.15,
bzip-0.21, and bzip2 versions 0.1pl2, 0.9.0, 0.9.5, 1.0.0, 1.0.1,
@@ -194,10 +173,10 @@
1.0.2 and 1.0.3, and the changes in bzip2 are largely a result of this
feedback. I thank you for your comments.
-bzip2's "home" is http://www.bzip.org/
+bzip2's "home" is https://sourceware.org/bzip2/
Julian Seward
-jseward@bzip.org
+jseward@acm.org
Cambridge, UK.
18 July 1996 (version 0.15)
@@ -213,3 +192,4 @@
20 December 2006 (bzip2, version 1.0.4)
10 December 2007 (bzip2, version 1.0.5)
6 Sept 2010 (bzip2, version 1.0.6)
+27 June 2019 (bzip2, version 1.0.7)
--- contrib/bzip2/README.COMPILATION.PROBLEMS.orig
+++ contrib/bzip2/README.COMPILATION.PROBLEMS
@@ -2,8 +2,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
-bzip2/libbzip2 version 1.0.6 of 6 September 2010
-Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+bzip2/libbzip2 version 1.0.7 of 27 June 2019
+Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
@@ -12,7 +12,7 @@
in the file LICENSE.
------------------------------------------------------------------
-bzip2-1.0.6 should compile without problems on the vast majority of
+bzip2 should compile without problems on the vast majority of
platforms. Using the supplied Makefile, I've built and tested it
myself for x86-linux and amd64-linux. With makefile.msc, Visual C++
6.0 and nmake, you can build a native Win32 version too. Large file
--- contrib/bzip2/blocksort.c.orig
+++ contrib/bzip2/blocksort.c
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
@@ -202,9 +202,9 @@
bhtab [ 0 .. 2+(nblock/32) ] destroyed
*/
-#define SET_BH(zz) bhtab[(zz) >> 5] |= (1 << ((zz) & 31))
-#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~(1 << ((zz) & 31))
-#define ISSET_BH(zz) (bhtab[(zz) >> 5] & (1 << ((zz) & 31)))
+#define SET_BH(zz) bhtab[(zz) >> 5] |= ((UInt32)1 << ((zz) & 31))
+#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~((UInt32)1 << ((zz) & 31))
+#define ISSET_BH(zz) (bhtab[(zz) >> 5] & ((UInt32)1 << ((zz) & 31)))
#define WORD_BH(zz) bhtab[(zz) >> 5]
#define UNALIGNED_BH(zz) ((zz) & 0x01f)
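Review bot: the UInt32 cast in SET_BH, CLEAR_BH and ISSET_BH fixes a signed-shift problem rather than a logic one: with a plain int constant, `1 << ((zz) & 31)` evaluates `1 << 31` whenever the low five bits of zz are all set, which overflows a 32-bit signed int and is undefined behaviour in C (in practice it yields INT_MIN and a compiler warning, and is then converted to the unsigned bhtab element). Shifting an unsigned 1 is well defined and makes the intent explicit. WORD_BH and UNALIGNED_BH need no change since they do not shift.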
--- contrib/bzip2/bzip2.1.orig
+++ contrib/bzip2/bzip2.1
@@ -1,6 +1,6 @@
.TH bzip2 1
.SH NAME
-bzip2, bunzip2 \- a block-sorting file compressor, v1.0.6
+bzip2, bunzip2 \- a block-sorting file compressor, v1.0.7
.br
bzcat \- decompresses files to stdout
.br
@@ -404,7 +404,7 @@
tries hard to detect I/O errors and exit cleanly, but the details of
what the problem is sometimes seem rather misleading.
-This manual page pertains to version 1.0.6 of
+This manual page pertains to version 1.0.7 of
.I bzip2.
Compressed data created by this version is entirely forwards and
backwards compatible with the previous public releases, versions
@@ -426,9 +426,9 @@
.SH AUTHOR
-Julian Seward, jsewardbzip.org.
+Julian Seward, jseward@acm.org.
-http://www.bzip.org
+https://sourceware.org/bzip2/
The ideas embodied in
.I bzip2
--- contrib/bzip2/bzip2.c.orig
+++ contrib/bzip2/bzip2.c
@@ -7,8 +7,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
@@ -554,7 +554,7 @@
Bool testStream ( FILE *zStream )
{
BZFILE* bzf = NULL;
- Int32 bzerr, bzerr_dummy, ret, nread, streamNo, i;
+ Int32 bzerr, bzerr_dummy, ret, streamNo, i;
UChar obuf[5000];
UChar unused[BZ_MAX_UNUSED];
Int32 nUnused;
@@ -577,7 +577,7 @@
streamNo++;
while (bzerr == BZ_OK) {
- nread = BZ2_bzRead ( &bzerr, bzf, obuf, 5000 );
+ BZ2_bzRead ( &bzerr, bzf, obuf, 5000 );
if (bzerr == BZ_DATA_ERROR_MAGIC) goto errhandler;
}
if (bzerr != BZ_STREAM_END) goto errhandler;
@@ -749,7 +749,7 @@
"\n%s: PANIC -- internal consistency error:\n"
"\t%s\n"
"\tThis is a BUG. Please report it to me at:\n"
- "\tjseward@bzip.org\n",
+ "\tjseward@acm.org\n",
progName, s );
showFileNames();
cleanUpAndFail( 3 );
@@ -829,7 +829,7 @@
" The user's manual, Section 4.3, has more info on (1) and (2).\n"
" \n"
" If you suspect this is a bug in bzip2, or are unsure about (1)\n"
- " or (2), feel free to report it to me at: jseward@bzip.org.\n"
+ " or (2), feel free to report it to me at: jseward@acm.org.\n"
" Section 4.3 of the user's manual describes the info a useful\n"
" bug report should have. If the manual is available on your\n"
" system, please try and read it before mailing me. If you don't\n"
@@ -852,7 +852,7 @@
" The user's manual, Section 4.3, has more info on (2) and (3).\n"
" \n"
" If you suspect this is a bug in bzip2, or are unsure about (2)\n"
- " or (3), feel free to report it to me at: jseward@bzip.org.\n"
+ " or (3), feel free to report it to me at: jseward@acm.org.\n"
" Section 4.3 of the user's manual describes the info a useful\n"
" bug report should have. If the manual is available on your\n"
" system, please try and read it before mailing me. If you don't\n"
@@ -1609,7 +1609,7 @@
" \n"
" This program is free software; you can redistribute it and/or modify\n"
" it under the terms set out in the LICENSE file, which is included\n"
- " in the bzip2-1.0.6 source distribution.\n"
+ " in the bzip2 source distribution.\n"
" \n"
" This program is distributed in the hope that it will be useful,\n"
" but WITHOUT ANY WARRANTY; without even the implied warranty of\n"
@@ -2005,12 +2005,14 @@
testf ( aa->name );
}
}
- if (testFailsExist && noisy) {
- fprintf ( stderr,
- "\n"
- "You can use the `bzip2recover' program to attempt to recover\n"
- "data from undamaged sections of corrupted files.\n\n"
- );
+ if (testFailsExist) {
+ if (noisy) {
+ fprintf ( stderr,
+ "\n"
+ "You can use the `bzip2recover' program to attempt to recover\n"
+ "data from undamaged sections of corrupted files.\n\n"
+ );
+ }
setExit(2);
exit(exitValue);
}
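Review bot: besides re-nesting the message, this hunk changes behaviour in quiet mode and that deserves a sentence in the commit text. In the removed code setExit(2) and exit(exitValue) sat inside `if (testFailsExist && noisy)`, so with noisy cleared a failed integrity test fell through this block without the failure exit status; the new structure sets the exit status whenever testFailsExist and only gates the bzip2recover hint on noisy. Scripts that rely on bzip2's exit code in quiet mode will see a different result after this change, which is the correct one, but confirm it is intended.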
--- contrib/bzip2/bzip2recover.c.orig
+++ contrib/bzip2/bzip2recover.c
@@ -7,8 +7,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
@@ -309,11 +309,12 @@
UInt32 buffHi, buffLo, blockCRC;
Char* p;
- strcpy ( progName, argv[0] );
+ strncpy ( progName, argv[0], BZ_MAX_FILENAME-1);
+ progName[BZ_MAX_FILENAME-1]='\0';
inFileName[0] = outFileName[0] = 0;
fprintf ( stderr,
- "bzip2recover 1.0.6: extracts blocks from damaged .bz2 files.\n" );
+ "bzip2recover 1.0.7: extracts blocks from damaged .bz2 files.\n" );
if (argc != 2) {
fprintf ( stderr, "%s: usage is `%s damaged_file_name'.\n",
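Review bot: the strncpy plus explicit NUL termination is correct provided progName is declared with BZ_MAX_FILENAME bytes, which the bound assumes; a name longer than that is silently truncated, which is acceptable for a string used only in messages. One ordering point: argv[0] is copied before the `argc != 2` check below, so argc == 0 (argv[0] == NULL, which execve permits) still dereferences a null pointer; moving the copy after the argc check, or guarding on argv[0] != NULL, would close that.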
@@ -457,6 +458,7 @@
bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
bsPutUInt32 ( bsWr, blockCRC );
bsClose ( bsWr );
+ outFile = NULL;
}
if (wrBlock >= rbCtr) break;
wrBlock++;
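Review bot: resetting outFile to NULL right after bsClose is the right defensive step so the stale FILE pointer is not closed or written a second time when the loop exits on the following `if (wrBlock >= rbCtr) break;`, but it only helps if every later consumer of outFile (the error cleanup path in particular) tests for NULL first; that code is outside this hunk and should be checked.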
--- contrib/bzip2/bzlib.c.orig
+++ contrib/bzip2/bzlib.c
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
@@ -47,7 +47,7 @@
fprintf(stderr,
"\n\nbzip2/libbzip2: internal error number %d.\n"
"This is a bug in bzip2/libbzip2, %s.\n"
- "Please report it to me at: jseward@bzip.org. If this happened\n"
+ "Please report it to me at: jseward@acm.org. If this happened\n"
"when you were using some program which uses libbzip2 as a\n"
"component, you should also report this bug to the author(s)\n"
"of that program. Please make an effort to report this bug;\n"
--- contrib/bzip2/bzlib.h.orig
+++ contrib/bzip2/bzlib.h
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
--- contrib/bzip2/bzlib_private.h.orig
+++ contrib/bzip2/bzlib_private.h
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
@@ -36,7 +36,7 @@
/*-- General stuff. --*/
-#define BZ_VERSION "1.0.6, 6-Sept-2010"
+#define BZ_VERSION "1.0.7, 27-Jun-2019"
typedef char Char;
typedef unsigned char Bool;
--- contrib/bzip2/compress.c.orig
+++ contrib/bzip2/compress.c
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
--- contrib/bzip2/crctable.c.orig
+++ contrib/bzip2/crctable.c
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
--- contrib/bzip2/decompress.c.orig
+++ contrib/bzip2/decompress.c
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
@@ -285,9 +285,9 @@
/*--- Now the selectors ---*/
GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
- if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+ if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR);
GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
for (i = 0; i < nSelectors; i++) {
j = 0;
while (True) {
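Review bot: the new upper bound on nSelectors is the substantive fix here: GET_BITS reads a 15-bit count, so a crafted stream could declare far more selectors than the fixed-size selector arrays (presumably sized by BZ_MAX_SELECTORS) can hold, and the loop below then writes one entry per selector. Replacing the literal 6 with BZ_N_GROUPS is a no-op cleanup. Note the behavioural consequence: a stream declaring more than BZ_MAX_SELECTORS selectors is now rejected with BZ_DATA_ERROR instead of decoded, so if such streams exist in the wild an alternative is to read and discard the excess selectors rather than reject; either way a regression test with a stream at exactly BZ_MAX_SELECTORS and one above it is warranted.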
--- contrib/bzip2/huffman.c.orig
+++ contrib/bzip2/huffman.c
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
--- contrib/bzip2/randtable.c.orig
+++ contrib/bzip2/randtable.c
@@ -8,8 +8,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
--- contrib/bzip2/spewG.c.orig
+++ contrib/bzip2/spewG.c
@@ -13,8 +13,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
--- contrib/bzip2/unzcrash.c.orig
+++ contrib/bzip2/unzcrash.c
@@ -17,8 +17,8 @@
This file is part of bzip2/libbzip2, a program and library for
lossless, block-sorting data compression.
- bzip2/libbzip2 version 1.0.6 of 6 September 2010
- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org>
+ bzip2/libbzip2 version 1.0.7 of 27 June 2019
+ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>
Please read the WARNING, DISCLAIMER and PATENTS sections in the
README file.
--- contrib/bzip2/words2.orig
+++ contrib/bzip2/words2
@@ -1,5 +1,5 @@
Checking test results. If any of the four "cmp"s which follow
report any differences, something is wrong. If you can't easily
-figure out what, please let me know (jseward@bzip.org).
+figure out what, please let me know (jseward@acm.org).

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,138 @@
--- sys/netinet6/mld6.c.orig
+++ sys/netinet6/mld6.c
@@ -137,7 +137,7 @@
struct in6_multi *, const int, const int, const int,
const int);
static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *,
- struct mbuf *, const int, const int);
+ struct mbuf *, struct mldv2_query *, const int, const int);
static int mld_v2_merge_state_changes(struct in6_multi *,
struct mbufq *);
static void mld_v2_process_group_timers(struct mld_ifsoftc *,
@@ -144,7 +144,8 @@
struct mbufq *, struct mbufq *,
struct in6_multi *, const int);
static int mld_v2_process_group_query(struct in6_multi *,
- struct mld_ifsoftc *mli, int, struct mbuf *, const int);
+ struct mld_ifsoftc *mli, int, struct mbuf *,
+ struct mldv2_query *, const int);
static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS);
static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS);
@@ -794,16 +795,16 @@
* Process a received MLDv2 general, group-specific or
* group-and-source-specific query.
*
- * Assumes that the query header has been pulled up to sizeof(mldv2_query).
+ * Assumes that mld points to a struct mldv2_query which is stored in
+ * contiguous memory.
*
* Return 0 if successful, otherwise an appropriate error code is returned.
*/
static int
mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6,
- struct mbuf *m, const int off, const int icmp6len)
+ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len)
{
struct mld_ifsoftc *mli;
- struct mldv2_query *mld;
struct in6_multi *inm;
uint32_t maxdelay, nsrc, qqi;
int is_general_query;
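Review bot: the rewritten doc comment says mld must point to a contiguous struct mldv2_query; that holds for the caller in the last hunk only because it passes the same pointer it already validated with `icmp6len >= sizeof(struct mldv2_query)`. It would help to state explicitly that the source addresses following the header are NOT assumed contiguous, since that distinction is exactly why the per-source loop later in this patch switches to m_copydata.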
@@ -828,8 +829,6 @@
CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp));
- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off);
-
maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */
if (maxdelay >= 32768) {
maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) <<
@@ -954,7 +953,7 @@
* group-specific or group-and-source query.
*/
if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer)
- mld_v2_process_group_query(inm, mli, timer, m, off);
+ mld_v2_process_group_query(inm, mli, timer, m, mld, off);
/* XXX Clear embedded scope ID as userland won't expect it. */
in6_clearscope(&mld->mld_addr);
@@ -975,9 +974,8 @@
*/
static int
mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli,
- int timer, struct mbuf *m0, const int off)
+ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off)
{
- struct mldv2_query *mld;
int retval;
uint16_t nsrc;
@@ -985,7 +983,6 @@
MLD_LOCK_ASSERT();
retval = 0;
- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off);
switch (inm->in6m_state) {
case MLD_NOT_MEMBER:
@@ -1005,6 +1002,15 @@
nsrc = ntohs(mld->mld_numsrc);
+ /* Length should be checked by calling function. */
+ KASSERT((m0->m_flags & M_PKTHDR) == 0 ||
+ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr),
+ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)",
+ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr), m0));
+
+
/*
* Deal with group-specific queries upfront.
* If any group query is already pending, purge any recorded
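Review bot: the KASSERT documents the precondition but is compiled out on kernels without INVARIANTS, so it is not a check in itself; the comment "Length should be checked by calling function" puts that burden on mld_v2_input_query, and the only length check visible in this patch (`icmp6len >= sizeof(struct mldv2_query)` in the last hunk) does not cover the nsrc * sizeof(struct in6_addr) tail. Confirm that mld_v2_input_query validates icmp6len against nsrc before calling here; otherwise m_copydata in the next hunk walks off the end of the mbuf chain on production kernels. Style: the two added blank lines after the KASSERT should be one.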
@@ -1046,28 +1052,20 @@
* report for those sources.
*/
if (inm->in6m_nsrc > 0) {
- struct mbuf *m;
- uint8_t *sp;
+ struct in6_addr srcaddr;
int i, nrecorded;
int soff;
- m = m0;
soff = off + sizeof(struct mldv2_query);
nrecorded = 0;
for (i = 0; i < nsrc; i++) {
- sp = mtod(m, uint8_t *) + soff;
- retval = in6m_record_source(inm,
- (const struct in6_addr *)sp);
+ m_copydata(m0, soff, sizeof(struct in6_addr),
+ (caddr_t)&srcaddr);
+ retval = in6m_record_source(inm, &srcaddr);
if (retval < 0)
break;
nrecorded += retval;
soff += sizeof(struct in6_addr);
- if (soff >= m->m_len) {
- soff = soff - m->m_len;
- m = m->m_next;
- if (m == NULL)
- break;
- }
}
if (nrecorded > 0) {
CTR1(KTR_MLD,
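Review bot: this is the actual fix. In the removed loop sp was computed from the current mbuf and dereferenced before the `soff >= m->m_len` test, and the test only advanced to the next mbuf after the read, so a source address that lay beyond m_len or straddled an mbuf boundary was read out of bounds. m_copydata handles chained mbufs and split copies correctly, and copying into a stack struct in6_addr also removes the alignment hazard of casting a raw byte pointer. A regression test feeding a group-and-source-specific query whose source list is split across mbufs would lock this in.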
@@ -1276,8 +1274,8 @@
if (mld_v1_input_query(ifp, ip6, mld) != 0)
return (0);
} else if (icmp6len >= sizeof(struct mldv2_query)) {
- if (mld_v2_input_query(ifp, ip6, m, off,
- icmp6len) != 0)
+ if (mld_v2_input_query(ifp, ip6, m,
+ (struct mldv2_query *)mld, off, icmp6len) != 0)
return (0);
}
break;
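Review bot: the cast `(struct mldv2_query *)mld` is justified only by the enclosing `icmp6len >= sizeof(struct mldv2_query)` guard, and that guard only says the fixed header fits in the ICMPv6 payload, not that it is contiguous in the first mbuf; the header must still have been pulled up earlier in mld_input, as the comment this patch removes used to say. A one-line comment at the cast stating both assumptions would save the next reader from re-deriving them.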

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,138 @@
--- sys/netinet6/mld6.c.orig
+++ sys/netinet6/mld6.c
@@ -139,7 +139,7 @@
struct in6_multi *, const int, const int, const int,
const int);
static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *,
- struct mbuf *, const int, const int);
+ struct mbuf *, struct mldv2_query *, const int, const int);
static int mld_v2_merge_state_changes(struct in6_multi *,
struct mbufq *);
static void mld_v2_process_group_timers(struct in6_multi_head *,
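Review bot: this second mld6.c patch is the same change as the preceding one applied to a differently numbered mld6.c (hunk offsets are shifted by two and mld_v2_process_group_timers takes struct in6_multi_head * here), presumably for another branch; the review points on the previous patch apply to this one unchanged.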
@@ -146,7 +146,8 @@
struct mbufq *, struct mbufq *,
struct in6_multi *, const int);
static int mld_v2_process_group_query(struct in6_multi *,
- struct mld_ifsoftc *mli, int, struct mbuf *, const int);
+ struct mld_ifsoftc *mli, int, struct mbuf *,
+ struct mldv2_query *, const int);
static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS);
static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS);
@@ -803,16 +804,16 @@
* Process a received MLDv2 general, group-specific or
* group-and-source-specific query.
*
- * Assumes that the query header has been pulled up to sizeof(mldv2_query).
+ * Assumes that mld points to a struct mldv2_query which is stored in
+ * contiguous memory.
*
* Return 0 if successful, otherwise an appropriate error code is returned.
*/
static int
mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6,
- struct mbuf *m, const int off, const int icmp6len)
+ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len)
{
struct mld_ifsoftc *mli;
- struct mldv2_query *mld;
struct in6_multi *inm;
uint32_t maxdelay, nsrc, qqi;
int is_general_query;
@@ -844,8 +845,6 @@
CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp));
- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off);
-
maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */
if (maxdelay >= 32768) {
maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) <<
@@ -970,7 +969,7 @@
* group-specific or group-and-source query.
*/
if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer)
- mld_v2_process_group_query(inm, mli, timer, m, off);
+ mld_v2_process_group_query(inm, mli, timer, m, mld, off);
/* XXX Clear embedded scope ID as userland won't expect it. */
in6_clearscope(&mld->mld_addr);
@@ -991,9 +990,8 @@
*/
static int
mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli,
- int timer, struct mbuf *m0, const int off)
+ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off)
{
- struct mldv2_query *mld;
int retval;
uint16_t nsrc;
@@ -1001,7 +999,6 @@
MLD_LOCK_ASSERT();
retval = 0;
- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off);
switch (inm->in6m_state) {
case MLD_NOT_MEMBER:
@@ -1021,6 +1018,15 @@
nsrc = ntohs(mld->mld_numsrc);
+ /* Length should be checked by calling function. */
+ KASSERT((m0->m_flags & M_PKTHDR) == 0 ||
+ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr),
+ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)",
+ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) +
+ nsrc * sizeof(struct in6_addr), m0));
+
+
/*
* Deal with group-specific queries upfront.
* If any group query is already pending, purge any recorded
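Review bot: as in the previous patch, this KASSERT is a no-op without INVARIANTS and the comment defers the real length check to the caller; the nsrc-dependent check is not visible in this patch, so confirm mld_v2_input_query performs it before the m_copydata loop below runs. The two added blank lines should be one.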
@@ -1062,28 +1068,20 @@
* report for those sources.
*/
if (inm->in6m_nsrc > 0) {
- struct mbuf *m;
- uint8_t *sp;
+ struct in6_addr srcaddr;
int i, nrecorded;
int soff;
- m = m0;
soff = off + sizeof(struct mldv2_query);
nrecorded = 0;
for (i = 0; i < nsrc; i++) {
- sp = mtod(m, uint8_t *) + soff;
- retval = in6m_record_source(inm,
- (const struct in6_addr *)sp);
+ m_copydata(m0, soff, sizeof(struct in6_addr),
+ (caddr_t)&srcaddr);
+ retval = in6m_record_source(inm, &srcaddr);
if (retval < 0)
break;
nrecorded += retval;
soff += sizeof(struct in6_addr);
- if (soff >= m->m_len) {
- soff = soff - m->m_len;
- m = m->m_next;
- if (m == NULL)
- break;
- }
}
if (nrecorded > 0) {
CTR1(KTR_MLD,
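Review bot: same fix as in the previous patch: the removed loop dereferenced sp before checking soff against m->m_len and only moved to the next mbuf after the read, so a source address beyond the first mbuf or straddling a boundary was read out of bounds; m_copydata into a stack in6_addr handles chained mbufs and alignment correctly.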
@@ -1292,8 +1290,8 @@
if (mld_v1_input_query(ifp, ip6, mld) != 0)
return (0);
} else if (icmp6len >= sizeof(struct mldv2_query)) {
- if (mld_v2_input_query(ifp, ip6, m, off,
- icmp6len) != 0)
+ if (mld_v2_input_query(ifp, ip6, m,
+ (struct mldv2_query *)mld, off, icmp6len) != 0)
return (0);
}
break;

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,14 @@
--- contrib/bsnmp/lib/asn1.c
+++ contrib/bsnmp/lib/asn1.c
@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, as
*len = *b->asn_cptr++;
b->asn_len--;
}
+ if (*len > b->asn_len) {
+ asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len);
+ return (ASN_ERR_EOBUF);
+ }
+
return (ASN_ERR_OK);
}
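Review bot: the new bound check rejects any decoded element length that exceeds the bytes remaining in the buffer, so callers of asn_get_header can no longer be handed a *len that walks past the end of the input; placing it after the closing brace covers both the short-form and the long-form length decoding above it, and ASN_ERR_EOBUF is the right code since the condition is exactly "element longer than the buffer". One point to verify: the %u specifiers in asn_error must match the actual types of *len and b->asn_len; if asn_len is size_t, %zu is needed to avoid a format mismatch on LP64.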

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,103 @@
--- usr.sbin/bhyve/pci_e82545.c.orig
+++ usr.sbin/bhyve/pci_e82545.c
@@ -1078,8 +1078,9 @@
struct ck_info ckinfo[2];
struct iovec *iov;
union e1000_tx_udesc *dsc;
- int desc, dtype, len, ntype, iovcnt, tlen, hdrlen, vlen, tcp, tso;
+ int desc, dtype, len, ntype, iovcnt, tlen, tcp, tso;
int mss, paylen, seg, tiovcnt, left, now, nleft, nnow, pv, pvoff;
+ unsigned hdrlen, vlen;
uint32_t tcpsum, tcpseq;
uint16_t ipcs, tcpcs, ipid, ohead;
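Review bot: making hdrlen and vlen unsigned is what makes the `hdrlen > 240` and `hdrlen < ... + n` comparisons in the next hunk robust (a negative int could otherwise pass the upper-bound test), but the WPRINTF calls there still format hdrlen with %d; use %u to match the new type so -Wformat stays quiet and the logged value is never misreported.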
@@ -1223,6 +1224,68 @@
} else {
/* In case of TSO header length provided by software. */
hdrlen = sc->esc_txctx.tcp_seg_setup.fields.hdr_len;
+
+ /*
+ * Cap the header length at 240 based on 7.2.4.5 of
+ * the Intel 82576EB (Rev 2.63) datasheet.
+ */
+ if (hdrlen > 240) {
+ WPRINTF("TSO hdrlen too large: %d\r\n", hdrlen);
+ goto done;
+ }
+
+ /*
+ * If VLAN insertion is requested, ensure the header
+ * at least holds the amount of data copied during
+ * VLAN insertion below.
+ *
+ * XXX: Realistic packets will include a full Ethernet
+ * header before the IP header at ckinfo[0].ck_start,
+ * but this check is sufficient to prevent
+ * out-of-bounds access below.
+ */
+ if (vlen != 0 && hdrlen < ETHER_ADDR_LEN*2) {
+ WPRINTF("TSO hdrlen too small for vlan insertion "
+ "(%d vs %d) -- dropped\r\n", hdrlen,
+ ETHER_ADDR_LEN*2);
+ goto done;
+ }
+
+ /*
+ * Ensure that the header length covers the used fields
+ * in the IP and TCP headers as well as the IP and TCP
+ * checksums. The following fields are accessed below:
+ *
+ * Header | Field | Offset | Length
+ * -------+-------+--------+-------
+ * IPv4 | len | 2 | 2
+ * IPv4 | ID | 4 | 2
+ * IPv6 | len | 4 | 2
+ * TCP | seq # | 4 | 4
+ * TCP | flags | 13 | 1
+ * UDP | len | 4 | 4
+ */
+ if (hdrlen < ckinfo[0].ck_start + 6 ||
+ hdrlen < ckinfo[0].ck_off + 2) {
+ WPRINTF("TSO hdrlen too small for IP fields (%d) "
+ "-- dropped\r\n", hdrlen);
+ goto done;
+ }
+ if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) {
+ if (hdrlen < ckinfo[1].ck_start + 14 ||
+ (ckinfo[1].ck_valid &&
+ hdrlen < ckinfo[1].ck_off + 2)) {
+ WPRINTF("TSO hdrlen too small for TCP fields "
+ "(%d) -- dropped\r\n", hdrlen);
+ goto done;
+ }
+ } else {
+ if (hdrlen < ckinfo[1].ck_start + 8) {
+ WPRINTF("TSO hdrlen too small for UDP fields "
+ "(%d) -- dropped\r\n", hdrlen);
+ goto done;
+ }
+ }
}
/* Allocate, fill and prepend writable header vector. */
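Review bot: the offsets in the new checks agree with the table (IPv4 ID at 4+2 and IPv6 len at 4+2 give ck_start+6, TCP flags at 13+1 give ck_start+14, the checksum field gives ck_off+2), but the row "UDP | len | 4 | 4" reads as a 4-byte length field; the UDP length is 2 bytes at offset 4 with the checksum in the next 2, so relabel the row (or say it covers len+csum) so the table matches the ck_start+8 check it documents. Two further points: the checks live only in the else branch where hdr_len comes from the guest, which is correct since that is the untrusted value; and, as the XXX comment concedes, the VLAN check accepts a header as short as ETHER_ADDR_LEN*2 bytes, which is enough to make the copy below in-bounds but means the 802.1Q insertion can operate on something that is not an Ethernet frame, so dropping such frames outright would be cleaner.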
@@ -1244,7 +1307,8 @@
iovcnt++;
iov->iov_base = hdr;
iov->iov_len = hdrlen;
- }
+ } else
+ hdr = NULL;
/* Insert VLAN tag. */
if (vlen != 0) {
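Review bot: `hdr = NULL` on the no-header path guards against a later use of an uninitialized pointer, but the next hunk dereferences hdr unconditionally (`ipid = ntohs(*(uint16_t *)&hdr[...])`); confirm that code is only reached when the header vector was prepended, otherwise the uninitialized read is traded for a null dereference. Style: style(9) permits the braceless else, but the asymmetry with the braced if-block is easy to misread; braces on both sides would be clearer.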
@@ -1286,7 +1350,9 @@
DPRINTF("tx %s segmentation offload %d+%d/%d bytes %d iovs\r\n",
tcp ? "TCP" : "UDP", hdrlen, paylen, mss, iovcnt);
ipid = ntohs(*(uint16_t *)&hdr[ckinfo[0].ck_start + 4]);
- tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]);
+ tcpseq = 0;
+ if (tcp)
+ tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]);
ipcs = *(uint16_t *)&hdr[ckinfo[0].ck_off];
tcpcs = 0;
if (ckinfo[1].ck_valid) /* Save partial pseudo-header checksum. */
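Review bot: reading tcpseq only when tcp is consistent with the new UDP header check, which guarantees only ck_start+8 bytes and says nothing about the TCP layout; previously the sequence number was read from offset 4 of a UDP header regardless, which is meaningless for UDP even where it stayed in bounds. Initializing tcpseq to 0 first also keeps the UDP path free of a maybe-uninitialized warning.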

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -7,6 +7,31 @@
<year>
<name>2019</name>
<month>
<name>8</name>
<day>
<name>6</name>
<advisory>
<name>FreeBSD-SA-19:21.bhyve</name>
</advisory>
<advisory>
<name>FreeBSD-SA-19:20.bsnmp</name>
</advisory>
<advisory>
<name>FreeBSD-SA-19:19.mldv2</name>
</advisory>
<advisory>
<name>FreeBSD-SA-19:18.bzip2</name>
</advisory>
</day>
</month>
<month>
<name>7</name>

@ -7,6 +7,23 @@
<year>
<name>2019</name>
<month>
<name>8</name>
<day>
<name>6</name>
<notice>
<name>FreeBSD-EN-19:15.libunwind</name>
</notice>
<notice>
<name>FreeBSD-EN-19:14.epoch</name>
</notice>
</day>
</month>
<month>
<name>7</name>