os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add EN-19:13 and SA-19:12 to SA-19:17.

Browse source 
Approved by:	so
This commit is contained in:
Gordon Tetlow 2019-07-24 13:28:52 +00:00
parent 17f514aec2
commit c531075a51
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=53269
29 changed files with 1620 additions and 0 deletions

133
share/security/advisories/FreeBSD-EN-19:13.mds.asc Normal file
View file

@ -0,0 +1,133 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-19:13.mds Errata Notice
The FreeBSD Project
Topic: Kernel panic from Intel CPU vulnerability mitigation
Category: core
Module: kernel
Announced: 2019-07-24
Credits: Schuendehuette, Matthias
All supported versions of FreeBSD.
Corrected: 2019-07-14 05:40:03 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:50:46 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-14 05:41:43 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:50:46 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:50:46 UTC (releng/11.3, 11.3-RELEASE-p1)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
In a previous update FreeBSD added mitigations for an Intel CPU
vulnerability known as "microarchitectural data sampling."
II. Problem Description
Under certain configurations a pointer to the mitigation routine may be
dereferenced before it is initialized.
III. Impact
Depending on system configuration, version, and architecture, the system
may panic early in boot process, and thus be unusable.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Errata update"
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.2, FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.11.patch
# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.11.patch.asc
# gpg --verify mds.11.patch.asc
[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.12.patch
# fetch https://security.FreeBSD.org/patches/EN-19:13/mds.12.patch.asc
# gpg --verify mds.12.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r349983
releng/12.0/ r350280
stable/11/ r349985
releng/11.2/ r350280
releng/11.3/ r350280
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:13.mds.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WkVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIkZA//ZbeSb2yAsux4w/nOLXQI1kfNWFT3LjVsiYS0VXCoixHr07nkDNMUv2Pn
08eP+9hy5mtgtooOjxP/aYIzR11+HZKpS/MG1x8KGAA/0TWY4EObJUTQ53UHY5+i
WStyHgKvqgeV2vuTqtjK5eAJfaTQV9huoapcQo0ngJMlbzICxN37UBZhOnSGb5HL
vRAL1AnI37LBWeZJhp3nyNatUjYfaL/HBYVpmuO9g+lgXqcFRpgIZxTNSzpDsAUb
7ARtHNUOelUoeMcMQXHbYtNOpM9c84fWxLftNsVfD3d9+GiHpklU2B++aBfzbTl3
3lgRRk1p1p0JUNXCJy/cPb6/4SqnQRHehu1pwnJnuOM4PBpLB5HRD4WWGzM2A4Jq
SB1rLKCwfeSWPDQ0/iOs6P+UPFjqV8WvbNmQQT+oZxZH7YSm2TY9EGd8V/3wxzYo
+FeVQ+KTW+qxXTKHnNS9KGD26Xseq8S7Ft4dzIjm6hZVwSwNPBQFnPptv4b42/sQ
1sJxjKwKb7CrJJl4uf7vlIyNRHu7FrdyE9w1YlSB1yC2lX9Q/PQqVOxToGCIlhPk
JvGlPa6O4ZIkhBUKDt6XJdYrRrzlM3bV5Z1lNvW02ii7KG0pDWpzGHuUdkKIF1p0
qHugXJ4OG+lOr5n0KKfUE66gfJV0WVUDBPCeEuBun75YG++TP2w=
=P8y6
-----END PGP SIGNATURE-----

136
share/security/advisories/FreeBSD-SA-19:12.telnet.asc Normal file
View file

@ -0,0 +1,136 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:12.telnet Security Advisory
The FreeBSD Project
Topic: telnet(1) client multiple vulnerabilities
Category: contrib
Module: contrib/telnet
Announced: 2019-07-24
Credits: Juniper Networks
Affects: All supported versions of FreeBSD.
Corrected: 2019-07-19 15:37:29 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:51:52 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-19 15:27:53 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:51:52 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:51:52 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name: CVE-2019-0053
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The telnet(1) command is a TELNET protocol client, used primarily to
establish terminal sessions across a network.
II. Problem Description
Insufficient validation of environment variables in the telnet client
supplied in FreeBSD can lead to stack-based buffer overflows. A stack-
based overflow is present in the handling of environment variables when
connecting via the telnet client to remote telnet servers.
This issue only affects the telnet client. Inbound telnet sessions to
telnetd(8) are not affected by this issue.
III. Impact
These buffer overflows may be triggered when connecting to a malicious
server, or by an active attacker in the network path between the client
and server. Specially crafted TELNET command sequences may cause the
execution of arbitrary code with the privileges of the user invoking
telnet(1).
IV. Workaround
Do not use telnet(1) to connect to untrusted machines or over an
untrusted network.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch
# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch.asc
# gpg --verify telnet.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r350139
releng/12.0/ r350281
stable/11/ r350140
releng/11.2/ r350281
releng/11.3/ r350281
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WltfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLOzA//YxRZNUr+d8B+t6DnBUbVvthJiY9sQ1YPXUIJmp4QA7wvXr5UjURw+6qv
raxEp6JmF06wZK4RjeIFckQD6s2wnjO5VHO80Zbs0nD4NejQGeDAIlVdKqofOtJv
bBQNSY3vPAtumyfElc+N19rKetAjGbsUjOMbn87GlWrit4lqcavBQsdmSlQB5gVA
dFAFsVxr+ujjATnrCmIpFiaDk0unyJ7Gtz7jiM9I8xZueJtM49/9kNCFFLKCMUl8
HpB2k0cb18GVNJoKtzo1nELOM/oIJVO5HZt1fmYG/RgeL1BSyzg4q/5jXJQopJ2h
Qax7fmMP+RpGGrfp9Uom63tj79eQk2NirpUtfAaYkfGKzj6fNcq/7jxZfbobx0R8
uTiF88mlv2/SGxpo11Z/QBqOSYTQtjDRYJvjCo77g7YW8HauECC3tiklpPfFOIO8
m5qNOORKI74Do377GBF3gxDF2T8ILwj1j7nKHf3apotvQXJkkbpWBG7ADRTFcZWd
PMKdYiDPHV33YmCAg9tOAqV4O7TvaB07ZLKiI6kuSBtPVrazB8Az/oRJwfF6JQ6g
4ZdinyCrXWYrWslkW8402GKCERFFYJUvwLSUqHxYMRgZWPy9zf/mH56vh4bleYnP
kz2X7OgtB3Juu0Uzwv927+KZuyzitniaPlLe9tsyBwXFbUM+BrY=
=LWVf
-----END PGP SIGNATURE-----

132
share/security/advisories/FreeBSD-SA-19:13.pts.asc Normal file
View file

@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:13.pts Security Advisory
The FreeBSD Project
Topic: pts(4) write-after-free
Category: core
Module: kernel
Announced: 2019-07-24
Credits: syzkaller
Affects: All supported versions of FreeBSD.
Corrected: 2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name: CVE-2019-5606
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The posix_openpt(2) system call allocates a pseudo-terminal device and
returns a descriptor referencing that device. Such a descriptor may be
configured such that a SIGIO signal will be sent to a designated process
or process group when the device is ready to perform I/O.
II. Problem Description
The code which handles a close(2) of a descriptor created by
posix_openpt(2) fails to undo the configuration which causes SIGIO to be
raised. This bug can lead to a write-after-free of kernel memory.
III. Impact
The bug permits malicious code to trigger a write-after-free, which may
be used to gain root privileges or escape a jail.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch
# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch.asc
# gpg --verify pts.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r349805
releng/12.0/ r350282
stable/11/ r349806
releng/11.2/ r350282
releng/11.3/ r350282
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:13.pts.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04Wl9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLZDA//SGC+7Vghtofm/CzylIXhC1drFOxNYJOF7KEJqDwsRR3U9S99Q9NBWS5+
e+/vJzvV0+epZNQXDlit5a76jGwy4fNuutNh0J3APHe/l0Zp/PhM56IwRWQgqAkQ
hF67xhHxFZs8AH6/bw21N4IkRrAZHmrrCY8ubZArjoUi0gCoFzAYRw1Nh/JTQoLS
IGuqUFaMZWKvu3aeJiikLjHiJUMRAY7sxh+iSBSp99dsLkASqQZtx1grmosljttN
fuD7qO2f067EWUpC50JTbNt9V7za854hrlOp8jn1g51O4fWWJoEEL2/0VUeOO+fr
aGS9UNal25NPr2zGzx2t0u1VNE3/YKoZ0tq+mQYtaXke32ZO15Ufby0YcLU4DF8d
dU1ZoG2AGbWmBqgQ982hocq5Dn0r5yCHXDeEGguE1DsfyBuUEZw6zfYRtzIQ0swk
wDrdETxpIMa8jaSGtDw2bilrLNRIVqYkXBJftC3fpXhlz6PyU6bZaFm00xrs7z1D
EJMkuIWho9oMqLTU7bZNHv7JD4G3ziTF1h2tGXGcEKp02ImNZQnw3w5PBberFgto
H4uJQCWgFqqddkjnSidX3Uj676LC99ERDEUlqi+xnXMmBScJnQuRtiUdbpOCkPD2
gLJmcyy7qjKw87i8KaQF5hUcym2D9xygbUV+I4RT93jR2DCVBA0=
=Cpu+
-----END PGP SIGNATURE-----

135
share/security/advisories/FreeBSD-SA-19:14.freebsd32.asc Normal file
View file

@ -0,0 +1,135 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:14.freebsd32 Security Advisory
The FreeBSD Project
Topic: Kernel memory disclosure in freebsd32_ioctl
Category: core
Module: kernel
Announced: 2019-07-24
Credits: Ilja van Sprundel, IOActive
Affects: FreeBSD 11.2 and FreeBSD 11.3
Corrected: 2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name: CVE-2019-5605
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The FreeBSD kernel supports executing 32-bit applications on a 64-bit
kernel, including the ioctl(2) interface.
II. Problem Description
Due to insufficient initialization of memory copied to userland in the
components listed above small amounts of kernel memory may be disclosed
to userland processes.
III. Impact
A user who can invoke 32-bit FreeBSD ioctls may be able to read the
contents of small portions of kernel memory.
Such memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way; for example, a terminal buffer might include a user-entered
password.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc
# gpg --verify freebsd32.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r350217
releng/11.2/ r350283
releng/11.3/ r350283
- -------------------------------------------------------------------------
Note: This issue was addressed in a different way prior to the branch point
for stable/12. As such, no patch is needed for FreeBSD 12.x.
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIavw//emdRXVNpGREW1FfUvWmUPpdgk6rFck9nEG0KUKYCcfhqN83BN9XtqaWu
lBQ1jbB/CsalwL6Gpn2yuMvgS8W4yUidyPHLpzuoAThlsy5bHID1/oRftJt0T0BS
kHbTD0tTUt3QDV51FoLBjvXfjRRb8xJ+wIGJ0NzOscWgjgu6JPUysHEJD3+vSOKN
X3qJd3zcoYqswcvuhoVE2cFrSaZKEyIi1pJVr9CGItQTWXIisgdXdGYTnBdZU8jq
iJGaI1BXiNUl/p/21JA32T+ZD7cdMtx6KiuoKlY7Bzgj7Qk3XW7xsQsYu724LIJT
pVhIxntMrQSak7wIaqNPGR/FgkkKDsoo6iCHXlGxXv6tLg7pnioZIaHhc5+UZqmT
8I0UogWhQZS03/nwFRVDLPp+ka2P0g2gsm/dX1UVuucMT+hGeqn2c/iaSU76duoR
qavRPjLPJDnfVrpXhpqco9rq1+UwA/1uSNe0cFX0ArX040hCReDsMphcxgrkZ0sD
u71Px2ZLE5rpWmFd8LD0X2y1l4OEcTmoTPUtJxHlVrMFztuNbAlRnyCxTV8c2uId
zN44wRj6c2ZEV/w+kBVTV+L7NSt1eHDZ5tgUL7boEOylEgkHTl30aZ8nV2wvpaM3
1Y/IwBnGmI4iNLMnRoIDlac6rR3dMUS4gtH+lkfxlBri9Qc3Qso=
=8LlB
-----END PGP SIGNATURE-----

138
share/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc Normal file
View file

@ -0,0 +1,138 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:15.mqueuefs Security Advisory
The FreeBSD Project
Topic: Reference count overflow in mqueue filesystem
Category: core
Module: kernel
Announced: 2019-07-24
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name: CVE-2019-5603
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
mqueuefs(5) implements POSIX message queue file system which can be used
by processes as a communication mechanism.
'struct file' represents open files, directories, sockets and other
entities.
II. Problem Description
System calls operating on file descriptors obtain a reference to
relevant struct file which due to a programming error was not always put
back, which in turn could be used to overflow the counter of affected
struct file.
III. Impact
A local user can use this flaw to obtain access to files, directories,
sockets etc. opened by processes owned by other users. If obtained
struct file represents a directory from outside of user's jail, it can
be used to access files outside of the jail. If the user in question is
a jailed root they can obtain root privileges on the host system.
IV. Workaround
No workaround is available. Note that the mqueuefs file system is not
enabled by default.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r350261
releng/12.0/ r350284
stable/11/ r350263
releng/11.2/ r350284
releng/11.3/ r350284
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:15.mqueuefs.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIWpBAAg9BmPamkj7wLJODR8SvNk+qYqEbYeakiSGnvXllz2l+qI2dhMVsuQRGQ
ko7VY0P2Wuh68UiiDG63Oq3hbOWPPkL1axk6n275rZSdoVj856tjrHjnUtP3UX5S
WQUKRAREjhVjM9dAOwCYrmAmcpX4SkslklhfiR6AR62t4eptMlfJ6ACQATs6FPnX
WRdyDe7yq0mL4UHWg+PvotQ+rxGiynwgVRMXwaglKOldGOuPOeuj7azM4nb6/qkN
GjJlJOIRwfU1/sXVII3cCzndnCrz5A0sSttg4JK+uzneJNze+rOghGbyQ9F046z9
H0M0Ae6M74UCyioyoTrQgvivWvATtNRkLBoRfvHQUNGSt6bS9g1F0N5J7NCgaIPx
vos7P4vnRM1avEAAnAhmm9eYAkO5VLmTb1ry5vOY1o2viesN3P0URcj7o+JIipaA
Kqlff154N2nJmCkT0BJ3m+80GWeAnwqli/LvAIruXxc2hqgWLh7wO+71mraPrV5Z
2+IiuLPMF18FdpTBjhXyX5zCtW7t7uARgZLJMjM+hTXc7aAer7746XY5JyXfRsa9
jLVWHlff2YoF7DySyDIC7+ONfPIHGgr45imdJgJ9Cxu31ZBmCjesNR4x1DCKgLvT
KnpBvofWIkIb8sEikEnXMfrHqoP/RtVtK73GlmT7sbH9PDQPUYw=
=ehKK
-----END PGP SIGNATURE-----

135
share/security/advisories/FreeBSD-SA-19:16.bhyve.asc Normal file
View file

@ -0,0 +1,135 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:16.bhyve Security Advisory
The FreeBSD Project
Topic: Bhyve out-of-bounds read in XHCI device
Category: core
Module: bhyve
Announced: 2019-07-24
Credits: Reno Robert
Affects: All supported versions of FreeBSD.
Corrected: 2019-07-23 17:48:37 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:56:06 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-23 17:48:37 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:56:06 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:56:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name: CVE-2019-5604
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
bhyve(8) is a hypervisor that supports running a variety of virtual
machines (guests). bhyve includes an emulated XHCI device.
II. Problem Description
The pci_xhci_device_doorbell() function does not validate the 'epid' and
'streamid' provided by the guest, leading to an out-of-bounds read.
III. Impact
A misbehaving bhyve guest could crash the system or access memory that
it should not be able to.
IV. Workaround
No workaround is available, however systems not using bhyve(8) for
virtualization are not vulnerable.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No reboot is required. Rather the bhyve(8) process for vulnerable virtual
machines should be restarted.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart any bhyve virtual machines or reboot the system.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch.asc
# gpg --verify bhyve.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart any bhyve virtual machines, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r350246
releng/12.0/ r350285
stable/11/ r350247
releng/11.2/ r350285
releng/11.3/ r350285
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5604>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:16.bhyve.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cI+Jw//TcrKrFaXkEJtqzspjoeK9YKwNwj30ewdb/Ph3GdcgVoQmfJVsWPcmcM9
+dewKdl7gGLhVhoJ+3f3oFzlDcqSxFLHcNwSW5J7P8Zt+7ZpQzwH8pfB6S8T1Nk6
77Sv5hYrjy8kdSh6Z/c8BkAQrhEFYO09xej8ekQ1B+iL2N4ErexpCNTMKlP96pGS
0/4tso5gdcwrc1t6HHGffFkjItgnE8Lvgr1ZsSHbcRGAc3nqy3n21U+VH+fecAzK
0NBO3HQeCbRIEdAms3jMLcAJGrs60VBN0nnWqLxlGBb10hY7Si0NkgbWOP2g/Elf
J+K4SHTFXbhIGrpsrEdvSVPvytQ8gKOSys5luvtLjt0Yhll08eEUDVzaIk//Hsak
BcUSlKHULLkVTJZvdZAHUMHJOMPpSAh61DuFcM+pxAt5E9rmgX+HnPBs1yLbgd23
NaQadFC126T+AW5W5GyOs2BIEo4bdTNHqONF7gmR4a5bv6/7GWZz/QNsep43jDZH
43lur9mts+/1LUCD1s4DkMniNMaGt28GMNa44PgQVzHI7NU/gdVe25TLnAv+X9lO
aAkV/WAyszux/Io2G2DfJNTc8Am/xRzFBvmydOnbMtzw8X/xgxB1/0ysl51O9Bdw
OhfpMygAsxbG0e8y5VuhpuoHd8/vIoBmA0z+u1tt4zxJIXgqSgE=
=/161
-----END PGP SIGNATURE-----

146
share/security/advisories/FreeBSD-SA-19:17.fd.asc Normal file
View file

@ -0,0 +1,146 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:17.fd Security Advisory
The FreeBSD Project
Topic: File description reference count leak
Category: core
Module: unix
Announced: 2019-07-24
Credits: Mark Johnston
Affects: All supported versions of FreeBSD.
Corrected: 2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name: CVE-2019-5607
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
UNIX-domain sockets are used for inter-process communication. It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process. Rights are encapsulated in control
messages, and multiple such messages may be transmitted with a single
system call.
II. Problem Description
If a process attempts to transmit rights over a UNIX-domain socket and
an error causes the attempt to fail, references acquired on the rights
are not released and are leaked. This bug can be used to cause the
reference counter to wrap around and free the corresponding file
structure.
III. Impact
A local user can exploit the bug to gain root privileges or escape from
a jail.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc
# gpg --verify fd.11.2.patch.asc
[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc
# gpg --verify fd.11.patch.asc
[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc
# gpg --verify fd.12.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r350222
releng/12.0/ r350286
stable/11/ r350223
releng/11.2/ r350286
releng/11.3/ r350286
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc>
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WnBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIOTQ/+KQMGXwNiuMVNib5ErewD9QdT48NYaU/hYUub3VMAfQltvWmbiPw7zXj7
yJGm9FxWrMvZ6hFnKskV60u9d7PMYkOv4nzcaFgPoadByXXlALQGd/ansrZFyTJr
bDeBs7J3dM/VnH/lSlPc/LlbnH4iN+gj6SSqpsWAIdq99VIviAnzHTr7SniGfXul
hP+5+xSlfAYOKuH7jM1+gpuld9kR2QzGObiUJ6gfJk+I41C90tSJHb3v+DCanyrM
N2NXKbkgRtZoaIItiqZVIKHJP+VaHOnHCBq3uEbj2+OR7I5yFkDYdQbTiWVU1bl0
9Ps/5LPDEiQYQqgCGadzZyqyEHvoPFy2vWvc1GFya6cV1L3gtM51C713ci2Xa3NK
ZknS4bIC2Nhtrf9PcFJRkMKW8OOdwYi/2vL9I4W/PAs2EV3thQivBB7dH9TYRTdC
BWP2tFM+isibjezJfj2RAjdAq0Kln0U+4AkNWgNNToyzSNFJ0LBtvzlgS7mmtuN0
mA9n7tYyQM5vCXEQqcC3hIkJSeNE2Sj4/RVd8oo1Ngh1el0AFTJ2aq+QowG/lWO/
pK1lvOQXMPElbSSxCytqALWY995VRxmEUO/TF6pCgsRDIXxx+eSf1XrtT2d1+Na7
nzt511Ho9/F4Uwbih7u+IhnWReB2Da0djLBWUtOc+HsMLQZVAUk=
=juJj
-----END PGP SIGNATURE-----

18
share/security/patches/EN-19:13/mds.11.patch Normal file
View file

@ -0,0 +1,18 @@
--- sys/x86/x86/cpu_machdep.c.orig
+++ sys/x86/x86/cpu_machdep.c
@@ -953,7 +953,6 @@
* architectural state except possibly %rflags. Also, it is always
* called with interrupts disabled.
*/
-void (*mds_handler)(void);
void mds_handler_void(void);
void mds_handler_verw(void);
void mds_handler_ivb(void);
@@ -962,6 +961,7 @@
void mds_handler_skl_avx(void);
void mds_handler_skl_avx512(void);
void mds_handler_silvermont(void);
+void (*mds_handler)(void) = mds_handler_void;
static int
sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS)

18
share/security/patches/EN-19:13/mds.11.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WohfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cL2Uw/7BSeV5qpvcB0DWjmccL4skTSJt37KOZ+2B4kO3RuCQ3VLZm73tAJZYGkZ
gUlgluC0qr6mzjtG5eXfFB0yQ95XfM5/Fcu/d1m/g7Zg/OC/lTzfyoMiW3cKrY0E
p1t5zPmWMJ3rbLGaJy5NimUl+ef/y8LRXmUyzrK3vExN/NXt+ACwndZxPiXLQ7PC
qATgsksuzLrTkYhW1lbX3yewU2R4DTiDoe2ytx1W9BFIE+AhtuEGb4mk4sAaqXzf
cL4NWDETq6BDldYo9hXikHzZL8hzE5zyuFK/wYQ7a4JN05KqI0iSiMMhlhe4g0ui
BzurSSSKPvJRHaA6YD3HWTPOZBv9rGf4xFRAAjZpjOlT+iWPMO73rdQQkEIbHBQc
JWm6fOGodnP01qVjNpYXpjgGyzDvFoI3b1YMktPy0o8tYadHzHYsinH883Ihik97
i9EqjxacqBoAK3XKatDNM83ZIE1VfanULktCZ1eloxIrlkBqjjHw2VmiWgB6s7j7
t0o3+SP7gfusBmagHRdv9pfDd8Jp5RDG8aRhZP7Gd2zb2lNop9TfdyxMGMEFEh3f
IG5X8/UED3MBjwVgem74k0Pov/NUzW3x9TB14hoPO5Z1CewlKWCirDXn5l1qhpkf
4pGXZdd10QW1UGRG7NQ+dbRLiqX0YdfUGJm78ntoczYP1zNBpH0=
=lZrt
-----END PGP SIGNATURE-----

18
share/security/patches/EN-19:13/mds.12.patch Normal file
View file

@ -0,0 +1,18 @@
--- sys/x86/x86/cpu_machdep.c.orig
+++ sys/x86/x86/cpu_machdep.c
@@ -924,7 +924,6 @@
* architectural state except possibly %rflags. Also, it is always
* called with interrupts disabled.
*/
-void (*mds_handler)(void);
void mds_handler_void(void);
void mds_handler_verw(void);
void mds_handler_ivb(void);
@@ -933,6 +932,7 @@
void mds_handler_skl_avx(void);
void mds_handler_skl_avx512(void);
void mds_handler_silvermont(void);
+void (*mds_handler)(void) = mds_handler_void;
static int
sysctl_hw_mds_disable_state_handler(SYSCTL_HANDLER_ARGS)

18
share/security/patches/EN-19:13/mds.12.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WohfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKNWQ//S9SPs5aLAn548fpti++SamgqLC+OpBWilFxruB+Y4i1J8EKYde58DzIw
GSpJya11QZz+oHUhHGuR3gqxCeaUK3Qyvld1NNqPg5nRDPBdEWWxkX0slliRbKWM
VYQdak5SkRozvc1A7Ssy8bZ3krqgpRLCdETvy2RCFURPXWs7lAFqCYP6FiJvPd5n
gzi49FFLMXr5REtHe9D2i3z1/3v0mwOwSE7uvgBHHqf9/Cu7cypSLpZc4b9nwmta
r9gB2jLM+9+Stocsilht5fdH2X2+3iTIxuYKkkjvkqKcLD0cOYdm+CvnaRqf5GhA
9lFC/wsbcTz6itn0MmBgPReN6fTRGAmr0dACkU6mtPHke8x9Cii8u5GQD/W+Q6Zs
UJ9CMvE4EuaUFCfooigHDCeLM4jRBzF6auZL6BXPDENC0btJaU9iYnwkuxH7jyFy
LWcm67asSqDy9YMhip4SUmeQZe03wMvxPnDf9QXGclo9AhWAH2YxjFxIXOZlQOwO
fbVedzyxEtBjYLZz8c9GSoklKnS0d7FEGK9hZxAx4QFMsAMTiidPFhSUiP65F1du
Y5kkDw3a8xFeBegA+43s1ds+Y7YGKyrEwao/L7N1NZ2fvqHNUnbpa/A0uTvr17Dc
1Ja/FDSLV2X3bffidbn4BkBuWXIEjJJHuKVPl10tMgV4BbrJPMQ=
=rBsY
-----END PGP SIGNATURE-----

60
share/security/patches/SA-19:12/telnet.patch Normal file
View file

@ -0,0 +1,60 @@
--- contrib/telnet/telnet/commands.c.orig
+++ contrib/telnet/telnet/commands.c
@@ -45,6 +45,7 @@
#include <sys/socket.h>
#include <netinet/in.h>
+#include <assert.h>
#include <ctype.h>
#include <err.h>
#include <errno.h>
@@ -1654,11 +1655,14 @@
|| (strncmp((char *)ep->value, "unix:", 5) == 0))) {
char hbuf[256+1];
char *cp2 = strchr((char *)ep->value, ':');
+ size_t buflen;
- gethostname(hbuf, 256);
- hbuf[256] = '\0';
- cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
- sprintf((char *)cp, "%s%s", hbuf, cp2);
+ gethostname(hbuf, sizeof(hbuf));
+ hbuf[sizeof(hbuf)-1] = '\0';
+ buflen = strlen(hbuf) + strlen(cp2) + 1;
+ cp = (char *)malloc(sizeof(char)*buflen);
+ assert(cp != NULL);
+ snprintf((char *)cp, buflen, "%s%s", hbuf, cp2);
free(ep->value);
ep->value = (unsigned char *)cp;
}
--- contrib/telnet/telnet/utilities.c.orig
+++ contrib/telnet/telnet/utilities.c
@@ -629,7 +629,7 @@
}
{
char tbuf[64];
- sprintf(tbuf, "%s%s%s%s%s",
+ snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
pointer[2]&MODE_EDIT ? "|EDIT" : "",
pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
--- contrib/telnet/telnet/telnet.c.orig
+++ contrib/telnet/telnet/telnet.c
@@ -785,7 +785,7 @@
name = gettermname();
len = strlen(name) + 4 + 2;
if (len < NETROOM()) {
- sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+ snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
TELQUAL_IS, name, IAC, SE);
ring_supply_data(&netoring, temp, len);
printsub('>', &temp[2], len-2);
@@ -807,7 +807,7 @@
TerminalSpeeds(&ispeed, &ospeed);
- sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
+ snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
TELQUAL_IS, ospeed, ispeed, IAC, SE);
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */

18
share/security/patches/SA-19:12/telnet.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJr9Q//SGYP2npXtSX0LVpT8luManWEbjjhTTz12ZW80R/QOwheoJXq9zJ4R812
WlHtEtFi4PBIqGAdvSOUISHVJTzpLy9jOVoavW5jynFDUiE2gFikirVxu+ERWxDm
MMYJ6b/0P7VWAlyp0+05NuOGSOxFEiGs43qP8rVYUVLQF7zUYwR8nKVRxvxwSm9E
xp5gy0bM00O2Ct8cH1IS9lJjFFopIHXU0Xv2HxxURSZUJfbHKvc4+3mPXqTeyBmw
YEziisxeUuU2h4z4dbbsv3Vhz1RiN+4+7EfaFDcFLryn1h5LSqdrlHkqgea6K8gW
CMYUE4MWYOWHzZIWLQJ0nb2R+7qo8xCbPjSsOf6qQ+x5NWqb7SX6HPNGy7LAKpXa
xGY7Ffefl2qtHwe3If7O4PKG30VGMdQfhn9OBgiX0gGf3Datyihcn9GwiSF7NrHs
bIh8RIAM1AbmpI3tkNrUhFyV7N1aAF08wjkn9G8AaUtqHwnjkfWXlzegJGYidRmx
7AU/oem/7jm7NqjccrglEkRpKUz2f9fTPnpAVdqs18XfZfCgqkVeaz284WRDWV5r
QXd64u38lyitZBBCnGR6tbeD429437ZbWtX4X97bdVUaUUIg2YUzkDsnFFSYBJh9
7POO792tDemfPvgQdIvq9+OMGMULus+4SQ9D+gQ7DWKRQVxsAiE=
=eI9w
-----END PGP SIGNATURE-----

22
share/security/patches/SA-19:13/pts.patch Normal file
View file

@ -0,0 +1,22 @@
--- sys/kern/tty.c.orig
+++ sys/kern/tty.c
@@ -231,9 +231,6 @@
tp->t_flags |= TF_OPENCLOSE;
- /* Stop asynchronous I/O. */
- funsetown(&tp->t_sigio);
-
/* Remove console TTY. */
if (constty == tp)
constty_clear();
@@ -1124,6 +1121,9 @@
return;
}
+ /* Stop asynchronous I/O. */
+ funsetown(&tp->t_sigio);
+
/* TTY can be deallocated. */
dev = tp->t_dev;
tp->t_dev = NULL;

18
share/security/patches/SA-19:13/pts.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKlaw//dbfqbTg1CcRs+IrcUydAbJIk4uLnrw69HIWYTGt0kN0Kcv6WoVxY5ecM
KkQMRMq9e+8L0Sy7FH9A9QV99FoQeAxlzZsy1tXpqrVd50SCgpzC0XaBtaqzT7vY
q00IWIXUXlbAnoIeKs/mnNjoeLRnesLLt7swWiUXQYtD2xPeJIA01TFaG0EwvBC5
wZ0S9UD0dwQZzUVxXz+SI6V+3seYLkGtL8csnfom1LiGRX6M3OuMz6Kgoss3St8R
Lvq3pFwdWnAHm2ewv7rpF0M8R4vbLQw/sikoK3xTCbv+Wi9xbv85OR2HN6NDLsjs
g11zvnHt5fDYnWtZvoplUFNg98rxKc0T1zcae91ZaenPqV+F4dsVvs4RdO2MmNmf
ye2GyzO/QkiOzZsgAQm+C7hUIkYfe16swAhd8qYLw7AQkF0ax10HKw+0QVMfQPTK
jRT79IHILRzMm4wIyE18n6WPFuvQP+PHcJ4ky+PY8lTtZFpuLZTTOIM7KJNAAFtS
dtJnHDZiJuxcDeGZHRQJW6WFgk+oFpiB2Pe0rSmZIZYe2yJ6rwoPubEenWEMUKrr
mOqCBGIB8kVSixZX8dQeDacrPN5qjuQkEoh1H+jG/CtYEYdgFm/ybyKFY9Qqz/X4
UPnAQMRrZpXLjqbd6/5qcDiDUXDwrBryEcgSsLXOSQSPXxgy8Dw=
=/BMl
-----END PGP SIGNATURE-----

11
share/security/patches/SA-19:14/freebsd32.patch Normal file
View file

@ -0,0 +1,11 @@
--- sys/compat/freebsd32/freebsd32_ioctl.c.orig
+++ sys/compat/freebsd32/freebsd32_ioctl.c
@@ -262,6 +262,8 @@
vm_offset_t addr;
int error;
+ memset(&pmc, 0, sizeof(pmc));
+ memset(&pc32, 0, sizeof(pc32));
if ((error = copyin(uap->data, &pci32, sizeof(pci32))) != 0)
return (error);

18
share/security/patches/SA-19:14/freebsd32.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIa8xAAnsULsYOMNQbGeBE3LMOa3RfB0PQ2EElLcEnkAgnmTYY/rEaX4ekTFZV8
W7uC111kJCvbJQOWgT2w28Xn0+rqY4Jp2zQKoJ8bqxSxGkKjVls2dsywa50NehD4
YOBWW2B6G9LxFYFOmkSNq/lFHKSkacwC7wP4/NjRqJ36Ky+AJYRTUwdguTlAO/DU
dYbmuXTiZSryxiyYglRJi+ZhQ8BnIkseSuZMn+4KuKMp9CMpxTB+qIIAmCcf0Mdt
ac/VTVmrnnBvaSjRGQdrwzpX2e23cThCuaSY0M5R4/KfaNoZQ6Jhejm4hJm+XPw2
S4ZT9ZGdqNK/qFBgZrunWrJA2AxXxG8SJtC/kDb6H1pikrfE8TmE74IzWBOCfDJ9
XioQF7OvV1pNDgGMhP3O5FYrUeTCe2OyQsAjYJu371i0YsoDTMuL5d8Gj/0JAX0U
DDZPW/0eOb0rMnLE9jc++cNdFuBhJXbkfP8TQ2hef224/WXoQYsq1g6sPgnUCAkS
fE4HDUAzfxAwNNHsF8ZLI2KonCIY8fBTT3NvNXihBxQvPDiXg/RlEKS7EYlR65CC
6mwlnKgBmmeQT3F1C3FSMt9T9ncwZxvCaVk2u7gpH/TiycuSF7H1D226HcRYXKyu
8Q6GhnOBbS2TXBCKca/1HS/WfvyNA4FXUDvK0ZSch3nFGbEJVmA=
=fjwv
-----END PGP SIGNATURE-----

51
share/security/patches/SA-19:15/mqueuefs.patch Normal file
View file

@ -0,0 +1,51 @@
--- sys/kern/uipc_mqueue.c.orig
+++ sys/kern/uipc_mqueue.c
@@ -2283,13 +2283,14 @@
if (uap->abs_timeout != NULL) {
error = copyin(uap->abs_timeout, &ets, sizeof(ets));
if (error != 0)
- return (error);
+ goto out;
abs_timeout = &ets;
} else
abs_timeout = NULL;
waitok = !(fp->f_flag & O_NONBLOCK);
error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
uap->msg_prio, waitok, abs_timeout);
+out:
fdrop(fp, td);
return (error);
}
@@ -2309,13 +2310,14 @@
if (uap->abs_timeout != NULL) {
error = copyin(uap->abs_timeout, &ets, sizeof(ets));
if (error != 0)
- return (error);
+ goto out;
abs_timeout = &ets;
} else
abs_timeout = NULL;
waitok = !(fp->f_flag & O_NONBLOCK);
error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
uap->msg_prio, waitok, abs_timeout);
+out:
fdrop(fp, td);
return (error);
}
@@ -2834,7 +2836,7 @@
if (uap->abs_timeout != NULL) {
error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
if (error != 0)
- return (error);
+ goto out;
CP(ets32, ets, tv_sec);
CP(ets32, ets, tv_nsec);
abs_timeout = &ets;
@@ -2843,6 +2845,7 @@
waitok = !(fp->f_flag & O_NONBLOCK);
error = mqueue_receive(mq, uap->msg_ptr, uap->msg_len,
uap->msg_prio, waitok, abs_timeout);
+out:
fdrop(fp, td);
return (error);
}

18
share/security/patches/SA-19:15/mqueuefs.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKwuw//cbOammnRyK+06gajcjueERuZUL8F3YGwnMfok0Afx0QXGS/OGYsCFbmx
CeuX6ZICoGlNo94kWT0Gv8g7fZy2XuZMIcjaG1PHmPODIz27zo1DeMXvB9Yj4oEp
oeGbf7mXqwgxHVQxY94j8oFRunTFRAUkjIJZfeLWq5JZTnLNWm2WhJBR0prH4SL/
pkGWca/QdnrFiDYBm02FLcUF3lXgSkZLLm63FDb7P+ouahlTzL0CMzV/TaMMwTGS
XFOvIwkeeU0ni8BPRUpbamFo4caTlffC2n+FPa6/wmoW9URW9SHLkkAsPfq9IfBC
UUF8DXYkOkpbduXpmXK7IzE3eINW7zJD3dz3AvjpXq9GxUXIgXN76cOnbM/pur5p
BTVdEgcpmM8h8crERS+nXC3uh9w0mSJg/66qRjpOF8SfI59uUqVkd1vvenTke/zF
etgGRjQtm4f8kHH6S6b96kQWmBRD1xZwwXS2sJgvd1VVcb0dB0GFFv/FJ8hWNWKl
nY/JaUUYf6sxC4Lm1X9g5cCluiSnGNBGOlKeNoOIj20NvUa6dgi5CBWxGlzwUTOP
GzO9dkwij8wb9sHPXk3INpOLzSzwua9a8YQVNQf5aFErPiw3nuU6Bc16qJ/GV+Rg
F2D49u63NrIak1JwQ27PNmoNs7XpEI4QCF7ASoqWqu+2YGwCigs=
=Zirz
-----END PGP SIGNATURE-----

49
share/security/patches/SA-19:16/bhyve.patch Normal file
View file

@ -0,0 +1,49 @@
--- usr.sbin/bhyve/pci_xhci.c.orig
+++ usr.sbin/bhyve/pci_xhci.c
@@ -1900,6 +1900,11 @@
return;
}
+ if (epid == 0 || epid >= XHCI_MAX_ENDPOINTS) {
+ DPRINTF(("pci_xhci: invalid endpoint %u\r\n", epid));
+ return;
+ }
+
dev = XHCI_SLOTDEV_PTR(sc, slot);
devep = &dev->eps[epid];
dev_ctx = pci_xhci_get_dev_ctx(sc, slot);
@@ -1925,6 +1930,23 @@
/* get next trb work item */
if (XHCI_EPCTX_0_MAXP_STREAMS_GET(ep_ctx->dwEpCtx0) != 0) {
+ struct xhci_stream_ctx *sctx;
+
+ /*
+ * Stream IDs of 0, 65535 (any stream), and 65534
+ * (prime) are invalid.
+ */
+ if (streamid == 0 || streamid == 65534 || streamid == 65535) {
+ DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+ return;
+ }
+
+ sctx = NULL;
+ pci_xhci_find_stream(sc, ep_ctx, streamid, &sctx);
+ if (sctx == NULL) {
+ DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+ return;
+ }
sctx_tr = &devep->ep_sctx_trbs[streamid];
ringaddr = sctx_tr->ringaddr;
ccs = sctx_tr->ccs;
@@ -1933,6 +1955,10 @@
streamid, ep_ctx->qwEpCtx2 & XHCI_TRB_3_CYCLE_BIT,
trb->dwTrb3 & XHCI_TRB_3_CYCLE_BIT));
} else {
+ if (streamid != 0) {
+ DPRINTF(("pci_xhci: invalid stream %u\r\n", streamid));
+ return;
+ }
ringaddr = devep->ep_ringaddr;
ccs = devep->ep_ccs;
trb = devep->ep_tr;

18
share/security/patches/SA-19:16/bhyve.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLhbQ//fufmu/lZgce6Y+GGMZdBCEIAE305OqASgpXt0ifC5/swQ83ky3P/yJcI
Qh9YeH57JZ5YI+K29mqP+lkTrYiBKqHl1zAK4qm+XUkXAq+5GOSQqDB4ZJdq12za
wDO8toOtNkv6Yz1L+dYnG3iFEzbdz8FzoZMv2FTbZ22o0NobzH3YHtODS4nsLuJT
lCaoJctYnpZ+4ajhnvSfBiQbFr3zwCpLvbLLox0QGZ+v/Pjn976c//RRj0z6ed5J
bmyr6nFPIleqJ8T+W36E00W3EB7sc/h1gxtyJtKJm4lqgTCY+qREr1/4gXIiqHwd
m8S13X39J9E4PhLbtw2m5f6yth/Qfjyh70wgOdb3LItjfZG6Swdo8NR6tuXJu+ZR
XcYCsqeQkn8sivT3GZvvJlPx8DUJe0MtiB4pOy2MpLWTEcUM8S9sBCcFz9EMA06M
rK1pE+4W1fWxYbISXY5UNEOQgQE82+aJDFmACKmIJhKO+bbgH9RjekklUbtoSUdD
Qeu4yVrhliFUWqCv0phhIZz3UPlU+Ewqb8imH6b5tAX1+XM9kMeSZdO80qZKK20J
9/jXGuMt9MX4bpErdFY1l0GtGblNa1XASaOGGGTs8dwPRq1jBaVKSus4AslVkbuj
6UZEdaNn4ysAWpe/B1z0nr0TThGyA9wWX+AqPfKAD5VAJV+xTpU=
=qjT1
-----END PGP SIGNATURE-----

72
share/security/patches/SA-19:17/fd.11.2.patch Normal file
View file

@ -0,0 +1,72 @@
--- sys/kern/uipc_usrreq.c.orig
+++ sys/kern/uipc_usrreq.c
@@ -1896,29 +1896,52 @@
UNP_DEFERRED_LOCK_INIT();
}
+static void
+unp_internalize_cleanup_rights(struct mbuf *control)
+{
+ struct cmsghdr *cp;
+ struct mbuf *m;
+ void *data;
+ socklen_t datalen;
+
+ for (m = control; m != NULL; m = m->m_next) {
+ cp = mtod(m, struct cmsghdr *);
+ if (cp->cmsg_level != SOL_SOCKET ||
+ cp->cmsg_type != SCM_RIGHTS)
+ continue;
+ data = CMSG_DATA(cp);
+ datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data;
+ unp_freerights(data, datalen / sizeof(struct filedesc *));
+ }
+}
+
static int
unp_internalize(struct mbuf **controlp, struct thread *td)
{
- struct mbuf *control = *controlp;
- struct proc *p = td->td_proc;
- struct filedesc *fdesc = p->p_fd;
+ struct mbuf *control, **initial_controlp;
+ struct proc *p;
+ struct filedesc *fdesc;
struct bintime *bt;
- struct cmsghdr *cm = mtod(control, struct cmsghdr *);
+ struct cmsghdr *cm;
struct cmsgcred *cmcred;
struct filedescent *fde, **fdep, *fdev;
struct file *fp;
struct timeval *tv;
- int i, *fdp;
void *data;
- socklen_t clen = control->m_len, datalen;
- int error, oldfds;
+ socklen_t clen, datalen;
+ int i, error, *fdp, oldfds;
u_int newlen;
UNP_LINK_UNLOCK_ASSERT();
+ p = td->td_proc;
+ fdesc = p->p_fd;
error = 0;
+ control = *controlp;
+ clen = control->m_len;
*controlp = NULL;
- while (cm != NULL) {
+ initial_controlp = controlp;
+ for (cm = mtod(control, struct cmsghdr *); cm != NULL;) {
if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
|| cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
error = EINVAL;
@@ -2045,6 +2068,8 @@
}
out:
+ if (error != 0 && initial_controlp != NULL)
+ unp_internalize_cleanup_rights(*initial_controlp);
m_freem(control);
return (error);
}

18
share/security/patches/SA-19:17/fd.11.2.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cI3nw/+NnAFVvmg//5FWzm6875s9mJ51hJaG0svbq7xp9qfyc8m+E8rQihZsyX1
0/oNuOnthlqfO3qGPjxDi5WpQ6bHeVjx//73wxUtYmCHr1vVNHttKjWdR5jyfafX
dvacX9lWmNJhKl6r4eC/Fn79R7ARqWy52+bQruTRqyJvMPna7ck/7dhqbOq+FFEN
5ld+5DSfIycp5u4gMqB9a6QneUw93tBnF1LqRw4v4OOmreZ2OZj3khDiQ+ALOU/b
LJgn/nuDwVxLeStMPZSlrz+Gvg92ZjlcPt4krS4tK3Wana9su/0pr+QjhjLvog51
TtCZmnw3geDj7BdL4YWqv/odnU9vFZJ/j97Aa7WJldH89g1egN6a5TIw8FPqDyS5
Z+VHWczypGxLL8hLOkK76GbqqbwQDhomosl4GDOOiNoAHrflB+qWm1Eyq7hlOKEF
aghZPSa31LJ5wbX7PxSPK+LBp/3wV1ukGbbUok7UHAjnUaU4NeE643Gv1q1xXNeR
PwvJVTdXSwuOgdUA3Da+6np45K6ysPgKiHpwy53sNfdLsTDftfCxC4+nYrqeAy3b
2Vl7UZpherBns95HBYTZ2jIrxjhF19KYRatfsGAGA0yEvmG96vKk59P/+Br9Hpui
YJ+xZFDgU25+VpMHGLtiE5YQeQ4Vdsqr6LNlkPnwUVH5aRBH/Ys=
=trQX
-----END PGP SIGNATURE-----

73
share/security/patches/SA-19:17/fd.11.patch Normal file
View file

@ -0,0 +1,73 @@
--- sys/kern/uipc_usrreq.c.orig
+++ sys/kern/uipc_usrreq.c
@@ -1908,30 +1908,53 @@
UNP_DEFERRED_LOCK_INIT();
}
+static void
+unp_internalize_cleanup_rights(struct mbuf *control)
+{
+ struct cmsghdr *cp;
+ struct mbuf *m;
+ void *data;
+ socklen_t datalen;
+
+ for (m = control; m != NULL; m = m->m_next) {
+ cp = mtod(m, struct cmsghdr *);
+ if (cp->cmsg_level != SOL_SOCKET ||
+ cp->cmsg_type != SCM_RIGHTS)
+ continue;
+ data = CMSG_DATA(cp);
+ datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data;
+ unp_freerights(data, datalen / sizeof(struct filedesc *));
+ }
+}
+
static int
unp_internalize(struct mbuf **controlp, struct thread *td)
{
- struct mbuf *control = *controlp;
- struct proc *p = td->td_proc;
- struct filedesc *fdesc = p->p_fd;
+ struct mbuf *control, **initial_controlp;
+ struct proc *p;
+ struct filedesc *fdesc;
struct bintime *bt;
- struct cmsghdr *cm = mtod(control, struct cmsghdr *);
+ struct cmsghdr *cm;
struct cmsgcred *cmcred;
struct filedescent *fde, **fdep, *fdev;
struct file *fp;
struct timeval *tv;
struct timespec *ts;
- int i, *fdp;
void *data;
- socklen_t clen = control->m_len, datalen;
- int error, oldfds;
+ socklen_t clen, datalen;
+ int i, error, *fdp, oldfds;
u_int newlen;
UNP_LINK_UNLOCK_ASSERT();
+ p = td->td_proc;
+ fdesc = p->p_fd;
error = 0;
+ control = *controlp;
+ clen = control->m_len;
*controlp = NULL;
- while (cm != NULL) {
+ initial_controlp = controlp;
+ for (cm = mtod(control, struct cmsghdr *); cm != NULL;) {
if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
|| cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
error = EINVAL;
@@ -2082,6 +2105,8 @@
}
out:
+ if (error != 0 && initial_controlp != NULL)
+ unp_internalize_cleanup_rights(*initial_controlp);
m_freem(control);
return (error);
}

18
share/security/patches/SA-19:17/fd.11.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJmTxAAjBscnsnRUzIkRuvJ+5F6VrwduZye14G5jwbW6/fUnmI6mt2wyGSkHVHQ
bcVTAaF5g8fN1xBk0urta1q3nlGJRCKIyVp+qkBLxiiMvrZlryZ2nsgVmylRZ7oA
kQK96WWORU8fptXqeG0q3N+i3EoZPMqd2d38Xh4TlqupYlFYOJUcTJOFV/Hb4qZC
Sd1bIj3DdtX+2hhXPr5LOe3w2ootgqxF7l/LloQ2LXpPqsPm31EXYTexetowyMXz
2PaXPLKE44eVseaazS/S/F9bG6weFgxqjjbzzzXI1uiXqctwODL4f1QDEz/G1/+g
SlrR6pXD2wtFZGWTJr8FjwwpJl78sH0ov9NvtO5MdRUvCB7p4lp6DGP+tIbzugbH
+D5nlpEUFBUGwM3VNQ79zAzNQkSlAm551RxGgGA8RxlXQrwqZQ7TYSgoDonABfCm
ELkMv/3GcuaEtljXBTN44rCJZjuRlGi/k2nDs5phlUGnN5fk6nQtWdzo7p63kdYE
mR9vR9VVO11KAFm1SVp4w9hmIRTtt1Vd9Rm2PKAxiAJzwZTWWmjUfSg2DO6DFOb8
rlK5pqgOml3FIDAfegrhvjsyrsc7Fbp6Rjny+MM58fcKBpuJNAOIgB+lqN8GbTaV
sZsSZiiTtBSV93JvcwWe+My+59GbpoAEwex0OMkuxa/T0+yeh5E=
=ptiz
-----END PGP SIGNATURE-----

73
share/security/patches/SA-19:17/fd.12.patch Normal file
View file

@ -0,0 +1,73 @@
--- sys/kern/uipc_usrreq.c.orig
+++ sys/kern/uipc_usrreq.c
@@ -2120,30 +2120,53 @@
UNP_DEFERRED_LOCK_INIT();
}
+static void
+unp_internalize_cleanup_rights(struct mbuf *control)
+{
+ struct cmsghdr *cp;
+ struct mbuf *m;
+ void *data;
+ socklen_t datalen;
+
+ for (m = control; m != NULL; m = m->m_next) {
+ cp = mtod(m, struct cmsghdr *);
+ if (cp->cmsg_level != SOL_SOCKET ||
+ cp->cmsg_type != SCM_RIGHTS)
+ continue;
+ data = CMSG_DATA(cp);
+ datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data;
+ unp_freerights(data, datalen / sizeof(struct filedesc *));
+ }
+}
+
static int
unp_internalize(struct mbuf **controlp, struct thread *td)
{
- struct mbuf *control = *controlp;
- struct proc *p = td->td_proc;
- struct filedesc *fdesc = p->p_fd;
+ struct mbuf *control, **initial_controlp;
+ struct proc *p;
+ struct filedesc *fdesc;
struct bintime *bt;
- struct cmsghdr *cm = mtod(control, struct cmsghdr *);
+ struct cmsghdr *cm;
struct cmsgcred *cmcred;
struct filedescent *fde, **fdep, *fdev;
struct file *fp;
struct timeval *tv;
struct timespec *ts;
- int i, *fdp;
void *data;
- socklen_t clen = control->m_len, datalen;
- int error, oldfds;
+ socklen_t clen, datalen;
+ int i, error, *fdp, oldfds;
u_int newlen;
UNP_LINK_UNLOCK_ASSERT();
+ p = td->td_proc;
+ fdesc = p->p_fd;
error = 0;
+ control = *controlp;
+ clen = control->m_len;
*controlp = NULL;
- while (cm != NULL) {
+ initial_controlp = controlp;
+ for (cm = mtod(control, struct cmsghdr *); cm != NULL;) {
if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
|| cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
error = EINVAL;
@@ -2294,6 +2317,8 @@
}
out:
+ if (error != 0 && initial_controlp != NULL)
+ unp_internalize_cleanup_rights(*initial_controlp);
m_freem(control);
return (error);
}

18
share/security/patches/SA-19:17/fd.12.patch.asc Normal file
View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WqlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cI9ChAAiOmOES6zvuVjCZayU6TCnSvyeMIAqVEpJHEqJrHUVbjXZrxnGrz8Tc3D
yQ62leplJY4H+BPf1k4MqTQNQej6cEbbUOL6OqwOqXq3Ej3IKIGSqW/0S0xNZi6s
JhAw2GkS8UHsWzpTkyMaqsl4m3PSx/L8T1qOHNZ/EwMes64pBRLPyAH2ePU4eOdP
cZV3Tug4TzeCfz/j8R+bBcHWjpPcfumgXkvR1QH+uEd8GjkRuw1U7dsnj7EpXQeF
JH4Ap/QA5V1vfPCO0KJBRI8scwnXB6WAzQ4VHcmk6euNDHAWDCVS4RcmyFk7baA+
NFbr+JhyDQ+fzLGmPUGmNElQGx9ypckxd3KAt4Q1LasXyzHbmx8qFBmvxqoPhg0r
uYRXBpaDDdChm1zMRuEKvqHEW4Kr/WIXIevY0vSgsebZEB0LnhxSY0syHJiPF7FD
TY7u7Am59FtxLbXsWOnyfdOiQBDPppSyUZ1YhEKeqMJ4qih0h9bJFanZWixGGzHa
1nXwN1UMbF01NCzxDSt3NGfKYEbW1ogeV8B81aqxxQDKuf71PL84WN/+C31ZZXNJ
IFFH/arlmacriXKHlIzAJ/bU2maX7F3y5WjFsMVEgMiP6V4qkragSHCJqfSdwJkP
wrf2nA3RFErqVlG9wMVbCuvzZrEZ/q+oixQdrdE7D++oCNdVrjY=
=29X3
-----END PGP SIGNATURE-----

29
share/xml/advisories.xml
View file

@ -10,6 +10,35 @@
<month>
<name>7</name>
<day>
<name>24</name>
<advisory>
<name>FreeBSD-SA-19:17.fd</name>
</advisory>
<advisory>
<name>FreeBSD-SA-19:16.bhyve</name>
</advisory>
<advisory>
<name>FreeBSD-SA-19:15.mqueuefs</name>
</advisory>
<advisory>
<name>FreeBSD-SA-19:14.freebsd32</name>
</advisory>
<advisory>
<name>FreeBSD-SA-19:13.pts</name>
</advisory>
<advisory>
<name>FreeBSD-SA-19:12.telnet</name>
</advisory>
</day>
<day>
<name>2</name>

9
share/xml/notices.xml
View file

@ -10,6 +10,15 @@
<month>
<name>7</name>
<day>
<name>24</name>
<notice>
<name>FreeBSD-EN-19:13.mds</name>
</notice>
</day>
<day>
<name>2</name>