Add EN-20:19 to EN-20:22, SA-20:31, and SA-20:32.

Approved by:	so
Gordon Tetlow 2020-12-01 19:53:40 +00:00
parent cc296b4d19
commit cdd891a20a
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=54726
28 changed files with 4216 additions and 0 deletions

@ -0,0 +1,142 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:19.audit Errata Notice
The FreeBSD Project
Topic: execve/fexecve system call auditing
Category: core
Module: kernel
Announced: 2020-12-01
Affects: FreeBSD 12.1 and later.
Corrected: 2020-10-27 13:13:04 UTC (stable/12, 12.2-STABLE)
2020-12-01 19:34:45 UTC (releng/12.2, 12.2-RELEASE-p1)
2020-12-01 19:34:45 UTC (releng/12.1, 12.1-RELEASE-p11)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The audit(4) facility allows a system administrator to audit
security-relevant events. System calls are one such security-related event,
and the audit(4) facility will record whether the system call was successful
along with other important details.
II. Problem Description
All execve/fexecve system calls in affected versions will be reported as a
failure, even upon successful execution. For affected kernels, the exact
error reported is EJUSTRETURN, 201, or "Just return" depending on the tooling
used. These can safely be considered successful returns for the fexecve and
execve system calls. Note that audit trails that were produced by kernels
starting with FreeBSD 12.0 will exhibit this problem.
III. Impact
It is important to be able to determine when a process is, for instance,
executing a shell. Such events may be indicative of an intrusion if they
are not expected. Failure to report such an execution as successful may
result in intrusions that are no longer detectable.
IV. Workaround
No workaround is available. This error is irrelevant for system
administrators that do not use the audit(4) facility. Users of the
audit(4) facility could detect the specific error that is being
returned as success, but this may complicate auditing as all failures
must be recorded.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.2.patch
# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.2.patch.asc
# gpg --verify audit.12.2.patch.asc
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.1.patch
# fetch https://security.FreeBSD.org/patches/EN-20:19/audit.12.1.patch.asc
# gpg --verify audit.12.1.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r367080
releng/12.2/ r368249
releng/12.1/ r368249
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=249179>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:19.audit.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
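Review bot: The Affects field says "FreeBSD 12.1 and later", but section II ends with "audit trails that were produced by kernels starting with FreeBSD 12.0 will exhibit this problem". Reconcile the two, and if 12.0 is left out of Affects only because of its support status, say so, so that anyone reviewing archived trails from 12.0 hosts knows the EJUSTRETURN records apply to them as well. Section IV would also be clearer if it named the value to treat as success (EJUSTRETURN, 201) rather than "the specific error".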

@ -0,0 +1,148 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:20.tzdata Errata Notice
The FreeBSD Project
Topic: Timezone database information update
Category: contrib
Module: zoneinfo
Announced: 2020-12-01
Affects: All supported versions of FreeBSD.
Corrected: 2020-10-23 01:06:33 UTC (stable/12, 12.1-STABLE)
2020-12-01 19:35:48 UTC (releng/12.2, 12.2-RELEASE-p1)
2020-12-01 19:35:48 UTC (releng/12.1, 12.1-RELEASE-p11)
2020-10-23 01:06:42 UTC (stable/11, 11.4-STABLE)
2020-12-01 19:35:48 UTC (releng/11.4, 11.4-RELEASE-p5)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The tzsetup(8) program allows the user to specify the default local timezone.
Based on the selected timezone, tzsetup(8) copies one of the files from
/usr/share/zoneinfo to /etc/localtime. This file actually controls the
conversion.
II. Problem Description
Several changes in Daylight Saving Time happened after previous FreeBSD
releases were released that would affect many people who live in different
parts of the world. Because of these changes, the data in the zoneinfo files
need to be updated, and if the local timezone on the running system is
affected, tzsetup(8) needs to be run so the /etc/localtime is updated.
III. Impact
An incorrect time will be displayed on a system configured to use one of the
affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
not updated, and all applications on the system that rely on the system time,
such as cron(8) and syslog(8), will be affected.
IV. Workaround
The system administrator can install an updated timezone database from the
misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.
Applications that store and display times in Coordinated Universal Time (UTC)
are not affected.
V. Solution
Please note that some third party software, for instance PHP, Ruby, Java and
Perl, may be using different zoneinfo data source, in such cases this
software must be updated separately. For software packages that is installed
via binary packages, they can be upgraded by executing `pkg upgrade'.
Following the instructions in this Errata Notice will update all of the
zoneinfo files to be the same as what was released with FreeBSD release.
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. Restart all the affected
applications and daemons, or reboot the system.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all the affected applications and daemons, or reboot the system.
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:20/tzdata-2020d.patch
# fetch https://security.FreeBSD.org/patches/EN-20:20/tzdata-2020d.patch.asc
# gpg --verify tzdata-2020d.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all the affected applications and daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r366956
releng/12.2/ r368251
releng/12.1/ r368251
stable/11/ r366957
releng/11.4/ r368251
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:20.tzdata.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
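Review bot: In the Corrected field, stable/12 is labelled "12.1-STABLE", while the other notices added in this commit label stable/12 as "12.2-STABLE"; check which label is intended. In section V, "the same as what was released with FreeBSD release" does not say which tzdata version results, and the patch name tzdata-2020d.patch suggests naming 2020d there. "For software packages that is installed" should read "that are installed".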

@ -0,0 +1,118 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:21.ipfw Errata Notice
The FreeBSD Project
Topic: Uninitialized variable in ipfw
Category: core
Module: ipfw
Announced: 2020-12-01
Affects: FreeBSD 12.2
Corrected: 2020-10-18 20:54:15 UTC (stable/12, 12.2-STABLE)
2020-12-01 19:36:36 UTC (releng/12.2, 12.2-RELEASE-p1)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
ipfw(8) is the command-line utility used to configure the ipfw(4) firewall.
II. Problem Description
A regression in FreeBSD 12.2 meant that ipfw(8) fwd commands referencing
specific port numbers may configure the firewall incorrectly.
III. Impact
Forwarding rules referencing port numbers may not work as configured.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:21/ipfw.patch
# fetch https://security.FreeBSD.org/patches/EN-20:21/ipfw.patch.asc
# gpg --verify ipfw.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r366816
releng/12.2/ r368252
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250434>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:21.ipfw.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
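Review bot: The Topic is "Uninitialized variable in ipfw", but section II only says fwd commands "may configure the firewall incorrectly" and never mentions the uninitialized variable or what the incorrect configuration looks like. Add a sentence tying the two together, and in section V say whether existing fwd rules need to be reloaded with the updated ipfw(8) after installworld, since the update steps end without any restart or reload instruction.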

@ -0,0 +1,137 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:22.callout Errata Notice
The FreeBSD Project
Topic: Race condition in callout CPU migration
Category: core
Module: callout
Announced: 2020-12-01
Affects: FreeBSD 12.1 and 12.2
Corrected: 2020-11-26 14:57:30 UTC (stable/12, 12.2-STABLE)
2020-12-01 19:37:33 UTC (releng/12.2, 12.2-RELEASE-p1)
2020-12-01 19:37:33 UTC (releng/12.1, 12.1-RELEASE-p11)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The callout(9) kernel subsystem is used by other kernel subsystems to request
execution of a function following a specified timeout. callout(9) implements
an interface which allows a pending callout to be stopped.
II. Problem Description
Callouts may be bound to a specific CPU, in which case that CPU is
responsible for raising the timer interrupt which schedules execution of the
callout.
A kernel thread may attempt to stop a callout while it is actively executing,
in which case the thread goes to sleep until execution has completed. In the
meantime the callout may be re-scheduled and re-executed on a different CPU.
In this scenario, when the sleeping thread finally completes removal of the
callout from some internal data structures, it may modify the wrong CPU's
data structures and thus leave them in an invalid state.
III. Impact
The bug may result in kernel panics under some workloads, typically in the
softclock threads.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.2.patch
# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.2.patch.asc
# gpg --verify callout.12.2.patch.asc
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.1.patch
# fetch https://security.FreeBSD.org/patches/EN-20:22/callout.12.1.patch.asc
# gpg --verify callout.12.1.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r368057
releng/12.2/ r368254
releng/12.1/ r368254
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:22.callout.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,152 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:31.icmp6 Security Advisory
The FreeBSD Project
Topic: ICMPv6 use-after-free in error message handling
Category: core
Module: icmp6
Announced: 2020-12-01
Credits: Maxime Villard
Affects: All supported versions of FreeBSD.
Corrected: 2020-11-05 22:41:54 UTC (stable/12, 12.2-STABLE)
2020-12-01 19:38:52 UTC (releng/12.2, 12.2-RELEASE-p1)
2020-12-01 19:38:52 UTC (releng/12.1, 12.1-RELEASE-p11)
2020-12-01 03:07:26 UTC (stable/11, 11.4-STABLE)
2020-12-01 19:38:52 UTC (releng/11.4, 11.4-RELEASE-p5)
CVE Name: CVE-2020-7469
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
ICMPv6 is the ICMP protocol for IPv6. It is used to transmit informational
and error messages between IPv6 hosts.
II. Problem Description
When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may
extract information from the message to hand to upper-layer protocols. As a
part of this operation, it may parse IPv6 header options from a packet
embedded in the ICMPv6 message.
The handler for a routing option caches a pointer into the packet buffer
holding the ICMPv6 message. However, when processing subsequent options the
packet buffer may be freed, rendering the cached pointer invalid. The
network stack may later dereference the pointer, potentially triggering a
use-after-free.
III. Impact
A remote host may be able to trigger a read of freed kernel memory. This may
trigger a kernel panic if the address had been unmapped.
IV. Workaround
Systems with IPv6 disabled are not affected. No workaround is available
except to disable IPv6 on the system's network interfaces.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.2]
# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.2.patch
# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.2.patch.asc
# gpg --verify icmp6.12.2.patch.asc
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.12.1.patch.asc
# gpg --verify icmp6.12.1.patch.asc
[FreeBSD 11.4]
# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.11.4.patch
# fetch https://security.FreeBSD.org/patches/SA-20:31/icmp6.11.4.patch.asc
# gpg --verify icmp6.11.4.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r367402
releng/12.2/ r368255
releng/12.1/ r368255
stable/11/ r368202
releng/11.4/ r368255
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<other info on vulnerability>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7469>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:31.icmp6.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
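Review bot: Section VII still contains the template placeholder "<other info on vulnerability>" above the CVE link. Replace it with an actual reference or delete the line; because it sits inside the PGP-signed message, correcting it means re-signing the advisory.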

@ -0,0 +1,156 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:32.rtsold Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in rtsold
Category: core
Module: rtsold
Announced: 2020-12-01
Credits: Quarkslab Vulnerability Reports
Affects: All supported versions of FreeBSD
Corrected: 2020-12-01 19:35:48 UTC (stable/12, 12.2-STABLE)
2020-12-01 19:39:44 UTC (releng/12.2, 12.2-RELEASE-p1)
2020-12-01 19:39:44 UTC (releng/12.1, 12.1-RELEASE-p11)
2020-12-01 19:36:37 UTC (stable/11, 11.4-STABLE)
2020-12-01 19:39:44 UTC (releng/11.4, 11.4-RELEASE-p5)
CVE Name: CVE-2020-25577
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
As part of the stateless address autoconfiguration (SLAAC) mechanism, IPv6
routers periodically broadcast router advertisement messages on attached
networks to inform hosts of the correct network prefix, router address and
MTU, as well as additional network parameters such as the DNS servers
(RDNSS), DNS search list (DNSSL) and whether a stateful configuration service
is available. Hosts that have recently joined the network can broadcast a
router solicitation message to solicit an immediate advertisement instead of
waiting for the next periodic advertisement.
The router solicitation daemon, rtsold(8), broadcasts router solicitation
messages at startup or when the state of an interface changes from passive to
active. Incoming router advertisement messages are first processed by the
kernel and then passed on to rtsold(8), which handles the DNS and stateful
configuration options.
II. Problem Description
Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First,
rtsold(8) failed to perform sufficient bounds checking on the extent of the
option. In particular, it does not verify that the option does not extend
past the end of the received packet before processing its contents. The
kernel currently ignores such malformed packets but still passes them to
userspace programs.
Second, when processing a DNSSL option, rtsold(8) decodes domain name labels
per an encoding specified in RFC 1035 in which the first octet of each label
contains the label's length. rtsold(8) did not validate label lengths
correctly and could overflow the destination buffer.
III. Impact
It is believed that these bugs could be exploited to gain remote code
execution within the rtsold(8) daemon, which runs as root. Note that
rtsold(8) only processes messages received from hosts attached to the same
physical link as the interface(s) on which rtsold(8) is listening.
In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a
compromised rtsold(8) process.
IV. Workaround
No workaround is available, but systems that do not run rtsold(8) are not
affected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:32/rtsold.patch
# fetch https://security.FreeBSD.org/patches/SA-20:32/rtsold.patch.asc
# gpg --verify rtsold.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r368250
releng/12.2/ r368256
releng/12.1/ r368256
stable/11/ r368253
releng/11.4/ r368256
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25577>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:32.rtsold.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
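Review bot: Section II switches tense between "failed to perform", "does not verify" and "did not validate", which leaves it unclear which statements describe the unpatched daemon; use one tense throughout. The Topic says "Multiple vulnerabilities" and section II describes two bugs, while a single CVE Name is listed, so a sentence stating that CVE-2020-25577 covers both would help. In section V, "Restart the applicable daemons" could name rtsold(8) directly.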

@ -0,0 +1,139 @@
--- sys/amd64/linux/linux_machdep.c.orig
+++ sys/amd64/linux/linux_machdep.c
@@ -81,6 +81,8 @@
#include <x86/ifunc.h>
#include <x86/sysarch.h>
+#include <security/audit/audit.h>
+
#include <amd64/linux/linux.h>
#include <amd64/linux/linux_proto.h>
#include <compat/linux/linux_emul.h>
@@ -107,6 +109,7 @@
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
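Review bot: The expression "error == EJUSTRETURN ? 0 : error" on the added AUDIT_SYSCALL_EXIT line is repeated verbatim at every exec entry point this patch touches, with no comment at the call site. Consider a small helper macro or inline function for the exec case, or at least a one-line comment here saying that EJUSTRETURN is the success return of execve and must be recorded as 0, so that a future exec path does not pass the raw error.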
--- sys/amd64/linux32/linux32_machdep.c.orig
+++ sys/amd64/linux32/linux32_machdep.c
@@ -69,6 +69,8 @@
#include <vm/vm.h>
#include <vm/vm_map.h>
+#include <security/audit/audit.h>
+
#include <compat/freebsd32/freebsd32_util.h>
#include <amd64/linux32/linux.h>
#include <amd64/linux32/linux32_proto.h>
@@ -143,6 +145,7 @@
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/arm64/linux/linux_machdep.c.orig
+++ sys/arm64/linux/linux_machdep.c
@@ -38,6 +38,8 @@
#include <sys/proc.h>
#include <sys/sdt.h>
+#include <security/audit/audit.h>
+
#include <arm64/linux/linux.h>
#include <arm64/linux/linux_proto.h>
#include <compat/linux/linux_dtrace.h>
@@ -74,6 +76,7 @@
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/compat/freebsd32/freebsd32_misc.c.orig
+++ sys/compat/freebsd32/freebsd32_misc.c
@@ -440,6 +440,7 @@
if (error == 0)
error = kern_execve(td, &eargs, NULL);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
@@ -460,6 +461,7 @@
error = kern_execve(td, &eargs, NULL);
}
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/i386/linux/linux_machdep.c.orig
+++ sys/i386/linux/linux_machdep.c
@@ -61,6 +61,8 @@
#include <vm/vm.h>
#include <vm/vm_map.h>
+#include <security/audit/audit.h>
+
#include <i386/linux/linux.h>
#include <i386/linux/linux_proto.h>
#include <compat/linux/linux_emul.h>
@@ -116,6 +118,7 @@
free(newpath, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/kern/kern_exec.c.orig
+++ sys/kern/kern_exec.c
@@ -224,6 +224,7 @@
if (error == 0)
error = kern_execve(td, &args, NULL);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
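Review bot: AUDIT_SYSCALL_EXIT is added after post_execve() with nothing at this call site explaining why the record is committed here instead of in the generic syscall path; the explanation lives only in the subr_syscall.c comment. Add a short comment here pointing to it, and note whether the ordering relative to post_execve() matters.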
@@ -251,6 +252,7 @@
error = kern_execve(td, &args, NULL);
}
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
@@ -279,6 +281,7 @@
if (error == 0)
error = kern_execve(td, &args, uap->mac_p);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
#else
return (ENOSYS);
--- sys/kern/subr_syscall.c.orig
+++ sys/kern/subr_syscall.c
@@ -133,6 +133,16 @@
AUDIT_SYSCALL_ENTER(sa->code, td);
error = (sa->callp->sy_call)(td, sa->args);
+
+ /*
+ * Note that some syscall implementations (e.g., sys_execve)
+ * will commit the audit record just before their final return.
+ * These were done under the assumption that nothing of interest
+ * would happen between their return and here, where we would
+ * normally commit the audit record. These assumptions will
+ * need to be revisited should any substantial logic be added
+ * above.
+ */
AUDIT_SYSCALL_EXIT(error, td);
/* Save the latest error return value. */
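Review bot: The new comment explains that some syscalls commit the audit record before returning, but the AUDIT_SYSCALL_EXIT(error, td) that follows it still runs unconditionally for them, with the untranslated error. The comment should state what makes this second call harmless once the record has been committed, since the fix depends on it. "These were done" would also read better as "This was done".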

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,139 @@
--- sys/amd64/linux/linux_machdep.c.orig
+++ sys/amd64/linux/linux_machdep.c
@@ -81,6 +81,8 @@
#include <x86/ifunc.h>
#include <x86/sysarch.h>
+#include <security/audit/audit.h>
+
#include <amd64/linux/linux.h>
#include <amd64/linux/linux_proto.h>
#include <compat/linux/linux_emul.h>
@@ -107,6 +109,7 @@
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/amd64/linux32/linux32_machdep.c.orig
+++ sys/amd64/linux32/linux32_machdep.c
@@ -69,6 +69,8 @@
#include <vm/vm.h>
#include <vm/vm_map.h>
+#include <security/audit/audit.h>
+
#include <compat/freebsd32/freebsd32_util.h>
#include <amd64/linux32/linux.h>
#include <amd64/linux32/linux32_proto.h>
@@ -138,6 +140,7 @@
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/arm64/linux/linux_machdep.c.orig
+++ sys/arm64/linux/linux_machdep.c
@@ -38,6 +38,8 @@
#include <sys/proc.h>
#include <sys/sdt.h>
+#include <security/audit/audit.h>
+
#include <arm64/linux/linux.h>
#include <arm64/linux/linux_proto.h>
#include <compat/linux/linux_dtrace.h>
@@ -74,6 +76,7 @@
free(path, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/compat/freebsd32/freebsd32_misc.c.orig
+++ sys/compat/freebsd32/freebsd32_misc.c
@@ -440,6 +440,7 @@
if (error == 0)
error = kern_execve(td, &eargs, NULL, oldvmspace);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
@@ -460,6 +461,7 @@
error = kern_execve(td, &eargs, NULL, oldvmspace);
}
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/i386/linux/linux_machdep.c.orig
+++ sys/i386/linux/linux_machdep.c
@@ -61,6 +61,8 @@
#include <vm/vm.h>
#include <vm/vm_map.h>
+#include <security/audit/audit.h>
+
#include <i386/linux/linux.h>
#include <i386/linux/linux_proto.h>
#include <compat/linux/linux_emul.h>
@@ -111,6 +113,7 @@
free(newpath, M_TEMP);
if (error == 0)
error = linux_common_execve(td, &eargs);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
--- sys/kern/kern_exec.c.orig
+++ sys/kern/kern_exec.c
@@ -224,6 +224,7 @@
if (error == 0)
error = kern_execve(td, &args, NULL, oldvmspace);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
@@ -251,6 +252,7 @@
error = kern_execve(td, &args, NULL, oldvmspace);
}
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
}
@@ -279,6 +281,7 @@
if (error == 0)
error = kern_execve(td, &args, uap->mac_p, oldvmspace);
post_execve(td, error, oldvmspace);
+ AUDIT_SYSCALL_EXIT(error == EJUSTRETURN ? 0 : error, td);
return (error);
#else
return (ENOSYS);
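Review bot: The translation `error == EJUSTRETURN ? 0 : error` is open-coded at every exec entry point in this patch: three times in kern_exec.c, twice in freebsd32_misc.c, and once in each of the four Linux machdep files. A single helper macro, or doing the translation once where the record is committed, would keep a future exec entry point from being added without it and bringing back failed-execve audit records. In this hunk the `#else` branch returning ENOSYS has no audit call of its own and relies on the generic exit in subr_syscall.c; a one-line comment saying so would help.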
--- sys/kern/subr_syscall.c.orig
+++ sys/kern/subr_syscall.c
@@ -142,6 +142,16 @@
AUDIT_SYSCALL_ENTER(sa->code, td);
error = (sa->callp->sy_call)(td, sa->args);
+
+ /*
+ * Note that some syscall implementations (e.g., sys_execve)
+ * will commit the audit record just before their final return.
+ * These were done under the assumption that nothing of interest
+ * would happen between their return and here, where we would
+ * normally commit the audit record. These assumptions will
+ * need to be revisited should any substantial logic be added
+ * above.
+ */
AUDIT_SYSCALL_EXIT(error, td);
/* Save the latest error return value. */

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=y1yb
-----END PGP SIGNATURE-----

File diff suppressed because it is too large

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=MCBt
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,89 @@
--- sbin/ipfw/dummynet.c.orig
+++ sbin/ipfw/dummynet.c
@@ -1279,8 +1279,8 @@
struct dn_profile *pf = NULL;
struct ipfw_flow_id *mask = NULL;
#ifdef NEW_AQM
- struct dn_extra_parms *aqm_extra;
- struct dn_extra_parms *sch_extra;
+ struct dn_extra_parms *aqm_extra = NULL;
+ struct dn_extra_parms *sch_extra = NULL;
int lmax_extra;
#endif
--- sbin/ipfw/ipfw2.c.orig
+++ sbin/ipfw/ipfw2.c
@@ -1618,6 +1618,9 @@
case O_TCPWIN:
s = "tcpwin";
break;
+ default:
+ s = "<unknown>";
+ break;
}
bprintf(bp, " %s %u", s, cmd->arg1);
} else
@@ -4003,7 +4006,7 @@
struct addrinfo *res;
char *s, *end;
int family;
- u_short port_number;
+ u_short port_number = 0;
NEED1("missing forward address[:port]");
@@ -5600,7 +5603,7 @@
static void
ipfw_list_tifaces(void)
{
- ipfw_obj_lheader *olh;
+ ipfw_obj_lheader *olh = NULL;
ipfw_iface_info *info;
uint32_t i;
int error;
@@ -5608,7 +5611,6 @@
if ((error = ipfw_get_tracked_ifaces(&olh)) != 0)
err(EX_OSERR, "Unable to request ipfw tracked interface list");
-
qsort(olh + 1, olh->count, olh->objsize, ifinfo_cmp);
info = (ipfw_iface_info *)(olh + 1);
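Review bot: With `olh` initialised to NULL in the previous hunk, `qsort(olh + 1, olh->count, olh->objsize, ifinfo_cmp)` here still dereferences it with only the return value of `ipfw_get_tracked_ifaces()` checked. If the initialisation is meant as more than a compiler-warning fix, add an explicit `olh == NULL` check before the qsort; if it is only a warning fix, say so in the commit message. The blank-line removal that is the only change in this hunk is unrelated whitespace and would be better kept out of an errata patch.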
@@ -5625,7 +5627,3 @@
free(olh);
}
-
-
-
-
--- sbin/ipfw/nat64lsn.c.orig
+++ sbin/ipfw/nat64lsn.c
@@ -99,6 +99,7 @@
stg = (ipfw_nat64lsn_stg_v1 *)(od + 1);
sz = od->head.length - sizeof(*od);
next_idx = 0;
+ proto = NULL;
while (sz > 0 && next_idx != 0xFF) {
next_idx = stg->next.index;
sz -= sizeof(*stg);
--- sbin/ipfw/tables.c.orig
+++ sbin/ipfw/tables.c
@@ -847,7 +847,7 @@
static int
table_show_one(ipfw_xtable_info *i, void *arg)
{
- ipfw_obj_header *oh;
+ ipfw_obj_header *oh = NULL;
int error;
int is_all;
@@ -1179,7 +1179,7 @@
struct servent *sent;
int masklen;
- masklen = 0;
+ mask = masklen = 0;
af = 0;
paddr = (struct in6_addr *)&tentry->k;
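Review bot: `mask = masklen = 0;` folds a new initialisation into an existing statement, while the next line keeps `af = 0;` on its own. Put `mask = 0;` on a separate line so the added initialisation is easy to see in blame and does not depend on `mask` and `masklen` having compatible types, which this hunk does not show.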

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,20 @@
--- sys/kern/kern_timeout.c.orig
+++ sys/kern/kern_timeout.c
@@ -1270,7 +1270,7 @@
* just wait for the current invocation to
* finish.
*/
- while (cc_exec_curr(cc, direct) == c) {
+ if (cc_exec_curr(cc, direct) == c) {
/*
* Use direct calls to sleepqueue interface
* instead of cv/msleep in order to avoid
@@ -1318,7 +1318,7 @@
/* Reacquire locks previously released. */
PICKUP_GIANT();
- CC_LOCK(cc);
+ goto again;
}
c->c_flags &= ~CALLOUT_ACTIVE;
} else if (use_lock &&
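Review bot: `goto again` replaces `CC_LOCK(cc)` directly under the comment "Reacquire locks previously released", so in the visible lines only `PICKUP_GIANT()` still matches that comment and the callout lock is no longer retaken here. The `again` label is outside both hunks; please confirm that it takes the lock before `cc_exec_curr(cc, direct)` is evaluated again, and update the comment to say where the lock is reacquired. With `while` changed to `if` in the first hunk, that goto is the only thing that rechecks the condition, which deserves a note at the `if`.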

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=f0gt
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,20 @@
--- sys/kern/kern_timeout.c.orig
+++ sys/kern/kern_timeout.c
@@ -1271,7 +1271,7 @@
* just wait for the current invocation to
* finish.
*/
- while (cc_exec_curr(cc, direct) == c) {
+ if (cc_exec_curr(cc, direct) == c) {
/*
* Use direct calls to sleepqueue interface
* instead of cv/msleep in order to avoid
@@ -1319,7 +1319,7 @@
/* Reacquire locks previously released. */
PICKUP_GIANT();
- CC_LOCK(cc);
+ goto again;
}
c->c_flags &= ~CALLOUT_ACTIVE;
} else if (use_lock &&

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=ZONK
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,57 @@
--- sys/netinet6/icmp6.c.orig
+++ sys/netinet6/icmp6.c
@@ -903,6 +903,7 @@
}
#endif
eip6 = (struct ip6_hdr *)(icmp6 + 1);
+ bzero(&icmp6dst, sizeof(icmp6dst));
/* Detect the upper level protocol */
{
@@ -911,7 +912,6 @@
int eoff = off + sizeof(struct icmp6_hdr) +
sizeof(struct ip6_hdr);
struct ip6ctlparam ip6cp;
- struct in6_addr *finaldst = NULL;
int icmp6type = icmp6->icmp6_type;
struct ip6_frag *fh;
struct ip6_rthdr *rth;
@@ -994,7 +994,7 @@
/* just ignore a bogus header */
if ((rth0->ip6r0_len % 2) == 0 &&
(hops = rth0->ip6r0_len/2))
- finaldst = (struct in6_addr *)(rth0 + 1) + (hops - 1);
+ icmp6dst.sin6_addr = *((struct in6_addr *)(rth0 + 1) + (hops - 1));
}
eoff += rthlen;
nxt = rth->ip6r_nxt;
@@ -1059,13 +1059,10 @@
*/
eip6 = (struct ip6_hdr *)(icmp6 + 1);
- bzero(&icmp6dst, sizeof(icmp6dst));
icmp6dst.sin6_len = sizeof(struct sockaddr_in6);
icmp6dst.sin6_family = AF_INET6;
- if (finaldst == NULL)
+ if (IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr))
icmp6dst.sin6_addr = eip6->ip6_dst;
- else
- icmp6dst.sin6_addr = *finaldst;
if (in6_setscope(&icmp6dst.sin6_addr, m->m_pkthdr.rcvif, NULL))
goto freeit;
bzero(&icmp6src, sizeof(icmp6src));
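Review bot: `IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr)` now stands in for the old `finaldst == NULL` test, which turns the all-zero address into a sentinel for "no routing header seen". That works only because `bzero(&icmp6dst, sizeof(icmp6dst))` was moved ahead of the header walk in the first hunk, and it also means a routing header whose last address is `::` is replaced by `eip6->ip6_dst`, where the old code would have used the header's value. Both are probably intended, but a comment at the moved bzero and at this test should state the dependency so that a later cleanup does not move the bzero back down.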
@@ -1077,13 +1074,11 @@
icmp6src.sin6_flowinfo =
(eip6->ip6_flow & IPV6_FLOWLABEL_MASK);
- if (finaldst == NULL)
- finaldst = &eip6->ip6_dst;
ip6cp.ip6c_m = m;
ip6cp.ip6c_icmp6 = icmp6;
ip6cp.ip6c_ip6 = (struct ip6_hdr *)(icmp6 + 1);
ip6cp.ip6c_off = eoff;
- ip6cp.ip6c_finaldst = finaldst;
+ ip6cp.ip6c_finaldst = &icmp6dst.sin6_addr;
ip6cp.ip6c_src = &icmp6src;
ip6cp.ip6c_nxt = nxt;

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=pxHP
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,57 @@
--- sys/netinet6/icmp6.c.orig
+++ sys/netinet6/icmp6.c
@@ -896,6 +896,7 @@
}
#endif
eip6 = (struct ip6_hdr *)(icmp6 + 1);
+ bzero(&icmp6dst, sizeof(icmp6dst));
/* Detect the upper level protocol */
{
@@ -904,7 +905,6 @@
int eoff = off + sizeof(struct icmp6_hdr) +
sizeof(struct ip6_hdr);
struct ip6ctlparam ip6cp;
- struct in6_addr *finaldst = NULL;
int icmp6type = icmp6->icmp6_type;
struct ip6_frag *fh;
struct ip6_rthdr *rth;
@@ -987,7 +987,7 @@
/* just ignore a bogus header */
if ((rth0->ip6r0_len % 2) == 0 &&
(hops = rth0->ip6r0_len/2))
- finaldst = (struct in6_addr *)(rth0 + 1) + (hops - 1);
+ icmp6dst.sin6_addr = *((struct in6_addr *)(rth0 + 1) + (hops - 1));
}
eoff += rthlen;
nxt = rth->ip6r_nxt;
@@ -1052,13 +1052,10 @@
*/
eip6 = (struct ip6_hdr *)(icmp6 + 1);
- bzero(&icmp6dst, sizeof(icmp6dst));
icmp6dst.sin6_len = sizeof(struct sockaddr_in6);
icmp6dst.sin6_family = AF_INET6;
- if (finaldst == NULL)
+ if (IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr))
icmp6dst.sin6_addr = eip6->ip6_dst;
- else
- icmp6dst.sin6_addr = *finaldst;
if (in6_setscope(&icmp6dst.sin6_addr, m->m_pkthdr.rcvif, NULL))
goto freeit;
bzero(&icmp6src, sizeof(icmp6src));
@@ -1070,13 +1067,11 @@
icmp6src.sin6_flowinfo =
(eip6->ip6_flow & IPV6_FLOWLABEL_MASK);
- if (finaldst == NULL)
- finaldst = &eip6->ip6_dst;
ip6cp.ip6c_m = m;
ip6cp.ip6c_icmp6 = icmp6;
ip6cp.ip6c_ip6 = (struct ip6_hdr *)(icmp6 + 1);
ip6cp.ip6c_off = eoff;
- ip6cp.ip6c_finaldst = finaldst;
+ ip6cp.ip6c_finaldst = &icmp6dst.sin6_addr;
ip6cp.ip6c_src = &icmp6src;
ip6cp.ip6c_nxt = nxt;

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=BitD
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,61 @@
--- sys/netinet6/icmp6.c.orig
+++ sys/netinet6/icmp6.c
@@ -912,6 +912,7 @@
}
icmp6 = (struct icmp6_hdr *)(mtod(m, caddr_t) + off);
eip6 = (struct ip6_hdr *)(icmp6 + 1);
+ bzero(&icmp6dst, sizeof(icmp6dst));
/* Detect the upper level protocol */
{
@@ -920,7 +921,6 @@
int eoff = off + sizeof(struct icmp6_hdr) +
sizeof(struct ip6_hdr);
struct ip6ctlparam ip6cp;
- struct in6_addr *finaldst = NULL;
int icmp6type = icmp6->icmp6_type;
struct ip6_frag *fh;
struct ip6_rthdr *rth;
@@ -994,10 +994,11 @@
}
rth0 = (struct ip6_rthdr0 *)
(mtod(m, caddr_t) + eoff);
+
/* just ignore a bogus header */
if ((rth0->ip6r0_len % 2) == 0 &&
(hops = rth0->ip6r0_len/2))
- finaldst = (struct in6_addr *)(rth0 + 1) + (hops - 1);
+ icmp6dst.sin6_addr = *((struct in6_addr *)(rth0 + 1) + (hops - 1));
}
eoff += rthlen;
nxt = rth->ip6r_nxt;
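Review bot: The replacement line `icmp6dst.sin6_addr = *((struct in6_addr *)(rth0 + 1) + (hops - 1));` runs well past 80 columns and should be wrapped. The blank line added before "just ignore a bogus header" does not appear in the other two branch patches for this file and looks like stray whitespace. Since the substance of the change is that the address is now copied out of the packet rather than referenced through a pointer, a short comment saying so would keep a later cleanup from reverting to a pointer.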
@@ -1051,13 +1052,10 @@
*/
eip6 = (struct ip6_hdr *)(icmp6 + 1);
- bzero(&icmp6dst, sizeof(icmp6dst));
icmp6dst.sin6_len = sizeof(struct sockaddr_in6);
icmp6dst.sin6_family = AF_INET6;
- if (finaldst == NULL)
+ if (IN6_IS_ADDR_UNSPECIFIED(&icmp6dst.sin6_addr))
icmp6dst.sin6_addr = eip6->ip6_dst;
- else
- icmp6dst.sin6_addr = *finaldst;
if (in6_setscope(&icmp6dst.sin6_addr, m->m_pkthdr.rcvif, NULL))
goto freeit;
bzero(&icmp6src, sizeof(icmp6src));
@@ -1069,13 +1067,11 @@
icmp6src.sin6_flowinfo =
(eip6->ip6_flow & IPV6_FLOWLABEL_MASK);
- if (finaldst == NULL)
- finaldst = &eip6->ip6_dst;
ip6cp.ip6c_m = m;
ip6cp.ip6c_icmp6 = icmp6;
ip6cp.ip6c_ip6 = (struct ip6_hdr *)(icmp6 + 1);
ip6cp.ip6c_off = eoff;
- ip6cp.ip6c_finaldst = finaldst;
+ ip6cp.ip6c_finaldst = &icmp6dst.sin6_addr;
ip6cp.ip6c_src = &icmp6src;
ip6cp.ip6c_nxt = nxt;

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=hs7b
-----END PGP SIGNATURE-----

View file

@ -0,0 +1,52 @@
--- usr.sbin/rtsold/rtsol.c.orig
+++ usr.sbin/rtsold/rtsol.c
@@ -337,8 +337,8 @@
newent_rai = 1;
}
-#define RA_OPT_NEXT_HDR(x) (struct nd_opt_hdr *)((char *)x + \
- (((struct nd_opt_hdr *)x)->nd_opt_len * 8))
+#define RA_OPT_NEXT_HDR(x) (struct nd_opt_hdr *)((char *)(x) + \
+ (((struct nd_opt_hdr *)(x))->nd_opt_len * 8))
/* Process RA options. */
warnmsg(LOG_DEBUG, __func__, "Processing RA");
raoptp = (char *)icp + sizeof(struct nd_router_advert);
@@ -350,6 +350,15 @@
warnmsg(LOG_DEBUG, __func__, "ndo->nd_opt_len = %d",
ndo->nd_opt_len);
+ if (ndo->nd_opt_len == 0) {
+ warnmsg(LOG_INFO, __func__, "invalid option length 0.");
+ break;
+ }
+ if ((char *)RA_OPT_NEXT_HDR(raoptp) > (char *)icp + msglen) {
+ warnmsg(LOG_INFO, __func__, "option length overflow.");
+ break;
+ }
+
switch (ndo->nd_opt_type) {
case ND_OPT_RDNSS:
rdnss = (struct nd_opt_rdnss *)raoptp;
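Review bot: The two new checks establish that the option is non-empty and ends inside the message, but the `case ND_OPT_RDNSS` that follows casts `raoptp` to `struct nd_opt_rdnss *` with no visible check that `nd_opt_len * 8` is at least the size of that structure. If that test is not already made further down, add a per-type minimum length check before the cast. Also consider including `ndo->nd_opt_type` in the two LOG_INFO messages so the offending option can be identified from the log.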
@@ -760,15 +769,18 @@
src_last = strchr(src, '\0');
dst_origin = dst;
memset(dst, '\0', dlen);
- while (src && (len = (uint8_t)(*src++) & 0x3f) &&
- (src + len) <= src_last &&
- (dst - dst_origin < (ssize_t)dlen)) {
- if (dst != dst_origin)
+ while ((len = (*src++) & 0x3f) &&
+ src + len <= src_last &&
+ len + 1 + (dst == dst_origin ? 0 : 1) <= dlen) {
+ if (dst != dst_origin) {
*dst++ = '.';
+ dlen--;
+ }
warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len);
memcpy(dst, src, len);
src += len;
dst += len;
+ dlen -= len;
}
*dst = '\0';
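Review bot: `(*src++) & 0x3f` still masks off the top two bits of the length byte instead of rejecting a byte that has them set, so a DNS compression pointer (top bits 11) is decoded as a short label rather than treated as invalid input. Consider testing the unmasked byte and breaking out when either high bit is set. Separately, `dlen` is now decremented as a remaining-space counter; a local variable for the remaining space would keep the parameter's meaning as the buffer size, and dropping the `(uint8_t)` cast is safe only because of the mask, which is worth a comment.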

View file

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----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=9gYz
-----END PGP SIGNATURE-----

View file

@ -7,6 +7,23 @@
<year>
<name>2020</name>
<month>
<name>12</name>
<day>
<name>1</name>
<advisory>
<name>FreeBSD-SA-20:32.rtsold</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:31.icmp6</name>
</advisory>
</day>
</month>
<month>
<name>9</name>

View file

@ -7,6 +7,31 @@
<year>
<name>2020</name>
<month>
<name>12</name>
<day>
<name>1</name>
<notice>
<name>FreeBSD-EN-20:22.callout</name>
</notice>
<notice>
<name>FreeBSD-EN-20:21.ipfw</name>
</notice>
<notice>
<name>FreeBSD-EN-20:20.tzdata</name>
</notice>
<notice>
<name>FreeBSD-EN-20:19.audit</name>
</notice>
</day>
</month>
<month>
<name>9</name>