os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add SA-16:08, SA-16:09 and SA-16:10.

Browse source
This commit is contained in:
Xin LI 2016-01-27 08:09:32 +00:00
parent 5f388dea1d
commit cf53b9400e
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=48099
10 changed files with 18007 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

145
share/security/advisories/FreeBSD-SA-16:08.bind.asc Normal file
View file

@ -0,0 +1,145 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:08.bind Security Advisory
The FreeBSD Project
Topic: BIND remote denial of service vulnerability
Category: contrib
Module: bind
Announced: 2016-01-27
Credits: ISC
Affects: FreeBSD 9.x
Corrected: 2016-01-20 08:54:35 UTC (stable/9, 9.3-STABLE)
2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name: CVE-2015-8704
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
Address Prefixes List (APL RR) is a type of DNS Resource Record defined in
RFC 3123.
II. Problem Description
There is an off-by-one error in a buffer size check when performing certain
string formatting operations.
III. Impact
Slaves using text-format db files could be vulnerable if receiving a
malformed record in a zone transfer from their master.
Masters using text-format db files could be vulnerable if they accept
a malformed record in a DDNS update message.
Recursive resolvers are potentially vulnerable when debug logging is
enabled and if they are fed a deliberately malformed record by a
malicious server.
A server which has cached a specially constructed record could encounter
this condition while performing 'rndc dumpdb'.
IV. Workaround
No workaround is available, but hosts not running named(8) are not
vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The named service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The named service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:08/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:08/bind.patch.asc
# gpg --verify bind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r294405
releng/9.3/ r294905
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://kb.isc.org/article/AA-01335>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:08.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)
iQIcBAEBCgAGBQJWqHmfAAoJEO1n7NZdz2rngIkP/Ru1a5U14/iJKqGO2o+OQkk5
j9G3rwEQROlPhtHdUE3vtA2fZcsayJaK1CjU3j91VWlTXHfBnju6gbJVPntNQqe5
TxRFmRhRjcyreNdt6hKvFgDrXmWwrytRukJ/XafdYxoWFDTtrUScwrOH87U8ILcF
gkWgzCQ7EnYqr7sEW1makDHmIOLukJo5pJOnUTRkraDP2oaKSros3GC+Fnh6Wf+q
wYOkgl2gj96ubJW4SvdZCAKFtnMrhw0ZZyrVDuPojzWU+ZotzWvZz3xGvoSqXy5U
rqqtUQNHMU0Aqhe9zurW4B2ioff6XALZPgRYqQRI8ezXTgDDhJSwa12mjTJuQmaR
hQRJlW5u5/Ejj2NML6NkhvLuSApwZcAZ2G7cLGdR6nEKKVEb6mXgnL7T/CdhhTj8
2owIz1iIdI2sUmhv6vuxPxB1k/O7b76LTZ2AL6jx4/mEtOVeofpNej5w7qnvCSqV
RcZsOYRXrMZ0YWuhBkKqnMGGIU0TBMDvjJL5gxf5RR14iLExcC1fKhkhbvRMag4Y
ck7Ja45Ltpwtd0t7/AfzbeI4OVmos4NB36HK5pYJchmOUavm6im5V6781mYGZgQn
HtOQEyi7tSeft+Fz21dmK6Z1GV6lRmrt52wAKyJ71nA/WESgma50WE49RX+cH1MH
nmon5PYKLuMuzFVNYZWs
=HYpu
-----END PGP SIGNATURE-----

225
share/security/advisories/FreeBSD-SA-16:09.ntp.asc Normal file
View file

@ -0,0 +1,225 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:09.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Category: contrib
Module: ntp
Announced: 2016-01-27
Credits: Cisco ASIG / Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2016-01-22 15:55:21 UTC (stable/10, 10.2-STABLE)
2016-01-27 07:41:31 UTC (releng/10.2, 10.2-RELEASE-p11)
2016-01-27 07:41:31 UTC (releng/10.1, 10.1-RELEASE-p28)
2016-01-22 15:56:35 UTC (stable/9, 9.3-STABLE)
2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976,
CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138,
CVE-2015-8139, CVE-2015-8140, CVE-2015-8158
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
II. Problem Description
Multiple vulnerabilities have been discovered in ntp 4.2.8p5:
Potential Infinite Loop in ntpq. [CVE-2015-8158]
A logic error would allow packets with an origin timestamp of zero
to bypass this check whenever there is not an outstanding request
to the server. [CVE-2015-8138]
Off-path Denial of Service (DoS) attack on authenticated broadcast mode.
[CVE-2015-7979]
Stack exhaustion in recursive traversal of restriction list. [CVE-2015-7978]
reslist NULL pointer dereference. [CVE-2015-7977]
ntpq saveconfig command allows dangerous characters in filenames.
[CVE-2015-7976]
nextvar() missing length check. [CVE-2015-7975]
Skeleton Key: Missing key check allows impersonation between authenticated
peers. [CVE-2015-7974]
Deja Vu: Replay attack on authenticated broadcast mode. [CVE-2015-7973]
ntpq vulnerable to replay attacks. [CVE-2015-8140]
Origin Leak: ntpq and ntpdc, disclose origin. [CVE-2015-8139]
III. Impact
A malicious NTP server, or an attacker who can conduct MITM attack by
intercepting NTP query traffic, may be able to cause a ntpq client to
infinitely loop. [CVE-2015-8158]
A malicious NTP server, or an attacker who can conduct MITM attack by
intercepting NTP query traffic, may be able to prevent a ntpd(8) daemon
to distinguish between legitimate peer responses from forgeries. This
can partially be mitigated by configuring multiple time sources.
[CVE-2015-8138]
An off-path attacker who can send broadcast packets with bad
authentication (wrong key, mismatched key, incorrect MAC, etc) to
broadcast clients can cause these clients to tear down associations.
[CVE-2015-7979]
An attacker who can send unauthenticated 'reslist' command to a NTP
server may cause it to crash, resulting in a denial of service
condition due to stack exhaustion [CVE-2015-7978] or a NULL pointer
dereference [CVE-2015-7977].
An attacker who can send 'modify' requests to a NTP server may be
able to create file that contain dangerous characters in their name,
which could cause dangerous behavior in a later shell invocation.
[CVE-2015-7976]
A remote attacker may be able to crash a ntpq client. [CVE-2015-7975]
A malicious server which holds a trusted key may be able to
impersonate other trusted servers in an authenticated configuration.
[CVE-2015-7974]
A man-in-the-middle attacker or a malicious participant that has the
same trusted keys as the victim can replay time packets if the NTP
network is configured for broadcast operations. [CVE-2015-7973]
The ntpq protocol is vulnerable to replay attacks which may be used
to e.g. re-establish an association to malicious server. [CVE-2015-8140]
An attacker who can intercept NTP traffic can easily forge live server
responses. [CVE-2015-8139]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected. Network administrators are advised to implement BCP-38,
which helps to reduce risk associated with the attacks.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The ntpd service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The ntpd service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:09/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-16:09/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r294570
releng/9.3/ r294905
stable/10/ r294569
releng/10.1/ r294904
releng/10.2/ r294904
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-7973>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-7974>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-7975>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-7976>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-7977>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-7978>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-7979>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-8138>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-8139>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-8140>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?CVE-2015-8158>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)
iQIcBAEBCgAGBQJWqHmfAAoJEO1n7NZdz2rnt9cP/2EtdEPX/oBJXKFWqQv5cwvY
C4gmlK5MZok2an330XMPl0RO2RplsIw4Lo4BuUh7HPKhVa5loYasabKrULQ+4Pgv
z9INxDTDO8iooHeTeNe/VAb5YcKFrD7sqajdc0cY11rLEw1o53IuULz9wZnczAe/
KnHDNUyYaSU2Ep+c3+ADSJqOk3ffhsGDS+0byoOBcUN+66MnBg19/rKomiN5a7Nt
XSseoQgYISU8aaJDvPlGoaN/Xm5fnFZaKFlJ4y7h51sYYep0qgjQx+Gdakk0vNbh
CwsjpBKqDpFpBcSgdEC/bYHnNpYUTJB/tPmG3YDO5jMWQISKGrrnuMYeh+7PjTDS
vCrneztpVBscLG4ZKSlfmhpZ/Jfy31YPXm5P/w8NuA05i13K06P4gG5PKNyUMgsk
AZQ4Vg8YlyS0Ci4ufdc+AIQI35QMrKvfecJVu49+sNhUA4PpTe7coEU9dks3Dtaw
g2QbfnsEWzJ6RBJcw7aQDSgRoqrVQgMB8IIota+aMzeVurgyFxPm9LASk2RYjhmC
Ep283cc+HPUnihKBZTwwkw5iznbmpyRYlPghEc7slgOZCbk9pefnsCMOZAqRW9fZ
DUpt+HvZD5BKB4kCAUMIvKGS91cyBFaNcdJhlB8uUx2aP2UJmuzldk+x9K74wWGK
lnP0IazzXnWFobfwr+qT
=0ZhD
-----END PGP SIGNATURE-----

140
share/security/advisories/FreeBSD-SA-16:10.linux.asc Normal file
View file

@ -0,0 +1,140 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:10.linux Security Advisory
The FreeBSD Project
Topic: Linux compatibility layer issetugid(2) system call
vulnerability
Category: core
Module: kernel
Announced: 2016-01-27
Credits: Isaac Dunham, Brent Cook, Warner Losh
Affects: All supported versions of FreeBSD.
Corrected: 2016-01-27 07:28:55 UTC (stable/10, 10.2-STABLE)
2016-01-27 07:41:31 UTC (releng/10.2, 10.2-RELEASE-p11)
2016-01-27 07:41:31 UTC (releng/10.1, 10.1-RELEASE-p28)
2016-01-27 07:34:23 UTC (stable/9, 9.3-STABLE)
2016-01-27 07:42:11 UTC (releng/9.3, 9.3-RELEASE-p35)
CVE Name: CVE-2016-1883
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component. The support is
provided on amd64 and i386 machines.
II. Problem Description
A programming error in the Linux compatibility layer could cause the
issetugid(2) system call to return incorrect information.
III. Impact
If an application relies on output of the issetugid(2) system call
and that information is incorrect, this could lead to a privilege
escalation.
IV. Workaround
No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.
The following command can be used to test if the Linux binary
compatibility layer is loaded:
# kldstat -m linuxelf
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Reboot the system or unload and reload the linux.ko kernel module.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Reboot the system or unload and reload the linux.ko kernel module.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:10/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-16:10/linux.patch.asc
# gpg --verify linux.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r294903
releng/9.3/ r294905
stable/10/ r294901
releng/10.1/ r294904
releng/10.2/ r294904
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1883>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:10.linux.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)
iQIcBAEBCgAGBQJWqHmfAAoJEO1n7NZdz2rnsr0QAJtM4C+IgRcRHdNGL7vXp1NP
u3sFyktcRGCR0p+lMOaFYPp/Vmu09NglhcaxYFbk4WONVSnZKOuiWsjOL9by/eof
77i8bXINlB/8Pp+34KpxDtz5wR3jVAApaL8xvS+/DaKj3RdQ63RrHgtQRTAk+VSO
ISAXxF2U/XAcRlmBQ3oOtqeHads6M1LNG/D/I0FgpU2G17QoUpfa+AvOkS1wBw7d
mdcnC4NDKKx3QnyD0FTrh4z444PwvE3IQ7OSm7VX4/oOZdH+CC9coLCV1BXALrfA
WVmaUMDy8bWiv7JMsda2xl4KhcEx2Y0UN2hGYdMZJubqYcnUknMimW3b2fhsfgl1
UaQDD6xv9I4xZqo1NHh4/WiH33PvOmM+U0E6IMb5hTUbfSd0mXOn4yzTP5gJxe4h
fPk5ZUj/HTKx6C8ERMknTDdn+ZrLLlQJAoDbipPZkRBMcsgvRYGjKquBnrW9N0z2
BUtuLODg/GxMmkQXYV7mT08xw7YLvIbfSwGvlOd/k5hB/0KMTRLBFGd6vc2lZ+CL
dseeK59vUK50Arua8qbg6AlOYc9Dga/XeQ753za0zEm7LOXzjr7jlBex/04ZxvE/
N4OTxNYlASk1cwBcoytZ8da3D7Vqh7vw7QmUR8lAb/x5ijR1QjCApji+yRupCEG+
PGHIMcxSGeBx7Drd1eBE
=PyM5
-----END PGP SIGNATURE-----

22
share/security/patches/SA-16:08/bind.patch Normal file
View file

@ -0,0 +1,22 @@
Index: contrib/bind9/lib/dns/rdata/in_1/apl_42.c
===================================================================
--- contrib/bind9/lib/dns/rdata/in_1/apl_42.c (revision 294299)
+++ contrib/bind9/lib/dns/rdata/in_1/apl_42.c (working copy)
@@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) {
isc_uint8_t len;
isc_boolean_t neg;
unsigned char buf[16];
- char txt[sizeof(" !64000")];
+ char txt[sizeof(" !64000:")];
const char *sep = "";
int n;
@@ -140,7 +140,7 @@ totext_in_apl(ARGS_TOTEXT) {
isc_region_consume(&sr, 1);
INSIST(len <= sr.length);
n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
- neg ? "!": "", afi);
+ neg ? "!" : "", afi);
INSIST(n < (int)sizeof(txt));
RETERR(str_totext(txt, target));
switch (afi) {

17
share/security/patches/SA-16:08/bind.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)
iQIcBAABCgAGBQJWqHnkAAoJEO1n7NZdz2rnSzoQALduvw7DCOsGiKYoQgU17nyo
iiacv5vRmDx7+43BMsND1SM9kwid9RPZWbAj5lb80g7ZOnluBxAoilmqVWgzs9gb
1IkATsf5TTbQcGxYG1wQqx2ahfih0FUIb3Qg1KFMDO3XCPvIMucSAQMtPgq3FdFl
A/FGH1+Yls4Aum53ulgR6IuotzaYnxiznxqi5IGhfTrPSZIuVnH4SDubwTrE+0kJ
N3SzYc3ilguqOtxwSyBtIMSaqPiXZCBGYKGnR8RzysxhfdP56dBSJHzkNoniexjU
4jYD5X+fY6ze04yjgdh/Fat3IgoqjnJ3UJ//lxMWGBrj4xI9JHUAS/jLJpLPnMuI
WBL7G2jJXGrBsGwq5imDPuobfQoT8wuXYGfMi14XRc5/cKbQn+JqTGf9zB562NSW
ADe26s05zgvYS10+nhbxT7v3gYcB/0U2M6HGbN5t/KCTBGteJJsSo3o2ZEZBdkbe
jKnNP8RR2OTAjeCCXYqp8BVO9d+tecOzX/LM5Lj+97iwKKkPkHnOGA9zkyeQdGvt
8KxBsub1LRYPR/87WZDZWtdGALaxqgQDj7G1ib0mLCbj2CzOSRa34bS/kvTQ7BtD
ca7fhrebvhBVP6MqnYAmmuU+ojqMftx7mTZs+fWWFVLcTiPp9WqP2w0r6A/MlkSq
ys1rAAXCj/WvMFopSMzu
=kVrg
-----END PGP SIGNATURE-----

17352
share/security/patches/SA-16:09/ntp.patch Normal file
View file

File diff suppressed because it is too large Load diff

17
share/security/patches/SA-16:09/ntp.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)
iQIcBAABCgAGBQJWqHnkAAoJEO1n7NZdz2rneC4P/0YjmeW8xqfQGLBIBa9odNPJ
JxGegvos/aYLrPP3+m3hFtaWwGjQgO4iPBrniK/DqmzoTUJ2S5zYiGO4ZjZHxAcm
d/sxrwb2xtAvHDvjrMGLTxq5wSaI2cMXplp9cF5UlYWSjSL4GcJ+ZiOKWPela0mX
fy/Z5kmHA3gL39xS8emfWHyYbLGdyYrmcBxMILC4XfHzr9pUz/a093hobja5xDCR
ulHsoW+QwdJJPleGt9bN5Ajtl7ZQqHZn/CAsuZfJE7qx+Cpbyyi5/AkK0jqabBQa
mzETADhO0H/EYodAfxe1zFfNwbGZ0bEtIrodQ595jDqpY7ocECn1rTTjV30JgDmx
+/N1n4XKVqcNdC9mX0YUQlljaHxlN/LCOJJ4pFn8UKBXptmacY2i6yvgaoyNyMKy
jHGr4fACYsOtyA82EDE2t4fd0tZC5uasPtIPyCrCLQZN2otfP47sY7q84cMXbex8
q5T1c/PZU8kUjPVmPRmFXpUjEVw5BLxiLtwTusYk/6Kjz9bKXrwa2h0gqZiyedMV
5nf8C2xi4dnaYIIQB3txSVN6vhxs5he3vhbuEpfE8qM3qI5N3WKl1d0azMjDN2zM
4XUNrdklRI2yIWiun1V71QHKhwZtfZmT3KUYhoXe72zq4OOzN4PDXeaLkPAcaCzC
4HSz1ozAqx3i3jJD7crA
=X9Vq
-----END PGP SIGNATURE-----

56
share/security/patches/SA-16:10/linux.patch Normal file
View file

@ -0,0 +1,56 @@
Index: sys/amd64/linux32/linux32_sysvec.c
===================================================================
--- sys/amd64/linux32/linux32_sysvec.c (revision 294778)
+++ sys/amd64/linux32/linux32_sysvec.c (working copy)
@@ -248,6 +248,7 @@ elf_linux_fixup(register_t **stack_base, struct im
Elf32_Addr *base;
Elf32_Addr *pos, *uplatform;
struct linux32_ps_strings *arginfo;
+ int issetugid;
arginfo = (struct linux32_ps_strings *)LINUX32_PS_STRINGS;
uplatform = (Elf32_Addr *)((caddr_t)arginfo - linux_szplatform);
@@ -258,6 +259,7 @@ elf_linux_fixup(register_t **stack_base, struct im
args = (Elf32_Auxargs *)imgp->auxargs;
pos = base + (imgp->args->argc + imgp->args->envc + 2);
+ issetugid = imgp->proc->p_flag & P_SUGID ? 1 : 0;
AUXARGS_ENTRY_32(pos, LINUX_AT_HWCAP, cpu_feature);
/*
@@ -277,7 +279,7 @@ elf_linux_fixup(register_t **stack_base, struct im
AUXARGS_ENTRY_32(pos, AT_FLAGS, args->flags);
AUXARGS_ENTRY_32(pos, AT_ENTRY, args->entry);
AUXARGS_ENTRY_32(pos, AT_BASE, args->base);
- AUXARGS_ENTRY_32(pos, LINUX_AT_SECURE, 0);
+ AUXARGS_ENTRY_32(pos, LINUX_AT_SECURE, issetugid);
AUXARGS_ENTRY_32(pos, AT_UID, imgp->proc->p_ucred->cr_ruid);
AUXARGS_ENTRY_32(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
AUXARGS_ENTRY_32(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);
Index: sys/i386/linux/linux_sysvec.c
===================================================================
--- sys/i386/linux/linux_sysvec.c (revision 294778)
+++ sys/i386/linux/linux_sysvec.c (working copy)
@@ -244,11 +244,13 @@ elf_linux_fixup(register_t **stack_base, struct im
Elf32_Addr *uplatform;
struct ps_strings *arginfo;
register_t *pos;
+ int issetugid;
KASSERT(curthread->td_proc == imgp->proc,
("unsafe elf_linux_fixup(), should be curproc"));
p = imgp->proc;
+ issetugid = imgp->proc->p_flag & P_SUGID ? 1 : 0;
arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
uplatform = (Elf32_Addr *)((caddr_t)arginfo - linux_szplatform);
args = (Elf32_Auxargs *)imgp->auxargs;
@@ -273,7 +275,7 @@ elf_linux_fixup(register_t **stack_base, struct im
AUXARGS_ENTRY(pos, AT_FLAGS, args->flags);
AUXARGS_ENTRY(pos, AT_ENTRY, args->entry);
AUXARGS_ENTRY(pos, AT_BASE, args->base);
- AUXARGS_ENTRY(pos, LINUX_AT_SECURE, 0);
+ AUXARGS_ENTRY(pos, LINUX_AT_SECURE, issetugid);
AUXARGS_ENTRY(pos, AT_UID, imgp->proc->p_ucred->cr_ruid);
AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);

17
share/security/patches/SA-16:10/linux.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)
iQIcBAABCgAGBQJWqHnlAAoJEO1n7NZdz2rnCPUP/3VkL6MUy2x0Nw69Ei+aM64T
3uuhvv7VPvjdtSmYNBigxTEz8vSyofLN94H4nxXhdaNDCDy4Uixmqq3sN4uOAbCk
xMdqQ5Ks1zwesZceZDD0MMuEmIZoOF5+xM22ZtqbS/gjwwKyGjWn8EKSA1Y8sxI8
by5jGdaVxIe0A5L9bJlAs4/sdISNKi7KBCNkwLw/lzgprV101eXc/5YnmQNxoFPd
URyhMGQiZjNynD/t2L1lqwNwgHPN4I8nXoZLhbG2dh7b1S+7LZU5hapXPAxqQe9X
vYyhj4HJhUMJKY+Kp9kNLtj0NiXcynwF3IAYQpBIuiZFt1VAkRN6JIiWOU9hZO+V
2l/kcXWYwe4FeNxszIkXgOdgs/BJrh2M8t3w5lDdgkUQr98hopMQLb0Tbzn1rPCL
5apBEIycx0JfAm15zadP/6RkaT/Hry9Ql8cP00UXWuLqN44vaFY0uAVlrfNmIHSM
1//+UY5dSnuIB4AcmlSu1TVPAIHCagKbKg1564Rv9xQxFYqKDFenmDONTN7gAXm4
MhDXuB8nr4XO/l8W0Rw3hCI3x3wV54GRkSEx7pxsFK8xUrY6F5eY24SvYiEfOsYC
9c5NJi/HFnG9ZrR3ov2iPxwcbTkub1YPV7kbyg3LYsB9mAMXAxZWi3sOJX5r4geb
PmWo0n/1uPD/hC0dRMVB
=kZyo
-----END PGP SIGNATURE-----

16
share/xml/advisories.xml
View file

@ -10,6 +10,22 @@
<month> <month>
<name>1</name> <name>1</name>
<day>
<name>14</name>
<advisory>
<name>FreeBSD-SA-16:10.linux</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:09.ntp</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:08.bind</name>
</advisory>
</day>
<day> <day>
<name>14</name> <name>14</name>