Add EN-20:01, EN-20:01, and SA-20:01 through SA-20:03.

Approved by:	so
Gordon Tetlow 2020-01-28 19:12:55 +00:00
parent b6c3f1683a
commit f6a49b1e07
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=53835
17 changed files with 894 additions and 0 deletions

@ -0,0 +1,138 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:01.ssp Errata Notice
The FreeBSD Project
Topic: Imprecise ordering of SSP canary initialization
Category: core
Module: libc
Announced: 2020-01-28
Credits: Kyle Evans
Affects: All supported versions of FreeBSD.
Corrected: 2019-11-25 03:49:38 UTC (stable/12, 12.1-STABLE)
2020-01-28 18:53:14 UTC (releng/12.1, 12.1-RELEASE-p2)
2020-01-28 18:53:14 UTC (releng/12.0, 12.0-RELEASE-p13)
2019-11-25 03:49:38 UTC (stable/11, 11.3-STABLE)
2020-01-28 18:53:14 UTC (releng/11.3, 11.3-RELEASE-p6)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The Stack Smashing Protector ("SSP") relies on a stack canary being
initialized early on in application startup. On FreeBSD, this is
accomplished with a constructor in libc.
II. Problem Description
When a binary is statically linked, constructor invocation order is based on
priority and sorted arbitrarily within a priority level across all
constructors present in the single statically linked object. The stack
canary guard constructor had no priority, so statically linked binary could
not predictably order their constructors to avoid bad interactions with
respect to the stack canary constructor leading to false-positive detection
of a stack overflow condition and erroneous process abort in some rare cases.
Dynamically linked binaries are generally not affected, since the stack
canary is initialized in libc and libc is ordered very early in constructor
invocation.
III. Impact
Affected programs will abort and log a "stack overflow detected" message to
syslog(3).
IV. Workaround
No workaround is available, but dynamically linked binaries are not affected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. Statically linked binaries
should be relinked against the updated base system.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:01/ssp.patch
# fetch https://security.FreeBSD.org/patches/EN-20:01/ssp.patch.asc
# gpg --verify ssp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r355080
releng/12.1/ r357215
releng/12.0/ r357215
stable/11/ r355080
releng/11.3/ r357215
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241905>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:01.ssp.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
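
Review bot: section II, "so statically linked binary could not predictably order their constructors", mixes singular and plural; suggest "so statically linked binaries could not predictably order their constructors". The same sentence runs from the missing priority to the process abort without a break, and a comma before "leading to false-positive detection" would make it easier to follow.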

@ -0,0 +1,131 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:02.nmount Errata Notice
The FreeBSD Project
Topic: nmount invalid pointer dereference
Category: core
Module: kernel
Announced: 2020-01-28
Credits: Andrew Turner
Affects: FreeBSD 11.3 and FreeBSD 12.0.
Corrected: 2019-10-03 07:17:26 UTC (stable/12, 12.1-STABLE)
2019-10-04 14:10:56 UTC (releng/12.1, 12.1-RELEASE)
2020-01-28 18:54:15 UTC (releng/12.0, 12.0-RELEASE-p13)
2019-10-04 17:27:49 UTC (stable/11, 11.3-STABLE)
2020-01-28 18:54:15 UTC (releng/11.3, 11.3-RELEASE-p6)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The nmount(2) system call is used to mount file systems.
II. Problem Description
VFS option processing related to the nmount(2) system call was missing a
length check. This is generally only available to privileged users unless
the vfs.usermount sysctl is changed from the default to allow non-privileged
users the ability to mount file systems.
III. Impact
A userland process authorized to mount filesystems can possibly trigger a
kernel panic.
IV. Workaround
No workaround is available. However, if the vfs.usermount sysctl has been
changed to allow non-privileged users the ability to mount file systems,
switching back to the default value of 0 will prevent non-privileged users
from triggering the issue.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:02/nmount.patch
# fetch https://security.FreeBSD.org/patches/EN-20:02/nmount.patch.asc
# gpg --verify nmount.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r353032
releng/12.1/ r353104
releng/12.0/ r357216
stable/11/ r353109
releng/11.3/ r357216
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:02.nmount.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
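
Review bot: this file is FreeBSD-EN-20:02.nmount, but the commit log names EN-20:01 twice and never EN-20:02; correct the log message so that a history search for EN-20:02 finds this commit. In section II, "This is generally only available to privileged users" follows a sentence about a missing length check and has no clear referent; suggest "The nmount(2) system call is generally only available to privileged users".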

@ -0,0 +1,131 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:01.libfetch Security Advisory
The FreeBSD Project
Topic: libfetch buffer overflow
Category: core
Module: libfetch
Announced: 2020-01-28
Credits: Duncan Overbruck
Affects: All supported versions of FreeBSD.
Corrected: 2020-01-28 18:40:55 UTC (stable/12, 12.1-STABLE)
2020-01-28 18:55:25 UTC (releng/12.1, 12.1-RELEASE-p2)
2020-01-28 18:55:25 UTC (releng/12.0, 12.0-RELEASE-p13)
2020-01-28 18:42:06 UTC (stable/11, 11.3-STABLE)
2020-01-28 18:55:25 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name: CVE-2020-7450
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
libfetch(3) is a multi-protocol file transfer library included with FreeBSD
and used by the fetch(1) command-line tool, pkg(8) package manager, and
others.
II. Problem Description
A programming error allows an attacker who can specify a URL with a username
and/or password components to overflow libfetch(3) buffers.
III. Impact
An attacker in control of the URL to be fetched (possibly via HTTP redirect)
may cause a heap buffer overflow, resulting in program misbehavior or
malicious code execution.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch
# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch.asc
# gpg --verify libfetch.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r357213
releng/12.1/ r357217
releng/12.0/ r357217
stable/11/ r357214
releng/11.3/ r357217
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7450>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:01.libfetch.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,123 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:02.ipsec Security Advisory
The FreeBSD Project
Topic: Missing IPsec anti-replay window check
Category: core
Module: kernel
Announced: 2020-01-28
Credits: Jean-Francois HREN
Affects: FreeBSD 12.0 only
Corrected: 2020-01-28 18:56:46 UTC (releng/12.0, 12.0-RELEASE-p13)
CVE Name: CVE-2019-5613
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
IPsec is a suite of protocols providing data authentication, integrity, and
confidentiality between two networked hosts.
II. Problem Description
A missing check means that an attacker can reinject an old packet and it will
be accepted and processed by the IPsec endpoint.
III. Impact
The impact depends on the higher-level protocols in use over IPsec. For
example, an attacker who can capture and inject packets could cause an action
that was intentionally performed once to be repeated.
IV. Workaround
No workaround is available. Systems not using IPsec are not vulnerable.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch.asc
# gpg --verify ipsec.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
releng/12.0/ r357218
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5613>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:02.ipsec.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,131 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:03.thrmisc Security Advisory
The FreeBSD Project
Topic: kernel stack data disclosure
Category: core
Module: kernel
Announced: 2020-01-28
Credits: Ilja Van Sprundel
Affects: All supported versions of FreeBSD.
Corrected: 2019-11-15 16:40:10 UTC (stable/12, 12.1-STABLE)
2020-01-28 18:57:45 UTC (releng/12.1, 12.1-RELEASE-p2)
2020-01-28 18:57:45 UTC (releng/12.0, 12.0-RELEASE-p13)
2019-11-15 16:40:55 UTC (stable/11, 11.3-STABLE)
2020-01-28 18:57:45 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name: CVE-2019-15875
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The kernel can create a core dump file when a process crashes that contains
process state, for debugging.
II. Problem Description
Due to incorrect initialization of a stack data structure, up to 20 bytes of
kernel data stored previously stored on the stack will be exposed to a
crashing user process.
III. Impact
Sensitive kernel data may be disclosed.
IV. Workaround
Core dumps may be disabled by setting the kern.coredump sysctl to 0.
See sysctl(8) and sysctl.conf(5).
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch
# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch.asc
# gpg --verify thrmisc.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r354734
releng/12.1/ r357219
releng/12.0/ r357219
stable/11/ r354735
releng/11.3/ r357219
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15875>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:03.thrmisc.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
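
Review bot: section II has a doubled word, "kernel data stored previously stored on the stack"; suggest "kernel data previously stored on the stack".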

@ -0,0 +1,33 @@
--- lib/libc/secure/stack_protector.c.orig
+++ lib/libc/secure/stack_protector.c
@@ -40,11 +40,29 @@
#include <unistd.h>
#include "libc_private.h"
+/*
+ * We give __guard_setup a defined priority early on so that statically linked
+ * applications have a defined priority at which __stack_chk_guard will be
+ * getting initialized. This will not matter to most applications, because
+ * they're either not usually statically linked or they simply don't do things
+ * in constructors that would be adversely affected by their positioning with
+ * respect to this initialization.
+ *
+ * This conditional should be removed when GCC 4.2 is removed.
+ */
+#if __has_attribute(__constructor__) || __GNUC_PREREQ__(4, 3)
+#define _GUARD_SETUP_CTOR_ATTR \
+ __attribute__((__constructor__ (200), __used__));
+#else
+#define _GUARD_SETUP_CTOR_ATTR \
+ __attribute__((__constructor__, __used__));
+#endif
+
extern int __sysctl(const int *name, u_int namelen, void *oldp,
size_t *oldlenp, void *newp, size_t newlen);
long __stack_chk_guard[8] = {0, 0, 0, 0, 0, 0, 0, 0};
-static void __guard_setup(void) __attribute__((__constructor__, __used__));
+static void __guard_setup(void) _GUARD_SETUP_CTOR_ATTR;
static void __fail(const char *);
void __stack_chk_fail(void);
void __chk_fail(void);
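
Review bot: both definitions of _GUARD_SETUP_CTOR_ATTR end in a semicolon, and the declaration "static void __guard_setup(void) _GUARD_SETUP_CTOR_ATTR;" adds another, so the expansion ends in ";;". The stray empty declaration at file scope does not break the build but draws a warning under pedantic settings; drop the semicolon from the two #define lines. The block comment could also say why 200 was chosen, so that anyone adding a prioritized constructor to a statically linked program knows which priorities run before the canary is initialized.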

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,20 @@
--- sys/kern/vfs_mount.c.orig
+++ sys/kern/vfs_mount.c
@@ -603,7 +603,7 @@
*/
fstypelen = 0;
error = vfs_getopt(optlist, "fstype", (void **)&fstype, &fstypelen);
- if (error || fstype[fstypelen - 1] != '\0') {
+ if (error || fstypelen <= 0 || fstype[fstypelen - 1] != '\0') {
error = EINVAL;
if (errmsg != NULL)
strncpy(errmsg, "Invalid fstype", errmsg_len);
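
Review bot: the new "fstypelen <= 0" test carries no comment saying what it protects, and it is only effective because it sits before "fstype[fstypelen - 1]" in the || chain. A one-line comment that a zero-length option would otherwise index one byte before the buffer would keep a later cleanup from reordering or dropping the test.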
@@ -611,7 +611,7 @@
}
fspathlen = 0;
error = vfs_getopt(optlist, "fspath", (void **)&fspath, &fspathlen);
- if (error || fspath[fspathlen - 1] != '\0') {
+ if (error || fspathlen <= 0 || fspath[fspathlen - 1] != '\0') {
error = EINVAL;
if (errmsg != NULL)
strncpy(errmsg, "Invalid fspath", errmsg_len);
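
Review bot: the fspath check is a copy of the fstype check in the previous hunk, down to the errmsg handling; a small helper that fetches a string option and validates both its length and its NUL termination would keep the two from drifting apart. Separately, in the context lines, strncpy(errmsg, "Invalid fspath", errmsg_len) leaves errmsg unterminated when errmsg_len is not larger than the message, which is worth confirming against the caller.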

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,29 @@
--- lib/libfetch/fetch.c.orig
+++ lib/libfetch/fetch.c
@@ -332,6 +332,8 @@
}
if (dlen-- > 0)
*dst++ = c;
+ else
+ return (NULL);
}
return (s);
}
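
Review bot: "return (NULL)" on a full destination buffer changes what this function can return, and nothing in the hunk documents it. State in the function's comment that NULL means the decoded field did not fit in dlen bytes, and check every caller, since any caller that still dereferences the result unconditionally will now hit a NULL pointer on an overlong field.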
@@ -381,11 +383,15 @@
if (p && *p == '@') {
/* username */
q = fetch_pctdecode(u->user, URL, URL_USERLEN);
+ if (q == NULL)
+ goto ouch;
/* password */
- if (*q == ':')
+ if (*q == ':') {
q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN);
-
+ if (q == NULL)
+ goto ouch;
+ }
p++;
} else {
p = URL;
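
Review bot: both new NULL checks jump to "ouch", whose body is not in this hunk; confirm that it releases u and reports a parse error, because an overlong username or password now fails the whole URL. A regression test with user and password fields exactly at and one byte over URL_USERLEN and URL_PWDLEN would pin the boundary down.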

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,11 @@
--- sys/netipsec/ipsec.c.orig
+++ sys/netipsec/ipsec.c
@@ -1318,6 +1318,8 @@
__func__, replay->overflow,
ipsec_sa2str(sav, buf, sizeof(buf))));
}
+
+ replay->count++;
return (0);
}
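
Review bot: "replay->count++" is added just before "return (0)" with no comment, although the advisory in this commit says the missing step let an old packet be accepted and processed. Add a comment stating how the replay check uses count, so the line is not dropped again in a refactor, and a regression test that presents the same sequence number twice and expects the second packet to be rejected.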

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,11 @@
--- sys/kern/imgact_elf.c.orig
+++ sys/kern/imgact_elf.c
@@ -2211,7 +2211,7 @@
td = (struct thread *)arg;
if (sb != NULL) {
KASSERT(*sizep == sizeof(thrmisc), ("invalid size"));
- bzero(&thrmisc._pad, sizeof(thrmisc._pad));
+ bzero(&thrmisc, sizeof(thrmisc));
strcpy(thrmisc.pr_tname, td->td_name);
sbuf_bcat(sb, &thrmisc, sizeof(thrmisc));
}
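
Review bot: the "strcpy(thrmisc.pr_tname, td->td_name)" in the context line right after the new bzero has no visible bound; strlcpy(thrmisc.pr_tname, td->td_name, sizeof(thrmisc.pr_tname)) or a compile-time assertion on the two array sizes would make the copy safe by construction. Zeroing the whole structure rather than _pad alone is the right shape for anything handed to sbuf_bcat(sb, &thrmisc, sizeof(thrmisc)), since it also covers any padding the compiler inserts between members.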

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -4,6 +4,31 @@
$FreeBSD$
</cvs:keyword>
<year>
<name>2020</name>
<month>
<name>1</name>
<day>
<name>28</name>
<advisory>
<name>FreeBSD-SA-20:03.thrmisc</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:02.ipsec</name>
</advisory>
<advisory>
<name>FreeBSD-SA-20:01.libfetch</name>
</advisory>
</day>
</month>
</year>
<year>
<name>2019</name>

@ -4,6 +4,27 @@
$FreeBSD$
</cvs:keyword>
<year>
<name>2020</name>
<month>
<name>1</name>
<day>
<name>28</name>
<notice>
<name>FreeBSD-EN-20:02.nmount</name>
</notice>
<notice>
<name>FreeBSD-EN-20:01.ssp</name>
</notice>
</day>
</month>
</year>
<year>
<name>2019</name>