Add EN-20:01, EN-20:01, and SA-20:01 through SA-20:03.

Approved by:	so

share/security/advisories/FreeBSD-EN-20:01.ssp.asc

@@ -0,0 +1,138 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:01.ssp                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Imprecise ordering of SSP canary initialization
+
+Category:       core
+Module:         libc
+Announced:      2020-01-28
+Credits:        Kyle Evans
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-11-25 03:49:38 UTC (stable/12, 12.1-STABLE)
+                2020-01-28 18:53:14 UTC (releng/12.1, 12.1-RELEASE-p2)
+                2020-01-28 18:53:14 UTC (releng/12.0, 12.0-RELEASE-p13)
+                2019-11-25 03:49:38 UTC (stable/11, 11.3-STABLE)
+                2020-01-28 18:53:14 UTC (releng/11.3, 11.3-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Stack Smashing Protector ("SSP") relies on a stack canary being
+initialized early on in application startup.  On FreeBSD, this is
+accomplished with a constructor in libc.
+
+II.  Problem Description
+
+When a binary is statically linked, constructor invocation order is based on
+priority and sorted arbitrarily within a priority level across all
+constructors present in the single statically linked object.  The stack
+canary guard constructor had no priority, so statically linked binary could
+not predictably order their constructors to avoid bad interactions with
+respect to the stack canary constructor leading to false-positive detection
+of a stack overflow condition and erroneous process abort in some rare cases.
+
+Dynamically linked binaries are generally not affected, since the stack
+canary is initialized in libc and libc is ordered very early in constructor
+invocation.
+
+III. Impact
+
+Affected programs will abort and log a "stack overflow detected" message to
+syslog(3).
+
+IV.  Workaround
+
+No workaround is available, but dynamically linked binaries are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  Statically linked binaries
+should be relinked against the updated base system.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:01/ssp.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:01/ssp.patch.asc
+# gpg --verify ssp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r355080
+releng/12.1/                                                      r357215
+releng/12.0/                                                      r357215
+stable/11/                                                        r355080
+releng/11.3/                                                      r357215
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241905>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:01.ssp.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whbdfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cKWSA/8CINmMeEm76kGRoyuDiTD+h1Ra28DM81+HNsTuEb8W8uhNT/ZJf61lWZe
+c5BEO8uJMP8XUjGEzIEu4ARkZcV2pvLxyUIoWgq1TGTYB7jp8zXeJZj/wPqLLpI4
+lwXl19hWPprz1CDgukR87+flDZyNEe62YfAtL3WRqGuYU8Yb6AmNoKSwOphset4m
+6F7pg8wPFnHfW2EOl6/jFZsv41C+2SlIXa8HIXFJj0TnfltLsCqEWhpDhVE0Wv0D
+f2MCGs03xS+UN/kUGIE6G2WBD/Etfy4DMr7RsRxu1lta6FhOk8sR27FCcSnqyKPM
+MqXK0PxN5qx8D2UbQUhNCmmclnOVjzGEn9ECzxW5XrDsz17bhodtL4f29GmLEw4l
+wdHcttUlQduzolZlBgKgNyp6ZuKXXYzPYsATgJTG9LBQShyQeWa4rCz21Nh+vrmA
+NdSAY/LEvq6R8IKHFljDwFIPITnV6xQObMIDgrsJMFyFyIUGiZEo0Jo51I28aUJ/
+EM76+SULzxY50Agw5KFgCM1iXPfGnEfPN03wNCzrbvpv3y67qduGF4jbmLMZPcnv
+aZBVQj4Cx9Q/pC/TCFNilmmEa3/xYDB6hGnQn9cIYBV1Q61IQXwGaGXNG+fN760x
+gYfnbY2ZlJVV66amfTC89HNVwMeq++Imd4AzNlaXV+a9qummNKc=
+=VzHc
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-EN-20:02.nmount.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-20:02.nmount                                         Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          nmount invalid pointer dereference
+
+Category:       core
+Module:         kernel
+Announced:      2020-01-28
+Credits:        Andrew Turner
+Affects:        FreeBSD 11.3 and FreeBSD 12.0.
+Corrected:      2019-10-03 07:17:26 UTC (stable/12, 12.1-STABLE)
+                2019-10-04 14:10:56 UTC (releng/12.1, 12.1-RELEASE)
+                2020-01-28 18:54:15 UTC (releng/12.0, 12.0-RELEASE-p13)
+                2019-10-04 17:27:49 UTC (stable/11, 11.3-STABLE)
+                2020-01-28 18:54:15 UTC (releng/11.3, 11.3-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The nmount(2) system call is used to mount file systems.
+
+II.  Problem Description
+
+VFS option processing related to the nmount(2) system call was missing a
+length check.  This is generally only available to privileged users unless
+the vfs.usermount sysctl is changed from the default to allow non-privileged
+users the ability to mount file systems.
+
+III. Impact
+
+A userland process authorized to mount filesystems can possibly trigger a
+kernel panic.
+
+IV.  Workaround
+
+No workaround is available.  However, if the vfs.usermount sysctl has been
+changed to allow non-privileged users the ability to mount file systems,
+switching back to the default value of 0 will prevent non-privileged users
+from triggering the issue.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date, and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for an errata update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-20:02/nmount.patch
+# fetch https://security.FreeBSD.org/patches/EN-20:02/nmount.patch.asc
+# gpg --verify nmount.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r353032
+releng/12.1/                                                      r353104
+releng/12.0/                                                      r357216
+stable/11/                                                        r353109
+releng/11.3/                                                      r357216
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:02.nmount.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whcpfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJWUQ//UZtfZZXpkmLYet67qmbIj7uLbw9CDc1N5HRwNgnjTDGc4d5o3BQEAr2X
+/q1t8US3Ec/rWm5YqzqRNmt+Uei/F7J2u1udRm56vsPPb+eq8tRiRVK6RYY4FYBj
+rxPkxf6nNCTqWELFtmQejnCQ0wN2Oy+oNY3fA1j1GzOHm0S7dc9CnlrE75eDX33q
+sXezm6/VYRwyKGKEJUMlmn9gn0qzGr3L9go5TCWDw9lhuJoygE/QblnVTQI5mTDv
+khjke28RxLkAkOUMvq8EIq1L9j88FeVWEOMIKU2xgaUvh6z6NQE8o6eKTb4D7mDO
+Vo4NdB81SdPmCaHISocrEhkS/Vff3rlMcb4xf/DFZgDK3FXzNYkAqLyMrDNw6egv
+fV4fbhnyqPpejCDW0Il7nxOwV4KtdmEaMCvKwvQu9VpiL8wUrV9wBSkbavyagS49
+un2UYkkv28IIkmhDwbRM7qEcE7Dt6xfsZN4HIZ6R2eUGhGx/ETDXoC9fE74khigF
+ubU7QygqWtZ8JDZ8qmnfDM7n0EG1DV3I+XSdupN1ytaxaKOzF5HAnVxcLuMnY5LT
+80HaVQazsfCJ5IQinUtiGoOFldQT3NGkvVMcCe+M5R+PP2g4DRJgaCzDCXDIx0k2
+My/JU5RjlUl0714OV0VaGlzVnwk5y7RNNLcHWlSx83HBoBSWcnk=
+=uOTk
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:01.libfetch.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:01.libfetch                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          libfetch buffer overflow
+
+Category:       core
+Module:         libfetch
+Announced:      2020-01-28
+Credits:        Duncan Overbruck
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-01-28 18:40:55 UTC (stable/12, 12.1-STABLE)
+                2020-01-28 18:55:25 UTC (releng/12.1, 12.1-RELEASE-p2)
+                2020-01-28 18:55:25 UTC (releng/12.0, 12.0-RELEASE-p13)
+                2020-01-28 18:42:06 UTC (stable/11, 11.3-STABLE)
+                2020-01-28 18:55:25 UTC (releng/11.3, 11.3-RELEASE-p6)
+CVE Name:       CVE-2020-7450
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+libfetch(3) is a multi-protocol file transfer library included with FreeBSD
+and used by the fetch(1) command-line tool, pkg(8) package manager, and
+others.
+
+II.  Problem Description
+
+A programming error allows an attacker who can specify a URL with a username
+and/or password components to overflow libfetch(3) buffers.
+
+III. Impact
+
+An attacker in control of the URL to be fetched (possibly via HTTP redirect)
+may cause a heap buffer overflow, resulting in program misbehavior or
+malicious code execution.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch.asc
+# gpg --verify libfetch.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r357213
+releng/12.1/                                                      r357217
+releng/12.0/                                                      r357217
+stable/11/                                                        r357214
+releng/11.3/                                                      r357217
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7450>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:01.libfetch.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whc5fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJw5BAAmi4Mk+an8qJB4GwfOSxWhn42GnN9/HikJwkiTNHQr7n51ANp4sHCgTYG
+PCo6UvCFqdIfhpBIrykI7ZwzAetCpldDdIMQFJoi5ChJ7aIcNDpiH06yLjYLgseS
+qSxJ+dXt6j7G2FMUWPBka8eTNBi64gT0MbyC7zFdISfJqfNy+p0WvdwYm3UsWkeR
+pEV+o6zL+PI3s6IsqQTQzYuyNYgoTLdvhjgNMymI+OMH8uCdBUrdItdSwSYPwVOp
++8SUX47jMFNcIbBmuQ3KnPxu9fHx8JzfqpLDAkmp6hu6sXNTmIZ27mgItu4DRgWN
+nvd750H6fv9UCbRYOyvjeuEN8olOpZcoTAuQDtcC/z7BvKAwLC7oAYXZEiQ4pn/D
+MGMzlJU7fxiyIWDNJprzyrsgPAUhCC3ePyenTErB+GQKmf1fHTjLWJHN43W2tbqk
+kYzMwwLQa3KwOYzHPHbJt6F94b9dN30v8cgIVkvs5ivLr8eErIJAQ71PgxkgRQL1
+/C301qeJvgBqLm+so0Ef6wi/D9HvCvyk6IqbQNEvOXD8RNtyqdhBO1jJ93zDVLLK
+ey5room7Hln/A3l5bXBzb6O3+q60U7lbxzokkAhNoe+pls6HQ50OeainXDU1dal4
+HcBOCM1cnXNjXDdizqdMDvyR7ftXuBxOYeMsxY2JbT4qKjjA19M=
+=chN4
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:02.ipsec.asc

@@ -0,0 +1,123 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:02.ipsec                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Missing IPsec anti-replay window check
+
+Category:       core
+Module:         kernel
+Announced:      2020-01-28
+Credits:        Jean-Francois HREN
+Affects:        FreeBSD 12.0 only
+Corrected:      2020-01-28 18:56:46 UTC (releng/12.0, 12.0-RELEASE-p13)
+CVE Name:       CVE-2019-5613
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+IPsec is a suite of protocols providing data authentication, integrity, and
+confidentiality between two networked hosts.
+
+II.  Problem Description
+
+A missing check means that an attacker can reinject an old packet and it will
+be accepted and processed by the IPsec endpoint.
+
+III. Impact
+
+The impact depends on the higher-level protocols in use over IPsec.  For
+example, an attacker who can capture and inject packets could cause an action
+that was intentionally performed once to be repeated.
+
+IV.  Workaround
+
+No workaround is available.  Systems not using IPsec are not vulnerable.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch.asc
+# gpg --verify ipsec.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+releng/12.0/                                                      r357218
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5613>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:02.ipsec.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whdFfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cIWbQ/9EvRm9/pFezk65B8NR9BJFYzSbFv8GxtxNjcFJ0KpG48s7XxBg9BWNKMs
+b7dtGTRlPKGUh0CRfhkCzxx10JZ0Aeu+UNNWQrt7r34pku1bUTrOAqW9nxIBq8zr
+tihvShWxWmMb9roeGRQIDpDoRCDs/Ps5eZ9NkTIRIPnGvidm8FTr8eQIHxSQJ/dX
+9bnQO1KP3Fz1+ywKA/poMdfXwdrUhiaPaC9AQ704lMiz881Itsi93Xw9HceKar0E
+dnbPbXMTQ+mkdVe3U2KLVDIMs119XL3Nuel2y7ACNjH3Bvjeerfjn6rZfiseV5FR
+muH0I+HKVdkdgWrFRPPthzUTmZYaStgbgOymsclwCpUJkS/ITgJWTpx6V+0E+4n6
+bocwue5xP9EtCKDoEp3RSf17f47nbHgA0oeR+1CU9bh2lU6h2lAxRhxkPcWrgBiJ
+HWSJ96UyF3S9Kfj7sbKBE/0wPQYRO2fs2PSfjvjmydyYlg0gcZ25tK3sm5xyvxoG
+pVCwMn3gFDchEWnxJaSrGg/xoQCCWM+KdVXkaBSdCEsqs8+o6bTXPrq8ZyU451aO
+7qxLPBlw5XNZ87jUEOhT3PwH49H9sAl++4IHUUUvs5pcIigdTNplgVpRt2DdFDzg
+ardLO/Cyr1qAAMClC3jXx0I7uTViROt3x7lg2+2V7bF5SnL8VjU=
+=tFox
+-----END PGP SIGNATURE-----

share/security/advisories/FreeBSD-SA-20:03.thrmisc.asc

@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:03.thrmisc                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          kernel stack data disclosure
+
+Category:       core
+Module:         kernel
+Announced:      2020-01-28
+Credits:        Ilja Van Sprundel
+Affects:        All supported versions of FreeBSD.
+Corrected:      2019-11-15 16:40:10 UTC (stable/12, 12.1-STABLE)
+                2020-01-28 18:57:45 UTC (releng/12.1, 12.1-RELEASE-p2)
+                2020-01-28 18:57:45 UTC (releng/12.0, 12.0-RELEASE-p13)
+                2019-11-15 16:40:55 UTC (stable/11, 11.3-STABLE)
+                2020-01-28 18:57:45 UTC (releng/11.3, 11.3-RELEASE-p6)
+CVE Name:       CVE-2019-15875
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The kernel can create a core dump file when a process crashes that contains
+process state, for debugging.
+
+II.  Problem Description
+
+Due to incorrect initialization of a stack data structure, up to 20 bytes of
+kernel data stored previously stored on the stack will be exposed to a
+crashing user process.
+
+III. Impact
+
+Sensitive kernel data may be disclosed.
+
+IV.  Workaround
+
+Core dumps may be disabled by setting the kern.coredump sysctl to 0.
+See sysctl(8) and sysctl.conf(5).
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch.asc
+# gpg --verify thrmisc.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r354734
+releng/12.1/                                                      r357219
+releng/12.0/                                                      r357219
+stable/11/                                                        r354735
+releng/11.3/                                                      r357219
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15875>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:03.thrmisc.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whdVfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cLOgg/7BAIhE6SQ06BkCKNBerK3jj1sY2gBc7aohLbzdhEpCIrrd+sMsh0tphII
+ftR5psPaZahzjP9Mrs/lA1fWVsco1jo4icevGiPTfbEVqBF1S8XINccwQr3AvYJR
+33PGUrgzY2rU8MTj0YPJ2EG3ahghb96lKkK3USikoJA5SsXSZkFphp2OFXnUFWbG
+TXWOUBWXbHMBUprf/oXcvNo/ZjDcxvJzMqT2YIGwKOsT0Xtx5nD+6C390axRuVEd
+sA6z1RhA/EEx6JMNSUAoG5rnJSXDYQTB2kd9ilozXi07CboVZ38loXy8492FGrin
+uG3MfnI+PHrMtG+S5yHwzOGhB/20DNoWqLKZobTGr46r8rrdc553F5Cn7ivLEz9Y
+Sk+IGjZfB99jv+JxCr/+/4gn3niOyh0MolqG9r0rT13fLmeQX5XtYfyYPJHE1wuR
++JZ9TQSaJ6TX/DcIsy60OWcfWAQOeoYsvTZO6hqpjHt66m2Ah1pdAyc8c0R8yaQG
+tFpRhgQvYpiPJviq7NvM5V2afSo16RWWy9A+xEYUrxp0H0inVNOgdqwhln7ZzI4u
+YoBis/eZkNAPxqFJyvJ89TQFmsWFPcpHjAGMoL+aCuIotuHHa/MPdT2pfyqHG9iL
+E9axI8zhyzNUC+osR2I6DT/R8rF5QHAY8xI8FffiS8jfN3BJVm4=
+=3mdJ
+-----END PGP SIGNATURE-----

share/security/patches/EN-20:01/ssp.patch

@@ -0,0 +1,33 @@
+--- lib/libc/secure/stack_protector.c.orig
++++ lib/libc/secure/stack_protector.c
+@@ -40,11 +40,29 @@
+ #include <unistd.h>
+ #include "libc_private.h"
+ 
++/*
++ * We give __guard_setup a defined priority early on so that statically linked
++ * applications have a defined priority at which __stack_chk_guard will be
++ * getting initialized.  This will not matter to most applications, because
++ * they're either not usually statically linked or they simply don't do things
++ * in constructors that would be adversely affected by their positioning with
++ * respect to this initialization.
++ *
++ * This conditional should be removed when GCC 4.2 is removed.
++ */
++#if __has_attribute(__constructor__) || __GNUC_PREREQ__(4, 3)
++#define	_GUARD_SETUP_CTOR_ATTR	 \
++    __attribute__((__constructor__ (200), __used__));
++#else
++#define	_GUARD_SETUP_CTOR_ATTR	\
++    __attribute__((__constructor__, __used__));
++#endif
++
+ extern int __sysctl(const int *name, u_int namelen, void *oldp,
+     size_t *oldlenp, void *newp, size_t newlen);
+ 
+ long __stack_chk_guard[8] = {0, 0, 0, 0, 0, 0, 0, 0};
+-static void __guard_setup(void) __attribute__((__constructor__, __used__));
++static void __guard_setup(void) _GUARD_SETUP_CTOR_ATTR;
+ static void __fail(const char *);
+ void __stack_chk_fail(void);
+ void __chk_fail(void);

share/security/patches/EN-20:01/ssp.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4wheBfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJjxg/5ATm/M6VVGLH8RR/VVdsEn0MaXnq8K8Mu/z42RzHhApPZuK9Rqxi0KllI
+HapRslvyE/PsgxP119jhrqRFpxyXkkQI27t8+muQalENRqMQr1TUzqRz8R/ULm/b
+1/O83JSzaCVuVgSSFIEi49PfLdkO7M/UYxSGm8OXKJiYR+5lbWORPdQH8iCx5CCv
+hXgE65yTFxS9ekOTlr3kBCe5p+Oy3e8HRmWGpStfWx/KIKZXxoC4Nhwg+zP3DoV+
+4S+mCpknPjDAtdEaL9cUxYQ1OUjIII+yQ91ZOkwoTMelvDMU/Aam6LIi6mBPTs3q
+nI+hNZlI5t7eE4jhdhDFxnH6hGKIFuQe9AsEz0wlMtyyyAnXWwuNzr9lAw1Stu8c
+ksC3rFgP2PWHxO42KzewDiBqLKnNxM8nN5m544qqASo9UNJnnQdooluuMWFlJ7iP
+Cr/QPQlNwAGiZ3GxI9t2TnUzUH8raWyKQokkgp5ZYwVIuO2Wxj/dKvbg+bQkXuqv
+BRz3TLWjPlGWwPpSCqQG0I5IQbq3YJK+r0lJ1cyONlDRsUTXe2Y2YUFdp4toTFR5
+43kQbU1dTcuydYQ8C/gU6wklneGhiswINL+aZHtGGw8IMz9kPvTAti1WmrHAWLph
+ADYr+VMT3Hds0FZfDmIhiBBcDI528Bz9pMXZBfP4YJhwRic+nic=
+=IKok
+-----END PGP SIGNATURE-----

share/security/patches/EN-20:02/nmount.patch

@@ -0,0 +1,20 @@
+--- sys/kern/vfs_mount.c.orig
++++ sys/kern/vfs_mount.c
+@@ -603,7 +603,7 @@
+ 	 */
+ 	fstypelen = 0;
+ 	error = vfs_getopt(optlist, "fstype", (void **)&fstype, &fstypelen);
+-	if (error || fstype[fstypelen - 1] != '\0') {
++	if (error || fstypelen <= 0 || fstype[fstypelen - 1] != '\0') {
+ 		error = EINVAL;
+ 		if (errmsg != NULL)
+ 			strncpy(errmsg, "Invalid fstype", errmsg_len);
+@@ -611,7 +611,7 @@
+ 	}
+ 	fspathlen = 0;
+ 	error = vfs_getopt(optlist, "fspath", (void **)&fspath, &fspathlen);
+-	if (error || fspath[fspathlen - 1] != '\0') {
++	if (error || fspathlen <= 0 || fspath[fspathlen - 1] != '\0') {
+ 		error = EINVAL;
+ 		if (errmsg != NULL)
+ 			strncpy(errmsg, "Invalid fspath", errmsg_len);

share/security/patches/EN-20:02/nmount.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whedfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJKTBAAmQXDT2YnQ4jZkHw/ZpiqA5cVJQzaCDX4BC0gtJijdbHiewrxgSK0yw/6
+iguZ2YUCi+0SkjqGtSHNZgNk8JZ4Xdqicq47jxuNbh5ckDjlkR8h7BL+MWRYPLU/
+DtpUy3u66C/zXCJZMxUTCNwg5eJjCmJW9LXeVLVE3uGWQZ21eA8VM4LAmYnUOgVW
+cLjmyu7yQRVBtqkfVOD8yWMy0aLim6iwdxlun8MfFsQRJFiUXnz/3qJWlm85+mhC
+Agll8Ea8+VuhYnhqsy6ixEi82ISllKqGsysBH9X/PQevkx6jgNBMlDnvQ4ZNskFt
+P1GUZgcLnBW3qYeCvj0ob8kylnK1F8Vm5YLV/GU4m7ja56Q6xZzqfez/WuwB+8Pu
+epYZIglBrx1hXjZag9iUwWDNaHCjI+M+Ki49DbCsxBZUsj8/YPfh2OS+NBFcpWDp
+rExxzcfN23YeOpFawDeAHcMXRCBozqP/JEG+8Yv3tLmj7kPMxWmaOAc+Zm2EUEBq
+KYRAErAPbQUcZExaH/OHcJId0JV6llP+QYu55IhMPY04jAVIjaBAU3jh+Gm0V7CQ
+QV462nucMVtt/qCcFjcemVirZMpqYIbJ5ud1+9vqqPHJEOsbEmYTrcm7frBZtT6r
+tklX+u2rbl3fWVwhkOYTtax2YhxbKADG+vI2wxuVszn1qDLsZEg=
+=w1fm
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:01/libfetch.patch

@@ -0,0 +1,29 @@
+--- lib/libfetch/fetch.c.orig
++++ lib/libfetch/fetch.c
+@@ -332,6 +332,8 @@
+ 		}
+ 		if (dlen-- > 0)
+ 			*dst++ = c;
++		else
++			return (NULL);
+ 	}
+ 	return (s);
+ }
+@@ -381,11 +383,15 @@
+ 	if (p && *p == '@') {
+ 		/* username */
+ 		q = fetch_pctdecode(u->user, URL, URL_USERLEN);
++		if (q == NULL)
++			goto ouch;
+ 
+ 		/* password */
+-		if (*q == ':')
++		if (*q == ':') {
+ 			q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN);
+-
++			if (q == NULL)
++				goto ouch;
++		}
+ 		p++;
+ 	} else {
+ 		p = URL;

share/security/patches/SA-20:01/libfetch.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whexfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cI8uRAAjHeuD0Mz/5DVcAAY/eAA/hiN/maLEVbNAP+mqv3S5Xa7Iha/XWsq96ih
+qu6UnZeAhwRPBDC3tTAd6BlgGBvnAeLVkRto1SJFLjROGJOL9CXM1ohtxkKwSZpd
+xH2Y9kUj4vTfa/RL+ctE5xIsaMI5A23YJ4RaP/nB7BGOsXzSM62beeX4ibKrZPP2
+gtJC6OsJADnZnX/FGsfit9Ckc3DvYOyuxV/hj2PMwkNUt+xzoJ0wPVmEvglTMlcm
+0gFGfRUhvO4IetKpZG1+jfD5EngYsvcyswd1JazTZVflpUfGt6rACYw8rPbBNTXi
+pKhTgu4KUicTSq2A74Mfd7ClYyPAhLU5RMav/ydwTDYpjpt6+akWcxap9V4hwW5p
+8bxCt0bi/9eXhgt7PuSTV/NvRPvsuhoyXXLLodMAWwHHCvlJEs8PYM/Qwz2yd5V2
+FYHf1EaCV79vLYeqVa/CE5p9er783GwEvSmeeNKOHlBeOeb3Is7cdrTpFYwBS+sY
+RQhqccfEpSq0bUdpHyiKV6pvq0tfOhLyamTH/4SAPh3hC52uH90zejeGhPMmZ6ld
+ud3eN7Lz8sZsJRg9nq8GCfpS1x225twnVz15YAlaQCZ2+y9R/QxKZpt/H0X4o9Hp
+8fOpiyxbW79k7/OuZDEwmXk7oAl4z//uM97Z9bLkuLk9heiVgI0=
+=Vs4w
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:02/ipsec.patch

@@ -0,0 +1,11 @@
+--- sys/netipsec/ipsec.c.orig
++++ sys/netipsec/ipsec.c
+@@ -1318,6 +1318,8 @@
+ 		    __func__, replay->overflow,
+ 		    ipsec_sa2str(sav, buf, sizeof(buf))));
+ 	}
++
++	replay->count++;
+ 	return (0);
+ }
+ 

share/security/patches/SA-20:02/ipsec.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whe9fFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cL22hAAp65Q2PDHj0Y5ykuTsXobEH6oD7DDmvL27PtY8mbT01hYu7jNxwycuzv3
+7ALZljpJN+1pwN6NV7+lOlVPj/VVCzHBIK1ga7uZi0Qv/CvzIRdazWOTMKDmbo9L
+4NzLZTrC4DcQmJI7YZptMy+2jlldBkYf9cEJRC2xPxAiKonLmRrBtR826VOLCV4a
+5FPtFObGAp1JYrspExzpyJ5U5Eh6Nxag3kgY3OwXPcIa6CfI2CeY2rp5rUhqwIy/
+6CewC4YP2kRL//auKFkXc8jTvgcIdUEPdmAEzKdmlpkE/xQ+twcAYxwkYxox8QVS
+dEACEOcVJ3krKo5r5dFrTdeu/fUmptvXsVR5iI/J/r997+fsqKG8O7N3J+HNYJWM
+r9zKJjfzRNYuTNwk15KxpfY3qx2d+G09mTVwTYJ/hG+LHyj9qgB/gVCyct/l82zQ
+93rlyDKN3EQiLNs1BgoSXSRz3IoS2NErccE5tSKPbphtbpdbxU6f45wHhEWyRO/b
+43yJwslmMIgSVoG1B2WftRuQBK9EmQSVpMvP3T6gJqr0ZyQuXLTWHpBg/vX79chQ
+R/necLTNP4+aQEDtv9d8GjkEkFqj6fLbe6nJiUdo0hME8WdbGfM+cjRSBUx5LvyS
+6yMddT9SPlu4PXiMn3OT1qmqsaUuozWL+UmS5QkmGwgkbBwGS6w=
+=wVs3
+-----END PGP SIGNATURE-----

share/security/patches/SA-20:03/thrmisc.patch

@@ -0,0 +1,11 @@
+--- sys/kern/imgact_elf.c.orig
++++ sys/kern/imgact_elf.c
+@@ -2211,7 +2211,7 @@
+ 	td = (struct thread *)arg;
+ 	if (sb != NULL) {
+ 		KASSERT(*sizep == sizeof(thrmisc), ("invalid size"));
+-		bzero(&thrmisc._pad, sizeof(thrmisc._pad));
++		bzero(&thrmisc, sizeof(thrmisc));
+ 		strcpy(thrmisc.pr_tname, td->td_name);
+ 		sbuf_bcat(sb, &thrmisc, sizeof(thrmisc));
+ 	}

share/security/patches/SA-20:03/thrmisc.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whfJfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJfyw/+LEyYZDvgLZGxH+vMhpFKaG/s02TCf4qz9alCkn20JvYJYPZQUW6zJfgh
+qjRwa4cP1uvbO+on7O0Ez6QHOfCec6QgFOdAh5H0R2u1kt7WZri6NjIZuxidJeuk
+BJMdg0uGlCwdI4kFXiRjhRBLDHJImD1WFuoCK+hiCYlYxYaVJ7lDSBPWx0q1MbTA
+8FSRcmohlRKjjuw6ANBpw84K9JJcNBw+WcMePdMCmU/JhhDSeVbxfs5UonBPu09o
+JIGqX4k5FMbSWFWdCEz4GrtAv8CtO3eT7ykv0B8qaDiW/NGq4l3h6koh/e0ZsWPj
+vyvf+989VCnQHvNSxlde+Hdl+5rR2Lu23gj3v9AcRlLNjfE/8nVvosh7QgTtf3oC
+ZgElZXBSTO7T4msBKLnFKwyPrHm1B0ZgGDGDHr7gngyYukt+eCyYlvA8qtsv3L+f
+UXyutsABSk73O3Jm/qLNad1g51/KTfhesVzaOo1LV1McmfqkEwdt5YDmsW/A4pUO
+V5Xhjc8a0pjp2looiIrZHOGqd4pgUhwl9JvdkGm0ab4VQdc67SzgJZYj5PzMeufU
+cUdsCzvLS0ioblz6osPEp+fzhXw/F12nSb7mWXTftnTmpkJXBJkepMU7vzxrL4Ds
++KhqpqxM41XOy5my5E3FH9m0ZPhMKF7dRR6IEOkjF3eLOUc+J7M=
+=pyQC
+-----END PGP SIGNATURE-----

share/xml/advisories.xml

@@ -4,6 +4,31 @@
       $FreeBSD$
     </cvs:keyword>
 
+  <year>
+    <name>2020</name>
+
+    <month>
+      <name>1</name>
+
+      <day>
+	<name>28</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:03.thrmisc</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:02.ipsec</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:01.libfetch</name>
+	</advisory>
+
+      </day>
+    </month>
+  </year>
+
   <year>
     <name>2019</name>
 

share/xml/notices.xml

@@ -4,6 +4,27 @@
       $FreeBSD$
     </cvs:keyword>
 
+  <year>
+    <name>2020</name>
+
+    <month>
+      <name>1</name>
+
+      <day>
+	<name>28</name>
+
+	<notice>
+	  <name>FreeBSD-EN-20:02.nmount</name>
+	</notice>
+
+	<notice>
+	  <name>FreeBSD-EN-20:01.ssp</name>
+	</notice>
+
+      </day>
+    </month>
+  </year>
+
   <year>
     <name>2019</name>