135 lines
5 KiB
Text
135 lines
5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-19:14.freebsd32 Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Kernel memory disclosure in freebsd32_ioctl
|
|
|
|
Category: core
|
|
Module: kernel
|
|
Announced: 2019-07-24
|
|
Credits: Ilja van Sprundel, IOActive
|
|
Affects: FreeBSD 11.2 and FreeBSD 11.3
|
|
Corrected: 2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE)
|
|
2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12)
|
|
2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1)
|
|
CVE Name: CVE-2019-5605
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The FreeBSD kernel supports executing 32-bit applications on a 64-bit
|
|
kernel, including the ioctl(2) interface.
|
|
|
|
II. Problem Description
|
|
|
|
Due to insufficient initialization of memory copied to userland in the
|
|
components listed above small amounts of kernel memory may be disclosed
|
|
to userland processes.
|
|
|
|
III. Impact
|
|
|
|
A user who can invoke 32-bit FreeBSD ioctls may be able to read the
|
|
contents of small portions of kernel memory.
|
|
|
|
Such memory might contain sensitive information, such as portions of the
|
|
file cache or terminal buffers. This information might be directly
|
|
useful, or it might be leveraged to obtain elevated privileges in some
|
|
way; for example, a terminal buffer might include a user-entered
|
|
password.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Security update"
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc
|
|
# gpg --verify freebsd32.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/11/ r350217
|
|
releng/11.2/ r350283
|
|
releng/11.3/ r350283
|
|
- -------------------------------------------------------------------------
|
|
|
|
Note: This issue was addressed in a different way prior to the branch point
|
|
for stable/12. As such, no patch is needed for FreeBSD 12.x.
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WmNfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cIavw//emdRXVNpGREW1FfUvWmUPpdgk6rFck9nEG0KUKYCcfhqN83BN9XtqaWu
|
|
lBQ1jbB/CsalwL6Gpn2yuMvgS8W4yUidyPHLpzuoAThlsy5bHID1/oRftJt0T0BS
|
|
kHbTD0tTUt3QDV51FoLBjvXfjRRb8xJ+wIGJ0NzOscWgjgu6JPUysHEJD3+vSOKN
|
|
X3qJd3zcoYqswcvuhoVE2cFrSaZKEyIi1pJVr9CGItQTWXIisgdXdGYTnBdZU8jq
|
|
iJGaI1BXiNUl/p/21JA32T+ZD7cdMtx6KiuoKlY7Bzgj7Qk3XW7xsQsYu724LIJT
|
|
pVhIxntMrQSak7wIaqNPGR/FgkkKDsoo6iCHXlGxXv6tLg7pnioZIaHhc5+UZqmT
|
|
8I0UogWhQZS03/nwFRVDLPp+ka2P0g2gsm/dX1UVuucMT+hGeqn2c/iaSU76duoR
|
|
qavRPjLPJDnfVrpXhpqco9rq1+UwA/1uSNe0cFX0ArX040hCReDsMphcxgrkZ0sD
|
|
u71Px2ZLE5rpWmFd8LD0X2y1l4OEcTmoTPUtJxHlVrMFztuNbAlRnyCxTV8c2uId
|
|
zN44wRj6c2ZEV/w+kBVTV+L7NSt1eHDZ5tgUL7boEOylEgkHTl30aZ8nV2wvpaM3
|
|
1Y/IwBnGmI4iNLMnRoIDlac6rR3dMUS4gtH+lkfxlBri9Qc3Qso=
|
|
=8LlB
|
|
-----END PGP SIGNATURE-----
|