138 lines
5.2 KiB
Text
138 lines
5.2 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-20:18.posix_spawnp Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: posix_spawnp(3) buffer overflow
|
|
|
|
Category: core
|
|
Module: libc
|
|
Announced: 2020-07-08
|
|
Credits: Andrew Gierth
|
|
Affects: FreeBSD 11.4
|
|
Corrected: 2020-06-17 16:22:08 UTC (stable/12, 12.1-STABLE)
|
|
2020-06-17 16:22:08 UTC (stable/11, 11.4-STABLE)
|
|
2020-07-08 20:08:05 UTC (releng/11.4, 11.4-RELEASE-p1)
|
|
CVE Name: CVE-2020-7458
|
|
|
|
Note: This vulnerability was introduced after the release of FreeBSD 11.3 and
|
|
FreeBSD 12.1; FreeBSD 11.4 is the only affected release.
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
posix_spawnp(3) is a lightweight process creation mechanism provided by libc
|
|
for general application usage.
|
|
|
|
II. Problem Description
|
|
|
|
posix_spawnp spawns a new thread with a limited stack allocated on the heap
|
|
before delegating to execvp for the final execution within that thread.
|
|
|
|
execvp would previously make unbounded allocations on the stack, directly
|
|
proportional to the length of the user-controlled PATH environment variable.
|
|
|
|
III. Impact
|
|
|
|
Long values in the user-controlled PATH environment variable cause
|
|
posix_spawnp to write beyond the end of stack that was allocated, ultimately
|
|
overflowing the heap-allocated stack with a direct copy of the value stored
|
|
in PATH.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available. Few applications in the base system use
|
|
posix_spawnp(3) and none of them are particularly viable candidates for an
|
|
exploit. Use by third-party applications has not been investigated.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date,
|
|
and reboot.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Rebooting for a security update"
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 11.4]
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:18/posix_spawnp.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:18/posix_spawnp.patch.asc
|
|
# gpg --verify posix_spawnp.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart all daemons that use the library, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r362281
|
|
stable/11/ r362281
|
|
releng/11.4/ r363025
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7458>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:18.posix_spawnp.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl8GLlNfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cLdthAAgchE9dOcTvmFerK/SEAI7G/+3l1GRQ/hKJfvGbvNuZKKudpMdCmLHzil
|
|
MepCvRO7ft6OTBF66PaAscbdadD54CluQGjD96eLNnQ6dMgU5yZdWTUvvjdJze1R
|
|
200oAlAu2eoZvuRghSNFqh4s8iffYN/T4Tc1ubRCAyZUXYbq5rg3r21P9FugXX+Y
|
|
RZhYzUNRMCi4ZSGkUmcqLltZZtSrI9GOU2H4cKpedYaHJ+b76tALt1fCsSVZwMJK
|
|
7WKiqKkw4ilRH5gbUuTqngVjt7Uy9JGyS2WrAwhnxLIr6+4qxAkiOltwZdFNUhSJ
|
|
HGvTzl2As/gxxjqpqmvzegKfrGOd4pz2i7ZdAhhPWEK0sHNp1NttPQ7wWnU1Ikt3
|
|
bkoiy+eJTF43GL7IpxurOOMDdH9MWL/RAZBZNpTof4XCjhEHvvMaSoeO/GLpcSja
|
|
+dYFoip65b1tlBtGt/tlgHVqlzCD86o6pBiRdZ7mYYLTxurDc/dcTpebypQPogcB
|
|
agD3IO0hMXnt1Q/UQVl1pC3LDnSvabeHVI7xuB1T9UP/CsAxTt1nhEM4b9/YnJv5
|
|
Bt1cZFlBvZgrVFVvegYAf7lVz3TsF3xz2pKZD6wxezAk+QbH4ho6aTHWJkRotE4z
|
|
C5bcIEbIz6OX+J7VjOxcgkTu+bFykWb9xcTjtKpRexxICMOef+E=
|
|
=2OBY
|
|
-----END PGP SIGNATURE-----
|