153 lines
5.6 KiB
Text
153 lines
5.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-19:10.ufs Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Kernel stack disclosure in UFS/FFS
|
|
|
|
Category: core
|
|
Module: Kernel
|
|
Announced: 2019-07-02
|
|
Credits: David G. Lawrence <dg@dglawrence.com>
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2019-05-10 23:45:16 UTC (stable/12, 12.0-STABLE)
|
|
2019-07-02 00:02:16 UTC (releng/12.0, 12.0-RELEASE-p7)
|
|
2019-05-10 23:46:42 UTC (stable/11, 11.2-STABLE)
|
|
2019-07-02 00:02:16 UTC (releng/11.2, 11.2-RELEASE-p11)
|
|
CVE Name: CVE-2019-5601
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The Berkeley Fast File System (FFS) is an implementation of the UNIX File
|
|
System (UFS) filesystem used by FreeBSD.
|
|
|
|
II. Problem Description
|
|
|
|
A bug causes up to three bytes of kernel stack memory to be written to disk
|
|
as uninitialized directory entry padding. This data can be viewed by any
|
|
user with read access to the directory. Additionally, a malicious user with
|
|
write access to a directory can cause up to 254 bytes of kernel stack memory
|
|
to be exposed.
|
|
|
|
III. Impact
|
|
|
|
Some amount of the kernel stack is disclosed and written out to the
|
|
filesystem.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available but systems not using UFS/FFS are not affected.
|
|
|
|
V. Solution
|
|
|
|
Special note: This update also adds the -z flag to fsck_ffs to have it scrub
|
|
the leaked information in the name padding of existing directories. It only
|
|
needs to be run once on each UFS/FFS filesystem after a patched kernel is
|
|
installed and running.
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or release /
|
|
security branch (releng) dated after the correction date.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Afterwards, reboot the system and run:
|
|
|
|
# fsck -t ufs -f -p -T ufs:-z
|
|
|
|
to clean up your existing filesystems.
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 12.x]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch.asc
|
|
# gpg --verify ufs.12.patch.asc
|
|
|
|
[FreeBSD 11.x]
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch.asc
|
|
# gpg --verify ufs.11.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system and run:
|
|
|
|
# fsck -t ufs -f -p -T ufs:-z
|
|
|
|
to clean up your existing filesystems.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r347474
|
|
releng/12.0/ r349623
|
|
stable/11/ r347475
|
|
releng/11.2/ r349623
|
|
- -------------------------------------------------------------------------
|
|
|
|
Note: This patch was applied to the stable/11 branch before the branch point
|
|
for releng/11.3. As such, no patch is needed for any 11.3-BETA or -RC.
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5601>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:10.ufs.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0b9WVfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cJgRhAAic+yb4boY5k2TotBe9xBBO2VEGwvcolARpvUg+78ya4RGh1d3FBH5R36
|
|
N6uEvaAclrRsPHnDSeCD3BVmQkWBzD5a7t+z+m5Siye+01mA4XjKycNDl9BXm7sT
|
|
t01GP7TPBmaJZ45RPqT4M/iB1Ulud0kdKvi/apwDLbqJrbzcuxyBNs+wiQhbG2Ip
|
|
07REBqabnsL8dV2ysPtBlHd1nxyNyyF8EzkDUKYUWDnwPxzlrfrJAt+F7sneRrPf
|
|
tL3UsN+qh3JThI39CjFWPllVRv412QCFBDmGXHdbm+mWrxIecX5pUEoLfQQLJ82x
|
|
03TOYbZpu4d4CvgeSEXl3VkbHl6F6u/ii8ls/7aUDNnZcHWamraP84aJpLBG2cUa
|
|
ExDDL6K0x1LMhlGWxjGr0qp2ObdQ0sKTgQZ/RUmJO4pc4zuPc0yY3jOv4U+kP2G/
|
|
znHEVVRs8/X95OYA0fdvnG0rOdcKGdqKEDxeTvFhyvxM372erT/dMz9flGnptA51
|
|
30eAwyKmzj5Mzpo5y/NARyGLRTfOB2F6++BFrlqbsKCXcyK1R5jtxu1TLaliPvA/
|
|
Aux8D4OQHIXIGk/sVQSJKOO4oH6U7S2aNtYTxaYHAJrtbC9udnyjVau2txlObEZr
|
|
pCbd+a02Btid0bBRUSFYugl4XHtakTVvtu93Fa19wASYDnZJIUE=
|
|
=uUz9
|
|
-----END PGP SIGNATURE-----
|