doc/share/security/advisories/FreeBSD-EN-15:03.freebsd-update.asc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-15:03.freebsd-update                                 Errata Notice
                                                          The FreeBSD Project

Topic:          freebsd-update updates libraries in suboptimal order

Category:       base
Module:         freebsd-update
Announced:      2015-02-25
Credits:        Brooks Davis
Affects:        All supported versions of FreeBSD.
Corrected:      2015-02-09 09:22:47 UTC (stable/10, 10.1-STABLE)
                2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
                2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
                2015-02-09 09:45:58 UTC (stable/9, 9.3-STABLE)
                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
                2015-02-09 10:09:46 UTC (stable/8, 8.4-STABLE)
                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.

I.   Background

The freebsd-update(8) utility is used to apply binary patches to FreeBSD
systems installed from official release images, as an alternative to
rebuilding from source.  A freebsd-update(8) build server generates the
signed update packages, consisting of an index of files and directories
with checksums before the update, a set of binary patches, and an
index of files and directories with checksums after the update.  The
client downloads the indexes, verifies the signatures and checksums,
then downloads and applies the required patches.

II.  Problem Description

In general, the runtime linker needs to be updated before all other
libraries, including the standard C library (libc) and the threading
library (libthr), because these libraries depend on functionality of
the runtime linker.

Before this update, the freebsd-update(8) utility did not enforce
this ordering requirement and would replace libthr (and all other
libraries) before updating the runtime linker.

A recent change to the FreeBSD threading library that would prevent
a deadlock in a child process requires a NULL pointer test in the
runtime linker (/libexec/ld-elf.so.1) be in place.  Since previous
versions of the runtime linker do not have this test, processes will
crash due to a NULL pointer deference.

III. Impact

If a name-service switch module linked to the threading library -- such
as ldap or winbind -- was configured to provide passwd or group services
in /etc/nsswitch.conf, then all attempts to look up a user or group by
name after the threading library was updated would result in a crash.
Most obviously, all further install(1) invocations by freebsd-update(8)
will crash, leaving the system partially updated and largely unusable.

IV.  Workaround

Disabling any name-service switch modules linked to libthr prior to
running the freebsd-update(8) 'upgrade' command works around the issue.
These modules include, but are not limited to, ldap and winbind.

V.   Solution

The freebsd-update(8) utility has been updated to install the runtime
linker before any libraries.

You MUST upgrade systems prior to 10.1 to address this errata notice before
updating to 10.1 or later using freebsd-update(8).

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/EN-15:03/freebsd-update.patch
# fetch https://security.FreeBSD.org/patches/EN-15:03/freebsd-update.patch.asc
# gpg --verify freebsd-update.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r278446
releng/8.4/                                                       r279265
stable/9/                                                         r278444
releng/9.3/                                                       r279265
stable/10/                                                        r278443
releng/10.0/                                                      r279264
releng/10.1/                                                      r279264
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-15:03.freebsd-update.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnkNkQAOJU6l5aKWWwvxU+Bxwc/zV5
DcmGnL+7b/dN2zKdRVz6N54vuFnoUsXMd5EobxdC5MX31Yn/GnL5dQMbJDNAEL8D
I6jYdqf7PQL3v+EBiOFNazjeRbx5EM2gNLfwozv5LHKxER5ggmalmmf168Se4cRX
V+v2i28lCvAgOu3hXLd5gKQ3s8dNh2t/uxWI+fS3Sl6bitC0xVsXFEpTc8qIaJEu
cbVmedRQEoSnQPLdpoSgbmQpjp6/45l/UtLZpK7Cr7h8BHS9wtKdWjjkNL/wyF5j
3p2yanr6koT3P1iAhBJFE/3Dw4h5PlvWH56LP4PJmACuxU02AYrjc/ZVX1IL6bLt
9AuO8W28DTi6q9q8xy+XHcYXuDS4PF3oCDZ92m2iZMHcO747q8UQdKkgCEUfIZ2n
L79Dfkkx0uSmp4FIc1f/T6gDiBkZFRfs4stHRrm9K6nbyvFCAczj8wTUQPDjDUGw
zGH1jN9r/I3mHi3FREd0+w++BYZproepf4yfv5c/UJN9P88vCBAZZqlS1kkxYGUz
jOwzsF/MkpMWW16Xp58f7uwGTVZNTLzoq0r2GTln2R9fQAoQNrJYcBiW48MPSlQe
wef9nRhC8BPOSI70dl5r16/lOu4IuBqwBFiY8QzzDc/DABmaDUQrhLRp+VDHqFeL
taJCUogXb0n1CFub4f9P
=J5C+
-----END PGP SIGNATURE-----