Date: Wed, 6 Apr 2022 03:54:13 GMT
Message-Id: <202204060354.2363sDwx003477@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: 2bc6ddc2ba - main - Add EN-22:15 and SA-22:04 through SA-22:08.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 2bc6ddc2baefa8c681fe47056e03c4c9efa3e8a3

The branch main has been updated by gordon (src committer):

URL:
https://cgit.FreeBSD.org/doc/commit/?id=2bc6ddc2baefa8c681fe47056e03c4c9efa3e8a3 commit 2bc6ddc2baefa8c681fe47056e03c4c9efa3e8a3 Author: Gordon Tetlow AuthorDate: 2022-04-06 03:53:31 +0000 Commit: Gordon Tetlow CommitDate: 2022-04-06 03:53:31 +0000 Add EN-22:15 and SA-22:04 through SA-22:08. Approved by: so --- website/data/security/advisories.toml | 20 ++ website/data/security/errata.toml | 4 + .../security/advisories/FreeBSD-EN-22:15.pf.asc | 128 +++++++++ .../advisories/FreeBSD-SA-22:04.netmap.asc | 155 +++++++++++ .../security/advisories/FreeBSD-SA-22:05.bhyve.asc | 160 +++++++++++ .../security/advisories/FreeBSD-SA-22:06.ioctl.asc | 153 ++++++++++ .../advisories/FreeBSD-SA-22:07.wifi_meshid.asc | 147 ++++++++++ .../security/advisories/FreeBSD-SA-22:08.zlib.asc | 155 +++++++++++ website/static/security/patches/EN-22:15/pf.patch | 25 ++ .../static/security/patches/EN-22:15/pf.patch.asc | 16 ++ .../static/security/patches/SA-22:04/netmap.patch | 70 +++++ .../security/patches/SA-22:04/netmap.patch.asc | 16 ++ .../static/security/patches/SA-22:05/bhyve.patch | 26 ++ .../security/patches/SA-22:05/bhyve.patch.asc | 16 ++ .../static/security/patches/SA-22:06/ioctl.patch | 108 ++++++++ .../security/patches/SA-22:06/ioctl.patch.asc | 16 ++ .../security/patches/SA-22:07/wifi_meshid.patch | 15 + .../patches/SA-22:07/wifi_meshid.patch.asc | 16 ++ .../static/security/patches/SA-22:08/zlib.patch | 308 +++++++++++++++++++++ .../security/patches/SA-22:08/zlib.patch.asc | 16 ++ 20 files changed, 1570 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 6a60b5b67b..78389d84e8 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml 
@@ -1,6 +1,26 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-22:08.zlib" +date = "2022-04-06" + +[[advisories]] +name = "FreeBSD-SA-22:07.wifi_meshid" +date = "2022-04-06" + +[[advisories]] +name = "FreeBSD-SA-22:06.ioctl" +date = "2022-04-06" + +[[advisories]] +name = "FreeBSD-SA-22:05.bhyve" +date = "2022-04-06" + +[[advisories]] +name = "FreeBSD-SA-22:04.netmap" +date = "2022-04-06" + [[advisories]] name = "FreeBSD-SA-22:03.openssl" date = "2022-03-15" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 069d06d5ea..04aeec64c2 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,10 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-22:15.pf" +date = "2022-04-06" + [[notices]] name = "FreeBSD-EN-22:14.tzdata" date = "2022-03-22" diff --git a/website/static/security/advisories/FreeBSD-EN-22:15.pf.asc b/website/static/security/advisories/FreeBSD-EN-22:15.pf.asc new file mode 100644 index 0000000000..83c6bf2721 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:15.pf.asc 
@@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:15.pf Errata Notice + The FreeBSD Project + +Topic: pf(4) tables may fail to load + +Category: core +Module: pf +Announced: 2022-04-06 +Affects: FreeBSD 13.0 +Corrected: 2022-04-06 03:04:11 UTC (releng/13.0, 13.0-RELEASE-p11) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +pf is an Internet Protocol packet filter originally written for OpenBSD. +pf rules may reference address tables when applying policies to large +sets of source or destination addresses. pf rulesets may optionally set +a limit on the number of table entries allocated by the kernel, via the +"set limit" pf.conf(5) syntax. + +II. Problem Description + +pf rulesets that set a limit on the number of table entries and include +one or more address tables may occasionally fail to load. An initial +load of the rules will succeed, but an attempt to re-load can fail. In +this case, the problem persists until the system is rebooted. + +III. Impact + +Administrators may be prevented from modifying or updating pf rule +sets. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for an errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:15/pf.patch +# fetch https://security.FreeBSD.org/patches/EN-22:15/pf.patch.asc +# gpg --verify pf.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +releng/13.0/ 5b789e0c92a7 releng/13.0-n244792 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDfcACgkQ05eS9J6n +5cLFghAAkmY0crSbL/btcZ0h/Yoj9L6GGpoLzH68TPX2MK+e+fqoUZGiYdTPGnnW +B+Px5/mEJKGb7kNmib2C/RfdwFiRzGIn+VQk/RrOlZxRz/vjSw9Z5yleMuXD0eFA +r02BdZQS/lL5QVRaUr4GR9cPEdrvzl30NZmCc3Ejj3hTIimOIlGptuD681eIiQ7M +3fwJC8TxSuZVdbrmP9U6uXQdiTxS18QbtscuBJhldhaBDI7+ZVL1ELHU10c+vs5U +vp0AFJ8l87z2oonT2EHy4cOrjlW2T1OQknwdXIW/t9/6MZ7snMVubXjwqKxQVX1z +v7tr9NBSf+FGeb/UdMZ39TxrXYm3kSgMfV4RX9JW2hCUNCbnGAJT8X9HRnK7/x1n +zLY1v2GWbx9V+18oW8apYItEPSp7BcR+qCXMcMbyZaZpfOiYBugO92tkvK1JJlga +BurDLFy+Fkv9L2+BQn++IlEOwTH8XQ9BfALlHMCEZSc//t6ALb9IIg3Wnra+4sZe +EmfSFG7kKt0xa7ww0Xljt3XVsr6y8vEO/sHWopdm7Ydku1jh/ZT2VVPyEJiQpCHk +dqDSZLI+MzXKb0uSFib+nfNlArbwtxv+NjzfTj0PHbBLuVVdtdWwcM45Yv/aNrjN +SkYBk8eXEfhb+kUhfe7hnuwmmYfnFZg9JW4r6C//RBOVYB9u2Fs= +=YFs6 +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:04.netmap.asc b/website/static/security/advisories/FreeBSD-SA-22:04.netmap.asc new file mode 100644 index 0000000000..989e7458f9 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:04.netmap.asc 
@@ -0,0 +1,155 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:04.netmap Security Advisory + The FreeBSD Project + +Topic: Potential jail escape vulnerabilities in netmap + +Category: core +Module: netmap +Announced: 2022-04-06 +Credits: Reno Robert and Lucas Leong (@_wmliang_) + Trend Micro Zero Day Initiative +Affects: All supported versions of FreeBSD. +Corrected: 2022-03-19 17:53:35 UTC (stable/13, 13.1-STABLE) + 2022-04-06 03:26:07 UTC (releng/13.1, 13.1-RC1-p1) + 2022-04-06 03:04:13 UTC (releng/13.0, 13.0-RELEASE-p11) + 2022-03-20 09:08:23 UTC (stable/12, 12.3-STABLE) + 2022-04-06 03:06:25 UTC (releng/12.3, 12.3-RELEASE-p5) +CVE Name: CVE-2022-23084, CVE-2022-23085 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +netmap is a framework for extremely fast and efficient packet I/O for +userspace and kernel clients, and for Virtual Machines. + +II. Problem Description + +The total size of the user-provided nmreq to nmreq_copyin() was first +computed and then trusted during the copyin. This time-of-check to +time-of-use bug could lead to kernel memory corruption. [CVE-2022-23084] + +A user-provided integer option was passed to nmreq_copyin() without checking +if it would overflow. This insufficient bounds checking could lead to kernel +memory corruption. [CVE-2022-23085] + +III. Impact + +On systems configured to include netmap in their devfs_ruleset, a privileged +process running in a jail can affect the host environment. + +IV. Workaround + +No workaround is available. Systems that do not include netmap in their +devfs_ruleset are unaffected. A default installation of FreeBSD does not +include netmap in its devfs_ruleset. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:04/netmap.patch +# fetch https://security.FreeBSD.org/patches/SA-22:04/netmap.patch.asc +# gpg --verify netmap.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 9f600a260a73 stable/13-n250049 +releng/13.1/ 7c55c52696d2 releng/13.1-n250081 +releng/13.0/ 4996f46e03a4 releng/13.0-n244794 +stable/12/ r371757 +releng/12.3/ r371870 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgUACgkQ05eS9J6n +5cJ5oA/7BbWWbR3NEYYOSYBYDGtuRVUFFQYFLh35qcammhfATek0yMyqN47wHwq1 +/Nh+91ZHJBV/wNkr5aFsMcNda9c/a9CVQLjWwiT5wtOGHt3tip0dy4Kalc1bwewI +tGhlCX5bROy0x7xP0+qNHmDRvEVDviash3Wp7Ysk2uzpZsXl0bew1dBwH/9dxnYv +XwfCHfU3fUdeyWtAvswwTlx5XXXBdgvGAShsdZTjYlowUioL6E+m3w0xFdyae7q+ +MjaI9w06p+WJ89WTnwefLq5DwAi6eS+3qmZNJaU3Shq6tQo0TqrOfIuT3l8Id8tv +f6XJBjZHDFJBbEofUREHjl0q7qAbZ2tBzxvDJWzGmBp98lSg0diIzyMmgOeUBT/1 +MG8LLK3e4Z+l5ZknDRJJ38yiUCR4ANaUEygYFVXAcb7QylMhmqcJ6hIAMpCiJ7NJ +S+ftBNjC1S6RccATBJUX3/IyTvwigvQIybNzKlqIMEjSPd8mVSTpbir43dK8Vr5v +kKmaqSsTN5Df3s+yPn8uBG9VXhO0cNtLBxFJ8eWsI5mLigpCFD2KkvO06oLE9ALa +fhEZxIy0bD4GbambenfZ2xxaSoZSIeAh1pM5aL4x/C4r7R0p8dH3ldkTDKWfqtfE +/gaVGCSle/K0I6y1LUhWLdD7FlOLScHRkVF2sIGSDP4KTbH7H18= +=EwyH +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc b/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc new file mode 100644 index 0000000000..3d8ba5176c --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:05.bhyve.asc 
@@ -0,0 +1,160 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:05.bhyve Security Advisory + The FreeBSD Project + +Topic: Bhyve e82545 device emulation out-of-bounds write + +Category: core +Module: bhyve +Announced: 2022-04-06 +Credits: Mehdi Talbi, Synacktiv +Affects: All supported versions of FreeBSD. +Corrected: 2022-04-05 22:59:52 UTC (stable/13, 13.1-STABLE) + 2022-04-06 01:56:57 UTC (releng/13.1, 13.1-RC1-p1) + 2022-04-06 03:04:14 UTC (releng/13.0, 13.0-RELEASE-p11) + 2022-04-05 23:03:35 UTC (stable/12, 12.3-STABLE) + 2022-04-06 03:06:28 UTC (releng/12.3, 12.3-RELEASE-p5) +CVE Name: CVE-2022-23087 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of guest +operating systems in virtual machines. It implements a number of device +models, including an emulated Intel 82545 network interface adapter. + +II. Problem Description + +The e1000 network adapters permit a variety of modifications to an Ethernet +packet when it is being transmitted. These include the insertion of IP and +TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation +offload ("TSO"). The e1000 device model uses an on-stack buffer to generate +the modified packet header when simulating these modifications on transmitted +packets. + +When checksum offload is requested for a transmitted packet, the e1000 device +model used a guest-provided value to specify the checksum offset in the on- +stack buffer. The offset was not validated for certain packet types. + +III. Impact + +A misbehaving bhyve guest could overwrite memory in the bhyve process on the +host, possibly leading to code execution in the host context. 
+ +The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD +version and bhyve configuration) limits the impact of exploiting this issue. + +IV. Workaround + +Only the e1000 device model is affected; the virtio-net device is not +affected by this issue. If supported by the guest operating system, +presenting only the virtio-net device to the guest is a suitable workaround. +No workaround is available if the e1000 device model is required. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and restart bhyve virtual machines. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386 platforms can +be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:05/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-22:05/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart the applicable bhyve virtual machines, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 53f722094798 stable/13-n250272 +releng/13.1/ 5a28d8befda0 releng/13.1-n250078 +releng/13.0/ b85c68857da3 releng/13.0-n244795 +stable/12/ r371867 +releng/12.3/ r371871 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgYACgkQ05eS9J6n +5cJERBAAoqZXVIwucgIMLepm3hQdmYsuYGDhfp12ggOR8GO/a9oL9c21u5JSSNUq +w966VU8u2Tv3JjKhNpXWSR9hbUSTuEWarkcrutNDe69GwcWv0Q8DU3DwhfrT6e9K ++IO/yMNUUBL9LlWRW4XftiowNV2r9KvqzYsGbk8Wi+bN1Vd9gXo1r31Nu3Y3JBls +EOjk8aoDuCCUqZKVjKw7VNXDjAo3MKnnt7s6nRLSJRvJH7iDGxttWGbAiREqLO07 +Aqg0ZUbbtUs8PvOL38yj/eiC4tLdOGna+Nm7VNoiS+Ee2uL/tbGU079UCgqgSJ7k +/0U8nrDss8NRirsFEbpYiNFs2zi+6dtRKjAzMGKxMU6TTnHodzfLBGsrOws5TmlS +bblLVykXBT1egNT180gCNjBRdK2mYaF23wVEPbd8bg0+JPfG5MyylG137uJJw2B0 +24RZpY3ciRCUw6xn9mRk//SOQh4fvtLSdNPfGtoYtHmzhao8wvWBqPw7SvkMkUP4 +hsdNeutyIZjqTCDvtUD4Ge81BPLnW8fUkd7yNLbWFLGBqZGlCs/xBdmTqCS/XLF7 +y9cPEsS7wb1sZS087uULgUrEDFPCnktozZ1ycCwoqCZy7dt6/zYFrYH1xu3AN+Ji +hso4aoM18gVNadHfMRqHNClBDO0iaxuXPrg+SMqffOrdQCznQ3k= +=CgB+ +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:06.ioctl.asc b/website/static/security/advisories/FreeBSD-SA-22:06.ioctl.asc new file mode 100644 index 0000000000..59e4942f2f --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:06.ioctl.asc 
@@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:06.ioctl Security Advisory + The FreeBSD Project + +Topic: mpr/mps/mpt driver ioctl heap out-of-bounds write + +Category: core +Module: mpr, mps, mpt +Announced: 2022-04-06 +Credits: Lucas Leong (@_wmliang_), Trend Micro Zero Day Initiative +Affects: All supported versions of FreeBSD. +Corrected: 2022-04-04 00:46:25 UTC (stable/13, 13.1-STABLE) + 2022-04-04 16:24:36 UTC (releng/13.1, 13.1-RC1-p1) + 2022-04-06 03:04:16 UTC (releng/13.0, 13.0-RELEASE-p11) + 2022-04-04 00:47:44 UTC (stable/12, 12.3-STABLE) + 2022-04-06 03:06:31 UTC (releng/12.3, 12.3-RELEASE-p5) +CVE Name: CVE-2022-23086 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +mpr(4), mps(4), and mpt(4) are disk controller drivers. They export an +ioctl(2) interface used by command-line utilities to query or set properties +on the device. + +II. Problem Description + +Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers +allocated a buffer of a caller-specified size, but copied to it a fixed size +header. Other heap content would be overwritten if the specified size was +too small. + +III. Impact + +Users with access to the mpr, mps or mpt device node may overwrite heap data, +potentially resulting in privilege escalation. Note that the device node is +only accessible to root and members of the operator group. + +IV. Workaround + +No workaround is available. Systems that do not use mpr(4), mps(4) or +mpt(4) are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:06/ioctl.patch +# fetch https://security.FreeBSD.org/patches/SA-22:06/ioctl.patch.asc +# gpg --verify ioctl.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 0b29e1b9f9df stable/13-n250225 +releng/13.1/ aef190f298af releng/13.1-n250066 +releng/13.0/ e724f3ce7970 releng/13.0-n244796 +stable/12/ r371855 +releng/12.3/ r371872 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgYACgkQ05eS9J6n +5cJ1FRAAopRAsQL1viniZ9DvKUbq5cDwRvvaoTn4nzTs5+T51KoTwkzwfsAZy6jR +ixOlaGTSRxWzTrLa5Kq6DxHEevrzxmJRc03YZ0GrfbSQNoaW6SGv+lXY9SEbm86K +T3D//J42pSAmxLOteQDXqds5I4Xd9eDrrLzQjATxb9KqO1BYCWXCvPUQfRNksL6t +eXnwT0+1AluGOw0YkyZ4nB62mtO5qwFPI1T/paIRAe8G38gW5xn821fYcJUR/fbd +K6GUDdHvVsobI99nohiZcPoMH8peAoBntmWsOxMtd2goc6useAGE5xdvXB1EDBMe +W/4ZCUNg5jhw+ceVIPw248DcvT9YVp6NtYbqvxcz2SQ5MNY3B4sgZCSuYeDUqtYF +uYmJN5EHALyQPe1vPwTqM+INm5/T3Ft3Y3kWKgk5+PNSrClJNpkOASPps3hnJmM+ +i7kK/GnH0TEZbinPY4J//8o6IuZpX1o+5JWWbSZPcDo/2IxlR+sAe72hOVq5w/Bp +2GT9aJmktRlJ8Spfr7QYy2LJBRUVN9zAlnfyZJ2Hil4i03lrmP/nByEBiAWxSfo4 +ECIs5viR34U0gTJ8qbl6YJQrikWqUcYPcrPcx3iMT0fLXCaVGfB7jxZZc7jXsVc+ +nf+uJPY4z95eqbCrTHuLj9ReBLOA7nG3Vi/FI0N3sEJkBOb1tHU= +=kPAj +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc b/website/static/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc new file mode 100644 index 0000000000..c2ce62f3b0 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc 
@@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:07.wifi_meshid Security Advisory + The FreeBSD Project + +Topic: 802.11 heap buffer overflow + +Category: core +Module: net80211 +Announced: 2022-04-06 +Credits: m00nbsd working with Trend Micro Zero Day Initiative +Affects: All supported versions of FreeBSD. +Corrected: 2022-04-05 22:59:53 UTC (stable/13, 13.1-STABLE) + 2022-04-06 01:56:58 UTC (releng/13.1, 13.1-RC1-p1) + 2022-04-06 03:04:17 UTC (releng/13.0, 13.0-RELEASE-p11) + 2022-04-05 23:03:40 UTC (stable/12, 12.3-STABLE) + 2022-04-06 03:06:33 UTC (releng/12.3, 12.3-RELEASE-p5) +CVE Name: CVE-2022-23088 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD's net80211 kernel subsystem provides infrastructure and drivers +for IEEE 802.11 wireless (Wi-Fi) communications. + +II. Problem Description + +The 802.11 beacon handling routine failed to validate the length of an +IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. + +III. Impact + +While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with +a SSID) a malicious beacon frame may overwrite kernel memory, leading to +remote code execution. + +IV. Workaround + +No workaround is available. Systems not using Wi-Fi are not affected. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:07/wifi_meshid.patch +# fetch https://security.FreeBSD.org/patches/SA-22:07/wifi_meshid.patch.asc +# gpg --verify wifi_meshid.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 72617f9246e3 stable/13-n250273 +releng/13.1/ 00cc1ce78da3 releng/13.1-n250079 +releng/13.0/ b2b23824272d releng/13.0-n244797 +stable/12/ r371868 +releng/12.3/ r371873 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmJNDgYACgkQ05eS9J6n +5cL+FQ/9FPr6zxTpQ9HMQym2BYnZZHXLFWE2ALDLXE8UYiNa6vLaeIvO4f/bzS6b +StHq4YoLTU6tPtTVXu1MTv+BZmDcavtKtBohppkcSdV2Xs2zHrlcUGNBlJdWWUR6 +vgcRsI8EhdrFltKoeJ+L7bfHCzE4oGAFKhvap7DL8URrt+a7S0mkfdaX9o7RSQi3 +vku98kns+ylV4T+DgY5KO21rnzwopIkmw3XlRO+S0XILK/h+7EWvcrOTTEV+byQM +vZL17NlumXhrZvg3nQIgpTmai7B8hFCVvRYy8aT8ygRSgEWG5ZtJVuPtgmJ7TMPg +mZneNAQ3eJep4l53nRu3mlxvwJYm9KR/RYDIf6iHhkVStPGv4+9wPSqHZXzn/bDy +MLTHNcOi6wBmRMi+JsR4QkhS6VukFlZvNl4UhXRG7Lx2Tss5CG/SKXCEHcwOYcZY +TEIJY2iDoTTU3jEYWclvcmLMKn3yRfyox1vpv71Ugh33L0lgM22P/5+p/jebeQvL +xl62ZEZZUzOeHfDzMNKi4yFhi4RvRA8exmVTKjPbqiDPIpUQFrCLWvbzeQhUbeSm +zsldDRAf51jeJbahwSfujqjJ7NOum0iY1qTSqgV3JLvAjShQHCMYCK12zlwT42CM +3Op+ruTU7mx9UhjerQtklrzP1qE9i6A9D5Kk/MZSOA4zRbuFTRw= +=uFZx +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:08.zlib.asc b/website/static/security/advisories/FreeBSD-SA-22:08.zlib.asc new file mode 100644 index 0000000000..14ba774c80 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:08.zlib.asc 
@@ -0,0 +1,155 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:08.zlib Security Advisory + The FreeBSD Project + +Topic: zlib compression out-of-bounds write + +Category: zlib +Module: contrib +Announced: 2022-04-06 +Credits: Danilo Ramos of Eideticom + Tavis Ormandy of Google Project Zero +Affects: All supported versions of FreeBSD. +Corrected: 2022-04-04 19:30:33 UTC (stable/13, 13.1-STABLE) + 2022-04-04 20:02:42 UTC (releng/13.1, 13.1-RC1-p1) + 2022-04-06 03:04:19 UTC (releng/13.0, 13.0-RELEASE-p11) + 2022-04-04 01:07:59 UTC (stable/12, 12.3-STABLE) + 2022-04-06 03:06:39 UTC (releng/12.3, 12.3-RELEASE-p5) +CVE Name: CVE-2018-25032 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +zlib is a compression library used by numerous applications, as well as some +FreeBSD kernel components, to provide data compression/decompression +routines. + +II. Problem Description + +Certain inputs can cause zlib's compression routine to overwrite an internal +buffer with compressed data. This issue may require the use of uncommon or +non-default compression parameters. + +III. Impact + +The out-of-bounds write may result in memory corruption and an application +crash or kernel panic. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. 
+ +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:08/zlib.patch +# fetch https://security.FreeBSD.org/patches/SA-22:08/zlib.patch.asc +# gpg --verify zlib.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +. + +Recompile the operating system using buildworld and installworld as +described in . + +Reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ c4727a47f18c stable/13-n250251 +releng/13.1/ f5196112e8bd releng/13.1-n250070 +releng/13.0/ 9854ff088002 releng/13.0-n244799 +stable/12/ r371856 +releng/12.3/ r371875 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base *** 749 LINES SKIPPED ***
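Review bot: In FreeBSD-SA-22:07, Solution step 2a, the verification command `gpg --verify wifi_meshid.patch.asc` names only the signature file, and the surrounding text ("verify the detached PGP signature using your PGP utility") does not say which key the signature is expected to come from. gpg reports a good signature for any key already in the reader's keyring, so the step should say where the signing key is published and ask the reader to compare the reported fingerprint against it. Passing the data file explicitly, as in `gpg --verify wifi_meshid.patch.asc wifi_meshid.patch`, would also remove the reliance on gpg inferring the patch file name from the `.asc` name. The same wording is used in step 2a of FreeBSD-SA-22:08.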
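Review bot: In FreeBSD-SA-22:08, Solution step 2c puts two separate rebuilds (the kernel, then "buildworld and installworld") and the reboot under a single "c)" label, although section I states that zlib is used both by applications and by kernel components, so both rebuilds are required. Suggest giving each rebuild its own lettered step, with the reboot as the last one, so that a reader who stops after the kernel rebuild does not leave the userland copy of zlib unpatched. Separately, section II says the issue "may require the use of uncommon or non-default compression parameters" without naming them; since section IV offers no workaround, naming those parameters would let operators judge which applications are exposed before they can patch.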