Date: Tue, 29 Nov 2022 23:36:57 GMT
Message-Id: <202211292336.2ATNavl7057200@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Gordon Tetlow
Subject: git: 40b6db4afe - main - Add EN-22:28 and SA-22:15. Revise SA-22:14.
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-Git-Committer: gordon
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 40b6db4afe1f149f24cfad6b60d9b141c59cbb05

The branch main has been updated by gordon (src committer):

URL: https://cgit.FreeBSD.org/doc/commit/?id=40b6db4afe1f149f24cfad6b60d9b141c59cbb05

commit 40b6db4afe1f149f24cfad6b60d9b141c59cbb05
Author:     Gordon Tetlow
AuthorDate: 2022-11-29 23:36:25 +0000
Commit:     Gordon Tetlow
CommitDate: 2022-11-29 23:36:25 +0000

    Add EN-22:28 and SA-22:15. Revise SA-22:14.

    Approved by:    so
---
 website/data/security/advisories.toml              |   4 +
 website/data/security/errata.toml                  |   4 +
 .../advisories/FreeBSD-EN-22:28.heimdal.asc        | 158 ++++++++++++++++++++
 .../advisories/FreeBSD-SA-22:14.heimdal.asc        |  52 +++++--
 .../security/advisories/FreeBSD-SA-22:15.ping.asc  | 161 +++++++++++++++++++++
 .../static/security/patches/EN-22:28/heimdal.patch |  16 ++
 .../security/patches/EN-22:28/heimdal.patch.asc    |  16 ++
 .../static/security/patches/SA-22:15/ping.patch    | 114 +++++++++++++++
 .../security/patches/SA-22:15/ping.patch.asc       |  16 ++
 9 files changed, 526 insertions(+), 15 deletions(-)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 9f761f4ff7..6a3d6ed32c 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml 
@@ -1,6 +1,10 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-22:15.ping" +date = "2022-11-29" + [[advisories]] name = "FreeBSD-SA-22:14.heimdal" date = "2022-11-15" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index abe9329081..b4a4a7c26d 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,10 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-22:28.heimdal" +date = "2022-11-29" + [[notices]] name = "FreeBSD-EN-22:27.loader" date = "2022-11-01" diff --git a/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc b/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc new file mode 100644 index 0000000000..e8fef4cc8a --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc 
@@ -0,0 +1,158 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:28.heimdal Errata Notice + The FreeBSD Project + +Topic: Regression in Heimdal KDC + +Category: contrib +Module: heimdal +Announced: 2022-11-29 +Affects: All supported versions of FreeBSD. +Corrected: 2022-11-18 01:09:42 UTC (stable/13, 13.1-STABLE) + 2022-11-29 23:04:48 UTC (releng/13.1, 13.1-RELEASE-p5) + 2022-11-18 01:10:53 UTC (stable/12, 12.4-STABLE) + 2022-11-29 23:19:12 UTC (releng/12.4, 12.4-RC2-p2) + 2022-11-29 23:16:21 UTC (releng/12.3, 12.3-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +Heimdal implements the Kerberos 5 network authentication protocols. + +A Key Distribution Center (KDC) is trusted by all principals registered +in that administrative "realm" to store a secret key in confidence, of +which, the proof of knowledge is used to verify the authenticity of a +principal. + +FreeBSD-SA-22:14.heimdal corrected multiple vulnerabilities in the Heimdal +implementation of the Kerberos 5 network authentication protocols and KDC +included as part of the FreeBSD base system. + +II. Problem Description + +The patch released with FreeBSD-SA-22:14.heimdal included an inadvertently +merged block of code which prevents the KDC from issuing valid tickets. + +III. Impact + +A system patched with FreeBSD-SA-22:14.heimdal will have a defective KDC. + +IV. Workaround + +No workaround is available. Systems that were not updated with the patch from +FreeBSD-SA-22:14.heimdal are not affected. Note that unpatched systems are +vulnerable to multiple security issues. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +A reboot is recommended. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is recommended. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch +# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch.asc +# gpg --verify heimdal.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons that use Kerberos, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ b23fe6badeba stable/13-n253102 +releng/13.1/ 10571c04c9dd releng/13.1-n250173 +stable/12/ r372759 +releng/12.4/ r372779 +releng/12.3/ r372776 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n +5cISog/8DVRGrMXWSdmaqa5KpO3SZ1o5mmhZDWYKRxDQZv0puJ6lTus44VtixzM6 +ft1zRe2yQy3YoTtcxho2jY8zppcdg5r4rIR4rXsxIAjufxd53hxmWYXjN6zObxTB +Owebw+xvJSG5ls020iRECI+YjE32ssXLBI7XkqOVnErF/UmxkTQM86VPHene3WwU +EhwwM1i7ZUdl/11tGPft975u5waKUFxeRF4jpFLu/pbDqHBoFgY4AT2ivs+6jwaO +o4X0gBDKDh/xXU7yFSdPfF09PRgSCosPMr8UNWXBlS6WYEmGPiRlS3NDB8EMFDw/ +AElMEqlT55DzdFi4qD91x+FPeIQ+NbJCNjFuZDXv4lZtAvGF/ue4wfxH/ZNcAo06 +SH1tJolwu0l6Q7e/6a+cU7RsonVhv7K2j5DKddoNSZcla/kg9z1IkYGgt0OrtOWn +eMhuiLNsBZwebWsYWT/MG5nHaL79jWKPy69c+b8yXcpdrpfC4DNVmnTiiHzpus46 +9K4X5aOgCMW6C19hIWvH74s6sWo8ZoEz4BaslJZ7AeHSv6HPGfUZBygtYm739a/J +U8WN+rRIzsaxHQXts6LF8xroJtUvxQ76TZgK58k/Pma+Xa0vdYLcyqd/XEaFm1CW +7rLqVzTsHTlOz7JaMLnNm1aY6KKyERnJ94ii+LOjeldCAVWMNE0= +=aUbR +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:14.heimdal.asc b/website/static/security/advisories/FreeBSD-SA-22:14.heimdal.asc index 93947ecf2c..663a2236bf 100644 --- a/website/static/security/advisories/FreeBSD-SA-22:14.heimdal.asc +++ b/website/static/security/advisories/FreeBSD-SA-22:14.heimdal.asc @@ -5,11 +5,12 @@ Hash: SHA512 FreeBSD-SA-22:14.heimdal Security Advisory The FreeBSD Project -Topic: Multiple vulnerabilities in Heimdal +Topic: Multiple vulnerabilities in Heimdal [REVISED] Category: contrib Module: heimdal Announced: 2022-11-15 +Revised: 2022-11-29 Affects: All supported versions of FreeBSD. Corrected: 2022-11-15 21:15:35 UTC (stable/13, 13.1-STABLE) 2022-11-16 01:50:27 UTC (releng/13.1, 13.1-RELEASE-p4) 
@@ -19,6 +20,11 @@ Corrected: 2022-11-15 21:15:35 UTC (stable/13, 13.1-STABLE) CVE Name: CVE-2019-14870, CVE-2022-3437, CVE-2022-42898, CVE-2022-44640, CVE-2021-44758 +0. Revision history + +v1.0 2022-11-15 Initial release. +v1.1 2022-11-29 Updated with reference to FreeBSD-EN-22:28.heimdal. + For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . @@ -97,7 +103,20 @@ b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch -c) Recompile the operating system using buildworld and installworld as +c) The original revision of this advisory included a patch which renders the +KDC inoperative. This was corrected in FreeBSD-EN-22:28.heimdal. Systems +using the KDC must download and verify an additional patch: + +# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch +# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch.asc +# gpg --verify heimdal.patch.asc + +d) Apply the additional patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +e) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the Kerberos, or reboot the system. 
@@ -153,21 +172,24 @@ VII. References + + + The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmN0Ud0ACgkQ05eS9J6n -5cKIKA//bRccdsoilKJvyQw9RazwJ0HENGbPF1RdjyG1nmMsp5wG+rqAdnN0LF8p -SgEqfZjCx+KXNJBkzblKzduFK9VQ211dbjouwd/BVCbMYemUIs1DqobF6uvYnMbn -vhQ2lUtZ46WbgvjXOcfsHakmCV2V2kCzBFsCKCQFPcYSch5n9gGW+I4cfewF8+fB -+sjvhz7MDyLaCVB3UpxPUIMc3w/G18zzyhHdhuJOaCrCjf00Mt4Er40ICr+IkRy5 -PpwdX60yvwk3uxzzMyIC5zcS3CD6qFUOaSIXfEuGWGl7Wo7MjoCXECE1sbwLVat8 -K1FJtNIADZJkURzkgjvp9rHQHwZFkLMawrkyik4apHgGsY2pXktZGhcw/qN2BNNn -uo3HILrjbYK5eU5zLU17FS9X5qTurIcqdVJCIklvjNqW7DAuN3K1I9ryat4w5sST -ToW5LpLtP9DoI9M9Bh3Mqba629iuXRmQ6LZ6p9EGSFr2i7e3VDEcvMxkGO6Sh8M3 -w67FpqWzeQ1RT2q2YL013emKq6C+oYDjMDDejAqH2Wwwae/7yQiNnXBqvokIXmi4 -KLupHptt0CPFPOFBLloxXBPenYu/49SRWeUoxBqspQuvCY708j1mUntaVtAFm/ax -QElUUEEmcuJhsBzTzBnS82oe7IRwv3NQm55zkOn+DQZ2HjV/GaY= -=jmOK +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlpAACgkQ05eS9J6n +5cJFGQ//TbsJox2faNwQaBoQy/gFSP6TgauZTZJR5A5Y6bRMcvkNJyl3KIM2XlWD +W+lJlxL7kERjv9zD6iI8rns4+FOO2p9f4ICZsWy88ABQrmpuz2N22MSd8NyXeRv0 +30HyftaUMZdAPHVk5Piu7l3U6S4tPiO1BZEoMucG8cby1eWlPMtuH3K/0/CLZmPc +F8U+oRDwB5KnZgP39JmvejvGoXik1lhCrvaLZ5fG1QEmyb1xtjHfT+QSkh9FWLxz +jrHfwgpZFERprpMzqZAicbinV/LjZMfEbckJygzGNzSTTPD+uqT/jDmY+iHnkdF1 +Lw9R8pJoJIpvckRrPLQIOZZuz/Xd4FRB7Gc/q4/x4HTP/8y/x1uKZmcbrh86W9xu +9jCLMgpqETEjHhqADX7Z4+7oxhCPmgSJP8dX5o0HvORs4bqqxbkLqkCsp8QXdcES +vftJGgpt1IPO8MBcr4pG6+cEcZQuk7qX0/D3PArxLkwU2coimP2MmjxyeWBX5GrI +zgdF2HiUYvuZXyt1FMgve+8JkS1RYEE+yPWeOJ5RnIuHnIaNTD81o1gIYuFL3ECb +UAREi6FYskzeJQ/W2ZRMwQPGMPDQI901+msfStjxgx92rKhxLW+rDsg0EUsApoOv +DzIaeCtOGCZMG/mLvVhOLYbqmFrHDbWy8cMoSti/lnx7OdLpnn4= +=L299 -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc b/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc new file mode 100644 index 0000000000..53807fc550 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc 
@@ -0,0 +1,161 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:15.ping Security Advisory + The FreeBSD Project + +Topic: Stack overflow in ping(8) + +Category: core +Module: ping +Announced: 2022-11-29 +Credits: Tom Jones +Affects: All supported versions of FreeBSD. +Corrected: 2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE) + 2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5) + 2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE) + 2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2) + 2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10) +CVE Name: CVE-2022-23093 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +ping(8) is a program that can be used to test reachability of a remote +host using ICMP messages. To send and receive ICMP messages, ping makes +use of raw sockets and therefore requires elevated privileges. To make +ping's functionality available to unprivileged users, it is installed +with the setuid bit set. When ping runs, it creates the raw socket +needed to do its work, and then revokes its elevated privileges. + +II. Problem Description + +ping reads raw IP packets from the network to process responses in the +pr_pack() function. As part of processing a response ping has to +reconstruct the IP header, the ICMP header and if present a "quoted +packet," which represents the packet that generated an ICMP error. The +quoted packet again has an IP header and an ICMP header. + +The pr_pack() copies received IP and ICMP headers into stack buffers +for further processing. In so doing, it fails to take into account the +possible presence of IP option headers following the IP header in +either the response or the quoted packet. 
When IP options are present, +pr_pack() overflows the destination buffer by up to 40 bytes. + +III. Impact + +The memory safety bugs described above can be triggered by a remote +host, causing the ping program to crash. It may be possible for a +malicious host to trigger remote code execution in ping. + +The ping process runs in a capability mode sandbox on all affected +versions of FreeBSD and is thus very constrainted in how it can interact +with the rest of the system at the point where the bug can occur. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch +# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc +# gpg --verify ping.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 186f495d4be1 stable/13-n253187 +releng/13.1/ 66c7b53d9516 releng/13.1-n250172 +stable/12/ r372774 +releng/12.4/ r372778 +releng/12.3/ r372775 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat + +Or visit the following URL, replacing NNNNNN with the hash: + + + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n +5cIQGw//ZiF50YbtOc7oYgVcJTGlBEAbKWV6OteTDpXWb/OlwkznGxwzrG0DPvWN +wHyItOPSAmdxqC4xZUsZh9HNxlim80r5TR1y4BE22Lsg2vL5Ir0h3tcqOKKpHYLS +KzNgishF1+J56JeU3TpTjOe5QbXK3EZiw092lH8uSXTp3PqcHxBfFuW9Cjc1Rq/u +ewjHWI7zNCMOpGh3w/v14ZxGl3aFusL1jmrcyi5kZub2Pr0N3bUKgS3/3wXfWF6o +hcFhl1ChmAwpT/1313LNE7SHPl4HCC5XK4r3w+wniLjOJUhnioOBjay29QLt5O53 +0rYaINNvo7ooBSpcPO9ixta+7dqah+uuW3vnFewuahqNCaAGLhMDSPqyZW7KfYgU +F7TIDoBRHPHASFb3FOiAAcCNMCvmGl7vFyVoWe0xJ1ion2jqO83R8XOGgnHsPL/l +cTYTPdECPMIDMvmfIH9UAbNCzKEYdNjWsXUjFJKkxCBtwUcBRsn1TEu24zU2j9mS +hRlY1DAYVy8raYUnQp/f6Llroim5DKyUYpJpeB3j//Fk6KACRnZKsqsSIj9U3OYf +KD6zfJ35RrolPHePMPmy6vGPDYFocDo+YQSm1eauwfSeDGnsjBmIdzxahkgEav4Z +5agsPd2naEntMiJkGGgeuYCifEvkCttJbuTn2s+7VkuTap0uTuA= +=rown +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-22:28/heimdal.patch b/website/static/security/patches/EN-22:28/heimdal.patch new file mode 100644 index 0000000000..9480536044 --- /dev/null +++ b/website/static/security/patches/EN-22:28/heimdal.patch @@ -0,0 +1,16 @@ +--- crypto/heimdal/lib/asn1/gen_free.c.orig ++++ crypto/heimdal/lib/asn1/gen_free.c +@@ -61,13 +61,6 @@ + case TNull: + case TGeneralizedTime: + case TUTCTime: +- /* +- * This doesn't do much, but it leaves zeros where garbage might +- * otherwise have been found. Gets us closer to having the equivalent +- * of a memset()-to-zero data structure after calling the free +- * functions. +- */ +- fprintf(codefile, "*%s = 0;\n", name); + break; + case TBitString: + if (ASN1_TAILQ_EMPTY(t->members)) diff --git a/website/static/security/patches/EN-22:28/heimdal.patch.asc b/website/static/security/patches/EN-22:28/heimdal.patch.asc new file mode 100644 index 0000000000..8a6745962a --- /dev/null +++ b/website/static/security/patches/EN-22:28/heimdal.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n +5cJJvQ//cupNZsqRq3PRK8cxeHVHLGLFxRhpA8nhQKjCb3Nkk0FccuCZ6exTjktS +ADbFwdmrDCDbnkBWsGT4p+zH0p13QFCvyKiVriC3KeYA9lJmjupyslM8lVsFjzw0 +9BmoAMQ6Wvh5Rm3MyElRBCBAZXxZP3+eqP+m4zDLiPxZ5jsV/DhZ8IMeaNyXl6tI +dPtED9mom3Png9oqZ9hpl3RqqExpdbmlqd1pXifftGj28t9x3IKsMhplPKuW2QZm +xd+CygChbLin2IaM+PkhhX3umqi5WVH68EToWR/iP/mfHPRmb9PUKVWxiTY8rkz/ +ZCG9VJjpQGE/tFdbG/eIS5ZgNM8cNLDiclDs2Yv1896yTFGv/Eirc031VslOYn17 +3HMDJpnNTktaKRgAyjJ1Nq31Ct2KMcrnq97rBKOq5S9Hg1d50FVfXIaJMjhK6AT5 ++ydICdjJkTI+9WOvUtYkwE8g4cX3kZqGLnPaYysAThhgUg5bvlZHZkXJe2ujjeth +uIPXXU6b5C/J3zDET1LwxFgWEA6n24PNEhi+pL6yYP6nf9BBHr2BUa1jZCezZOeX +0gtZ2uhE7PxgganAtt5TM19RwYee2gULz6feBX4lLmb4ECPatVZDbNASo8IKw8cO +JxeOiNCjRRNq1I5oSy1rMQSx5B/d86+BaaN4ZyHJTdf2iAd1Trg= +=xBq4 +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-22:15/ping.patch b/website/static/security/patches/SA-22:15/ping.patch new file mode 100644 index 0000000000..a9de7f3481 --- /dev/null +++ b/website/static/security/patches/SA-22:15/ping.patch 
@@ -0,0 +1,114 @@ +--- sbin/ping/ping.c.orig ++++ sbin/ping/ping.c +@@ -963,6 +963,9 @@ + warn("recvmsg"); + continue; + } ++ /* If we have a 0 byte read from recvfrom continue */ ++ if (cc == 0) ++ continue; + #ifdef SO_TIMESTAMP + if (cmsg != NULL && + cmsg->cmsg_level == SOL_SOCKET && +@@ -1144,8 +1147,10 @@ + struct icmp icp; + struct ip ip; + const u_char *icmp_data_raw; ++ ssize_t icmp_data_raw_len; + double triptime; +- int dupflag, hlen, i, j, recv_len; ++ int dupflag, i, j, recv_len; ++ uint8_t hlen; + uint16_t seq; + static int old_rrlen; + static char old_rr[MAX_IPOPTLEN]; +@@ -1155,15 +1160,27 @@ + const u_char *oicmp_raw; + + /* +- * Get size of IP header of the received packet. The +- * information is contained in the lower four bits of the +- * first byte. ++ * Get size of IP header of the received packet. ++ * The header length is contained in the lower four bits of the first ++ * byte and represents the number of 4 byte octets the header takes up. ++ * ++ * The IHL minimum value is 5 (20 bytes) and its maximum value is 15 ++ * (60 bytes). + */ + memcpy(&l, buf, sizeof(l)); + hlen = (l & 0x0f) << 2; +- memcpy(&ip, buf, hlen); + +- /* Check the IP header */ ++ /* Reject IP packets with a short header */ ++ if (hlen < sizeof(struct ip)) { ++ if (options & F_VERBOSE) ++ warn("IHL too short (%d bytes) from %s", hlen, ++ inet_ntoa(from->sin_addr)); ++ return; ++ } ++ ++ memcpy(&ip, buf, sizeof(struct ip)); ++ ++ /* Check packet has enough data to carry a valid ICMP header */ + recv_len = cc; + if (cc < hlen + ICMP_MINLEN) { + if (options & F_VERBOSE) +@@ -1175,6 +1192,7 @@ + #ifndef icmp_data + icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_ip); + #else ++ icmp_data_raw_len = cc - (hlen + offsetof(struct icmp, icmp_data)); + icmp_data_raw = buf + hlen + offsetof(struct icmp, icmp_data); + #endif + +@@ -1304,12 +1322,45 @@ + * as root to avoid leaking information not normally + * available to those not running as root. 
+ */ ++ ++ /* ++ * If we don't have enough bytes for a quoted IP header and an ++ * ICMP header then stop. ++ */ ++ if (icmp_data_raw_len < ++ (ssize_t)(sizeof(struct ip) + sizeof(struct icmp))) { ++ if (options & F_VERBOSE) ++ warnx("quoted data too short (%zd bytes) from %s", ++ icmp_data_raw_len, inet_ntoa(from->sin_addr)); ++ return; ++ } ++ + memcpy(&oip_header_len, icmp_data_raw, sizeof(oip_header_len)); + oip_header_len = (oip_header_len & 0x0f) << 2; +- memcpy(&oip, icmp_data_raw, oip_header_len); ++ ++ /* Reject IP packets with a short header */ ++ if (oip_header_len < sizeof(struct ip)) { ++ if (options & F_VERBOSE) ++ warnx("inner IHL too short (%d bytes) from %s", ++ oip_header_len, inet_ntoa(from->sin_addr)); ++ return; ++ } ++ ++ /* ++ * Check against the actual IHL length, to protect against ++ * quoated packets carrying IP options. ++ */ ++ if (icmp_data_raw_len < ++ (ssize_t)(oip_header_len + sizeof(struct icmp))) { ++ if (options & F_VERBOSE) ++ warnx("inner packet too short (%zd bytes) from %s", ++ icmp_data_raw_len, inet_ntoa(from->sin_addr)); ++ return; ++ } ++ ++ memcpy(&oip, icmp_data_raw, sizeof(struct ip)); + oicmp_raw = icmp_data_raw + oip_header_len; +- memcpy(&oicmp, oicmp_raw, offsetof(struct icmp, icmp_id) + +- sizeof(oicmp.icmp_id)); ++ memcpy(&oicmp, oicmp_raw, sizeof(struct icmp)); + + if (((options & F_VERBOSE) && uid == 0) || + (!(options & F_QUIET2) && diff --git a/website/static/security/patches/SA-22:15/ping.patch.asc b/website/static/security/patches/SA-22:15/ping.patch.asc new file mode 100644 index 0000000000..b83c424912 --- /dev/null +++ b/website/static/security/patches/SA-22:15/ping.patch.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n +5cKnpQ//YlHq4Bwq2PnC64jlhvfkeu7CrC9Y/+XQwen/X5QLr3+RCVeWZKcc+I9r +ILhIm/B3fw96ruwSHuvp9fP5NUn0RwA7cEku2lWvWErYiadncvDwir2/ShOuRwzw +0N4zGLx8mZoRJX2cQLSUBeu901pnxbuG1LucfL604j5+wngnQjvuzcXu1ET4N/rZ +7mif1ruu1SVzarcxKNTGGedbYEqu1x5c5E6wSA7I9KLt4bkFQLrNNfNm3rf7/f1X +UBe0Ii+kX7MigSu5kLd1cuBEEve+x1PqJ+ccHjIpNIKyrrBttqOtvowmhZCib20D +kWdna2NUl6O2JmGzQZ2skHbnDeH/f99sCgjmAZodG562r3psQF3PFget9vGIFDNu +gXlcaT96HwOIzRx36EhZjjV0FZxwvt5uJYokRM6DoYdlsyB2r/vh17ZPhdQJ1N4N +TZgxp+26bwW4fRHsIosL8/SiDdFtZB5csPDxHz4tEFs830zyCWBSITGfmMcUK6fH +hpWASCz5Mlez8N2JGLBdfpMFtjaqOlmfzXxd8RkIGja320mizMlEbM5I2B3SLz6L +B4eeZZmbJGr70LhcZ9wBk3YKPYzpsmwuskgFGaXuKS9iQz/Bc5yJfzyjhBhDKacv +nmytF6yrwKp6ftvU8yilBbN+/ILvfM3Xqmx2bapSt3D01XR42f8= +=D5F/ +-----END PGP SIGNATURE-----
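Review bot: The revised FreeBSD-SA-22:14.heimdal.asc adds a "Revised:" date and new steps c) and d) in the @@ -97,7 +103,20 @@ hunk, but its "Corrected:" block is unchanged and still lists 13.1-RELEASE-p4 for releng/13.1, while FreeBSD-EN-22:28.heimdal.asc gives 13.1-RELEASE-p5 as the level carrying the KDC fix. A reader checking only the SA header cannot tell which patch level has a working KDC; suggest naming the EN-22:28 patch levels in step c) or in the v1.1 revision-history entry. The context line "Restart all daemons that use the Kerberos" also differs from the EN's "Restart all daemons that use Kerberos".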
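Review bot: Section III of the new FreeBSD-SA-22:15.ping.asc has a typo, "very constrainted" for "very constrained", and Section II opens a paragraph with "The pr_pack() copies", which wants either "pr_pack() copies" or "The pr_pack() function copies". The file is clearsigned (it begins with BEGIN PGP SIGNED MESSAGE), so any wording fix needs a fresh signature and is best made as a revision with its own revision-history entry, as was done for SA-22:14 in this same commit.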
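Review bot: The comment added in the @@ -963,6 +963,9 @@ hunk of ping.patch says "0 byte read from recvfrom", but the call in the surrounding context is recvmsg (the error path just above is warn("recvmsg")). Suggest the comment name recvmsg, and say why a zero-length datagram is skipped here rather than passed on to pr_pack(), since the new length checks there would reject it anyway.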
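Review bot: The new short-header check in the @@ -1155,15 +1160,27 @@ hunk of ping.patch reports with warn("IHL too short ..."), which appends strerror(errno) even though no system call has failed at that point; the two inner-packet checks added later in the same patch use warnx, and this one should too. The rewritten comment also describes the IHL as "the number of 4 byte octets the header takes up"; the field counts 32-bit words, which is what the "<< 2" on the next line converts to bytes.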
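Review bot: icmp_data_raw_len is assigned only in the #else branch of the @@ -1175,6 +1192,7 @@ hunk of ping.patch; when icmp_data is not defined, the #ifndef branch sets icmp_data_raw but leaves the length uninitialized (it is declared without an initializer in the @@ -1144,8 +1147,10 @@ hunk). The quoted-packet checks added in the @@ -1304,12 +1322,45 @@ hunk then compare against an indeterminate value, so the bounds check this patch exists to provide is not reliable on that build path. Suggest computing the length in both branches, using offsetof(struct icmp, icmp_ip) in the first to match its pointer arithmetic.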
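Review bot: The quoted-packet checks in the @@ -1304,12 +1322,45 @@ hunk of ping.patch require sizeof(struct icmp) bytes after the inner IP header, whereas the removed memcpy copied only offsetof(struct icmp, icmp_id) + sizeof(oicmp.icmp_id) bytes into oicmp. If the code that follows reads nothing past icmp_id, an ICMP error quoting fewer than sizeof(struct icmp) bytes of the original message is now discarded, and silently unless F_VERBOSE is set; consider bounding both the length checks and the final memcpy by the bytes actually consumed. The comment above the third check has a typo, "quoated".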