git: 802acbe255 - main - Update EN-23:09 and add EN-23:12, SA-23:12 through SA-23:14.
Date: Tue, 03 Oct 2023 22:33:48 UTC
The branch main has been updated by gordon:
URL: https://cgit.FreeBSD.org/doc/commit/?id=802acbe255a5bb736abb7ed36d96d7e5c8d104c7
commit 802acbe255a5bb736abb7ed36d96d7e5c8d104c7
Author: Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2023-10-03 22:32:32 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2023-10-03 22:32:32 +0000
Update EN-23:09 and add EN-23:12, SA-23:12 through SA-23:14.
---
website/data/security/advisories.toml | 12 ++
website/data/security/errata.toml | 4 +
.../advisories/FreeBSD-EN-23:09.freebsd-update.asc | 46 +++++--
.../advisories/FreeBSD-EN-23:12.freebsd-update.asc | 142 +++++++++++++++++++
.../advisories/FreeBSD-SA-23:12.msdosfs.asc | 152 +++++++++++++++++++++
.../advisories/FreeBSD-SA-23:13.capsicum.asc | 137 +++++++++++++++++++
.../security/advisories/FreeBSD-SA-23:14.smccc.asc | 140 +++++++++++++++++++
.../security/patches/EN-23:12/freebsd-update.patch | 17 +++
.../patches/EN-23:12/freebsd-update.patch.asc | 16 +++
.../security/patches/SA-23:12/msdosfs.12.4.patch | 86 ++++++++++++
.../patches/SA-23:12/msdosfs.12.4.patch.asc | 16 +++
.../security/patches/SA-23:12/msdosfs.13.2.patch | 86 ++++++++++++
.../patches/SA-23:12/msdosfs.13.2.patch.asc | 16 +++
.../security/patches/SA-23:13/capsicum.patch | 22 +++
.../security/patches/SA-23:13/capsicum.patch.asc | 16 +++
.../static/security/patches/SA-23:14/smccc.patch | 107 +++++++++++++++
.../security/patches/SA-23:14/smccc.patch.asc | 16 +++
17 files changed, 1018 insertions(+), 13 deletions(-)
diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 9fb568085e..6432cceb40 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,18 @@
# Sort advisories by year, month and day
# $FreeBSD$
+[[advisories]]
+name = "FreeBSD-SA-23:14.smccc"
+date = "2023-10-03"
+
+[[advisories]]
+name = "FreeBSD-SA-23:13.capsicum"
+date = "2023-10-03"
+
+[[advisories]]
+name = "FreeBSD-SA-23:12.msdosfs"
+date = "2023-10-03"
+
[[advisories]]
name = "FreeBSD-SA-23:11.wifi"
date = "2023-09-06"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index b9b5b054e0..8c61975a0c 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-23:12.freebsd-update"
+date = "2023-10-03"
+
[[notices]]
name = "FreeBSD-EN-23:11.caroot"
date = "2023-09-06"
diff --git a/website/static/security/advisories/FreeBSD-EN-23:09.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-23:09.freebsd-update.asc
index 9f2d14fb2b..7cf538a97f 100644
--- a/website/static/security/advisories/FreeBSD-EN-23:09.freebsd-update.asc
+++ b/website/static/security/advisories/FreeBSD-EN-23:09.freebsd-update.asc
@@ -13,12 +13,17 @@ Announced: 2023-09-06
Affects: FreeBSD 13.2
Corrected: 2023-05-16 21:34:10 UTC (stable/13, 13.2-STABLE)
2023-09-06 16:56:24 UTC (releng/13.2, 13.2-RELEASE-p3)
+ 2023-09-28 13:42:18 UTC (stable/12, 12.4-STABLE)
+ 2023-10-03 22:15:35 UTC (releng/12.4, 12.4-RELEASE-p6)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
+2023-09-06 Initial Revision
+2023-10-03 Updated to include the patch for 12.4-RELEASE.
+
I. Background
freebsd-update provides binary updates for supported releases of FreeBSD on
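Review bot: The unchanged header line "Affects: FreeBSD 13.2" at the top of this hunk no longer matches the Corrected list, which now carries stable/12 and releng/12.4 (12.4-RELEASE-p6) entries. Suggest updating Affects in the same revision so that readers who filter on that field see that 12.4 systems are in scope.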
@@ -87,8 +92,12 @@ Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/13/ 866e5c6b3ce7 stable/13-n255386
releng/13.2/ 0b39d9de2e71 releng/13.2-n254628
+stable/12/ r373221
+releng/12.4/ r373231
- -------------------------------------------------------------------------
+For FreeBSD 13 and later:
+
Run the following command to see which files were modified by a
particular commit:
@@ -103,6 +112,17 @@ nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
VII. References
<URL:https://reviews.freebsd.org/D39973>
@@ -111,17 +131,17 @@ The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:09.freebsd-update.asc>
-----BEGIN PGP SIGNATURE-----
-iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmT4vxEACgkQbljekB8A
-Gu9gmA/7BjuRje8BCxVKXenlsL0FbOLzpQd1Ac6+pQ8sYCotl9Z/S/BF0kgWGEyP
-ezkgQDndc90tzGBkFwSh55utFPDxycRJy2ybhg1ownZDyfwtSokWPSp0qdbu2wYD
-XBW2xwzsIIemvIOVAvCrn3GagIRMlziaFE8brtwiFCqAB4p4x/Ga9SRKvVPS5fVc
-FHBjWRvcNYXanz5VPZA3wbm5CIiGUC+4x22A2DPovcXT8yO1nbIyQpMUnfj+BrJ3
-QPxVmIZsWWbGtkGgplpPuOyP/BPivkDR/TN0TI6fGRKSK517aycCmwF+cgD9Th+S
-oISBwO4jZ50tyi36FtaTT9PnkLqX39McCq9T9kCQ5GBhztepSe7S31C8FLdH95TT
-wgkML9X/7zoh5Y2i8IWvbvSrAJ/eOaO8VR97aITmbOxLj4dRHB1gfc5FhNLlmeF4
-fz+VbVzOUEta/8PkDkEbbkuG2ttPs///KQB1Lu6V3UkZfIl0L40mzS+X8xMjWL9P
-TZBN1skjRcrEx8zaeyzTXEL2e4LX46wrKvm3Gvy0x5JOKgYy8ZHZpT3llChr3yTz
-oSxdEZ+oTttfXieHeDtXrxSnFi8Bvgy8j3jFtam7QNbaWYgaURlc7mUC+aUbd+J8
-hYwE+RQFlK3nBpMvGfrFJhbl9RglpYC9qvK69V1zwDQ1DLjHnfk=
-=GZ0v
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmUclTsACgkQbljekB8A
+Gu+mvBAAumfz3Q0E3r4JXRaYDUBHgMN+L86xn9gzt/+sbrMtHCdJ1NariCwXO3lH
+tGgPW97xRZG4r1IQYayydYo3N7X4u4egzyz/HNKWhxJjkSBkgQG19IDryi9n/2B4
+g5lFaLUGT57pKJDpbDWwvdKbpgUDEfHVTG2hthDVFcnJRuPVSaqdEcOi0eWuX/Dy
+8t9CA+9TkvmaY9bl4Lbyltsf0ycSYOp2FDVOKorm0D1GvVAcA+5+9pw02IdFZuGo
+CFiXhstcIGs9kKGdtC21tkxemz8oV4Ub9gjsVYyVDzbvKcYtsb/EIKCiTnPcgL9M
+DBrekG3LhUK+pZ+V+eHFGToBukITPcZ/gkSwl59Zu1fB1ITBm9QoriwL5R6udpYA
+mymzlTYTnLIrGAu4u1Ft2RSXvxwfIAtErM0MyijI1KFl9q5EFhSJzSnTG411FJP4
+w51r0iKHtMJdeL+gYFkWUQrZM+oDHOhuvhYwzbh0cZD2DFksCT2OB0F/zVCHvPsD
+uQag2aCttm1uEEhUeMqIYmByR93ctN+TuwmH3Qev0u0lamG5xfzxDEBtDVB2ThyC
+9TLFXTrgR5ENmwaCkRkj1YwHdwfBmqPyoN4BBOIFYCXzvA1UIN3nCcm4FpeHXvWs
+EToL2Z1MUDCc7lfOsPNRrTBrDyqYUjOP9qlKR8F9CJfhR6eSMLc=
+=wkOB
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-EN-23:12.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-23:12.freebsd-update.asc
new file mode 100644
index 0000000000..9020f53b72
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-23:12.freebsd-update.asc
@@ -0,0 +1,142 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-23:12.freebsd-update Errata Notice
+ The FreeBSD Project
+
+Topic: freebsd-update to 14.0 fails
+
+Category: core
+Module: freebsd-update
+Announced: 2023-10-03
+Affects: All supported versions of FreeBSD.
+Corrected: 2023-10-01 16:33:03 UTC (stable/13, 13.2-STABLE)
+ 2023-10-03 21:22:19 UTC (releng/13.2, 13.2-RELEASE-p4)
+ 2023-10-01 16:35:16 UTC (stable/12, 12.4-STABLE)
+ 2023-10-03 22:15:37 UTC (releng/12.4, 12.4-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+freebsd-update provides binary updates for supported releases of FreeBSD on
+amd64, arm64, and i386.
+
+II. Problem Description
+
+freebsd-update was unable to handle the case where a file in the "old"
+version changed to a directory in the "new" version. This case occurs with
+upgrades to FreeBSD 14.0, as /usr/include/c++/v1/__string exists as a file
+in 12.4 and 13.2, and as a directory in FreeBSD 14.0.
+
+III. Impact
+
+Using freebsd-update to upgrade to FreeBSD 14.0 emits errors during install
+and results in a system with broken C++ headers.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-23:12/freebsd-update.patch
+# fetch https://security.FreeBSD.org/patches/EN-23:12/freebsd-update.patch.asc
+# gpg --verify freebsd-update.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 774cc6348a50 stable/13-n256442
+releng/13.2/ cfb624d7e250 releng/13.2-n254634
+stable/12/ r373223
+releng/12.4/ r373232
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273661>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-12:12.freebsd-update.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmUclUgACgkQbljekB8A
+Gu+9fRAArZE0IrnLNZedxplzPbqrhErZAvomp04D+FR/FGiawgSuItfYmmX7sfxG
+6MDlnfsIiumrxjWPr7btxN6tD9ouo6M1LLEz2WKRdRJfuhXsghjyP8TqSGb7DBZG
+wIThOxz5akSVGLAWF2ShRGe42bloNfSJjnYWos0bkHpKo/m8ljOMbkQU9kjvsLXR
+jV6vYvWJAkPanGJ30g4Hu1tucPUReCbnXRUJ66MzsAerQPRCYoCYx7to4ljPnwN2
+RBOKSeB+yE5ShVwOSCREcPYlsnE/ah7ayb0P4Vcskfy1CT7bN+yK8+DTfHCdICgr
+R4h0FcmSXGls7S7OmewUZYjqnJHkpE6AH3s+fennOGB3Fv06QX7xxrP3l/5jqFgc
+ffONEv0mYMDE49PnXTttXZL/trIBLWbqIO8KOGlQneOXciQYokbw4hZnyK0G64mn
+M/bszNU2gjwei5BvlcCQLs9n84TgTRhfLPJMR+QFK5bNMlZM/b5/wETYjbqZBEDX
+rjUsIuUzkLKAJr9MA4BItCGhRMjkViRJ06WcfLsSOdlNrNF7vBfGtcLbt7BiyWos
+P4VPMPVKdt3XBR5c4EAC2y4j0s+On2Ts0SMqBXwmQ5/D+gGlIdPgHLMrq8gbvN0Q
+ZF/qdH6EWIFLHAmBcWxYmqRhzmPeV3y8RrHxaPriffb6ko9KW4s=
+=SfBw
+-----END PGP SIGNATURE-----
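Review bot: The "latest revision of this advisory" URL in section VII points at FreeBSD-EN-12:12.freebsd-update.asc, but the notice title and the file path in the diff header are both FreeBSD-EN-23:12.freebsd-update. The year component should read 23. The line sits inside the PGP-signed body, so the correction requires re-signing the notice.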
diff --git a/website/static/security/advisories/FreeBSD-SA-23:12.msdosfs.asc b/website/static/security/advisories/FreeBSD-SA-23:12.msdosfs.asc
new file mode 100644
index 0000000000..4cfc8f9e08
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:12.msdosfs.asc
@@ -0,0 +1,152 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:12.msdosfs Security Advisory
+ The FreeBSD Project
+
+Topic: msdosfs data disclosure
+
+Category: core
+Module: msdosfs (FAT) file system driver
+Announced: 2023-10-03
+Credits: Maxim Suhanov
+Affects: All supported versions of FreeBSD.
+Corrected: 2023-07-18 05:46:13 UTC (stable/13, 13.2-STABLE)
+ 2023-10-03 21:23:40 UTC (releng/13.2, 13.2-RELEASE-p4)
+ 2023-09-11 18:51:21 UTC (stable/12, 12.4-STABLE)
+ 2023-10-03 22:15:40 UTC (releng/12.4, 12.4-RELEASE-p6)
+CVE Name: CVE-2023-5368
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The msdosfs driver provides read and write access to MS-DOS (FAT) file
+systems. Systems may be configured to allow unprivileged users to have
+read and write access to mounted msdosfs file systems.
+
+II. Problem Description
+
+In certain cases using the truncate or ftruncate system call to extend a
+file size populates the additional space in the file with unallocated data
+from the underlying disk device, rather than zero bytes.
+
+III. Impact
+
+A user with write access to files on a msdosfs file system may be able to
+read unintended data (for example, from a previously deleted file).
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 13.2]
+# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.13.2.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.13.2.patch.asc
+# gpg --verify msdosfs.13.2.patch.asc
+
+[FreeBSD 12.4]
+# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.12.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:12/msdosfs.12.4.patch.asc
+# gpg --verify msdosfs.12.4.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 868f3eadc5e0 stable/13-n255824
+releng/13.2/ 7d08a7e6908b releng/13.2-n254635
+stable/12/ r373207
+releng/12.4/ r373233
+- -------------------------------------------------------------------------
+
+For FreeBSD 13 and later:
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+For FreeBSD 12 and earlier:
+
+Run the following command to see which files were modified by a particular
+revision, replacing NNNNNN with the revision number:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5368>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:12.msdosfs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmUclUoACgkQbljekB8A
+Gu9CSw/9G+9cwxNruCQaEOcNGCIUdOe9itmZzVJKVtIIWqXZhq+unXRS0D2YDMdA
+EKkfGj6GYaPnFlRe7T3cfrqUFhlNMb4Na5SW0wJp8HUqhKzKB4/SNZSs+iXNQE2z
+WdhYFl582Gg2+vuoije4Z9Idl0WYPqXHXyRC7TCtSwUHDwRsU9jA6g/GNM0X+0dl
+mOzFxFSSGoORF5aJYtp91KeNwGdNwORc75k6xxMWGGDc0sba9Fbupfrjc/XQ8SaQ
+tYil3Eomh/cbYOKneppGQo9ohY+PAC1u/2XxRBxXYFCDtNLed4SGEWp4pLKjq2QM
+X8jkDooTPLwDiVaM6Cps54PmUI3YBrYKSpt3Z1SdTHWyh0hDtpAJb/1f/sPUu90D
+oWCiFI5p6oZjFNJxskZZ8T6xFgjqiII70ULfHQ3GxGhMZ0Pe5QyzmqIFGvkn0UtX
+uGechgeL+jwqnyviIFyfVTGORmbcWj60WHajUAVUbb5aF/WV5QS0XDOLhTFkeY/P
+WQjOBFAH/pf93ahUnA0NuDqAe5yX/3NEXLzMg8bnSBDJRIPRWsPfIE3lqWl0zNmD
+sdtsugBS74zTM3MUn/Lq5MdtozuvEWK6Hs60i1wuiTMT39X8oE89r5LLVgTyc0Tj
+2nML+7TKutMqWgeRvYsXBp6VtEiZd9Qc6nx8FWtSq8UMODa57C8=
+=T0YO
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-23:13.capsicum.asc b/website/static/security/advisories/FreeBSD-SA-23:13.capsicum.asc
new file mode 100644
index 0000000000..b04d6fc23d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:13.capsicum.asc
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:13.capsicum Security Advisory
+ The FreeBSD Project
+
+Topic: copy_file_range insufficient capability rights check
+
+Category: core
+Module: capsicum
+Announced: 2023-10-03
+Credits: David Chisnall
+Affects: FreeBSD 13.2
+Corrected: 2023-10-02 16:00:27 UTC (stable/13, 13.2-STABLE)
+ 2023-10-03 21:24:41 UTC (releng/13.2, 13.2-RELEASE-p4)
+CVE Name: CVE-2023-5369
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Capsicum is a lightweight OS capability and sandbox framework. It provides
+two kernel primatives, capability mode and capabilities. Capabilities limit
+operations that can be performed on file descriptors.
+
+copy_file_range is a system call that performs a kernel copy of a byte range
+from one file to another or within one file. copy_file_range accepts
+optional pointers to offsets for the input and output file descriptors.
+
+II. Problem Description
+
+The syscall checked only for the CAP_READ and CAP_WRITE capabilities on the
+input and output file descriptors, respectively. Using an offset is
+logically equivalent to seeking, and the syscall must additionally require
+the CAP_SEEK capability.
+
+III. Impact
+
+A sandboxed process with only read or write but no seek capability on a file
+descriptor may be able to read data from or write data to an arbitrary
+location within the file corresponding to that file descriptor.
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:13/capsicum.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:13/capsicum.patch.asc
+# gpg --verify capsicum.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 3f0ce63828dc stable/13-n256458
+releng/13.2/ 2d23f6c33431 releng/13.2-n254636
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://reviews.freebsd.org/D41967>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5369>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:13.capsicum.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmUclU0ACgkQbljekB8A
+Gu/a3Q//aXO1+HdImFnqAzKEto8E97DEv6vB2HUZAoxrmwSX9VNjkrIo9Z9+LRyL
+q7WXMcok1OPQCCE3ad+g05eqXwnmJ55CpToP/jEXrOOZRDInK0Z5owZbwVpmyAmW
+zF/+xoEjcw90H7ReIQQ3+TNGDf025tCoXlTQKdzWtNN6BcY3px4zuDYHPUKgMwSv
+XJDrjYWBzBede00CnlolwmsBorjvZvRMfllTIpiVTlmtD73s+sRDI7rc768MY0RZ
+gCplCL9S9EkIGL8XJhDWB2+TsG7nvwrUII5M2u0Db252IK7nmgty4l03PtYotx4p
+jH/a3oXWKeqExGHJaqNcaUwS6xdu+pvMRuJgY4mH6rd+uvOMbC5jvac3FopSlmXq
+aVIctA2LCRomyYmVDsWXIGLcBT5cAOhsqkrw+JE0kA/k2Pl6NDNK7HNgo6Fj01TR
+lVf91A1mTsDJxfymU4SWB/KGgImAnR9e7gHUo4gLZCNyYXvcnFa/ntHoswNZ+12L
+e/b4+PnHts2X4/+I4K6qdF522yzF/vpyF6UjfwAGtT6qmbmGyW9VbDcn6TIL9I3p
+IDKJCWeHPBfyspWua2hCUIi3/EwpSFvIECPad3hFT6cej1pZ6hfJt8XT0ma82QGp
+ocbh3tb3E1phSGvgZitk8J0oyWDehuck3YfZ+6nHMwzPBgmr6Lo=
+=lS69
+-----END PGP SIGNATURE-----
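Review bot: Spelling in section I (Background): "two kernel primatives" should be "primitives". The text is part of the clearsigned body, so the fix needs a fresh signature.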
diff --git a/website/static/security/advisories/FreeBSD-SA-23:14.smccc.asc b/website/static/security/advisories/FreeBSD-SA-23:14.smccc.asc
new file mode 100644
index 0000000000..f815574ae2
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-23:14.smccc.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-23:14.smccc Security Advisory
+ The FreeBSD Project
+
+Topic: arm64 boot CPUs may lack speculative execution protections
+
+Category: core
+Module: arm64
+Announced: 2023-10-03
+Affects: FreeBSD 13.2
+Corrected: 2023-09-25 12:13:47 UTC (stable/13, 13.2-STABLE)
+ 2023-10-03 21:29:11 UTC (releng/13.2, 13.2-RELEASE-p4)
+CVE Name: CVE-2023-5370
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+To mitigate speculative execution side channel attacks on some AArch64
+hardware the kernel can call into the boot firmware using the Secure Monitor
+Call Calling Convention (SMCCC) mechanism.
+
+To decide if the kernel needs to use the SMCCC mitigation on a given CPU it
+can query the firmware if the SMCCC workaround is present.
+
+II. Problem Description
+
+On CPU 0 the check for the SMCCC workaround is called before SMCCC support
+has been initialized.
+
+III. Impact
+
+No speculative execution workarounds are installed on CPU 0.
+
+IV. Workaround
+
+No workaround is available. Not all AArch64 CPUs are affected.
+
+Systems where CPU 0 has the CSV2 and PSTATE.SSBS processor
+features are unaffected by the speculative execution attacks.
+The kernel will print the following under CPU 0 on unaffected
+CPUs:
+
+Processor Features 0 = <...CVS2...>
+Processor Features 1 = <...PSTATE.SSBS...>
+
+The Arm Cortex-A35, Cortex-A53, and Cortex-A55 CPUs are
+unaffected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64, i386, or
+(on FreeBSD 13 and later) arm64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-23:14/smccc.patch
+# fetch https://security.FreeBSD.org/patches/SA-23:14/smccc.patch.asc
+# gpg --verify smccc.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected by the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 4df1447f2c76 stable/13-n256420
+releng/13.2/ 485912e051bb releng/13.2-n254637
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5370>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:14.smccc.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmUclU8ACgkQbljekB8A
+Gu8zqQ//bCjUB/hXZxypEFmnnnyUPr0Y/pzHd1i7EcIFQubd6kosUw4k2VGzwOsi
+/BwKU4W/MrUyr/wwSkjJ/lmeA+CRX2TAPWPTPC0umnN58fOXRqhKpVAi0yfho+L9
+lYUfdLWM0xS4XWsZk7DapjfN8XznLnn6iQrWmFLmZd0ViJFGkGJcxjdWr7aSs7ZX
+C8v8GoqFx6GUUdOgRERdpZ/2mxi7ibs9LbCt4PUTwKV8clAmq4w4Mv+q4xfZPSnM
+nXGrTd+t2G5ZrmEZ9Rq32C9JqGaAaQUTp/NsOw8yQq5YVBXanA12VJLx2kdoVKsj
+84e3rJz/QTpXTpgiSkVmWdT3ziZW8Zs9aygvUXyzK6C/s2ZiKd8o65dnF3MGCyJs
+Y7aNgAS51mX/fgPyXwicF/eYA1nm/1AJAK9J/eUBbsi+hu9DW5XjpiLUYAe10KKf
+9XsgJ1vTJMKXIv/UAlN0d78SfSfcGyUCbH0qk7zCzw9XfLYj+r9a7de/vnAc0qtm
+8Gh0hqbacA6dqtxrNEDC9R1Tp6inf0YYR6gP5HPjjy96FvfZCGmHk5XUmbmk4C4T
+UylvLXrO4gJiyBXhdZ3P3Mib6HdMWkLMRh095Y2revdAGMv0BrGs3G+eaMVIgNt2
+puELCPfLgJF1ljcHV8svdQcuy0Fea2R2R22cqwsT1vPuKqgmP60=
+=lOTX
+-----END PGP SIGNATURE-----
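Review bot: In section IV the sample boot output reads "Processor Features 0 = <...CVS2...>" while the sentence just above it names the feature CSV2. The two should match, otherwise an administrator searching dmesg for the sample string will conclude that an unaffected CPU is affected. As a smaller point, the section opens with "No workaround is available." and then lists unaffected hardware; that list would be easier to find under its own paragraph or next to the Affects field.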
diff --git a/website/static/security/patches/EN-23:12/freebsd-update.patch b/website/static/security/patches/EN-23:12/freebsd-update.patch
new file mode 100644
index 0000000000..c5c4f5f45a
--- /dev/null
+++ b/website/static/security/patches/EN-23:12/freebsd-update.patch
@@ -0,0 +1,17 @@
+--- usr.sbin/freebsd-update/freebsd-update.sh.orig
++++ usr.sbin/freebsd-update/freebsd-update.sh
+@@ -2905,7 +2905,13 @@
+ while read FPATH TYPE OWNER GROUP PERM FLAGS HASH LINK; do
+ case ${TYPE} in
+ d)
+- # Create a directory
++ # Create a directory. A file may change to a directory
++ # on upgrade (PR273661). If that happens, remove the
++ # file first.
++ if [ -e "${BASEDIR}/${FPATH}" ] && \
++ ! [ -d "${BASEDIR}/${FPATH}" ]; then
++ rm -f -- "${BASEDIR}/${FPATH}"
++ fi
+ install -d -o ${OWNER} -g ${GROUP} \
+ -m ${PERM} ${BASEDIR}/${FPATH}
+ ;;
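Review bot: The new guard in the d) case, [ -e "${BASEDIR}/${FPATH}" ] && ! [ -d "${BASEDIR}/${FPATH}" ], follows symbolic links, so a dangling symlink at that path fails the -e test and is left in place before install -d runs. If that case is meant to be covered, add a -L test alongside -e. Separately, the added rm -f -- line quotes the path while the unchanged install -d line below it still passes ${BASEDIR}/${FPATH} unquoted; quoting both keeps the two commands consistent when BASEDIR contains whitespace.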
diff --git a/website/static/security/patches/EN-23:12/freebsd-update.patch.asc b/website/static/security/patches/EN-23:12/freebsd-update.patch.asc
new file mode 100644
index 0000000000..2d27e72457
--- /dev/null
+++ b/website/static/security/patches/EN-23:12/freebsd-update.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmUclUkACgkQbljekB8A
+Gu82vBAAta3FgMcbU/T/c7xWQEwAGvzQRaC/T6+una4Mgv14u8ni++Nk0bSRpZZy
+A06SdazAfLVJiMLRc1beXmr393/2SpPf2Luby9ySA1hTKapFbwB5YrmRTo58HgoO
+7XxwYEkM+G1gKvta61q7suW9vX9N7q1oP8LmTIlUn8w6u1Qjr+BjyOTG8tLir4q+
+CmoBbpOXbiNNPj8W4Kqwz1dvjYk9XeVMik67mksk8bqvilgtPnCVPYA4wiul1mv2
+IGJq/26YVPuNbOOiVctIlfuWjaG+xfPjl9pq6Ld6cHf/Y0s95JPm0YmeVcfeHu34
+Otmdj860IQc3ZHZyNwPAbgRwxaq/5LxFORNSdN+1vwuqgLW2kofpAM2DgY+y9czr
+hx1AusiAfWiBFPIUBAVCInSJIVkmRtjZaoWkakUTy0SQ7H9BUeSTuGC+b6Ifj01H
+SKdvQlVATy3ttWT5darsEWJJ0ZeHWYwbH8BXTLhUL1HSaiZDAi1/6iaknh048UWF
+O3VMDOe3Cfg3IBJVpyZYvtoU/W0EM7eisStBM9ar0nXCFsAYZNiW+0/IRZtNcGmr
+iRz/dOxJjoCVHNWWcOhOWvHBKI0Ck0CxDRizu4oluYvD2n3Qp8NpwJb3Qyq7LQ8T
+XSdzb0z1nO6Xtkz32XwVXcTePMA6HAXWuvc1PM3mAHWss3xhlHU=
+=+nla
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:12/msdosfs.12.4.patch b/website/static/security/patches/SA-23:12/msdosfs.12.4.patch
new file mode 100644
index 0000000000..07232f9791
--- /dev/null
+++ b/website/static/security/patches/SA-23:12/msdosfs.12.4.patch
@@ -0,0 +1,86 @@
+--- sys/fs/msdosfs/msdosfs_denode.c.orig
++++ sys/fs/msdosfs/msdosfs_denode.c
+@@ -365,10 +365,8 @@
+ return (EINVAL);
+ }
+
+- if (dep->de_FileSize < length) {
+- vnode_pager_setsize(DETOV(dep), length);
++ if (dep->de_FileSize < length)
+ return deextend(dep, length, cred);
+- }
+
+ /*
+ * If the desired length is 0 then remember the starting cluster of
+@@ -477,13 +475,16 @@
+ deextend(struct denode *dep, u_long length, struct ucred *cred)
+ {
+ struct msdosfsmount *pmp = dep->de_pmp;
++ struct vnode *vp = DETOV(dep);
++ struct buf *bp;
++ off_t eof_clusteroff;
+ u_long count;
+ int error;
+
+ /*
+ * The root of a DOS filesystem cannot be extended.
+ */
+- if ((DETOV(dep)->v_vflag & VV_ROOT) && !FAT32(pmp))
++ if ((vp->v_vflag & VV_ROOT) != 0 && !FAT32(pmp))
+ return (EINVAL);
+
+ /*
+@@ -503,15 +504,47 @@
+ if (count > pmp->pm_freeclustercount)
+ return (ENOSPC);
+ error = extendfile(dep, count, NULL, NULL, DE_CLEAR);
+- if (error) {
+- /* truncate the added clusters away again */
+- (void) detrunc(dep, dep->de_FileSize, 0, cred);
+- return (error);
+- }
++ if (error != 0)
++ goto rewind;
+ }
++
++ /*
++ * For the case of cluster size larger than the page size, we
++ * need to ensure that the possibly dirty partial buffer at
++ * the old end of file is not filled with invalid pages by
++ * extension. Otherwise it has a contradictory state of
++ * B_CACHE | B_DELWRI but with invalid pages, and cannot be
++ * neither written out nor validated.
++ *
++ * Fix it by proactively clearing extended pages. Need to do
++ * both vfs_bio_clrbuf() to mark pages valid, and to zero
++ * actual buffer content which might exist in the tail of the
++ * already valid cluster.
++ */
++ error = bread(vp, de_cluster(pmp, dep->de_FileSize), pmp->pm_bpcluster,
++ NOCRED, &bp);
++ if (error != 0)
++ goto rewind;
++ vfs_bio_clrbuf(bp);
++ eof_clusteroff = de_cn2off(pmp, de_cluster(pmp, dep->de_FileSize));
++ vfs_bio_bzero_buf(bp, dep->de_FileSize - eof_clusteroff,
++ pmp->pm_bpcluster - dep->de_FileSize + eof_clusteroff);
++ if (!DOINGASYNC(vp))
++ (void)bwrite(bp);
++ else if (vm_page_count_severe() || buf_dirty_count_severe())
++ bawrite(bp);
++ else
++ bdwrite(bp);
++
++ vnode_pager_setsize(vp, length);
+ dep->de_FileSize = length;
+ dep->de_flag |= DE_UPDATE | DE_MODIFIED;
+- return (deupdat(dep, !DOINGASYNC(DETOV(dep))));
++ return (deupdat(dep, !DOINGASYNC(vp)));
++
++rewind:
++ /* truncate the added clusters away again */
++ (void)detrunc(dep, dep->de_FileSize, 0, cred);
++ return (error);
+ }
+
+ /*
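Review bot: In the final deextend() hunk of msdosfs.12.4.patch, the synchronous path throws away the write result with `(void)bwrite(bp);` and then falls through to vnode_pager_setsize() and `dep->de_FileSize = length`, so a failed write of the zeroed tail cluster is never reported to the caller. Consider storing the result in error and taking the new rewind path on failure, the same way the extendfile() and bread() failures do, or add a comment explaining why the error is safe to ignore at this point.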
diff --git a/website/static/security/patches/SA-23:12/msdosfs.12.4.patch.asc b/website/static/security/patches/SA-23:12/msdosfs.12.4.patch.asc
new file mode 100644
index 0000000000..c112ba1cf7
--- /dev/null
+++ b/website/static/security/patches/SA-23:12/msdosfs.12.4.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmUclUsACgkQbljekB8A
+Gu9MVA//eFP/Ak5QSSTRlWlwrP9kAF1+Gce8Kx1rYfrvGfSIv8VfI/1Ppe3UPZn1
+zepSumcgCDWDRaezcn0lMqcII5X6bdF88k7Gb+dmuOB9nsm54cM7O62391N8eJ3Q
+mn86RzmUU6kHQ1LoaqMB59cgMxgCx9qSBvM/+rNs2Xujo/PUWNfjQRIYe30wyg54
+aTtIM+zeIf4ZRWIo4xwsmy7KoLsVQvVS4UYd7303VpDyxw+nhbupMAUcapKkE9nn
+WEraYT3Z/zxAbuOk1PHjAEr6Q6b9ReiVexuZRSIfxt1jy7jzZLpdOaZ7NTsMXOYW
+j3aCGxf8tSsRGNxA7PXpcmTEwOvq7igzBGkbVBG25Ww0y7v5JxZ8NUBFy0ih4pNE
+6soAR9/mSbu1AYBPc5KpKYfnJFjKWza+5aixufFRuU+th2TH0LiMNZH4OgyQmnp3
+351tbDm3cykj2sLeVhfoeGNeoc+ebAJR7YDawoD6ql/OIi2TUXaTS0Bb8kywC31g
+fh9aWzg2omzVNuFTawExWaHFWI0yzMgCgupv6QYSfOhCHV0eqFFuWfsiXKW1Yvrk
+24Gfn2kXt3HH3I4qUpoTRkQ/nbPjNdglhTOuHZ7ZUvaOMybXeRCrZWqLHIfrWsd3
+TKTYTXDERGHF6gago87NdlIjwukLHWfCCZYQ4bEumVWgToVjVYQ=
+=oKB1
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-23:12/msdosfs.13.2.patch b/website/static/security/patches/SA-23:12/msdosfs.13.2.patch
new file mode 100644
index 0000000000..1e66928461
--- /dev/null
+++ b/website/static/security/patches/SA-23:12/msdosfs.13.2.patch
@@ -0,0 +1,86 @@
+--- sys/fs/msdosfs/msdosfs_denode.c.orig
++++ sys/fs/msdosfs/msdosfs_denode.c
+@@ -384,10 +384,8 @@
+ return (EINVAL);
+ }
+
+- if (dep->de_FileSize < length) {
+- vnode_pager_setsize(DETOV(dep), length);
++ if (dep->de_FileSize < length)
+ return (deextend(dep, length, cred));
+- }
+
+ /*
+ * If the desired length is 0 then remember the starting cluster of
+@@ -496,13 +494,16 @@
+ deextend(struct denode *dep, u_long length, struct ucred *cred)
+ {
+ struct msdosfsmount *pmp = dep->de_pmp;
++ struct vnode *vp = DETOV(dep);
++ struct buf *bp;
++ off_t eof_clusteroff;
+ u_long count;
+ int error;
+
+ /*
+ * The root of a DOS filesystem cannot be extended.
+ */
+- if ((DETOV(dep)->v_vflag & VV_ROOT) && !FAT32(pmp))
++ if ((vp->v_vflag & VV_ROOT) != 0 && !FAT32(pmp))
+ return (EINVAL);
+
+ /*
+@@ -522,15 +523,47 @@
+ if (count > pmp->pm_freeclustercount)
+ return (ENOSPC);
+ error = extendfile(dep, count, NULL, NULL, DE_CLEAR);
+- if (error) {
+- /* truncate the added clusters away again */
+- (void) detrunc(dep, dep->de_FileSize, 0, cred);
+- return (error);
+- }
++ if (error != 0)
++ goto rewind;
+ }
++
++ /*
++ * For the case of cluster size larger than the page size, we
++ * need to ensure that the possibly dirty partial buffer at
++ * the old end of file is not filled with invalid pages by
++ * extension. Otherwise it has a contradictory state of
++ * B_CACHE | B_DELWRI but with invalid pages, and cannot be
++ * neither written out nor validated.
++ *
++ * Fix it by proactively clearing extended pages. Need to do
++ * both vfs_bio_clrbuf() to mark pages valid, and to zero
++ * actual buffer content which might exist in the tail of the
++ * already valid cluster.
++ */
++ error = bread(vp, de_cluster(pmp, dep->de_FileSize), pmp->pm_bpcluster,
++ NOCRED, &bp);
++ if (error != 0)
++ goto rewind;
++ vfs_bio_clrbuf(bp);
++ eof_clusteroff = de_cn2off(pmp, de_cluster(pmp, dep->de_FileSize));
++ vfs_bio_bzero_buf(bp, dep->de_FileSize - eof_clusteroff,
++ pmp->pm_bpcluster - dep->de_FileSize + eof_clusteroff);
++ if (!DOINGASYNC(vp))
++ (void)bwrite(bp);
++ else if (vm_page_count_severe() || buf_dirty_count_severe())
++ bawrite(bp);
++ else
++ bdwrite(bp);
++
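Review bot: The block comment added above the bread() call in the deextend() hunk of msdosfs.13.2.patch needs a wording fix and a scope fix. "cannot be neither written out nor validated" is a double negative and should read "can be neither written out nor validated". The comment also opens with "For the case of cluster size larger than the page size", but the bread(), vfs_bio_clrbuf() and vfs_bio_bzero_buf() sequence that follows is not guarded by any cluster-size check, so it runs on every extension. Either state in the comment that the clearing is done unconditionally and why that is acceptable, or add the condition the comment implies.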
*** 220 LINES SKIPPED ***