git: a612fa54ab - main - Add EN-25:09 through EN-25:11 and SA-25:06.

From: Gordon Tetlow <gordon_at_FreeBSD.org>
Date: Wed, 02 Jul 2025 18:43:50 UTC
The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=a612fa54abb9b14eec99e07f45bf00b2b400f9a0

commit a612fa54abb9b14eec99e07f45bf00b2b400f9a0
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2025-07-02 18:43:22 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2025-07-02 18:43:22 +0000

    Add EN-25:09 through EN-25:11 and SA-25:06.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |   4 +
 website/data/security/errata.toml                  |  12 ++
 .../security/advisories/FreeBSD-EN-25:09.libc.asc  | 140 ++++++++++++++++
 .../security/advisories/FreeBSD-EN-25:10.zfs.asc   | 145 ++++++++++++++++
 .../security/advisories/FreeBSD-EN-25:11.ena.asc   | 155 ++++++++++++++++++
 .../security/advisories/FreeBSD-SA-25:06.xz.asc    | 136 +++++++++++++++
 .../static/security/patches/EN-25:09/libc.patch    |  93 +++++++++++
 .../security/patches/EN-25:09/libc.patch.asc       |  16 ++
 website/static/security/patches/EN-25:10/zfs.patch |  22 +++
 .../static/security/patches/EN-25:10/zfs.patch.asc |  16 ++
 website/static/security/patches/EN-25:11/ena.patch |  66 ++++++++
 .../static/security/patches/EN-25:11/ena.patch.asc |  16 ++
 website/static/security/patches/SA-25:06/xz.patch  | 182 +++++++++++++++++++++
 .../static/security/patches/SA-25:06/xz.patch.asc  |  16 ++
 14 files changed, 1019 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index fb54b5d5e6..103be4c068 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,10 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-25:06.xz"
+date = "2025-07-02"
+
 [[advisories]]
 name = "FreeBSD-SA-25:05.openssh"
 date = "2025-02-21"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index bd86e232cc..c58cf02825 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,18 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-25:11.ena"
+date = "2025-07-02"
+
+[[notices]]
+name = "FreeBSD-EN-25:10.zfs"
+date = "2025-07-02"
+
+[[notices]]
+name = "FreeBSD-EN-25:09.libc"
+date = "2025-07-02"
+
 [[notices]]
 name = "FreeBSD-EN-25:08.caroot"
 date = "2025-04-10"
diff --git a/website/static/security/advisories/FreeBSD-EN-25:09.libc.asc b/website/static/security/advisories/FreeBSD-EN-25:09.libc.asc
new file mode 100644
index 0000000000..5153f41871
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:09.libc.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:09.libc                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Dynamically-loaded C++ libraries crashing at exit
+
+Category:       core
+Module:         libc
+Announced:      2025-07-02
+Affects:        FreeBSD 13.5 and FreeBSD 14.2
+Corrected:      2025-04-17 01:01:36 UTC (stable/14, 14.2-STABLE)
+                2025-07-02 18:28:08 UTC (releng/14.2, 14.2-RELEASE-p4)
+                2025-04-17 01:02:12 UTC (stable/13, 13.5-STABLE)
+                2025-07-02 18:28:28 UTC (releng/13.5, 13.5-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+In C++, global objects' destructors are called at unload or exit time.
+Global objects may be created either as objects in a global scope, or as
+objects in a function scope declared with the `static` keyword.
+
+II.  Problem Description
+
+Object destructors can create further global objects through the second
+mechanism described above, function-scoped objects with the `static` keyword.
+
+Creation of these objects adds more destructors that should be called at
+unload or exit time while the application is already in the middle of
+processing those destructors in reverse order from when they're added.  As a
+result, these newly added destructors are not called at unload time when the
+C++ library has been loaded dynamically via dlopen() and subsequently
+unloaded with dlclose().
+
+III. Impact
+
+The destructors that are not called at unload time are later attempted to be
+called when the program exits, which may result in a crash as the library's
+code has already been unmapped from the program's address space.
+
+IV.  Workaround
+
+No workaround is available.  C++ libraries that do not create more objects in
+destructors are not affected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and restart any affected
+services, or reboot the system.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:09/libc.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:09/libc.patch.asc
+# gpg --verify libc.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              c43ae65b4b89    stable/14-n271080
+releng/14.2/                            89a2823e17e5  releng/14.2-n269525
+stable/13/                              04f7496f89e2    stable/13-n259249
+releng/13.5/                            f936833911d7  releng/13.5-n259167
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285870>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:09.libc.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=VsbO
+-----END PGP SIGNATURE-----
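Review bot: The binary-update procedure in section V step 1 ends at "# freebsd-update install" with no restart step, while the Solution paragraph and step 2c both say to restart daemons that use the library or reboot. Add the same restart instruction after the freebsd-update commands so that readers following only step 1 do not keep running processes with the old libc mapped. The Impact sentence "are later attempted to be called" would also read better in the active voice, for example "the program later attempts to call them at exit".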
diff --git a/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc b/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc
new file mode 100644
index 0000000000..61bd74761c
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:10.zfs.asc
@@ -0,0 +1,145 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:10.zfs                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Corruption in ZFS replication streams from encrypted datasets
+
+Category:       contrib
+Module:         zfs
+Announced:      2025-07-02
+Credits:        Klara, Inc.
+Affects:        All supported versions of FreeBSD.
+Corrected:      2025-06-21 22:05:40 UTC (stable/14, 14.3-STABLE)
+                2025-07-02 18:27:44 UTC (releng/14.3, 14.3-RELEASE-p1)
+                2025-07-02 18:28:09 UTC (releng/14.2, 14.2-RELEASE-p4)
+                2025-06-27 20:07:48 UTC (stable/13, 13.5-STABLE)
+                2025-07-02 18:28:29 UTC (releng/13.5, 13.5-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+ZFS is an advanced and scalable file system originally developed by Sun
+Microsystems for its Solaris operating system. ZFS was integrated as part of
+the FreeBSD starting with FreeBSD 7.0, and it has since become a prominent
+and preferred choice for storage management.
+
+II.  Problem Description
+
+ZFS has built-in replication and backup functionality, which serializes a
+filesystem for transport to another system, known as "ZFS send".  ZFS send
+also supports incremental updates between a pair of snapshots.  When sending
+an encrypted dataset, the dataset can either be left encrypted for
+transit/receipt (raw mode), or decrypted.  During a decrypting (normal) send,
+a bug in the code caused some metadata (key mappings) in the snapshots to be
+decrypted in memory, but not properly released.  As a result, the key mappings
+used for decryption were not freed from the in-memory table.
+
+III. Impact
+
+The leaked mappings can cause two problems.  The first is that they can result
+in spurious checksum errors when they are incorrectly used to access data
+later.  In the second case, in order to export a pool, ZFS requires that all
+the mappings be freed.  These leaked mappings were never cleaned up, resulting
+in any attempt to export the pool causing the command to hang.
+
+IV.  Workaround
+
+No workaround is available.  Systems not using ZFS, or not using ZFS native
+encryption are unaffected.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.  A reboot is required following the
+upgrade.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# reboot
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:10/zfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:10/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              6abe6a8a0d54    stable/14-n271756
+releng/14.3/                            cb24a62cd75b  releng/14.3-n271433
+releng/14.2/                            c5feebf38389  releng/14.2-n269526
+stable/13/                              eae830109571    stable/13-n259318
+releng/13.5/                            4d9c4ecf6a48  releng/13.5-n259168
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://github.com/openzfs/zfs/pull/17340>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:10.zfs.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=rdcw
+-----END PGP SIGNATURE-----
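Review bot: The Topic line says "Corruption in ZFS replication streams from encrypted datasets", but sections II and III describe leaked key mappings that cause spurious checksum errors on later access and a hang on pool export, and never say the send stream itself is corrupted. Either reword the Topic to match the described impact or add a sentence to the Impact section stating how the stream is affected. Two smaller points: in the Background, "integrated as part of the FreeBSD starting with" has a stray "the", and in section V the line ending "A reboot is required following the" is wrapped wider than the rest of the notice.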
diff --git a/website/static/security/advisories/FreeBSD-EN-25:11.ena.asc b/website/static/security/advisories/FreeBSD-EN-25:11.ena.asc
new file mode 100644
index 0000000000..5ff789182e
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-25:11.ena.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-25:11.ena                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          ena resets and kernel panic on Nitro v4 or newer instances
+
+Category:       core
+Module:         ena
+Announced:      2025-07-02
+Credits:        Arthur Kiyanovski
+Affects:        FreeBSD 13.5 and FreeBSD 14.2
+Corrected:      2025-05-01 17:56:11 UTC (stable/14, 14.3-STABLE)
+                2025-07-02 18:28:12 UTC (releng/14.2, 14.2-RELEASE-p4)
+                2025-05-01 18:15:18 UTC (stable/13, 13.5-STABLE)
+                2025-07-02 18:28:31 UTC (releng/13.5, 13.5-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ena(4) driver is used to access the Elastic Network Adapter network
+interface on recent Amazon Elastic Compute Cloud (EC2) instances.  It is
+designed to make full use of the EC2 cloud architecture for optimal network
+performance.
+
+ENA Express is a feature that allows increased bandwidth and reduced latency
+in the AWS cloud.  For optimal performance of the ENA Express feature, it is
+necessary to reduce LLQ width to 128.
+
+AWS instances that use Nitro card v4 or newer have a maximum tx burst size
+when sending tx packets.  The driver is responsible to adhere to this maximum
+burst size by sending a doorbell to the device with no more than this burst
+size packets.  If the burst size is exceeded a device reset happens.
+
+Since driver 2.8.0 it is possible to change the width of the tx queue LLQ
+(Low Latency Queues) entries. There are 2 possible widths: 128 and 256 bytes.
+The default is 256, however in some cases, i.e. when using the ENA Express
+feature, it is recommended to use a width of 128.
+
+II.  Problem Description
+
+When running on instances that have a max tx burst size and the ENA device
+supports 256-byte wide LLQ entries, if 128-byte wide entries are selected,
+either by setting hw.ena.force_large_llq_header = 0 via sysctl or by turning
+on ENA Express for the interface, the ena(4) driver does not initialize a
+stack variable which is later used to setup the maximum tx burst size.
+
+III. Impact
+
+Due to the uninitialized stack variable, the ena(4) driver will exceed the
+maximum tx burst size, leading to device resets, making the device unusable.
+
+Additionally, the calculation of the tx burst size includes division by the
+uninitialized stack variable. If the stack variable is 0, this will cause
+division by 0 in the kernel, leading to a kernel panic.
+
+IV.  Workaround
+
+It is possible to force the LLQ width to 256 by setting
+hw.ena.force_large_llq_header=1 via sysctl, however this causes peformance
+degredation when using the ENA Express feature.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for erratum update"
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-25:11/ena.patch
+# fetch https://security.FreeBSD.org/patches/EN-25:11/ena.patch.asc
+# gpg --verify ena.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              3f4a674a8ee4    stable/14-n271320
+releng/14.2/                            ca1f7650a80d  releng/14.2-n269528
+stable/13/                              162b5bbb4048    stable/13-n259268
+releng/13.5/                            575644144d5c  releng/13.5-n259170
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ena-express.html>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:11.ena.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=nJXg
+-----END PGP SIGNATURE-----
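Review bot: Section IV contains two spelling errors, "peformance" and "degredation", which cannot be corrected after the notice is signed without issuing a revision; fix them before publishing. The sysctl is also written two ways, "hw.ena.force_large_llq_header = 0" in section II and "hw.ena.force_large_llq_header=1" in section IV; use the form without spaces in both places so that it can be pasted as is. In the Background, "i.e. when using the ENA Express feature" introduces an example, so "e.g." is the right abbreviation, and "setup the maximum tx burst size" in section II should be "set up".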
diff --git a/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc b/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc
new file mode 100644
index 0000000000..d7a8a32d1d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-25:06.xz                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Use-after-free in multi-threaded xz decoder
+
+Category:       contrib
+Module:         xz
+Announced:      2025-07-02
+Affects:        FreeBSD 13.5 and FreeBSD 14.2
+Corrected:      2025-05-07 21:26:00 UTC (stable/14, 14.2-STABLE)
+                2025-07-02 18:28:13 UTC (releng/14.2, 14.2-RELEASE-p4)
+                2025-05-07 21:25:59 UTC (stable/13, 13.4-STABLE)
+                2025-07-02 18:28:32 UTC (releng/13.5, 13.5-RELEASE-p2)
+CVE Name:       CVE-2025-31115
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+XZ Utils is a set of free software command-line lossless data compressors,
+including the programs lzma and xz.
+
+II.  Problem Description
+
+A worker thread could free its input buffer after decoding, while the
+main thread might still be writing to it. This leads to an use-after-free
+condition on heap memory.
+
+III. Impact
+
+An attacker may use specifically crafted .xz file to cause multi-threaded
+xz decoder to crash, or potentially run arbitrary code under the credential
+the decoder was executed.
+
+IV.  Workaround
+
+No workaround is available, but systems where xz decoding was not used in
+multi-threaded mode are not affected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+Unless the decoder is running as a daemon, no reboot is required.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-25:06/xz.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:06/xz.patch.asc
+# gpg --verify xz.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the liblzma library, or reboot the system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/14/                              5cf27a49a2de    stable/14-n271423
+releng/14.2/                            49b07b94662b  releng/14.2-n269529
+stable/13/                              346bb5d3fe19    stable/13-n259281
+releng/13.5/                            95e9c54b3961  releng/13.5-n259171
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31115>
+
+<URL:https://tukaani.org/xz/threaded-decoder-early-free.html>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:06.xz.asc>
+-----BEGIN PGP SIGNATURE-----
+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+=TZId
+-----END PGP SIGNATURE-----
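Review bot: The Corrected block labels the stable/13 fix as "13.4-STABLE", while the Affects line names FreeBSD 13.5 and the three errata notices added in this same commit label stable/13 as "13.5-STABLE"; this looks like a stale value and should be checked before the advisory is signed. Section V also contradicts itself: the Solution paragraph says "Unless the decoder is running as a daemon, no reboot is required", yet binary-update step 1 ends with a shutdown -r command. Drop the reboot line or replace it with the restart guidance used in step 2c. Minor wording: "an use-after-free" should be "a use-after-free", and "under the credential the decoder was executed" is missing "with which" or similar.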
diff --git a/website/static/security/patches/EN-25:09/libc.patch b/website/static/security/patches/EN-25:09/libc.patch
new file mode 100644
index 0000000000..2a5687affd
--- /dev/null
+++ b/website/static/security/patches/EN-25:09/libc.patch
@@ -0,0 +1,93 @@
+--- lib/libc/stdlib/atexit.c.orig
++++ lib/libc/stdlib/atexit.c
+@@ -38,6 +38,7 @@
+ #include "namespace.h"
+ #include <errno.h>
+ #include <link.h>
++#include <stdbool.h>
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+@@ -59,6 +60,8 @@
+ #define	ATEXIT_FN_CXA	2
+ 
+ static pthread_mutex_t atexit_mutex = PTHREAD_MUTEX_INITIALIZER;
++static void *current_finalize_dso = NULL;
++static bool call_finalize_again = false;
+ 
+ #define _MUTEX_LOCK(x)		if (__isthreaded) _pthread_mutex_lock(x)
+ #define _MUTEX_UNLOCK(x)	if (__isthreaded) _pthread_mutex_unlock(x)
+@@ -118,6 +121,9 @@
+ 		__atexit = p;
+ 	}
+ 	p->fns[p->ind++] = *fptr;
++	if (current_finalize_dso != NULL &&
++	    current_finalize_dso == fptr->fn_dso)
++		call_finalize_again = true;
+ 	_MUTEX_UNLOCK(&atexit_mutex);
+ 	return 0;
+ }
+@@ -211,33 +217,38 @@
+ 	}
+ 
+ 	_MUTEX_LOCK(&atexit_mutex);
+-	for (p = __atexit; p; p = p->next) {
+-		for (n = p->ind; --n >= 0;) {
+-			if (p->fns[n].fn_type == ATEXIT_FN_EMPTY)
+-				continue; /* already been called */
+-			fn = p->fns[n];
+-			if (dso != NULL && dso != fn.fn_dso) {
+-				/* wrong DSO ? */
+-				if (!has_phdr || global_exit ||
+-				    !__elf_phdr_match_addr(&phdr_info,
+-				    fn.fn_ptr.cxa_func))
+-					continue;
++	current_finalize_dso = dso;
++	do {
++		call_finalize_again = false;
++		for (p = __atexit; p; p = p->next) {
++			for (n = p->ind; --n >= 0;) {
++				if (p->fns[n].fn_type == ATEXIT_FN_EMPTY)
++					continue; /* already been called */
++				fn = p->fns[n];
++				if (dso != NULL && dso != fn.fn_dso) {
++					/* wrong DSO ? */
++					if (!has_phdr || global_exit ||
++					    !__elf_phdr_match_addr(&phdr_info,
++					    fn.fn_ptr.cxa_func))
++						continue;
++				}
++				/*
++				  Mark entry to indicate that this particular
++				  handler has already been called.
++				*/
++				p->fns[n].fn_type = ATEXIT_FN_EMPTY;
++				_MUTEX_UNLOCK(&atexit_mutex);
++
++				/* Call the function of correct type. */
++				if (fn.fn_type == ATEXIT_FN_CXA)
++					fn.fn_ptr.cxa_func(fn.fn_arg);
++				else if (fn.fn_type == ATEXIT_FN_STD)
++					fn.fn_ptr.std_func();
++				_MUTEX_LOCK(&atexit_mutex);
+ 			}
+-			/*
+-			  Mark entry to indicate that this particular handler
+-			  has already been called.
+-			*/
+-			p->fns[n].fn_type = ATEXIT_FN_EMPTY;
+-		        _MUTEX_UNLOCK(&atexit_mutex);
+-		
+-			/* Call the function of correct type. */
+-			if (fn.fn_type == ATEXIT_FN_CXA)
+-				fn.fn_ptr.cxa_func(fn.fn_arg);
+-			else if (fn.fn_type == ATEXIT_FN_STD)
+-				fn.fn_ptr.std_func();
+-			_MUTEX_LOCK(&atexit_mutex);
+ 		}
+-	}
++	} while (call_finalize_again);
++	current_finalize_dso = NULL;
+ 	_MUTEX_UNLOCK(&atexit_mutex);
+ 	if (dso == NULL)
+ 		_MUTEX_DESTROY(&atexit_mutex);
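Review bot: current_finalize_dso and call_finalize_again are single file-scope statics, but the finalize loop drops atexit_mutex around every handler call, so two threads finalizing different DSOs at the same time can overwrite each other's state. The second caller's "current_finalize_dso = dso;" replaces the first caller's value, and whichever finishes first runs "current_finalize_dso = NULL;", after which registrations made by the other caller's destructors no longer set call_finalize_again and are skipped as before the fix. Consider keeping this state per call, or documenting why concurrent finalization cannot happen here. Two related questions on the registration hunk: the test compares only "current_finalize_dso == fptr->fn_dso", whereas the loop also accepts handlers through __elf_phdr_match_addr(), so a handler matched only by address would not trigger a rescan; and the "current_finalize_dso != NULL" guard means the dso == NULL (process exit) path never rescans, which deserves a comment saying whether that is intended.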
diff --git a/website/static/security/patches/EN-25:09/libc.patch.asc b/website/static/security/patches/EN-25:09/libc.patch.asc
new file mode 100644
index 0000000000..e4ccc67b7f
--- /dev/null
+++ b/website/static/security/patches/EN-25:09/libc.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=ktxu
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:10/zfs.patch b/website/static/security/patches/EN-25:10/zfs.patch
new file mode 100644
index 0000000000..1125c937b9
--- /dev/null
+++ b/website/static/security/patches/EN-25:10/zfs.patch
@@ -0,0 +1,22 @@
+--- sys/contrib/openzfs/module/zfs/dmu_send.c.orig
++++ sys/contrib/openzfs/module/zfs/dmu_send.c
+@@ -2676,8 +2676,8 @@
+ 	}
+ 
+ 	if (fromsnap != 0) {
+-		err = dsl_dataset_hold_obj_flags(dspp.dp, fromsnap, dsflags,
+-		    FTAG, &fromds);
++		err = dsl_dataset_hold_obj(dspp.dp, fromsnap, FTAG, &fromds);
++
+ 		if (err != 0) {
+ 			dsl_dataset_rele_flags(dspp.to_ds, dsflags, FTAG);
+ 			dsl_pool_rele(dspp.dp, FTAG);
+@@ -2729,7 +2729,7 @@
+ 		kmem_free(dspp.fromredactsnaps,
+ 		    dspp.numfromredactsnaps * sizeof (uint64_t));
+ 
+-	dsl_dataset_rele(dspp.to_ds, FTAG);
++	dsl_dataset_rele_flags(dspp.to_ds, dsflags, FTAG);
+ 	return (err);
+ }
+ 
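Review bot: The first hunk now holds fromds with dsl_dataset_hold_obj() and no dsflags, but the matching release of fromds is not in either hunk, so it is not possible to confirm from this patch that it is released with plain dsl_dataset_rele() rather than a flags variant. Please verify that pairing, since the second hunk shows the opposite mismatch being fixed for dspp.to_ds (dsl_dataset_rele changed to dsl_dataset_rele_flags with dsflags). A short comment at the hold site explaining why fromds is deliberately taken without dsflags would stop someone from restoring the symmetric-looking call later. The added blank line after the new dsl_dataset_hold_obj() call, directly before "if (err != 0) {", separates the call from its error check and can be dropped.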
diff --git a/website/static/security/patches/EN-25:10/zfs.patch.asc b/website/static/security/patches/EN-25:10/zfs.patch.asc
new file mode 100644
index 0000000000..76df7de385
--- /dev/null
+++ b/website/static/security/patches/EN-25:10/zfs.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmhlfSQACgkQbljekB8A
+Gu/6Gg/+MnOh5EePCKIEHRjqbpOq+q+tLPuH+Mm66rs2bEnInVRRSeDi6jBX8sld
+mMgLTprKQnDw4UK4JsTJGYNnr09U3dPF/laiXxr//vw6HYZdv2e1pOtLKOq8xLZr
+Vuk6tQX0IprR7DQTVh88jKSeiYjU34tiS9mUT523dZP5Zcwd1vOdmOAnib8x3XE8
+d2e0zKOuMLYHDHokqP5Mh7unyuapjPuRptF6mcdOLxvQ4xGTmwCvalTViDMCzY0X
+DBDD32QDNeDcDf4SgZRHA0+MI3bqp5bcFjpR63Ox/TwUO9sscB3cfA6MCMEVx1nU
+mk3dQEVGBTPjhHixfXq/PBjA4Jim9CboLNJdxiZfDStGaB8HkD24/Ran/FK1eASc
+TjaBvNuRJcaIPKijkzCDP07290iWdWUgBNpxd94lHmoCpHEzJOuh4MTgRLX7xlD8
+uYv9hXX9MPA+AekDs0msCUQHz55jnzG7NExkAiFnMuNe0HyHyEhYr0HMYwK/sBxO
+kbUZ9nL75mYrnxsAl31GmKHbURwWUkLOVk6aJE00qC+CNk/XpIq0gN/235E/6qAu
+C3d8YXuj50bHRZZH8db2sGfGz25KqK//0gbQdU/zSt27XVSd7mZSFEu9aSRHst+s
+LKiP67gRX60FaoP+VTgBUFYl8/TAr7gpyV/qMA90c3iOlzhq4M0=
+=xDJw
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-25:11/ena.patch b/website/static/security/patches/EN-25:11/ena.patch
new file mode 100644
index 0000000000..818b244777
--- /dev/null
+++ b/website/static/security/patches/EN-25:11/ena.patch
@@ -0,0 +1,66 @@
+--- sys/dev/ena/ena.c.orig
++++ sys/dev/ena/ena.c
+@@ -2759,22 +2759,41 @@
+ ena_set_llq_configurations(struct ena_llq_configurations *llq_config,
+     struct ena_admin_feature_llq_desc *llq, struct ena_adapter *adapter)
+ {
++	bool use_large_llq;
++
+ 	llq_config->llq_header_location = ENA_ADMIN_INLINE_HEADER;
+ 	llq_config->llq_stride_ctrl = ENA_ADMIN_MULTIPLE_DESCS_PER_ENTRY;
+ 	llq_config->llq_num_decs_before_header =
+ 	    ENA_ADMIN_LLQ_NUM_DESCS_BEFORE_HEADER_2;
+-	if ((llq->entry_size_ctrl_supported & ENA_ADMIN_LIST_ENTRY_SIZE_256B) != 0) {
+-		if ((ena_force_large_llq_header == ENA_LLQ_HEADER_SIZE_POLICY_LARGE) ||
+-		    (ena_force_large_llq_header == ENA_LLQ_HEADER_SIZE_POLICY_DEFAULT &&
+-		    llq->entry_size_recommended == ENA_ADMIN_LIST_ENTRY_SIZE_256B)) {
+-			llq_config->llq_ring_entry_size =
+-			    ENA_ADMIN_LIST_ENTRY_SIZE_256B;
+-			llq_config->llq_ring_entry_size_value = 256;
+-			adapter->llq_policy = ENA_ADMIN_LIST_ENTRY_SIZE_256B;
+-		}
++
++	switch (ena_force_large_llq_header)
++	{
++	case ENA_LLQ_HEADER_SIZE_POLICY_REGULAR:
++		use_large_llq = false;
++		break;
++	case ENA_LLQ_HEADER_SIZE_POLICY_LARGE:
++		use_large_llq = true;
++		break;
++	case ENA_LLQ_HEADER_SIZE_POLICY_DEFAULT:
++		use_large_llq =
++		    (llq->entry_size_recommended == ENA_ADMIN_LIST_ENTRY_SIZE_256B);
++		break;
++	default:
++		use_large_llq = false;
++		ena_log(adapter->pdev, WARN,
++		    "force_large_llq_header should have values [0-2]\n");
++		break;
++	}
++
++	if (!(llq->entry_size_ctrl_supported & ENA_ADMIN_LIST_ENTRY_SIZE_256B))
++		use_large_llq = false;
++
++	if (use_large_llq) {
++		llq_config->llq_ring_entry_size = ENA_ADMIN_LIST_ENTRY_SIZE_256B;
++		llq_config->llq_ring_entry_size_value = 256;
++		adapter->llq_policy = ENA_ADMIN_LIST_ENTRY_SIZE_256B;
+ 	} else {
+-		llq_config->llq_ring_entry_size =
+-		    ENA_ADMIN_LIST_ENTRY_SIZE_128B;
++		llq_config->llq_ring_entry_size = ENA_ADMIN_LIST_ENTRY_SIZE_128B;
+ 		llq_config->llq_ring_entry_size_value = 128;
+ 		adapter->llq_policy = ENA_ADMIN_LIST_ENTRY_SIZE_128B;
+ 	}
+--- sys/dev/ena/ena.h.orig
++++ sys/dev/ena/ena.h
+@@ -39,7 +39,7 @@
+ 
+ #define ENA_DRV_MODULE_VER_MAJOR	2
+ #define ENA_DRV_MODULE_VER_MINOR	8
+-#define ENA_DRV_MODULE_VER_SUBMINOR	0
++#define ENA_DRV_MODULE_VER_SUBMINOR	1
+ 
+ #define ENA_DRV_MODULE_NAME		"ena"
+ 
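Review bot: The default: arm of the new switch forces use_large_llq = false for an out-of-range tunable, which silently selects 128-byte entries even when the device recommends 256; falling through to the ENA_LLQ_HEADER_SIZE_POLICY_DEFAULT behaviour (follow llq->entry_size_recommended) would be the less surprising choice for an invalid setting. The warning text "force_large_llq_header should have values [0-2]" also does not print the value that was rejected, which makes it harder to diagnose from a log. On style, the opening brace of "switch (ena_force_large_llq_header)" sits on its own line while "if (use_large_llq) {" a few lines below keeps it on the same line; the switch should match.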
diff --git a/website/static/security/patches/EN-25:11/ena.patch.asc b/website/static/security/patches/EN-25:11/ena.patch.asc
new file mode 100644
index 0000000000..765b9038aa
--- /dev/null
+++ b/website/static/security/patches/EN-25:11/ena.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=MVMj
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-25:06/xz.patch b/website/static/security/patches/SA-25:06/xz.patch
new file mode 100644
index 0000000000..9cad7b0f76
--- /dev/null
+++ b/website/static/security/patches/SA-25:06/xz.patch
@@ -0,0 +1,182 @@
+--- contrib/xz/src/liblzma/common/stream_decoder_mt.c.orig
++++ contrib/xz/src/liblzma/common/stream_decoder_mt.c
+@@ -23,15 +23,10 @@
+ 	THR_IDLE,
+ 
+ 	/// Decoding is in progress.
+-	/// Main thread may change this to THR_STOP or THR_EXIT.
++	/// Main thread may change this to THR_IDLE or THR_EXIT.
+ 	/// The worker thread may change this to THR_IDLE.
+ 	THR_RUN,
+ 
+-	/// The main thread wants the thread to stop whatever it was doing
+-	/// but not exit. Main thread may change this to THR_EXIT.
+-	/// The worker thread may change this to THR_IDLE.
+-	THR_STOP,
+-
+ 	/// The main thread wants the thread to exit.
+ 	THR_EXIT,
+ 
+@@ -346,27 +341,6 @@
+ }
+ 
+ 
+-/// Things do to at THR_STOP or when finishing a Block.
+-/// This is called with thr->mutex locked.
+-static void
+-worker_stop(struct worker_thread *thr)
+-{
+-	// Update memory usage counters.
+-	thr->coder->mem_in_use -= thr->in_size;
+-	thr->in_size = 0; // thr->in was freed above.
+-
+-	thr->coder->mem_in_use -= thr->mem_filters;
+-	thr->coder->mem_cached += thr->mem_filters;
+-
+-	// Put this thread to the stack of free threads.
+-	thr->next = thr->coder->threads_free;
+-	thr->coder->threads_free = thr;
+-
+-	mythread_cond_signal(&thr->coder->cond);
+-	return;
+-}
+-
+-
+ static MYTHREAD_RET_TYPE
+ worker_decoder(void *thr_ptr)
+ {
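Review bot: The updated THR_RUN comment now lets the main thread move a running worker straight to THR_IDLE, but it does not say under which lock that transition is made or how the worker notices it, and the removed worker_stop() was the only place in the visible lines that documented "This is called with thr->mutex locked". Since this state handoff is the subject of the advisory, state the locking rule in the enum comment itself. The remaining 157 lines are skipped in this mail, so where the mem_in_use and mem_cached accounting and the threads_free push from worker_stop() moved to cannot be reviewed here.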
*** 157 LINES SKIPPED ***