From nobody Tue Jan 11 19:39:32 2022 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 6FF9C193A7F4 for ; Tue, 11 Jan 2022 19:39:33 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JYLcP12TBz3Hy5; Tue, 11 Jan 2022 19:39:33 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1641929973; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=vzwUHMg+ghT+od1reDVF6Lh2hgeLsqN/vpwJRYrKKcM=; b=Ky+swI0eWo0TDYWyvUOrAbW1SwDIdleoaACnr7LtBlR12WAf34TcPlvOipOxZdiMOC5cO7 orOYyXe79ZijtKHaJKdieJ+q/eA/88u/9r/gRo+v4q9XMq9afM3ViwWnnnIwjL4/KZroxy doxJ9ISv1bU5JIdj0cxhPEt2TO3sz8/PLyA19+wpQHQoXzM2HUhZMOGSrNqddspRUIgEKh kPbnpjwfq7R0OYjGE6oyyVXDr0GsA0Haov/G0SSf85Y2L3UrLD5ps356FjVybZH0ECA/N3 ruvHT7nBIhpg315uWIEj4/anEYq6FOdxE48A1+c9wZIEjxG47gQhPSPFq7CJow== Received: by freefall.freebsd.org (Postfix, from userid 945) id EFD081D6F3; Tue, 11 Jan 2022 19:39:32 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-22:06.libalias Reply-To: freebsd-stable@freebsd.org Precedence: bulk Approved: BingGo! Message-Id: <20220111193932.EFD081D6F3@freefall.freebsd.org> Date: Tue, 11 Jan 2022 19:39:32 +0000 (UTC) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1641929973; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=vzwUHMg+ghT+od1reDVF6Lh2hgeLsqN/vpwJRYrKKcM=; b=ADwiPJUIBxRRvq1JtHFeJ+cUEBIuFwhr9x/t2wFo2jITsBK7PKUstFJng0h01Y86pJ6/U6 0Kd5EzXwzek4+tcrCNYH0JbcIrlzEKQUtAIchPl+LiCD4UaVo00b/6c1zWBHuLZXCZFV5r BfvlF2RbAvm4imTYjbUecxswDzBrt+bzhM/IoOjyUXvD+RTznA4mtHRZHo86DDfJZzWbx0 ZNdlLJLKAPX/CUMOPF+K2s5HP2gONpzYNopnbSh0SqW5QzljU/cIr9Fd/PRJkdtZyzMG24 6sTypbUbD7g865bSzKfOeQI226FXzOaWyCEyda/6kmO+mhkK8H6A9sDVIMEBsw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1641929973; a=rsa-sha256; cv=none; b=CtHNGA4Mi11G4TNtsgSu/aoXu1iGb9sDdb5nAesFzJZD3pV5sbgJPSXGCHieKrgcgQ4TYQ r7tuiONN7VC/T/CLAF8wYrS8nsWe0gCqnviQRCWzgb2CtVyTEZEUvTz1C/VEHI3WOJCazm wfGnnqbJt3mH2pOuh4xa3SBR4sUaMKwyuNRLxjXs53mFketCIIF8Sgs8cC9vGZrh/CNhjY j0JfGBhQBmy1Ern4bt18TryDBVklif61OF0Yd0ZSXTfP++yZ4VWfu9Ywrm2XcugyfQjFO7 RlgBJBGAv03BOTpOg3CyF8Liv8tDnJG3ViRekvLOY5FOEnAdm17PU9bOjhyg5Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-announce@freebsd.org X-BeenThere: freebsd-announce@freebsd.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-22:06.libalias Errata Notice The FreeBSD Project Topic: Incorrect fragmented IPv4 packet handling in libalias Category: core Module: libalias Announced: 2022-01-11 Affects: All supported versions of FreeBSD. Corrected: 2022-01-09 22:04:56 UTC (stable/13, 13.0-STABLE) 2022-01-11 18:15:02 UTC (releng/13.0, 13.0-RELEASE-p6) 2022-01-09 23:06:52 UTC (stable/12, 12.3-STABLE) 2022-01-11 18:19:32 UTC (releng/12.3, 12.3-RELEASE-p1) Note: This errata notice does not update FreeBSD 12.2. FreeBSD 12.2 users affected by this update should upgrade to FreeBSD 12.3. For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The libalias(3) library is a collection of functions for aliasing and dealiasing of IPv4 packets, intended for masquerading and network address translation (NAT). Additionally, libalias(3) includes modules to support protocols that require additional logic to support address translation. libalias(3) is used by several FreeBSD networking components: ng_nat(4), ipfw(4) and natd(8). II. Problem Description The patch committed for SA-20:12.libalias introduced additional validation of TCP, UDP and ICMP protocol headers. This validation failed to take into account the possibility of IP packet fragmentation, and could cause libalias(3) to return the PKT_ALIAS_IGNORED status code for the first fragment of a packet, rather than applying aliasing rules. III. Impact Depending on the configuration of the consumer, this bug may cause fragmented packets to be dropped, or may cause further processing of fragments without aliasing rules applied. For example, if the NG_NAT_DENY_INCOMING flag is set on an ng_nat(4) node, fragments will be unconditionally dropped. Similarly, if the "deny_in" flag is set for an ipfw(4) NAT rule, fragments will be unconditionally dropped. IV. Workaround No workaround is available. Only systems using NAT via ng_nat(4), ipfw(4) NAT rules, or natd(8) are affected. Systems leveraging pf(4) or ipf(4) to perform NAT are not affected. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for an errata update" 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 13.0] # fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.13.patch # fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.13.patch.asc # gpg --verify libalias.13.patch.asc [FreeBSD 12.3] # fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.12.patch # fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.12.patch.asc # gpg --verify libalias.12.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/13/ ec746e619578 stable/13-n248913 releng/13.0/ 4378aee9f82f releng/13.0-n244772 stable/12/ r371477 releng/12.3/ r371486 - ------------------------------------------------------------------------- For FreeBSD 13 and later: Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD For FreeBSD 12 and earlier: Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f4ACgkQ05eS9J6n 5cLW2xAAjuMj68hzBt5aSxuRliu4wT+NdXMq/M5VWH9kHSZw2HrMfQuDY25ecwWE VAkeQoIAV/+Uz8OrVKBBqlTgxZyFxmM8a2pNBURPSeY508o7X5h8HMHECaUndqMJ dXfa2YgpUm36RQZfaKCGbBCIXUj4V+fmSFkoq87U0EXexrCim6m5tzMoBsWV7Eob KWbZObwR2PrvYSoHvdbPNWrGF/6CDu/38x9TBxPU+sT3dVa4qJyUD3D/7hhe3Onb VscwvebHNKZwaxxEJJma4xbUcOXJpOUVA/JRjphkzeX5B1Fgix1N4ae8C3ATXiZT H9OhB+AU/EtTU5rbcWjEiNckIh/icGV9lkEuqX4AXKmQHeYJEVCctY+IgcZfppzq MpY1OuDhjObvQtyuBv6up0EN/Lv2AAN8sooXIwwy00DX6ISnjtynP81huCpHLRE9 3xntY/y1JHDlNN5tFOBc+z3YNYRo5ha36UXuhi5IQvxGeN5gonW+cK3BUluK3U+Q 9ibXXaHPZ6V1nowksU1A72RGR2B+axYb7KrNzg+20I/rmjl0t2ZBtULMq1WWks/w nLGY/Wb0uaK7GUiUte8l4ggm0oISGIa0ICCV3OogBeaytsWB0fi2atKJxvMuMvPT XXj+zrqPw33nMu9mf0ClWQwiXWD8AKi3kFgfi6o9aC5zWd1LlCY= =qTdA -----END PGP SIGNATURE-----