Re: FreeBSD Security Advisory FreeBSD-SA-22:01.vt

From: Gordon Tetlow <gordon_at_tetlows.org>
Date: Fri, 14 Jan 2022 00:23:23 UTC
Sorry for the delay in sending this to the security mailing list.
Since the mailing list change over, we've had a few hiccups on
delivery to the lists and with this email, we should hopefully be back
to a state where we consistently deliver. Again, apologies for the
weirdness, but I believe we have ironed out all the wrinkles and will
be in a better spot going forward. Thanks to the postmaster team for
the work in getting this all sorted.

Gordon
Hat: security-officer

On Thu, Jan 13, 2022 at 4:19 PM FreeBSD Security Advisories
<security-advisories@freebsd.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-22:01.vt                                         Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          vt console buffer overflow
>
> Category:       kernel
> Module:         vt
> Announced:      2022-01-11
> Credits:        Oleg Bulyzhin
> Affects:        FreeBSD 12.2 and FreeBSD 13.0
> Corrected:      2021-09-22 18:41:00 UTC (stable/13, 13.0-STABLE)
>                 2022-01-11 18:15:03 UTC (releng/13.0, 13.0-RELEASE-p6)
>                 2021-09-25 18:15:49 UTC (stable/12, 12.2-STABLE)
>                 2022-01-11 18:33:21 UTC (releng/12.2, 12.2-RELEASE-p12)
> CVE Name:       CVE-2021-29632
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> FreeBSD's system console is provided by the vt(4) virtual terminal console
> driver.
>
> II.  Problem Description
>
> Under certain conditions involving use of the highlight buffer while
> text is scrolling on the console, console data may overwrite data
> structures associated with the system console or other kernel memory.
>
> III. Impact
>
> Users with access to the system console may be able to cause system
> misbehaviour.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date,
> and reboot.
>
> Perform one of the following:
>
> 1) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64, i386, or
> (on FreeBSD 13 and later) arm64 platforms can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch
> # fetch https://security.FreeBSD.org/patches/SA-22:01/vt.patch.asc
> # gpg --verify vt.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI.  Correction details
>
> This issue is corrected by the corresponding Git commit hash or Subversion
> revision number in the following stable and release branches:
>
> Branch/path                             Hash                     Revision
> - -------------------------------------------------------------------------
> stable/13/                              9352de39c3dc    stable/13-n247428
> releng/13.0/                            3e0a1e124169  releng/13.0-n244773
> stable/12/                                                        r370674
> releng/12.2/                                                      r371491
> - -------------------------------------------------------------------------
>
> For FreeBSD 13 and later:
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> For FreeBSD 12 and earlier:
>
> Run the following command to see which files were modified by a particular
> revision, replacing NNNNNN with the revision number:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29632>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:01.vt.asc>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f4ACgkQ05eS9J6n
> 5cIgEBAAkXpnKSElsT96dj4RYWJLkqB4+OBkGoOGrsZj8zd5Ei85oohhL38xiYAE
> jQpSwblgYCqmOxRL4hGgKN6fBPMnc/zXCdZhJzAfgkKXsn4eY5mObN1jus7owsmC
> RnFNOLSr1VVJZs8H1RAeAjJT2I6DF0oLb/f1u3ik+bPFJ8Y4hvPEliSH7rpzVBq7
> hpmiH1HxAArVwtJ15N+7u6vNUce57dWSh4NzPHLduzMRpatPKVqtkC7UJIvqisxl
> bQTK46MYo454SgbZjRPistwnV9NFKjuKy5Rh38/FURbnBxg8w2HVkabidMy5lJyU
> geSOvV4wc2LraRdSvJHZlNXu1BJKnPpTpsl6XNr8ePzAl9rRPjZKo8cEBMmTlqK0
> KdMeKsf1OfspA/8L6mCpg4NDeOoHktCrICWTi4/E6nGX/e1hZrCXKcxf0KYbhcfO
> xNvrYtKkCtCbEnbzZbW6rjY/RAmRwwMNngVw2FWRuSWU6BCmfKZndUXFO7aghj6Q
> JKISfctwtcHWn/QzI2BN9pNWZlzAJ8BfxR+/bV6VJNuRILOhrvgjnUzpies1xv7z
> GRN9JlpxzqihhlX8JED7jDOm99YflEG0Ep7Cr1OYXLDVx1xxh8dQLCOwl5qjnKgd
> ELae8IKnUn5pI1Og44AsjY9xWOvxxz28luwFxsbYf+3UMo6M4eE=
> =hcWy
> -----END PGP SIGNATURE-----
>