svn commit: r47162 - in head/share: security/advisories security/patches/SA-15:18 security/patches/SA-15:19 xml

Xin LI delphij at FreeBSD.org
Wed Aug 5 22:18:34 UTC 2015


Author: delphij
Date: Wed Aug  5 22:18:29 2015
New Revision: 47162
URL: https://svnweb.freebsd.org/changeset/doc/47162

Log:
  Add SA-15:18 and SA-15:19.

Added:
  head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-15:19.routed.asc   (contents, props changed)
  head/share/security/patches/SA-15:18/
  head/share/security/patches/SA-15:18/bsdpatch.patch   (contents, props changed)
  head/share/security/patches/SA-15:18/bsdpatch.patch.asc   (contents, props changed)
  head/share/security/patches/SA-15:19/
  head/share/security/patches/SA-15:19/routed.patch   (contents, props changed)
  head/share/security/patches/SA-15:19/routed.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc	Wed Aug  5 22:18:29 2015	(r47162)
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:18.bsdpatch                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          shell injection vulnerability in patch(1)
+
+Category:       contrib
+Module:         patch
+Announced:      2015-08-05
+Credits:        Martin Natano
+Affects:        FreeBSD 10.x.
+Corrected:      2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
+                2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
+                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
+                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
+                2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
+CVE Name:       CVE-2015-1418
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The patch(1) utility takes a patch file produced by the diff(1) program and
+apply the differences to an original file, producing a patched version.
+
+The patch(1) utility supports patches that uses ed(1) script format, as
+required by the POSIX.1-2008 standard.
+
+ed(1) is a line-oriented text editor.
+
+II.  Problem Description
+
+Due to insufficient sanitization of the input patch stream, it is possible
+for a patch file to cause patch(1) to pass certain ed(1) scripts to the
+ed(1) editor, which would run commands.
+
+III. Impact
+
+This issue could be exploited to execute arbitrary commands as the user
+invoking patch(1) against a specically crafted patch file, which could be
+leveraged to obtain elevated privileges.
+
+IV.  Workaround
+
+No workaround is available, but systems where a privileged user does not
+make use of patches without proper validation are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+A reboot is not required after updating.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is not required after updating.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch.asc
+# gpg --verify bsdpatch.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r286348
+releng/10.1/                                                      r286351
+releng/10.2/                                                      r286350
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1418>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:18.bsdpatch.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=iR0L
+-----END PGP SIGNATURE-----
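
Review bot: section V, step 3, has the reader run patch(1) as root on a downloaded file, and patch(1) is the utility this advisory reports as vulnerable. Step a) says only to "verify the detached PGP signature" and does not say to stop if `gpg --verify bsdpatch.patch.asc` fails. Suggest stating explicitly that step b) must not be run unless verification succeeds. Smaller points in the same file: "specically crafted" in section III should read "specially crafted", and in section I "apply the differences" and "patches that uses" need subject-verb agreement. Because the text is clearsigned, these need fixing before signing rather than after.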

Added: head/share/security/advisories/FreeBSD-SA-15:19.routed.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:19.routed.asc	Wed Aug  5 22:18:29 2015	(r47162)
@@ -0,0 +1,164 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:19.routed                                     Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          routed(8) remote denial of service vulnerability
+
+Category:       core
+Module:         routed
+Announced:      2015-08-05
+Credits:        Hiroki Sato
+Affects:        All supported versions of FreeBSD.
+Corrected:      2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
+                2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
+                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
+                2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
+                2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
+                2015-08-05 22:05:07 UTC (stable/9, 9.3-STABLE)
+                2015-08-05 22:05:24 UTC (releng/9.3, 9.3-RELEASE-p22)
+CVE Name:       CVE-2015-5674
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The routing information protocol (RIP) is an older routing protocol
+which, while not as capable as more recent protocols such as OSPF and
+BGP, is sometimes preferred for its simplicity and therefore still
+used as an interior gateway protocol on smaller networks.
+
+Routers in a RIP network periodically broadcast their routing table on
+all enabled interfaces.  Neighboring routers and hosts receive these
+broadcasts and update their routing tables accordingly.
+
+The routed(8) daemon is a RIP implementation for FreeBSD.  The
+rtquery(8) utility can be used to send a RIP query to a router and
+display the result without updating the routing table.
+
+II.  Problem Description
+
+The input path in routed(8) will accept queries from any source and
+attempt to answer them.  However, the output path assumes that the
+destination address for the response is on a directly connected
+network.
+
+III. Impact
+
+Upon receipt of a query from a source which is not on a directly
+connected network, routed(8) will trigger an assertion and terminate.
+The affected system's routing table will no longer be updated.  If the
+affected system is a router, its routes will eventually expire from
+other routers' routing tables, and its networks will no longer be
+reachable unless they are also connected to another router.
+
+IV.  Workaround
+
+Note that this problem does not affect a system on which routed(8)
+is not enabled.  The routed(8) daemon is not enabled by default.
+
+Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP
+packets with destination port 520 that did not originate on the same
+subnet as the destination address.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The routed service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The routed service has to be restarted after the update.  A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch
+# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch.asc
+# gpg --verify routed.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/routed.patch
+
+c) Recompile routed.  Execute the following commands as root:
+
+# cd /usr/src/sbin/routed
+# make && make install
+
+Restart the routed daemon, or reboot the system.
+
+To restart the affected service after updating the system, either
+reboot the system or execute the following command as root:
+
+# service routed restart
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r286349
+releng/9.3/                                                       r286352
+stable/10/                                                        r286348
+releng/10.1/                                                      r286351
+releng/10.2/                                                      r286350
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5674>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-15:19.routed.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAEBCgAGBQJVwoplAAoJEO1n7NZdz2rnMFAP/3HWG6FrFxM3jgMcK7a5+nKP
+O6BqVXpFdia0UUN5JlcEZXc89957mXdMXCDqNeTj3CeDc0p9GbPX1zV/vlYoOqhM
+eIPwgERbMRFnDRaWm2ClG+aatJvdpeDEioNy8b8tmKq94JcpXIJnwX8dhY3WrMwj
+Mc3QBGT08XLImHqNw6d6/0wavFeOZ/3g1ZoloAktsgA9KhTUOai6dUhIbIJzk6gh
+0oa4NRkhzRNmUKyHOS6HDrghhQ/kZGtE8joVBxLBljK0Thi0mIZtn3UFGsNAgAWw
+7WGAiTN2o8c48IUJosmiGsJ7rV1wCFt5zXrZVCcnq6dr60He16Z2Zwif2tugiTvm
+5x9lDbTEnYOTxM38Ya5gMtMf733YgAtoRCkf3ROsnwXukJYVsJXms7Ej4NihoKMd
+aYOLDItl+AXUGIyQ44GuUm2955wo9Fb5RlkDSCLAvdgnkPk+k0puLp0MR0B2MOAI
+tdKNecRNg0fDR5gJbfdzdjVhsGBZXdYlxo4VjXUXDSZJ+8+jkAg2LA9DTRKIfbgX
+BX5GiOhkhIivFlgvSePv0LRuIbgt0H1cxiJdk6OqNS5gROuqwo7wwUnaig8KVKOI
+887gfpf7PepYD4xWTo3nAoEcGM0rBwUyq1X3pbx9OJADcqRvOhxfMcHFcCv75uxa
+OISkQhkWdZUv6ls76rRu
+=p5Rl
+-----END PGP SIGNATURE-----
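
Review bot: the fetch commands in section V, step 3a, use http://security.FreeBSD.org/ for both routed.patch and routed.patch.asc, and the "latest revision" link in section VII is also http, while the equivalent lines in FreeBSD-SA-15:18.bsdpatch.asc in this same commit use https. Suggest https throughout so the two advisories are consistent and the download does not depend on the signature check alone. Also, "Restart the routed daemon, or reboot the system." after step c) is repeated by the paragraph that follows it ("To restart the affected service after updating the system, either reboot the system or execute ..."); one of the two can go. As the advisory is clearsigned, any change has to be made before signing.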

Added: head/share/security/patches/SA-15:18/bsdpatch.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:18/bsdpatch.patch	Wed Aug  5 22:18:29 2015	(r47162)
@@ -0,0 +1,57 @@
+Index: usr.bin/patch/pathnames.h
+===================================================================
+--- usr.bin/patch/pathnames.h	(revision 286254)
++++ usr.bin/patch/pathnames.h	(working copy)
+@@ -9,4 +9,4 @@
+ 
+ #include <paths.h>
+ 
+-#define	_PATH_ED		"/bin/ed"
++#define	_PATH_RED		"/bin/red"
+Index: usr.bin/patch/pch.c
+===================================================================
+--- usr.bin/patch/pch.c	(revision 286254)
++++ usr.bin/patch/pch.c	(working copy)
+@@ -1,4 +1,3 @@
+-
+ /*-
+  * Copyright 1986, Larry Wall
+  * 
+@@ -1409,6 +1408,7 @@ do_ed_script(void)
+ 	char	*t;
+ 	off_t	beginning_of_this_line;
+ 	FILE	*pipefp = NULL;
++	int	continuation;
+ 
+ 	if (!skip_rest_of_patch) {
+ 		if (copy_file(filearg[0], TMPOUTNAME) < 0) {
+@@ -1415,7 +1415,7 @@ do_ed_script(void)
+ 			unlink(TMPOUTNAME);
+ 			fatal("can't create temp file %s", TMPOUTNAME);
+ 		}
+-		snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
++		snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
+ 		    verbose ? " " : " -s ", TMPOUTNAME);
+ 		pipefp = popen(buf, "w");
+ 	}
+@@ -1433,7 +1433,19 @@ do_ed_script(void)
+ 		    (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) {
+ 			if (pipefp != NULL)
+ 				fputs(buf, pipefp);
+-			if (*t != 'd') {
++			if (*t == 's') {
++				for (;;) {
++					continuation = 0;
++					t = strchr(buf, '\0') - 1;
++					while (--t >= buf && *t == '\\')
++						continuation = !continuation;
++					if (!continuation ||
++					    pgets(true) == 0)
++						break;
++					if (pipefp != NULL)
++						fputs(buf, pipefp);
++				}
++			} else if (*t != 'd') {
+ 				while (pgets(true)) {
+ 					p_input_line++;
+ 					if (pipefp != NULL)

Added: head/share/security/patches/SA-15:18/bsdpatch.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:18/bsdpatch.patch.asc	Wed Aug  5 22:18:29 2015	(r47162)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+
+iQIcBAABCgAGBQJVwoqMAAoJEO1n7NZdz2rnGmIP/2c1n/1iGLa0zLO1GHMP7Fuu
+RCjmhJs2EWNnItUevHAf8kv5fYw9re3Dmn+zRPAEQw2ElmaEl7RIbT4ciG33n+ax
+nn2CaqaRbwHmVtCQhvWAy0Rb8DOl0zvdw2eJxj4UxqTrXex7IDIZgdKJX5JtkY/A
+W8w5ZB5x/7f6lcVUv85wUiBCYKCdrUFyfxwxeqUuCZ1fXhX5Y/7eDEZW7OmAox3R
+6y87nwucjaisnctSeMSL8xRsIPW2P9wsIHxWm/8ixWsC7rdhRIBqtIpLTBO+jZEI
+W87nUUL082nFKp3bvMHnCc2gtwhBu0VzFpCEAXD/ggotOXvMDx+d0td0BFnRcmZZ
+xly4bED85SGz6RbS06eDB3ZG0aOzRzpm7PNRrzR/YDkbbadOprVJvMWav1iCurvJ
+rf3ABrgt4Vb8aN5reAwmUjmDesNy6CP5u9UimFEUF+fWrwFvLiGkTl6NkHTCBP34
+HWAX4FpeeJbvt0yYJS+8+nv2qns0myd+UQjc9OjOMDTcw1DX9RoBBTe+K3JQlslx
+uZwek6v/ahT2yblN92x2Di8ayEwQlRsPkKAKKFYtfwO6hRrQtYkPDwNSZ+MnQF1v
+LbO2L1d3TZWGjdPnS4AvFLTQd+ckSFAldMsF46nB7Nf45RYV3f9lnb0COk0UPvYI
+U3gKJ20S8tAF+VO7hZZV
+=DXel
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-15:19/routed.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:19/routed.patch	Wed Aug  5 22:18:29 2015	(r47162)
@@ -0,0 +1,17 @@
+Index: sbin/routed/input.c
+===================================================================
+--- sbin/routed/input.c	(revision 286262)
++++ sbin/routed/input.c	(working copy)
+@@ -160,6 +160,12 @@ input(struct sockaddr_in *from,		/* received from
+ 
+ 	trace_rip("Recv", "from", from, sifp, rip, cc);
+ 
++	if (sifp == 0) {
++		trace_pkt("    discard a request from an indirect router"
++		    " (possibly an attack)");
++		return;
++	}
++
+ 	if (rip->rip_vers == 0) {
+ 		msglim(&bad_router, FROM_NADDR,
+ 		       "RIP version 0, cmd %d, packet received from %s",
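
Review bot: the new discard in input() is reported only through `trace_pkt(...)` with a fixed string that does not include the sender, while the check immediately after it reports through `msglim(&bad_router, FROM_NADDR, ...)` with the source address. Since the message itself says "possibly an attack", suggest logging it the same rate-limited way with the `from` address so an operator can see who sent it. Two smaller points: `sifp == 0` compares a pointer with 0 and would read better as `sifp == NULL`, and the check sits before any inspection of the RIP command, so it drops every packet with no source interface, not only requests as the message text says; either the wording or a one-line comment should make that explicit.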

Added: head/share/security/patches/SA-15:19/routed.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-15:19/routed.patch.asc	Wed Aug  5 22:18:29 2015	(r47162)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=wxDr
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Wed Aug  5 14:17:16 2015	(r47161)
+++ head/share/xml/advisories.xml	Wed Aug  5 22:18:29 2015	(r47162)
@@ -8,6 +8,22 @@
     <name>2015</name>
 
     <month>
+      <name>8</name>
+
+      <day>
+        <name>5</name>
+
+        <advisory>
+          <name>FreeBSD-SA-15:19.routed</name>
+        </advisory>
+
+        <advisory>
+          <name>FreeBSD-SA-15:18.bsdpatch</name>
+        </advisory>
+      </day>
+    </month>
+
+    <month>
       <name>7</name>
 
       <day>

