svn commit: r54498 - in head/share: security/advisories security/patches/SA-20:27 security/patches/SA-20:28 security/patches/SA-20:29 security/patches/SA-20:30 xml

Gordon Tetlow gordon at FreeBSD.org
Tue Sep 15 22:00:11 UTC 2020


Author: gordon (src committer)
Date: Tue Sep 15 22:00:07 2020
New Revision: 54498
URL: https://svnweb.freebsd.org/changeset/doc/54498

Log:
  Add SA-20:27 to SA-20:30.
  
  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-SA-20:27.ure.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-20:30.ftpd.asc   (contents, props changed)
  head/share/security/patches/SA-20:27/
  head/share/security/patches/SA-20:27/ure.11.patch   (contents, props changed)
  head/share/security/patches/SA-20:27/ure.11.patch.asc   (contents, props changed)
  head/share/security/patches/SA-20:27/ure.12.patch   (contents, props changed)
  head/share/security/patches/SA-20:27/ure.12.patch.asc   (contents, props changed)
  head/share/security/patches/SA-20:28/
  head/share/security/patches/SA-20:28/bhyve_vmcs.patch   (contents, props changed)
  head/share/security/patches/SA-20:28/bhyve_vmcs.patch.asc   (contents, props changed)
  head/share/security/patches/SA-20:29/
  head/share/security/patches/SA-20:29/bhyve_svm.patch   (contents, props changed)
  head/share/security/patches/SA-20:29/bhyve_svm.patch.asc   (contents, props changed)
  head/share/security/patches/SA-20:30/
  head/share/security/patches/SA-20:30/ftpd.patch   (contents, props changed)
  head/share/security/patches/SA-20:30/ftpd.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-20:27.ure.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:27.ure.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,149 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:27.ure                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ure device driver susceptible to packet-in-packet attack
+
+Category:       core
+Module:         ure
+Announced:      2020-09-15
+Credits:        John-Mark Gurney
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-09-14 19:39:43 UTC (stable/12, 12.2-STABLE)
+                2020-09-15 21:42:05 UTC (releng/12.2, 12.2-BETA1-p1)
+                2020-09-15 21:42:05 UTC (releng/12.1, 12.1-RELEASE-p10)
+                2020-09-15 00:22:30 UTC (stable/11, 11.4-STABLE)
+                2020-09-15 21:42:05 UTC (releng/11.4, 11.4-RELEASE-p4)
+                2020-09-15 21:42:05 UTC (releng/11.3, 11.3-RELEASE-p14)
+CVE Name:       CVE-2020-7464
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ure(4) driver provides support for USB Ethernet adapters based on the
+Realtek RTL8152 and RTL8153 USB Ethernet controllers.
+
+II.  Problem Description
+
+A programming error in the ure(4) device driver caused some Realtek USB
+Ethernet interfaces to incorrectly report packets with more than 2048 bytes
+in a single USB transfer as having a length of only 2048 bytes.
+
+An adversary can exploit this to cause the driver to misinterpret part of the
+payload of a large packet as a separate packet, and thereby inject packets
+across security boundaries such as VLANs.
+
+III. Impact
+
+An attacker that can send large frames (larger than 2048 bytes in size) to be
+received by the host (be it VLAN, or non-VLAN tagged packet), can inject
+arbitrary packets to be received and processed by the host.  This includes
+spoofing packets from other hosts, or injecting packets to other VLANs than
+the host is on.
+
+IV.  Workaround
+
+No workaround is available.  However, an attacker needs to be able to inject
+large frames.  If a switch can prevent large frames (>2048 bytes) from being
+received, or connecting the machine to a switch that does not forward large
+frames will mitigate this attack.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 12.1, FreeBSD 12.2]
+# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.12.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.12.patch.asc
+# gpg --verify ure.12.patch.asc
+
+[FreeBSD 11.3, FreeBSD 11.4]
+# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.11.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.11.patch.asc
+# gpg --verify ure.11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r365730
+releng/12.2/                                                      r365778
+releng/12.1/                                                      r365778
+stable/11/                                                        r365738
+releng/11.4/                                                      r365778
+releng/11.3/                                                      r365778
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7464>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:27.ure.asc>
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
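Review bot: Section IV (Workaround) has a broken sentence: "If a switch can prevent large frames (>2048 bytes) from being received, or connecting the machine to a switch that does not forward large frames will mitigate this attack." The "If" clause never gets a main clause. Suggest something like "Configuring the switch to drop frames larger than 2048 bytes, or connecting the machine to a switch that does not forward such frames, mitigates this attack." Section II also gives the 2048-byte limit per "single USB transfer" while section III gives it per frame; stating once which size an operator should cap at the switch would remove the ambiguity.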

Added: head/share/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,137 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:28.bhyve_vmcs                                 Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bhyve privilege escalation via VMCS access
+
+Category:       core
+Module:         bhyve
+Announced:      2020-09-15
+Credits:        Patrick Mooney
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-09-15 21:28:47 UTC (stable/12, 12.2-STABLE)
+                2020-09-15 21:43:41 UTC (releng/12.2, 12.2-BETA1-p1)
+                2020-09-15 21:43:41 UTC (releng/12.1, 12.1-RELEASE-p10)
+                2020-09-15 21:28:47 UTC (stable/11, 11.4-STABLE)
+                2020-09-15 21:43:41 UTC (releng/11.4, 11.4-RELEASE-p4)
+                2020-09-15 21:43:41 UTC (releng/11.3, 11.3-RELEASE-p14)
+CVE Name:       CVE-2020-24718
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines on AMD and Intel CPUs.
+
+II.  Problem Description
+
+AMD and Intel CPUs support hardware virtualization using specialized data
+structures that control various aspects of guest operation.  These are the
+Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual
+Machine Control Block (VMCB) on AMD CPUs.  Insufficient access controls allow
+root users, including those running in a jail, to change these data
+structures.
+
+III. Impact
+
+An attacker with host root access (including to a jailed bhyve instance) can
+use this vulnerability to achieve kernel code execution.
+
+IV.  Workaround
+
+No workaround is available.  This issue is likely of concern only to systems
+relying on running bhyve in jail(8) for security domain separation.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:28/bhyve_vmcs.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:28/bhyve_vmcs.patch.asc
+# gpg --verify bhyve_vmcs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r365777
+releng/12.2/                                                      r365779
+releng/12.1/                                                      r365779
+stable/11/                                                        r365777
+releng/11.4/                                                      r365779
+releng/11.3/                                                      r365779
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24718>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc>
+-----BEGIN PGP SIGNATURE-----
+
+-----END PGP SIGNATURE-----
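Review bot: The Topic line, "bhyve privilege escalation via VMCS access", and the file name bhyve_vmcs name only the Intel structure, while section II says the same insufficient access control applies to the VMCB on AMD CPUs. Suggest "via VMCS/VMCB access" in the Topic so AMD operators scanning the advisory index do not skip it. Section IV could also say explicitly that hosts not running bhyve are unaffected, as the SA-20:29 advisory in this commit does.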

Added: head/share/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:29.bhyve_svm                                  Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          bhyve SVM guest escape
+
+Category:       core
+Module:         bhyve
+Announced:      2020-09-15
+Credits:        Maxime Villard
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-09-15 20:25:30 UTC (stable/12, 12.2-STABLE)
+                2020-09-15 21:46:39 UTC (releng/12.2, 12.2-BETA1-p1)
+                2020-09-15 21:46:39 UTC (releng/12.1, 12.1-RELEASE-p10)
+                2020-09-15 20:26:31 UTC (stable/11, 11.4-STABLE)
+                2020-09-15 21:46:39 UTC (releng/11.4, 11.4-RELEASE-p4)
+                2020-09-15 21:46:39 UTC (releng/11.3, 11.3-RELEASE-p14)
+CVE Name:       CVE-2020-7467
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+bhyve(8) is a hypervisor that supports running a variety of guest operating
+systems in virtual machines on AMD and Intel CPUs.  AMD and Intel provide
+broadly similar virtualization interfaces, but each provides its own specific
+instructions for manipulating virtual machine state.
+
+II.  Problem Description
+
+A number of AMD virtualization instructions operate on host physical
+addresses, are not subject to nested page table translation, and guest use of
+these instructions was not trapped.
+
+III. Impact
+
+- From kernel mode a malicious guest can write to arbitrary host memory (with
+some constraints), affording the guest full control of the host.
+
+IV.  Workaround
+
+No workaround is available.  Systems not using bhyve, and systems that
+use bhyve with an Intel CPU, are not vulnerable.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:29/bhyve_svm.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:29/bhyve_svm.patch.asc
+# gpg --verify bhyve_svm.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r365767
+releng/12.2/                                                      r365780
+releng/12.1/                                                      r365780
+stable/11/                                                        r365769
+releng/11.4/                                                      r365780
+releng/11.3/                                                      r365780
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7467>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:29.bhyve_svm.asc>
+-----BEGIN PGP SIGNATURE-----
+
+-----END PGP SIGNATURE-----
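Review bot: Section II says only "A number of AMD virtualization instructions" and never names them, although the bhyve_svm.patch added in this same commit adds intercepts for VMLOAD, VMSAVE, STGI, CLGI and SKINIT. Listing the instructions in the Problem Description would let readers match the advisory to the fix. The "Affects" field also reads "All supported versions of FreeBSD" without the AMD-only qualification that appears later in section IV; a short "(AMD CPUs only)" there would help triage.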

Added: head/share/security/advisories/FreeBSD-SA-20:30.ftpd.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-20:30.ftpd.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:30.ftpd                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          ftpd privilege escalation via ftpchroot feature
+
+Category:       core
+Module:         ftpd
+Announced:      2020-09-15
+Credits:        Anonymous working with Trend Micro Zero Day Initiative
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-09-15 20:55:13 UTC (stable/12, 12.2-STABLE)
+                2020-09-15 21:47:44 UTC (releng/12.2, 12.2-BETA1-p1)
+                2020-09-15 21:47:44 UTC (releng/12.1, 12.1-RELEASE-p10)
+                2020-09-15 20:56:14 UTC (stable/11, 11.4-STABLE)
+                2020-09-15 21:47:44 UTC (releng/11.4, 11.4-RELEASE-p4)
+                2020-09-15 21:47:44 UTC (releng/11.3, 11.3-RELEASE-p14)
+CVE Name:       CVE-2020-7468
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+ftpd(8) is a daemon that implements an FTP server.  To restrict
+filesystem access of authenticated clients, ftpd(8) supports the
+ftpchroot(5) feature, which allows the system administrator to designate
+a root directory for each FTP user.  This is implemented using the
+chroot(2) system call.
+
+II.  Problem Description
+
+A ftpd(8) bug in the implementation of the file system sandbox, combined
+with capabilities available to an authenticated FTP user, can be used to
+escape the file system restriction configured in ftpchroot(5).
+Moreover, the bug allows a malicious client to gain root privileges.
+
+III. Impact
+
+A malicious FTP user can gain privileged access to an affected system.
+
+IV.  Workaround
+
+No workaround is available.  Systems not running ftpd(8) or not making
+use of ftpchroot(5) are not affected.  Exploitation of the bug requires
+that a malicious FTP client have login access to the server.  Anonymous
+access is not sufficient.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart the applicable daemons, or reboot the system.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:30/ftpd.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:30/ftpd.patch.asc
+# gpg --verify ftpd.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r365772
+releng/12.2/                                                      r365781
+releng/12.1/                                                      r365781
+stable/11/                                                        r365773
+releng/11.4/                                                      r365781
+releng/11.3/                                                      r365781
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7468>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:30.ftpd.asc>
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
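Review bot: Section V says "Restart the applicable daemons, or reboot the system." twice without saying which daemons are applicable. The Module field is ftpd, so name it, for example "Restart ftpd(8), or the service that launches it, or reboot the system." Section II is also thin on what an administrator can check for: it says the bug needs "capabilities available to an authenticated FTP user" but not which configuration exposes it beyond the use of ftpchroot(5).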

Added: head/share/security/patches/SA-20:27/ure.11.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:27/ure.11.patch	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,13 @@
+--- sys/dev/usb/net/if_ure.c.orig
++++ sys/dev/usb/net/if_ure.c
+@@ -710,7 +710,9 @@
+ 	    ~URE_RXDY_GATED_EN);
+ 
+ 	/* Set Rx mode. */
+-	rxmode = URE_RCR_APM;
++	rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
++	rxmode &= ~URE_RCR_ACPT_ALL;
++	rxmode |= URE_RCR_APM;
+ 
+ 	/* If we want promiscuous mode, set the allframes bit. */
+ 	if (ifp->if_flags & IFF_PROMISC)
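Review bot: The new read-modify-write under "/* Set Rx mode. */" carries no comment saying which bits of URE_PLA_RCR must survive or why the old plain assignment "rxmode = URE_RCR_APM;" was wrong, so the link to the advisory's 2048-byte length problem is not visible in the code. Suggest a short comment above the ure_read_4() call naming the register bits being preserved. This 11.x patch clears URE_RCR_ACPT_ALL while the 12.x patch in the same commit clears "URE_RCR_AAP | URE_RCR_AM"; a note on what ACPT_ALL covers would make it possible to confirm the two branches end up equivalent.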

Added: head/share/security/patches/SA-20:27/ure.11.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:27/ure.11.patch.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-20:27/ure.12.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:27/ure.12.patch	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,16 @@
+--- sys/dev/usb/net/if_ure.c.orig
++++ sys/dev/usb/net/if_ure.c
+@@ -816,9 +816,10 @@
+ 
+ 	URE_LOCK_ASSERT(sc, MA_OWNED);
+ 
+-	rxmode = URE_RCR_APM;
+-	if (ifp->if_flags & IFF_BROADCAST)
+-		 rxmode |= URE_RCR_AB;
++	rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
++	rxmode &= ~(URE_RCR_AAP | URE_RCR_AM);
++	rxmode |= URE_RCR_APM;	/* accept physical match packets */
++	rxmode |= URE_RCR_AB;	/* always accept broadcasts */
+ 	if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) {
+ 		if (ifp->if_flags & IFF_PROMISC)
+ 			rxmode |= URE_RCR_AAP;
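Review bot: Dropping the "if (ifp->if_flags & IFF_BROADCAST)" test makes URE_RCR_AB unconditional, which is a behaviour change separate from preserving the register contents, and the comment "always accept broadcasts" does not say why the interface flag is no longer consulted. Either keep the test or extend the comment with the reason. As in the 11.x patch, a comment above the ure_read_4() call stating which existing bits of URE_PLA_RCR need to be preserved would explain why only URE_RCR_AAP and URE_RCR_AM are masked off.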

Added: head/share/security/patches/SA-20:27/ure.12.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:27/ure.12.patch.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-20:28/bhyve_vmcs.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:28/bhyve_vmcs.patch	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,29 @@
+--- sys/amd64/vmm/amd/svm.c.orig
++++ sys/amd64/vmm/amd/svm.c
+@@ -2198,8 +2198,11 @@
+ 		return (svm_modify_intr_shadow(svm_sc, vcpu, val));
+ 	}
+ 
+-	if (vmcb_write(svm_sc, vcpu, ident, val) == 0) {
+-		return (0);
++	/* Do not permit user write access to VMCB fields by offset. */
++	if (!VMCB_ACCESS_OK(ident)) {
++		if (vmcb_write(svm_sc, vcpu, ident, val) == 0) {
++			return (0);
++		}
+ 	}
+ 
+ 	reg = swctx_regptr(svm_get_guest_regctx(svm_sc, vcpu), ident);
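Review bot: In the svm.c hunk, when VMCB_ACCESS_OK(ident) is true the vmcb_write() call is skipped but execution falls through to swctx_regptr() with the same ident, so rejecting the write depends on that lookup failing for a by-offset identifier. The vmx.c half of this patch returns EINVAL explicitly; doing the same here ("if (VMCB_ACCESS_OK(ident)) return (EINVAL);") would make the refusal explicit and symmetric. The macro name also reads as "access is permitted", while the guard uses it to detect an identifier that encodes a by-offset access; the comment should say so.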
+--- sys/amd64/vmm/intel/vmx.c.orig
++++ sys/amd64/vmm/intel/vmx.c
+@@ -3341,6 +3341,10 @@
+ 	if (vmxctx_setreg(&vmx->ctx[vcpu], reg, val) == 0)
+ 		return (0);
+ 
++	/* Do not permit user write access to VMCS fields by offset. */
++	if (reg < 0)
++		return (EINVAL);
++
+ 	error = vmcs_setreg(&vmx->vmcs[vcpu], running, reg, val);
+ 
+ 	if (error == 0) {
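Review bot: The "if (reg < 0) return (EINVAL);" check in the vmx.c hunk sits after the vmxctx_setreg() call, so a negative reg is still handed to vmxctx_setreg() before it is rejected. Whether that function tolerates negative values is not visible in this hunk; moving the check above the vmxctx_setreg() call, or to the top of the function, would reject by-offset identifiers before any setter sees them. The comment could also state that negative register numbers are the by-offset encoding, since "reg < 0" alone does not say that.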

Added: head/share/security/patches/SA-20:28/bhyve_vmcs.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:28/bhyve_vmcs.patch.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-20:29/bhyve_svm.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:29/bhyve_svm.patch	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,163 @@
+--- sys/amd64/vmm/amd/svm.c.orig
++++ sys/amd64/vmm/amd/svm.c
+@@ -488,10 +488,23 @@
+ 	svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_SHUTDOWN);
+ 	svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT,
+ 	    VMCB_INTCPT_FERR_FREEZE);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_INVD);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_INVLPGA);
+ 
+ 	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_MONITOR);
+ 	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_MWAIT);
+ 
++	/*
++	 * Intercept SVM instructions since AMD enables them in guests otherwise.
++	 * Non-intercepted VMMCALL causes #UD, skip it.
++	 */
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_VMLOAD);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_VMSAVE);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_STGI);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_CLGI);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_SKINIT);
++	svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_ICEBP);
++
+ 	/*
+ 	 * From section "Canonicalization and Consistency Checks" in APMv2
+ 	 * the VMRUN intercept bit must be set to pass the consistency check.
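Review bot: The new comment "Intercept SVM instructions since AMD enables them in guests otherwise" sits above a list that ends with VMCB_INTCPT_ICEBP, which is not an SVM instruction, and the INVD and INVLPGA intercepts added a few lines earlier under VMCB_CTRL1_INTCPT have no comment at all. Suggest one line of rationale for each of those three, so a later cleanup does not drop them as unrelated. "Non-intercepted VMMCALL causes #UD, skip it" would read more clearly as "VMMCALL is left unintercepted because it then raises #UD in the guest".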
+@@ -1236,43 +1249,45 @@
+ static const char *
+ exit_reason_to_str(uint64_t reason)
+ {
++	int i;
+ 	static char reasonbuf[32];
+-
+-	switch (reason) {
+-	case VMCB_EXIT_INVALID:
+-		return ("invalvmcb");
+-	case VMCB_EXIT_SHUTDOWN:
+-		return ("shutdown");
+-	case VMCB_EXIT_NPF:
+-		return ("nptfault");
+-	case VMCB_EXIT_PAUSE:
+-		return ("pause");
+-	case VMCB_EXIT_HLT:
+-		return ("hlt");
+-	case VMCB_EXIT_CPUID:
+-		return ("cpuid");
+-	case VMCB_EXIT_IO:
+-		return ("inout");
+-	case VMCB_EXIT_MC:
+-		return ("mchk");
+-	case VMCB_EXIT_INTR:
+-		return ("extintr");
+-	case VMCB_EXIT_NMI:
+-		return ("nmi");
+-	case VMCB_EXIT_VINTR:
+-		return ("vintr");
+-	case VMCB_EXIT_MSR:
+-		return ("msr");
+-	case VMCB_EXIT_IRET:
+-		return ("iret");
+-	case VMCB_EXIT_MONITOR:
+-		return ("monitor");
+-	case VMCB_EXIT_MWAIT:
+-		return ("mwait");
+-	default:
+-		snprintf(reasonbuf, sizeof(reasonbuf), "%#lx", reason);
+-		return (reasonbuf);
++	static const struct {
++		int reason;
++		const char *str;
++	} reasons[] = {
++		{ .reason = VMCB_EXIT_INVALID,	.str = "invalvmcb" },
++		{ .reason = VMCB_EXIT_SHUTDOWN,	.str = "shutdown" },
++		{ .reason = VMCB_EXIT_NPF, 	.str = "nptfault" },
++		{ .reason = VMCB_EXIT_PAUSE,	.str = "pause" },
++		{ .reason = VMCB_EXIT_HLT,	.str = "hlt" },
++		{ .reason = VMCB_EXIT_CPUID,	.str = "cpuid" },
++		{ .reason = VMCB_EXIT_IO,	.str = "inout" },
++		{ .reason = VMCB_EXIT_MC,	.str = "mchk" },
++		{ .reason = VMCB_EXIT_INTR,	.str = "extintr" },
++		{ .reason = VMCB_EXIT_NMI,	.str = "nmi" },
++		{ .reason = VMCB_EXIT_VINTR,	.str = "vintr" },
++		{ .reason = VMCB_EXIT_MSR,	.str = "msr" },
++		{ .reason = VMCB_EXIT_IRET,	.str = "iret" },
++		{ .reason = VMCB_EXIT_MONITOR,	.str = "monitor" },
++		{ .reason = VMCB_EXIT_MWAIT,	.str = "mwait" },
++		{ .reason = VMCB_EXIT_VMRUN,	.str = "vmrun" },
++		{ .reason = VMCB_EXIT_VMMCALL,	.str = "vmmcall" },
++		{ .reason = VMCB_EXIT_VMLOAD,	.str = "vmload" },
++		{ .reason = VMCB_EXIT_VMSAVE,	.str = "vmsave" },
++		{ .reason = VMCB_EXIT_STGI,	.str = "stgi" },
++		{ .reason = VMCB_EXIT_CLGI,	.str = "clgi" },
++		{ .reason = VMCB_EXIT_SKINIT,	.str = "skinit" },
++		{ .reason = VMCB_EXIT_ICEBP,	.str = "icebp" },
++		{ .reason = VMCB_EXIT_INVD,	.str = "invd" },
++		{ .reason = VMCB_EXIT_INVLPGA,	.str = "invlpga" },
++	};
++
++	for (i = 0; i < nitems(reasons); i++) {
++		if (reasons[i].reason == reason)
++			return (reasons[i].str);
+ 	}
++	snprintf(reasonbuf, sizeof(reasonbuf), "%#lx", reason);
++	return (reasonbuf);
+ }
+ #endif	/* KTR */
+ 
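Review bot: in the new lookup table the field is declared `int reason` while the function argument is `uint64_t reason`, so `reasons[i].reason == reason` compares signed against unsigned and relies on the implicit conversion of every table entry; `int i` against `nitems(reasons)` has the same signedness mismatch. Declaring the field as uint64_t and the index as u_int or size_t removes both. The fallback still returns the static `reasonbuf`, which deserves a one-line comment that the returned pointer must not be held across calls.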
+@@ -1524,6 +1539,20 @@
+ 	case VMCB_EXIT_MWAIT:
+ 		vmexit->exitcode = VM_EXITCODE_MWAIT;
+ 		break;
++	case VMCB_EXIT_SHUTDOWN:
++	case VMCB_EXIT_VMRUN:
++	case VMCB_EXIT_VMMCALL:
++	case VMCB_EXIT_VMLOAD:
++	case VMCB_EXIT_VMSAVE:
++	case VMCB_EXIT_STGI:
++	case VMCB_EXIT_CLGI:
++	case VMCB_EXIT_SKINIT:
++	case VMCB_EXIT_ICEBP:
++	case VMCB_EXIT_INVD:
++	case VMCB_EXIT_INVLPGA:
++		vm_inject_ud(svm_sc->vm, vcpu);
++		handled = 1;
++		break;
+ 	default:
+ 		vmm_stat_incr(svm_sc->vm, vcpu, VMEXIT_UNKNOWN, 1);
+ 		break;
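Review bot: VMCB_EXIT_SHUTDOWN sits in the same arm as the instruction intercepts and so is answered with vm_inject_ud(), with no comment explaining why a shutdown exit should be turned into #UD instead of taking its own path. Please either separate it or add a comment with the reasoning. VMCB_EXIT_VMMCALL is also listed here although the intercept hunk says VMMCALL is deliberately left un-intercepted; a short note that the case is defensive would help, as would a vmm_stat_incr() so these exits are countable the way the default arm is.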
+--- sys/amd64/vmm/amd/vmcb.h.orig
++++ sys/amd64/vmm/amd/vmcb.h
+@@ -71,8 +71,8 @@
+ #define	VMCB_INTCPT_INVD		BIT(22)
+ #define	VMCB_INTCPT_PAUSE		BIT(23)
+ #define	VMCB_INTCPT_HLT			BIT(24)
+-#define	VMCB_INTCPT_INVPG		BIT(25)
+-#define	VMCB_INTCPT_INVPGA		BIT(26)
++#define	VMCB_INTCPT_INVLPG		BIT(25)
++#define	VMCB_INTCPT_INVLPGA		BIT(26)
+ #define	VMCB_INTCPT_IO			BIT(27)
+ #define	VMCB_INTCPT_MSR			BIT(28)
+ #define	VMCB_INTCPT_TASK_SWITCH		BIT(29)
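Review bot: renaming VMCB_INTCPT_INVPG and VMCB_INTCPT_INVPGA to the INVLPG and INVLPGA spellings is a cosmetic change bundled into a security fix, and any user of the old names outside this patch will stop compiling. The svm.c changes shown here use only VMCB_INTCPT_INVLPGA; confirm that no other references to the old macros remain on each branch the patch is meant to apply to.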
+@@ -134,12 +134,21 @@
+ #define	VMCB_EXIT_POPF			0x71
+ #define	VMCB_EXIT_CPUID			0x72
+ #define	VMCB_EXIT_IRET			0x74
++#define	VMCB_EXIT_INVD			0x76
+ #define	VMCB_EXIT_PAUSE			0x77
+ #define	VMCB_EXIT_HLT			0x78
++#define	VMCB_EXIT_INVLPGA		0x7A
+ #define	VMCB_EXIT_IO			0x7B
+ #define	VMCB_EXIT_MSR			0x7C
+ #define	VMCB_EXIT_SHUTDOWN		0x7F
++#define	VMCB_EXIT_VMRUN			0x80
++#define	VMCB_EXIT_VMMCALL		0x81
++#define	VMCB_EXIT_VMLOAD		0x82
+ #define	VMCB_EXIT_VMSAVE		0x83
++#define	VMCB_EXIT_STGI			0x84
++#define	VMCB_EXIT_CLGI			0x85
++#define	VMCB_EXIT_SKINIT		0x86
++#define	VMCB_EXIT_ICEBP			0x88
+ #define	VMCB_EXIT_MONITOR		0x8A
+ #define	VMCB_EXIT_MWAIT			0x8B
+ #define	VMCB_EXIT_NPF			0x400

Added: head/share/security/patches/SA-20:29/bhyve_svm.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:29/bhyve_svm.patch.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=+DkR
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-20:30/ftpd.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:30/ftpd.patch	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,27 @@
+--- libexec/ftpd/ftpd.c.orig
++++ libexec/ftpd/ftpd.c
+@@ -1596,13 +1596,20 @@
+ 	 *    (uid 0 has no root power over NFS if not mapped explicitly.)
+ 	 */
+ 	if (seteuid(pw->pw_uid) < 0) {
+-		reply(550, "Can't set uid.");
+-		goto bad;
++		if (guest || dochroot) {
++			fatalerror("Can't set uid.");
++		} else {
++			reply(550, "Can't set uid.");
++			goto bad;
++		}
+ 	}
++	/*
++	 * Do not allow the session to live if we're chroot()'ed and chdir()
++	 * fails. Otherwise the chroot jail can be escaped.
++	 */
+ 	if (chdir(homedir) < 0) {
+ 		if (guest || dochroot) {
+-			reply(550, "Can't change to base directory.");
+-			goto bad;
++			fatalerror("Can't change to base directory.");
+ 		} else {
+ 			if (chdir("/") < 0) {
+ 				reply(550, "Root is inaccessible.");
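Review bot: when seteuid() fails for a session that is neither guest nor chrooted, the else branch still sends 550 and takes `goto bad`, so the process keeps running after a failed privilege drop. Consider calling fatalerror() unconditionally there, or add a comment on why `goto bad` is sufficient for that case. The new comment about escaping the chroot sits above chdir() only, and the seteuid() change has no explanation of its own. If fatalerror() does not return, the inner if/else can also be flattened.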

Added: head/share/security/patches/SA-20:30/ftpd.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-20:30/ftpd.patch.asc	Tue Sep 15 22:00:07 2020	(r54498)
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+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+=IcX7
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Tue Sep 15 20:40:04 2020	(r54497)
+++ head/share/xml/advisories.xml	Tue Sep 15 22:00:07 2020	(r54498)
@@ -11,6 +11,27 @@
       <name>9</name>
 
       <day>
+	<name>15</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:30.ftpd</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:29.bhyve_svm</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:28.bhyve_vmcs</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-20:27.ure</name>
+	</advisory>
+
+      </day>
+
+      <day>
 	<name>2</name>
 
 	<advisory>

