git: 4c85a69d0f - main - Add EN-23:13, EN-23:14, SA-23:15, and SA-23:16.
Date: Wed, 08 Nov 2023 06:30:37 UTC
The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/doc/commit/?id=4c85a69d0f11b191ee161ff8fdba6162d46c0ff4 commit 4c85a69d0f11b191ee161ff8fdba6162d46c0ff4 Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2023-11-08 06:29:21 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2023-11-08 06:29:21 +0000 Add EN-23:13, EN-23:14, SA-23:15, and SA-23:16. Approved by: so --- website/data/security/advisories.toml | 8 + website/data/security/errata.toml | 8 + .../advisories/FreeBSD-EN-23:13.freebsd-update.asc | 153 +++++++++++++++++++ .../advisories/FreeBSD-EN-23:14.regcomp.asc | 151 +++++++++++++++++++ .../security/advisories/FreeBSD-SA-23:15.stdio.asc | 167 +++++++++++++++++++++ .../advisories/FreeBSD-SA-23:16.cap_net.asc | 140 +++++++++++++++++ .../security/patches/EN-23:13/freebsd-update.patch | 11 ++ .../patches/EN-23:13/freebsd-update.patch.asc | 16 ++ .../static/security/patches/EN-23:14/regcomp.patch | 33 ++++ .../security/patches/EN-23:14/regcomp.patch.asc | 16 ++ .../security/patches/SA-23:15/stdio.12.patch | 42 ++++++ .../security/patches/SA-23:15/stdio.12.patch.asc | 16 ++ .../security/patches/SA-23:15/stdio.13.patch | 125 +++++++++++++++ .../security/patches/SA-23:15/stdio.13.patch.asc | 16 ++ .../security/patches/SA-23:15/stdio.14.patch | 125 +++++++++++++++ .../security/patches/SA-23:15/stdio.14.patch.asc | 16 ++ .../static/security/patches/SA-23:16/cap_net.patch | 32 ++++ .../security/patches/SA-23:16/cap_net.patch.asc | 16 ++ 18 files changed, 1091 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 6432cceb40..d3995fcc48 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml 
@@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-23:16.cap_net" +date = "2023-11-08" + +[[advisories]] +name = "FreeBSD-SA-23:15.stdio" +date = "2023-11-08" + [[advisories]] name = "FreeBSD-SA-23:14.smccc" date = "2023-10-03" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 8c61975a0c..df128aa134 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,14 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-23:14.regcomp" +date = "2023-11-08" + +[[notices]] +name = "FreeBSD-EN-23:13.freebsd-update" +date = "2023-11-08" + [[notices]] name = "FreeBSD-EN-23:12.freebsd-update" date = "2023-10-03" diff --git a/website/static/security/advisories/FreeBSD-EN-23:13.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-23:13.freebsd-update.asc new file mode 100644 index 0000000000..08dafcfa78 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-23:13.freebsd-update.asc 
@@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-23:13.freebsd-update Errata Notice + The FreeBSD Project + +Topic: freebsd-update does not handle deep boot environments + +Category: core +Announced: 2023-11-08 +Affects: All supported versions of FreeBSD. +Corrected: 2023-10-24 00:04:14 UTC (stable/14, 14.0-STABLE) + 2023-10-24 16:12:01 UTC (releng/14.0, 14.0-RC3) + 2023-10-24 00:04:18 UTC (stable/13, 13.2-STABLE) + 2023-11-08 00:59:45 UTC (releng/13.2, 13.2-RELEASE-p5) + 2023-10-24 00:05:10 UTC (stable/12, 12.4-STABLE) + 2023-11-08 01:10:13 UTC (releng/12.4, 12.4-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +freebsd-update will create a new boot environment as a backup when performing +updates. + +II. Problem Description + +Some systems use non-default configurations referred to as "deep" boot +environments. Deep boot environments place datasets belonging to the boot +environment subordinate to the boot environment dataset itself, rather than +elsewhere in the pool structure. + +This kind of boot environment requires the -r flag to bectl(8) for most +operations in order to recurse on these subordinate datasets, but +freebsd-update(8) was not recursing when creating a backup boot environment. + +III. Impact + +Without recursing in bectl(8), backups taken of a deep boot environment are not +complete snapshots of the system state before the upgrade takes place. This +means that it's potentially painful to try and rollback to the pre-upgrade state +after the upgrade has completed. + +IV. 
Workaround + +No workaround is available, but the default configuration is not affected and +deep boot environment users may create their own backups prior to an upgrade +with a manual `bectl create -r ...` + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-23:13/freebsd-update.patch +# fetch https://security.FreeBSD.org/patches/EN-23:13/freebsd-update.patch.asc +# gpg --verify freebsd-update.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 5c2a559876d1 stable/14-n265583 +releng/14.0/ e34fdb7c119e releng/14.0-n265341 +stable/13/ 80f747781f12 stable/13-n256596 +releng/13.2/ e79edfaf68c5 releng/13.2-n254641 +stable/12/ r373256 +releng/12.4/ r373266 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267535> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:13.freebsd-update.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKZUACgkQbljekB8A +Gu+SVw/9FKEzcR7kUudFRwnNsY1LI7YphmuEA7xT6pdiMxizHmh/iWOF8yc5l3Ky +lpXcIhbNXwOcI06Jv9OswIZyOXTtLZat+MVLyx4uoMgdHuM4wuPx4N9lo6FwvE1v +Ehtf1GkEnOANcxou0PdrS+fHzUKx/hjn/WVKcdp+YmYzf19LnIqj2H58QWTP7INr +cP/rj3EiqGi7XkBEh4te6nTyy27Wu+ihZZDdLFv43sf/cOEl2wsd8HJxVxfz9aEP +lhJSBVMFq46YfNSLIsYLLN5v6d2C5ag4JJ2tvuX2sazLl3TXafDZ+OtAok0h8iiE +qGrad3dt/g/5/WnSVK68GQ4MfyXJtfywxK18CX3fojeCuDJ5D9j7XUUXaqHHty9r +CdcI4yZkswijkKIhtBRYdGh7Nvue54br6cnf7L8i/6hbPnLbdue3gs+v5OLNEttm +LthNPViDJWid2TD+mRDS/2JubpiHspzb06Z+q2Hpt5wLRdISu1qPnjgGXgzXgPNB +3PYbsPp2i1rHmz52K08hK+582QL5PMS5/hpB6pN2bakugvAGz5ocrBn1C5ejNIeo +4FAFV5w4cvgaJJf7eI8Lo+IzEcg4gA6h8ibDsFXIzMf3Fnn9p7qH7cw85AoemW4a +ZZBDYL81fEy9hJBqhQC4cmjEdzuvptPV5arFzX8J9M6Hirrnt9g= +=l1ce +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-23:14.regcomp.asc b/website/static/security/advisories/FreeBSD-EN-23:14.regcomp.asc new file mode 100644 index 0000000000..796c1e6368 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-23:14.regcomp.asc 
@@ -0,0 +1,151 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-23:14.regcomp Errata Notice + The FreeBSD Project + +Topic: Incorrect regular expression escape handling + +Category: core +Module: libc +Announced: 2023-11-08 +Affects: All supported versions of FreeBSD. +Corrected: 2023-09-30 01:40:59 UTC (stable/14, 14.0-STABLE) + 2023-10-01 04:46:02 UTC (releng/14.0, 14.0-BETA5) + 2023-09-30 01:41:23 UTC (stable/13, 13.2-STABLE) + 2023-11-08 00:59:51 UTC (releng/13.2, 13.2-RELEASE-p5) + 2023-09-30 01:41:57 UTC (stable/12, 12.4-STABLE) + 2023-11-08 01:11:09 UTC (releng/12.4, 12.4-RELEASE-p7) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The libc regex(3) implementation is responsible for compiling and applying +regular expressions as used in, e.g., grep(1) and sed(1). + +II. Problem Description + +In some instances, the regcomp() implementation would inadvertently sign-extend +a character in the regular expression. Additionally, alphabetic wide-characters +were not properly being considered as such. + +III. Impact + +Regular expressions supplied to grep(1) or sed(1) that contained an alphabetic +wide-character would incorrectly error out as if a bogus trailing backslash had +been supplied. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Rebooting after the update is not strictly necessary, but it is recommended +in case the error affects some daemon in use. 
+ +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-23:14/regcomp.patch +# fetch https://security.FreeBSD.org/patches/EN-23:14/regcomp.patch.asc +# gpg --verify regcomp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 56b09feb23d9 stable/14-n265274 +releng/14.0/ 408daf2caa92 releng/14.0-n265163 +stable/13/ ac695744e2cf stable/13-n256440 +releng/13.2/ 67264bfe4992 releng/13.2-n254642 +stable/12/ r373222 +releng/12.4/ r373267 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264275> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-23:14.regcomp.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKaAACgkQbljekB8A +Gu+LkRAA3/sUdxhrZ2iv6JBThfYSW0d3aTNLz9z4bv41wGqXoYyXnUaQqwi0bxqN +ckbtEB6jpoAArlZvcYnP6vmS7BdFHjaeXCI5pFsVtbhz7xlLVjlEgZwPNv69MT+2 +Uzg+cyHF0PU+7Mfh+Pxx3yURnBCXMljdMKrIkFK61nyHjHjL1HFMS07DxkZh3m24 +rG/WOJ9/fT+ICa3SAeREuydUUbXVvr1nmff8BJDV2PjQp2y8RaeYCjshfvHBA7AJ +kC7y2TNUYtosFZkGAU33d0HZw/LNiWGQR0t4xjDBRNbQOF7vmOwmVHXqb+47bq6Z +DajjnHTZcIs8edXpHC99EQu/1GVpc4zqPYZeO7VRZJg/EnYgXv2WYZr0zr0PsSw5 +mrnXIqt9c1YRZ6h5XEFv6G4L++8/FjbjZZUqriBurvYWwbXRr8Y6UY1r9Mbz6W+z +h5jDwbrXB9kd+7az6m+jF5hFRe+74NQDtPFlRfP5ZpWZUb1NAmfU3x2s28m4ovWk +Pg5kbiU4mDmml0pnLuIEOtr4ukvURY+V9NVhN7QW3WhP6TTvHwilgdfO8QNG847x +eh2xFIF1cH/Ce1PK0PuvNwmWu8RlHaQpDIKWZ5qMzehk3Sk7da+p9cGzXGUyrWTC +AdEAuIwPiNo0Lcj9isRaMB7TDDu4Wgv0Z9UVQtHikRrs1ul5s1c= +=TY3O +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:15.stdio.asc b/website/static/security/advisories/FreeBSD-SA-23:15.stdio.asc new file mode 100644 index 0000000000..0e367ac3a7 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:15.stdio.asc 
@@ -0,0 +1,167 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:15.libc Security Advisory + The FreeBSD Project + +Topic: libc stdio buffer overflow + +Category: core +Module: libc +Announced: 2023-11-07 +Credits: inooo + All supported versions of FreeBSD. +Corrected: 2023-11-07 17:29:20 UTC (stable/14, 14.0-STABLE) + 2023-11-08 00:45:25 UTC (releng/14.0, 14.0-RC4-p1) + 2023-11-07 18:41:49 UTC (stable/13, 13.2-STABLE) + 2023-11-08 00:48:03 UTC (releng/13.2, 13.2-RELEASE-p5) + 2023-11-08 14:30:51 UTC (stable/12, 12.4-STABLE) + 2023-11-08 01:09:31 UTC (releng/12.4, 12.4-RELEASE-p7) +CVE Name: CVE-2023-5941 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The FreeBSD C library (libc) Standard I/O (stdio) component provides +essential functionality for input and output operations including file +handling and buffering. It includes functions like "fopen", "printf", and +"fflush". Streams may be unbuffered, line buffered, or fully buffered. +The library writes buffered data when the buffer is full or when the +application explicitly requests so by calling the fflush(3) function. + +II. Problem Description + +For line-buffered streams the __sflush() function did not correctly update +the FILE object's write space member when the write(2) system call returns +an error. + +III. Impact + +Depending on the nature of an application that calls libc's stdio functions +and the presence of errors returned from the write(2) system call (or an +overridden stdio write routine) a heap buffer overfly may occur. Such +overflows may lead to data corruption or the execution of arbitrary code at +the privilege level of the calling program. + +IV. Workaround + +No workaround is available. + +V. 
Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 14.0] +# fetch https://security.FreeBSD.org/patches/SA-23:15/stdio.14.patch +# fetch https://security.FreeBSD.org/patches/SA-23:15/stdio.14.patch.asc +# gpg --verify stdio.14.patch.asc + +[FreeBSD 13.2] +# fetch https://security.FreeBSD.org/patches/SA-23:15/stdio.13.patch +# fetch https://security.FreeBSD.org/patches/SA-23:15/stdio.13.patch.asc +# gpg --verify stdio.13.patch.asc + +[FreeBSD 12.4] +# fetch https://security.FreeBSD.org/patches/SA-23:15/stdio.12.patch +# fetch https://security.FreeBSD.org/patches/SA-23:15/stdio.12.patch.asc +# gpg --verify stdio.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ abe12d2f4ce3 stable/14-n265706 +releng/14.0/ 1f9c4610dde5 releng/14.0-n265376 +stable/13/ 59ec3ffdd7ce stable/13-n256680 +releng/13.2/ d51a39b13ee4 releng/13.2-n254639 +stable/12/ r373263 +releng/12.4/ r373265 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5941> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:15.stdio.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKaIACgkQbljekB8A +Gu/MXBAA1Aayy2tPhgpV7uwRZWHKLsda8Am0/7Ok6fswejrxntVIlOwg+Vyo1pTW +ojDTG2HS9BovXwdhWdSEObNwk+KxZlF8YIYHMOv5HyU4/iTxiBYVUjnk14J0YQAw +mywyBjOyULXv1gOlvA8FUMk6M8I/RE9fN8dR0D6xHwdY/a/LUbpqqo3H7fftF5D7 +CVZy4Uw0rSJXvJEZIWhgbaqKRyjydXoClX4NS/aMEfLFGDcSQtblVotUVpDedsRZ +uhVKLibhNqoaausR75oLB6izclHQXzXz3eh7UefM7Udz4R/M8IfFtxwtpsWl3KGH +bB/2BfrWgrj6Emhmy455NShd7YDcw4VdIZZUVwofS8kmw9NMxvtU2EgdFp/TITMD +fo/XqMtrwpNTjuyWPY9xM41QansEeidhVBeHsA6B8kmsiZ1XVo8uaAmj5aHldEZx +TCCVWOlg8D/OnHHtOY0nBz50f57Lt8z2UcSlR3nZL/wRgxsGDdwh1doeFJupIxbE +1ZS6x4DoQInUhVNTXmSngMCfNOywatVCaOnS2swZETEawI4xAYKUHVJswpA3E0R4 +MhUEo5gk2dEYhuvvr51eewvNSE9mIt7rPhNxhSU7hioraWkdLqE7rUkv9eeaSOOu +BWaAaCnyS/Vft6aC5nqTg/+2EeRPNJg7JkTHl+pu00h3Y+Q2g48= +=wgNS +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-23:16.cap_net.asc b/website/static/security/advisories/FreeBSD-SA-23:16.cap_net.asc new file mode 100644 index 0000000000..249a838ac8 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:16.cap_net.asc 
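Review bot: The signed header of the SA-23:15 advisory does not match the rest of the commit: its title line reads `FreeBSD-SA-23:15.libc`, while the file name, the "latest revision" URL and the advisories.toml entry all use `FreeBSD-SA-23:15.stdio`. The line after `Credits: inooo` carries "All supported versions of FreeBSD." without its `Affects:` label, which anything parsing the header fields may miss, and `Announced: 2023-11-07` disagrees with the `date = "2023-11-08"` entry added to advisories.toml. Section III also says "heap buffer overfly" where "overflow" is meant. Because the text is clearsigned, correcting any of these means publishing a revised, re-signed advisory rather than editing the file in place.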
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:16.cap_net Security Advisory + The FreeBSD Project + +Topic: Incorrect libcap_net limitation list manipulation + +Category: core +Module: libcap_net +Announced: 2023-11-08 +Credits: Shawn Webb, Mariusz Zaborski +Affects: FreeBSD 13.2 and later +Corrected: 2023-11-06 19:19:04 UTC (stable/14, 14.0-STABLE) + 2023-11-08 00:45:34 UTC (releng/14.0, 14.0-RC4-p1) + 2023-11-06 19:19:54 UTC (stable/13, 13.2-STABLE) + 2023-11-08 00:49:31 UTC (releng/13.2, 13.2-RELEASE-p5) +CVE Name: CVE-2023-5978 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +libcasper(3) allows Capsicum-sandboxed applications to define and use system +interfaces which would otherwise be disallowed, through implementing special +services. One of these services, libcap_net, enables networking capabilities +within the restriced environment. + +II. Problem Description + +Casper services allow limiting operations that a process can perform. Each +service maintains a specific list of permitted operations. Certain operations +can be further restricted, such as specifying which domain names can be +resolved. During the verification of limits, the service must ensure that the +new set of constraints is a subset of the previous one. In the case of the +cap_net service, the currently limited set of domain names was fetched +incorrectly. + +III. Impact + +In certain scenarios, if only a list of resolvable domain names was specified +without setting any other limitations, the application could submit a new list +of domains including include entries not previously in the list. + +IV. Workaround + +No workaround is available. 
Note that no FreeBSD base system software is +vulnerable to this issue. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:16/cap_net.patch +# fetch https://security.FreeBSD.org/patches/SA-23:16/cap_net.patch.asc +# gpg --verify cap_net.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. 
Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/14/ 765757c6301f stable/14-n265696 +releng/14.0/ 5f4fc91cc87c releng/14.0-n265377 +stable/13/ 114c6d9bef76 stable/13-n256672 +releng/13.2/ acd860c3622d releng/13.2-n254640 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5978> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:16.cap_net.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKaYACgkQbljekB8A +Gu8Ofg/6AxzPey7hIS6rRO5Mv5ufiKEiYDwPo3t6epUiaLid21KhkLry1CofqFHd +pC0zsYDJiWCkvieGBHhCkNYmffL9TCgLqNxSSH7plwMHwrLLQKxYRVn9V0ReGdc9 +qRY5XB1W0Ocns0CbpEXuMRNde5UNwc63xN0/xlnBESfex6+fP9kPNB7VLoYY4Foj +jDzn6s8YNaUOVO7YtlZDjPRRazwVLriQ3Bf+lCNkJFq4VyyhRPFkeknOFHt5olA2 +dp+DIVQGUVRGjeaZDlxLZ4j0Nw39ZK8T6mSXSskjtSfQtHd6DPgDFBzZKjhtzRFd ++5lutnrXpZemQjUcOKqVG1ZmlbDQChIWVlJ1kyORRjb8ZO+vknhFo/w3a5o4sq1A +ZtK1w2CFo0+jL+oWxJdFEiRFR0jwMtVfMCzZAoLsDXnYbmni/353BKGMlBFgdsAy +Php3E/LsxCoFaZ+r87Z6O2UefEYMCr1FDM99SQkU1Ui3kzWEskHEvPR6JS31Htu2 +9ry3c4T08r1Qhp7J9Zdfnwvtd0fyEWn16ewzeiV4M6+gPErWZncar+86b87IRKof +bTJ4XiK7kcORyD5ksgcBINUd5njOvXGIYTfkqSmlyikAhnoM7MN3npUGyRq6KQTE +NPAr3gWrch7pegBVP3JuDQaYwfJarg6BmPb9sWWfkzQHRf9pfOI= +=XNt1 +-----END PGP SIGNATURE----- 
diff --git a/website/static/security/patches/EN-23:13/freebsd-update.patch b/website/static/security/patches/EN-23:13/freebsd-update.patch
new file mode 100644
index 0000000000..76c6b9ff9a
--- /dev/null
+++ b/website/static/security/patches/EN-23:13/freebsd-update.patch
@@ -0,0 +1,11 @@
+--- usr.sbin/freebsd-update/freebsd-update.sh.orig
++++ usr.sbin/freebsd-update/freebsd-update.sh
+@@ -916,7 +916,7 @@
+ echo -n "Creating snapshot of existing boot environment... "
+ VERSION=`freebsd-version -ku | sort -V | tail -n 1`
+ TIMESTAMP=`date +"%Y-%m-%d_%H%M%S"`
+- bectl create ${VERSION}_${TIMESTAMP}
++ bectl create -r ${VERSION}_${TIMESTAMP}
+ if [ $? -eq 0 ]; then
+ echo "done.";
+ else
diff --git a/website/static/security/patches/EN-23:13/freebsd-update.patch.asc b/website/static/security/patches/EN-23:13/freebsd-update.patch.asc
new file mode 100644
index 0000000000..48d1aa9979
--- /dev/null
+++ b/website/static/security/patches/EN-23:13/freebsd-update.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKZ8ACgkQbljekB8A
+Gu/EDRAAzEfC1ThckV63SsbfX/0KSm2XXHIpDppl86ML8F/WpPUhLAHu7KcmSVSG
+mxqlqhB9eUa/gMLCibrjBVFOugBwWi3BAiiZIVpwdnH5ycgn0Dpu1ngCxI0PxlLC
+sRuwuXMBhDdTRhqq5A1nqMF6pCaAtrhfbThKQU9d/dQTOigHCqB9AILJcM2mf8Kd
+pbo/uTidNdFhLkCWueN9hwJOLZwrtlFoIzd3OuEtlnbq5C9OPd2IhIMBHq1EB6vV
+cenxpdwxszuuAAawCnKsDq6+8BwFhI5hsubMuWhs1XkR2JLCn8ZmifSD9cEqO4ai
+3LxmN8j3CIZiWflWbgB9Kv6dDvDkcZ4wD+pGbRwNpmpLzt2obbrJFvTbV1g8vWaG
+03Y3Kt9lsnw2GaXRNtGA5WQrdA8PRgboOvq2ZB6SOEviFQ6IDOO+PspVF48OyS2g
+khMQhvZPQxyM5vxgJR3z2q3c+GpBKq5qIzfs2YErCi6y5JSDyzlpiOX0doXNjPc7
+6czhO4bIpXG7XuAerVS1ZnO7KpwxBBO3pK9iTivsR8Yo4gP5h7o73SD8TKCQ4Oq7
+b7wVDKncExUtK/1firP90QWDLETeev+QX87Rt5b0+RnWG+lZiWlnUbMMjkLQoHMh
+JNSFsqPNkt06Oc2LgzBnoNAkTOIBqKdfpBx6HmZchn3JdbY0g9U=
+=mz0x
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-23:14/regcomp.patch b/website/static/security/patches/EN-23:14/regcomp.patch
new file mode 100644
index 0000000000..b3cf36ebd5
--- /dev/null
+++ b/website/static/security/patches/EN-23:14/regcomp.patch
@@ -0,0 +1,33 @@
+--- lib/libc/regex/regcomp.c.orig
++++ lib/libc/regex/regcomp.c
+@@ -828,10 +828,10 @@
+ handled = false;
+
+ assert(MORE()); /* caller should have ensured this */
+- c = GETNEXT();
++ c = (uch)GETNEXT();
+ if (c == '\\') {
+ (void)REQUIRE(MORE(), REG_EESCAPE);
+- cc = GETNEXT();
++ cc = (uch)GETNEXT();
+ c = BACKSL | cc;
+ #ifdef LIBREGEX
+ if (p->gnuext) {
+@@ -992,7 +992,7 @@
+ int ndigits = 0;
+
+ while (MORE() && isdigit((uch)PEEK()) && count <= DUPMAX) {
+- count = count*10 + (GETNEXT() - '0');
++ count = count*10 + ((uch)GETNEXT() - '0');
+ ndigits++;
+ }
+
+@@ -1302,7 +1302,7 @@
+
+ if ((p->pflags & PFLAG_LEGACY_ESC) != 0)
+ return (true);
+- if (isalpha(ch) || ch == '\'' || ch == '`')
++ if (iswalpha(ch) || ch == '\'' || ch == '`')
+ return (false);
+ return (true);
+ #ifdef NOTYET
diff --git a/website/static/security/patches/EN-23:14/regcomp.patch.asc b/website/static/security/patches/EN-23:14/regcomp.patch.asc
new file mode 100644
index 0000000000..a39e86454f
--- /dev/null
+++ b/website/static/security/patches/EN-23:14/regcomp.patch.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKaEACgkQbljekB8A +Gu+pIA//Wifwi3NMr++co8mYoIbszyN6kkaA30d5guB8gNdqL834Ipcpai+pYj6Z +Z9ARlVHZkawwBEfPQOXi+0Q1c1o55QsSwpunUJ2gbtcFrAnh7huXLT3gE4QSEEKu +XvepH/mCOmBL4tPC2lGiiRXH7xZ9AGS8N0vyOfryks39DG1N0s900a56qaUs5sQx +6/7Th2tucHM5XR7J6fp2PL2vd4U3/EbtdeYpf3uvdRF01u1qiyHL1gwANLs944wD +u7Clh+3rgHDcuMoZuU+29DRiAAhhB53CMoK+nb981vmYEZ0BvaQ6D1RE+TrLdyaR +YBTHcwUaY4J330hxMAeI+pHD82fZeVze1REepizIaG6zBvYJ0ZgArkJ5kF7zPicq +8cuMx/AnFwjhNj/1HuBSbRcPNj6qjDwbrIM3bh7N0O+r28IrhJdhCkbN4N90shBn +eBx3s2gIQHkvFwpIOzlfF6RagTWJfIoX90agFQcdhzujZaFdYj8u5xXkkGqrlBoL +j/myQeaX34rkus72370EowT5XfmcM7du7968shIU/NvDpT4RKml4yivjFPP4mLNS +9VCj8l9VAeFSv/hLHWkmUh/Y6VS5GCdKGm+bBwVOdHOKUInDNIS0AyPfUjmk4bWw +hT3S0dK7jyKYVG6/TlVhrRsbJ58iOOGBF6fsCBALd9cPZHOyiTE= +=uTh+ +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-23:15/stdio.12.patch b/website/static/security/patches/SA-23:15/stdio.12.patch new file mode 100644 index 0000000000..238780a3d5 --- /dev/null +++ b/website/static/security/patches/SA-23:15/stdio.12.patch 
@@ -0,0 +1,42 @@
+--- lib/libc/stdio/fflush.c.orig
++++ lib/libc/stdio/fflush.c
+@@ -106,10 +106,10 @@
+ __sflush(FILE *fp)
+ {
+ unsigned char *p;
+- int n, t;
++ int n, f, t;
+
+- t = fp->_flags;
+- if ((t & __SWR) == 0)
++ f = fp->_flags;
++ if ((f & __SWR) == 0)
+ return (0);
+
+ if ((p = fp->_bf._base) == NULL)
+@@ -122,19 +122,18 @@
+ * exchange buffering (via setvbuf) in user write function.
+ */
+ fp->_p = p;
+- fp->_w = t & (__SLBF|__SNBF) ? 0 : fp->_bf._size;
++ fp->_w = f & (__SLBF|__SNBF) ? 0 : fp->_bf._size;
+
+ for (; n > 0; n -= t, p += t) {
+ t = _swrite(fp, (char *)p, n);
+ if (t <= 0) {
+- /* Reset _p and _w. */
+- if (p > fp->_p) {
++ if (p > fp->_p)
+ /* Some was written. */
+ memmove(fp->_p, p, n);
+- fp->_p += n;
+- if ((fp->_flags & (__SLBF | __SNBF)) == 0)
+- fp->_w -= n;
+- }
++ /* Reset _p and _w. */
++ fp->_p += n;
++ if ((fp->_flags & __SNBF) == 0)
++ fp->_w -= n;
+ fp->_flags |= __SERR;
+ return (EOF);
+ }
diff --git a/website/static/security/patches/SA-23:15/stdio.12.patch.asc b/website/static/security/patches/SA-23:15/stdio.12.patch.asc
new file mode 100644
index 0000000000..4f33a02361
--- /dev/null
+++ b/website/static/security/patches/SA-23:15/stdio.12.patch.asc
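Review bot: In the error branch of `__sflush()` in stdio.12.patch, the new `if (p > fp->_p)` has no braces and a comment sits between the condition and `memmove(fp->_p, p, n);`, so it is easy to misread which of the following statements are conditional. Bracing it as `if (p > fp->_p) { /* Some was written. */ memmove(fp->_p, p, n); }` would make it obvious that `fp->_p += n` and the `_w` adjustment now run on every failed write. The narrowing of the test from `(__SLBF | __SNBF)` to `__SNBF` is what addresses the line-buffered case described in SA-23:15, and it deserves its own comment, for example `/* Line-buffered streams keep the unwritten bytes too, so _w must account for them. */`. The same lines appear in stdio.13.patch, and the body of `__sflush()` starts and ends outside the hunk.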
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmVLKaMACgkQbljekB8A +Gu9duhAAnc7k//U2XNdC4H7Czu9QTZBHwJFh6kMZBN8H70iauT+jrsMfImtHq4CC +rm1n7y0ke63LqA9OTjFzYqYxd13gWC2XxB6Ct/FGEZ+gKqYE4zdGL2qDuQEvU0+C +Z06ZKN6HdR2fXKPxxw5O5/18YEgRg+XANw2kZ9c2+6cd6Gj4QkrCDURFhqYbwTma +hXRK4Bk7eZc/D/rE98M1T1lUObjWiknJYsmEnYwWgVbQuldaAulxhFCKOaU7Nc/4 +czIYP6cQtCKtBq9UdW/kZfqZL1r1mnmZu0gJh4CvhcSOXuBQE5ir8ffHJ0aKSknG +4tenkPpC6IcJ957HYSFanA5q+3lJ2jwzO9Z6lSjS05CGD0mThIwrNcEKtK2EhF9q +4WlY8GpU3QI0gxPfZZDxF40faGc8V7Vx6UhcP/I05hDbUiB4HVtSRyJJU5yq+AXW +TckXDME4N8ix6Ceu4b3frwBXXsAOD9lPPuQkMBjkwRbRei3hnPNaoifhzEhiGU8U +OCDS1CueXZ7gAM62VBWHOylgIfoXdPv2QAn6+p7iFinKz0qPi4ucSxUENbkbR9/u +oRCsmIZIiTjsQaFGgL7HppBEQzMmd5BreHatq5o7488KUxAuS9Eszorn1b8zbnTW +UsjOLrRf5xfYWN+YOp5/gWUFNyGlY2QZHTZ5iQ2j5UoWPB1IyCc= +=yCZH +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/SA-23:15/stdio.13.patch b/website/static/security/patches/SA-23:15/stdio.13.patch new file mode 100644 index 0000000000..3ac8741c35 --- /dev/null +++ b/website/static/security/patches/SA-23:15/stdio.13.patch 
@@ -0,0 +1,125 @@ +--- lib/libc/stdio/fflush.c.orig ++++ lib/libc/stdio/fflush.c +@@ -105,11 +105,11 @@ + int + __sflush(FILE *fp) + { +- unsigned char *p, *old_p; +- int n, t, old_w; ++ unsigned char *p; ++ int n, f, t; + +- t = fp->_flags; +- if ((t & __SWR) == 0) ++ f = fp->_flags; ++ if ((f & __SWR) == 0) + return (0); + + if ((p = fp->_bf._base) == NULL) +@@ -121,26 +121,19 @@ + * Set these immediately to avoid problems with longjmp and to allow + * exchange buffering (via setvbuf) in user write function. + */ +- old_p = fp->_p; + fp->_p = p; +- old_w = fp->_w; +- fp->_w = t & (__SLBF|__SNBF) ? 0 : fp->_bf._size; ++ fp->_w = f & (__SLBF|__SNBF) ? 0 : fp->_bf._size; + + for (; n > 0; n -= t, p += t) { + t = _swrite(fp, (char *)p, n); + if (t <= 0) { +- /* Reset _p and _w. */ +- if (p > fp->_p) { ++ if (p > fp->_p) + /* Some was written. */ + memmove(fp->_p, p, n); +- fp->_p += n; +- if ((fp->_flags & (__SLBF | __SNBF)) == 0) +- fp->_w -= n; +- /* conditional to handle setvbuf */ +- } else if (p == fp->_p && errno == EINTR) { +- fp->_p = old_p; +- fp->_w = old_w; +- } ++ /* Reset _p and _w. 
*/ ++ fp->_p += n; ++ if ((fp->_flags & __SNBF) == 0) ++ fp->_w -= n; + fp->_flags |= __SERR; + return (EOF); + } +--- lib/libc/stdio/fvwrite.c.orig ++++ lib/libc/stdio/fvwrite.c +@@ -38,7 +38,6 @@ + #include <sys/cdefs.h> + __FBSDID("$FreeBSD$"); + +-#include <errno.h> + #include <stdio.h> + #include <stdlib.h> + #include <string.h> +@@ -55,7 +54,6 @@ + __sfvwrite(FILE *fp, struct __suio *uio) + { + size_t len; +- unsigned char *old_p; + char *p; + struct __siov *iov; + int w, s; +@@ -139,12 +137,8 @@ + COPY(w); + /* fp->_w -= w; */ /* unneeded */ + fp->_p += w; +- old_p = fp->_p; +- if (__fflush(fp) == EOF) { +- if (old_p == fp->_p && errno == EINTR) +- fp->_p -= w; ++ if (__fflush(fp)) + goto err; +- } + } else if (len >= (w = fp->_bf._size)) { + /* write directly */ + w = _swrite(fp, p, w); +@@ -183,12 +177,8 @@ + COPY(w); + /* fp->_w -= w; */ + fp->_p += w; +- old_p = fp->_p; +- if (__fflush(fp) == EOF) { +- if (old_p == fp->_p && errno == EINTR) +- fp->_p -= w; ++ if (__fflush(fp)) + goto err; +- } + } else if (s >= (w = fp->_bf._size)) { + w = _swrite(fp, p, w); + if (w <= 0) +--- lib/libc/stdio/wbuf.c.orig ++++ lib/libc/stdio/wbuf.c +@@ -52,7 +52,6 @@ + int + __swbuf(int c, FILE *fp) + { *** 257 LINES SKIPPED ***