git: d6f580f7470f - main - security/vuxml: catch up with recent FreeBSD SAs

From: Philip Paeps <philip_at_FreeBSD.org>
Date: Thu, 31 Aug 2023 06:03:32 UTC
The branch main has been updated by philip:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d6f580f7470f1b7714bb26ea743ccc83344add2b

commit d6f580f7470f1b7714bb26ea743ccc83344add2b
Author:     Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2023-08-31 06:01:56 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2023-08-31 06:01:56 +0000

    security/vuxml: catch up with recent FreeBSD SAs
    
    Add FreeBSD SAs issued since FreeBSD-SA-22:13.zlib in August 2022.
    
    2022-11-15  FreeBSD-SA-22:14.heimdal
    2022-11-29  FreeBSD-SA-22:15.ping
    2023-02-08  FreeBSD-SA-23:01.geli
    2023-02-16  FreeBSD-SA-23:02.openssh
    2023-02-16  FreeBSD-SA-23:03.openssl
    2023-06-21  FreeBSD-SA-23:04.pam_krb5
    2023-06-21  FreeBSD-SA-23:05.openssh
    2023-08-01  FreeBSD-SA-23:06.ipv6
    2023-08-01  FreeBSD-SA-23:07.bhyve
    2023-08-01  FreeBSD-SA-23:08.ssh
    2023-08-01  FreeBSD-SA-23:09.pam_krb5
---
 security/vuxml/vuln/2023.xml | 451 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 451 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 2a5ec150d30c..004ff289d908 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,454 @@
+  <vuln vid="9b0d9832-47c1-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- Network authentication attack via pam_krb5</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>13.2</ge><lt>13.2_2</lt></range>
+	<range><ge>13.1</ge><lt>13.1_9</lt></range>
+	<range><ge>12.4</ge><lt>12.4_4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following
+	the patch for that advisory.</p>
+	<h1>Impact:</h1>
+	<p>The impact described in FreeBSD-SA-23:04.pam_krb5 persists.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-3326</cvename>
+      <freebsdsa>SA-23:09.pam_krb5</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-08-01</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="291d0953-47c1-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- Potential remote code execution via ssh-agent forwarding</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>13.2</ge><lt>13.2_2</lt></range>
+	<range><ge>13.1</ge><lt>13.1_9</lt></range>
+	<range><ge>12.4</ge><lt>12.4_4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The server may cause ssh-agent to load shared libraries other than
+	those required for PKCS#11 support.  These shared libraries may have
+	side effects that occur on load and unload (dlopen and dlclose).</p>
+	<h1>Impact:</h1>
+	<p>An attacker with access to a server that accepts a forwarded
+	ssh-agent connection may be able to execute code on the machine running
+	ssh-agent.  Note that the attack relies on properties of operating
+	system-provided libraries.  This has been demonstrated on other
+	operating systems; it is unknown whether this attack is possible using
+	the libraries provided by a FreeBSD installation.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-38408</cvename>
+      <freebsdsa>SA-23:08.ssh</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-08-01</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="ab437561-47c0-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- bhyve privileged guest escape via fwctl</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>13.2</ge><lt>13.2_2</lt></range>
+	<range><ge>13.1</ge><lt>13.1_9</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>The fwctl driver implements a state machine which is executed when
+	the guest accesses certain x86 I/O ports.  The interface lets the guest
+	copy a string into a buffer resident in the bhyve process' memory.  A
+	bug in the state machine implementation can result in a buffer
+	overflowing when copying this string.</p>
+	<h1>Impact:</h1>
+	<p>A malicious, privileged software running in a guest VM can exploit
+	the buffer overflow to achieve code execution on the host in the bhyve
+	userspace process, which typically runs as root.  Note that bhyve runs
+	in a Capsicum sandbox, so malicious code is constrained by the
+	capabilities available to the bhyve process.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-3494</cvename>
+      <freebsdsa>SA-23:07.bhyve</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-08-01</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="3dabf5b8-47c0-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- Remote denial of service in IPv6 fragment reassembly</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>13.2</ge><lt>13.2_2</lt></range>
+	<range><ge>13.1</ge><lt>13.1_9</lt></range>
+	<range><ge>12.4</ge><lt>12.4_4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>Each fragment of an IPv6 packet contains a fragment header which
+	specifies the offset of the fragment relative to the original packet,
+	and each fragment specifies its length in the IPv6 header.  When
+	reassembling the packet, the kernel calculates the complete IPv6 payload
+	length.  The payload length must fit into a 16-bit field in the IPv6
+	header.</p>
+	<p>Due to a bug in the kernel, a set of carefully crafted packets can
+	trigger an integer overflow in the calculation of the reassembled
+	packet's payload length field.</p>
+	<h1>Impact:</h1>
+	<p>Once an IPv6 packet has been reassembled, the kernel continues
+	processing its contents.  It does so assuming that the fragmentation
+	layer has validated all fields of the constructed IPv6 header.  This bug
+	violates such assumptions and can be exploited to trigger a remote
+	kernel panic, resulting in a denial of service.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-3107</cvename>
+      <freebsdsa>SA-23:06.ipv6</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-08-01</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="e31a8f8e-47bf-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- ssh-add does not honor per-hop destination constraints</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>12.4</ge><lt>12.4_3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>When using ssh-add(1) to add smartcard keys to ssh-agent(1) with
+	per-hop destination constraints, a logic error prevented the constraints
+	from being sent to the agent resulting in keys being added to the agent
+	without constraints.</p>
+	<h1>Impact:</h1>
+	<p>A malicious server could leverage the keys provided by a forwarded
+	agent that would normally not be allowed due to the logic error.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-28531</cvename>
+      <freebsdsa>SA-23:05.openssh</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-06-21</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="41af0277-47bf-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- Network authentication attack via pam_krb5</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>13.2</ge><lt>13.2_1</lt></range>
+	<range><ge>13.1</ge><lt>13.1_8</lt></range>
+	<range><ge>12.4</ge><lt>12.4_3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>pam_krb5 authenticates the user by essentially running kinit(1) with
+	the password, getting a `ticket-granting ticket' (tgt) from the Kerberos
+	KDC (Key Distribution Center) over the network, as a way to verify the
+	password.</p>
+	<p>Normally, the system running the pam_krb5 module will also have a
+	keytab, a key provisioned by the KDC. The pam_krb5 module will use the
+	tgt to get a service ticket and validate it against the keytab, ensuring
+	the tgt is valid and therefore, the password is valid.</p>
+	<p>However, if a keytab is not provisioned on the system, pam_krb5 has
+	no way to validate the response from the KDC, and essentially trusts the
+	tgt provided over the network as being valid.</p>
+	<h1>Impact:</h1>
+	<p>In a non-default FreeBSD installation that leverages pam_krb5 for
+	authentication and does not have a keytab provisioned, an attacker that
+	is able to control both the password and the KDC responses can return a
+	valid tgt, allowing authentication to occur for any user on the
+	system.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-3326</cvename>
+      <freebsdsa>SA-23:04.pam_krb5</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-06-21</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c8eb4c40-47bd-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- Multiple vulnerabilities in OpenSSL</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>13.1</ge><lt>13.1_7</lt></range>
+	<range><ge>12.4</ge><lt>12.4_2</lt></range>
+	<range><ge>12.3</ge><lt>12.3_12</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<h2>X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)</h2>
+	<p>There is a type confusion vulnerability relating to X.400 address processing
+	inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
+	the public structure definition for GENERAL_NAME incorrectly specified the type
+	of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
+	the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
+	ASN1_STRING.</p>
+	<h2>Timing Oracle in RSA Decryption (CVE-2022-4304)</h2>
+	<p>A timing based side channel exists in the OpenSSL RSA Decryption
+	implementation.</p>
+	<h2>Use-after-free following BIO_new_NDEF (CVE-2023-0215)</h2>
+	<p>The public API function BIO_new_NDEF is a helper function used for streaming
+	ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support
+	the SMIME, CMS and PKCS7 streaming capabilities, but may also be called
+	directly by end user applications.</p>
+	<p>The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter
+	BIO onto the front of it to form a BIO chain, and then returns the new head
+	of the BIO chain to the caller. Under certain conditions, for example if a
+	CMS recipient public key is invalid, the new filter BIO is freed and the
+	function returns a NULL result indicating a failure. However, in this case,
+	the BIO chain is not properly cleaned up and the BIO passed by the caller
+	still retains internal pointers to the previously freed filter BIO.</p>
+	<h2>Double free after calling PEM_read_bio_ex (CVE-2022-4450)</h2>
+	<p>The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
+	decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
+	data.  If the function succeeds then the "name_out", "header" and "data"
+	arguments are populated with pointers to buffers containing the relevant
+	decoded data. The caller is responsible for freeing those buffers. It is
+	possible to construct a PEM file that results in 0 bytes of payload data. In
+	this case PEM_read_bio_ex() will return a failure code but will populate the
+	header argument with a pointer to a buffer that has already been freed.</p>
+	<h1>Impact:</h1>
+	<h2>X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)</h2>
+	<p>When CRL checking is enabled (i.e. the application sets the
+	X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
+	arbitrary pointers to a memcmp call, enabling them to read memory contents or
+	enact a denial of service. In most cases, the attack requires the attacker to
+	provide both the certificate chain and CRL, neither of which need to have a
+	valid signature. If the attacker only controls one of these inputs, the other
+	input must already contain an X.400 address as a CRL distribution point, which
+	is uncommon. As such, this vulnerability is most likely to only affect
+	applications which have implemented their own functionality for retrieving CRLs
+	over a network.</p>
+	<h2>Timing Oracle in RSA Decryption (CVE-2022-4304)</h2>
+	<p>A timing based side channel exists in the OpenSSL RSA Decryption implementation
+	which could be sufficient to recover a plaintext across a network in a
+	Bleichenbacher style attack. To achieve a successful decryption an attacker
+	would have to be able to send a very large number of trial messages for
+	decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
+	RSA-OEAP and RSASVE.</p>
+	<h2>Use-after-free following BIO_new_NDEF (CVE-2023-0215)</h2>
+	<p>A use-after-free will occur under certain conditions. This will most likely
+	result in a crash.</p>
+	<h2>Double free after calling PEM_read_bio_ex (CVE-2022-4450)</h2>
+	<p>A double free may occur. This will most likely lead to a crash. This could be
+	exploited by an attacker who has the ability to supply malicious PEM files
+	for parsing to achieve a denial of service attack.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-0286</cvename>
+      <cvename>2023-0215</cvename>
+      <cvename>2022-4450</cvename>
+      <cvename>2022-4304</cvename>
+      <freebsdsa>SA-23:03.openssl</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-02-16</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="09b7cd39-47bd-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- OpenSSH pre-authentication double free</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>12.4</ge><lt>12.4_2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>A flaw in the backwards-compatibility key exchange route allows a
+	pointer to be freed twice.</p>
+	<h1>Impact:</h1>
+	<p>A remote, unauthenticated attacker may be able to cause a denial of
+	service, or possibly remote code execution.</p>
+	<p>Note that FreeBSD 12.3 and FreeBSD 13.1 include older versions of
+	OpenSSH, and are not affected.  FreeBSD 13.2-BETA1 and later include the
+	fix.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-25136</cvename>
+      <freebsdsa>SA-23:02.openssh</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-02-16</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="3fcab88b-47bc-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- GELI silently omits the keyfile if read from stdin</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>13.1</ge><lt>13.1_6</lt></range>
+	<range><ge>12.4</ge><lt>12.4_1</lt></range>
+	<range><ge>12.3</ge><lt>12.3_11</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>When GELI reads a key file from a standard input, it doesn't store it
+	anywhere.  If the user tries to initialize multiple providers at once,
+	for the second and subsequent devices the standard input stream will be
+	already empty.  In this case, GELI silently uses a NULL key as the user
+	key file.  If the user used only a key file without a user passphrase,
+	the master key was encrypted with an empty key file.  This might not be
+	noticed if the devices were also decrypted in a batch operation.</p>
+	<h1>Impact:</h1>
+	<p>Some GELI providers might be silently encrypted with a NULL key
+	file.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2023-0751</cvename>
+      <freebsdsa>SA-23:01.geli</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2023-02-08</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="a005aea9-47bb-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- Stack overflow in ping(8)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>13.1</ge><lt>13.1_5</lt></range>
+	<range><ge>12.3</ge><lt>12.3_10</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>ping reads raw IP packets from the network to process responses in
+	the pr_pack() function.  As part of processing a response ping has to
+	reconstruct the IP header, the ICMP header and if present a "quoted
+	packet," which represents the packet that generated an ICMP error.
+	The quoted packet again has an IP header and an ICMP header.</p>
+	<p>The pr_pack() copies received IP and ICMP headers into stack buffers
+	for further processing.  In so doing, it fails to take into account the
+	possible presence of IP option headers following the IP header in either
+	the response or the quoted packet.  When IP options are present,
+	pr_pack() overflows the destination buffer by up to 40 bytes.</p>
+	<h1>Impact:</h1>
+	<p>The memory safety bugs described above can be triggered by a remote
+	host, causing the ping program to crash.</p>
+	<p>The ping process runs in a capability mode sandbox on all affected
+	versions of FreeBSD and is thus very constrained in how it can interact
+	with the rest of the system at the point where the bug can occur.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2022-23093</cvename>
+      <freebsdsa>SA-22:15.ping</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2022-11-29</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="97c1b0f7-47b9-11ee-8e38-002590c1f29c">
+    <topic>FreeBSD -- Multiple vulnerabilities in Heimdal</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>13.1</ge><lt>13.1_4</lt></range>
+	<range><ge>12.3</ge><lt>12.3_9</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	<p>Multiple security vulnerabilities have been discovered in the Heimdal
+	implementation of the Kerberos 5 network authentication
+	protocols and KDC.</p>
+	<ul>
+	  <li>CVE-2022-42898 PAC parse integer overflows</li>
+	  <li>CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour</li>
+	  <li>CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors</li>
+	  <li>CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec</li>
+	  <li>CVE-2019-14870 Validate client attributes in protocol-transition</li>
+	  <li>CVE-2019-14870 Apply forwardable policy in protocol-transition</li>
+	  <li>CVE-2019-14870 Always lookup impersonate client in DB</li>
+	</ul>
+	<h1>Impact:</h1>
+	<p>A malicious actor with control of the network between a client and a
+	service using Kerberos for authentication can impersonate either the
+	client or the service, enabling a man-in-the-middle (MITM) attack
+	circumventing mutual authentication.</p>
+	<p>Note that, while CVE-2022-44640 is a severe vulnerability, possibly
+	enabling remote code execution on other platforms, the version of
+	Heimdal included with the FreeBSD base system cannot be exploited in
+	this way on FreeBSD.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>2019-14870</cvename>
+      <cvename>2021-44758</cvename>
+      <cvename>2022-3437</cvename>
+      <cvename>2022-42898</cvename>
+      <cvename>2022-44640</cvename>
+      <freebsdsa>SA-22:14.heimdal</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2022-11-15</discovery>
+      <entry>2023-08-31</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="22fffa69-46fa-11ee-8290-a8a1599412c6">
     <topic>chromium -- use after free in MediaStream</topic>
     <affects>
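Review bot: the SA-23:01.geli entry (vid 3fcab88b-47bc-11ee-8e38-002590c1f29c) declares `<name>FreeBSD-kernel</name>`, yet the problem it describes is the geli utility reading a key file from standard input while initialising several providers in one batch, which is userland behaviour; the other entries in this hunk use FreeBSD-kernel only for the in-kernel IPv6 reassembly bug and `<name>FreeBSD</name>` for userland components such as ping, bhyve and ssh-agent. If the corrected code lives in the geli command rather than in the kernel, the package name here should be FreeBSD so that a pkgbase `pkg audit` matches the package that actually carries the fix. Please confirm against the SA's patch before merging.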