svn commit: r44715 - in head/share: security/advisories security/patches/SA-14:07 security/patches/SA-14:08 security/patches/SA-14:09 xml
Xin LI
delphij at
Wed Apr 30 04:32:40 UTC 2014
Author: delphij
Date: Wed Apr 30 04:32:38 2014
New Revision: 44715
Add 3 new advisories:
Fix devfs rules not applied by default for jails. [SA-14:07]
Fix OpenSSL use-after-free vulnerability. [SA-14:08]
Fix TCP reassembly vulnerability. [SA-14:09]
head/share/security/advisories/FreeBSD-SA-14:07.devfs.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-14:08.tcp.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-14:09.openssl.asc (contents, props changed)
head/share/security/patches/SA-14:07/devfs.patch (contents, props changed)
head/share/security/patches/SA-14:07/devfs.patch.asc (contents, props changed)
head/share/security/patches/SA-14:08/tcp.patch (contents, props changed)
head/share/security/patches/SA-14:08/tcp.patch.asc (contents, props changed)
head/share/security/patches/SA-14:09/openssl.patch (contents, props changed)
head/share/security/patches/SA-14:09/openssl.patch.asc (contents, props changed)
Added: head/share/security/advisories/FreeBSD-SA-14:07.devfs.asc
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:07.devfs.asc Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,149 @@
+Hash: SHA512
+FreeBSD-SA-14:07.devfs Security Advisory
+ The FreeBSD Project
+Topic: devfs rules not applied by default for jails
+Category: core
+Module: etc_rc.d
+Announced: 2014-04-30
+Affects: FreeBSD 10.0
+Corrected: 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
+ 2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
+CVE Name: CVE-2014-3001
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:>.
+I. Background
+The device file system, or devfs(5), provides access to kernel's device
+namespace in the global file system namespace.
+The devfs(5) rule subsystem provides a way for the administrator of a system
+to control the attributes of DEVFS nodes. Each DEVFS mount-point has a
+``ruleset'', or a list of rules, associated with it, allowing the
+administrator to change the properties, including the visibility, of certain
+II. Problem Description
+The default devfs rulesets are not loaded on boot, even when jails are used.
+Device nodes will be created in the jail with their normal default access
+permissions, while most of them should be hidden and inaccessible.
+III. Impact
+Jailed processes can get access to restricted resources on the host system.
+For jailed processes running with superuser privileges this implies access
+to all devices on the system. This level of access could lead to information
+leakage and privilege escalation.
+IV. Workaround
+Systems that do not run jails are not affected.
+The system administrator can do the following to load the default ruleset:
+/etc/rc.d/devfs onestart
+Then apply the default ruleset for jails on a devfs mount using:
+devfs -m ${devfs_mountpoint} rule -s 4 applyset
+Or, alternatively, the following command will apply the ruleset over all devfs
+mountpoints except the host one:
+ mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}' | \
+ xargs -n 1 -J % devfs -m % rule -s 4 applyset
+After this, the system administrator should add the following configuration
+to /etc/rc.conf to make it permanent, so the above operations do not have
+to be done each time the host system reboots.
+ devfs_load_rulesets="YES"
+V. Solution
+Perform one of the following:
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+2) To update your vulnerable system via a source code patch:
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+# fetch
+# fetch
+# gpg --verify devfs.patch.asc
+b) Execute the following commands as root:
+# cd /usr/src
+# patch < /path/to/patch
+# install -o root -g wheel -m 444 etc/defaults/rc.conf /etc/defaults/
+Follow the steps described in the "Workaround" section, or reboot the
+3) To update your vulnerable system via a binary patch:
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+# freebsd-update fetch
+# freebsd-update install
+VI. Correction details
+The following list contains the correction revision numbers for each
+affected branch.
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r265122
+releng/10.0/ r265124
+- -------------------------------------------------------------------------
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+# svn diff -cNNNNNN --summarize svn://
+Or visit the following URL, replacing NNNNNN with the revision number:
+VII. References
+The latest revision of this advisory is available at
+Version: GnuPG v2.0.22 (FreeBSD)
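Review bot: the pipeline in section IV that applies ruleset 4 to "all devfs mountpoints except the host one" (`mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}'`) selects every devfs mount other than /dev, not only the mounts belonging to jails, so a chroot or any other non-jail devfs mount on the host receives the jail ruleset as well; the text should either say that this is intended or restrict the command to the jails' devfs mountpoints (for example, the paths reported by jls(8)). Smaller points: section I breaks off after "the visibility, of certain", and the sentence in section V step 2b ends at "or reboot the" without its object, so both need completing before the advisory is published.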
Added: head/share/security/advisories/FreeBSD-SA-14:08.tcp.asc
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:08.tcp.asc Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,154 @@
+Hash: SHA512
+FreeBSD-SA-14:08.tcp Security Advisory
+ The FreeBSD Project
+Topic: TCP reassembly vulnerability
+Category: core
+Module: inet
+Announced: 2014-04-30
+Credits: Jonathan Looney
+Affects: All supported versions of FreeBSD.
+Corrected: 2014-04-30 04:04:20 UTC (stable/8, 8.4-STABLE)
+ 2014-04-30 04:05:47 UTC (releng/8.4, 8.4-RELEASE-p9)
+ 2014-04-30 04:05:47 UTC (releng/8.3, 8.3-RELEASE-p16)
+ 2014-04-30 04:04:20 UTC (stable/9, 9.2-STABLE)
+ 2014-04-30 04:05:47 UTC (releng/9.2, 9.2-RELEASE-p5)
+ 2014-04-30 04:05:47 UTC (releng/9.1, 9.1-RELEASE-p12)
+ 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
+ 2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
+CVE Name: CVE-2014-3000
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:>.
+I. Background
+The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
+provides a connection-oriented, reliable, sequence-preserving data
+stream service. When network packets making up a TCP stream (``TCP
+segments'') are received out-of-sequence, they are maintained in a
+reassembly queue by the destination system until they can be re-ordered
+and re-assembled.
+II. Problem Description
+FreeBSD may add a reassemble queue entry on the stack into the segment list
+when the reassembly queue reaches its limit. The memory from the stack is
+undefined after the function returns. Subsequent iterations of the
+reassembly function will attempt to access this entry.
+III. Impact
+An attacker who can send a series of specifically crafted packets with a
+connection could cause a denial of service situation by causing the kernel
+to crash.
+Additionally, because the undefined on stack memory may be overwritten by
+other kernel threads, while extremely difficult, it may be possible for
+an attacker to construct a carefully crafted attack to obtain portion of
+kernel memory via a connected socket. This may result in the disclosure of
+sensitive information such as login credentials, etc. before or even
+without crashing the system.
+IV. Workaround
+It is possible to defend to these attacks by doing traffic normalization
+using a firewall. This can be done by including the following /etc/pf.conf
+ scrub in all
+This requires pf(4) to be enabled, and have the mentioned configuration
+V. Solution
+Perform one of the following:
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+2) To update your vulnerable system via a source code patch:
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+# fetch
+# fetch
+# gpg --verify tcp.patch.asc
+b) Apply the patch.
+# cd /usr/src
+# patch < /path/to/patch
+c) Recompile your kernel as described in
+<URL:> and reboot the
+3) To update your vulnerable system via a binary patch:
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+# freebsd-update fetch
+# freebsd-update install
+VI. Correction details
+The following list contains the correction revision numbers for each
+affected branch.
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r265123
+releng/8.3/ r265125
+releng/8.4/ r265125
+stable/9/ r265123
+releng/9.1/ r265125
+releng/9.2/ r265125
+stable/10/ r265122
+releng/10.0/ r265124
+- -------------------------------------------------------------------------
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+# svn diff -cNNNNNN --summarize svn://
+Or visit the following URL, replacing NNNNNN with the revision number:
+VII. References
+The latest revision of this advisory is available at
+Version: GnuPG v2.0.22 (FreeBSD)
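Review bot: section II says the on-stack queue entry can be left in the segment list when the queue reaches its limit, but neither II nor III says under what condition that entry is not consumed again before the function returns. The accompanying tcp.patch gates both the queue-limit check and the allocation-failure path on `!TCPS_HAVEESTABLISHED(tp->t_state)`, which tells the reader that the dangerous path is reached only while the connection is not in an established state; the advisory should state that, since it changes how one reasons about exposure of a host and about what "a connection" in section III means. Also, "specifically crafted packets with a connection" in section III should read "over a connection", and "defend to these attacks" in section IV should read "defend against these attacks".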
Added: head/share/security/advisories/FreeBSD-SA-14:09.openssl.asc
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:09.openssl.asc Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,133 @@
+Hash: SHA512
+FreeBSD-SA-14:09.openssl Security Advisory
+ The FreeBSD Project
+Topic: OpenSSL use-after-free vulnerability
+Category: contrib
+Module: openssl
+Announced: 2014-04-30
+Affects: FreeBSD 10.x.
+Corrected: 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
+ 2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
+CVE Name: CVE-2010-5298
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:>.
+I. Background
+FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
+and Transport Layer Security (TLS v1) protocols as well as a full-strength
+general purpose cryptography library.
+OpenSSL context can be set to a mode called SSL_MODE_RELEASE_BUFFERS, which
+requests the library to release the memory it holds when a read or write buffer
+is no longer needed for the context.
+II. Problem Description
+The buffer may be released before the library have finished using it. It is
+possible that a different SSL connection in the same process would use the
+released buffer and write data into it.
+III. Impact
+An attacker may be able to inject data to a different connection that they
+should not be able to.
+IV. Workaround
+No workaround is available, but systems that do not use OpenSSL to implement
+the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
+protocols, or not using SSL_MODE_RELEASE_BUFFERS and use the same process
+to handle multiple SSL connections, are not vulnerable.
+The FreeBSD base system service daemons and utilities do not use the
+SSL_MODE_RELEASE_BUFFERS mode. However, many third party software uses this
+mode to reduce their memory footprint and may therefore be affected by this
+V. Solution
+Perform one of the following:
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+2) To update your vulnerable system via a source code patch:
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+# fetch
+# fetch
+# gpg --verify openssl.patch.asc
+Restart all deamons using the library, or reboot the system.
+3) To update your vulnerable system via a binary patch:
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+# freebsd-update fetch
+# freebsd-update install
+VI. Correction details
+The following list contains the correction revision numbers for each
+affected branch.
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r265122
+releng/10.0/ r265124
+- -------------------------------------------------------------------------
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+# svn diff -cNNNNNN --summarize svn://
+Or visit the following URL, replacing NNNNNN with the revision number:
+VII. References
+The latest revision of this advisory is available at
+Version: GnuPG v2.0.22 (FreeBSD)
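Review bot: section V step 2 stops after verifying the signature of openssl.patch and goes straight to "Restart all deamons using the library"; the step that applies the patch under /usr/src and rebuilds and installs the OpenSSL library is missing (compare steps b) and c) in SA-14:08), and without it restarting daemons changes nothing. Section IV is also ambiguous: "not using SSL_MODE_RELEASE_BUFFERS and use the same process to handle multiple SSL connections, are not vulnerable" reads as if both conditions had to hold; it should say that a system is not vulnerable if it does not set SSL_MODE_RELEASE_BUFFERS, or if it does not handle multiple SSL connections in the same process. Spelling and grammar: "deamons" should be "daemons", "before the library have finished" should be "has finished", "many third party software uses" should be "much third-party software uses", and the sentence ending "may therefore be affected by this" needs its object.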
Added: head/share/security/patches/SA-14:07/devfs.patch
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:07/devfs.patch Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,13 @@
+Index: etc/defaults/rc.conf
+--- etc/defaults/rc.conf (revision 265059)
++++ etc/defaults/rc.conf (working copy)
+@@ -649,7 +649,7 @@
+ devfs_system_ruleset="" # The name (NOT number) of a ruleset to apply to /dev
+ devfs_set_rulesets="" # A list of /mount/dev=ruleset_name settings to
+ # apply (must be mounted already, i.e. fstab(5))
+-devfs_load_rulesets="NO" # Enable to always load the default rulesets
++devfs_load_rulesets="YES" # Enable to always load the default rulesets
+ performance_cx_lowest="HIGH" # Online CPU idle state
+ performance_cpu_freq="NONE" # Online CPU frequency
+ economy_cx_lowest="HIGH" # Offline CPU idle state
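Review bot: flipping `devfs_load_rulesets` to "YES" in etc/defaults/rc.conf has no effect on a host whose /etc/rc.conf already sets `devfs_load_rulesets="NO"`, because /etc/rc.conf overrides the defaults file; the advisory's solution text should tell administrators to check for and remove such an override after installing the new defaults file. The changed line keeps the old comment "Enable to always load the default rulesets", which says nothing about why the default is now YES; extend it to say that jail devfs mounts are only restricted when the default rulesets are loaded, so the setting is not casually turned back off. Nothing else in this patch changes how a ruleset gets applied to a jail's devfs mount, so the default only helps together with the rc scripts that consume these rulesets, which the advisory should say explicitly.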
Added: head/share/security/patches/SA-14:07/devfs.patch.asc
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:07/devfs.patch.asc Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,17 @@
+Version: GnuPG v2.0.22 (FreeBSD)
Added: head/share/security/patches/SA-14:08/tcp.patch
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:08/tcp.patch Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,32 @@
+Index: sys/netinet/tcp_reass.c
+--- sys/netinet/tcp_reass.c (revision 264836)
++++ sys/netinet/tcp_reass.c (working copy)
+@@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ * Investigate why and re-evaluate the below limit after the behaviour
+ * is understood.
+ */
+- if (th->th_seq != tp->rcv_nxt &&
++ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+ V_tcp_reass_overflows++;
+ TCPSTAT_INC(tcps_rcvmemdrop);
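Review bot: the new `|| !TCPS_HAVEESTABLISHED(tp->t_state)` clause is not explained anywhere in the hunk; the block comment directly above it (ending "re-evaluate the below limit after the behaviour is understood") still only discusses the queue limit. Add a sentence to that comment stating that an in-sequence segment on a connection that is not yet established must be dropped here rather than fall through to the on-stack entry, because its data cannot be delivered in that state and the entry would otherwise stay on the list; without that, the next reader is likely to see the state check as redundant with `th->th_seq != tp->rcv_nxt` and remove it.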
+@@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ */
+ te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
+ if (te == NULL) {
+- if (th->th_seq != tp->rcv_nxt) {
++ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ TCPSTAT_INC(tcps_rcvmemdrop);
+ m_freem(m);
+ *tlenp = 0;
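Review bot: this is the second copy of the predicate `th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)`; the first is in the queue-limit check above, and both guard the same decision, whether this segment may be carried by the on-stack entry. Compute it once, e.g. `int use_stack_entry = (th->th_seq == tp->rcv_nxt && TCPS_HAVEESTABLISHED(tp->t_state));`, and test `!use_stack_entry` at both sites so that a future change to one cannot silently desynchronise the other.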
+@@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
+ TCPSTAT_INC(tcps_rcvduppack);
+ TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ m_freem(m);
+- uma_zfree(V_tcp_reass_zone, te);
++ if (te != &tqs)
++ uma_zfree(V_tcp_reass_zone, te);
+ tp->t_segqlen--;
+ /*
+ * Try to present any queued data
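Review bot: `tqs` is referenced here (`if (te != &tqs)`) but declared outside the visible hunks; the guard stops the address of the on-stack entry from being handed to `uma_zfree`, which is correct, but it is only added on the duplicate-segment path (`tcps_rcvduppack`). Every other `uma_zfree(V_tcp_reass_zone, te)` in tcp_reass() and in the code that drains the queue either needs the same check or must be shown to be unreachable with the stack entry, and the commit message should say which of the two holds. A one-line comment at the guard ("te may be the on-stack entry, never free it to the zone") would make the intent clear to the next reader.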
Added: head/share/security/patches/SA-14:08/tcp.patch.asc
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:08/tcp.patch.asc Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,17 @@
+Version: GnuPG v2.0.22 (FreeBSD)
Added: head/share/security/patches/SA-14:09/openssl.patch
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:09/openssl.patch Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,13 @@
+Index: crypto/openssl/ssl/s3_pkt.c
+--- crypto/openssl/ssl/s3_pkt.c (revision 265054)
++++ crypto/openssl/ssl/s3_pkt.c (working copy)
+@@ -1055,7 +1055,7 @@ start:
+ {
+ s->rstate=SSL_ST_READ_HEADER;
+ rr->off=0;
+- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
++ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
+ ssl3_release_read_buffer(s);
+ }
+ }
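Review bot: `s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0` relies on `&` binding tighter than `&&`; that is correct C, but a bitwise and a logical operator mixed without parentheses is easy to misread and some compilers warn about it, so write `(s->mode & SSL_MODE_RELEASE_BUFFERS) && s->s3->rbuf.left == 0`. The added `rbuf.left == 0` condition keeps the read buffer allocated while unconsumed bytes remain in it, which is the premature release the advisory describes; a short comment saying so belongs on the line, since the original gave no hint that releasing here was ever unsafe.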
Added: head/share/security/patches/SA-14:09/openssl.patch.asc
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-14:09/openssl.patch.asc Wed Apr 30 04:32:38 2014 (r44715)
@@ -0,0 +1,17 @@
+Version: GnuPG v2.0.22 (FreeBSD)
Modified: head/share/xml/advisories.xml
--- head/share/xml/advisories.xml Tue Apr 29 21:58:22 2014 (r44714)
+++ head/share/xml/advisories.xml Wed Apr 30 04:32:38 2014 (r44715)
@@ -11,6 +11,22 @@
+ <name>30</name>
+ <advisory>
+ <name>FreeBSD-SA-14:09.openssl</name>
+ </advisory>
+ <advisory>
+ <name>FreeBSD-SA-14:08.tcp</name>
+ </advisory>
+ <advisory>
+ <name>FreeBSD-SA-14:07.devfs</name>
+ </advisory>
+ </day>
+ <day>
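Review bot: as rendered, the hunk starts with `<name>30</name>` under no opening `<day>`, closes a `</day>`, and then opens a new `<day>` with nothing after it; the unchanged context lines that make this well-formed (the enclosing `<day>` above and the existing entry the re-opened `<day>` belongs to below) are not shown, so check the full diff rather than this excerpt before merging. The three entries are listed in descending advisory number (14:09, 14:08, 14:07); confirm that this matches the order used for other multi-advisory days in advisories.xml.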