svn commit: r47162 - in head/share: security/advisories security/patches/SA-15:18 security/patches/SA-15:19 xml
Xin LI
delphij at FreeBSD.org
Wed Aug 5 22:18:34 UTC 2015
Author: delphij
Date: Wed Aug 5 22:18:29 2015
New Revision: 47162
URL: https://svnweb.freebsd.org/changeset/doc/47162
Log:
Add SA-15:18 and SA-15:19.
Added:
head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-15:19.routed.asc (contents, props changed)
head/share/security/patches/SA-15:18/
head/share/security/patches/SA-15:18/bsdpatch.patch (contents, props changed)
head/share/security/patches/SA-15:18/bsdpatch.patch.asc (contents, props changed)
head/share/security/patches/SA-15:19/
head/share/security/patches/SA-15:19/routed.patch (contents, props changed)
head/share/security/patches/SA-15:19/routed.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc Wed Aug 5 22:18:29 2015 (r47162)
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:18.bsdpatch Security Advisory
+ The FreeBSD Project
+
+Topic: shell injection vulnerability in patch(1)
+
+Category: contrib
+Module: patch
+Announced: 2015-08-05
+Credits: Martin Natano
+Affects: FreeBSD 10.x.
+Corrected: 2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
+ 2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
+ 2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
+ 2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
+ 2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
+CVE Name: CVE-2015-1418
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The patch(1) utility takes a patch file produced by the diff(1) program and
+apply the differences to an original file, producing a patched version.
+
+The patch(1) utility supports patches that uses ed(1) script format, as
+required by the POSIX.1-2008 standard.
+
+ed(1) is a line-oriented text editor.
+
+II. Problem Description
+
+Due to insufficient sanitization of the input patch stream, it is possible
+for a patch file to cause patch(1) to pass certain ed(1) scripts to the
+ed(1) editor, which would run commands.
+
+III. Impact
+
+This issue could be exploited to execute arbitrary commands as the user
+invoking patch(1) against a specically crafted patch file, which could be
+leveraged to obtain elevated privileges.
+
+IV. Workaround
+
+No workaround is available, but systems where a privileged user does not
+make use of patches without proper validation are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+A reboot is not required after updating.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+A reboot is not required after updating.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:18/bsdpatch.patch.asc
+# gpg --verify bsdpatch.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/10/ r286348
+releng/10.1/ r286351
+releng/10.2/ r286350
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1418>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:18.bsdpatch.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=iR0L
+-----END PGP SIGNATURE-----
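Review bot: Section III (Impact) reads "specically crafted patch file", which should be "specially crafted". Section I has two agreement slips ("takes a patch file ... and apply", "patches that uses"). The text sits inside a PGP clearsigned block, so any correction needs a fresh signature and is best made before the advisory is published. In step 3b, "patch < /path/to/patch" does not name the file fetched in step 3a. Writing "/path/to/bsdpatch.patch" would match the way SA-15:19 in this same commit names routed.patch.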
Added: head/share/security/advisories/FreeBSD-SA-15:19.routed.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-15:19.routed.asc Wed Aug 5 22:18:29 2015 (r47162)
@@ -0,0 +1,164 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:19.routed Security Advisory
+ The FreeBSD Project
+
+Topic: routed(8) remote denial of service vulnerability
+
+Category: core
+Module: routed
+Announced: 2015-08-05
+Credits: Hiroki Sato
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-08-05 22:05:02 UTC (stable/10, 10.2-PRERELEASE)
+ 2015-08-05 22:05:02 UTC (stable/10, 10.2-BETA2-p3)
+ 2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC1-p2)
+ 2015-08-05 22:05:12 UTC (releng/10.2, 10.2-RC2-p1)
+ 2015-08-05 22:05:18 UTC (releng/10.1, 10.1-RELEASE-p17)
+ 2015-08-05 22:05:07 UTC (stable/9, 9.3-STABLE)
+ 2015-08-05 22:05:24 UTC (releng/9.3, 9.3-RELEASE-p22)
+CVE Name: CVE-2015-5674
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+The routing information protocol (RIP) is an older routing protocol
+which, while not as capable as more recent protocols such as OSPF and
+BGP, is sometimes preferred for its simplicity and therefore still
+used as an interior gateway protocol on smaller networks.
+
+Routers in a RIP network periodically broadcast their routing table on
+all enabled interfaces. Neighboring routers and hosts receive these
+broadcasts and update their routing tables accordingly.
+
+The routed(8) daemon is a RIP implementation for FreeBSD. The
+rtquery(8) utility can be used to send a RIP query to a router and
+display the result without updating the routing table.
+
+II. Problem Description
+
+The input path in routed(8) will accept queries from any source and
+attempt to answer them. However, the output path assumes that the
+destination address for the response is on a directly connected
+network.
+
+III. Impact
+
+Upon receipt of a query from a source which is not on a directly
+connected network, routed(8) will trigger an assertion and terminate.
+The affected system's routing table will no longer be updated. If the
+affected system is a router, its routes will eventually expire from
+other routers' routing tables, and its networks will no longer be
+reachable unless they are also connected to another router.
+
+IV. Workaround
+
+Note that this problem does not affect a system on which routed(8)
+is not enabled. The routed(8) daemon is not enabled by default.
+
+Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP
+packets with destination port 520 that did not originate on the same
+subnet as the destination address.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+The routed service has to be restarted after the update. A reboot is
+recommended but not required.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+The routed service has to be restarted after the update. A reboot is
+recommended but not required.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch
+# fetch http://security.FreeBSD.org/patches/SA-15:19/routed.patch.asc
+# gpg --verify routed.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/routed.patch
+
+c) Recompile routed. Execute the following commands as root:
+
+# cd /usr/src/sbin/routed
+# make && make install
+
+Restart the routed daemon, or reboot the system.
+
+To restart the affected service after updating the system, either
+reboot the system or execute the following command as root:
+
+# service routed restart
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r286349
+releng/9.3/ r286352
+stable/10/ r286348
+releng/10.1/ r286351
+releng/10.2/ r286350
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5674>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-15:19.routed.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=p5Rl
+-----END PGP SIGNATURE-----
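Review bot: Step 3a fetches routed.patch and routed.patch.asc over "http://security.FreeBSD.org/...", and the "latest revision" link at the end is also http, while SA-15:18 in the same commit uses https for the same host. Suggest switching all three to https for consistency. Step 3c also gives the restart instruction twice in a row ("Restart the routed daemon, or reboot the system." followed by "To restart the affected service after updating the system, either reboot the system or execute ..."). The first sentence can be dropped, since the second carries the actual command.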
Added: head/share/security/patches/SA-15:18/bsdpatch.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:18/bsdpatch.patch Wed Aug 5 22:18:29 2015 (r47162)
@@ -0,0 +1,57 @@
+Index: usr.bin/patch/pathnames.h
+===================================================================
+--- usr.bin/patch/pathnames.h (revision 286254)
++++ usr.bin/patch/pathnames.h (working copy)
+@@ -9,4 +9,4 @@
+
+ #include <paths.h>
+
+-#define _PATH_ED "/bin/ed"
++#define _PATH_RED "/bin/red"
+Index: usr.bin/patch/pch.c
+===================================================================
+--- usr.bin/patch/pch.c (revision 286254)
++++ usr.bin/patch/pch.c (working copy)
+@@ -1,4 +1,3 @@
+-
+ /*-
+ * Copyright 1986, Larry Wall
+ *
+@@ -1409,6 +1408,7 @@ do_ed_script(void)
+ char *t;
+ off_t beginning_of_this_line;
+ FILE *pipefp = NULL;
++ int continuation;
+
+ if (!skip_rest_of_patch) {
+ if (copy_file(filearg[0], TMPOUTNAME) < 0) {
+@@ -1415,7 +1415,7 @@ do_ed_script(void)
+ unlink(TMPOUTNAME);
+ fatal("can't create temp file %s", TMPOUTNAME);
+ }
+- snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
++ snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
+ verbose ? " " : " -s ", TMPOUTNAME);
+ pipefp = popen(buf, "w");
+ }
+@@ -1433,7 +1433,19 @@ do_ed_script(void)
+ (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) {
+ if (pipefp != NULL)
+ fputs(buf, pipefp);
+- if (*t != 'd') {
++ if (*t == 's') {
++ for (;;) {
++ continuation = 0;
++ t = strchr(buf, '\0') - 1;
++ while (--t >= buf && *t == '\\')
++ continuation = !continuation;
++ if (!continuation ||
++ pgets(true) == 0)
++ break;
++ if (pipefp != NULL)
++ fputs(buf, pipefp);
++ }
++ } else if (*t != 'd') {
+ while (pgets(true)) {
+ p_input_line++;
+ if (pipefp != NULL)
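Review bot: In the new "if (*t == 's')" loop in do_ed_script(), continuation lines read with pgets(true) are forwarded to the pipe without "p_input_line++", while the existing "else if (*t != 'd')" branch just below increments it for every line it consumes. Line numbers reported after a multi-line s command will be off unless the counter is bumped there too. The backslash count also starts from "strchr(buf, '\0') - 1" and pre-decrements, which assumes buf always ends in a newline. A one-line comment stating that assumption, or a guard for an empty or unterminated last line, would make the pointer arithmetic easier to trust. The switch from _PATH_ED to _PATH_RED carries the security intent of the change and deserves a comment in pathnames.h saying the restricted editor is required, so it is not reverted later. The blank-line removal at the top of pch.c is unrelated to the fix and could be left out of a security patch.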
Added: head/share/security/patches/SA-15:18/bsdpatch.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:18/bsdpatch.patch.asc Wed Aug 5 22:18:29 2015 (r47162)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=DXel
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-15:19/routed.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:19/routed.patch Wed Aug 5 22:18:29 2015 (r47162)
@@ -0,0 +1,17 @@
+Index: sbin/routed/input.c
+===================================================================
+--- sbin/routed/input.c (revision 286262)
++++ sbin/routed/input.c (working copy)
+@@ -160,6 +160,12 @@ input(struct sockaddr_in *from, /* received from
+
+ trace_rip("Recv", "from", from, sifp, rip, cc);
+
++ if (sifp == 0) {
++ trace_pkt(" discard a request from an indirect router"
++ " (possibly an attack)");
++ return;
++ }
++
+ if (rip->rip_vers == 0) {
+ msglim(&bad_router, FROM_NADDR,
+ "RIP version 0, cmd %d, packet received from %s",
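Review bot: The new "if (sifp == 0)" check in input() sits before the version test and before anything inspects the RIP command, so it drops every packet with no matching interface, yet the trace text says "discard a request from an indirect router". Either word the message for packets in general or add a comment that non-request packets are dropped here on purpose. sifp is a pointer, so "sifp == NULL" reads better than comparing with 0. The neighbouring code reports bad input through msglim(&bad_router, FROM_NADDR, ...). If the drop is meant to be noticed by an operator ("possibly an attack"), consider the same rate-limited path with the source address included rather than trace_pkt() alone.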
Added: head/share/security/patches/SA-15:19/routed.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-15:19/routed.patch.asc Wed Aug 5 22:18:29 2015 (r47162)
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.6 (FreeBSD)
+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+=wxDr
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Wed Aug 5 14:17:16 2015 (r47161)
+++ head/share/xml/advisories.xml Wed Aug 5 22:18:29 2015 (r47162)
@@ -8,6 +8,22 @@
<name>2015</name>
<month>
+ <name>8</name>
+
+ <day>
+ <name>5</name>
+
+ <advisory>
+ <name>FreeBSD-SA-15:19.routed</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-15:18.bsdpatch</name>
+ </advisory>
+ </day>
+ </month>
+
+ <month>
<name>7</name>
<day>