From owner-freebsd-security-notifications@freebsd.org Mon Oct 10 07:51:45 2016
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:27.openssl
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161010075144.E937E16A5@freefall.freebsd.org>
Date: Mon, 10 Oct 2016 07:51:44 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:27.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Regression in OpenSSL suite

Category:       contrib
Module:         openssl
Announced:      2016-10-10
Credits:        OpenSSL Project
Affects:        All supported versions of FreeBSD.
Corrected:      2016-09-26 14:30:19 UTC (stable/11, 11.0-STABLE)
                2016-09-26 20:26:19 UTC (releng/11.0, 11.0-RELEASE-p1)
CVE Name:       CVE-2016-7052

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background
FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

The OpenSSL version included in FreeBSD 11.0-RELEASE is 1.0.2i.  This
version contains the bug fix for CVE-2016-7052, which should have included
a CRL sanity check, but the check was omitted.

III. Impact

Any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer
exception.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:27/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-16:27/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details
The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r306343
releng/11.0/                                                      r306354
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)

iQIcBAEBCgAGBQJX+0OlAAoJEO1n7NZdz2rnEPYQAOewieypFMknEi5Q02IBVhcC
Bs1sczFLXaSz+4c9lNRi+m6Q5TXbW0MM9ZhZDnoLOXZ9OZ7DsQ0OVJcmWPHCSTkT
WAlZgiB5B2xtZpLUNi0XAVPyegh+YxWCKa5mq/e4gC7BL+QhtTQqIlzsNylBDcI0
2Tp5fPfO3vIJlSwPpsUA2peYlm2c75/dusE0+bvWnqickWbEmFdCAd8rzTLrsm9R
w5essD2o6BzFPA9j+3X/LNaMI6ZKKa4EkaXXB42KHruDfNTV8dmYL/LLxWs6aj1f
Li++71GPh3aZZCA5SCo6NYdI25kg4xORZzqUmYzT856kdmpaemLd8oVT8/ojOCTX
CoNtA9yVphhYgfSGLy2BIs0u7U3H16SVjZ1oC5MjTAY6kUsEDt6x2vlKOt5452yN
3v2fHf9I8/ibgo4d4ovpGGzvrj/8EfodmDLhjYP5RcwZH4FW1jCUzXTflsYmPWMi
8+COC+K19MNIXR0M8ajs2M8z2ILc3pOUZ1sdrNhU1jEIyYCl8EDMEU0Bc13XlUKS
UE92RKfxIAMh+Zyu44++8UizfOorBVKhQVd+9NthMnfXW6xlnwujjbabam8k2E5V
Za4sBQ57JvL9aKrsbmB/hhVnxXE6jYqtp7tagXK+wwULO1SarpRp7HENd50ggH5l
yu2DM4rkIcwzTaJEdvyT
=5rNc
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:28.bind
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161010075150.89F2A1704@freefall.freebsd.org>
Date: Mon, 10 Oct 2016 07:51:50 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:28.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote Denial of Service vulnerability

Category:       contrib
Module:         bind
Announced:      2016-10-10
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2016-09-28 06:11:01 UTC (stable/9, 9.3-STABLE)
                2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)
CVE Name:       CVE-2016-2776

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

Testing by ISC has uncovered a critical error condition which can occur
when a nameserver is constructing a response.  A defect in the rendering
of messages into packets can cause named to exit with an assertion
failure in buffer.c while constructing a response to a query that meets
certain criteria.
This assertion can be triggered even if the apparent source address is
not allowed to make queries (i.e. doesn't match 'allow-query').
[CVE-2016-2776]

III. Impact

A remote attacker who can send queries to a server running BIND can cause
the server to crash, resulting in a Denial of Service condition.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update.  A reboot is
recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update.  A reboot is
recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:28/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:28/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the named service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r306394
releng/9.3/                                                       r306942
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)

iQIcBAEBCgAGBQJX+0OlAAoJEO1n7NZdz2rnt/cQAJJ/P9/cNH4mB3Oq9kks1TJI
thye1Bmd6BAS16UYj+S2POSkrwkTJLhg/Rtch/4O1TUJ7q86Dko/0nciF/4Qin/J
LrNhX2TUUTpQygfWdzTqdk9EiHLKT46sNh1Two4Lb9gMuBulES9Fy40gj8y81ypv
uys05i6DMAlY/EsmidTHFKUGGC9160XLS7wFWnlw9XglDHn2+pIDALHl77mmoXwR
VKiCbGO6IybDV5bATh12eflCSb+IJRT0MMOwJAt3Nhzp//7t2tf+izazzfs43IH4
HRkiDfkkxqAMus6h0Dm4xR91oe/oSzlEedKFM3ctHfQqyIi+AP0FKixf8pS72n7o
M0W5vIbkMSuTsiOTzyQUJpQ3tExvWeZjhNZj9U5trs2YNdPCRaM3pETUdF6GZmNC
tnPiTZFst3ARsy/4oJg8Eeo/cyrd/sfPm4fXCbXkakL7ml/Mu+/KEyq5qw43FIXn
96/btRfHsPSpy74KRtLsqSM29eCK9puGhJIk1iBtuhuTvze/48Od7U5zWOjn8XiS
o4oOyCtm3nQfB8VIzfypFAIUFFOqfHmsfP3s51J9tUXjxvORO3UWD3/R2wXLre2Y
Z5+s7IUhesunZztGtaUFCqG28KCrzmSiIVXGRd/IsQCuTJ4DNiUFZofKYdI0B7fE
hrSETFwDg/OYusZ5/96D
=v9vM
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:29.bspatch
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161010075155.D8F4317B0@freefall.freebsd.org>
Date: Mon, 10 Oct 2016 07:51:55 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:29.bspatch                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Heap overflow vulnerability in bspatch

Category:       core
Module:         bsdiff
Announced:      2016-10-10
Affects:        All supported versions of FreeBSD.
Corrected:      2016-09-22 21:05:21 UTC (stable/11, 11.0-STABLE)
                2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1)
                2016-09-22 21:16:54 UTC (stable/10, 10.3-STABLE)
                2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
                2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
                2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
                2016-09-23 01:52:06 UTC (stable/9, 9.3-STABLE)
                2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The bspatch utility generates newfile from oldfile and patchfile where
patchfile is a binary patch built by bsdiff(1).

II.  Problem Description
The implementation of bspatch is susceptible to integer overflows with
carefully crafted input, potentially allowing an attacker who can control
the patch file to write at arbitrary locations in the heap.

This issue was partially addressed in FreeBSD-SA-16:25.bspatch, but some
possible integer overflows remained.

III. Impact

An attacker who can control the patch file can cause a crash or run
arbitrary code under the credentials of the user who runs bspatch, in
many cases, root.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is needed.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.

Because this vulnerability exists in bspatch, a component used by
freebsd-update, a special procedure must be followed to safely update.

First, truncate bspatch to a zero byte file:

# :> /usr/bin/bspatch

FreeBSD-update will fall back to replacing bspatch, rather than applying
a binary patch.  Proceed with FreeBSD-update as usual:

# freebsd-update fetch
# freebsd-update install

No reboot is needed.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:29/bspatch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:29/bspatch.patch.asc
# gpg --verify bspatch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details
The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r306222
releng/9.3/                                                       r306942
stable/10/                                                        r306215
releng/10.1/                                                      r306941
releng/10.2/                                                      r306941
releng/10.3/                                                      r306941
stable/11/                                                        r306213
releng/11.0/                                                      r306379
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)

iQIcBAEBCgAGBQJX+0OmAAoJEO1n7NZdz2rnMHQQALyzQ6rIFLMV+qfIKr/dxUmv
frrY3rE8GbHNI6UYnlB7T97SZBVG2lOGpUO7sGNzsqAol+aBEn44mX88ijCQk+mc
pIHcbwACkAG6u5c6nyelHAa3ZLc8PkPbNaryjfc9Y0vZxGFKI5ETpdN1nFxUBKRA
eGt4h4GW3ZxHTkc3DDogDM6kBds3DYAnQjnqvkH6QesM/cMIdnU2NMjIrYDdtcsJ
Mp92PqRl8/qCZxcpfoHSl3S190Dmu9KNjEwXdk8gvtr7aTe/OG9fcIOAwIJHMi/n
E3tojTrSGLl0v9yuznG8rU0Hr6VyFNRv9i5QhPEQF4ZQ0HT2/naV0v/THMB1JdeR
8rszvO8HIdYkKEYPEp4RZ+QWJX36xK0ZOA0BSF3+OW6VYMIEB+iMvK1xAlGWmyJq
D6f5AQuw559o4MNZ9gh1tXl+PXjYHvwSOrHb1EZ7mDZ3zVarn8TwUjxaE2ILIhjW
wS+wqbxZt1eENfKbhLHxSavIE+Bi59ab/iymmOFtFdgDDDpQhzx13MUFM17v270g
1OCXnx7HLMIr5ibndJBQbjPmZT0InMM9856Hij8UhcFjyFpytCJie7sVcDFG9nNp
z3VXrSIdEIA5MwaD6MYGW8nUfBwQnD/rSh6t2Tt4qz24FPk9K9pbzpb8CDIOImiF
GnLZXJQlgmJ55XOa0EgR
=uRNW
-----END PGP SIGNATURE-----

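The bug class in FreeBSD-SA-16:29.bspatch is a bound check of the form "position + length > size" whose sum wraps around when the length is attacker-chosen, so the write that follows lands outside the heap buffer. The following is an added example, not bspatch's code and not the FreeBSD patch: it decodes a bsdiff-style control block (three 8-byte integers: diff length, extra length, seek offset, in bsdiff's sign-magnitude little-endian encoding, which the decoder reimplements under bsdiff's name offtin) and does every bound check with overflow-checked arithmetic. The names parse_ctrl, ctrl_is_safe, ctrl_stream_is_safe and offtout are this example's own, the control blocks in main are constructed, and the validator is assumed to be stricter than bspatch in one respect: it also requires the diff block's read of the old file to stay within the old file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One bsdiff control block: how many new-file bytes are built from old
 * byte + delta (diff_len), how many are copied verbatim from the patch
 * (extra_len), and how far to move the old-file position afterwards. */
struct ctrl {
    int64_t diff_len;
    int64_t extra_len;
    int64_t seek;
};

/* Decode bsdiff's 8-byte integer: little-endian magnitude, sign in bit 7
 * of the last byte (same format bsdiff's offtin reads). */
static int64_t offtin(const uint8_t *buf)
{
    uint64_t mag = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        mag = (mag << 8) | buf[i];
    return (buf[7] & 0x80) ? -(int64_t)mag : (int64_t)mag;
}

/* Encoder used only to construct sample input (assumes x != INT64_MIN). */
static void offtout(int64_t x, uint8_t *buf)
{
    uint64_t mag = x < 0 ? (uint64_t)(-x) : (uint64_t)x;
    for (int i = 0; i < 8; i++) {
        buf[i] = (uint8_t)(mag & 0xFF);
        mag >>= 8;
    }
    if (x < 0)
        buf[7] |= 0x80;
}

/* Decode a 24-byte control block. */
static void parse_ctrl(const uint8_t block[24], struct ctrl *c)
{
    c->diff_len  = offtin(block);
    c->extra_len = offtin(block + 8);
    c->seek      = offtin(block + 16);
}

/* True only if applying c at (oldpos, newpos) keeps every read inside
 * [0, oldsize] and every write inside [0, newsize]. Each sum goes through
 * __builtin_add_overflow, so a length near INT64_MAX cannot wrap the
 * comparison into passing. Positions after the block are written back. */
static bool ctrl_is_safe(const struct ctrl *c, int64_t oldpos, int64_t newpos,
                         int64_t oldsize, int64_t newsize,
                         int64_t *oldpos_out, int64_t *newpos_out)
{
    int64_t end;

    if (c->diff_len < 0 || c->extra_len < 0)      /* byte counts, never negative */
        return false;
    /* Diff block writes new[newpos..+diff_len) and reads old[oldpos..+diff_len). */
    if (__builtin_add_overflow(newpos, c->diff_len, &end) || end > newsize)
        return false;
    newpos = end;
    if (__builtin_add_overflow(oldpos, c->diff_len, &end) || end > oldsize)
        return false;
    oldpos = end;
    /* Extra block writes new[newpos..+extra_len) straight from the patch. */
    if (__builtin_add_overflow(newpos, c->extra_len, &end) || end > newsize)
        return false;
    newpos = end;
    /* Seek may be negative; the old position must stay inside the old file. */
    if (__builtin_add_overflow(oldpos, c->seek, &end) || end < 0 || end > oldsize)
        return false;
    *oldpos_out = end;
    *newpos_out = newpos;
    return true;
}

/* Walk a sequence of control blocks as a patcher would; accept only if every
 * block is in bounds and the patch produces exactly newsize bytes. */
static bool ctrl_stream_is_safe(const uint8_t *blocks, size_t nblocks,
                                int64_t oldsize, int64_t newsize)
{
    int64_t oldpos = 0, newpos = 0;
    for (size_t i = 0; i < nblocks; i++) {
        struct ctrl c;
        parse_ctrl(blocks + 24 * i, &c);
        if (!ctrl_is_safe(&c, oldpos, newpos, oldsize, newsize, &oldpos, &newpos))
            return false;
    }
    return newpos == newsize;
}

int main(void)
{
    /* Constructed sample: block 1 is benign; block 2 carries a diff length of
     * INT64_MAX, which in unchecked wrapping arithmetic would turn
     * "newpos + diff_len" negative and slip past a plain "> newsize" test. */
    uint8_t blocks[48];
    offtout(4, blocks);          offtout(2, blocks + 8);  offtout(-1, blocks + 16);
    offtout(INT64_MAX, blocks + 24); offtout(0, blocks + 32); offtout(0, blocks + 40);
    printf("benign block alone accepted (needs 10 bytes, makes 6): %d\n",
           ctrl_stream_is_safe(blocks, 1, 10, 10));
    printf("crafted second block accepted: %d\n",
           ctrl_stream_is_safe(blocks, 2, 10, 10));
    return 0;
}
```

The check is deliberately done before any byte is written, on the decoded values rather than on the raw patch bytes, because the advisory's point is that the arithmetic around the lengths, not the lengths' storage, is where the earlier fix (FreeBSD-SA-16:25.bspatch) fell short.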
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:30.portsnap
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161010075158.DD727180E@freefall.freebsd.org>
Date: Mon, 10 Oct 2016 07:51:58 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:30.portsnap                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple portsnap vulnerabilities

Category:       core
Module:         portsnap
Announced:      2016-10-10
Affects:        All supported versions of FreeBSD.
Corrected:      2016-09-28 21:33:35 UTC (stable/11, 11.0-STABLE)
                2016-09-28 22:04:07 UTC (releng/11.0, 11.0-RELEASE-p1)
                2016-10-05 00:33:06 UTC (stable/10, 10.3-STABLE)
                2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
                2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
                2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
                2016-10-05 01:01:10 UTC (stable/9, 9.3-STABLE)
                2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background
The portsnap utility is used to fetch and update compressed snapshots of
the FreeBSD ports tree.  Portsnap fetches snapshots and updates over http,
and then cryptographically verifies the downloaded files.

II.  Problem Description

Flaws in portsnap's verification of downloaded tar files allow additional
files to be included without causing the verification to fail.  Portsnap
may then use or execute these files.

III. Impact

An attacker who can conduct a man-in-the-middle attack on the network at
the time when portsnap is run can cause portsnap to execute arbitrary
commands under the credentials of the user who runs portsnap, typically
root.

IV.  Workaround

The ports tree may be obtained by methods other than portsnap, as
described in the FreeBSD handbook.

V.   Solution

portsnap has been modified to explicitly validate compressed files within
the tar file by full name, rather than relying on gunzip's filename search
logic.  portsnap now verifies that snapshots contain only the expected
files.

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is needed.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.

This advisory is released concurrently with FreeBSD-SA-16:29.bspatch
which contains special instructions for using freebsd-update.  Following
the instructions in that advisory will safely apply updates for
FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and
FreeBSD-SA-16:31.libarchive.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-10.patch.asc
# gpg --verify portsnap-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-9.3.patch.asc
# gpg --verify portsnap-9.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r306701
releng/9.3/                                                       r306942
stable/10/                                                        r306697
releng/10.1/                                                      r306941
releng/10.2/                                                      r306941
releng/10.3/                                                      r306941
stable/11/                                                        r306418
releng/11.0/                                                      r306419
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)

iQIcBAEBCgAGBQJX+0OqAAoJEO1n7NZdz2rns54P/3N6V4ZGWZ8jXDSw7KPRhF16
gUs2AQx+rL+o5rOVsMZ6DulVtFP+AzUvEsLIJeARdaOJar9St1cQVTZHa+8CtWr5
aCSgx5r39srcvvMuQ34z0yss7eEkHRubzkIzrjHcD6MweFg4tAIufXHgxmhNVuKp
QOQCwUbWIp8MssNbd/nYr1fpNoEvhkuzEv+EsvU+gTXeYNbHDS8zN/XC1a4167Q9
flFCqVn45ZpYR+2ifeLv0s+Rj4MQdnaCUYPpt1JoY5pIr/1GbNuywam9YgUQJZ7o
gbY+S9Un0aByEOmPgD2e6qb8qhQFtaJgAbhB51dsI/qpZUljQKERmV1vd78drqWB
1gss/MFe5oyxZ5IbmHLBabIcKvvtH72gSaD8Zp973TbD72usjC/ZfdkukNBlWkbm
M4PFTK+VQA1y5c8R2RduVoz3ioaBtRisxqqGOi0i3AUgiWx6IeP9jkIana28dGtJ
Mkm4ZiWBj12lT5B+gafpy7+bLkbYl2sEFYIt+YUlJ1GqAumyDnnmYt5rDhZwMLFo
7ywCpCwtoBc49sCV7szV4MdFw0Zmo8tT0uiWBehferN1SHygKVNGnXIj+NotRXx0
mp0j7pgK4AcML2y7pJLEUwyWUKE5tBkPKmHg+4ELhqPb0mjm+A+KHX/8vXxlPpRJ
2yVhfIubEhECQJeJKAqm
=y+kG
-----END PGP SIGNATURE-----

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:31.libarchive
Reply-To: freebsd-security@freebsd.org
Message-Id: <20161010075202.0C4281857@freefall.freebsd.org>
Date: Mon, 10 Oct 2016 07:52:02 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:31.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple libarchive vulnerabilities

Category:       core
Module:         portsnap
Announced:      2016-10-05
Affects:        All supported versions of FreeBSD.
Corrected:      2016-09-25 22:02:27 UTC (stable/11, 11.0-STABLE)
                2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1)
                2016-09-25 22:04:02 UTC (stable/10, 10.3-STABLE)
                2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
                2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
                2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The libarchive(3) library provides a flexible interface for reading and
writing streaming archive files such as tar(1) and cpio(1), and has been
the basis for the FreeBSD implementation of the tar(1) and cpio(1)
utilities since FreeBSD 5.3.

II.  Problem Description

Flaws in libarchive's handling of symlinks and hard links allow
overwriting files outside the extraction directory, or permission changes
to a directory outside the extraction directory.

III. Impact

An attacker who can control freebsd-update's or portsnap's input to tar
can change file content or permissions on files outside of the update
tool's working sandbox.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is needed.
Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.

This advisory is released concurrently with FreeBSD-SA-16:29.bspatch
which contains special instructions for using freebsd-update.  Following
the instructions in that advisory will safely apply updates for
FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and
FreeBSD-SA-16:31.libarchive.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch
# fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch.asc
# gpg --verify libarchive.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r306322
releng/10.1/                                                      r306941
releng/10.2/                                                      r306941
releng/10.3/                                                      r306941
stable/11/                                                        r306321
releng/11.0/                                                      r306379
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)

iQIcBAEBCgAGBQJX+0OrAAoJEO1n7NZdz2rnkaAP/i5Njok8Lg3ogwRGVo/HVQfA
AzRz2oQ5oAuwZhmpkQ3CzHArRsaTGuKK5C1SNJpmEDuq5XM2u5Td2ph/R5ry0fwF
7B58Ci+o7ngRWtJ/N8dYk3cXfg0sjPZKDO1otIyfh8HF3UAq5uB3/w/8UFOpqcxQ
guMKahd/r9PnfrD8GtS+t/2V+KHInNH0J4YD/+hoqcdZPzMKtlE5D5OjqOov9rVn
myQwAuN+w2buPj2gXSuubq5wTNFOvj8u06mVpRj+0X0VoybdN5cohuqSx7s4vlw+
/qV7gT2993aijXp43dGGSUeuGl1ZbrKp233vntkIYrsjJzaw56YMHL3ushopGGhj
OfC/ilXmsUjrlHgCrWpMiTuN7cdWDXrpMnaf4c99yMxdYUuRtbbnVthdOpZB8iOt
7xeVnvHiYTYbQu+4xy4SPOWqPLOnrbwVqIocXU1QjWJice5A3EU/mSAd2IpX04a2
prdlaGxBNZlziLgzsZoiER+5u0S3owbx7y2SVhMEslHyrRQ92X7SZjfu4NrvlX5k
Dw6xjpHD51pshj4GXTPuznbCyd8246u1fRnH3fnlNLhz5/XhrYbG+OVQ9WDbnX2C
6SzS/oOcjA9qcq1+Ghmz6G7S2MuWZ0XcKfzV0ygX2RZEhU1p0rZfsF/2cGrKIGY1
JguXI1tZdrjfSZisAI+l
=vqSJ
-----END PGP SIGNATURE-----
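FreeBSD-SA-16:30.portsnap (a snapshot may contain only the expected files, matched by full name) and FreeBSD-SA-16:31.libarchive (symlink and hard-link entries must not reach outside the extraction directory) both reduce to a policy applied to each archive entry before anything is written. The following is an added example serving both advisories; it is neither portsnap's shell code nor libarchive's implementation. path_stays_inside, link_target_stays_inside, entry_allowed and all_entries_allowed are this example's own names, the entry names and allowlist in main are constructed, and the checks are lexical: they are assumed to be a first gate only, since an extraction tool still has to refuse, at extraction time and against the real filesystem, to write through a symlink that an earlier entry created.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lexically decide whether a relative path stays under the extraction root:
 * no absolute paths, and no ".." that climbs above depth zero. "." components
 * and empty components (doubled or trailing slashes) are ignored. */
static bool path_stays_inside(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;
    int depth = 0;
    const char *p = name;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return false;               /* climbed above the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        if (!slash)
            break;
        p = slash + 1;
    }
    return true;
}

/* A symlink target is resolved relative to the directory holding the link,
 * so join the two and run the same lexical check on the result. */
static bool link_target_stays_inside(const char *linkname, const char *target)
{
    char joined[1024];
    if (target == NULL || target[0] == '/')
        return false;
    const char *slash = strrchr(linkname, '/');
    size_t dirlen = slash ? (size_t)(slash - linkname) + 1 : 0; /* keeps the '/' */
    if (dirlen + strlen(target) + 1 > sizeof joined)
        return false;
    memcpy(joined, linkname, dirlen);
    strcpy(joined + dirlen, target);
    return path_stays_inside(joined);
}

enum entry_kind { ENTRY_FILE, ENTRY_DIR, ENTRY_HARDLINK, ENTRY_SYMLINK };

struct entry {
    const char *name;
    enum entry_kind kind;
    const char *target;   /* link target; NULL for files and directories */
};

/* Policy for one entry: the name must match the allowlist verbatim (a
 * basename or suffix match would let "foo/<expected>" through), the name
 * must stay inside the root, and link targets must stay inside as well.
 * Hard-link targets are archive paths, so they are checked from the root. */
static bool entry_allowed(const struct entry *e, const char *const *allow, size_t nallow)
{
    bool listed = false;
    for (size_t i = 0; i < nallow && !listed; i++)
        listed = strcmp(e->name, allow[i]) == 0;
    if (!listed || !path_stays_inside(e->name))
        return false;
    switch (e->kind) {
    case ENTRY_HARDLINK:
        return e->target != NULL && path_stays_inside(e->target);
    case ENTRY_SYMLINK:
        return link_target_stays_inside(e->name, e->target);
    default:
        return true;
    }
}

/* The whole snapshot is accepted only if every entry passes. */
static bool all_entries_allowed(const struct entry *es, size_t n,
                                const char *const *allow, size_t nallow)
{
    for (size_t i = 0; i < n; i++)
        if (!entry_allowed(&es[i], allow, nallow))
            return false;
    return true;
}

int main(void)
{
    /* Constructed allowlist and entries; not portsnap's real snapshot layout. */
    const char *const allow[] = { "usr/ports/INDEX", "usr/ports/Mk/bsd.port.mk" };
    const struct entry entries[] = {
        { "usr/ports/INDEX",          ENTRY_FILE,     NULL },
        { "usr/ports/Mk/bsd.port.mk", ENTRY_SYMLINK,  "../INDEX" },         /* inside */
        { "usr/ports/INDEX",          ENTRY_HARDLINK, "../../etc/passwd" }, /* escapes */
        { "INDEX",                    ENTRY_FILE,     NULL },               /* not listed */
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-26s %s\n", entries[i].name,
               entry_allowed(&entries[i], allow, 2) ? "allowed" : "REJECTED");
    printf("whole snapshot accepted: %d\n", all_entries_allowed(entries, 4, allow, 2));
    return 0;
}
```

Full-name matching is what makes the allowlist meaningful: the rejected "INDEX" entry has the same basename as an expected file, which is exactly the kind of extra member a basename-based search would accept.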