From owner-freebsd-security-notifications@freebsd.org Wed Nov 15 23:18:55 2017 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C406FDEA50E for ; Wed, 15 Nov 2017 23:18:55 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9E6FB80C39; Wed, 15 Nov 2017 23:18:55 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id DD76818FBC; Wed, 15 Nov 2017 23:18:54 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-17:08.ptrace Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20171115231854.DD76818FBC@freefall.freebsd.org> Date: Wed, 15 Nov 2017 23:18:54 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 23:18:55 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:08.ptrace Security Advisory The FreeBSD Project Topic: Kernel data leak via ptrace(PT_LWPINFO) Category: core Module: ptrace Announced: 2017-11-15 Credits: John Baldwin Affects: All supported versions of FreeBSD. Corrected: 2017-11-10 12:28:43 UTC (stable/11, 11.1-STABLE) 2017-11-15 22:39:41 UTC (releng/11.1, 11.1-RELEASE-p4) 2017-11-15 22:40:15 UTC (releng/11.0, 11.0-RELEASE-p15) 2017-11-10 12:31:58 UTC (stable/10, 10.4-STABLE) 2017-11-15 22:40:32 UTC (releng/10.4, 10.4-RELEASE-p3) 2017-11-15 22:40:46 UTC (releng/10.3, 10.3-RELEASE-p24) CVE Name: CVE-2017-1086 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ptrace(2) syscall provides the facility for a debugger to control the execution of the target process and to obtain necessary status information about it. The struct ptrace_lwpinfo structure is reported by one of the ptrace(2) subcommand and contains a lot of the information about the stopped thread (light-weight process or LWP, thus the name). II. Problem Description Not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information of the kernel stack of the thread is possible from the debugger. III. Impact Some bytes from the kernel stack of the thread using ptrace(PT_LWPINFO) call can be observed in userspace. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterward, reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterward, reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch # fetch https://security.FreeBSD.org/patches/SA-17:08/ptrace.patch.asc # gpg --verify ptrace.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r325643 releng/10.3/ r325871 releng/10.4/ r325870 stable/11/ r325642 releng/11.0/ r325869 releng/11.1/ r325868 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxftfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P audQ+hAA2+cjqNVUJ/Polwo9cu61QxKLEXO1DItlMIFWBxpFpXXlRSLbqH+RGmaO 6aR4Q1xcOnLm8e57KcLFppl77uOZyO0IJ0lyK6P30ouSxuYIW3aHbW+p3pVYBE+J aqF3mNxSh9xQRgXvxUB/CM3w/SMKkxXtkZMvhNSGFCShGQTNpjGfAgIwOZD8mNFi WvYbPgzwfeE4tsaStZ91SZ8wf2nxdRXhybDXEOCAJvicP6IqYA1Zfr7RG2N3swK7 JKLXW7tiVu+zbRYYFiWYX4FIWatIlsTjpD0GyuZs0j2PCEu80z1muFnrp/dGg3Bn APGVzIrkFjKvmXfkuFZFPMWCL+u9cUgOMNGkMFDXrLppLL7aXCGrz3BWECg581Pr dnUrrz/iEcXGDcnTJ3Ff+OidqdhdpVQz59Ek90TMd5iO+nZ+xeVjVzxdLHb82/wt KlgXRpwTg3Q72xDSF84UmRSkk1M/V5AZMrZiy2RjIwtvLqIJ9ZpLAMnrwTTWRDjB YurHHNWKjMVkdKCdbpBVGRjNmS6XYS6QukmA4M85d2r0Dmb8J6Gd6juHc3Essrz+ 3qEMKAcYsSWbQ5ZSMywUOzM74Dk+wUTf7jCJ1IsSqn8hYHOqvUSF0ftwXkdS1+cv GT25iduAMCdTP15Qp57Wlhv9WCF8eOUoYKHiSpXcVa6XMqazLy4= =Uqz2 -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed Nov 15 23:19:47 2017 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A10FBDEA635 for ; Wed, 15 Nov 2017 23:19:47 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 8576D108B; Wed, 15 Nov 2017 23:19:47 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id DE98619134; Wed, 15 Nov 2017 23:19:46 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-17:09.shm Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20171115231946.DE98619134@freefall.freebsd.org> Date: Wed, 15 Nov 2017 23:19:46 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 23:19:47 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:09.shm Security Advisory The FreeBSD Project Topic: POSIX shm allows jails to access global namespace Category: core Module: shm Announced: 2017-11-15 Credits: Whitewinterwolf Affects: FreeBSD 10.x Corrected: 2017-11-13 23:21:17 UTC (stable/10, 10.4-STABLE) 2017-11-15 22:45:50 UTC (releng/10.4, 10.4-RELEASE-p3) 2017-11-15 22:45:13 UTC (releng/10.3, 10.3-RELEASE-p24) CVE Name: CVE-2017-1087 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background POSIX shared memory objects allow realtime inter-process communication by sharing a memory area through the use of a named path (see shm_open(2)). This is used by some multi-process applications to share data between running processes, such as a common cache or to implement a producer-consumer model where several worker processes handle requests pushed by a producer process. II. Problem Description Named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system. III. Impact A malicious user that has access to a jailed system is able to abuse shared memory by injecting malicious content in the shared memory region. This memory region might be executed by applications trusting the shared memory, like Squid. This issue could lead to a Denial of Service or local privilege escalation. IV. Workaround No workaround is available, but systems without jails or jails not having local users are not vulnerable. V. Solution 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Reboot the system for the update to take effect. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Reboot the system for the update to take effect. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.4, FreeBSD 10-STABLE] # fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch # fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.patch.asc # gpg --verify shm-10.patch.asc [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch # fetch https://security.FreeBSD.org/patches/SA-17:09/shm-10.3.patch.asc # gpg --verify shm-10.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r325783 releng/10.3/ r325873 releng/10.4/ r325874 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxg1fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P auciExAAhd9IcZrWpAqjKSGQWHrG7wJxrbCyyVVmZeoVQYQCihXJOnp+mhmVoJp5 zvyjIBG23F/dR8ukRO/LnqzM2bhCj7OcijlvZboH3L4os8iIeB2Tc6k9YlnFQeij wYK0CNnQjECf5S4OIBmQ+irpBYATZKk2EEDdmKDltcauSlIhJIzUedGdmMySOFzl jpx3+dHNb+D9v4luOgvF3mVTYPpjYmJ2HIYel3m0XdElW+okM+L4Q5Nt4Krm+DDp L0fUG5tqS+a++53mNIGeGiBhomD0zZMJZ8LXe/FAACHPWA0yUMhCVrZTwzVTHhA7 g5W1prFW3WYui7x1qF2LIA+SnGFTWXRlIhlAA/1n94Jl6shHnV6guZbzLAX0zk/C 6WFydhrYhmPXd3o5uWz+oQQHXQCcHeGrNc+fmPKg/bpkyJvgfLc6YaY2gEQmfIrI 3w/xqhN8mWVVhpHsHK+Wcz44T9uGH4NlYeDYy3TJ1ECri28fbxufAzr8hgbNRDtw B8YTijrPUSjwKBG815oO5JsOmHVCkCkIRx7nW72bHIs8ralXX563HK3RPjlFzr2G tzk9DF2w2TUQlgzS4wbZk9lXmlgvV0vRzsz+7jcJe1K+ZgyweNg+QIVet3BvobIA zeiRFfZuhH3ExNoJKqfZhBtOiePD0JR6JnkhvjEJm1NoHvoDOAQ= =epmQ -----END PGP SIGNATURE----- From owner-freebsd-security-notifications@freebsd.org Wed Nov 15 23:20:15 2017 Return-Path: Delivered-To: freebsd-security-notifications@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 42EA2DEA96E for ; Wed, 15 Nov 2017 23:20:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0488414D9; Wed, 15 Nov 2017 23:20:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 945) id 272BE192AC; Wed, 15 Nov 2017 23:20:14 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-17:10.kldstat Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20171115232014.272BE192AC@freefall.freebsd.org> Date: Wed, 15 Nov 2017 23:20:14 +0000 (UTC) X-BeenThere: freebsd-security-notifications@freebsd.org X-Mailman-Version: 2.1.25 List-Id: "Moderated Security Notifications \[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 23:20:15 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:10.kldstat Security Advisory The FreeBSD Project Topic: Information leak in kldstat(2) Category: core Module: kernel Announced: 2017-11-15 Credits: TJ Corley Affects: All supported versions of FreeBSD. Corrected: 2017-11-15 22:34:15 UTC (stable/11, 11.1-STABLE) 2017-11-15 22:49:47 UTC (releng/11.1, 11.1-RELEASE-p4) 2017-11-15 22:50:20 UTC (releng/11.0, 11.0-RELEASE-p15) 2017-11-15 22:35:16 UTC (stable/10, 10.4-STABLE) 2017-11-15 22:50:47 UTC (releng/10.4, 10.4-RELEASE-p3) 2017-11-15 22:51:08 UTC (releng/10.3, 10.3-RELEASE-p24) CVE Name: CVE-2017-1088 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The kldstat(2) syscall provides information about loaded kld files. The syscall takes a userland argument of struct kld_file_stat which is then filled with data about the kld file requested. II. Problem Description The kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible. III. Impact Some bytes from the kernel stack can be observed in userspace. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterward, reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Afterward, reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch # fetch https://security.FreeBSD.org/patches/SA-17:10/kldstat.patch.asc # gpg --verify kldstat.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r325867 releng/10.3/ r325878 releng/10.4/ r325877 stable/11/ r325866 releng/11.0/ r325876 releng/11.1/ r325875 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAloMxhRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P audjZhAA29uguakBjkQtnAlWceN0BOQlkp03iYQh61dFpdH98f7RQcr5cq77XKrM pkONtdEVbZNF9g6sly6n9dq5ivAuC9K1KGPtylMcPzHLTzDtV1B13vk2iwwgqkZ7 GgB+m305kcL85knaASn3PBYwKTKzGOrhZFUZuTTI4VAnbbEmIwTHnJlVHvNwFDIj je1XxdDBr4jq7SdCZH8YW9LZAMDi9b+0hg72u20ZQ66uNeadxN4i9DuWtMeHJHb7 2aZRtHhdw4imryUpHM4FnCp5zp9V87Gyv4wy7IrkOKYtbl4nWqxqVakL7T9yVmY5 Q4cGqreYq8bF2aM3LyT26VmDfMOovovHJpCRHf9fvlIMj6ajS39FKWMkEeU23ykg EiTNk090h/G3REWiPnWjbxt8VGnFGyLe3K1VQqUvS+LlQ4lc45WCJnEHcpbvXT/E TNTQ/85nE4BklV1d9wiLy26C21W92IguZam0HdRYJHgEc9Mug+62MfqDzHf0w5HP 3pu8IV5KMwEjGxzaiDMETIZU+K5fkdzPDNBhscxZ6OOab4zQ0+pZgdT1CSbXV6Ru xuOjSyBdz5vVdbq/298VJJ7hNyoP1MgnyaxPrG2ImNDKjUGqbtOgv0m3ISqtsyfs pEvyO2MxWWZqdNhtGJuQpOYyzAMxfJdmdOz1PMFFayQiBR7F0ao= =N2rs -----END PGP SIGNATURE-----