Add EN-20:10, EN-20:11, and SA-20:17.

Approved by:	so

1 files changed, 133 insertions, 0 deletions

diff --git a/share/security/advisories/FreeBSD-SA-20:17.usb.asc b/share/security/advisories/FreeBSD-SA-20:17.usb.asc
new file mode 100644
index 0000000000..c29141dc2b
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-20:17.usb.asc
@@ -0,0 +1,133 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-20:17.usb                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          USB HID descriptor parsing error
+
+Category:       core
+Module:         kernel
+Announced:      2020-06-09
+Credits:        Andy Nguyen, Google
+Affects:        All supported versions of FreeBSD.
+Corrected:      2020-06-08 09:32:57 UTC (stable/12, 12.1-STABLE)
+                2020-06-09 16:13:54 UTC (releng/12.1, 12.1-RELEASE-p6)
+                2020-06-08 09:33:37 UTC (stable/11, 11.4-STABLE)
+                2020-06-09 16:13:54 UTC (releng/11.4, 11.4-RC2-p1)
+                2020-06-09 16:13:54 UTC (releng/11.3, 11.3-RELEASE-p10)
+CVE Name:       CVE-2020-7456
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+USB Human Interface Device (HID) descriptors may push/pop the current state
+to allow description of items residing in a so-called union.  FreeBSD
+supports 4 such pop levels.
+
+II.  Problem Description
+
+If the push/pop level is not restored within the processing of the same HID
+item, an invalid memory location may be used for subsequent HID item
+processing.
+
+III. Impact
+
+An attacker with physical access to a USB port may be able to use a specially
+crafted USB device to gain kernel or user-space code execution.
+
+IV.  Workaround
+
+Setting "sysctl hw.usb.disable_enumeration=1" disables USB device
+enumeration preventing the error from occurring.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-20:17/usb.patch
+# fetch https://security.FreeBSD.org/patches/SA-20:17/usb.patch.asc
+# gpg --verify usb.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/12/                                                        r361918
+releng/12.1/                                                      r361972
+stable/11/                                                        r361919
+releng/11.4/                                                      r361972
+releng/11.3/                                                      r361972
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7456>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:17.usb.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl7fuFhfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
+MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
+5cJ4Iw/6AuTNBD33WaEZTW7mAfigc1sp8cjnKCvm+DObx1CNpSr9fxiy+Dy5DMjg
+/Hv4ijv4flte3txXohdXvYcAKqYrbP1BBr6ptlQYE/V+61sTtxV18XGnID1fgSOZ
+WPHGaXMAUNeeVxJSEVJ5rJ+lRo90Rlp/n9pMZlU+tIDFjE0BQ5lJkicg/xgFO9rg
+tRaeotoXmdNo3HlkMfXnIZ8q5tOQrcsfSZP6DgQWKspinCJTVTr1eQ9p6mHNV7Ip
+XZGuXNaktYxwNk2oWP2dmk6FAkyldReyi856DurhOldmAxPbY5zh4NfwOuL78pSa
+draF1up4Vkb/aSQHN1xkaOjlBEmLYHgzND83M9gnE2RdtGVLeerI6Gdd6Pp4D8a2
+vPgWZOQfO82lUjSx/B/XHCA0Ztu4uinPuCkrf9vcteg/juJxQRRyFWUfqGbo3qpC
+U9a1AN9Ojgy0eFDKTo7vWUf34kB1RApEEt3y3XNwwbwDWtKdWMRLJfD4oIhbB6Re
+URYpBUv5wnkhOq5LR15VJc6jL/DZxqsjByALwtnEdNH6bAYM+6WTmnTYFgUyuvlF
+n2tZeD5LXM0GLs377edmAeGR7TUd+rFfndEGFKiDXeSNrmb0Ro6E4vvbUwu5PalA
+kf+suJS0noAH+SPmk0YyxKm12plPxyO2zLFIMRpjWz6v1joH+Qk=
+=4v1s
+-----END PGP SIGNATURE-----