diff options
author | Gordon Tetlow <gordon@FreeBSD.org> | 2020-09-15 22:00:07 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2020-09-15 22:00:07 +0000 |
commit | a83b2ae035f137b43e4cd45d510ee581ea2b89dd (patch) | |
tree | b38d522e906acff8b5f9f5c2738dead29bbb7ce6 /share/security | |
parent | 6b7473e71a0055b22431cc8125a134c7004056f7 (diff) | |
download | doc-a83b2ae035f137b43e4cd45d510ee581ea2b89dd.tar.gz doc-a83b2ae035f137b43e4cd45d510ee581ea2b89dd.zip |
Add SA-20:27 to SA-20:30.
Approved by: so
Notes
Notes:
svn path=/head/; revision=54498
Diffstat (limited to 'share/security')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-20:27.ure.asc | 149 | ||||
-rw-r--r-- | share/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc | 137 | ||||
-rw-r--r-- | share/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc | 136 | ||||
-rw-r--r-- | share/security/advisories/FreeBSD-SA-20:30.ftpd.asc | 140 | ||||
-rw-r--r-- | share/security/patches/SA-20:27/ure.11.patch | 13 | ||||
-rw-r--r-- | share/security/patches/SA-20:27/ure.11.patch.asc | 18 | ||||
-rw-r--r-- | share/security/patches/SA-20:27/ure.12.patch | 16 | ||||
-rw-r--r-- | share/security/patches/SA-20:27/ure.12.patch.asc | 18 | ||||
-rw-r--r-- | share/security/patches/SA-20:28/bhyve_vmcs.patch | 29 | ||||
-rw-r--r-- | share/security/patches/SA-20:28/bhyve_vmcs.patch.asc | 18 | ||||
-rw-r--r-- | share/security/patches/SA-20:29/bhyve_svm.patch | 163 | ||||
-rw-r--r-- | share/security/patches/SA-20:29/bhyve_svm.patch.asc | 18 | ||||
-rw-r--r-- | share/security/patches/SA-20:30/ftpd.patch | 27 | ||||
-rw-r--r-- | share/security/patches/SA-20:30/ftpd.patch.asc | 18 |
14 files changed, 900 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-20:27.ure.asc b/share/security/advisories/FreeBSD-SA-20:27.ure.asc new file mode 100644 index 0000000000..09e3dc1738 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:27.ure.asc @@ -0,0 +1,149 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:27.ure Security Advisory + The FreeBSD Project + +Topic: ure device driver susceptible to packet-in-packet attack + +Category: core +Module: ure +Announced: 2020-09-15 +Credits: John-Mark Gurney +Affects: All supported versions of FreeBSD. +Corrected: 2020-09-14 19:39:43 UTC (stable/12, 12.2-STABLE) + 2020-09-15 21:42:05 UTC (releng/12.2, 12.2-BETA1-p1) + 2020-09-15 21:42:05 UTC (releng/12.1, 12.1-RELEASE-p10) + 2020-09-15 00:22:30 UTC (stable/11, 11.4-STABLE) + 2020-09-15 21:42:05 UTC (releng/11.4, 11.4-RELEASE-p4) + 2020-09-15 21:42:05 UTC (releng/11.3, 11.3-RELEASE-p14) +CVE Name: CVE-2020-7464 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The ure(4) driver provides support for USB Ethernet adapters based on the +Realtek RTL8152 and RTL8153 USB Ethernet controllers. + +II. Problem Description + +A programming error in the ure(4) device driver caused some Realtek USB +Ethernet interfaces to incorrectly report packets with more than 2048 bytes +in a single USB transfer as having a length of only 2048 bytes. + +An adversary can exploit this to cause the driver to misinterpret part of the +payload of a large packet as a separate packet, and thereby inject packets +across security boundaries such as VLANs. + +III. Impact + +An attacker that can send large frames (larger than 2048 bytes in size) to be +received by the host (be it VLAN, or non-VLAN tagged packet), can inject +arbitrary packets to be received and processed by the host. This includes +spoofing packets from other hosts, or injecting packets to other VLANs than +the host is on. + +IV. Workaround + +No workaround is available. However, an attacker needs to be able to inject +large frames. If a switch can prevent large frames (>2048 bytes) from being +received, or connecting the machine to a switch that does not forward large +frames will mitigate this attack. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 12.1, FreeBSD 12.2] +# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.12.patch +# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.12.patch.asc +# gpg --verify ure.12.patch.asc + +[FreeBSD 11.3, FreeBSD 11.4] +# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.11.patch +# fetch https://security.FreeBSD.org/patches/SA-20:27/ure.11.patch.asc +# gpg --verify ure.11.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r365730 +releng/12.2/ r365778 +releng/12.1/ r365778 +stable/11/ r365738 +releng/11.4/ r365778 +releng/11.3/ r365778 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7464> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:27.ure.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOIxfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJY9A//Z+Rt20iUnM79er+CYF4EQNrzR8dOKr2/6L5ho5L1kJt0MdZtamN+f5Bq +Jpzem060oAv+0mgAiK3VR7unlkEk+wFNvMwhgItvI8l2TME3+n/A0nsYQkP9QPPp +SwHmKcIAbwkdtv913zy7AGc/vE+2+D8x84WHp6WDhRmDVgU5QAPGgP4yv0qhgkpy +L8ndLDte3tXMk0eWArxWTpMfxqKGmp9Cgy88QRoIpguazS+ocSVt6h3emxQPtTc/ +7SQOEqjg4IiEXW/t2SSDqB1cvNPmN82yJt4mQg1m8v/SjFjFQ2qgFC+47cYezI1F +nLuoDw16kYUu65DyePiXfCsBwSjkLU1IgpBSgmmxjMzwoVgE7/9AtRqiCwe2xkEF +E6c1VWAQAw2AiZmsISv8T9RNLegLnNjyhO9iSsaeuOfLbTIeQ9zbcUL6xgZB6AxO +tk/fkt+NHwuRoXNx2SC959r+hwhdnrpgxTEphjCFuuMdMGKsxm3TQGdwD6ZvQ1r2 +HkVV1m4ukgpxw8ONa88Lgo+2f1HZhZKWLzp3EsTA3LMpgk+5uJjIuL/ctuddscWY +Do9VapPTIGxjZqABGtxJL7NrzCz2pXE0CHzAjFWD830kujgcdihe6FbJx0cJe3m8 ++CxaGBXvSINHyPwgDArnKR3Hrd57/T6RSUWqsksB7fBCpmFdQaI= +=S9sW +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc b/share/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc new file mode 100644 index 0000000000..af9c18885b --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc @@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:28.bhyve_vmcs Security Advisory + The FreeBSD Project + +Topic: bhyve privilege escalation via VMCS access + +Category: core +Module: bhyve +Announced: 2020-09-15 +Credits: Patrick Mooney +Affects: All supported versions of FreeBSD. +Corrected: 2020-09-15 21:28:47 UTC (stable/12, 12.2-STABLE) + 2020-09-15 21:43:41 UTC (releng/12.2, 12.2-BETA1-p1) + 2020-09-15 21:43:41 UTC (releng/12.1, 12.1-RELEASE-p10) + 2020-09-15 21:28:47 UTC (stable/11, 11.4-STABLE) + 2020-09-15 21:43:41 UTC (releng/11.4, 11.4-RELEASE-p4) + 2020-09-15 21:43:41 UTC (releng/11.3, 11.3-RELEASE-p14) +CVE Name: CVE-2020-24718 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of guest operating +systems in virtual machines on AMD and Intel CPUs. + +II. Problem Description + +AMD and Intel CPUs support hardware virtualization using specialized data +structures that control various aspects of guest operation. These are the +Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual +Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow +root users, including those running in a jail, to change these data +structures. + +III. Impact + +An attacker with host root access (including to a jailed bhyve instance) can +use this vulnerability to achieve kernel code execution. + +IV. Workaround + +No workaround is available. This issue is likely of concern only to systems +relying on running bhyve in jail(8) for security domain separation. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:28/bhyve_vmcs.patch +# fetch https://security.FreeBSD.org/patches/SA-20:28/bhyve_vmcs.patch.asc +# gpg --verify bhyve_vmcs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r365777 +releng/12.2/ r365779 +releng/12.1/ r365779 +stable/11/ r365777 +releng/11.4/ r365779 +releng/11.3/ r365779 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24718> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKJBQ//UOwIgcc2n+Yr0MrNIs2XzLjmKBsuVfIrFni0GGJFFSAUd7Kzw7oeY4ng +e9JURtfV6NlU63QkaRw+QqgvnXm5vLbgO+oWuedsj33eNgUNdUinZinieZuFAyAt +BBgfMJ3D9X7HffIw1iKN/DWaealFJ1SHtKYzVssTBx/7ju+SFj5HkwLh/7QzKBYO +CoeNE7RN2kSDmvvEKMdN17QyM4+H3wYpsnylWHa89slIe1xj0eVqgnGw2NrjjKlV +N2DAQM+MvdJ+W8oA0idEvBZj55uHV9OlgIwJCDi0/u5yHPJkhuYYuHsf0oyW+NT6 +gWvzwTI27IAAyYKK57pGVP7x4sy8VhsDItzqubhDqa/zjNZM9SYOtLYiOnDjev2B +nqC2mV08XpC9lfwd3EDPGv+FYbTTe9OzirlJBnbMnwhj/p0sPMYCtuWKp/MyQyyD +1yhUJJlZgI6HdrTOOeqhObNDtEz75MI1bpLVmjq9VMLz1PtzdNFDcNmyvtTOpMut +vZDFgCqtkpcukqxfqV1EJAWr0UWnaUyPc0klbmLwrQCpTWDOBT7QK+S5ZtNLQqu4 +c6UJ7CQLNPn9nEjf16D8dZ1Iy3AJyPmtv7ehEkKFjJtNIwitCx/AIzKiXXzzxe56 +boJoQL0pmgJkv3tjP5dEMeSx5SA4mrhtKCL+ri3/ZFXHxtcDNsQ= +=Jluz +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc b/share/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc new file mode 100644 index 0000000000..0816bc0205 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc @@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:29.bhyve_svm Security Advisory + The FreeBSD Project + +Topic: bhyve SVM guest escape + +Category: core +Module: bhyve +Announced: 2020-09-15 +Credits: Maxime Villard +Affects: All supported versions of FreeBSD. +Corrected: 2020-09-15 20:25:30 UTC (stable/12, 12.2-STABLE) + 2020-09-15 21:46:39 UTC (releng/12.2, 12.2-BETA1-p1) + 2020-09-15 21:46:39 UTC (releng/12.1, 12.1-RELEASE-p10) + 2020-09-15 20:26:31 UTC (stable/11, 11.4-STABLE) + 2020-09-15 21:46:39 UTC (releng/11.4, 11.4-RELEASE-p4) + 2020-09-15 21:46:39 UTC (releng/11.3, 11.3-RELEASE-p14) +CVE Name: CVE-2020-7467 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of guest operating +systems in virtual machines on AMD and Intel CPUs. AMD and Intel provide +broadly similar virtualization interfaces, but each provides its own specific +instructions for manipulating virtual machine state. + +II. Problem Description + +A number of AMD virtualization instructions operate on host physical +addresses, are not subject to nested page table translation, and guest use of +these instructions was not trapped. + +III. Impact + +- From kernel mode a malicious guest can write to arbitrary host memory (with +some constraints), affording the guest full control of the host. + +IV. Workaround + +No workaround is available. Systems not using bhyve, and systems that +use bhyve with an Intel CPU, are not vulnerable. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:29/bhyve_svm.patch +# fetch https://security.FreeBSD.org/patches/SA-20:29/bhyve_svm.patch.asc +# gpg --verify bhyve_svm.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r365767 +releng/12.2/ r365780 +releng/12.1/ r365780 +stable/11/ r365769 +releng/11.4/ r365780 +releng/11.3/ r365780 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7467> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:29.bhyve_svm.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJxjxAAjy783UUnVvhtiJt4p5TGMpaU+ZrLnKaOASiTDdbp6z3IFuLZ1VbkekAM +aMGgZNmYkRotcTM0mbhoeRROSrYlmO2ZHNmJyxchbOaIfKXL3iTFYP5gRirN1r+Q +i8+Gr5HzTL5SkvTEx0wKUp6uRqD26nf7i4KrdOWmf5ivhB66Z2vk/56aX53eSNJ5 +iPZYvlFnVIcy1wKPE1RIP67H+nqqWBApavWUMK6f01cAMr5w0BE+f4RdSvzEFnuG +p2Id8A3ptt0VoIdZzbJkLKog4/dlC1C+PVPPLND2gcCY2c/+gG0nNTy9Fjdvsoor +AnmRvlarCCcEVOSxGk+WNUwWdQnQPFykpZxGtid53km3Yjw1smPmfOVwvNhTkzoP +tPZ568wFyaBGLI+39hC0u0AtLT93MBHpxpCMpQZ9rlFauxn5OuyBFkxgCuEyq728 +GcrMVggyrzOetW7GqdlOEzFDj3nxHme+08qmbLXjv5X8N1RK+TGZDAjYFqLU1NXi +cyPhbGqV4SuYw3dW7E0C8eOocuVmpXTEW82R9ff1pobUZUNVGKZse1rjT344VTSc +DazL/q2TIo5fyDWEaNWsPad8mdyQGWft2cfYHYrO+Y6Smn/oKS3LmX61bGC37FEF +b0rqunbDdq4775q6H6KKbRgVTKGiVyC/Nt/2xkg//GymzNnuFvY= +=lplz +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-20:30.ftpd.asc b/share/security/advisories/FreeBSD-SA-20:30.ftpd.asc new file mode 100644 index 0000000000..35d9b43567 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-20:30.ftpd.asc @@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-20:30.ftpd Security Advisory + The FreeBSD Project + +Topic: ftpd privilege escalation via ftpchroot feature + +Category: core +Module: ftpd +Announced: 2020-09-15 +Credits: Anonymous working with Trend Micro Zero Day Initiative +Affects: All supported versions of FreeBSD. +Corrected: 2020-09-15 20:55:13 UTC (stable/12, 12.2-STABLE) + 2020-09-15 21:47:44 UTC (releng/12.2, 12.2-BETA1-p1) + 2020-09-15 21:47:44 UTC (releng/12.1, 12.1-RELEASE-p10) + 2020-09-15 20:56:14 UTC (stable/11, 11.4-STABLE) + 2020-09-15 21:47:44 UTC (releng/11.4, 11.4-RELEASE-p4) + 2020-09-15 21:47:44 UTC (releng/11.3, 11.3-RELEASE-p14) +CVE Name: CVE-2020-7468 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +ftpd(8) is a daemon that implements an FTP server. To restrict +filesystem access of authenticated clients, ftpd(8) supports the +ftpchroot(5) feature, which allows the system administrator to designate +a root directory for each FTP user. This is implemented using the +chroot(2) system call. + +II. Problem Description + +A ftpd(8) bug in the implementation of the file system sandbox, combined +with capabilities available to an authenticated FTP user, can be used to +escape the file system restriction configured in ftpchroot(5). +Moreover, the bug allows a malicious client to gain root privileges. + +III. Impact + +A malicious FTP user can gain privileged access to an affected system. + +IV. Workaround + +No workaround is available. Systems not running ftpd(8) or not making +use of ftpchroot(5) are not affected. Exploitation of the bug requires +that a malicious FTP client have login access to the server. Anonymous +access is not sufficient. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart the applicable daemons, or reboot the system. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-20:30/ftpd.patch +# fetch https://security.FreeBSD.org/patches/SA-20:30/ftpd.patch.asc +# gpg --verify ftpd.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r365772 +releng/12.2/ r365781 +releng/12.1/ r365781 +stable/11/ r365773 +releng/11.4/ r365781 +releng/11.3/ r365781 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7468> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:30.ftpd.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJCRA//Zuuqyaim3BnR0Qs9mSI3fm37AQN9NyV0GzaP6ayAeCu7xuyzMzFD58jU +SZAkrH16buh34dfelwofPSO8ZIAHZ0X6PpVWHwrTkrT8ADHCuJwEe0imG5MDDJn4 +mMJSA9OVyQXgHXApnOhJ4hHMUfGF0QJvsOvPQ4f8J3J9K9pTa78HgekaNWkgpTzo +eAGV+lug/UwsK//FrcyYaifZF1xl0ZKSAl6RVFVaqxxVXZGZ2txlew4I03NEfqjJ +PAmviQ1p0BO5tMqVSG+/VkuYFJNyUGvuSrvUeIoQnoWljvKx5VnAq5KVCD6La1nn +o5JzNEvlqzOC1ClribxALyv/VJHJt6PDBF4S26ATwIdr8TCzSpe2Byjj9KN/qC94 +JuT6hScERpT4ARIsJiDIDe0+9zBeglJuS/3sJozI+ani+VL/7uBL6MB50twgioFG +4+5MNgc4VYgX35U0z+fStncZAScByXWdxaMDYx9brfZeaeEhiZA6wXYCf8kpaW94 +zDOvBCH+GR1O2nALdlMVFrThQdTkq1AtMQ58Uuaxpu1LBGrMVfz/VCDEurWog+U1 +7uxRwx9o6lJvno3oPQTfHkcuHZosOE0KdfdJ1Tcmj1pVZVjeaxu7HEW2H73YRhBN +Fc4XIxaO7URyYwtzxzH9yU18wKCp+g/mm5apgbbcz1kBS+fR3Go= +=zvW4 +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:27/ure.11.patch b/share/security/patches/SA-20:27/ure.11.patch new file mode 100644 index 0000000000..aa3299131d --- /dev/null +++ b/share/security/patches/SA-20:27/ure.11.patch @@ -0,0 +1,13 @@ +--- sys/dev/usb/net/if_ure.c.orig ++++ sys/dev/usb/net/if_ure.c +@@ -710,7 +710,9 @@ + ~URE_RXDY_GATED_EN); + + /* Set Rx mode. */ +- rxmode = URE_RCR_APM; ++ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA); ++ rxmode &= ~URE_RCR_ACPT_ALL; ++ rxmode |= URE_RCR_APM; + + /* If we want promiscuous mode, set the allframes bit. */ + if (ifp->if_flags & IFF_PROMISC) diff --git a/share/security/patches/SA-20:27/ure.11.patch.asc b/share/security/patches/SA-20:27/ure.11.patch.asc new file mode 100644 index 0000000000..d75cbf1e12 --- /dev/null +++ b/share/security/patches/SA-20:27/ure.11.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cIisRAAlVB+hNBKrmr7kjc+cOeeLofnAppEywIJsQoKus4y7P23K2gguL+zJX6p +UTMSysmDXJG1OVEzpLpq7R6mGWD18vOMvKyNgijnGJeeIwjGqACHK68v2tFosW61 +g4kRKIuuLMxeqrySn4P8IgKRVV6Em+/LuYkqr5v3BuKFpAzPxNmvmLEVzaoqh+wS +SJgVucuogTxjYwb2pTcIig+rtkE3FHD+x5WxS5DzfCDlp3mqaMSCyoNeF8JMzs7y +EXV57iDRjRC5IDBnr2dB55uHFielJioVmfLjMCMRAHlBX7q4Fu3Hobt8oHaOKtTD +mk2q3efR3MeIIfLTqwu/Xrzz7c+vCucg9ccpyjK561Kt38W8bUBhMUxN2nQXtUyR +ABsWQK8tE7Ie5cJhwF3ajcESEZ8nx0s9NrQYdFE/od+MVlWeXpGNsBoFDUoGILqS +sgpn+2QUoruEVUujUyfMK8H5bG4DrPeoN8Tn9VopA8VR0N7p00lyfKX3g1knGMyh +Bq778Est5lKi++h02YV8c25/T2pVd6rhPqpebggxVKaGoTgsTd7i5ty8/ExqOgUF +Y8CAF3MwAVwn0kdeUkcwexykPnb1VFPDmBFrN2EoJYERRqh+fTp44ifldeYr7dhl +hYHJDvtRY7mlTPekn0oXBJYuY1NJ77nOmxhXVBoVOuWJrjMcl5A= +=NUJu +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:27/ure.12.patch b/share/security/patches/SA-20:27/ure.12.patch new file mode 100644 index 0000000000..1f13241ab6 --- /dev/null +++ b/share/security/patches/SA-20:27/ure.12.patch @@ -0,0 +1,16 @@ +--- sys/dev/usb/net/if_ure.c.orig ++++ sys/dev/usb/net/if_ure.c +@@ -816,9 +816,10 @@ + + URE_LOCK_ASSERT(sc, MA_OWNED); + +- rxmode = URE_RCR_APM; +- if (ifp->if_flags & IFF_BROADCAST) +- rxmode |= URE_RCR_AB; ++ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA); ++ rxmode &= ~(URE_RCR_AAP | URE_RCR_AM); ++ rxmode |= URE_RCR_APM; /* accept physical match packets */ ++ rxmode |= URE_RCR_AB; /* always accept broadcasts */ + if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) { + if (ifp->if_flags & IFF_PROMISC) + rxmode |= URE_RCR_AAP; diff --git a/share/security/patches/SA-20:27/ure.12.patch.asc b/share/security/patches/SA-20:27/ure.12.patch.asc new file mode 100644 index 0000000000..c65c7b96ce --- /dev/null +++ b/share/security/patches/SA-20:27/ure.12.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJdfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJpVQ//c2z6nk+LDQaFYnDyg9Fkl0GqmVsJ0Ml3Wog1lUU0nOqacAhBmZTwq3Oq +dzQ2jstcf1dqj9Bt/6Q525Odt8Bk5zzzN6qHFL+kJiHDWB0aYCfACucYykVH7uIM +LF5XVX8zzHrCW3kvcAwukRB4XhN5eo4uPGpVcm9css5yIEYL++Bxq5UrrL6LgXd3 +kDNMeCXe/RjhnUjwcfjSw+EgUhNlvWmWjV6d2tTxhzqtIfsovTfJuw6tqHsLFhCG +PGUmNi7dH1/OmdzPCrVuxzPy2VaZe8H8s6VXL8orbpw+RWZ6W8E/WOktK2S6HHLb +X0jv3fZ37K3SnydCKlCl5ATPhvhZWhVGSGXVEg4jA7MTU/rjMh1VlH8cPmH66z1x +DxhGH1dO9v/E6v4/YQ6fwMMGnmH0fDRRNs9rodPi6goj70OxvHPAIpbPvm4ZS26c +XvENpnz7rVZyJ8+iehnLQvsarNQ/neJipI7SpIVb1+2g/tHMbq77Mw6wpkB1kKyn +jB9uZZwVn7SlK3XvXZN3jTgTrMhuvTzPJ/0Ek3qYSqWbAPIen+GUC8XJZlO1QLoL +ShkEKWFZBuLmx+/emDG8tiu4WidmeCRHva3gjgOMijyNWETiajMFk7sVbKk974zi +DBquYG/wHWnsOOtSbOTAtIWopZdaxaA7HQVEcGY/6iB8/twlOl8= +=Adwg +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:28/bhyve_vmcs.patch b/share/security/patches/SA-20:28/bhyve_vmcs.patch new file mode 100644 index 0000000000..1dde8c91ed --- /dev/null +++ b/share/security/patches/SA-20:28/bhyve_vmcs.patch @@ -0,0 +1,29 @@ +--- sys/amd64/vmm/amd/svm.c.orig ++++ sys/amd64/vmm/amd/svm.c +@@ -2198,8 +2198,11 @@ + return (svm_modify_intr_shadow(svm_sc, vcpu, val)); + } + +- if (vmcb_write(svm_sc, vcpu, ident, val) == 0) { +- return (0); ++ /* Do not permit user write access to VMCB fields by offset. */ ++ if (!VMCB_ACCESS_OK(ident)) { ++ if (vmcb_write(svm_sc, vcpu, ident, val) == 0) { ++ return (0); ++ } + } + + reg = swctx_regptr(svm_get_guest_regctx(svm_sc, vcpu), ident); +--- sys/amd64/vmm/intel/vmx.c.orig ++++ sys/amd64/vmm/intel/vmx.c +@@ -3341,6 +3341,10 @@ + if (vmxctx_setreg(&vmx->ctx[vcpu], reg, val) == 0) + return (0); + ++ /* Do not permit user write access to VMCS fields by offset. */ ++ if (reg < 0) ++ return (EINVAL); ++ + error = vmcs_setreg(&vmx->vmcs[vcpu], running, reg, val); + + if (error == 0) { diff --git a/share/security/patches/SA-20:28/bhyve_vmcs.patch.asc b/share/security/patches/SA-20:28/bhyve_vmcs.patch.asc new file mode 100644 index 0000000000..57bbe3c503 --- /dev/null +++ b/share/security/patches/SA-20:28/bhyve_vmcs.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJOpA//d8gbQS8I5HdY/xWmt4RoQ8yhvE1v3AmOqt7o14CfKCfMSMFqu7lGXcB/ +rkpIgKmGGS/j+XMeLAvmHtw4zdM1PdkJ4bk71GLfpT91YF9cC7eKHJreidDiMD9z +48DTlCz0lWg7sGLpas5viXZkX7WRhtHHLBzMAHh6k1Ew4N1A/668cH/ZU1C4w4pm +yXzY+su5yXKgdqhibOPlpvuYhITVkqHnkDyMqlppo/hxfjYNKBii+sDBAieGJBmp +1+sW6iCEXdZK+m9LCfiNPOWLE2dkZEqwOazoFBJDmjyp/EZW4sdGhkEgVsADodym +WOqZi8Ca2qfWm7NumGr20zsVbVe9Qx4dspRGLYcs3POaqa1LOg82lcys/h47t4Vw +0uM2UBRGS5XD1V5bB0BWOLYZc7ZlGljASzzZmhBt7MiBJcuzeTwhDGQO3L2otVG6 +SAV1H46onKOU997Br9wH5yFNFgvHf26OjDrE4b9hgSDZsXafSk9mE1rWLLxKRKWT +//ZhN7F/L5JHmRtFMsHa2kKbYiwrxX/T17s9yupn/iOUdu0er+ECqER629PATrxx +5bQxE9geVD7LIEIyYSs7u9H0gP00N656gXIRTr4yQ77O7+AHfJYelHEo6XJNRSdb +Lql9kgsikbH3G2V4HdGBLdxOR/FeCuC5kP9Qoa2L0YVUbfadpUY= +=nYIH +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:29/bhyve_svm.patch b/share/security/patches/SA-20:29/bhyve_svm.patch new file mode 100644 index 0000000000..52b3f8acd2 --- /dev/null +++ b/share/security/patches/SA-20:29/bhyve_svm.patch @@ -0,0 +1,163 @@ +--- sys/amd64/vmm/amd/svm.c.orig ++++ sys/amd64/vmm/amd/svm.c +@@ -488,10 +488,23 @@ + svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_SHUTDOWN); + svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, + VMCB_INTCPT_FERR_FREEZE); ++ svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_INVD); ++ svm_enable_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_INVLPGA); + + svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_MONITOR); + svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_MWAIT); + ++ /* ++ * Intercept SVM instructions since AMD enables them in guests otherwise. ++ * Non-intercepted VMMCALL causes #UD, skip it. ++ */ ++ svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_VMLOAD); ++ svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_VMSAVE); ++ svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_STGI); ++ svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_CLGI); ++ svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_SKINIT); ++ svm_enable_intercept(sc, vcpu, VMCB_CTRL2_INTCPT, VMCB_INTCPT_ICEBP); ++ + /* + * From section "Canonicalization and Consistency Checks" in APMv2 + * the VMRUN intercept bit must be set to pass the consistency check. +@@ -1236,43 +1249,45 @@ + static const char * + exit_reason_to_str(uint64_t reason) + { ++ int i; + static char reasonbuf[32]; +- +- switch (reason) { +- case VMCB_EXIT_INVALID: +- return ("invalvmcb"); +- case VMCB_EXIT_SHUTDOWN: +- return ("shutdown"); +- case VMCB_EXIT_NPF: +- return ("nptfault"); +- case VMCB_EXIT_PAUSE: +- return ("pause"); +- case VMCB_EXIT_HLT: +- return ("hlt"); +- case VMCB_EXIT_CPUID: +- return ("cpuid"); +- case VMCB_EXIT_IO: +- return ("inout"); +- case VMCB_EXIT_MC: +- return ("mchk"); +- case VMCB_EXIT_INTR: +- return ("extintr"); +- case VMCB_EXIT_NMI: +- return ("nmi"); +- case VMCB_EXIT_VINTR: +- return ("vintr"); +- case VMCB_EXIT_MSR: +- return ("msr"); +- case VMCB_EXIT_IRET: +- return ("iret"); +- case VMCB_EXIT_MONITOR: +- return ("monitor"); +- case VMCB_EXIT_MWAIT: +- return ("mwait"); +- default: +- snprintf(reasonbuf, sizeof(reasonbuf), "%#lx", reason); +- return (reasonbuf); ++ static const struct { ++ int reason; ++ const char *str; ++ } reasons[] = { ++ { .reason = VMCB_EXIT_INVALID, .str = "invalvmcb" }, ++ { .reason = VMCB_EXIT_SHUTDOWN, .str = "shutdown" }, ++ { .reason = VMCB_EXIT_NPF, .str = "nptfault" }, ++ { .reason = VMCB_EXIT_PAUSE, .str = "pause" }, ++ { .reason = VMCB_EXIT_HLT, .str = "hlt" }, ++ { .reason = VMCB_EXIT_CPUID, .str = "cpuid" }, ++ { .reason = VMCB_EXIT_IO, .str = "inout" }, ++ { .reason = VMCB_EXIT_MC, .str = "mchk" }, ++ { .reason = VMCB_EXIT_INTR, .str = "extintr" }, ++ { .reason = VMCB_EXIT_NMI, .str = "nmi" }, ++ { .reason = VMCB_EXIT_VINTR, .str = "vintr" }, ++ { .reason = VMCB_EXIT_MSR, .str = "msr" }, ++ { .reason = VMCB_EXIT_IRET, .str = "iret" }, ++ { .reason = VMCB_EXIT_MONITOR, .str = "monitor" }, ++ { .reason = VMCB_EXIT_MWAIT, .str = "mwait" }, ++ { .reason = VMCB_EXIT_VMRUN, .str = "vmrun" }, ++ { .reason = VMCB_EXIT_VMMCALL, .str = "vmmcall" }, ++ { .reason = VMCB_EXIT_VMLOAD, .str = "vmload" }, ++ { .reason = VMCB_EXIT_VMSAVE, .str = "vmsave" }, ++ { .reason = VMCB_EXIT_STGI, .str = "stgi" }, ++ { .reason = VMCB_EXIT_CLGI, .str = "clgi" }, ++ { .reason = VMCB_EXIT_SKINIT, .str = "skinit" }, ++ { .reason = VMCB_EXIT_ICEBP, .str = "icebp" }, ++ { .reason = VMCB_EXIT_INVD, .str = "invd" }, ++ { .reason = VMCB_EXIT_INVLPGA, .str = "invlpga" }, ++ }; ++ ++ for (i = 0; i < nitems(reasons); i++) { ++ if (reasons[i].reason == reason) ++ return (reasons[i].str); + } ++ snprintf(reasonbuf, sizeof(reasonbuf), "%#lx", reason); ++ return (reasonbuf); + } + #endif /* KTR */ + +@@ -1524,6 +1539,20 @@ + case VMCB_EXIT_MWAIT: + vmexit->exitcode = VM_EXITCODE_MWAIT; + break; ++ case VMCB_EXIT_SHUTDOWN: ++ case VMCB_EXIT_VMRUN: ++ case VMCB_EXIT_VMMCALL: ++ case VMCB_EXIT_VMLOAD: ++ case VMCB_EXIT_VMSAVE: ++ case VMCB_EXIT_STGI: ++ case VMCB_EXIT_CLGI: ++ case VMCB_EXIT_SKINIT: ++ case VMCB_EXIT_ICEBP: ++ case VMCB_EXIT_INVD: ++ case VMCB_EXIT_INVLPGA: ++ vm_inject_ud(svm_sc->vm, vcpu); ++ handled = 1; ++ break; + default: + vmm_stat_incr(svm_sc->vm, vcpu, VMEXIT_UNKNOWN, 1); + break; +--- sys/amd64/vmm/amd/vmcb.h.orig ++++ sys/amd64/vmm/amd/vmcb.h +@@ -71,8 +71,8 @@ + #define VMCB_INTCPT_INVD BIT(22) + #define VMCB_INTCPT_PAUSE BIT(23) + #define VMCB_INTCPT_HLT BIT(24) +-#define VMCB_INTCPT_INVPG BIT(25) +-#define VMCB_INTCPT_INVPGA BIT(26) ++#define VMCB_INTCPT_INVLPG BIT(25) ++#define VMCB_INTCPT_INVLPGA BIT(26) + #define VMCB_INTCPT_IO BIT(27) + #define VMCB_INTCPT_MSR BIT(28) + #define VMCB_INTCPT_TASK_SWITCH BIT(29) +@@ -134,12 +134,21 @@ + #define VMCB_EXIT_POPF 0x71 + #define VMCB_EXIT_CPUID 0x72 + #define VMCB_EXIT_IRET 0x74 ++#define VMCB_EXIT_INVD 0x76 + #define VMCB_EXIT_PAUSE 0x77 + #define VMCB_EXIT_HLT 0x78 ++#define VMCB_EXIT_INVLPGA 0x7A + #define VMCB_EXIT_IO 0x7B + #define VMCB_EXIT_MSR 0x7C + #define VMCB_EXIT_SHUTDOWN 0x7F ++#define VMCB_EXIT_VMRUN 0x80 ++#define VMCB_EXIT_VMMCALL 0x81 ++#define VMCB_EXIT_VMLOAD 0x82 + #define VMCB_EXIT_VMSAVE 0x83 ++#define VMCB_EXIT_STGI 0x84 ++#define VMCB_EXIT_CLGI 0x85 ++#define VMCB_EXIT_SKINIT 0x86 ++#define VMCB_EXIT_ICEBP 0x88 + #define VMCB_EXIT_MONITOR 0x8A + #define VMCB_EXIT_MWAIT 0x8B + #define VMCB_EXIT_NPF 0x400 diff --git a/share/security/patches/SA-20:29/bhyve_svm.patch.asc b/share/security/patches/SA-20:29/bhyve_svm.patch.asc new file mode 100644 index 0000000000..9afad84eb8 --- /dev/null +++ b/share/security/patches/SA-20:29/bhyve_svm.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cI5PhAAgsXuFNy2fRvNjAgJoY41AIwBr/5T+0WM09YykMcTC1EQBm1AjRI9jgAm +V4HUQeH7ygs9TVkn+F02iLHSSCJAneu2nPNIalCxyKwhpXpJiYktrJ5wLVC7Q2DC +63Lc7WrfJ858+9ehXh4bvCTJeOJxOIyvaoOLEPslaGje/YD+plqdNWO036D0w+7j +Fbx2rvCILLKIaxVYLCmhm/6V46dT1HHwXJP1dGuKr1ZSq6MGley3KGl7b5b7xb0E +gfZh09QBH7tfATTHnAv2FvLzSBCDn4aZlFZl0uvK8qbK5ZFyfEPicu4SGHtXrMzK +0tBATwLwf1JwgBvYKLR+kywxceVgbLTY0iAo354/GcjHzXR3JE4hxDD4/2FL+r10 +Q8A75AV1/SPf4UOczgapzvqY1zj6M8/ibOPEU+0qaN8YotabGEUr3DLR0d5nWWm1 +BQnBifkyb9ux8AfWjtWHYu6zY5r4sHCZQQXUJHOyCUGpG0mX2p+MxZWCuTJGrYOs +PZyZoJw1vH2rpUcgLikDYkDXCpWNCzwUH7p+tmOAC7EnlFCfxzuv4qgzC538XB76 +wMkfVM2W1h5BXJQP/G+ELCvXX0REQRO1cMn4rIxmO0EOWpL9SVYUHQ53/MbEOBkf +QBkb0COWyNblj6eKG8Cigv0OP1p8iXNXT3zmG6eXeOHckgt6tPA= +=+DkR +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-20:30/ftpd.patch b/share/security/patches/SA-20:30/ftpd.patch new file mode 100644 index 0000000000..92608c68ad --- /dev/null +++ b/share/security/patches/SA-20:30/ftpd.patch @@ -0,0 +1,27 @@ +--- libexec/ftpd/ftpd.c.orig ++++ libexec/ftpd/ftpd.c +@@ -1596,13 +1596,20 @@ + * (uid 0 has no root power over NFS if not mapped explicitly.) + */ + if (seteuid(pw->pw_uid) < 0) { +- reply(550, "Can't set uid."); +- goto bad; ++ if (guest || dochroot) { ++ fatalerror("Can't set uid."); ++ } else { ++ reply(550, "Can't set uid."); ++ goto bad; ++ } + } ++ /* ++ * Do not allow the session to live if we're chroot()'ed and chdir() ++ * fails. Otherwise the chroot jail can be escaped. ++ */ + if (chdir(homedir) < 0) { + if (guest || dochroot) { +- reply(550, "Can't change to base directory."); +- goto bad; ++ fatalerror("Can't change to base directory."); + } else { + if (chdir("/") < 0) { + reply(550, "Root is inaccessible."); diff --git a/share/security/patches/SA-20:30/ftpd.patch.asc b/share/security/patches/SA-20:30/ftpd.patch.asc new file mode 100644 index 0000000000..de0644e6c6 --- /dev/null +++ b/share/security/patches/SA-20:30/ftpd.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl9hOJhfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKBCQ//ZA1qgbTQomNYbe+s3EsrdvULsyheLjx/Do9P8FjN84pASt4ILIDCykRf +vGEMeAB5u4ngvHIUuTm2C0DWeLyyzy9kqoRT8l8CiN7TjAkzHc12vI/c9ruO9nbk +f4C7ia01AaRhaktHjz3vgctzGKHAFEKZ9EvjHftW4Qbv4FOLWrCV2ys2icfW2wEI +ZLuDZIrcMbQj60mO62h+HJUcAIZ+ssOPEM1+tLhmCd3qvqaiHYeTgnm5llAZAS6X +hfH44FgZ/YRXXPj0Asx9aI/RQX8sLIVW7frgDdn6/n3xffl7pdvWjhRf5q4Cy2pl +w9hkc1KGUtACaVoz8SlT+FxeKKwdwX1xlX1sb8vrAuyskZmy1Ne05p0xGX5YDrL0 +QVGEQjndhgi6k2OXjvukME1C7SotC8guMbZtanhCVIsnyE2HdOlsySXvBY4txAl8 +FgbDhrHnGFRdLFAFdwNaxooKkEG6oiF5FcSkfkOCcW43yh6zEJvybC7BVpzJd7Ry +PUZOfytXZAyzB9fqWnku93O4qRakY/do9q3olfk0hRzqoFBpakZ/kMp0dpdWS7Nt +DKdUUtf7MKkt3dxxLSqVNvLkLICnzTjj+E5hRU6Y9XDhvs89/Ut5nDNUJE8crQf2 +juy1ajNlmo5/Pp/0wI9fybDen2YEBPzqN1U1Gm9qKKuyb76POzc= +=IcX7 +-----END PGP SIGNATURE----- |