diff options
author | Gordon Tetlow <gordon@FreeBSD.org> | 2019-08-06 17:31:19 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2019-08-06 17:31:19 +0000 |
commit | c0889e8ec6e1283b90c00c217e2eeed8d8d42867 (patch) | |
tree | b9e69443b181934d6993cebab1fc394925e09ccf /share/security | |
parent | 5d8fe221ffa13462d5795aa03475b385e13f004b (diff) | |
download | doc-c0889e8ec6e1283b90c00c217e2eeed8d8d42867.tar.gz doc-c0889e8ec6e1283b90c00c217e2eeed8d8d42867.zip |
Add EN-19:14, EN-19:15, and SA-19:18 to SA-19:21.
Approved by: so
Notes
Notes:
svn path=/head/; revision=53296
Diffstat (limited to 'share/security')
20 files changed, 1918 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-EN-19:14.epoch.asc b/share/security/advisories/FreeBSD-EN-19:14.epoch.asc new file mode 100644 index 0000000000..079671b589 --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-19:14.epoch.asc @@ -0,0 +1,125 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:14.epoch Errata Notice + The FreeBSD Project + +Topic: Incorrect locking in epoch(9) + +Category: core +Module: kernel +Announced: 2019-08-06 +Credits: Mark Johnston +Affects: FreeBSD 12.0 +Corrected: 2019-07-27 16:11:04 UTC (stable/12, 12.0-STABLE) + 2019-08-06 17:07:43 UTC (releng/12.0, 12.0-RELEASE-p9) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Some parts of the kernel use a new synchronization primitive, epoch(9), +which can be used to implement safe memory reclamation. In this usage, +threads can use the epoch(9) KPI to ensure that no other threads hold +a reference to a given object in memory. + +II. Problem Description + +In the case where epoch(9) must wait for a thread that is blocked on +a lock, it will use the turnstile(9) KPI to propagate the current +thread's priority to the lock holder. However, in the case where the +lock has no designated owner - for example, it is a reader-writer lock +owned by one or more readers - a bug in the interaction with the +turnstile meant that pair of spin locks were left locked when they +should have been unlocked. + +III. Impact + +In rare cases and under heavy load, the kernel may panic or lock up. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for errata update" + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-19:14/epoch.patch +# fetch https://security.FreeBSD.org/patches/EN-19:14/epoch.patch.asc +# gpg --verify epoch.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350373 +releng/12.0/ r350641 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:14.epoch.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1JtztfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJgXA//Wbh6Nv6OL+Aer7oZ8uiZEhDTj+a+IMG617uCyeD+x4/8Hj73J7Pg6vaT +CGqGAslxy8GMmvrO8Jmn0RFDyfJb+mW1M9FqQS4u9DNm1r7nNuOBWj9UcAC9TQOY +rIEoqe/wD6a+EKQ01tgsWm2TYA2hX/WwtKJiYuPJOyuTzm9d3PhQ2SPmU0NaqyfU ++0YT3QHRYUEYHU/tZwAV3axcihYP7NfrgEWmE3LY7fBX1ShxFOYZVlexY4604wyc +SLxCMVnfqFiB8vH5X8R4J9OlsK00j1W2B+PJodocDzNjvHgnRb3RSHeo+EC+3y7k +/P3qRCxtgPzb/VHCCRry0LAmeijxQDWVf4vydjaMVDQEv/zQ+Y5ujAucRAtvtjRm +gYLRTOHnXVTpZk/c8h2Gch9g3sB9aqrsMYtPUqSfRRUFDYJjN3NVmVLo4ciAhjwY +EvGr7HloO3O4n+zYWOagvSvu05TjOA1SGGURAkslthjTXRpmiqDSS6yawW23v7Jw +gC7pvVUnmGSGzlwGPojE6LBSX3CWlgwJV/6g2s0wizPGv3K/IQMMQn7NaaLl09xw +X6TND7mVGqk2w3do1k9ZSkvqI+jr4MkJbGh5Vl8q1J/oW9KPTVO3+mQEi91SvgU+ +YEyzryregBP69ta7gqT0Pgb2+LR9733qPLSh3Hgn/4zRI/seSkU= +=pBEN +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-EN-19:15.libunwind.asc b/share/security/advisories/FreeBSD-EN-19:15.libunwind.asc new file mode 100644 index 0000000000..89f82f720c --- /dev/null +++ b/share/security/advisories/FreeBSD-EN-19:15.libunwind.asc @@ -0,0 +1,130 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:15.libunwind Errata Notice + The FreeBSD Project + +Topic: Incorrect exception handling + +Category: contrib +Module: libunwind +Announced: 2019-08-06 +Affects: FreeBSD 11.2, FreeBSD 12.0 +Corrected: 2019-08-06 17:08:30 UTC (releng/12.0, 12.0-RELEASE-p9) + 2019-08-06 17:08:30 UTC (releng/11.2, 11.2-RELEASE-p13) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The libunwind library, which originates from the LLVM project, is responsible +for handling the unwinding of stack frames, when programs throw C or C++ +style exceptions. It uses exception handling information embedded in the +executable file to determine the layout of the stack, at the time the +exception is being processed. + +II. Problem Description + +In some cases, the exception handling information embedded in executables is +not correctly interpreted by libunwind. This causes it to emit a runtime +error, and abort the affected program. + +III. Impact + +Affected programs will show an message on the standard error stream, when +they attempt to throw an exception: + +libunwind: getEncodedP \ + /usr/src/contrib/llvm/projects/libunwind/src/AddressSpace.hpp:280 - \ + unknown pointer encoding + +After this message, the program will be aborted using the abort(3) function, +which usually results in a core dump. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot. + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-19:15/libunwind.patch +# fetch https://security.FreeBSD.org/patches/EN-19:15/libunwind.patch.asc +# gpg --verify libunwind.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>, and +reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +releng/12.0/ r350642 +releng/11.2/ r350642 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234201> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:15.libunwind.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt0pfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJOkQ/+N8Esx4GPWNOzNOGJAnBgtujVeCDjbubny9ktMElEw6mZJKWqcgFmG1bm +hdz5iAz6xn/W6Y5fUR07aM6KFLTN7Is0LqaC+4mWFgbmPu9t0DVgjjsSHAJk6+fu +NpkSMDYq0tUqhNUFlP36EoTHUuM7KlD3/a1dlGZwSOmT3tQitosD8MYNm8bXdsiG +Fx8xXJz8l7qtSw5a1HI2yrRmR7hZHEblGVDP1BjU+QVh7O+0oTeSWHjtriCeYXOl +KUNypPNU5HTySLI0XE+wXJ8S3SblmCOJSdEy/EDZYd8KxG2ib+abn6KdewQl0dIL +0evKaSeIfrVyHfbQporrUotpuTgHrxdD63vowtyH4fL/JzNmw38ZBRzu/4Lib4eF +uaMr7IXyUvifJRBNHCSV5waEQXdcaZ4/YiNg93kiBCC1FhqKEEel0TLARTqtCEVu +ByQVjjZ5v45OAq74uFSYfnSReLt96VnQFD8J5JIKlYaR145tSUKzgetUy+iekjq2 +7sRr0kh7lGFFNoOhbFDBURr3HrFgfpWgRA12/AuAVelXPTG4ik8tU6X/vNlvysK6 +TJel41R8++MPUQuaQPU9KfUiAycvV4P9/hHEodnjhNY7NaWkXaP+fJpxCtctcFGd +eIcI3nIoJX+6W2KjZkJcrbuZsqkVSsz0MXgfLNuoNZruzdppLAY= +=Sq9+ +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-19:18.bzip2.asc b/share/security/advisories/FreeBSD-SA-19:18.bzip2.asc new file mode 100644 index 0000000000..fe300211c9 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-19:18.bzip2.asc @@ -0,0 +1,144 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:18.bzip2 Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in bzip2 + +Category: contrib +Module: bzip2 +Announced: 2019-08-06 +Affects: All supported versions of FreeBSD. +Corrected: 2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE) + 2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9) + 2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE) + 2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2) + 2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13) +CVE Name: CVE-2016-3189, CVE-2019-12900 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and +decompress files using an algorithm based on the Burrows-Wheeler transform. +They are generally slower than Lempel-Ziv compressors such as gzip, but +usually provide a greater compression ratio. + +The bzip2recover utility extracts blocks from a damaged bzip2(1) file, +permitting partial recovery of the contents of the file. + +II. Problem Description + +The decompressor used in bzip2 contains a bug which can lead to an +out-of-bounds write when processing a specially crafted bzip2(1) file. + +bzip2recover contains a heap use-after-free bug which can be triggered +when processing a specially crafted bzip2(1) file. + +III. Impact + +An attacker who can cause maliciously crafted input to be processed +may trigger either of these bugs. The bzip2recover bug may cause a +crash, permitting a denial-of-service. The bzip2 decompressor bug +could potentially be exploited to execute arbitrary code. + +Note that some utilities, including the tar(1) archiver and the bspatch(1) +binary patching utility (used in portsnap(8) and freebsd-update(8)) +decompress bzip2(1)-compressed data internally; system administrators should +assume that their systems will at some point decompress bzip2(1)-compressed +data even if they never explicitly invoke the bunzip2(1) utility. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and restart daemons if necessary. + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch +# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc +# gpg --verify bzip2.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r349717 +releng/12.0/ r350643 +stable/11/ r349718 +releng/11.3/ r350643 +releng/11.2/ r350643 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189> +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt09fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJWEQ//dBiFwPCKcUaeSBuM9opVUxWzFYrpWdYwwagQXzNqO3Z77Vi2hHQnfpkD +bM8WgWwChOJmlTja7sjnF+QjoV9/elzYhFrD6q0W1nLZ2XHcXyHrbFLMJ+CrvCWR +AuVCEkmT2fchE/5c71l/v8I452EpGZG7P0fwG1bpf84p1PFLl3esfeo8+CzN1x2h +YLnvfp69/tC18LR0/yozRUuFSqoYBhbnJsclB1JkrGx0fPOcE9y3sudVhBIDbH7h +nYSTJl/KkTHf6tbJVXWUVr5gJzCgGvvhUer49RCdJMAwj6hKYT49vWnOFl1T8DAL ++co0ZzTiKoCdrrrguijh4QTEUe4UAGS3PPAwhUiOu+y8Bry06/U565uO9y9iILef +M5oYTbM7h/TErPxSE421fWeexeK0seCHqmj/rO1Yf7RkRvLg/QaJk5YWM0KoP3NH +QQRdX8qNiy4liEqGvJwfUdNcVXA3d7BKifl6MKH+5/2i5B23wHItIeuIGYo5LgdI +mnH59L5wylhWGa0Dc+N9fP0jFvBfk7/4a0joXYIQ7/KDQg0X+WdiGZ/mzZ4GEisX +hwI2laAh/oyksInrMcLCbvgWql+lrUvK3ltHo17U+wrMeb+8btDLR5T/9XlLPWGp +s101XS6ewcwpZ8g5uBtlFBLmp8BGkALTAJtwwqJ2eoLfLYCXq3I= +=3O6m +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-19:19.mldv2.asc b/share/security/advisories/FreeBSD-SA-19:19.mldv2.asc new file mode 100644 index 0000000000..5780ab4a4a --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-19:19.mldv2.asc @@ -0,0 +1,137 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:19.mldv2 Security Advisory + The FreeBSD Project + +Topic: ICMPv6 / MLDv2 out-of-bounds memory access + +Category: core +Module: net +Announced: 2019-08-06 +Credits: CJD of Apple +Affects: All supported versions of FreeBSD. +Corrected: 2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE) + 2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9) + 2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE) + 2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2) + 2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13) +CVE Name: CVE-2019-5608 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +MLDv2 is the Multicast Listener Discovery protocol, version 2. It is used +by IPv6 routers to discover multicast listeners. + +II. Problem Description + +The ICMPv6 input path incorrectly handles cases where an MLDv2 listener +query packet is internally fragmented across multiple mbufs. + +III. Impact + +A remote attacker may be able to cause an out-of-bounds read or write that +may cause the kernel to attempt to access an unmapped page and subsequently +panic. + +IV. Workaround + +No workaround is available. Systems not using IPv6 are not affected. + +V. Solution + +Perform one of the following: + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot. + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Reboot for security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2, FreeBSD 11.3] +# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch +# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc +# gpg --verify mldv2.11.patch.asc + +[FreeBSD 12.0] +# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch +# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc +# gpg --verify mldv2.12.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350648 +releng/12.0/ r350644 +stable/11/ r350650 +releng/11.3/ r350644 +releng/11.2/ r350644 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5608> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:19.mldv2.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1RfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLzTA/+OyyukXWH7rfwMhOlpD60UH4hxN3purvdNeBe4ZxlYvtf8gSUzS1VbK5r +NR9D2HiYRlmaePOil5myan6cVkrKoANoWTrQsCcsFLe6KKbiKlQDx/btbENmCMsR +VoS0ZPx3l9iGuVUwDk6k1JXwKCcO3U3dCDYEI941hEKxYadR+twUP3JOceg8Zn0h +oODXW7LcPXWQKAyFc0Kun1VrjrUGdRGfqk30joR20GP2IjgQceFHKUbiOyBbbIjW ++UVvp2wPBxXvcXNPTpcIpTW5UGJBHCT2OsDulh7hqpiWf78VE8BoksKAvDjtI4i0 +15fmwn7tmQ3aGWK3WoaKWUOXZUlKrxRQDzGyAZ3LzOqPWhv12tJjNJhjnRmCVLfo ++F4I/MHzPgjitZhv8gfn+MRiPG4E1ueAYnPQWiR3qRCLQGhemVdKZIAVnYg6NGpQ +Jgsr1QS8/3GHZ8yrMXUOSNOSuiMmRHbI9915vVzu+hWkfnrCcSr3uVkJeQvx4CZJ +gdTL083Knnkdo4IPOdHWnQjGfrv2rGRyvCJ88m/DIC6hw4weR1LyFWMEHeJCEcJl +5LHiVWmOUJE4ltJXrRoXwxuh9Dia0Mq6KfNA0343JFpQF9rdt3JQ/54FPGtK6NUO +LyX5a42RIKRxWNTN+ADrSk8czbHFIg8MfTwpjiRGx2rYtxjp1qU= +=WaXC +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-19:20.bsnmp.asc b/share/security/advisories/FreeBSD-SA-19:20.bsnmp.asc new file mode 100644 index 0000000000..be75d912eb --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-19:20.bsnmp.asc @@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:20.bsnmp Security Advisory + The FreeBSD Project + +Topic: Insufficient message length validation in bsnmp library + +Category: contrib +Module: bsnmp +Announced: 2019-08-06 +Credits: Guido Vranken <guidovranken@gmail.com> +Affects: All supported versions of FreeBSD. +Corrected: 2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE) + 2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9) + 2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE) + 2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2) + 2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13) +CVE Name: CVE-2019-5610 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The bsnmp software library is used for the Internet SNMP (Simple Network +Management Protocol). As part of this it includes functions to handle ASN.1 +(Abstract Syntax Notation One). + +II. Problem Description + +A function extracting the length from type-length-value encoding is not +properly validating the submitted length. + +III. Impact + +A remote user could cause, for example, an out-of-bounds read, decoding of +unrelated data, or trigger a crash of the software such as bsnmpd resulting +in a denial of service. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch +# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc +# gpg --verify bsnmp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use the library, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350637 +releng/12.0/ r350646 +stable/11/ r350638 +releng/11.3/ r350646 +releng/11.2/ r350646 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1lfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKtBBAAltxFzxuMqWCgJoL9SemLRQxGGk0hRFdN5b78mgVdk2lfDgVz8U7mVM6v +XbcCa4lIy7wMYpUdEySAZLR2ENt0xdpx7oQ6lAg5fnnvrUvom4wU9ruxEs5txFVL +K6RaJnQJyOkI2c/LYvI/ZYmuc29/Nt3p/DvVe7wq86taoqUufN11MXkrRHgn68N3 +7vewixzWpqH5L/aY2qP1d+Xe3QmHX0IcFqeo4U3/3G4wUGRCfHtaENY4w5eUbCa2 +1Qk0oS9iUdX1IJjM5l1ccoFqsjbcO6vNS337qeYNKhLspXMQPwoS0K0HfB6LKt1D +dCBFoXu/qUFjf3qqbpcqGEFrFPZjlNmC4R0Ngx1rfZ1t1dXbj83NOOE1okd3Gb/V +TPDU/jzwt+/6DE6ryNQpeanPdim83w/j+qeA0UaTyxlbj+oSz1gU9Ckaauf+9peI +GT8TPnrgmFlYg2tkYl4tbq5LtRstPGZYguqEt5SHCxBOg3dxByMPzikSFUL9oNxS +9GX7JZT36J20f62hG8Watp2y3W0QsMjJpxF9OojRU6B15Z4Q2aCht4F6DnvEkVfN +1GvS5NAHPHU09TniSgYK3ThkoYrLYykhsXPmJmETV7DU1Qhny1p8H0NwIwB20DEm +AOAcYzLhiXHGpniE5y+MT9Pvt3BDBt36k6WgZ4eZ4RWuzGOumiU= +=rH6X +-----END PGP SIGNATURE----- diff --git a/share/security/advisories/FreeBSD-SA-19:21.bhyve.asc b/share/security/advisories/FreeBSD-SA-19:21.bhyve.asc new file mode 100644 index 0000000000..fc75aba842 --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-19:21.bhyve.asc @@ -0,0 +1,142 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:21.bhyve Security Advisory + The FreeBSD Project + +Topic: Insufficient validation of guest-supplied data (e1000 device) + +Category: core +Module: bhyve +Announced: 2019-08-06 +Credits: Reno Robert +Affects: All supported versions of FreeBSD. +Corrected: 2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE) + 2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9) + 2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE) + 2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2) + 2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13) +CVE Name: CVE-2019-5609 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +bhyve(8) is a hypervisor that supports running a variety of guest operating +systems in virtual machines. bhyve(8) includes an emulated Intel 82545 +network interface adapter ("e1000"). + +II. Problem Description + +The e1000 network adapters permit a variety of modifications to an Ethernet +packet when it is being transmitted. These include the insertion of IP and +TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation +offload ("TSO"). The e1000 device model uses an on-stack buffer to generate +the modified packet header when simulating these modifications on transmitted +packets. + +When TCP segmentation offload is requested for a transmitted packet, the +e1000 device model used a guest-provided value to determine the size of the +on-stack buffer without validation. The subsequent header generation could +overflow an incorrectly sized buffer or indirect a pointer composed of stack +garbage. + +III. Impact + +A misbehaving bhyve guest could overwrite memory in the bhyve process on the +host. + +IV. Workaround + +Only the e1000 device model is affected; the virtio-net device is not +affected by this issue. If supported by the guest operating system +presenting only the virtio-net device to the guest is a suitable workaround. +No workaround is available if the e1000 device model is required. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and restart any affected virtual machines. + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch +# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc +# gpg --verify bhyve.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the applicable virtual machines, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r350619 +releng/12.0/ r350647 +stable/11/ r350619 +releng/11.3/ r350647 +releng/11.2/ r350647 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt1xfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cL0qA//ZdapXUMl6KuuvtZIveMZgNdMVLYaqB1K8yHXO5udd58fTsH6+Khei0LT +gYGxDEJkHinM1EWy688xE+PSzb9twmEmawW4N4WMhWB9oMoTuLQ5E4Zm9my1TdDh +ducK6Q4GqOojIXJ0LtHDqs9qveAfkgB6L6jmLt/1jpZelLupte3S+bPmI4yta7ge +7k54V9GcN05i7wX2TaZA7H3ROQziW537ZeoRB8BQwt7bekFw2uBfO9s0CWcJZPnG ++0D6QEsRqbtYMJr5RkUCc1y4qaqnWBBn/Zyyr0P+bXZklU/IW2GJTDWNObXN7DPE +NOhuVY7PQHN6jv3u+nKa1AY7mjI3zBo009iAfPQFCb9Kn08tJ2A9WrExEMwZdcbI +nXVqCRdp7xCSPO73vjNv4btzvAU7iwbaBkpGFs721cH72ImvmXi7TwepPEAul0do +VwKYMxhStZtoDQhEea1eq41KNvqxmA/mkbEjpKcTZCUJq7xVyV4uaVme3Uq45uaa +mKMWx+Gg09A2Y5NfSCiz9AGuMkIGn05hKIOK39yAG159uTks60Ybsw/bOnE9WnMJ +5igcI+U6utIMi2M6nH4rn/wKBYM9cHWmQLfo6kECUi2CCTmR5VL8BTJ/8vHCqXi1 +vCcAPacKYAROsvGQyynSVLiXJAXOrc8/VyoXRHC5cAapVeParcw= +=0XzG +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-19:14/epoch.patch b/share/security/patches/EN-19:14/epoch.patch new file mode 100644 index 0000000000..55912d93bc --- /dev/null +++ b/share/security/patches/EN-19:14/epoch.patch @@ -0,0 +1,87 @@ +--- sys/kern/subr_epoch.c.orig ++++ sys/kern/subr_epoch.c +@@ -325,24 +325,20 @@ + */ + critical_enter(); + thread_unlock(td); +- owner = turnstile_lock(ts, &lock); +- /* +- * The owner pointer indicates that the lock succeeded. Only +- * in case we hold the lock and the turnstile we locked is still +- * the one that curwaittd is blocked on can we continue. Otherwise +- * The turnstile pointer has been changed out from underneath +- * us, as in the case where the lock holder has signalled curwaittd, +- * and we need to continue. +- */ +- if (owner != NULL && ts == curwaittd->td_blocked) { +- MPASS(TD_IS_INHIBITED(curwaittd) && TD_ON_LOCK(curwaittd)); +- critical_exit(); +- turnstile_wait(ts, owner, curwaittd->td_tsqueue); +- counter_u64_add(turnstile_count, 1); +- thread_lock(td); +- return; +- } else if (owner != NULL) ++ ++ if (turnstile_lock(ts, &lock, &owner)) { ++ if (ts == curwaittd->td_blocked) { ++ MPASS(TD_IS_INHIBITED(curwaittd) && ++ TD_ON_LOCK(curwaittd)); ++ critical_exit(); ++ turnstile_wait(ts, owner, ++ curwaittd->td_tsqueue); ++ counter_u64_add(turnstile_count, 1); ++ thread_lock(td); ++ return; ++ } + turnstile_unlock(ts, lock); ++ } + thread_lock(td); + critical_exit(); + KASSERT(td->td_locks == locksheld, +--- sys/kern/subr_turnstile.c.orig ++++ sys/kern/subr_turnstile.c +@@ -566,14 +566,15 @@ + return (ts); + } + +-struct thread * +-turnstile_lock(struct turnstile *ts, struct lock_object **lockp) ++bool ++turnstile_lock(struct turnstile *ts, struct lock_object **lockp, ++ struct thread **tdp) + { + struct turnstile_chain *tc; + struct lock_object *lock; + + if ((lock = ts->ts_lockobj) == NULL) +- return (NULL); ++ return (false); + tc = TC_LOOKUP(lock); + mtx_lock_spin(&tc->tc_lock); + mtx_lock_spin(&ts->ts_lock); +@@ -580,10 +581,11 @@ + if (__predict_false(lock != ts->ts_lockobj)) { + mtx_unlock_spin(&tc->tc_lock); + mtx_unlock_spin(&ts->ts_lock); +- return (NULL); ++ return (false); + } + *lockp = lock; +- return (ts->ts_owner); ++ *tdp = ts->ts_owner; ++ return (true); + } + + void +--- sys/sys/turnstile.h.orig ++++ sys/sys/turnstile.h +@@ -100,7 +100,8 @@ + struct turnstile *turnstile_trywait(struct lock_object *); + void turnstile_unpend(struct turnstile *); + void turnstile_wait(struct turnstile *, struct thread *, int); +-struct thread *turnstile_lock(struct turnstile *, struct lock_object **); ++bool turnstile_lock(struct turnstile *, struct lock_object **, ++ struct thread **); + void turnstile_unlock(struct turnstile *, struct lock_object *); + void turnstile_assert(struct turnstile *); + #endif /* _KERNEL */ diff --git a/share/security/patches/EN-19:14/epoch.patch.asc b/share/security/patches/EN-19:14/epoch.patch.asc new file mode 100644 index 0000000000..bde9659ec7 --- /dev/null +++ b/share/security/patches/EN-19:14/epoch.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt2lfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLIBg//ekpEak+WE5KSx7vvkel/UzUPtLMDHdcgb6w4xps5I0/jvbjGLp0JuNsW +Tj73NBDA3KkzTlZSaus38yauUzq8Io6Q11/6ovI15TR58V6R35RSDnI2Df9ML0Wg +GcTnm1bTYbJ1TADQtILO6hxCNR1rvHcj0GycT8NGRNFSerNAhpF+YfMba+Tc3rOU +BeOacXDr8WCTgpa46nltcKE7Qmov2JdMS4yMH21KqXSU3ZCnwHZK+pWthPbeAVyO +NzsRPDn9PKp6sYVc5t7BE5Vn3cg76QNYZBNrHcHJNxhJ1IXOyL/SWg1j3zeiOygp +lDxZPja+mKXerEALBdGVfr/eg1ZeySlKRdETezCuzKnUSMbrQEVGL4pgaPepBCg6 +eGa6PRiwVz+y93w1UpVl8aDOTr/u2O/LeRZX5lLBSa4nBp7sOLilzbDQNsgHWXCX +R4G72PnAkPNwA158u+/vvz1moLWggVeO8edjKNEwiH/i2gyNllXFOtG1TuBL1+EV +T8ySrByEJ/0/Hq+prZCr7ELry+EZcnaag6+Jg29bfxMOK8RAfjqFHgmtSzblWllg +RCTr6Wttw85XcAKYwTXR9CwBf7yuIJb3taMp7XXHljjaMAvQIybRiHphwZSFOh1q +mktgzP1Yp/CdUw8BKFR1cbB5kkQY6Ezq1XTUDH3qebdWLpTqizI= +=Wj+f +-----END PGP SIGNATURE----- diff --git a/share/security/patches/EN-19:15/libunwind.patch b/share/security/patches/EN-19:15/libunwind.patch new file mode 100644 index 0000000000..5a05e45847 --- /dev/null +++ b/share/security/patches/EN-19:15/libunwind.patch @@ -0,0 +1,13 @@ +--- contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp.orig ++++ contrib/llvm/projects/libunwind/src/EHHeaderParser.hpp +@@ -68,7 +68,9 @@ + ehHdrInfo.eh_frame_ptr = + addressSpace.getEncodedP(p, ehHdrEnd, eh_frame_ptr_enc, ehHdrStart); + ehHdrInfo.fde_count = +- addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart); ++ fde_count_enc == DW_EH_PE_omit ++ ? 0 ++ : addressSpace.getEncodedP(p, ehHdrEnd, fde_count_enc, ehHdrStart); + ehHdrInfo.table = p; + } + diff --git a/share/security/patches/EN-19:15/libunwind.patch.asc b/share/security/patches/EN-19:15/libunwind.patch.asc new file mode 100644 index 0000000000..eb2112c420 --- /dev/null +++ b/share/security/patches/EN-19:15/libunwind.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt25fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJ1hw/+I2Gj+htbN2MhOodcLa4e4LsgxP9rGW9NZw3F9MbjgDNlVnlVLXrvyKjB +sCBuzLWGWMPkrhyh8zkHTHBq+0An3dCPk5LW5jHy6k31mofL8Jj7SyqQVigK93BN +24NcJP51ScUV0sBrhArd2We1bqmVWXsw0ZZYwm0iHVNFqaxJ1+kkvcw4KQmer+/d +E8+bCKszDyPU3rVVlb6OIsXhMrLgW8Qu0LDP9Ym6qNsfXIGwpFhrtuG1OUiSLiT8 +lnDpB9x5tDYTBVv9//XVZinoTQY4aJ/IcMdK8B7TS2CTyjCL+n+xXgW3bj0u8zKE +gNoxFwH8JNg3srVSelvEkhxGta35JefjIxu0aqD38DHTcyWoqOfdHFcnsQob9SEq +5/afVzFFUutqjfENmYoQ2CvSt3d4GALRGeoNbp0uysIhw1IqIGGuYt5loAYwDApc +4ic6l4bZ+eNXz7GNYBS+CRqHhMdJH5/YxT0UO2uY7Cpd/FtgcM1kHf9xItnL5Kru +cgo35Aw/LWWC5xI1B9ivERtYuQkvQ1KA4wabAhiblA/2bzbEzuc+zB9NDof1nqFp +4BPSYOm8CYYPX8psoKLvxQzeWind1VlJ8NNKQijTmlSsJcR9OjGq5P5KiGYM41X7 +29hUiG8WFFn/3+VglGM6MrGxTCwYTGJ3ry0yFq5LhxDTdH1Yrrg= +=pcMq +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-19:18/bzip2.patch b/share/security/patches/SA-19:18/bzip2.patch new file mode 100644 index 0000000000..d4ee655d3d --- /dev/null +++ b/share/security/patches/SA-19:18/bzip2.patch @@ -0,0 +1,490 @@ +--- contrib/bzip2/CHANGES.orig ++++ contrib/bzip2/CHANGES +@@ -2,8 +2,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +@@ -325,3 +325,16 @@ + Izdebski. + + * Make the documentation build on Ubuntu 10.04 ++ ++1.0.7 (27 Jun 19) ++~~~~~~~~~~~~~~~~~ ++ ++* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH ++ ++* bzip2: Fix return value when combining --test,-t and -q. ++ ++* bzip2recover: Fix buffer overflow for large argv[0] ++ ++* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189) ++ ++* Make sure nSelectors is not out of range (CVE-2019-12900) +--- contrib/bzip2/LICENSE.orig ++++ contrib/bzip2/LICENSE +@@ -36,7 +36,7 @@ + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +-Julian Seward, jseward@bzip.org +-bzip2/libbzip2 version 1.0.6 of 6 September 2010 ++Julian Seward, jseward@acm.org ++bzip2/libbzip2 version 1.0.7 of 27 June 2019 + + -------------------------------------------------------------------------- +--- contrib/bzip2/README.orig ++++ contrib/bzip2/README +@@ -6,8 +6,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +-bzip2/libbzip2 version 1.0.6 of 6 September 2010 +-Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in this file. + +@@ -73,7 +73,7 @@ + + It's difficult for me to support compilation on all these platforms. + My approach is to collect binaries for these platforms, and put them +-on the master web site (http://www.bzip.org). Look there. However ++on the master web site (https://sourceware.org/bzip2/). Look there. However + (FWIW), bzip2-1.0.X is very standard ANSI C and should compile + unmodified with MS Visual C. If you have difficulties building, you + might want to read README.COMPILATION.PROBLEMS. +@@ -161,33 +161,12 @@ + * Many small improvements in file and flag handling. + * A Y2K statement. + +-WHAT'S NEW IN 1.0.0 ? ++WHAT'S NEW IN 1.0.x ? + + See the CHANGES file. + +-WHAT'S NEW IN 1.0.2 ? +- +- See the CHANGES file. +- +-WHAT'S NEW IN 1.0.3 ? +- +- See the CHANGES file. +- +-WHAT'S NEW IN 1.0.4 ? +- +- See the CHANGES file. +- +-WHAT'S NEW IN 1.0.5 ? +- +- See the CHANGES file. +- +-WHAT'S NEW IN 1.0.6 ? +- +- See the CHANGES file. +- +- + I hope you find bzip2 useful. Feel free to contact me at +- jseward@bzip.org ++ jseward@acm.org + if you have any suggestions or queries. Many people mailed me with + comments, suggestions and patches after the releases of bzip-0.15, + bzip-0.21, and bzip2 versions 0.1pl2, 0.9.0, 0.9.5, 1.0.0, 1.0.1, +@@ -194,10 +173,10 @@ + 1.0.2 and 1.0.3, and the changes in bzip2 are largely a result of this + feedback. I thank you for your comments. + +-bzip2's "home" is http://www.bzip.org/ ++bzip2's "home" is https://sourceware.org/bzip2/ + + Julian Seward +-jseward@bzip.org ++jseward@acm.org + Cambridge, UK. + + 18 July 1996 (version 0.15) +@@ -213,3 +192,4 @@ + 20 December 2006 (bzip2, version 1.0.4) + 10 December 2007 (bzip2, version 1.0.5) + 6 Sept 2010 (bzip2, version 1.0.6) ++27 June 2019 (bzip2, version 1.0.7) +--- contrib/bzip2/README.COMPILATION.PROBLEMS.orig ++++ contrib/bzip2/README.COMPILATION.PROBLEMS +@@ -2,8 +2,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +-bzip2/libbzip2 version 1.0.6 of 6 September 2010 +-Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +@@ -12,7 +12,7 @@ + in the file LICENSE. + ------------------------------------------------------------------ + +-bzip2-1.0.6 should compile without problems on the vast majority of ++bzip2 should compile without problems on the vast majority of + platforms. Using the supplied Makefile, I've built and tested it + myself for x86-linux and amd64-linux. With makefile.msc, Visual C++ + 6.0 and nmake, you can build a native Win32 version too. Large file +--- contrib/bzip2/blocksort.c.orig ++++ contrib/bzip2/blocksort.c +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +@@ -202,9 +202,9 @@ + bhtab [ 0 .. 2+(nblock/32) ] destroyed + */ + +-#define SET_BH(zz) bhtab[(zz) >> 5] |= (1 << ((zz) & 31)) +-#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~(1 << ((zz) & 31)) +-#define ISSET_BH(zz) (bhtab[(zz) >> 5] & (1 << ((zz) & 31))) ++#define SET_BH(zz) bhtab[(zz) >> 5] |= ((UInt32)1 << ((zz) & 31)) ++#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~((UInt32)1 << ((zz) & 31)) ++#define ISSET_BH(zz) (bhtab[(zz) >> 5] & ((UInt32)1 << ((zz) & 31))) + #define WORD_BH(zz) bhtab[(zz) >> 5] + #define UNALIGNED_BH(zz) ((zz) & 0x01f) + +--- contrib/bzip2/bzip2.1.orig ++++ contrib/bzip2/bzip2.1 +@@ -1,6 +1,6 @@ + .TH bzip2 1 + .SH NAME +-bzip2, bunzip2 \- a block-sorting file compressor, v1.0.6 ++bzip2, bunzip2 \- a block-sorting file compressor, v1.0.7 + .br + bzcat \- decompresses files to stdout + .br +@@ -404,7 +404,7 @@ + tries hard to detect I/O errors and exit cleanly, but the details of + what the problem is sometimes seem rather misleading. + +-This manual page pertains to version 1.0.6 of ++This manual page pertains to version 1.0.7 of + .I bzip2. + Compressed data created by this version is entirely forwards and + backwards compatible with the previous public releases, versions +@@ -426,9 +426,9 @@ + + + .SH AUTHOR +-Julian Seward, jsewardbzip.org. ++Julian Seward, jseward@acm.org. + +-http://www.bzip.org ++https://sourceware.org/bzip2/ + + The ideas embodied in + .I bzip2 +--- contrib/bzip2/bzip2.c.orig ++++ contrib/bzip2/bzip2.c +@@ -7,8 +7,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +@@ -554,7 +554,7 @@ + Bool testStream ( FILE *zStream ) + { + BZFILE* bzf = NULL; +- Int32 bzerr, bzerr_dummy, ret, nread, streamNo, i; ++ Int32 bzerr, bzerr_dummy, ret, streamNo, i; + UChar obuf[5000]; + UChar unused[BZ_MAX_UNUSED]; + Int32 nUnused; +@@ -577,7 +577,7 @@ + streamNo++; + + while (bzerr == BZ_OK) { +- nread = BZ2_bzRead ( &bzerr, bzf, obuf, 5000 ); ++ BZ2_bzRead ( &bzerr, bzf, obuf, 5000 ); + if (bzerr == BZ_DATA_ERROR_MAGIC) goto errhandler; + } + if (bzerr != BZ_STREAM_END) goto errhandler; +@@ -749,7 +749,7 @@ + "\n%s: PANIC -- internal consistency error:\n" + "\t%s\n" + "\tThis is a BUG. Please report it to me at:\n" +- "\tjseward@bzip.org\n", ++ "\tjseward@acm.org\n", + progName, s ); + showFileNames(); + cleanUpAndFail( 3 ); +@@ -829,7 +829,7 @@ + " The user's manual, Section 4.3, has more info on (1) and (2).\n" + " \n" + " If you suspect this is a bug in bzip2, or are unsure about (1)\n" +- " or (2), feel free to report it to me at: jseward@bzip.org.\n" ++ " or (2), feel free to report it to me at: jseward@acm.org.\n" + " Section 4.3 of the user's manual describes the info a useful\n" + " bug report should have. If the manual is available on your\n" + " system, please try and read it before mailing me. If you don't\n" +@@ -852,7 +852,7 @@ + " The user's manual, Section 4.3, has more info on (2) and (3).\n" + " \n" + " If you suspect this is a bug in bzip2, or are unsure about (2)\n" +- " or (3), feel free to report it to me at: jseward@bzip.org.\n" ++ " or (3), feel free to report it to me at: jseward@acm.org.\n" + " Section 4.3 of the user's manual describes the info a useful\n" + " bug report should have. If the manual is available on your\n" + " system, please try and read it before mailing me. If you don't\n" +@@ -1609,7 +1609,7 @@ + " \n" + " This program is free software; you can redistribute it and/or modify\n" + " it under the terms set out in the LICENSE file, which is included\n" +- " in the bzip2-1.0.6 source distribution.\n" ++ " in the bzip2 source distribution.\n" + " \n" + " This program is distributed in the hope that it will be useful,\n" + " but WITHOUT ANY WARRANTY; without even the implied warranty of\n" +@@ -2005,12 +2005,14 @@ + testf ( aa->name ); + } + } +- if (testFailsExist && noisy) { +- fprintf ( stderr, +- "\n" +- "You can use the `bzip2recover' program to attempt to recover\n" +- "data from undamaged sections of corrupted files.\n\n" +- ); ++ if (testFailsExist) { ++ if (noisy) { ++ fprintf ( stderr, ++ "\n" ++ "You can use the `bzip2recover' program to attempt to recover\n" ++ "data from undamaged sections of corrupted files.\n\n" ++ ); ++ } + setExit(2); + exit(exitValue); + } +--- contrib/bzip2/bzip2recover.c.orig ++++ contrib/bzip2/bzip2recover.c +@@ -7,8 +7,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +@@ -309,11 +309,12 @@ + UInt32 buffHi, buffLo, blockCRC; + Char* p; + +- strcpy ( progName, argv[0] ); ++ strncpy ( progName, argv[0], BZ_MAX_FILENAME-1); ++ progName[BZ_MAX_FILENAME-1]='\0'; + inFileName[0] = outFileName[0] = 0; + + fprintf ( stderr, +- "bzip2recover 1.0.6: extracts blocks from damaged .bz2 files.\n" ); ++ "bzip2recover 1.0.7: extracts blocks from damaged .bz2 files.\n" ); + + if (argc != 2) { + fprintf ( stderr, "%s: usage is `%s damaged_file_name'.\n", +@@ -457,6 +458,7 @@ + bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); + bsPutUInt32 ( bsWr, blockCRC ); + bsClose ( bsWr ); ++ outFile = NULL; + } + if (wrBlock >= rbCtr) break; + wrBlock++; +--- contrib/bzip2/bzlib.c.orig ++++ contrib/bzip2/bzlib.c +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +@@ -47,7 +47,7 @@ + fprintf(stderr, + "\n\nbzip2/libbzip2: internal error number %d.\n" + "This is a bug in bzip2/libbzip2, %s.\n" +- "Please report it to me at: jseward@bzip.org. If this happened\n" ++ "Please report it to me at: jseward@acm.org. If this happened\n" + "when you were using some program which uses libbzip2 as a\n" + "component, you should also report this bug to the author(s)\n" + "of that program. Please make an effort to report this bug;\n" +--- contrib/bzip2/bzlib.h.orig ++++ contrib/bzip2/bzlib.h +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +--- contrib/bzip2/bzlib_private.h.orig ++++ contrib/bzip2/bzlib_private.h +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +@@ -36,7 +36,7 @@ + + /*-- General stuff. --*/ + +-#define BZ_VERSION "1.0.6, 6-Sept-2010" ++#define BZ_VERSION "1.0.7, 27-Jun-2019" + + typedef char Char; + typedef unsigned char Bool; +--- contrib/bzip2/compress.c.orig ++++ contrib/bzip2/compress.c +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +--- contrib/bzip2/crctable.c.orig ++++ contrib/bzip2/crctable.c +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +--- contrib/bzip2/decompress.c.orig ++++ contrib/bzip2/decompress.c +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +@@ -285,9 +285,9 @@ + + /*--- Now the selectors ---*/ + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); +- if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); ++ if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR); + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR); ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); + for (i = 0; i < nSelectors; i++) { + j = 0; + while (True) { +--- contrib/bzip2/huffman.c.orig ++++ contrib/bzip2/huffman.c +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +--- contrib/bzip2/randtable.c.orig ++++ contrib/bzip2/randtable.c +@@ -8,8 +8,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +--- contrib/bzip2/spewG.c.orig ++++ contrib/bzip2/spewG.c +@@ -13,8 +13,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +--- contrib/bzip2/unzcrash.c.orig ++++ contrib/bzip2/unzcrash.c +@@ -17,8 +17,8 @@ + This file is part of bzip2/libbzip2, a program and library for + lossless, block-sorting data compression. + +- bzip2/libbzip2 version 1.0.6 of 6 September 2010 +- Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> ++ bzip2/libbzip2 version 1.0.7 of 27 June 2019 ++ Copyright (C) 1996-2010 Julian Seward <jseward@acm.org> + + Please read the WARNING, DISCLAIMER and PATENTS sections in the + README file. +--- contrib/bzip2/words2.orig ++++ contrib/bzip2/words2 +@@ -1,5 +1,5 @@ + + Checking test results. If any of the four "cmp"s which follow + report any differences, something is wrong. If you can't easily +-figure out what, please let me know (jseward@bzip.org). ++figure out what, please let me know (jseward@acm.org). + diff --git a/share/security/patches/SA-19:18/bzip2.patch.asc b/share/security/patches/SA-19:18/bzip2.patch.asc new file mode 100644 index 0000000000..1fecad4cf9 --- /dev/null +++ b/share/security/patches/SA-19:18/bzip2.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt3ZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLgdBAAmQQ+moDndbNdPyCwkOOBA0UaVA4J+XBuJxtSK9hm8WxvXjy3hpo26vwM +JUho+ftP7igYL/oyOQPrSO0AUpVgHiEMROOHnfpwTETU4jNUhRZmkkahvmskocuA +Xi+Up4v2ED7E97k+LpN6FwUOZsaqoNfXlYxsRf3gze9VzmtcUGDoP2V3q2icqy0X +HHcvI5BTpU4AJWXeH1KA/XCWWXsbmQAqV4pysJeSLFnaN4ZMb3Z7rYikGimnfiKE +s9ihgr5zJxIbEWACwhhcSRRzBzLB6PrN4J/bZoUzZXAVcYktmhOWmEYSZMZgbzDY +aSKxpXO6yw+w4TM1JzXdatCca0HN0Isml6Mq+EsPE8PWwzu2QcV3jv4L1reW422b +8wSMkjpJElmz4+S5gw2NHOrIC7/W365A//BdqHfdQwkCzkm+Vnuzf7Y3D7eorwa+ +Z0RqZ/J5LmMqA6pdzfNgXKVMzCaGNLYelOkZAQYwBDR/buJcbu6WWpa+LU4GKy0Y +RdTevl+vqwyArcASRFZm0RAROO3dkE8C4DL4qBVn8AXn+5yLF1vgOirpwF83bEiG +A85bsRgQS0aFVau+ih9WYYxl51+L0ZuE94/o6s2aZnhJMyQDzl5stH1HIRJrAk+a +WVue+uo9LyK6AtvXymLzIoVs1K0x486FFAILGFN3r/SP31DxkrI= +=9IqU +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-19:19/mldv2.11.patch b/share/security/patches/SA-19:19/mldv2.11.patch new file mode 100644 index 0000000000..a9efb81762 --- /dev/null +++ b/share/security/patches/SA-19:19/mldv2.11.patch @@ -0,0 +1,138 @@ +--- sys/netinet6/mld6.c.orig ++++ sys/netinet6/mld6.c +@@ -137,7 +137,7 @@ + struct in6_multi *, const int, const int, const int, + const int); + static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *, +- struct mbuf *, const int, const int); ++ struct mbuf *, struct mldv2_query *, const int, const int); + static int mld_v2_merge_state_changes(struct in6_multi *, + struct mbufq *); + static void mld_v2_process_group_timers(struct mld_ifsoftc *, +@@ -144,7 +144,8 @@ + struct mbufq *, struct mbufq *, + struct in6_multi *, const int); + static int mld_v2_process_group_query(struct in6_multi *, +- struct mld_ifsoftc *mli, int, struct mbuf *, const int); ++ struct mld_ifsoftc *mli, int, struct mbuf *, ++ struct mldv2_query *, const int); + static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS); + static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS); + +@@ -794,16 +795,16 @@ + * Process a received MLDv2 general, group-specific or + * group-and-source-specific query. + * +- * Assumes that the query header has been pulled up to sizeof(mldv2_query). ++ * Assumes that mld points to a struct mldv2_query which is stored in ++ * contiguous memory. + * + * Return 0 if successful, otherwise an appropriate error code is returned. + */ + static int + mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6, +- struct mbuf *m, const int off, const int icmp6len) ++ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len) + { + struct mld_ifsoftc *mli; +- struct mldv2_query *mld; + struct in6_multi *inm; + uint32_t maxdelay, nsrc, qqi; + int is_general_query; +@@ -828,8 +829,6 @@ + + CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp)); + +- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off); +- + maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */ + if (maxdelay >= 32768) { + maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) << +@@ -954,7 +953,7 @@ + * group-specific or group-and-source query. + */ + if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer) +- mld_v2_process_group_query(inm, mli, timer, m, off); ++ mld_v2_process_group_query(inm, mli, timer, m, mld, off); + + /* XXX Clear embedded scope ID as userland won't expect it. */ + in6_clearscope(&mld->mld_addr); +@@ -975,9 +974,8 @@ + */ + static int + mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli, +- int timer, struct mbuf *m0, const int off) ++ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off) + { +- struct mldv2_query *mld; + int retval; + uint16_t nsrc; + +@@ -985,7 +983,6 @@ + MLD_LOCK_ASSERT(); + + retval = 0; +- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off); + + switch (inm->in6m_state) { + case MLD_NOT_MEMBER: +@@ -1005,6 +1002,15 @@ + + nsrc = ntohs(mld->mld_numsrc); + ++ /* Length should be checked by calling function. */ ++ KASSERT((m0->m_flags & M_PKTHDR) == 0 || ++ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) + ++ nsrc * sizeof(struct in6_addr), ++ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)", ++ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) + ++ nsrc * sizeof(struct in6_addr), m0)); ++ ++ + /* + * Deal with group-specific queries upfront. + * If any group query is already pending, purge any recorded +@@ -1046,28 +1052,20 @@ + * report for those sources. + */ + if (inm->in6m_nsrc > 0) { +- struct mbuf *m; +- uint8_t *sp; ++ struct in6_addr srcaddr; + int i, nrecorded; + int soff; + +- m = m0; + soff = off + sizeof(struct mldv2_query); + nrecorded = 0; + for (i = 0; i < nsrc; i++) { +- sp = mtod(m, uint8_t *) + soff; +- retval = in6m_record_source(inm, +- (const struct in6_addr *)sp); ++ m_copydata(m0, soff, sizeof(struct in6_addr), ++ (caddr_t)&srcaddr); ++ retval = in6m_record_source(inm, &srcaddr); + if (retval < 0) + break; + nrecorded += retval; + soff += sizeof(struct in6_addr); +- if (soff >= m->m_len) { +- soff = soff - m->m_len; +- m = m->m_next; +- if (m == NULL) +- break; +- } + } + if (nrecorded > 0) { + CTR1(KTR_MLD, +@@ -1276,8 +1274,8 @@ + if (mld_v1_input_query(ifp, ip6, mld) != 0) + return (0); + } else if (icmp6len >= sizeof(struct mldv2_query)) { +- if (mld_v2_input_query(ifp, ip6, m, off, +- icmp6len) != 0) ++ if (mld_v2_input_query(ifp, ip6, m, ++ (struct mldv2_query *)mld, off, icmp6len) != 0) + return (0); + } + break; diff --git a/share/security/patches/SA-19:19/mldv2.11.patch.asc b/share/security/patches/SA-19:19/mldv2.11.patch.asc new file mode 100644 index 0000000000..2d670a3f34 --- /dev/null +++ b/share/security/patches/SA-19:19/mldv2.11.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt4dfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJ3OQ/+IaP24bKUpPEK2xAzOrYJ0aWGFxL4Xee0X6hH0LTBQhOheomRaLQhPzcZ +YevSFHc099f7Bw3lPTloc/A7TnQkl9cpsV8a6SD2B6NuDPP+q4sSza8AAJFBSc8K +CDw9VAhz99Arjm6o3pKSj9RLq2JbSPyFKUBxpWEpfNE4Kom6UfSumxbEGix8/+Zp +P2yd6DfrzDoNZCFO2XIvauoK3Ypa9znlZ+S06TzxeST2IF3jtRkhdLXgQuwGmZ2a +nUxkUsP6Zdj8x6oEKTf+sGWb1K4zRekLIsEFP5xGeOcej8NAQZ2Kk4NaXw798zoD +/Zn3gpojxzSkWGmsREkOZcGh/fRcHeAI06JDn/A+l3CqCiVXLwHgKrlilQQkfChN +FrgogibC9ZSAQveNjE2vw7SphQwmN2nJ479h2qNkLy98TRqo1YhWLCLGFV/N+SUB +vIS92pM7rklfp++yeyvhyXT511wWtJR8dppJRywY1OfO5odHnlKrDMdCj1Q7l8+W +eHeYoHKcKxWkWrbrw9O/bBUYy+oBXN8cu552OjnzSl4vv+aNQ79mCwUhFdawFE6J +jNbbC/mYZO2sn9jk3gLzdtyARhTQ4h3dLPTryZ6xqINn9iY3O5d38qaaTRK5arme +nIcqS3Q1zqXnZhw+lQ6fwK2KAqHPnae7ZrScwdLAQjQ+eaHsCTw= +=/GVp +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-19:19/mldv2.12.patch b/share/security/patches/SA-19:19/mldv2.12.patch new file mode 100644 index 0000000000..ddbf0d270b --- /dev/null +++ b/share/security/patches/SA-19:19/mldv2.12.patch @@ -0,0 +1,138 @@ +--- sys/netinet6/mld6.c.orig ++++ sys/netinet6/mld6.c +@@ -139,7 +139,7 @@ + struct in6_multi *, const int, const int, const int, + const int); + static int mld_v2_input_query(struct ifnet *, const struct ip6_hdr *, +- struct mbuf *, const int, const int); ++ struct mbuf *, struct mldv2_query *, const int, const int); + static int mld_v2_merge_state_changes(struct in6_multi *, + struct mbufq *); + static void mld_v2_process_group_timers(struct in6_multi_head *, +@@ -146,7 +146,8 @@ + struct mbufq *, struct mbufq *, + struct in6_multi *, const int); + static int mld_v2_process_group_query(struct in6_multi *, +- struct mld_ifsoftc *mli, int, struct mbuf *, const int); ++ struct mld_ifsoftc *mli, int, struct mbuf *, ++ struct mldv2_query *, const int); + static int sysctl_mld_gsr(SYSCTL_HANDLER_ARGS); + static int sysctl_mld_ifinfo(SYSCTL_HANDLER_ARGS); + +@@ -803,16 +804,16 @@ + * Process a received MLDv2 general, group-specific or + * group-and-source-specific query. + * +- * Assumes that the query header has been pulled up to sizeof(mldv2_query). ++ * Assumes that mld points to a struct mldv2_query which is stored in ++ * contiguous memory. + * + * Return 0 if successful, otherwise an appropriate error code is returned. + */ + static int + mld_v2_input_query(struct ifnet *ifp, const struct ip6_hdr *ip6, +- struct mbuf *m, const int off, const int icmp6len) ++ struct mbuf *m, struct mldv2_query *mld, const int off, const int icmp6len) + { + struct mld_ifsoftc *mli; +- struct mldv2_query *mld; + struct in6_multi *inm; + uint32_t maxdelay, nsrc, qqi; + int is_general_query; +@@ -844,8 +845,6 @@ + + CTR2(KTR_MLD, "input v2 query on ifp %p(%s)", ifp, if_name(ifp)); + +- mld = (struct mldv2_query *)(mtod(m, uint8_t *) + off); +- + maxdelay = ntohs(mld->mld_maxdelay); /* in 1/10ths of a second */ + if (maxdelay >= 32768) { + maxdelay = (MLD_MRC_MANT(maxdelay) | 0x1000) << +@@ -970,7 +969,7 @@ + * group-specific or group-and-source query. + */ + if (mli->mli_v2_timer == 0 || mli->mli_v2_timer >= timer) +- mld_v2_process_group_query(inm, mli, timer, m, off); ++ mld_v2_process_group_query(inm, mli, timer, m, mld, off); + + /* XXX Clear embedded scope ID as userland won't expect it. */ + in6_clearscope(&mld->mld_addr); +@@ -991,9 +990,8 @@ + */ + static int + mld_v2_process_group_query(struct in6_multi *inm, struct mld_ifsoftc *mli, +- int timer, struct mbuf *m0, const int off) ++ int timer, struct mbuf *m0, struct mldv2_query *mld, const int off) + { +- struct mldv2_query *mld; + int retval; + uint16_t nsrc; + +@@ -1001,7 +999,6 @@ + MLD_LOCK_ASSERT(); + + retval = 0; +- mld = (struct mldv2_query *)(mtod(m0, uint8_t *) + off); + + switch (inm->in6m_state) { + case MLD_NOT_MEMBER: +@@ -1021,6 +1018,15 @@ + + nsrc = ntohs(mld->mld_numsrc); + ++ /* Length should be checked by calling function. */ ++ KASSERT((m0->m_flags & M_PKTHDR) == 0 || ++ m0->m_pkthdr.len >= off + sizeof(struct mldv2_query) + ++ nsrc * sizeof(struct in6_addr), ++ ("mldv2 packet is too short: (%d bytes < %zd bytes, m=%p)", ++ m0->m_pkthdr.len, off + sizeof(struct mldv2_query) + ++ nsrc * sizeof(struct in6_addr), m0)); ++ ++ + /* + * Deal with group-specific queries upfront. + * If any group query is already pending, purge any recorded +@@ -1062,28 +1068,20 @@ + * report for those sources. + */ + if (inm->in6m_nsrc > 0) { +- struct mbuf *m; +- uint8_t *sp; ++ struct in6_addr srcaddr; + int i, nrecorded; + int soff; + +- m = m0; + soff = off + sizeof(struct mldv2_query); + nrecorded = 0; + for (i = 0; i < nsrc; i++) { +- sp = mtod(m, uint8_t *) + soff; +- retval = in6m_record_source(inm, +- (const struct in6_addr *)sp); ++ m_copydata(m0, soff, sizeof(struct in6_addr), ++ (caddr_t)&srcaddr); ++ retval = in6m_record_source(inm, &srcaddr); + if (retval < 0) + break; + nrecorded += retval; + soff += sizeof(struct in6_addr); +- if (soff >= m->m_len) { +- soff = soff - m->m_len; +- m = m->m_next; +- if (m == NULL) +- break; +- } + } + if (nrecorded > 0) { + CTR1(KTR_MLD, +@@ -1292,8 +1290,8 @@ + if (mld_v1_input_query(ifp, ip6, mld) != 0) + return (0); + } else if (icmp6len >= sizeof(struct mldv2_query)) { +- if (mld_v2_input_query(ifp, ip6, m, off, +- icmp6len) != 0) ++ if (mld_v2_input_query(ifp, ip6, m, ++ (struct mldv2_query *)mld, off, icmp6len) != 0) + return (0); + } + break; diff --git a/share/security/patches/SA-19:19/mldv2.12.patch.asc b/share/security/patches/SA-19:19/mldv2.12.patch.asc new file mode 100644 index 0000000000..5e9800764c --- /dev/null +++ b/share/security/patches/SA-19:19/mldv2.12.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt4pfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLmARAAoqKzX/k9KMiZOAJAcY90Lv9w5d701GkJXjoEmPPQ+qS/9o4zSfEqhRsX +/dmDAANkdn3ure+QkbpM95/IedCyrFJQymNQX+L1G5rRJ6bMiMCOZeht5mNZ8hTv ++qqDRcZyq31+VP4Qx/JNMRLcGNIB7Z+kvXAUlX6Kw0APbVRIGd7mXCZl7OyEwbk5 +A8BAifJEfZMA3CNv6vCDDCPvxvKKI9enxbeQ52o5/cSQvW5vFtIMD9HsFgxEbUGN +V8BrWyKZkRJmLQNU76u5UBo0/b2XfCowopcNhT/Q43ptmolCxodbmFDH4Zxk5HC3 +4+BRSXd0Nn5CaSoAssPrQRMU+X/8OZU401LfOOzwRBztt73hSg7En+rS/AnN2aYa +wKi2QvZkFctYW+CCjVPHLfRYPyYWbiiMV0GiEL2Fd72Ke7ooQOr5QR8M5SxaG80i +cytYHb+Obhq4qgOlM0mGmDxrPSSa8uRuYsofje5uTANQW2PjUriBnKfvEwW2tgGk +CN5Xk/2RjXiYWiYF05D2MaJ7cxUNqm/hnWDP7D/MRYrWk+EQVfrv2vf+tPQBDokQ +IO7AjCGYjmB0h22oRtMTr5KyvOroTxxwEdZxmIEHvsiwiOPgAyJJtva6Od3ega/G +q4zBU6P/Mypim74SYxHc2iwjtaqH9JK2UWy/MlsfoT4KOAoT0I0= +=yhZI +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-19:20/bsnmp.patch b/share/security/patches/SA-19:20/bsnmp.patch new file mode 100644 index 0000000000..c0876ebce5 --- /dev/null +++ b/share/security/patches/SA-19:20/bsnmp.patch @@ -0,0 +1,14 @@ +--- contrib/bsnmp/lib/asn1.c ++++ contrib/bsnmp/lib/asn1.c +@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, as + *len = *b->asn_cptr++; + b->asn_len--; + } ++ if (*len > b->asn_len) { ++ asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len); ++ return (ASN_ERR_EOBUF); ++ } ++ + return (ASN_ERR_OK); + } + diff --git a/share/security/patches/SA-19:20/bsnmp.patch.asc b/share/security/patches/SA-19:20/bsnmp.patch.asc new file mode 100644 index 0000000000..20bfa68317 --- /dev/null +++ b/share/security/patches/SA-19:20/bsnmp.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt3pfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKf6A/+LoGq57ql7ySBBZxXNuOvFEjtBVI4X+bGGlbnWl+tqmfNwym9NkG/zpIW +qM3Hc80nsGDSmtCeO4sfx3rhNadY0tE4qZWn4L3JcDmspwJzLwEuRxIxMjITb492 +cCnBOhRrytlxEUjLwqgWsUeBn+fpb3TgP1gDB5SWOiEYnv2pySDZOsXk9bdsbkvl +JoFkPCo0lzH+rzYe/fuP8X1/38oyxk18VTIyGwcErik8e3f+7odzf5TGTwOp2CVf +pYmwefd6t+MgnuF+k3UpZUrHJjznGkakqA0DmyK5nUQ1sApL5FRA5yvbf1yczOVt +Z9nFGkrw2TgJb6HN/EFrKtAuTMWBbS+lyz0IB3MQ0ol0IgJvCzvlugwH+I1pcimF +ibq8V8Y1NqBJ+LuCMQSPb3v0XoNwAPr05tY8s2GAsUFKWtHDXdCbWNOMmJKddyA1 +KzXIBcTvdyOQb8YuVdS22i7WvM/kcuqbG0oYsARg5lOOLTT9aOuDMJ0EUHwTOu8x +HQbh89AVpxX6KEWEQqnHVhdEwNID/RGRMwzamV11IJVsiydv6gr1xSy6b9duQtOz +FNMSHR5VUbimrQ8Y5zOXnV71R5KI7+0hMYVaIXJNd0AyuN46vihDe2ctV0pC6MkC +FGEEtaKPX4W2XxGatXs6nyTaTVMpjklblL9ZgGEwLVlwzT4txqg= +=ri0D +-----END PGP SIGNATURE----- diff --git a/share/security/patches/SA-19:21/bhyve.patch b/share/security/patches/SA-19:21/bhyve.patch new file mode 100644 index 0000000000..4577c92cdc --- /dev/null +++ b/share/security/patches/SA-19:21/bhyve.patch @@ -0,0 +1,103 @@ +--- usr.sbin/bhyve/pci_e82545.c.orig ++++ usr.sbin/bhyve/pci_e82545.c +@@ -1078,8 +1078,9 @@ + struct ck_info ckinfo[2]; + struct iovec *iov; + union e1000_tx_udesc *dsc; +- int desc, dtype, len, ntype, iovcnt, tlen, hdrlen, vlen, tcp, tso; ++ int desc, dtype, len, ntype, iovcnt, tlen, tcp, tso; + int mss, paylen, seg, tiovcnt, left, now, nleft, nnow, pv, pvoff; ++ unsigned hdrlen, vlen; + uint32_t tcpsum, tcpseq; + uint16_t ipcs, tcpcs, ipid, ohead; + +@@ -1223,6 +1224,68 @@ + } else { + /* In case of TSO header length provided by software. */ + hdrlen = sc->esc_txctx.tcp_seg_setup.fields.hdr_len; ++ ++ /* ++ * Cap the header length at 240 based on 7.2.4.5 of ++ * the Intel 82576EB (Rev 2.63) datasheet. ++ */ ++ if (hdrlen > 240) { ++ WPRINTF("TSO hdrlen too large: %d\r\n", hdrlen); ++ goto done; ++ } ++ ++ /* ++ * If VLAN insertion is requested, ensure the header ++ * at least holds the amount of data copied during ++ * VLAN insertion below. ++ * ++ * XXX: Realistic packets will include a full Ethernet ++ * header before the IP header at ckinfo[0].ck_start, ++ * but this check is sufficient to prevent ++ * out-of-bounds access below. ++ */ ++ if (vlen != 0 && hdrlen < ETHER_ADDR_LEN*2) { ++ WPRINTF("TSO hdrlen too small for vlan insertion " ++ "(%d vs %d) -- dropped\r\n", hdrlen, ++ ETHER_ADDR_LEN*2); ++ goto done; ++ } ++ ++ /* ++ * Ensure that the header length covers the used fields ++ * in the IP and TCP headers as well as the IP and TCP ++ * checksums. The following fields are accessed below: ++ * ++ * Header | Field | Offset | Length ++ * -------+-------+--------+------- ++ * IPv4 | len | 2 | 2 ++ * IPv4 | ID | 4 | 2 ++ * IPv6 | len | 4 | 2 ++ * TCP | seq # | 4 | 4 ++ * TCP | flags | 13 | 1 ++ * UDP | len | 4 | 4 ++ */ ++ if (hdrlen < ckinfo[0].ck_start + 6 || ++ hdrlen < ckinfo[0].ck_off + 2) { ++ WPRINTF("TSO hdrlen too small for IP fields (%d) " ++ "-- dropped\r\n", hdrlen); ++ goto done; ++ } ++ if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) { ++ if (hdrlen < ckinfo[1].ck_start + 14 || ++ (ckinfo[1].ck_valid && ++ hdrlen < ckinfo[1].ck_off + 2)) { ++ WPRINTF("TSO hdrlen too small for TCP fields " ++ "(%d) -- dropped\r\n", hdrlen); ++ goto done; ++ } ++ } else { ++ if (hdrlen < ckinfo[1].ck_start + 8) { ++ WPRINTF("TSO hdrlen too small for UDP fields " ++ "(%d) -- dropped\r\n", hdrlen); ++ goto done; ++ } ++ } + } + + /* Allocate, fill and prepend writable header vector. */ +@@ -1244,7 +1307,8 @@ + iovcnt++; + iov->iov_base = hdr; + iov->iov_len = hdrlen; +- } ++ } else ++ hdr = NULL; + + /* Insert VLAN tag. */ + if (vlen != 0) { +@@ -1286,7 +1350,9 @@ + DPRINTF("tx %s segmentation offload %d+%d/%d bytes %d iovs\r\n", + tcp ? "TCP" : "UDP", hdrlen, paylen, mss, iovcnt); + ipid = ntohs(*(uint16_t *)&hdr[ckinfo[0].ck_start + 4]); +- tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]); ++ tcpseq = 0; ++ if (tcp) ++ tcpseq = ntohl(*(uint32_t *)&hdr[ckinfo[1].ck_start + 4]); + ipcs = *(uint16_t *)&hdr[ckinfo[0].ck_off]; + tcpcs = 0; + if (ckinfo[1].ck_valid) /* Save partial pseudo-header checksum. */ diff --git a/share/security/patches/SA-19:21/bhyve.patch.asc b/share/security/patches/SA-19:21/bhyve.patch.asc new file mode 100644 index 0000000000..c52eadc7f4 --- /dev/null +++ b/share/security/patches/SA-19:21/bhyve.patch.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl1Jt35fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLaSA/7Bk8eZ0AGuu9qv+qXk/H2Do+n4JN2rZChHe3Lxhami2w1G4M6XQ6FBwsw +Fax8Z/Q9TlySrUjzKbQe9tr+jPJ1JMJGTv18WWUbK0OIPR7tupvpIadxrHHkUMMX +B5yXHoXqT0KUBCGb+5d72U7JgCwzHQ4x71oGCZVOirtJk3gN8p7D0z5LHYG7WvLW +8V1I9n1rkDp9np3lOa0a2ErB1Qno6F7CFuPaxh61xMacmmtxRV83vXcfrFxxIgXy +eKI0faAUkIcXsbsdVM2w3hzburMREJk1A69VDqyjaFVarWCR6uormAYS6r2NNlDl +7GGKO8G+U21wnNKtWjE4f0/zV5TB7t+f2SEEAO/Fs6BIH/OQDWqmkwPEKPUYzRbX +3YXqiNe/3Kn4B3Bsr0jhrDCYbeRmX8g/p13f7IUXDgEvr2hDGQpJYJI6ZTFzQArK +ocQnLtMdcqSBS8SC2YtdShKHzonbCZ3m9pauNTnuVYb6CopS3kBdkkBbJxYQhItb +HGPxsjYFQzT4GAj5GHxzqnFtcIqX6bYZb4UUgSp4BU7z7Bx/dWzh2fHNFHG9076o +Nh9/e+CG8z4ydLcdgkydDvRp7c2ru10RKDezGE3gf/ENGGKlh6xmCJOpwgWe2d7l +G2HK3Nb2aaY2mZ9kgBP3t94Q9vE9I2x1hClgC8QdQRiT4zdUBYI= +=9NBj +-----END PGP SIGNATURE----- |