author: Xin LI <delphij@FreeBSD.org> 2015-09-29 18:14:20 +0000
committer: Xin LI <delphij@FreeBSD.org> 2015-09-29 18:14:20 +0000
commit: 50ffc8f3ac331dd2a02262243896d93e503330f9 (patch)
tree: b2f18a38340c0f099ab2194c518ac79c8bbe0b7b /share
parent: b82d9c354ab9a83f361ac658717f725225dd50e6 (diff)
Add SA-15:24.rpcbind.
Notes: svn path=/head/; revision=47456
Diffstat (limited to 'share')
-rw-r--r-- share/security/advisories/FreeBSD-SA-15:24.rpcbind.asc 155
-rw-r--r-- share/security/patches/SA-15:24/rpcbind.patch 65
-rw-r--r-- share/security/patches/SA-15:24/rpcbind.patch.asc 17
-rw-r--r-- share/xml/advisories.xml 8
4 files changed, 245 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-15:24.rpcbind.asc b/share/security/advisories/FreeBSD-SA-15:24.rpcbind.asc
new file mode 100644
index 0000000000..f718d3f4d8
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-15:24.rpcbind.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-15:24.rpcbind Security Advisory
+ The FreeBSD Project
+
+Topic: rpcbind(8) remote denial of service
+
+Category: core
+Module: rpcbind
+Announced: 2015-09-29
+Affects: All supported versions of FreeBSD.
+Corrected: 2015-09-29 18:06:27 UTC (stable/10, 10.2-STABLE)
+ 2015-09-29 18:07:18 UTC (releng/10.2, 10.2-RELEASE-p4)
+ 2015-09-29 18:07:18 UTC (releng/10.1, 10.1-RELEASE-p21)
+ 2015-09-29 18:06:27 UTC (stable/9, 9.3-STABLE)
+ 2015-09-29 18:07:18 UTC (releng/9.3, 9.3-RELEASE-p27)
+CVE Name: CVE-2015-7236
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+Sun RPC is a remote procedure call framework which allows clients to invoke
+procedures in a server process over a network transparently.
+
+The rpcbind(8) utility is a server that converts RPC program numbers into
+universal addresses. It must be running on the host to be able to make RPC
+calls on a server on that machine.
+
+The Sun RPC framework uses a netbuf structure to represent the transport
+specific form of a universal transport address. The structure is expected
+to be opaque to consumers. In the current implementation, the structure
+contains a pointer to a buffer that holds the actual address.
+
+II. Problem Description
+
+In rpcbind(8), netbuf structures are copied directly, which would result in
+two netbuf structures that reference to one shared address buffer. When one
+of the two netbuf structures is freed, access to the other netbuf structure
+would result in an undefined result that may crash the rpcbind(8) daemon.
+
+III. Impact
+
+A remote attacker who can send specifically crafted packets to the rpcbind(8)
+daemon can cause it to crash, resulting in a denial of service condition.
+
+IV. Workaround
+
+No workaround is available, but systems that do not provide the rpcbind(8)
+service to untrusted systems, or do not provide any RPC services are not
+vulnerable. On FreeBSD, typical RPC based services includes NIS and NFS.
+
+Alternatively, rpcbind(8) can be configured to bind on specific IP
+address(es) by using the '-h' option. This may be used to reduce the attack
+vector when the system has multiple network interfaces and when some of them
+would face an untrusted network.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Restart the applicable daemons, or reboot the system. Because rpcbind(8)
+is an essential service to all RPC service daemons, these daemons may also
+need to be restarted.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart the applicable daemons, or reboot the system. Because rpcbind(8)
+is an essential service to all RPC service daemons, these daemons may also
+need to be restarted.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch
+# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch.asc
+# gpg --verify rpcbind.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r288384
+releng/9.3/ r288385
+stable/10/ r288384
+releng/10.1/ r288385
+releng/10.2/ r288385
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236>
+
+<URL:https://bugzilla.suse.com/show_bug.cgi?id=946204>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:24.rpcbind.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAEBCgAGBQJWCtQJAAoJEO1n7NZdz2rnqrcQAMpVQGhgOE2Qz7seLSeKyorU
+lYjMQteAxsYFF7t6BCQxMcfnKVYS9fTUwega6bvBMVQqG7bWg3IKr/esH/pExC22
+XbVemdOKot63Qvu+qdQ33DMr0mb4B9NqWQDV4cFu2sj1yHtZjwufFsvTDC8B89Za
+OfJsKrdxFbR57uOPnm1jhbb/m46O2q6HnD0GsPCXAA9SWAAk6hrjtVsRURjs654e
+iuHa6umSADKeVj0FYiFOyrBM0FgyxmSpBikJD3aaLJa1qCFTPDrGG29283krtSlp
+JgbWm0+dj9O6pl9NapuE2dKtXmp/bdjLzWKnj2qDWMpsX31uqLFSzcP6/AxxiIiI
+S9Uvb9ucQJRqidJ5jgQkicLd7IIM20HWXOltA4uMovoqF8xOVkCyLZ5Nyg4Yiueg
+vsjQ5lQipsOJQBtDO11HjLhZTm4a8c3pHASt0HadvxstNYjB0Kqtm2YySQGdk9H/
+/mvjsWE227fJkqwayBlmUviOX39Cz/9AzpkPtaQYsYKNUEOy0hr04i/yIF40RH/Z
+wIChfTR10KkRvr4dAWT7Kg2bm2Xd0Gs6bEI5YX3PE3aROVwnwmVWCd/rpdkrnVsV
+Pi5MWtPHNATPwRa2UmKbYtwB9mF3GXuBOSssW3K+DfPS+0/ZfYa5CedyeHA3aDGW
+f5ih6/YFCvSB/NURgvcU
+=WO98
+-----END PGP SIGNATURE-----
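Review bot: Section III limits the impact to a denial of service, while Section II describes access to a netbuf whose shared address buffer has already been freed and calls the outcome "an undefined result that may crash" the daemon. If outcomes other than a crash were evaluated and ruled out, say so in Section III; otherwise readers have to guess whether "may crash" is the worst case. Two wording nits in the same text: in Section II "reference to one shared address buffer" should read "refer to one shared address buffer", and in Section IV "services includes" should be "services include".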
diff --git a/share/security/patches/SA-15:24/rpcbind.patch b/share/security/patches/SA-15:24/rpcbind.patch
new file mode 100644
index 0000000000..6ed2937191
--- /dev/null
+++ b/share/security/patches/SA-15:24/rpcbind.patch
@@ -0,0 +1,65 @@
+Index: usr.sbin/rpcbind/rpcb_svc_com.c
+===================================================================
+--- usr.sbin/rpcbind/rpcb_svc_com.c (revision 288019)
++++ usr.sbin/rpcbind/rpcb_svc_com.c (working copy)
+@@ -47,6 +47,7 @@
+ #include <rpc/rpc.h>
+ #include <rpc/rpcb_prot.h>
+ #include <rpc/svc_dg.h>
++#include <assert.h>
+ #include <netconfig.h>
+ #include <errno.h>
+ #include <syslog.h>
+@@ -1047,19 +1048,31 @@ netbufcmp(struct netbuf *n1, struct netbuf *n2)
+ return ((n1->len != n2->len) || memcmp(n1->buf, n2->buf, n1->len));
+ }
+
++static bool_t
++netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
++{
++
++ assert(dst->buf == NULL);
++
++ if ((dst->buf = malloc(src->len)) == NULL)
++ return (FALSE);
++
++ dst->maxlen = dst->len = src->len;
++ memcpy(dst->buf, src->buf, src->len);
++ return (TRUE);
++}
++
+ static struct netbuf *
+ netbufdup(struct netbuf *ap)
+ {
+ struct netbuf *np;
+
+- if ((np = malloc(sizeof(struct netbuf))) == NULL)
++ if ((np = calloc(1, sizeof(struct netbuf))) == NULL)
+ return (NULL);
+- if ((np->buf = malloc(ap->len)) == NULL) {
++ if (netbuf_copybuf(np, ap) == FALSE) {
+ free(np);
+ return (NULL);
+ }
+- np->maxlen = np->len = ap->len;
+- memcpy(np->buf, ap->buf, ap->len);
+ return (np);
+ }
+
+@@ -1067,6 +1080,7 @@ static void
+ netbuffree(struct netbuf *ap)
+ {
+ free(ap->buf);
++ ap->buf = NULL;
+ free(ap);
+ }
+
+@@ -1184,7 +1198,7 @@ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
+ u_int32_t *xidp;
+
+- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++ netbuf_copybuf(svc_getrpccaller(xprt), fi->caller_addr);
+ xidp = __rpcb_get_dg_xidp(xprt);
+ *xidp = fi->caller_xid;
+ }
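Review bot: In the xprt_set_caller() change the return value of netbuf_copybuf() is discarded, so a failed malloc() goes unnoticed: the helper returns FALSE after storing NULL in dst->buf and before updating len and maxlen, which leaves the transport's caller address with a NULL buffer and its previous length. Check the result at that call and handle FALSE explicitly. The helper's assert(dst->buf == NULL) also deserves a second look at this call site, since nothing in the patch shows the buffer behind svc_getrpccaller(xprt) being cleared before the call; if it is non-NULL the assert aborts the daemon, and in a build with NDEBUG the old pointer is silently overwritten. The "ap->buf = NULL;" added to netbuffree() has no lasting effect because free(ap) follows on the next line.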
diff --git a/share/security/patches/SA-15:24/rpcbind.patch.asc b/share/security/patches/SA-15:24/rpcbind.patch.asc
new file mode 100644
index 0000000000..d2e43fc9e2
--- /dev/null
+++ b/share/security/patches/SA-15:24/rpcbind.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+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+=D7Pg
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index da45d4a844..55f453c706 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -11,6 +11,14 @@
<name>9</name>
<day>
+ <name>29</name>
+
+ <advisory>
+ <name>FreeBSD-SA-15:24.rpcbind</name>
+ </advisory>
+ </day>
+
+ <day>
<name>2</name>
<advisory>
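Review bot: The new <day> entry for 29 puts a blank line between <name>29</name> and <advisory>, while the existing entry for day 2 in the trailing context has none. Drop the blank line so the new entry matches its neighbour.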