diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-SA-22:15.ping.asc')
-rw-r--r-- | website/static/security/advisories/FreeBSD-SA-22:15.ping.asc | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc b/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc new file mode 100644 index 0000000000..5c4224ec06 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-22:15.ping.asc @@ -0,0 +1,165 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-22:15.ping Security Advisory + The FreeBSD Project + +Topic: Stack overflow in ping(8) + +Category: core +Module: ping +Announced: 2022-11-29 +Credits: NetApp, Inc. +Affects: All supported versions of FreeBSD. +Corrected: 2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE) + 2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5) + 2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE) + 2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2) + 2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10) +CVE Name: CVE-2022-23093 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +0. Revision History + +v1.0 2022-11-29 -- Initial release +v1.1 2022-12-14 -- Corrected Credits and updated Impact section. + +I. Background + +ping(8) is a program that can be used to test reachability of a remote +host using ICMP messages. To send and receive ICMP messages, ping makes +use of raw sockets and therefore requires elevated privileges. To make +ping's functionality available to unprivileged users, it is installed +with the setuid bit set. When ping runs, it creates the raw socket +needed to do its work, and then revokes its elevated privileges. + +II. Problem Description + +ping reads raw IP packets from the network to process responses in the +pr_pack() function. As part of processing a response ping has to +reconstruct the IP header, the ICMP header and if present a "quoted +packet," which represents the packet that generated an ICMP error. The +quoted packet again has an IP header and an ICMP header. + +The pr_pack() copies received IP and ICMP headers into stack buffers +for further processing. In so doing, it fails to take into account the +possible presence of IP option headers following the IP header in +either the response or the quoted packet. When IP options are present, +pr_pack() overflows the destination buffer by up to 40 bytes. + +III. Impact + +The memory safety bugs described above can be triggered by a remote +host, causing the ping program to crash. + +The ping process runs in a capability mode sandbox on all affected +versions of FreeBSD and is thus very constrained in how it can interact +with the rest of the system at the point where the bug can occur. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch +# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc +# gpg --verify ping.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 186f495d4be1 stable/13-n253187 +releng/13.1/ 66c7b53d9516 releng/13.1-n250172 +stable/12/ r372774 +releng/12.4/ r372778 +releng/12.3/ r372775 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23093> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:15.ping.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOatTwACgkQ05eS9J6n +5cJuig/8DQ3kQmQN8R7W+tFrtYmA/tIQYs+t5Eenx2Qc3XynQOuk7KQTHv0mFWLJ +zEPy5fB8iwcZnR5ZDL2H5J3vJ2tBdukFMU/nGqIWeJEzIJa0G2/KriZFxz5QnJFQ +bJ/4IVWNPyW0G4jredOVtjOo1J3FuftNJ/cpcbcYM0/f+7WfmVxAwN7ngtV0DtMT +G+s883BsVXNNHOShqulGelIa1fAgTjP9N9cZyFwgW8sGmDtqswoUOcpLnSxkPrK9 +N06gNKPePhN47LUr02JVIQe+ERO5ss8bXQrSO1GNWt4tPynWYXfmiqDBmIjAdhIK +/gEbEnR/roD5qX86hr5sFqPe90hurrXRT0gNo6mrWVKVUTHsTjvr+DBWy8WlEhzM +e8SmJzK06rD1T9bjRnobzF3dD46VccdMYVdakFeAfwNa2bplmABWcGBAdCrwgOyU +qs+cv9DdAfyHVmniKZrsZWTC9KBsi+8hSqhsF5uR+J5hAynBt9rsCXig9lQaFojW +uzOaLsIwtrvjn977S/Smkq9vAMh0k4QuQgwZqZAZZTGpYHqEtDIho7sJfTO+vuPP +t4N23FnrMyK8sCiwweYI4hNHqPVwRGD/nvRadZYOgSLTLN5rZAi+JhJWXc7J5unE +ssgWSH/7mcxHbOT7aW6Rs40zCWkMcrgrp33fEBgXWwuStGOQ6jY= +=ADME +-----END PGP SIGNATURE----- |