|
Lines 58-63
Link Here
|
| 58 |
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) |
58 |
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.) |
| 59 |
--> |
59 |
--> |
| 60 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
60 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
|
|
61 |
<vuln vid="39270593-ce8f-11e9-86f3-f8b156ac3ff9"> |
| 62 |
<topic>FreeBSD -- Reference count overflow in mqueue filesystem 32-bit compat</topic> |
| 63 |
<affects> |
| 64 |
<package> |
| 65 |
<name>FreeBSD-kernel</name> |
| 66 |
<range><ge>12.0</ge><lt>12.0_10</lt></range> |
| 67 |
<range><ge>11.3</ge><lt>11.3_3</lt></range> |
| 68 |
<range><ge>11.2</ge><lt>11.2_14</lt></range> |
| 69 |
</package> |
| 70 |
</affects> |
| 71 |
<description> |
| 72 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 73 |
<h1>Problem Description:</h1> |
| 74 |
<p>System calls operating on file descriptors obtain a reference to |
| 75 |
relevant struct file which due to a programming error was not always |
| 76 |
put back, which in turn could be used to overflow the counter of |
| 77 |
affected struct file.</p> |
| 78 |
<h1>Impact:</h1> |
| 79 |
<p>A local user can use this flaw to obtain access to files, |
| 80 |
directories, sockets, etc., opened by processes owned by other users. |
| 81 |
If obtained struct file represents a directory from outside of user's |
| 82 |
jail, it can be used to access files outside of the jail. If the |
| 83 |
user in question is a jailed root they can obtain root privileges on |
| 84 |
the host system.</p> |
| 85 |
</body> |
| 86 |
</description> |
| 87 |
<references> |
| 88 |
<cvename>CVE-2019-5603</cvename> |
| 89 |
<freebsdsa>SA-19:24.mqueuefs</freebsdsa> |
| 90 |
</references> |
| 91 |
<dates> |
| 92 |
<discovery>2019-08-20</discovery> |
| 93 |
<entry>2019-09-03</entry> |
| 94 |
</dates> |
| 95 |
</vuln> |
| 96 |
|
| 97 |
<vuln vid="2a5a2fa7-ce8f-11e9-86f3-f8b156ac3ff9"> |
| 98 |
<topic>FreeBSD -- kernel memory disclosure from /dev/midistat</topic> |
| 99 |
<affects> |
| 100 |
<package> |
| 101 |
<name>FreeBSD-kernel</name> |
| 102 |
<range><ge>12.0</ge><lt>12.0_10</lt></range> |
| 103 |
<range><ge>11.3</ge><lt>11.3_3</lt></range> |
| 104 |
<range><ge>11.2</ge><lt>11.2_14</lt></range> |
| 105 |
</package> |
| 106 |
</affects> |
| 107 |
<description> |
| 108 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 109 |
<h1>Problem Description:</h1> |
| 110 |
<p>The kernel driver for /dev/midistat implements a handler for read(2). |
| 111 |
This handler is not thread-safe, and a multi-threaded program can |
| 112 |
exploit races in the handler to cause it to copy out kernel memory |
| 113 |
outside the boundaries of midistat's data buffer.</p> |
| 114 |
<h1>Impact:</h1> |
| 115 |
<p>The races allow a program to read kernel memory within a 4GB window |
| 116 |
centered at midistat's data buffer. The buffer is allocated each |
| 117 |
time the device is opened, so an attacker is not limited to a static |
| 118 |
4GB region of memory.</p> |
| 119 |
<p>On 32-bit platforms, an attempt to trigger the race may |
| 120 |
cause a page fault in kernel mode, leading to a panic.</p> |
| 121 |
</body> |
| 122 |
</description> |
| 123 |
<references> |
| 124 |
<cvename>CVE-2019-5612</cvename> |
| 125 |
<freebsdsa>SA-19:23.midi</freebsdsa> |
| 126 |
</references> |
| 127 |
<dates> |
| 128 |
<discovery>2019-08-20</discovery> |
| 129 |
<entry>2019-09-03</entry> |
| 130 |
</dates> |
| 131 |
</vuln> |
| 132 |
|
| 133 |
<vuln vid="1be14d59-ce8f-11e9-86f3-f8b156ac3ff9"> |
| 134 |
<topic>FreeBSD -- IPv6 remote Denial-of-Service</topic> |
| 135 |
<affects> |
| 136 |
<package> |
| 137 |
<name>FreeBSD-kernel</name> |
| 138 |
<range><ge>12.0</ge><lt>12.0_10</lt></range> |
| 139 |
<range><ge>11.3</ge><lt>11.3_3</lt></range> |
| 140 |
<range><ge>11.2</ge><lt>11.2_14</lt></range> |
| 141 |
</package> |
| 142 |
</affects> |
| 143 |
<description> |
| 144 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 145 |
<h1>Problem Description:</h1> |
| 146 |
<p>Due do a missing check in the code of m_pulldown(9) data returned may |
| 147 |
not be contiguous as requested by the caller.</p> |
| 148 |
<h1>Impact:</h1> |
| 149 |
<p>Extra checks in the IPv6 code catch the error condition and trigger a |
| 150 |
kernel panic leading to a remote DoS (denial-of-service) attack with |
| 151 |
certain Ethernet interfaces. At this point it is unknown if any |
| 152 |
other than the IPv6 code paths can trigger a similar condition.</p> |
| 153 |
</body> |
| 154 |
</description> |
| 155 |
<references> |
| 156 |
<cvename>CVE-2019-5611</cvename> |
| 157 |
<freebsdsa>SA-19:22.mbuf</freebsdsa> |
| 158 |
</references> |
| 159 |
<dates> |
| 160 |
<discovery>2019-08-20</discovery> |
| 161 |
<entry>2019-09-03</entry> |
| 162 |
</dates> |
| 163 |
</vuln> |
| 164 |
|
| 165 |
<vuln vid="0cc30281-ce8f-11e9-86f3-f8b156ac3ff9"> |
| 166 |
<topic>FreeBSD -- Insufficient validation of guest-supplied data (e1000 device)</topic> |
| 167 |
<affects> |
| 168 |
<package> |
| 169 |
<name>FreeBSD</name> |
| 170 |
<range><ge>12.0</ge><lt>12.0_9</lt></range> |
| 171 |
<range><ge>11.3</ge><lt>11.3_2</lt></range> |
| 172 |
<range><ge>11.2</ge><lt>11.2_13</lt></range> |
| 173 |
</package> |
| 174 |
</affects> |
| 175 |
<description> |
| 176 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 177 |
<h1>Problem Description:</h1> |
| 178 |
<p>The e1000 network adapters permit a variety of modifications to an |
| 179 |
Ethernet packet when it is being transmitted. These include the |
| 180 |
insertion of IP and TCP checksums, insertion of an Ethernet VLAN |
| 181 |
header, and TCP segmentation offload ("TSO"). The e1000 device model |
| 182 |
uses an on-stack buffer to generate the modified packet header when |
| 183 |
simulating these modifications on transmitted packets.</p> |
| 184 |
<p>When TCP segmentation offload is requested for a |
| 185 |
transmitted packet, the e1000 device model used a |
| 186 |
guest-provided value to determine the size of the on-stack |
| 187 |
buffer without validation. The subsequent header generation |
| 188 |
could overflow an incorrectly sized buffer or indirect a |
| 189 |
pointer composed of stack garbage.</p> |
| 190 |
<h1>Impact:</h1> |
| 191 |
<p>A misbehaving bhyve guest could overwrite memory in the bhyve process |
| 192 |
on the host.</p> |
| 193 |
</body> |
| 194 |
</description> |
| 195 |
<references> |
| 196 |
<cvename>CVE-2019-5609</cvename> |
| 197 |
<freebsdsa>SA-19:21.bhyve</freebsdsa> |
| 198 |
</references> |
| 199 |
<dates> |
| 200 |
<discovery>2019-08-06</discovery> |
| 201 |
<entry>2019-09-03</entry> |
| 202 |
</dates> |
| 203 |
</vuln> |
| 204 |
|
| 205 |
<vuln vid="1e267a9a-ce71-11e9-86f3-f8b156ac3ff9"> |
| 206 |
<topic>FreeBSD -- Insufficient message length validation in bsnmp library</topic> |
| 207 |
<affects> |
| 208 |
<package> |
| 209 |
<name>FreeBSD</name> |
| 210 |
<range><ge>12.0</ge><lt>12.0_9</lt></range> |
| 211 |
<range><ge>11.3</ge><lt>11.3_2</lt></range> |
| 212 |
<range><ge>11.2</ge><lt>11.2_13</lt></range> |
| 213 |
</package> |
| 214 |
</affects> |
| 215 |
<description> |
| 216 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 217 |
<h1>Problem Description:</h1> |
| 218 |
<p>A function extracting the length from type-length-value encoding is |
| 219 |
not properly validating the submitted length.</p> |
| 220 |
<h1>Impact:</h1> |
| 221 |
<p>A remote user could cause, for example, an out-of-bounds read, |
| 222 |
decoding of unrelated data, or trigger a crash of the software such |
| 223 |
as bsnmpd resulting in a denial of service.</p> |
| 224 |
</body> |
| 225 |
</description> |
| 226 |
<references> |
| 227 |
<cvename>CVE-2019-5610</cvename> |
| 228 |
<freebsdsa>SA-19:20.bsnmp</freebsdsa> |
| 229 |
</references> |
| 230 |
<dates> |
| 231 |
<discovery>2019-08-06</discovery> |
| 232 |
<entry>2019-09-03</entry> |
| 233 |
</dates> |
| 234 |
</vuln> |
| 235 |
|
| 236 |
<vuln vid="14aed964-ce71-11e9-86f3-f8b156ac3ff9"> |
| 237 |
<topic>FreeBSD -- ICMPv6 / MLDv2 out-of-bounds memory access</topic> |
| 238 |
<affects> |
| 239 |
<package> |
| 240 |
<name>FreeBSD-kernel</name> |
| 241 |
<range><ge>12.0</ge><lt>12.0_9</lt></range> |
| 242 |
<range><ge>11.3</ge><lt>11.3_2</lt></range> |
| 243 |
<range><ge>11.2</ge><lt>11.2_13</lt></range> |
| 244 |
</package> |
| 245 |
</affects> |
| 246 |
<description> |
| 247 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 248 |
<h1>Problem Description:</h1> |
| 249 |
<p>The ICMPv6 input path incorrectly handles cases where an MLDv2 |
| 250 |
listener query packet is internally fragmented across multiple mbufs.</p> |
| 251 |
<h1>Impact:</h1> |
| 252 |
<p>A remote attacker may be able to cause an out-of-bounds read or write |
| 253 |
that may cause the kernel to attempt to access an unmapped page and |
| 254 |
subsequently panic.</p> |
| 255 |
</body> |
| 256 |
</description> |
| 257 |
<references> |
| 258 |
<cvename>CVE-2019-5608</cvename> |
| 259 |
<freebsdsa>SA-19:19.mldv2</freebsdsa> |
| 260 |
</references> |
| 261 |
<dates> |
| 262 |
<discovery>2019-08-06</discovery> |
| 263 |
<entry>2019-09-03</entry> |
| 264 |
</dates> |
| 265 |
</vuln> |
| 266 |
|
| 267 |
<vuln vid="c5df0c4c-ce6e-11e9-86f3-f8b156ac3ff9"> |
| 268 |
<topic>FreeBSD -- Multiple vulnerabilities in bzip2</topic> |
| 269 |
<affects> |
| 270 |
<package> |
| 271 |
<name>FreeBSD</name> |
| 272 |
<range><ge>12.0</ge><lt>12.0_9</lt></range> |
| 273 |
<range><ge>11.3</ge><lt>11.3_2</lt></range> |
| 274 |
<range><ge>11.2</ge><lt>11.2_13</lt></range> |
| 275 |
</package> |
| 276 |
</affects> |
| 277 |
<description> |
| 278 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 279 |
<h1>Problem Description:</h1> |
| 280 |
<p>The decompressor used in bzip2 contains a bug which can lead to an |
| 281 |
out-of-bounds write when processing a specially crafted bzip2(1) |
| 282 |
file.</p> |
| 283 |
<p>bzip2recover contains a heap use-after-free bug which can |
| 284 |
be triggered when processing a specially crafted bzip2(1) |
| 285 |
file.</p> |
| 286 |
<h1>Impact:</h1> |
| 287 |
<p>An attacker who can cause maliciously crafted input to be processed |
| 288 |
may trigger either of these bugs. The bzip2recover bug may cause a |
| 289 |
crash, permitting a denial-of-service. The bzip2 decompressor bug |
| 290 |
could potentially be exploited to execute arbitrary code.</p> |
| 291 |
<p>Note that some utilities, including the tar(1) archiver |
| 292 |
and the bspatch(1) binary patching utility (used in |
| 293 |
portsnap(8) and freebsd-update(8)) decompress |
| 294 |
bzip2(1)-compressed data internally; system administrators |
| 295 |
should assume that their systems will at some point |
| 296 |
decompress bzip2(1)-compressed data even if they never |
| 297 |
explicitly invoke the bunzip2(1) utility.</p> |
| 298 |
</body> |
| 299 |
</description> |
| 300 |
<references> |
| 301 |
<cvename>CVE-2016-3189</cvename> |
| 302 |
<cvename>CVE-2019-12900</cvename> |
| 303 |
<freebsdsa>SA-19:18.bzip2</freebsdsa> |
| 304 |
</references> |
| 305 |
<dates> |
| 306 |
<discovery>2019-08-06</discovery> |
| 307 |
<entry>2019-09-03</entry> |
| 308 |
</dates> |
| 309 |
</vuln> |
| 310 |
|
| 61 |
<vuln vid="05463e0a-abd3-4fa4-bd5f-cd5ed132d4c6"> |
311 |
<vuln vid="05463e0a-abd3-4fa4-bd5f-cd5ed132d4c6"> |
| 62 |
<topic>mozilla -- multiple vulnerabilities</topic> |
312 |
<topic>mozilla -- multiple vulnerabilities</topic> |
| 63 |
<affects> |
313 |
<affects> |