FreeBSD Bugzilla – Attachment 207171 Details for Bug 240322: security/vuxml: Add August FreeBSD Security Advisories
[patch] FreeBSD SA entries
2019-09-03_vuln.xml.patch (text/plain), 9.53 KB, created by Miroslav Lachman on 2019-09-03 22:47:10 UTC
>--- files/vuln.xml 2019-09-03 23:54:36.810345000 +0200 >+++ files/vuln.xml.new 2019-09-04 00:27:17.303346000 +0200 
>@@ -58,6 +58,256 @@ > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="39270593-ce8f-11e9-86f3-f8b156ac3ff9"> >+ <topic>FreeBSD -- Reference count overflow in mqueue filesystem 32-bit compat</topic> >+ <affects> >+ <package> >+ <name>FreeBSD-kernel</name> >+ <range><ge>12.0</ge><lt>12.0_10</lt></range> >+ <range><ge>11.3</ge><lt>11.3_3</lt></range> >+ <range><ge>11.2</ge><lt>11.2_14</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <h1>Problem Description:</h1> >+ <p>System calls operating on file descriptors obtain a reference to >+ relevant struct file which due to a programming error was not always >+ put back, which in turn could be used to overflow the counter of >+ affected struct file.</p> >+ <h1>Impact:</h1> >+ <p>A local user can use this flaw to obtain access to files, >+ directories, sockets, etc., opened by processes owned by other users. >+ If obtained struct file represents a directory from outside of user's >+ jail, it can be used to access files outside of the jail. 
If the >+ user in question is a jailed root they can obtain root privileges on >+ the host system.</p> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2019-5603</cvename> >+ <freebsdsa>SA-19:24.mqueuefs</freebsdsa> >+ </references> >+ <dates> >+ <discovery>2019-08-20</discovery> >+ <entry>2019-09-03</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="2a5a2fa7-ce8f-11e9-86f3-f8b156ac3ff9"> >+ <topic>FreeBSD -- kernel memory disclosure from /dev/midistat</topic> >+ <affects> >+ <package> >+ <name>FreeBSD-kernel</name> >+ <range><ge>12.0</ge><lt>12.0_10</lt></range> >+ <range><ge>11.3</ge><lt>11.3_3</lt></range> >+ <range><ge>11.2</ge><lt>11.2_14</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <h1>Problem Description:</h1> >+ <p>The kernel driver for /dev/midistat implements a handler for read(2). >+ This handler is not thread-safe, and a multi-threaded program can >+ exploit races in the handler to cause it to copy out kernel memory >+ outside the boundaries of midistat's data buffer.</p> >+ <h1>Impact:</h1> >+ <p>The races allow a program to read kernel memory within a 4GB window >+ centered at midistat's data buffer. 
The buffer is allocated each >+ time the device is opened, so an attacker is not limited to a static >+ 4GB region of memory.</p> >+ <p>On 32-bit platforms, an attempt to trigger the race may >+ cause a page fault in kernel mode, leading to a panic.</p> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2019-5612</cvename> >+ <freebsdsa>SA-19:23.midi</freebsdsa> >+ </references> >+ <dates> >+ <discovery>2019-08-20</discovery> >+ <entry>2019-09-03</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="1be14d59-ce8f-11e9-86f3-f8b156ac3ff9"> >+ <topic>FreeBSD -- IPv6 remote Denial-of-Service</topic> >+ <affects> >+ <package> >+ <name>FreeBSD-kernel</name> >+ <range><ge>12.0</ge><lt>12.0_10</lt></range> >+ <range><ge>11.3</ge><lt>11.3_3</lt></range> >+ <range><ge>11.2</ge><lt>11.2_14</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <h1>Problem Description:</h1> >+ <p>Due do a missing check in the code of m_pulldown(9) data returned may >+ not be contiguous as requested by the caller.</p> >+ <h1>Impact:</h1> >+ <p>Extra checks in the IPv6 code catch the error condition and trigger a >+ kernel panic leading to a remote DoS (denial-of-service) attack with >+ certain Ethernet interfaces. 
At this point it is unknown if any >+ other than the IPv6 code paths can trigger a similar condition.</p> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2019-5611</cvename> >+ <freebsdsa>SA-19:22.mbuf</freebsdsa> >+ </references> >+ <dates> >+ <discovery>2019-08-20</discovery> >+ <entry>2019-09-03</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="0cc30281-ce8f-11e9-86f3-f8b156ac3ff9"> >+ <topic>FreeBSD -- Insufficient validation of guest-supplied data (e1000 device)</topic> >+ <affects> >+ <package> >+ <name>FreeBSD</name> >+ <range><ge>12.0</ge><lt>12.0_9</lt></range> >+ <range><ge>11.3</ge><lt>11.3_2</lt></range> >+ <range><ge>11.2</ge><lt>11.2_13</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <h1>Problem Description:</h1> >+ <p>The e1000 network adapters permit a variety of modifications to an >+ Ethernet packet when it is being transmitted. These include the >+ insertion of IP and TCP checksums, insertion of an Ethernet VLAN >+ header, and TCP segmentation offload ("TSO"). The e1000 device model >+ uses an on-stack buffer to generate the modified packet header when >+ simulating these modifications on transmitted packets.</p> >+ <p>When TCP segmentation offload is requested for a >+ transmitted packet, the e1000 device model used a >+ guest-provided value to determine the size of the on-stack >+ buffer without validation. 
The subsequent header generation >+ could overflow an incorrectly sized buffer or indirect a >+ pointer composed of stack garbage.</p> >+ <h1>Impact:</h1> >+ <p>A misbehaving bhyve guest could overwrite memory in the bhyve process >+ on the host.</p> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2019-5609</cvename> >+ <freebsdsa>SA-19:21.bhyve</freebsdsa> >+ </references> >+ <dates> >+ <discovery>2019-08-06</discovery> >+ <entry>2019-09-03</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="1e267a9a-ce71-11e9-86f3-f8b156ac3ff9"> >+ <topic>FreeBSD -- Insufficient message length validation in bsnmp library</topic> >+ <affects> >+ <package> >+ <name>FreeBSD</name> >+ <range><ge>12.0</ge><lt>12.0_9</lt></range> >+ <range><ge>11.3</ge><lt>11.3_2</lt></range> >+ <range><ge>11.2</ge><lt>11.2_13</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <h1>Problem Description:</h1> >+ <p>A function extracting the length from type-length-value encoding is >+ not properly validating the submitted length.</p> >+ <h1>Impact:</h1> >+ <p>A remote user could cause, for example, an out-of-bounds read, >+ decoding of unrelated data, or trigger a crash of the software such >+ as bsnmpd resulting in a denial of service.</p> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2019-5610</cvename> >+ <freebsdsa>SA-19:20.bsnmp</freebsdsa> >+ </references> >+ <dates> >+ <discovery>2019-08-06</discovery> >+ <entry>2019-09-03</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="14aed964-ce71-11e9-86f3-f8b156ac3ff9"> >+ <topic>FreeBSD -- ICMPv6 / MLDv2 out-of-bounds memory access</topic> >+ <affects> >+ <package> >+ <name>FreeBSD-kernel</name> >+ <range><ge>12.0</ge><lt>12.0_9</lt></range> >+ <range><ge>11.3</ge><lt>11.3_2</lt></range> >+ <range><ge>11.2</ge><lt>11.2_13</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <h1>Problem Description:</h1> >+ <p>The ICMPv6 input 
path incorrectly handles cases where an MLDv2 >+ listener query packet is internally fragmented across multiple mbufs.</p> >+ <h1>Impact:</h1> >+ <p>A remote attacker may be able to cause an out-of-bounds read or write >+ that may cause the kernel to attempt to access an unmapped page and >+ subsequently panic.</p> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2019-5608</cvename> >+ <freebsdsa>SA-19:19.mldv2</freebsdsa> >+ </references> >+ <dates> >+ <discovery>2019-08-06</discovery> >+ <entry>2019-09-03</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="c5df0c4c-ce6e-11e9-86f3-f8b156ac3ff9"> >+ <topic>FreeBSD -- Multiple vulnerabilities in bzip2</topic> >+ <affects> >+ <package> >+ <name>FreeBSD</name> >+ <range><ge>12.0</ge><lt>12.0_9</lt></range> >+ <range><ge>11.3</ge><lt>11.3_2</lt></range> >+ <range><ge>11.2</ge><lt>11.2_13</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <h1>Problem Description:</h1> >+ <p>The decompressor used in bzip2 contains a bug which can lead to an >+ out-of-bounds write when processing a specially crafted bzip2(1) >+ file.</p> >+ <p>bzip2recover contains a heap use-after-free bug which can >+ be triggered when processing a specially crafted bzip2(1) >+ file.</p> >+ <h1>Impact:</h1> >+ <p>An attacker who can cause maliciously crafted input to be processed >+ may trigger either of these bugs. The bzip2recover bug may cause a >+ crash, permitting a denial-of-service. 
The bzip2 decompressor bug >+ could potentially be exploited to execute arbitrary code.</p> >+ <p>Note that some utilities, including the tar(1) archiver >+ and the bspatch(1) binary patching utility (used in >+ portsnap(8) and freebsd-update(8)) decompress >+ bzip2(1)-compressed data internally; system administrators >+ should assume that their systems will at some point >+ decompress bzip2(1)-compressed data even if they never >+ explicitly invoke the bunzip2(1) utility.</p> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2016-3189</cvename> >+ <cvename>CVE-2019-12900</cvename> >+ <freebsdsa>SA-19:18.bzip2</freebsdsa> >+ </references> >+ <dates> >+ <discovery>2019-08-06</discovery> >+ <entry>2019-09-03</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="05463e0a-abd3-4fa4-bd5f-cd5ed132d4c6"> > <topic>mozilla -- multiple vulnerabilities</topic> > <affects>
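Review bot: The Problem Description of the SA-19:22.mbuf entry (vid 1be14d59-ce8f-11e9-86f3-f8b156ac3ff9) has a typo, "Due do a missing check in the code of m_pulldown(9)"; it should read "Due to a missing check". Separately, the SA-19:24.mqueuefs entry (vid 39270593-ce8f-11e9-86f3-f8b156ac3ff9) names the 32-bit compat path only in its topic element, while the body text speaks generically of "System calls operating on file descriptors", so the description alone does not say which code path is affected; consider stating that in the first paragraph. The rest reads consistently: kernel issues use the FreeBSD-kernel package name and the bhyve, bsnmp and bzip2 entries use FreeBSD, and the patch-level ranges line up with the two discovery dates (_9/_2/_13 for 2019-08-06, _10/_3/_14 for 2019-08-20).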
Attachments on bug 240322: 207171 | 208587