WebKitGTK and WPE WebKit Security Advisory WSA-2020-0002

2020-02-16 Thread Carlos Alberto Lopez Perez

WebKitGTK and WPE WebKit Security Advisory WSA-2020-0002


Date reported   : February 14, 2020
Advisory ID : WSA-2020-0002
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2020-0002.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2020-0002.html
CVE identifiers : CVE-2020-3862, CVE-2020-3864, CVE-2020-3865,
  CVE-2020-3867, CVE-2020-3868.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2020-3862
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before
2.26.4.
Credit to Srikanth Gatta of Google Chrome.
Impact: A malicious website may be able to cause a denial of service.
Description: A denial of service issue was addressed with improved memory
handling.

CVE-2020-3864
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before
2.26.4.
Credit to Ryan Pickren (ryanpickren.com).
Impact: A DOM object context may not have had a unique security origin.
Description: A logic issue was addressed with improved validation.

CVE-2020-3865
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before
2.26.4.
Credit to Ryan Pickren (ryanpickren.com).
Impact: A top-level DOM object context may have incorrectly been considered
secure.
Description: A logic issue was addressed with improved validation.

CVE-2020-3867
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before
2.26.4.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to universal
cross site scripting.
Description: A logic issue was addressed with improved state management.

CVE-2020-3868
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before
2.26.4.
Credit to Marcin Towalski of Cisco Talos.
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution.
Description: Multiple memory corruption issues were addressed with improved
memory handling.


We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
February 14, 2020





FreeBSD Security Advisory FreeBSD-SA-20:02.ipsec

2020-01-29 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:02.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Missing IPsec anti-replay window check

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Jean-Francois HREN
Affects:        FreeBSD 12.0 only
Corrected:      2020-01-28 18:56:46 UTC (releng/12.0, 12.0-RELEASE-p13)
CVE Name:       CVE-2019-5613

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

IPsec is a suite of protocols providing data authentication, integrity, and
confidentiality between two networked hosts.

II.  Problem Description

A missing check means that an attacker can reinject an old packet and it will
be accepted and processed by the IPsec endpoint.

III. Impact

The impact depends on the higher-level protocols in use over IPsec.  For
example, an attacker who can capture and inject packets could cause an action
that was intentionally performed once to be repeated.
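To make the missing check concrete, here is a sliding anti-replay window of the kind RFC 4303 Appendix A describes, written in C as an added example for this page. It is not FreeBSD's IPsec code, and the 64-entry window size is an assumption. A packet that has already passed integrity checking is accepted only if it is newer than anything seen so far or lands on an unseen slot inside the window; the replayed and too-old packets in the constructed capture are exactly the ones an endpoint without this check would process again.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sliding anti-replay window in the style of RFC 4303 Appendix A. Added
 * illustration, not FreeBSD's IPsec implementation. The window size is an
 * assumption; 64 lets the whole bitmap fit in one word. */
#define REPLAY_WINDOW 64

struct replay_window {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint64_t bitmap;     /* bit i set => sequence number (last_seq - i) seen */
};

/* Decide whether an authenticated packet may be processed. Returns true and
 * records seq if it is new and inside the window; false (reject) if seq is a
 * replay or older than the window. This is the check whose absence the
 * advisory describes. */
bool replay_check_update(struct replay_window *w, uint32_t seq)
{
    if (seq == 0)
        return false;                   /* ESP never uses sequence number 0 */

    if (seq > w->last_seq) {            /* new high-water mark: slide window */
        uint32_t shift = seq - w->last_seq;
        if (shift < REPLAY_WINDOW)
            w->bitmap = (w->bitmap << shift) | 1ULL;
        else
            w->bitmap = 1ULL;           /* jumped past the whole window */
        w->last_seq = seq;
        return true;
    }

    uint32_t diff = w->last_seq - seq;  /* how far behind the newest packet */
    if (diff >= REPLAY_WINDOW)
        return false;                   /* too old: fell off the window */
    if (w->bitmap & (1ULL << diff))
        return false;                   /* already seen: replay */
    w->bitmap |= (1ULL << diff);        /* late but new: accept once */
    return true;
}

/* Feed a stream of sequence numbers through a fresh window and return how
 * many were accepted. Without the check, every one of them would be. */
size_t count_accepted(const uint32_t *seqs, size_t n)
{
    struct replay_window w = { 0, 0 };
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        accepted += replay_check_update(&w, seqs[i]);
    return accepted;
}

int main(void)
{
    /* Constructed capture: 3 and 5 are replayed, 36 arrives too late. */
    const uint32_t seqs[] = { 1, 5, 3, 3, 5, 100, 36, 37 };
    size_t n = sizeof(seqs) / sizeof(seqs[0]);
    printf("%zu of %zu packets accepted\n", count_accepted(seqs, n), n);
    return 0;
}
```

Out-of-order delivery is still tolerated (3 arriving after 5 is accepted once), which is why a window rather than a strict counter is used; the sequence number itself is covered by the ESP integrity check, so an attacker cannot simply renumber a captured packet.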

IV.  Workaround

No workaround is available.  Systems not using IPsec are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
releng/12.0/                                                      r357218
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5613>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:02.ipsec.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


FreeBSD Security Advisory FreeBSD-SA-20:01.libfetch

2020-01-29 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:01.libfetch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          libfetch buffer overflow

Category:       core
Module:         libfetch
Announced:      2020-01-28
Credits:        Duncan Overbruck
Affects:        All supported versions of FreeBSD.
Corrected:      2020-01-28 18:40:55 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:55:25 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:55:25 UTC (releng/12.0, 12.0-RELEASE-p13)
                2020-01-28 18:42:06 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:55:25 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2020-7450

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

libfetch(3) is a multi-protocol file transfer library included with FreeBSD
and used by the fetch(1) command-line tool, pkg(8) package manager, and
others.

II.  Problem Description

A programming error allows an attacker who can specify a URL with a username
and/or password components to overflow libfetch(3) buffers.

III. Impact

An attacker in control of the URL to be fetched (possibly via HTTP redirect)
may cause a heap buffer overflow, resulting in program misbehavior or
malicious code execution.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch
# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch.asc
# gpg --verify libfetch.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r357213
releng/12.1/                                                      r357217
releng/12.0/                                                      r357217
stable/11/                                                        r357214
releng/11.3/                                                      r357217
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7450>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:01.libfetch.asc>
-----BEGIN PGP SIGNATURE-----


FreeBSD Security Advisory FreeBSD-SA-20:03.thrmisc

2020-01-29 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:03.thrmisc                                    Security Advisory
                                                          The FreeBSD Project

Topic:          kernel stack data disclosure

Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-15 16:40:10 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:57:45 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:57:45 UTC (releng/12.0, 12.0-RELEASE-p13)
                2019-11-15 16:40:55 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:57:45 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2019-15875

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The kernel can create a core dump file when a process crashes that contains
process state, for debugging.

II.  Problem Description

Due to incorrect initialization of a stack data structure, up to 20 bytes of
kernel data previously stored on the stack will be exposed to a crashing
user process.

III. Impact

Sensitive kernel data may be disclosed.
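The bug class is easier to see in code. The following C snippet is an added illustration, not FreeBSD's core-dump code: a hypothetical per-thread record (`struct thr_note`, with constructed field names) is filled either without clearing it, so the bytes no field writes keep whatever the stack held before, or after a memset, which is the initialization step a fix for this class of bug supplies. The 0xAA fill stands in for stale kernel stack contents.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-thread record written into a core dump note. It is an
 * added illustration, not FreeBSD's actual structure. The layout has no
 * implicit padding on the usual ABIs, so every stale byte counted below is
 * storage the code simply never wrote. */
struct thr_note {
    uint32_t tid;
    uint8_t  flags;
    uint8_t  reserved[3];    /* "reserved for future use", never written */
    uint64_t start_addr;
    char     name[16];       /* NUL-terminated; bytes after the NUL unused */
};

#define THR_NAME "main"      /* constructed sample thread name */

/* Populate the record field by field. The fields the code cares about are
 * written, but 'reserved' and the tail of 'name' keep whatever the stack
 * held before the call, and a byte-wise copy into the core file exports
 * them to the crashing process. */
void fill_note_leaky(struct thr_note *n, uint32_t tid, uint64_t start_addr)
{
    n->tid = tid;
    n->flags = 1;
    n->start_addr = start_addr;
    strcpy(n->name, THR_NAME);
}

/* Hardened variant: clear the whole object first, then populate it. The
 * memset (or a zero-initializer) is the missing initialization step. */
void fill_note_safe(struct thr_note *n, uint32_t tid, uint64_t start_addr)
{
    memset(n, 0, sizeof(*n));
    fill_note_leaky(n, tid, start_addr);
}

/* Simulate a stack slot still holding stale data (0xAA bytes, constructed
 * for the demo), fill the record one way or the other, and count how many
 * bytes of never-written storage would reach the core file non-zero. */
size_t stale_bytes_exported(bool hardened)
{
    struct thr_note n;
    memset(&n, 0xAA, sizeof(n));         /* stale kernel stack contents */
    if (hardened)
        fill_note_safe(&n, 42, 0x401000);
    else
        fill_note_leaky(&n, 42, 0x401000);

    size_t stale = 0;
    for (size_t i = 0; i < sizeof(n.reserved); i++)
        stale += n.reserved[i] != 0;
    for (size_t i = strlen(n.name) + 1; i < sizeof(n.name); i++)
        stale += (unsigned char)n.name[i] != 0;
    return stale;
}

/* Bytes of struct thr_note the leaky filler never writes: the reserved
 * field plus the unused tail of name[]. */
size_t never_written_bytes(void)
{
    struct thr_note n;
    return sizeof(n.reserved) + sizeof(n.name) - (strlen(THR_NAME) + 1);
}

int main(void)
{
    printf("never-written bytes in record: %zu\n", never_written_bytes());
    printf("stale bytes exported, leaky:   %zu\n", stale_bytes_exported(false));
    printf("stale bytes exported, safe:    %zu\n", stale_bytes_exported(true));
    return 0;
}
```

The same pattern applies to any kernel object copied out to userland: clear the whole object before filling it, because "every field I care about is set" is not the same as "every byte that leaves the kernel is defined".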

IV.  Workaround

Core dumps may be disabled by setting the kern.coredump sysctl to 0.
See sysctl(8) and sysctl.conf(5).

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch
# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch.asc
# gpg --verify thrmisc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354734
releng/12.1/                                                      r357219
releng/12.0/                                                      r357219
stable/11/                                                        r354735
releng/11.3/                                                      r357219
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15875>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-20:03.thrmisc.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl4whdVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cLOgg/7BAIhE6SQ06BkCKNBerK3jj1sY2gBc7aohLbzdhEpCIrrd+sMsh0tphII
ftR5psPaZahzjP9Mrs/lA1fWVsco1jo4icevGiPTfbEVqBF1S8XINccwQr3AvYJR
33PGUrgzY2rU8MTj0YPJ2EG3ahghb96lKkK3USikoJA5SsXSZkFphp2OFXnUFWbG
TXWOUBWXbHMBUprf/oXcvNo/ZjDcxvJzMqT2YIGwKOsT0Xtx5nD+6C390axRuVEd
sA6z1RhA/EEx6JMNSUAoG5rnJSXDYQTB2kd9ilozXi07CboVZ38loXy8492FGrin
uG3MfnI+PHrMtG+S5yHwzOGhB/20DNoWqLKZobTGr46r8rrdc553F5Cn7ivLEz9Y
Sk+IGjZfB99jv+JxCr/+/4gn3niOyh0MolqG9r0rT13fLmeQX5XtYfyYPJHE1wuR
+JZ9TQSaJ6TX/DcIsy60OWcfWAQOeoYsvTZO6hqpjHt66m2Ah1pdAyc8c0R8yaQG
tFpRhgQvYpiPJviq7NvM5V2afSo16RWWy9A+xEYUrxp0H0inVNOgdqwhln7ZzI4u
YoBis/eZkNAPxqFJyvJ89TQFmsWFPcpHjAGMoL+aCuIotuHHa/MPdT2pfyqHG9iL
E9axI8zhyzNUC+osR2I6DT/R8rF5QHAY8xI8FffiS8jfN3BJVm4=
=3mdJ
-----END PGP SIGNATURE-----


WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001

2020-01-23 Thread Carlos Alberto Lopez Perez

WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001


Date reported   : January 23, 2020
Advisory ID : WSA-2020-0001
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2020-0001.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2020-0001.html
CVE identifiers : CVE-2019-8835, CVE-2019-8844, CVE-2019-8846.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8835
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before
2.26.3.
Credit to Anonymous working with Trend Micro's Zero Day Initiative,
Mike Zhang of Pangu Team.
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution.
Description: Multiple memory corruption issues were addressed with improved
memory handling.

CVE-2019-8844
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before
2.26.3.
Credit to William Bowling (@wcbowling).
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution.
Description: Multiple memory corruption issues were addressed with improved
memory handling.

CVE-2019-8846
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before
2.26.3.
Credit to Marcin Towalski of Cisco Talos.
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution.
Description: A use after free issue was addressed with improved memory
management.


We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
January 23, 2020





Confluence Server and Data Center Security Advisory - 2019-12-18 - CVE-2019-15006

2019-12-19 Thread Alexander Minozhenko
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/doc/confluence-security-advisory-2019-12-18-982324349.html.


CVE ID:

* CVE-2019-15006.


Product: Confluence Server and Data Center.

Affected Confluence Server and Data Center product versions:

6.11.0 <= version < 6.13.10
6.12.0 <= version < 6.13.10
6.13.0 <= version < 6.13.10
6.14.0 <= version < 6.15.10
6.15.0 <= version < 6.15.10
7.0.1 <= version < 7.0.5
7.1.0 <= version < 7.1.2
version < 7.2.0


Fixed Confluence Server and Data Center product versions:

* for 6.11.x, Confluence Server and Data Center 6.13.10 has been released with a
fix for this issue.
* for 6.12.x, Confluence Server and Data Center 6.13.10 has been released with a
fix for this issue.
* for 6.13.x, Confluence Server and Data Center 6.13.10 has been released with a
fix for this issue.
* for 6.14.x, Confluence Server and Data Center 6.15.10 has been released with a
fix for this issue.
* for 6.15.x, Confluence Server and Data Center 6.15.10 has been released with a
fix for this issue.
* for 7.0.x, Confluence Server and Data Center 7.0.5 has been released with a
fix for this issue.
* for 7.1.x, Confluence Server and Data Center 7.1.2 has been released with a
fix for this issue.
* for 7.2.x, Confluence Server and Data Center 7.2.0 has been released with a
fix for this issue.


Summary:
This advisory discloses a medium severity security vulnerability. Versions of
Confluence Server and Data Center are affected by this vulnerability.



Customers who have upgraded Confluence Server and Data Center to version 6.13.10
or 6.15.10 or 7.0.5 or 7.1.2 or 7.2.0 are not affected.

Customers who have downloaded and installed Confluence Server and Data Center >=
6.11.0 but less than 6.13.10 (the fixed version for 6.11.x) or who have
downloaded and installed Confluence Server and Data Center >= 6.12.0 but less
than 6.13.10 (the fixed version for 6.12.x) or who have downloaded and installed
Confluence Server and Data Center >= 6.13.0 but less than 6.13.10 (the fixed
version for 6.13.x) or who have downloaded and installed Confluence Server and
Data Center >= 6.14.0 but less than 6.15.10 (the fixed version for 6.14.x) or
who have downloaded and installed Confluence Server and Data Center >= 6.15.0
but less than 6.15.10 (the fixed version for 6.15.x) or who have downloaded and
installed Confluence Server and Data Center >= 7.0.1 but less than 7.0.5 (the
fixed version for 7.0.x) or who have downloaded and installed Confluence Server
and Data Center >= 7.1.0 but less than 7.1.2 (the fixed version for 7.1.x) or
who have downloaded and installed Confluence Server and Data Center less than
7.2.0 (the fixed version for 7.2.x) please upgrade your Confluence Server and
Data Center installations immediately to fix this vulnerability.



Atlassian Companion Man-in-the-Middle - CVE-2019-15006

Severity:
Atlassian rates the severity level of this vulnerability as medium, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was a man-in-the-middle (MITM) vulnerability present in the Confluence
Previews plugin in Confluence Server and Confluence Data Center. This plugin was
used to facilitate communication with the Atlassian Companion application. The
Confluence Previews plugin in Confluence Server and Confluence Data Center
communicated with the Companion application via the
atlassian-domain-for-localhost-connections-only.com domain name, the DNS A
record of which points at 127.0.0.1. Additionally, a signed certificate for the
domain was publicly distributed with the Companion application. An attacker in
the position to control DNS resolution of their victim could carry out a
man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data
Center) and the atlassian-domain-for-localhost-connections-only.com domain
intended to be used with the Companion application. This certificate has been
revoked, however, usage of the
atlassian-domain-for-localhost-connections-only.com domain name was still
present in Confluence Server and Confluence Data Center. An attacker could
perform the described attack by denying their victim access to certificate
revocation information, and carry out a man-in-the-middle (MITM) attack to
observe files being edited using the Companion application and/or modify them,
and access some limited user information.
Versions of Confluence Server and Data Center from version 6.11.0 before 6.13.10
(the fixed version for 6.13.x), from version 6.14.0 before 6.15.10 (the fixed
version for 6.15.x), from version 7.0.1 before 7.0.5 (the fixed version for
7.0.x), from version 7.1.0 before 7.1.2 (the fixed version for 7.1.x), and from
version 7.2.0-bet

FreeBSD Security Advisory FreeBSD-SA-19:25.mcepsc

2019-11-12 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:25.mcepsc                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Machine Check Exception on Page Size Change

Category:       core
Module:         kernel
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-12 18:03:26 UTC (stable/12, 12.1-STABLE)
                2019-11-12 18:13:04 UTC (releng/12.1, 12.1-RELEASE-p1)
                2019-11-12 18:13:04 UTC (releng/12.0, 12.0-RELEASE-p12)
                2019-11-12 18:04:28 UTC (stable/11, 11.3-STABLE)
                2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5)
CVE Name:       CVE-2018-12207

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Intel machine check architecture is a mechanism to detect and report
hardware errors, such as system bus errors, ECC errors, parity errors, and
others.  This allows the processor to signal the detection of a machine
check error to the operating system.

II.  Problem Description

Intel discovered a previously published erratum on some Intel platforms can
be exploited by malicious software to potentially cause a denial of service
by triggering a machine check that will crash or hang the system.

III. Impact

Malicious guest operating systems may be able to crash the host.

IV.  Workaround

No workaround is available.  Systems not running untrusted guest virtual
machines are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch.asc
# gpg --verify mcepsc.12.1.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch.asc
# gpg --verify mcepsc.12.0.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch.asc
# gpg --verify mcepsc.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354650
releng/12.1/                                                      r354653
releng/12.0/                                                      r354653
stable/11/                                                        r354651
releng/11.3/                                                      r354653
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://software.intel.com/security-software-guidance/software-guidance/machine-check-error-avoidance-page-size-change>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:25.mcepsc.asc>
-----BEGIN PGP SIGNATURE-----


FreeBSD Security Advisory FreeBSD-SA-19:26.mcu

2019-11-12 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:26.mcu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Intel CPU Microcode Update

Category:       3rd party
Module:         Intel CPU microcode
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD running on certain
                Intel CPUs.
CVE Name:       CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
                CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
                CVE-2017-5715


For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

From time to time Intel releases new CPU microcode to address functional
issues and security vulnerabilities.  Such a release is also known as a
Micro Code Update (MCU), and is a component of a broader Intel Platform
Update (IPU).  FreeBSD distributes CPU microcode via the devcpu-data port
and package.

II.  Problem Description

Starting with version 1.26, the devcpu-data port/package includes updates and
mitigations for the following technical and security advisories (depending
on CPU model).

Intel TSX Updates (TAA)                 CVE-2019-11135
Voltage Modulation Vulnerability        CVE-2019-11139
MD_CLEAR Operations                     CVE-2018-12126
                                        CVE-2018-12127
                                        CVE-2018-12130
                                        CVE-2018-11091
TA Indirect Sharing                     CVE-2017-5715
EGETKEY                                 CVE-2018-12126
                                        CVE-2018-12127
                                        CVE-2018-12130
                                        CVE-2018-11091
JCC                                     SKX102 Erratum

Updated microcode includes mitigations for CPU issues, but may also cause a
performance regression due to the JCC erratum mitigation.  Please visit
http://www.intel.com/benchmarks for further information.

Please visit http://www.intel.com/security for detailed information on
these advisories as well as a list of CPUs that are affected.

III. Impact

Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups.  Certain
issues listed in this advisory may result in the leakage of privileged
system information to unprivileged users.  Please refer to the security
advisories listed above for detailed information.

IV.  Workaround

To determine if TSX is present in your system, run the following:

1. kldload cpuctl

2. cpucontrol -i 7 /dev/cpuctl0

If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX),
TSX is present.

In the absence of updated microcode, TAA can be mitigated by enabling the
MDS mitigation:

3. sysctl hw.mds_disable=1

Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to
work.

*IMPORTANT*
If your use case can tolerate leaving the CPU issues unmitigated and cannot
tolerate a performance regression, ensure that the devcpu-data package is
not installed or is locked at 1.25 or earlier.

# pkg delete devcpu-data

or

# pkg lock devcpu-data

Later versions of the LLVM and GCC compilers will include changes that
partially relieve the performance impact.

V.   Solution

Install the latest Intel Microcode Update via the devcpu-data port/package,
version 1.26 or later.

Updated microcode adds the ability to disable TSX.  With updated microcode
the issue can still be mitigated by enabling the MDS mitigation as
described in the workaround section, or by disabling TSX instead:

1. kldload cpuctl

2. cpucontrol -i 7 /dev/cpuctl0

If bit 29 (0x2000) is set in the fourth response word (EDX), then the
0x10a MSR is present.

3. cpucontrol -m 0x10a /dev/cpuctl0

If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to
TAA and no further action is required.

If bit 7 (0x80) is cleared, then your CPU does not have updated microcode
that facilitates TSX to be disabled.  The only remedy available is to
enable the MDS mitigation, as documented above.

4. cpucontrol -m 0x122=3 /dev/cpuctl0

Repeat step 4 for each numbered CPU that is present.

A future kernel change to FreeBSD will provide automatic detection and
mitigation for TAA.
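The workaround and solution steps above amount to a small decision tree over the values cpucontrol prints. The following C program is an added example, not FreeBSD code: it takes the CPUID leaf 7 EBX/EDX words and the MSR 0x10a value as integers (reading them is still done with the cpucontrol commands above) and returns which of the advisory's actions applies. The bit positions follow the advisory; the names TAA_NO and TSX_CTRL are Intel's for those IA32_ARCH_CAPABILITIES bits, and the enum and function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bits named in the advisory's cpucontrol steps. CPUID leaf 7 values are
 * the EBX/EDX words printed by "cpucontrol -i 7", the MSR value is printed
 * by "cpucontrol -m 0x10a". Reading the hardware is left to those commands;
 * this added example only encodes the decision. */
#define CPUID7_EBX_HLE        (1u << 4)    /* TSX: hardware lock elision */
#define CPUID7_EBX_RTM        (1u << 11)   /* TSX: restricted transactional memory */
#define CPUID7_EDX_ARCH_CAP   (1u << 29)   /* MSR 0x10a (IA32_ARCH_CAPABILITIES) present */
#define ARCH_CAP_TSX_CTRL     (1ull << 7)  /* microcode allows TSX to be disabled */
#define ARCH_CAP_TAA_NO       (1ull << 8)  /* CPU not vulnerable to TAA */
#define TSX_CTRL_DISABLE      3ull         /* value the advisory writes to MSR 0x122 */

enum taa_action {
    TAA_TSX_ABSENT,            /* no TSX: TAA does not apply */
    TAA_NOT_VULNERABLE,        /* TAA_NO set: nothing to do */
    TAA_DISABLE_TSX,           /* write TSX_CTRL_DISABLE to MSR 0x122 on every CPU */
    TAA_ENABLE_MDS_MITIGATION  /* no TSX_CTRL: sysctl hw.mds_disable=1 */
};

/* The advisory's test: TSX present when both bits 4 and 11 of EBX are set. */
bool tsx_present(uint32_t cpuid7_ebx)
{
    return (cpuid7_ebx & (CPUID7_EBX_HLE | CPUID7_EBX_RTM))
           == (CPUID7_EBX_HLE | CPUID7_EBX_RTM);
}

/* Walk the advisory's steps. arch_caps is the MSR 0x10a value and is only
 * consulted when EDX bit 29 says the MSR exists. */
enum taa_action taa_decide(uint32_t cpuid7_ebx, uint32_t cpuid7_edx,
                           uint64_t arch_caps)
{
    if (!tsx_present(cpuid7_ebx))
        return TAA_TSX_ABSENT;
    if (!(cpuid7_edx & CPUID7_EDX_ARCH_CAP))
        return TAA_ENABLE_MDS_MITIGATION;   /* old microcode: cannot ask the MSR */
    if (arch_caps & ARCH_CAP_TAA_NO)
        return TAA_NOT_VULNERABLE;
    if (arch_caps & ARCH_CAP_TSX_CTRL)
        return TAA_DISABLE_TSX;
    return TAA_ENABLE_MDS_MITIGATION;
}

/* Human-readable form of the decision, as the operator would act on it. */
const char *taa_action_text(enum taa_action a)
{
    switch (a) {
    case TAA_TSX_ABSENT:            return "TSX absent; TAA not applicable";
    case TAA_NOT_VULNERABLE:        return "TAA_NO set; no action required";
    case TAA_DISABLE_TSX:           return "run: cpucontrol -m 0x122=3 /dev/cpuctlN for each CPU";
    case TAA_ENABLE_MDS_MITIGATION: return "run: sysctl hw.mds_disable=1";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed register values for a TSX-capable CPU with updated microcode. */
    uint32_t ebx = CPUID7_EBX_HLE | CPUID7_EBX_RTM;
    uint32_t edx = CPUID7_EDX_ARCH_CAP;
    uint64_t arch_caps = ARCH_CAP_TSX_CTRL;
    printf("%s\n", taa_action_text(taa_decide(ebx, edx, arch_caps)));
    return 0;
}
```

Note that the decision has to be made per CPU, matching the advisory's instruction to repeat the MSR write for each numbered cpuctl device, and that the MSR write does not survive a reboot, so it belongs in an rc script or, once available, the kernel's own TAA handling.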

LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
performance impact.  Updates to prior versions of LLVM are currently being
evaluated.

VI.  Correction details

There are currently no changes in FreeBSD to address this issue.

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139>
https://cve.

WebKitGTK and WPE WebKit Security Advisory WSA-2019-0006

2019-11-08 Thread Carlos Alberto Lopez Perez

WebKitGTK and WPE WebKit Security Advisory WSA-2019-0006


Date reported   : November 08, 2019
Advisory ID : WSA-2019-0006
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2019-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0006.html
CVE identifiers : CVE-2019-8710, CVE-2019-8743, CVE-2019-8764,
  CVE-2019-8765, CVE-2019-8766, CVE-2019-8782,
  CVE-2019-8783, CVE-2019-8808, CVE-2019-8811,
  CVE-2019-8812, CVE-2019-8813, CVE-2019-8814,
  CVE-2019-8815, CVE-2019-8816, CVE-2019-8819,
  CVE-2019-8820, CVE-2019-8821, CVE-2019-8822,
  CVE-2019-8823.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8710
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit: found by OSS-Fuzz.
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution.
Description: Multiple memory corruption issues were addressed with improved
memory handling.

CVE-2019-8743
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to zhunki from Codesafe Team of Legendsec at Qi'anxin Group.
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution.
Description: Multiple memory corruption issues were addressed with improved
memory handling.

CVE-2019-8764
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to Sergei Glazunov of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to universal
cross site scripting.
Description: A logic issue was addressed with improved state management.

CVE-2019-8765
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to Samuel Groß of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution.
Description: Multiple memory corruption issues were addressed with improved
memory handling.

CVE-2019-8766
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to OSS-Fuzz.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2019-8782
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to Cheolung Lee of LINE+ Security Team.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2019-8783
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to Cheolung Lee of LINE+ Graylab Security Team.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2019-8808
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before
2.26.0.
Credit to OSS-Fuzz.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2019-8811
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to Soyeon Park of SSLab at Georgia Tech.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2019-8812
Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
2.26.2.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.

CVE-2019-8813
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before
2.26.1.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting. Description: A logic issue was
addressed with improved state management.

CVE-2019-8814
Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before
2.26.2.
Credit to Cheolung Lee of LINE+ Security Team.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: Multiple memory corruption
issues were addressed with imp

Jira Service Desk Server and Jira Service Desk Data Center Security Advisory - 2019-11-06 - CVE-2019-15003, CVE-2019-15004

2019-11-08 Thread Alexander Minozhenko
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-11-06-979412717.html
.


CVE ID:

* CVE-2019-15003
* CVE-2019-15004



Product: Jira Service Desk Server and Data Center.

Affected Jira Service Desk Server and Data Center product versions:

version < 3.9.17
3.10.0 <= version < 3.16.11
4.0.0 <= version < 4.2.6
4.3.0 <= version < 4.3.5
4.4.0 <= version < 4.4.3
4.5.0 <= version < 4.5.1


Fixed Jira Service Desk Server and Data Center product versions:

* for 3.9.x, Jira Service Desk Server and Data Center 3.9.17 has been released
with a fix for this issue.
* for 3.16.x, Jira Service Desk Server and Data Center 3.16.11 has been released
with a fix for this issue.
* for 4.2.x, Jira Service Desk Server and Data Center 4.2.6 has been released
with a fix for this issue.
* for 4.3.x, Jira Service Desk Server and Data Center 4.3.5 has been released
with a fix for this issue.
* for 4.4.x, Jira Service Desk Server and Data Center 4.4.3 has been released
with a fix for this issue.
* for 4.5.x, Jira Service Desk Server and Data Center 4.5.1 has been released
with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. The Jira
Service Desk Server and Data Center versions listed above are affected by this
vulnerability.



Customers who have upgraded Jira Service Desk Server and Data Center to version
3.9.17 or 3.16.11 or 4.2.6 or 4.3.5 or 4.4.3 or 4.5.1 are not affected.

Customers who have downloaded and installed Jira Service Desk Server and Data
Center less than 3.9.17 (the fixed version for 3.9.x) or who have downloaded and
installed Jira Service Desk Server and Data Center >= 3.10.0 but less than
3.16.11 (the fixed version for 3.16.x) or who have downloaded and installed Jira
Service Desk Server and Data Center >= 4.0.0 but less than 4.2.6 (the fixed
version for 4.2.x) or who have downloaded and installed Jira Service Desk Server
and Data Center >= 4.3.0 but less than 4.3.5 (the fixed version for 4.3.x) or
who have downloaded and installed Jira Service Desk Server and Data Center >=
4.4.0 but less than 4.4.3 (the fixed version for 4.4.x) or who have downloaded
and installed Jira Service Desk Server and Data Center >= 4.5.0 but less than
4.5.1 (the fixed version for 4.5.x) please upgrade your Jira Service Desk Server
and Data Center installations immediately to fix this vulnerability.



URL path traversal allows information disclosure - CVE-2019-15003

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

By design, Jira Service Desk gives customer portal users permissions only to
raise requests and view issues. This allows users to interact with the customer
portal without having direct access to Jira. These restrictions can be bypassed
by a remote attacker with portal access who exploits a path traversal
vulnerability. Note that attackers can grant themselves access to Jira Service
Desk portals that have the "Anyone can email the service desk or raise a
request in the portal" setting enabled. Exploitation allows an attacker to view
all issues within all Jira projects contained in the vulnerable instance. This
could include Jira Service Desk projects, Jira Core projects, and Jira Software
projects.
All versions of Jira Service Desk Server and Data Center before 3.9.17 (the
fixed version for 3.9.x), from version 3.10.0 before 3.16.11 (the fixed version
for 3.16.x), from version 4.0.0 before 4.2.6 (the fixed version for 4.2.x), from
version 4.3.0 before 4.3.5 (the fixed version for 4.3.x), from version 4.4.0
before 4.4.3 (the fixed version for 4.4.x), and from version 4.5.0 before 4.5.1
(the fixed version for 4.5.x) are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/JSDSERVER-6589
.



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Service Desk Server and Data Center version 3.9.17
* Jira Service Desk Server and Data Center version 3.16.11
* Jira Service Desk Server and Data Center version 4.2.6
* Jira Service Desk Server and Data Center version 4.3.5
* Jira Service Desk Server and Data Center version 4.4.3
* Jira Service Desk Server and Data Center version 4.5.1

Remediation:

Upgrade Jira Service Desk Server and Data Center to version 4.5.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Service Desk Server and Data Center 3.9.x and cannot
upgrade to 4.5.1, upgrade to version 3.9.17.
If you are running Jira Service Desk Serv

Security Advisory for Jira Plug-in: In-App & Desktop Notification

2019-10-25 Thread erik . steltzner
CVE-2019-16906
CVE-2019-16907
CVE-2019-16908
CVE-2019-16909

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-041.txt
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-042.txt
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-043.txt


Bitbucket Server security advisory 2019-09-18

2019-09-25 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/Czc4Og .


CVE ID:

* CVE-2019-15000.


Product: Bitbucket Server and Bitbucket Data Center.

Affected Bitbucket Server and Bitbucket Data Center product versions:

version < 5.16.10
6.0.0 <= version < 6.0.10
6.1.0 <= version < 6.1.8
6.2.0 <= version < 6.2.6
6.3.0 <= version < 6.3.5
6.4.0 <= version < 6.4.3
6.5.0 <= version < 6.5.2


Fixed Bitbucket Server and Bitbucket Data Center product versions:

* for 5.16.x, Bitbucket Server and Bitbucket Data Center 5.16.10 has been
released with a fix for this issue.
* for 6.0.x, Bitbucket Server and Bitbucket Data Center 6.0.10 has been released
with a fix for this issue.
* for 6.1.x, Bitbucket Server and Bitbucket Data Center 6.1.8 has been released
with a fix for this issue.
* for 6.2.x, Bitbucket Server and Bitbucket Data Center 6.2.6 has been released
with a fix for this issue.
* for 6.3.x, Bitbucket Server and Bitbucket Data Center 6.3.5 has been released
with a fix for this issue.
* for 6.4.x, Bitbucket Server and Bitbucket Data Center 6.4.3 has been released
with a fix for this issue.
* for 6.5.x, Bitbucket Server and Bitbucket Data Center 6.5.2 has been released
with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Bitbucket Server and Bitbucket Data Center before 5.16.10 (the fixed version for
5.16.x), from version 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from
version 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from version 6.2.0
before 6.2.6 (the fixed version for 6.2.x), from version 6.3.0 before 6.3.5 (the
fixed version for 6.3.x), from version 6.4.0 before 6.4.3 (the fixed version for
6.4.x), and from version 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are
affected by this vulnerability.



Customers who have upgraded Bitbucket Server and Bitbucket Data Center to
version 5.16.10 or 6.0.10 or 6.1.8 or 6.2.6 or 6.3.5 or 6.4.3 or 6.5.2 or 6.6.0
are not affected.

Customers who have downloaded and installed Bitbucket Server and Bitbucket Data
Center less than 5.16.10 (the fixed version for 5.16.x) or who have downloaded
and installed Bitbucket Server and Bitbucket Data Center >= 6.0.0 but less than
6.0.10 (the fixed version for 6.0.x) or who have downloaded and installed
Bitbucket Server and Bitbucket Data Center >= 6.1.0 but less than 6.1.8 (the
fixed version for 6.1.x) or who have downloaded and installed Bitbucket Server
and Bitbucket Data Center >= 6.2.0 but less than 6.2.6 (the fixed version for
6.2.x) or who have downloaded and installed Bitbucket Server and Bitbucket Data
Center >= 6.3.0 but less than 6.3.5 (the fixed version for 6.3.x) or who have
downloaded and installed Bitbucket Server and Bitbucket Data Center >= 6.4.0 but
less than 6.4.3 (the fixed version for 6.4.x) or who have downloaded and
installed Bitbucket Server and Bitbucket Data Center >= 6.5.0 but less than
6.5.2 (the fixed version for 6.5.x) please upgrade your Bitbucket Server and
Bitbucket Data Center installations immediately to fix this vulnerability.



Argument Injection - CVE-2019-15000

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Bitbucket Server and Bitbucket Data Center had an argument injection
vulnerability, allowing an attacker to inject additional arguments into Git
commands, which could lead to remote code execution. Remote attackers can
exploit this argument injection vulnerability if they are able to access a Git
repository in Bitbucket Server or Bitbucket Data Center. If public access is
enabled for a project or repository, then attackers are able to exploit this
issue anonymously.
Versions of Bitbucket Server and Bitbucket Data Center before 5.16.10 (the fixed
version for 5.16.x), from version 6.0.0 before 6.0.10 (the fixed version for
6.0.x), from version 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from
version 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from version 6.3.0
before 6.3.5 (the fixed version for 6.3.x), from version 6.4.0 before 6.4.3 (the
fixed version for 6.4.x), and from version 6.5.0 before 6.5.2 (the fixed version
for 6.5.x) are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/BSERV-11947 .
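The bug class described above, as an added example that is not part of the
advisory and is not Bitbucket's code: a service builds a git command line from
a user-supplied ref name, and because the ref lands where git still parses
options, a value beginning with "-" becomes a flag. The ref-name validation
follows git-check-ref-format(1); the use of --end-of-options assumes git 2.24
or later (it is dropped for older versions). The "--output=" value is an
illustrative option that git's diff machinery honours, not the argument
Atlassian's advisory refers to.

```python
"""Argument injection into a git command line (the bug class behind
CVE-2019-15000). Generic illustration, not Bitbucket's code: an untrusted
ref name is placed where git still parses options, so a value beginning
with '-' is treated as a flag instead of a revision."""
import shlex

# Assumption: --end-of-options is available from git 2.24 onwards.
GIT_END_OF_OPTIONS_SINCE = (2, 24)

# Characters git-check-ref-format(1) forbids anywhere in a ref name.
_FORBIDDEN_CHARS = set(' ~^:?*[\\\x7f')


def build_log_argv_vulnerable(repo_dir: str, ref: str) -> list:
    """The untrusted ref follows '--oneline' with nothing to end option
    parsing. '--output=/tmp/x' here is not a revision: it is the diff-machinery
    option that redirects git's output to a file of the attacker's choosing."""
    return ["git", "-C", repo_dir, "log", "--oneline", ref]


def is_safe_ref(ref: str) -> bool:
    """Accept only names git itself would accept as a ref and that cannot be
    read as an option or a revision range (subset of git-check-ref-format(1))."""
    if not ref or ref[0] == "-" or ref[-1] in "/." or ref == "@":
        return False
    if "//" in ref or ".." in ref or "@{" in ref or ref.endswith(".lock"):
        return False
    for component in ref.split("/"):
        if not component or component[0] == "." or component.endswith(".lock"):
            return False
    return all(ord(c) > 0x20 and c not in _FORBIDDEN_CHARS for c in ref)


def build_log_argv_hardened(repo_dir: str, ref: str, git_version=(2, 24)) -> list:
    """Validate first; then make git stop option parsing before the ref and
    end the revision list with '--' so the ref can never be read as a path."""
    if not is_safe_ref(ref):
        raise ValueError(f"refusing ref name {ref!r}")
    argv = ["git", "-C", repo_dir, "log", "--oneline"]
    if git_version >= GIT_END_OF_OPTIONS_SINCE:
        argv.append("--end-of-options")
    argv += [ref, "--"]
    return argv


def injected_options(argv: list, untrusted: list) -> list:
    """Audit helper: untrusted values that ended up on argv and look like options."""
    return [v for v in untrusted if v.startswith("-") and v in argv]


if __name__ == "__main__":
    evil = "--output=/tmp/evil"
    for builder in (build_log_argv_vulnerable, build_log_argv_hardened):
        try:
            argv = builder("/srv/git/repo", evil)
            print(builder.__name__, "->", " ".join(shlex.quote(a) for a in argv),
                  "| injected:", injected_options(argv, [evil]))
        except ValueError as err:
            print(builder.__name__, "->", err)
```

Validation alone is not enough when the value can still be parsed as an
option, and "--end-of-options" alone is not enough when the ref can also be
read as a range or a path; the hardened builder does both, and nothing here
shells out, so it can be run without a repository.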



Fix:

To address this issue, we've released the following versions containing a fix:

* Bitbucket Server and Bitbucket Data Center version 5.16.10
* Bitbucket Server and Bitbucket Data Center version 6.0.10
* Bitbucket Server and Bitbucket Data Center version 6.1.8
* Bitbucket Server and Bitbucket Data Center version 6.2.6
* Bitbucket Server 

Jira Security Advisory - 2019-09-18 - CVE-2019-15001

2019-09-25 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/KkU4Og .


CVE ID:

* CVE-2019-15001.


Product: Jira Server and Data Center.

Affected Jira Server and Data Center product versions:

7.0.10 <= version < 7.6.16
7.7.0 <= version < 7.13.8
8.0.0 <= version < 8.1.3
8.2.0 <= version < 8.2.5
8.3.0 <= version < 8.3.4
8.4.0 <= version < 8.4.1


Fixed Jira Server and Data Center product versions:

* for 7.6.x, Jira Server and Data Center 7.6.16 has been released with a fix for
this issue.
* for 7.13.x, Jira Server and Data Center 7.13.8 has been released with a fix
for this issue.
* for 8.1.x, Jira Server and Data Center 8.1.3 has been released with a fix for
this issue.
* for 8.2.x, Jira Server and Data Center 8.2.5 has been released with a fix for
this issue.
* for 8.3.x, Jira Server and Data Center 8.3.4 has been released with a fix for
this issue.
* for 8.4.x, Jira Server and Data Center 8.4.1 has been released with a fix for
this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Server and Data Center starting with version 7.0.10 before 7.6.16 (the
fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the fixed version
for 7.13.x),from version 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from
version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from version 8.3.0
before 8.3.4 (the fixed version for 8.3.x), from version 8.4.0 before 8.4.1 (the
fixed version for 8.4.x) are affected by this vulnerability.



Customers who have upgraded Jira Server and Data Center to version 7.6.16 or
7.13.8 or 8.1.3 or 8.2.5 or 8.3.4 or 8.4.1 are not affected.

Customers who have downloaded and installed Jira Server and Data Center >=
7.0.10 but less than 7.6.16 (the fixed version for 7.6.x) or who have downloaded
and installed Jira Server and Data Center >= 7.7.0 but less than 7.13.8 (the
fixed version for 7.13.x) or who have downloaded and installed Jira Server and
Data Center >= 8.0.0 but less than 8.1.3 (the fixed version for 8.1.x) or who
have downloaded and installed Jira Server and Data Center >= 8.2.0 but less than
8.2.5 (the fixed version for 8.2.x) or who have downloaded and installed Jira
Server and Data Center >= 8.3.0 but less than 8.3.4 (the fixed version for
8.3.x) or who have downloaded and installed Jira Server and Data Center >= 8.4.0
but less than 8.4.1 (the fixed version for 8.4.x) please upgrade your Jira
Server and Data Center installations immediately to fix this vulnerability.



Template injection in Jira Importers Plugin - CVE-2019-15001

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was a server-side template injection vulnerability in Jira Server and Data
Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA
Administrators" access can exploit this issue. Successful exploitation of
this issue allows an attacker to remotely execute code on systems that run a
vulnerable version of Jira Server or Data Center.
Versions of Jira Server and Data Center starting with version 7.0.10 before
7.6.16 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the
fixed version for 7.13.x),from version 8.0.0 before 8.1.3 (the fixed version for
8.1.x), from version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from
version 8.3.0 before 8.3.4 (the fixed version for 8.3.x), from version 8.4.0
before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/JRASERVER-69933
.
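Server-side template injection in general, as an added example that is not
part of the advisory and is neither Jira's Velocity-based template engine nor
the Jira Importers Plugin code. It uses a toy "{{ expr }}" syntax to show why
a template string under user control is code execution, and one way to confine
template expressions to plain data lookups: parse the expression, allow only
name, attribute and index nodes with no private names, and interpret that
subset without ever calling eval(). The render context is constructed for the
example.

```python
"""Server-side template injection (the bug class behind CVE-2019-15001),
shown with a toy '{{ expr }}' syntax. Generic illustration: not Jira's
Velocity-based engine and not the Jira Importers Plugin. A template is code;
whoever supplies the template string runs expressions on the server, so user
input must only ever be data passed in through the context."""
import ast
import re
from types import SimpleNamespace

EXPR_RE = re.compile(r"\{\{\s*(.*?)\s*\}\}")

# Constructed render context standing in for data a real application supplies.
CTX = {"user": SimpleNamespace(name="alice"), "ticket": {"id": 42}}


def render_unsafe(template: str, ctx: dict) -> str:
    """Evaluates each {{ expr }} with eval(). Empty globals do not help:
    Python injects __builtins__, so __import__ and everything else is reachable."""
    return EXPR_RE.sub(lambda m: str(eval(m.group(1), {}, dict(ctx))), template)


# Python 3.8 wraps subscript indices in ast.Index; later versions do not.
_ALLOWED_NODES = (ast.Expression, ast.Name, ast.Attribute, ast.Subscript,
                  ast.Constant, ast.Load) + ((ast.Index,) if hasattr(ast, "Index") else ())


def _check_expression(tree: ast.AST) -> None:
    """Allow only name/attribute/index lookups: no calls, operators,
    comprehensions or lambdas, and no dunder or private names."""
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise ValueError(f"private name: {node.id}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError(f"private attribute: {node.attr}")


def _evaluate(node: ast.AST, ctx: dict):
    """Interpreter for the allowed subset; never calls eval()."""
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, ctx)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return ctx[node.id]
    if isinstance(node, ast.Attribute):
        base = _evaluate(node.value, ctx)
        return base[node.attr] if isinstance(base, dict) else getattr(base, node.attr)
    if isinstance(node, ast.Subscript):
        index = node.slice
        if hasattr(ast, "Index") and isinstance(index, ast.Index):
            index = index.value
        return _evaluate(node.value, ctx)[_evaluate(index, ctx)]
    raise ValueError(f"unsupported node: {type(node).__name__}")


def render_restricted(template: str, ctx: dict) -> str:
    """Same syntax, but expressions are checked and interpreted, not eval'd."""
    def substitute(match):
        tree = ast.parse(match.group(1), mode="eval")
        _check_expression(tree)
        value = _evaluate(tree, ctx)
        if callable(value):
            raise ValueError("callables cannot be rendered")
        return str(value)
    return EXPR_RE.sub(substitute, template)


def probe(template: str, ctx: dict) -> str:
    """Render with the restricted engine; report a rejection instead of raising."""
    try:
        return render_restricted(template, ctx)
    except (ValueError, KeyError, SyntaxError) as err:
        return f"REJECTED: {err}"


if __name__ == "__main__":
    payload = "Hi {{ user.name }}: {{ __import__('math').factorial(5) }}"
    print("unsafe     :", render_unsafe(payload, CTX))
    print("restricted :", probe(payload, CTX))
```

The restricted engine is an allowlist over syntax, which is the only approach
that holds up: denylisting strings such as "__import__" in the template is
bypassed by attribute chains and string building, and a sandbox around eval()
is not a security boundary in Python.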



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Server and Data Center version 7.6.16
* Jira Server and Data Center version 7.13.8
* Jira Server and Data Center version 8.1.3
* Jira Server and Data Center version 8.2.5
* Jira Server and Data Center version 8.3.4
* Jira Server and Data Center version 8.4.1

Remediation:

Upgrade Jira Server and Data Center to version 8.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Server and Data Center 7.6.x and cannot upgrade to
8.4.1, upgrade to version 7.6.16.
If you are running Jira Server and Data Center 7.13.x and cannot upgrade to
8.4.1, upgrade to version 7.13.8.
If you are running Jira Server and Data Center 8.1.x and cannot upgrade to
8.4.1, upgrade to version 8.1.3.
If you are running Jira Server and Data Center 8.2.x and cannot upgrade to
8.4.1, upgrade to version 8.2.5.
If you are running Jira Server and Data Center

Advisory for Confluence Server Local File Disclosure Vulnerability (CVE-2019-3394)

2019-09-02 Thread Ming Chang
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

This email refers to the advisory found at
https://confluence.atlassian.com/x/uAsvOg .


CVE ID:

* CVE-2019-3394.


Product: Confluence Server.

Affected Confluence Server product versions:

6.1.0 <= version < 6.6.16
6.7.0 <= version < 6.13.7
6.14.0 <= version < 6.15.8


Fixed Confluence Server product versions:

* Confluence Server 6.6.16 has been released with a fix for this issue.
* Confluence Server 6.13.7 has been released with a fix for this issue.
* Confluence Server 6.15.8 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability which was
introduced in version 6.1.0 of Confluence Server. Versions of Confluence Server
and Confluence Data Center starting with 6.1.0 before 6.6.16 (the fixed version
for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from
6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this
vulnerability.



Customers who have upgraded Confluence Server to version 6.6.16 or 6.13.7 or
6.15.8 are not affected.

Customers who have downloaded and installed Confluence Server >= 6.1.0 but less
than 6.6.16 or who have downloaded and installed Confluence Server >= 6.7.0 but
less than 6.13.7 or who have downloaded and installed Confluence Server >=
6.14.0 but less than 6.15.8 please upgrade your Confluence Server installations
immediately to fix this vulnerability.



Local File Disclosure Vulnerability - CVE-2019-3394

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Confluence Server and Data Center had a local file disclosure vulnerability in
the page export function. A remote attacker who has Add Page space permission
would be able to read arbitrary files in
the <install-directory>/confluence/WEB-INF directory, which may contain
configuration files used for integrating with other services, potentially
leaking credentials, such as LDAP credentials, or other sensitive
information. The potential to leak LDAP credentials exists if LDAP
credentials are specified in an atlassian-user.xml file, which is a deprecated
method for configuring LDAP integration.
This vulnerability was introduced in version 6.1.0 of Confluence Server.
Versions of Confluence Server and Confluence Data Center starting with 6.1.0
before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed
version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for
6.15.x) are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-58734
.
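The two Atlassian file-path issues on this page, the URL path traversal in
Jira Service Desk (CVE-2019-15003, above) and the page-export file disclosure
in Confluence (CVE-2019-3394, just described), share one root cause: a check
ran on a path before the path was canonicalized. The following is an added
example, not Atlassian code and not a reproduction of either bug. It shows the
canonicalize-then-authorize check for URL paths, the same confinement for a
user-supplied export resource under a web application root (with the
servlet-private WEB-INF and META-INF trees refused as defence in depth), and a
detection pass over constructed access-log lines. The "/portal" prefix, the
"/opt/app/webapp" root, the decode-round limit and the log lines are all
assumptions made up for the example.

```python
"""Canonicalize-then-authorize. URL path traversal (CVE-2019-15003 class) and
local file disclosure through an export function (CVE-2019-3394 class) are
both 'the check ran on a path before the path was canonicalized'. Generic
illustration with constructed paths and log lines; none of this is Atlassian
code."""
import posixpath
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3        # assumption: undoes double and triple percent-encoding
ALLOWED_PREFIX = "/portal"   # assumed customer-facing URL prefix for the example


def canonical_url_path(raw_path: str):
    """Drop query/fragment, undo bounded percent-decoding, collapse '.' and
    '..' segments. Returns None if '..' climbs above the root (treat as deny)."""
    path = re.split(r"[?#]", raw_path, maxsplit=1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    parts = []
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(segment)
    return "/" + "/".join(parts)


def request_allowed(raw_path: str, allowed_prefix: str = ALLOWED_PREFIX) -> bool:
    """Authorization decision made on the canonical path, never on the raw one."""
    canon = canonical_url_path(raw_path)
    prefix = allowed_prefix.rstrip("/")
    return canon is not None and (canon == prefix or canon.startswith(prefix + "/"))


def resolve_within_root(root: str, user_ref: str) -> str:
    """Map a user-supplied resource name onto the filesystem only if it stays
    under root and outside the servlet-private WEB-INF/META-INF trees."""
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, user_ref.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        raise PermissionError(f"{user_ref!r} escapes {root}")
    relative = target[len(root):].lstrip("/")
    if re.match(r"(?i)(WEB-INF|META-INF)(/|$)", relative):
        raise PermissionError(f"{user_ref!r} reaches a servlet-private directory")
    return target


TRAVERSAL_RE = re.compile(r"(?i)\.\./|\.\.\\|%2e%2e|%252e|\.%2e|%2e\.")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Nov/2019:10:00:01 +0000] "GET /portal/requests/42 HTTP/1.1" 200 1532',
    '10.0.0.9 - - [06/Nov/2019:10:00:07 +0000] "GET /portal/requests/../../admin/issues HTTP/1.1" 200 8810',
    '10.0.0.9 - - [06/Nov/2019:10:00:09 +0000] "GET /portal/%252e%252e/admin/issues?id=7 HTTP/1.1" 200 8810',
    '10.0.0.5 - - [06/Nov/2019:10:00:12 +0000] "POST /portal/requests HTTP/1.1" 302 0',
]


def flag_traversal(log_lines):
    """Return (line_no, raw_path) for requests that carry a traversal token,
    climb above the root, or canonicalize outside the allowed prefix."""
    flagged = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        if TRAVERSAL_RE.search(raw) or not request_allowed(raw):
            flagged.append((number, raw))
    return flagged


if __name__ == "__main__":
    for number, raw in flag_traversal(SAMPLE_LOG):
        print(f"line {number}: {raw} -> canonical {canonical_url_path(raw)}")
```

When hunting for this in logs, the 200 status on the flagged lines is the
signal that matters: a traversal attempt that the application rejected returns
an error, one that succeeded looks like an ordinary successful request except
for the path.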



Fix:

To address this issue, we've released the following versions containing a fix:

* Confluence Server version 6.6.16
* Confluence Server version 6.13.7
* Confluence Server version 6.15.8

Remediation:

Upgrade Confluence Server to version 6.15.8 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.




For a full description of the latest version of Confluence Server, see
the release notes found at
https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can
download the latest version of Confluence Server from the download centre found
at https://www.atlassian.com/software/confluence/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.




WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004

2019-08-29 Thread Adrian Perez de Castro

WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004


Date reported   : August 29, 2019
Advisory ID : WSA-2019-0004
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2019-0004.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0004.html
CVE identifiers : CVE-2019-8644, CVE-2019-8649, CVE-2019-8658,
  CVE-2019-8666, CVE-2019-8669, CVE-2019-8671,
  CVE-2019-8672, CVE-2019-8673, CVE-2019-8676,
  CVE-2019-8677, CVE-2019-8678, CVE-2019-8679,
  CVE-2019-8680, CVE-2019-8681, CVE-2019-8683,
  CVE-2019-8684, CVE-2019-8686, CVE-2019-8687,
  CVE-2019-8688, CVE-2019-8689, CVE-2019-8690.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8644
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to G. Geshev working with Trend Micro's Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8649
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to Sergei Glazunov of Google Project Zero.
Processing maliciously crafted web content may lead to universal
cross site scripting. A logic issue existed in the handling of
synchronous page loads. This issue was addressed with improved state
management.

CVE-2019-8658
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to akayn working with Trend Micro's Zero Day Initiative.
Processing maliciously crafted web content may lead to universal
cross site scripting. A logic issue was addressed with improved
state management.

CVE-2019-8666
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security
Response Center of Qihoo 360 Technology Co. Ltd.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8669
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to akayn working with Trend Micro's Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8671
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Apple.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8672
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Samuel Groß of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8673
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Soyeon Park and Wen Xu of SSLab at Georgia Tech.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8676
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Soyeon Park and Wen Xu of SSLab at Georgia Tech.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8677
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Jihui Lu of Tencent KeenLab.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8678
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before
2.24.3.
Credit to an anonymous researcher, Anthony Lai (@darkfloyd1014) of
Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a)
of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation
Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group,
Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho
(@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation.
Processing maliciously crafted web content may lead to arbitrary
code execution. Multiple memory corruption issues were addressed
with improved memory handling.

CVE-2019-8679
Ve

FreeBSD Security Advisory FreeBSD-SA-19:23.midi [REVISED]

2019-08-22 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:23.midi   Security Advisory
  The FreeBSD Project

Topic:  kernel memory disclosure from /dev/midistat

Category:   core
Module: sound
Announced:  2019-08-20
Credits:Peter Holm, Mark Johnston
Affects:All supported versions of FreeBSD.
Corrected:  2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:   CVE-2019-5612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

0.   Revision history

v1.0   2019-08-20  Initial release.
v1.1   2019-08-21  Updated workaround.

I.   Background

/dev/midistat is a device file which can be read to obtain a
human-readable list of the available MIDI-capable devices in the system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2).
This handler is not thread-safe, and a multi-threaded program can
exploit races in the handler to cause it to copy out kernel memory
outside the boundaries of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window
centered at midistat's data buffer.  The buffer is allocated each
time the device is opened, so an attacker is not limited to a static
4GB region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page
fault in kernel mode, leading to a panic.

IV.  Workaround

Restrict permissions on /dev/midistat by adding an entry to
/etc/devfs.conf and restarting the service:

# echo "perm midistat 0600" >> /etc/devfs.conf
# service devfs restart

Custom kernels without "device sound" are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351264
releng/12.0/                                                      r351260
stable/11/                                                        r351265
releng/11.3/                                                      r351260
releng/11.2/                                                      r351260
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References



<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc>

FreeBSD Security Advisory FreeBSD-SA-19:24.mqueuefs

2019-08-21 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:24.mqueuefs   Security Advisory
  The FreeBSD Project

Topic:  Reference count overflow in mqueue filesystem 32-bit compat

Category:   core
Module: kernel
Announced:  2019-08-20
Credits:Karsten König, Secfault Security
Affects:All supported versions of FreeBSD.
Corrected:  2019-08-20 17:45:22 UTC (stable/12, 12.0-STABLE)
2019-08-20 17:51:32 UTC (releng/12.0, 12.0-RELEASE-p10)
2019-08-20 17:46:22 UTC (stable/11, 11.3-STABLE)
2019-08-20 17:51:32 UTC (releng/11.3, 11.3-RELEASE-p3)
2019-08-20 17:51:32 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:   CVE-2019-5603

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

Note: This issue is related to the previously disclosed SA-19:15.mqueuefs.
It is another instance of the same bug and as such shares the same CVE.

I.   Background

mqueuefs(5) implements POSIX message queue file system which can be used
by processes as a communication mechanism.

'struct file' represents open files, directories, sockets and other
entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to the
relevant struct file which, due to a programming error, was not always put
back; this in turn could be used to overflow the reference counter of the
affected struct file.

III. Impact

A local user can use this flaw to obtain access to files, directories,
sockets, etc., opened by processes owned by other users.  If the obtained
struct file represents a directory from outside of the user's jail, it can
be used to access files outside of the jail.  If the user in question is
a jailed root, they can obtain root privileges on the host system.

IV.  Workaround

No workaround is available.  Note that the mqueuefs file system is not
enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351255
releng/12.0/                                                      r351261
stable/11/                                                        r351257
releng/11.3/                                                      r351261
releng/11.2/                                                      r351261
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:24.mqueuefs.asc

FreeBSD Security Advisory FreeBSD-SA-19:23.midi

2019-08-21 Thread FreeBSD Security Advisories
=============================================================================
FreeBSD-SA-19:23.midi                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure from /dev/midistat

Category:       core
Module:         sound
Announced:      2019-08-20
Credits:        Peter Holm, Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

/dev/midistat is a device file which can be read to obtain a
human-readable list of the available MIDI-capable devices in the system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2).
This handler is not thread-safe, and a multi-threaded program can
exploit races in the handler to cause it to copy out kernel memory
outside the boundaries of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window
centered at midistat's data buffer.  The buffer is allocated each
time the device is opened, so an attacker is not limited to a static
4GB region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page
fault in kernel mode, leading to a panic.

IV.  Workaround

No workaround is available.  Custom kernels without "device sound"
are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351264
releng/12.0/                                                      r351260
stable/11/                                                        r351265
releng/11.3/                                                      r351260
releng/11.2/                                                      r351260
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc

FreeBSD Security Advisory FreeBSD-SA-19:22.mbuf

2019-08-21 Thread FreeBSD Security Advisories
=============================================================================
FreeBSD-SA-19:22.mbuf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 remote Denial-of-Service

Category:       kernel
Module:         net
Announced:      2019-08-20
Credits:        Clement Lecigne
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5611

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

mbufs are a unit of memory management mostly used in the kernel for network
packets and socket buffers.  m_pulldown(9) is a function to arrange the data
in a chain of mbufs.

II.  Problem Description

Due to a missing check in the code of m_pulldown(9), the data returned may
not be contiguous as requested by the caller.

III. Impact

Extra checks in the IPv6 code catch the error condition and trigger a kernel
panic leading to a remote DoS (denial-of-service) attack with certain
Ethernet interfaces.  At this point it is unknown if any other than the IPv6
code paths can trigger a similar condition.

IV.  Workaround

For the currently known attack vector, systems with IPv6 not enabled are not
vulnerable.

On systems with IPv6 active, IPv6 fragmentation may be disabled, or
a firewall can be used to filter out packets with certain or excessive
amounts of extension headers in a first fragment.  These rules may be
dependent on the operational needs of each site.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc
# gpg --verify mbuf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350828
releng/12.0/                                                      r351259
stable/11/                                                        r350829
releng/11.3/                                                      r351259
releng/11.2/                                                      r351259
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5611

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:22.mbuf.asc

FreeBSD Security Advisory FreeBSD-SA-19:21.bhyve

2019-08-06 Thread FreeBSD Security Advisories
=============================================================================
FreeBSD-SA-19:21.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient validation of guest-supplied data (e1000 device)

Category:       core
Module:         bhyve
Announced:      2019-08-06
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5609

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

bhyve(8) is a hypervisor that supports running a variety of guest operating
systems in virtual machines.  bhyve(8) includes an emulated Intel 82545
network interface adapter ("e1000").

II.  Problem Description

The e1000 network adapters permit a variety of modifications to an Ethernet
packet when it is being transmitted.  These include the insertion of IP and
TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
offload ("TSO").  The e1000 device model uses an on-stack buffer to generate
the modified packet header when simulating these modifications on transmitted
packets.

When TCP segmentation offload is requested for a transmitted packet, the
e1000 device model used a guest-provided value to determine the size of the
on-stack buffer without validation.  The subsequent header generation could
overflow an incorrectly sized buffer or indirect a pointer composed of stack
garbage.
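
As an added example (not bhyve's code), the following shows the shape of the fix this description calls for: the on-stack header buffer is sized by a compile-time constant, and every guest-written field of the TSO context is range-checked before it influences header construction. The struct and field names are hypothetical, and the sample frame is constructed for the example.

```c
/*
 * Added example, not bhyve's code: validate a guest-written TSO context
 * before it is allowed to influence header construction. The struct and
 * field names are hypothetical; the constants follow the IPv4/TCP header
 * size limits.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN   14
#define VLAN_TAG_LEN    4
#define MIN_IP_HDR_LEN  20
#define MAX_IP_HDR_LEN  60      /* IHL is a 4-bit count of 32-bit words */
#define MIN_TCP_HDR_LEN 20
#define MAX_TCP_HDR_LEN 60      /* data offset is likewise 4 bits */
/*
 * Largest header the model will ever build. It is a compile-time constant,
 * so the on-stack buffer is sized here and never by a guest-supplied value.
 */
#define MAX_TX_HDR_LEN  (ETHER_HDR_LEN + VLAN_TAG_LEN + MAX_IP_HDR_LEN + \
                         MAX_TCP_HDR_LEN)

/* Hypothetical view of the fields a guest writes in a TSO context descriptor. */
struct tso_ctx {
    uint8_t  ipcss;     /* offset of the IP header in the frame */
    uint8_t  tucss;     /* offset of the TCP header in the frame */
    uint8_t  hdrlen;    /* total header length the guest claims */
    uint16_t mss;       /* maximum segment size for the split */
};

/*
 * Every field comes from the guest and is untrusted. Return true only when
 * the described header fits in MAX_TX_HDR_LEN with the IP and TCP headers
 * lying entirely within it.
 */
bool
tso_ctx_valid(const struct tso_ctx *c)
{
    if (c->hdrlen == 0 || c->hdrlen > MAX_TX_HDR_LEN)
        return (false);     /* zero-sized or oversized buffer */
    if (c->ipcss < ETHER_HDR_LEN ||
        (size_t)c->ipcss + MIN_IP_HDR_LEN > c->hdrlen)
        return (false);     /* IP header outside the claimed header */
    if (c->tucss < (size_t)c->ipcss + MIN_IP_HDR_LEN ||
        (size_t)c->tucss + MIN_TCP_HDR_LEN > c->hdrlen)
        return (false);     /* TCP header overlaps IP or runs past the end */
    if (c->mss == 0)
        return (false);     /* a zero MSS could never make progress */
    return (true);
}

/*
 * Copy the header template for one segment into a fixed-size buffer.
 * Returns the bytes written, or 0 when the context was rejected or the
 * guest's frame is shorter than the header it claims.
 */
size_t
tso_build_header(const struct tso_ctx *c, const uint8_t *frame,
    size_t framelen, uint8_t out[MAX_TX_HDR_LEN])
{
    if (!tso_ctx_valid(c) || framelen < c->hdrlen)
        return (0);
    memcpy(out, frame, c->hdrlen);
    /* Per-segment fixups (IP total length, TCP sequence number,
     * checksums) would be applied to 'out' here. */
    return (c->hdrlen);
}

/* Constructed sample frame: room for 14-byte Ethernet + 20-byte IPv4 +
 * 20-byte TCP headers plus payload; contents are zero for the example. */
static const uint8_t sample_frame[96] = { 0 };

int
main(void)
{
    uint8_t hdr[MAX_TX_HDR_LEN];    /* sized by the constant, not the guest */
    struct tso_ctx good = { .ipcss = 14, .tucss = 34, .hdrlen = 54, .mss = 1460 };
    struct tso_ctx huge = { .ipcss = 14, .tucss = 34, .hdrlen = 200, .mss = 1460 };

    printf("good: %zu bytes\n",
        tso_build_header(&good, sample_frame, sizeof(sample_frame), hdr));
    printf("huge: %zu bytes\n",
        tso_build_header(&huge, sample_frame, sizeof(sample_frame), hdr));
    return (0);
}
```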

III. Impact

A misbehaving bhyve guest could overwrite memory in the bhyve process on the
host.

IV.  Workaround

Only the e1000 device model is affected; the virtio-net device is not
affected by this issue.  If supported by the guest operating system,
presenting only the virtio-net device to the guest is a suitable workaround.
No workaround is available if the e1000 device model is required.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart any affected virtual machines.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart the applicable virtual machines, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350619
releng/12.0/                                                      r350647
stable/11/                                                        r350619
releng/11.3/                                                      r350647
releng/11.2/                                                      r350647
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc

FreeBSD Security Advisory FreeBSD-SA-19:20.bsnmp

2019-08-06 Thread FreeBSD Security Advisories
=============================================================================
FreeBSD-SA-19:20.bsnmp                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient message length validation in bsnmp library

Category:       contrib
Module:         bsnmp
Announced:      2019-08-06
Credits:        Guido Vranken
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5610

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

The bsnmp software library is used for the Internet SNMP (Simple Network
Management Protocol).  As part of this it includes functions to handle ASN.1
(Abstract Syntax Notation One).

II.  Problem Description

A function extracting the length from type-length-value encoding is not
properly validating the submitted length.

III. Impact

A remote user could cause, for example, an out-of-bounds read, decoding of
unrelated data, or trigger a crash of the software such as bsnmpd resulting
in a denial of service.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc
# gpg --verify bsnmp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350637
releng/12.0/                                                      r350646
stable/11/                                                        r350638
releng/11.3/                                                      r350646
releng/11.2/                                                      r350646
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc

FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2

2019-08-06 Thread FreeBSD Security Advisories
=============================================================================
FreeBSD-SA-19:19.mldv2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          ICMPv6 / MLDv2 out-of-bounds memory access

Category:       core
Module:         net
Announced:      2019-08-06
Credits:        CJD of Apple
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5608

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

MLDv2 is the Multicast Listener Discovery protocol, version 2.  It is used
by IPv6 routers to discover multicast listeners.

II.  Problem Description

The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
query packet is internally fragmented across multiple mbufs.

III. Impact

A remote attacker may be able to cause an out-of-bounds read or write that
may cause the kernel to attempt to access an unmapped page and subsequently
panic.

IV.  Workaround

No workaround is available.  Systems not using IPv6 are not affected.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Reboot for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2, FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc
# gpg --verify mldv2.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc
# gpg --verify mldv2.12.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350648
releng/12.0/                                                      r350644
stable/11/                                                        r350650
releng/11.3/                                                      r350644
releng/11.2/                                                      r350644
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5608

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:19.mldv2.asc

FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2

2019-08-06 Thread FreeBSD Security Advisories
=============================================================================
FreeBSD-SA-19:18.bzip2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in bzip2

Category:       contrib
Module:         bzip2
Announced:      2019-08-06
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2016-3189, CVE-2019-12900

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and
decompress files using an algorithm based on the Burrows-Wheeler transform.
They are generally slower than Lempel-Ziv compressors such as gzip, but
usually provide a greater compression ratio.

The bzip2recover utility extracts blocks from a damaged bzip2(1) file,
permitting partial recovery of the contents of the file.

II.  Problem Description

The decompressor used in bzip2 contains a bug which can lead to an
out-of-bounds write when processing a specially crafted bzip2(1) file.

bzip2recover contains a heap use-after-free bug which can be triggered
when processing a specially crafted bzip2(1) file.

III. Impact

An attacker who can cause maliciously crafted input to be processed
may trigger either of these bugs.  The bzip2recover bug may cause a
crash, permitting a denial-of-service.  The bzip2 decompressor bug
could potentially be exploited to execute arbitrary code.

Note that some utilities, including the tar(1) archiver and the bspatch(1)
binary patching utility (used in portsnap(8) and freebsd-update(8))
decompress bzip2(1)-compressed data internally; system administrators should
assume that their systems will at some point decompress bzip2(1)-compressed
data even if they never explicitly invoke the bunzip2(1) utility.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart daemons if necessary.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc
# gpg --verify bzip2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349717
releng/12.0/                                                      r350643
stable/11/                                                        r349718
releng/11.3/                                                      r350643
releng/11.2/                                                      r350643
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc

FreeBSD Security Advisory FreeBSD-SA-19:16.bhyve

2019-07-24 Thread FreeBSD Security Advisories
=============================================================================
FreeBSD-SA-19:16.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Bhyve out-of-bounds read in XHCI device

Category:       core
Module:         bhyve
Announced:      2019-07-24
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 17:48:37 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:56:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 17:48:37 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:56:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:56:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5604

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

bhyve(8) is a hypervisor that supports running a variety of virtual
machines (guests).  bhyve includes an emulated XHCI device.

II.  Problem Description

The pci_xhci_device_doorbell() function does not validate the 'epid' and
'streamid' provided by the guest, leading to an out-of-bounds read.

III. Impact

A misbehaving bhyve guest could crash the system or access memory that
it should not be able to.

IV.  Workaround

No workaround is available; however, systems not using bhyve(8) for
virtualization are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is required.  Rather, the bhyve(8) process for vulnerable virtual
machines should be restarted.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart any bhyve virtual machines or reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart any bhyve virtual machines, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350246
releng/12.0/                                                      r350285
stable/11/                                                        r350247
releng/11.2/                                                      r350285
releng/11.3/                                                      r350285
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5604

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:16.bhyve.asc

FreeBSD Security Advisory FreeBSD-SA-19:17.fd

2019-07-24 Thread FreeBSD Security Advisories
=============================================================================
FreeBSD-SA-19:17.fd                                         Security Advisory
                                                          The FreeBSD Project

Topic:          File description reference count leak

Category:       core
Module:         unix
Announced:      2019-07-24
Credits:        Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5607

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

UNIX-domain sockets are used for inter-process communication.  It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.  Rights are encapsulated in control
messages, and multiple such messages may be transmitted with a single
system call.

II.  Problem Description

If a process attempts to transmit rights over a UNIX-domain socket and
an error causes the attempt to fail, references acquired on the rights
are not released and are leaked.  This bug can be used to cause the
reference counter to wrap around and free the corresponding file
structure.

III. Impact

A local user can exploit the bug to gain root privileges or escape from
a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc
# gpg --verify fd.11.2.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc
# gpg --verify fd.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc
# gpg --verify fd.12.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350222
releng/12.0/                                                      r350286
stable/11/                                                        r350223
releng/11.2/                                                      r350286
releng/11.3/                                                      r350286
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc>
-BEGIN PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-19:15.mqueuefs

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:15.mqueuefs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Reference count overflow in mqueue filesystem

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5603

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

mqueuefs(5) implements the POSIX message queue file system, which can be
used by processes as a communication mechanism.

'struct file' represents open files, directories, sockets and other
entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to the
relevant struct file which, due to a programming error, was not always put
back.  This in turn could be used to overflow the reference counter of the
affected struct file.
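
Both SA-19:17.fd above and this advisory come down to the same reference
counting defect: a reference taken on a struct file and not put back on an
error path, repeated until the counter wraps.  The following C program is an
added illustration written for this page, not FreeBSD kernel code; toy_file,
rights_msg, the 16-bit counter and the failure index are all constructed for
the example.  It shows the leaky transmit path beside a fixed one that unwinds
on error and refuses an acquire that would wrap the counter.

```c
/* Added illustration, not FreeBSD kernel code: a reference taken per right
 * and leaked on an error path, the counter wrap that repeated leaks produce,
 * and the two defensive patterns that close it: release everything acquired
 * before the failure, and refuse a reference that would wrap the counter.
 * The 16-bit counter is a constructed choice so the wrap is reachable here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_RIGHTS 8

struct toy_file {               /* stand-in for a kernel 'struct file' */
    uint16_t refcount;
    bool freed;                 /* set once the last reference is dropped */
};

struct rights_msg {             /* control message: one reference per right */
    struct toy_file *held[MAX_RIGHTS];
    size_t nheld;
};

static void file_ref_acquire_unchecked(struct toy_file *fp)
{
    fp->refcount++;             /* wraps silently from 65535 to 0 */
}

/* Hardened acquire: fail the caller instead of wrapping the counter. */
static bool file_ref_acquire_checked(struct toy_file *fp)
{
    if (fp->refcount == UINT16_MAX)
        return false;
    fp->refcount++;
    return true;
}

static void file_ref_release(struct toy_file *fp)
{
    if (fp->refcount == 0)
        return;                 /* underflow; a real kernel would panic here */
    if (--fp->refcount == 0)
        fp->freed = true;       /* the object goes back to the allocator */
}

/* Buggy pattern: take a reference per right, then bail out on an error
 * part-way through without dropping what was already taken. 'fail_at' is the
 * index at which the simulated error occurs (>= n means no error). */
static int send_rights_leaky(struct toy_file **files, size_t n, size_t fail_at,
                             struct rights_msg *msg)
{
    msg->nheld = 0;
    for (size_t i = 0; i < n && i < MAX_RIGHTS; i++) {
        if (i == fail_at)
            return -1;          /* references 0..i-1 leak with the message */
        file_ref_acquire_unchecked(files[i]);
        msg->held[msg->nheld++] = files[i];
    }
    return 0;
}

/* Fixed pattern: the error path hands back every reference acquired so far,
 * and the acquire itself fails rather than wrapping. */
static int send_rights_fixed(struct toy_file **files, size_t n, size_t fail_at,
                             struct rights_msg *msg)
{
    msg->nheld = 0;
    for (size_t i = 0; i < n && i < MAX_RIGHTS; i++) {
        if (i == fail_at || !file_ref_acquire_checked(files[i])) {
            while (msg->nheld > 0)
                file_ref_release(msg->held[--msg->nheld]);
            return -1;
        }
        msg->held[msg->nheld++] = files[i];
    }
    return 0;
}

/* Repeat the failing leaky transmit until the counter has gone all the way
 * round to its starting value; returns the number of leaked references. One
 * legitimate release afterwards frees the object under every other holder. */
static size_t leak_until_wrap(struct toy_file *fp)
{
    struct toy_file *two[2] = { fp, fp };   /* two rights, error after one */
    struct rights_msg msg;
    uint16_t start = fp->refcount;
    size_t leaks = 0;
    do {
        (void)send_rights_leaky(two, 2, 1, &msg);
        leaks++;
    } while (fp->refcount != start);
    return leaks;
}

int main(void)
{
    struct toy_file f = { .refcount = 1, .freed = false };
    size_t leaks = leak_until_wrap(&f);
    file_ref_release(&f);       /* the original holder closes its descriptor */
    printf("%zu leaks wrapped the counter; freed while shared: %d\n",
           leaks, (int)f.freed);
    return 0;
}
```

The fixed path treats a refused acquire exactly like any other transmit error,
so the unwind loop is the only place references are dropped; that is the
property to look for when reviewing an error path that touches counted objects.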

III. Impact

A local user can use this flaw to obtain access to files, directories,
sockets etc. opened by processes owned by other users.  If the obtained
struct file represents a directory from outside of the user's jail, it can
be used to access files outside of the jail.  If the user in question is
a jailed root, they can obtain root privileges on the host system.

IV.  Workaround

No workaround is available.  Note that the mqueuefs file system is not
enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350261
releng/12.0/                                                      r350284
stable/11/                                                        r350263
releng/11.2/                                                      r350284
releng/11.3/                                                      r350284
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:15.mqueuefs.asc>
-BEGIN PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-19:14.freebsd32

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:14.freebsd32                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in freebsd32_ioctl

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Ilja van Sprundel, IOActive
Affects:        FreeBSD 11.2 and FreeBSD 11.3
Corrected:      2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5605

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The FreeBSD kernel supports executing 32-bit applications on a 64-bit
kernel, including the ioctl(2) interface.

II.  Problem Description

Due to insufficient initialization of memory copied to userland in the
components listed above, small amounts of kernel memory may be disclosed
to userland processes.

III. Impact

A user who can invoke 32-bit FreeBSD ioctls may be able to read the
contents of small portions of kernel memory.

Such memory might contain sensitive information, such as portions of the
file cache or terminal buffers.  This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way; for example, a terminal buffer might include a user-entered
password.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc
# gpg --verify freebsd32.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r350217
releng/11.2/                                                      r350283
releng/11.3/                                                      r350283
- -------------------------------------------------------------------------

Note: This issue was addressed in a different way prior to the branch point
for stable/12. As such, no patch is needed for FreeBSD 12.x.

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc>
-BEGIN PGP SIGNATURE-

FreeBSD Security Advisory FreeBSD-SA-19:12.telnet

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:12.telnet                                     Security Advisory
                                                          The FreeBSD Project

Topic:          telnet(1) client multiple vulnerabilities

Category:       contrib
Module:         contrib/telnet
Announced:      2019-07-24
Credits:        Juniper Networks
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-19 15:37:29 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:51:52 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-19 15:27:53 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:51:52 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:51:52 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-0053

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The telnet(1) command is a TELNET protocol client, used primarily to
establish terminal sessions across a network.

II.  Problem Description

Insufficient validation of environment variables in the telnet client
supplied in FreeBSD can lead to stack-based buffer overflows.  A stack-
based overflow is present in the handling of environment variables when
connecting via the telnet client to remote telnet servers.

This issue only affects the telnet client.  Inbound telnet sessions to
telnetd(8) are not affected by this issue.

III. Impact

These buffer overflows may be triggered when connecting to a malicious
server, or by an active attacker in the network path between the client
and server.  Specially crafted TELNET command sequences may cause the
execution of arbitrary code with the privileges of the user invoking
telnet(1).

IV.  Workaround

Do not use telnet(1) to connect to untrusted machines or over an
untrusted network.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch
# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch.asc
# gpg --verify telnet.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r350139
releng/12.0/                                                      r350281
stable/11/                                                        r350140
releng/11.2/                                                      r350281
releng/11.3/                                                      r350281
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc>
-BEGIN PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-19:13.pts

2019-07-24 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:13.pts                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pts(4) write-after-free

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        syzkaller
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5606

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The posix_openpt(2) system call allocates a pseudo-terminal device and
returns a descriptor referencing that device.  Such a descriptor may be
configured such that a SIGIO signal will be sent to a designated process
or process group when the device is ready to perform I/O.

II.  Problem Description

The code which handles a close(2) of a descriptor created by
posix_openpt(2) fails to undo the configuration which causes SIGIO to be
raised.  This bug can lead to a write-after-free of kernel memory.

III. Impact

The bug permits malicious code to trigger a write-after-free, which may
be used to gain root privileges or escape a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch
# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch.asc
# gpg --verify pts.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r349805
releng/12.0/                                                      r350282
stable/11/                                                        r349806
releng/11.2/                                                      r350282
releng/11.3/                                                      r350282
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:13.pts.asc>
-BEGIN PGP SIGNATURE-


Deutsche Telekom CERT Advisory [DTC-A-20170323-001]

2019-07-16 Thread cert
Deutsche Telekom CERT Advisory [DTC-A-20170323-001]

Summary:
Information leakage found in FRITZ!OS 6.83 & 6.80 (AVM DSL Router Fritz!Box 7490)

Recommendation:
Update to the newest version of FRITZ!OS

Details:
a) application
b) problem
c) CVSS
d) detailed description
e) credits


a) FRITZ!OS 6.83 & 6.80 (AVM DSL Router Fritz!Box 7490)

b) Memory leakage within the PPPoE/PPP padding

c) 4.7 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/RL:U

d)
Multiple DSL access routers (aka home gateways / CPE) handle PPPoE frame
padding incorrectly.  Instead of padding frames with zeroes, frames are padded
with random memory, allowing an attacker with physical access to the wire
between the PPPoE endpoints to view slices of previously transmitted packets or
portions of kernel memory.  This seems to be similar to
http://www.securiteam.com/securitynews/5BP01208UO.html.

The AVM DSL Router Fritz!Box 7490 (tested with FRITZ!OS 6.83 & 6.80) sends
portions of memory within PPPoE Discovery protocol PADT frames because
arbitrary memory is used as padding to reach the minimum Ethernet frame length.

Further research shows that "short" PPP LCP frames are also padded with random
memory.

e) Christian Kagerhuber


FreeBSD Security Advisory FreeBSD-SA-19:10.ufs

2019-07-03 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:10.ufs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in UFS/FFS

Category:       core
Module:         Kernel
Announced:      2019-07-02
Credits:        David G. Lawrence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-10 23:45:16 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:02:16 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-05-10 23:46:42 UTC (stable/11, 11.2-STABLE)
                2019-07-02 00:02:16 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5601

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Berkeley Fast File System (FFS) is an implementation of the UNIX File
System (UFS) filesystem used by FreeBSD.

II.  Problem Description

A bug causes up to three bytes of kernel stack memory to be written to disk
as uninitialized directory entry padding.  This data can be viewed by any
user with read access to the directory.  Additionally, a malicious user with
write access to a directory can cause up to 254 bytes of kernel stack memory
to be exposed.
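
SA-19:14.freebsd32, the Deutsche Telekom PPPoE advisory and this advisory
share one failure mode: a fixed-size record or frame is emitted with its
payload filled in and its padding left holding whatever the buffer contained
before.  The following C program is an added illustration written for this
page, not FreeBSD, AVM or fsck_ffs code; the record layout (a length byte, the
name, padding to a 4-byte boundary) and the 0xAA "stale memory" fill are
constructed.  It shows a writer that leaks its padding beside one that zeroes
it, plus an auditor and a scrubber of the kind a post-patch clean-up of
existing on-disk records has to perform.

```c
/* Added illustration, not FreeBSD, AVM or fsck_ffs code: a fixed-size record
 * whose payload is shorter than the record leaks whatever the buffer held
 * before unless the padding is zeroed. Constructed layout: one length byte,
 * the name bytes, then padding up to a 4-byte boundary. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record length for a name: 1 length byte + name, rounded up to 4 bytes. */
static size_t record_len(size_t namelen)
{
    return (1 + namelen + 3) & ~(size_t)3;
}

/* Leaky writer: sets the length byte and the name and leaves the padding
 * bytes as whatever 'out' already contained (stale stack or heap contents in
 * the real bugs). Returns the record length. */
static size_t write_record_leaky(uint8_t *out, const char *name, size_t namelen)
{
    out[0] = (uint8_t)namelen;
    memcpy(out + 1, name, namelen);
    return record_len(namelen);
}

/* Safe writer: zero the whole record first so every padding byte is defined. */
static size_t write_record_safe(uint8_t *out, const char *name, size_t namelen)
{
    size_t len = record_len(namelen);
    memset(out, 0, len);
    out[0] = (uint8_t)namelen;
    memcpy(out + 1, name, namelen);
    return len;
}

/* Auditor: number of non-zero padding bytes in a record, i.e. bytes carrying
 * data the record was never meant to contain. */
static size_t count_dirty_padding(const uint8_t *rec)
{
    size_t namelen = rec[0], len = record_len(namelen), dirty = 0;
    for (size_t i = 1 + namelen; i < len; i++)
        if (rec[i] != 0)
            dirty++;
    return dirty;
}

/* Scrubber: zero the padding of an existing record in place. Returns the
 * number of bytes changed. */
static size_t scrub_padding(uint8_t *rec)
{
    size_t namelen = rec[0], len = record_len(namelen), changed = 0;
    for (size_t i = 1 + namelen; i < len; i++)
        if (rec[i] != 0) {
            rec[i] = 0;
            changed++;
        }
    return changed;
}

int main(void)
{
    uint8_t buf[16];
    memset(buf, 0xAA, sizeof buf);          /* constructed "stale memory" */
    write_record_leaky(buf, "hello", 5);
    printf("leaky writer: %zu dirty padding bytes\n", count_dirty_padding(buf));
    printf("scrubbed %zu bytes\n", scrub_padding(buf));
    memset(buf, 0xAA, sizeof buf);
    write_record_safe(buf, "hello", 5);
    printf("safe writer: %zu dirty padding bytes\n", count_dirty_padding(buf));
    return 0;
}
```

With a 4-byte boundary the leak is at most three bytes per record, which is
the figure this advisory gives for an ordinary directory entry; the auditor is
the check to run over data already written before the writer was fixed.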

III. Impact

Some amount of the kernel stack is disclosed and written out to the
filesystem.

IV.  Workaround

No workaround is available, but systems not using UFS/FFS are not affected.

V.   Solution

Special note: This update also adds the -z flag to fsck_ffs to have it scrub
the leaked information in the name padding of existing directories.  It only
needs to be run once on each UFS/FFS filesystem after a patched kernel is
installed and running.

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch.asc
# gpg --verify ufs.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch.asc
# gpg --verify ufs.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r347474
releng/12.0/                                                      r349623
stable/11/                                                        r347475
releng/11.2/                                                      r349623
- -------------------------------------------------------------------------

Note: This patch was applied to the stable/11 branch before the branch point
for releng/11.3. As such, no patch is needed for any 11.3-BETA or -RC.

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5601>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:10.ufs.asc>
-BEGIN PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-19:11.cd_ioctl

2019-07-03 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:11.cd_ioctl                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation in cd(4) driver

Category:       core
Module:         kernel
Announced:      2019-07-02
Credits:        Alex Fortune
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5602

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The cd(4) driver implements a number of ioctls to permit low-level access to
the media in the CD-ROM device.  The Linux emulation layer provides a
corresponding set of ioctls, some of which are implemented as wrappers of
native cd(4) ioctls.

These ioctls are available to users in the operator group, which gets
read-only access to cd(4) devices by default.

II.  Problem Description

To implement one particular ioctl, the Linux emulation code used a special
interface present in the cd(4) driver which allows it to copy subchannel
information directly to a kernel address.  This interface was erroneously
made accessible to userland, allowing users with read access to a cd(4)
device to arbitrarily overwrite kernel memory when some media is present in
the device.

III. Impact

A user in the operator group can make use of this interface to gain root
privileges on a system with a cd(4) device when some media is present in the
device.

IV.  Workaround

devfs.conf(5) and devfs.rules(5) can be used to remove read permissions from
cd(4) devices.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch.asc
# gpg --verify cd_ioctl.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch.asc
# gpg --verify cd_ioctl.11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r349628
releng/12.0/                                                      r349625
stable/11/                                                        r349629
releng/11.3/                                                      r349625
releng/11.2/                                                      r349625
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5602>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:11.cd_ioctl.asc>
-BEGIN PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-19:09.iconv

2019-07-03 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:09.iconv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          iconv buffer overflow

Category:       core
Module:         libc
Announced:      2019-07-02
Credits:        Andrea Venturoli, NetFence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:01:38 UTC (stable/12, 12.0-STABLE)
                2019-07-03 00:00:39 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:03:14 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-03 00:00:39 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-03 00:00:39 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5600

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The iconv(3) API converts text data from one character encoding to another
and is available as part of the standard C library (libc).

II.  Problem Description

With certain inputs, iconv may write beyond the end of the output buffer.

III. Impact

Depending on the way in which iconv is used, an attacker may be able to
create a denial of service, provoke incorrect program behavior, or induce a
remote code execution.  iconv is a libc library function and the nature of
possible attacks will depend on the way in which iconv is used by
applications or daemons.

IV.  Workaround

No workaround is available.  Stack canaries (-fstack-protector), which are
enabled by default, provide a degree of defense against code injection but
not against denial of service.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.  Restart any
potentially affected daemons.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch
# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch.asc
# gpg --verify iconv.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349622
releng/12.0/                                                      r349621
stable/11/                                                        r349624
releng/11.3/                                                      r349621
releng/11.2/                                                      r349621
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5600>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:09.iconv.asc>

FreeBSD Security Advisory FreeBSD-SA-19:08.rack

2019-06-24 Thread FreeBSD Security Advisories

=============================================================================
FreeBSD-SA-19:08.rack                                         Security Advisory
                                                          The FreeBSD Project

Topic:  Resource exhaustion in non-default RACK TCP stack

Category:   core
Module: inet
Announced:  2019-06-19
Credits:Jonathan Looney (Netflix)
Peter Lei (Netflix)
Affects:FreeBSD 12.0 and later
Corrected:  2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE)
2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6)
CVE Name:   CVE-2019-5599

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides
a connection-oriented, reliable, sequence-preserving data stream service.

A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses the
notion of time, in addition to packet or sequence counts, to detect losses
for modern TCP implementations that support per-packet timestamps and the
selective acknowledgment (SACK) option.

FreeBSD ships an optional implementation of RACK.  Please note this is not
included by default. If RACK was not specifically compiled, installed, and
loaded, the system is not vulnerable.

II.  Problem Description

While processing acknowledgements, the RACK code uses several linked lists to
maintain state entries.  A malicious attacker can cause the lists to grow
unbounded.  This can cause an expensive list traversal on every packet being
processed, leading to resource exhaustion and a denial of service.

III. Impact

An attacker with the ability to send specially crafted TCP traffic to a
victim system can degrade network performance and/or consume excessive CPU by
exploiting the inefficiency of traversing the potentially very large RACK
linked lists with relatively small bandwidth cost.

IV.  Workaround

By default RACK is not compiled or loaded into the TCP stack.  To determine
if you are using RACK, check the net.inet.tcp.functions_available sysctl.
If it includes a line with "rack", the RACK stack is loaded.

To disable RACK, unload the kernel module with:

# kldunload tcp_rack

Note: it may be required to use the force flag (-f) with the kldunload.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Since the tcp_rack kernel module is not built by default, recompile,
reinstall, and reload the kernel module.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch
# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc
# gpg --verify rack.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile, reinstall, and reload the tcp_rack kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349197
releng/12.0/                                                      r349199
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:08.rack.asc>

X41 D-Sec GmbH Security Advisory X41-2019-004: Type confusion in Thunderbird

2019-06-13 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2019-004

Type confusion in Thunderbird
=============================
Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact
==================
A type confusion has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was
forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially
crafted calendar attachment, and does not require user interaction. It
might be used by a remote attacker to crash the process or leak
information from the client system via calendar replies.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A type confusion in icalproperty.c
icaltimezone_get_vtimezone_properties() can be triggered while parsing a
malformed calendar attachment. Missing sanity checks allow a TZID
property to be parsed as ICAL_FLOAT_VALUE while it is later used as a
string.
The bug manifests with strdup(tzid); being called with tzid containing
a bad pointer obtained by casting a float value to char*, which
typically means segfaulting by dereferencing a non-mapped memory page.
An attacker might be able to deliver an input file containing specially
crafted float values as TZID properties which could point to arbitrary
memory positions.
Certain conditions could allow an attacker to exfiltrate information via
a calendar reply, or have other undetermined impact.
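
As an added illustration (not libical's or Thunderbird's code), the shape of this defect and the check that closes it: a tagged value whose payload kind can be changed by the input, a copy routine that assumes text, and one that consults the tag first. The type names, `parse_tzid_value` and its classification rule are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kinds a parsed property value can carry (hypothetical stand-in for
 * libical's value kinds; only the two the advisory involves). */
typedef enum { VAL_TEXT, VAL_FLOAT } val_kind;

typedef struct {
    val_kind kind;
    union {
        const char *text;   /* meaningful only when kind == VAL_TEXT */
        float f;            /* meaningful only when kind == VAL_FLOAT */
    } u;
} ical_value;

/* Portable stand-in for strdup(). */
static char *copy_text(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Constructed stand-in for the parser's classification step: a TZID payload
 * that reads as a number is stored as a float, anything else as text. This
 * is the step where a crafted input changes the kind of a TZID value. */
static ical_value parse_tzid_value(const char *raw)
{
    ical_value v;
    char *end = NULL;
    float f = strtof(raw, &end);
    if (end != raw && *end == '\0') {
        v.kind = VAL_FLOAT;
        v.u.f = f;
    } else {
        v.kind = VAL_TEXT;
        v.u.text = raw;
    }
    return v;
}

/* The bug's shape: the caller assumes a TZID is always text and copies
 * whatever bits the union holds. For a VAL_FLOAT value the float bits are
 * reinterpreted as a char pointer and dereferenced: undefined behaviour,
 * typically a segfault on an unmapped page. Shown for contrast; only ever
 * called below with a VAL_TEXT value. */
char *tzid_copy_unchecked(const ical_value *v)
{
    return copy_text(v->u.text);
}

/* Hardened: check the tag before reading the union, and require non-empty
 * text. A crafted numeric TZID is rejected (NULL) rather than used. */
char *tzid_copy_checked(const ical_value *v)
{
    if (v == NULL || v->kind != VAL_TEXT || v->u.text == NULL ||
        v->u.text[0] == '\0')
        return NULL;
    return copy_text(v->u.text);
}

/* 1 if the raw TZID payload survives parse + checked copy, 0 if rejected. */
int tzid_is_usable(const char *raw)
{
    ical_value v = parse_tzid_value(raw);
    char *copy = tzid_copy_checked(&v);
    int ok = copy != NULL;
    free(copy);
    return ok;
}

int main(void)
{
    ical_value ok = parse_tzid_value("Europe/Berlin");
    char *s = tzid_copy_unchecked(&ok);   /* safe here: kind is VAL_TEXT */
    printf("%s usable=%d\n", s, tzid_is_usable("Europe/Berlin"));
    printf("1.5e10 usable=%d\n", tzid_is_usable("1.5e10"));
    free(s);
    return 0;
}
```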

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and IT security consulting and support services are
core competencies of X41.


X41 D-Sec GmbH Security Advisory X41-2019-003: Stack-based buffer overflow in Thunderbird

2019-06-13 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2019-003

Stack-based buffer overflow in Thunderbird
==========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11705
CWE: 121
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird

Summary and Impact
==================
A stack-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially
crafted calendar attachment, and does not require user interaction. It
might be used by a remote attacker to crash the client or gain remote code
execution on the client system.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.

~~~
static int icalrecur_add_bydayrules(struct icalrecur_parser *parser,
                                    const char *vals)
{
    short *array = parser->rt.by_day;
    // ...
    while (n != 0) {
        // ...
        if (wd != ICAL_NO_WEEKDAY) {
            // no check that i stays inside by_day, nor that weekno is in range
            array[i++] = (short) (sign * (wd + 8 * weekno));
            array[i] = ICAL_RECURRENCE_ARRAY_MAX;
        }
    }
~~~

Missing sanity checks in `icalrecur_add_bydayrules()` can lead to an
out-of-bounds write in `array` when `weekno` takes an invalid value.
The issue manifests as an out-of-bounds write to a stack-allocated
buffer.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution when proper stack smashing mitigations
are missing.
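
Added example, not libical's code: a BYDAY collector of the same shape as the loop above, with the checks a parser needs so that neither the entry write nor the sentinel write can leave the array. `BY_DAY_SIZE`, `struct recur` and the item parser are hypothetical stand-ins; the 1..53 ordinal range is the one RFC 5545 allows.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BY_DAY_SIZE 8              /* hypothetical capacity of rt.by_day */
#define RECUR_ARRAY_MAX 0x7f7f     /* end-of-list sentinel written after each entry */
#define NO_WEEKDAY 0

struct recur {
    short by_day[BY_DAY_SIZE];     /* lives on the caller's stack, as in the advisory */
};

/* Map a weekday token to 1..7 (SU..SA); NO_WEEKDAY when unrecognised. */
static int weekday_code(const char *s)
{
    static const char *names[] = {"SU", "MO", "TU", "WE", "TH", "FR", "SA"};
    for (int i = 0; i < 7; i++)
        if (strcmp(s, names[i]) == 0)
            return i + 1;
    return NO_WEEKDAY;
}

/* Parse one BYDAY item such as "MO", "2TU" or "-1FR" into sign, weekno and
 * weekday. Returns 0 when the item is malformed: bad weekday, explicit 0
 * ordinal, or an ordinal outside +/-1..53. */
static int parse_byday_item(const char *item, int *sign, int *weekno, int *wd)
{
    char *end;
    long n = strtol(item, &end, 10);
    if (end != item && (n == 0 || n > 53 || n < -53))
        return 0;
    *sign = n < 0 ? -1 : 1;
    *weekno = (int)(n < 0 ? -n : n);
    *wd = weekday_code(end);
    return *wd != NO_WEEKDAY;
}

/* Hardened collector. Besides validating each item it refuses to store an
 * entry when no room is left for both the entry and the trailing sentinel,
 * so the write `by_day[i] = RECUR_ARRAY_MAX` can never land past the array.
 * Returns the number of entries stored, or -1 when the input is rejected. */
int add_bydayrules_checked(struct recur *rt, const char *vals)
{
    int i = 0;
    const char *tok = vals;
    rt->by_day[0] = RECUR_ARRAY_MAX;
    while (*tok != '\0') {
        char item[16];
        const char *comma = strchr(tok, ',');
        size_t n = comma ? (size_t)(comma - tok) : strlen(tok);
        if (n == 0 || n >= sizeof item)
            return -1;                       /* empty or oversized item */
        memcpy(item, tok, n);
        item[n] = '\0';
        int sign, weekno, wd;
        if (!parse_byday_item(item, &sign, &weekno, &wd))
            return -1;
        if (i >= BY_DAY_SIZE - 1)
            return -1;                       /* would overflow: reject, don't write */
        rt->by_day[i++] = (short)(sign * (wd + 8 * weekno));
        rt->by_day[i] = RECUR_ARRAY_MAX;
        tok = comma ? comma + 1 : tok + n;
    }
    return i;
}

int main(void)
{
    struct recur rt;
    int n = add_bydayrules_checked(&rt, "MO,2TU,-1FR");   /* constructed sample */
    printf("stored %d entries, first encoded as %d\n", n, rt.by_day[0]);
    printf("oversized list rejected: %d\n",
           add_bydayrules_checked(&rt, "SU,MO,TU,WE,TH,FR,SA,SU"));
    return 0;
}
```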

Proof of Concept
================
A reproducer eml file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-003

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and IT security consulting and support services are
core competencies of X41.


X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird

2019-06-13 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================
</gr_replreplace>

<gr_replace lines="4308" cat="reformat" orig="==">
==================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially
crafted calendar attachment, and does not require user interaction. It
might be used by a remote attacker to crash the client or gain remote code
execution on the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1281041

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalparser.c parser_get_next_char()
can be triggered while parsing a calendar attachment containing a
malformed or specially crafted string.
The issue initially manifests as an out-of-bounds read, but we do not rule
out that it could later lead to an out-of-bounds write.
It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.

Proof of Concept
================
A reproducer ical file can be found in

https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.

Custom research and IT security consulting and support services are
core competencies of X41.


X41 D-Sec GmbH Security Advisory X41-2019-001: Heap-based buffer overflow in Thunderbird

2019-06-13 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2019-001

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11704
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird
email client. The issue is present in the libical implementation, which
was forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends a specially
crafted calendar attachment, and does not require user interaction. It
might be used by a remote attacker to crash the client or gain remote code
execution on the client system.

This issue was initially reported by Brandon Perry here:

https://bugzilla.mozilla.org/show_bug.cgi?id=1280832

and fixed in libical upstream, but was never fixed in Thunderbird.
X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalvalue.c
icalmemory_strdup_and_dequote() can be triggered while parsing a
calendar attachment containing a malformed or specially crafted
string.

~~~
static char *icalmemory_strdup_and_dequote(const char *str)
{
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    // ...
    for (p = str; *p != 0; p++) {
        if (*p == '\\') {
            p++;        // lands on the NUL terminator when str ends in a backslash
            // ...
        } else {
            *pout = *p;
        }
    }
~~~

Bounds checking in `icalmemory_strdup_and_dequote()` can be bypassed when
the input `p` ends with a backslash, which enables an attacker to read out
of bounds of the input buffer and write out of bounds of a heap-allocated
output buffer.
The issue manifests in several ways, including out-of-bounds read and
write and null-pointer dereference, and frequently leads to heap
corruption.

It is expected that an attacker can exploit this vulnerability to
achieve remote code execution.
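
Added example (not libical's or Thunderbird's code): a dry run that replays the quoted loop's pointer movement against a known length, so it reports when a trailing backslash would step past the terminator without actually reading past it, beside a hardened dequote that stops there. The escape handling stands in for the part elided above, and `dequote_safe` is my own variant rather than upstream's fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replays the index movement of the quoted loop without touching memory:
 * on a backslash the body skips one character (the inner p++), then the
 * for-loop advances again. Returns 1 when the skip lands on the NUL
 * terminator, so the next advance would read past the input (the
 * trailing-backslash case the advisory describes), 0 otherwise. */
int dequote_overrun_dry_run(const char *str)
{
    size_t len = strlen(str);
    for (size_t i = 0; i < len; i++) {
        if (str[i] == '\\') {
            i++;                 /* the p++ inside the if */
            if (i == len)
                return 1;        /* on the terminator; the loop's p++ goes past it */
        }
    }
    return 0;
}

/* Hardened dequote (my own variant, not upstream's fix): a backslash that
 * is the last character ends the string instead of being stepped over, so
 * the scan never passes the terminator. Each iteration consumes at least
 * one input byte and emits one output byte, so strlen(str)+1 bytes always
 * suffice for the result. Caller frees the result. */
char *dequote_safe(const char *str)
{
    size_t len = strlen(str);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    char *pout = out;
    for (const char *p = str; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                break;           /* trailing backslash: stop here */
            p++;
            switch (*p) {
            case 'n': case 'N': *pout = '\n'; break;
            default:            *pout = *p;   break;   /* escaped backslash, comma, semicolon, ... */
            }
        } else {
            *pout = *p;
        }
        pout++;
    }
    *pout = '\0';
    return out;
}

int main(void)
{
    const char *crafted = "TZID:Europe/Berlin\\";   /* constructed sample */
    printf("would overrun: %d\n", dequote_overrun_dry_run(crafted));
    char *s = dequote_safe("a\\nb\\;c\\");
    printf("dequoted: [%s]\n", s);
    free(s);
    return 0;
}
```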

Proof of Concept
================
A reproducer EML file can be found in:

https://github.com/x41sec/advisories/tree/master/X41-2019-001

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.

Timeline
========
2016-06-19 Issue reported by Brandon Perry to the vendor
2019-05-23 Issue reported by X41 D-SEC to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and IT security consulting and support services are
core competencies of X41.


Crowd Security Advisory - 2019-05-22

2019-05-27 Thread Atlassian

This email refers to the advisory found at
https://confluence.atlassian.com/x/3ADVOQ .


CVE ID:

* CVE-2019-11580.


Product: Crowd and Crowd Data Center.

Affected Crowd and Crowd Data Center product versions:

2.1.0 <= version < 3.0.5
3.1.0 <= version < 3.1.6
3.2.0 <= version < 3.2.8
3.3.0 <= version < 3.3.5
3.4.0 <= version < 3.4.4


Fixed Crowd and Crowd Data Center product versions:

* Crowd and Crowd Data Center 3.0.5 have been released with a fix for this
issue.
* for 3.1.x, Crowd and Crowd Data Center 3.1.6 have been released with a fix for
this issue.
* for 3.2.x, Crowd and Crowd Data Center 3.2.8 have been released with a fix for
this issue.
* for 3.3.x, Crowd and Crowd Data Center 3.3.5 have been released with a fix for
this issue.
* for 3.4.x, Crowd and Crowd Data Center 3.4.4 have been released with a fix for
this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed
version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for
3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from
version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), from version 3.4.0
before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.



Customers who have upgraded Crowd and Crowd Data Center to version 3.0.5 or
3.1.6 or 3.2.8 or 3.3.5 or 3.4.4 are not affected.

Customers who have downloaded and installed Crowd and/or Crowd Data Center
>= 2.1.0 but less than 3.0.5 or who have downloaded and installed Crowd and
Crowd Data Center >= 3.1.0 but less than 3.1.6 (the fixed version for 3.1.x)
or who have downloaded and installed Crowd and Crowd Data Center >= 3.2.0
but less than 3.2.8 (the fixed version for 3.2.x) or who have downloaded and
installed Crowd and Crowd Data Center >= 3.3.0 but less than 3.3.5
(the fixed version for 3.3.x) or who have downloaded and installed Crowd and
Crowd Data Center >= 3.4.0 but less than 3.4.4 (the fixed version for 3.4.x)
please upgrade your Crowd and Crowd Data Center installations immediately to
fix this vulnerability.



pdkinstall development plugin incorrectly enabled - CVE-2019-11580

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly
enabled in release builds. Attackers who can send unauthenticated or
authenticated requests to a Crowd or Crowd Data Center instance can exploit this
vulnerability to install arbitrary plugins, which permits remote code execution
on systems running a vulnerable version of Crowd or Crowd Data Center.
Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5
(the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed
version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for
3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), from
version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this
vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/CWD-5388 .



Fix:

To address this issue, we've released the following versions containing a fix:

* Crowd and Crowd Data Center version 3.0.5
* Crowd and Crowd Data Center version 3.1.6
* Crowd and Crowd Data Center version 3.2.8
* Crowd and Crowd Data Center version 3.3.5
* Crowd and Crowd Data Center version 3.4.4

Remediation:

Atlassian recommends that customers running a version of Crowd below 3.3.0
upgrade to version 3.2.8 to avoid https://jira.atlassian.com/browse/CWD-5352;
for customers running a version equal to or above 3.3.0, Atlassian recommends
upgrading to the latest version.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Crowd and Crowd Data Center 3.1.x and cannot upgrade to
3.4.4, upgrade to version 3.1.6.
If you are running Crowd and Crowd Data Center 3.2.x and cannot upgrade to
3.4.4, upgrade to version 3.2.8.
If you are running Crowd and Crowd Data Center 3.3.x and cannot upgrade to
3.4.4, upgrade to version 3.3.5.


For a full description of the latest version of Crowd and Crowd Data Center,
see
the release notes found at
https://confluence.atlassian.com/display/CROWD/Crowd+Release+Notes. You can
download the latest version of Crowd and Crowd Data Center from the download
centre found at https://www.atlassian.com/software/crowd/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://

Bitbucket Server security advisory 2019-05-22

2019-05-23 Thread Anton Black

This email refers to the advisory found at
https://confluence.atlassian.com/x/V87JOQ .


CVE ID:

* CVE-2019-3397.


Product: Bitbucket Server.

Affected Bitbucket Server product versions:

5.13.0 <= version < 5.13.5
5.14.0 <= version < 5.14.3
5.15.0 <= version < 5.5.2
6.0.0 <= version < 6.0.3
6.1.0 <= version < 6.1.1


Fixed Bitbucket Server product versions:

* for 5.13.x, Bitbucket Server 5.13.5 has been released with a fix for this
issue.
* for 5.14.x, Bitbucket Server 5.14.3 has been released with a fix for this
issue.
* for 5.15.x, Bitbucket Server 5.5.2 has been released with a fix for this
issue.
* for 6.0.x, Bitbucket Server 6.0.3 has been released with a fix for this
issue.
* for 6.1.x, Bitbucket Server 6.1.1 has been released with a fix for this
issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Bitbucket Server starting with 5.13.0 before 5.13.6 (the fixed version for
5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0
before 5.15.3 (fixed version for 5.13.x), from 6.0.0 before 6.0.3 (fixed version
for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x)  are
affected by this vulnerability.



Customers who have upgraded Bitbucket Server to version 5.13.6 or 5.14.4 or
5.15.3 or 6.0.3 or 6.1.2 are not affected.

Customers who have downloaded and installed Bitbucket Server >= 5.13.0 but less
than 5.13.5 (the fixed version for 5.13.x) or who have downloaded and installed
Bitbucket Server >= 5.14.0 but less than 5.14.3 (the fixed version for 5.14.x)
or who have downloaded and installed Bitbucket Server >= 5.15.0 but less than
5.5.2 (the fixed version for 5.15.x) or who have downloaded and installed
Bitbucket Server >= 6.0.0 but less than 6.0.3 (the fixed version for 6.0.x) or
who have downloaded and installed Bitbucket Server >= 6.1.0 but less than 6.1.1
(the fixed version for 6.1.x) please upgrade your Bitbucket Server installations
immediately to fix this vulnerability.



Path traversal in the migration tool RCE (CVE-2019-3397)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Bitbucket Data Center had a path traversal vulnerability in the Data Center
migration tool. A remote attacker authenticated as a user with admin permissions
can exploit this path traversal vulnerability to write files to arbitrary
locations, which can lead to remote code execution on systems that run a
vulnerable version of Bitbucket Data Center. Bitbucket Server versions without a
Data Center license are not affected by this vulnerability.
Versions of Bitbucket Server starting with 5.13.0 before 5.13.6 (the fixed
version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from
5.15.0 before 5.15.3 (fixed version for 5.13.x), from 6.0.0 before 6.0.3 (fixed
version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x)
are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/BSERV-11706 .



Fix:

To address this issue, we've released the following versions containing a fix:

* Bitbucket Server version 5.13.6
* Bitbucket Server version 5.14.4
* Bitbucket Server version 5.15.3
* Bitbucket Server version 6.0.3
* Bitbucket Server version 6.1.2

Remediation:

Upgrade Bitbucket Server to version 6.1.2 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Bitbucket Server 5.13.x and cannot upgrade to 6.1.2, upgrade
to version 5.13.5.
If you are running Bitbucket Server 5.14.x and cannot upgrade to 6.1.2, upgrade
to version 5.14.3.
If you are running Bitbucket Server 5.15.x and cannot upgrade to 6.1.2, upgrade
to version 5.5.2.
If you are running Bitbucket Server 6.0.x and cannot upgrade to 6.1.2, upgrade
to version 6.0.3.


For a full description of the latest version of Bitbucket Server, see
the release notes found at
https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Server+release+notes.
You can download the latest version of Bitbucket Server from the download centre
found at https://www.atlassian.com/software/bitbucket/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


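As an added example (not Atlassian's code), this is the containment check a migration or import tool has to apply to every archive entry name before writing it under the destination directory, which is the class of check whose absence lets an entry escape to an arbitrary location. The base directory and entry names below are constructed.

```python
import os
import posixpath


def safe_destination(base_dir: str, entry_name: str) -> str:
    """Return the absolute path under base_dir where the archive entry
    entry_name may be written, or raise ValueError if writing it would
    land outside base_dir (the path traversal this advisory describes)."""
    if not entry_name:
        raise ValueError("empty entry name")
    if "\x00" in entry_name:
        raise ValueError("NUL byte in entry name")
    # Treat backslashes as separators so "..\\..\\x" cannot slip past a
    # check that only understands "/".
    name = entry_name.replace("\\", "/")
    # Absolute names (/etc/passwd) and Windows drive letters (C:/...) are
    # never legitimate in an archive that should unpack under base_dir.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute entry name rejected: {entry_name!r}")
    # Collapse "a/../../b" before looking at the leading components.
    normalised = posixpath.normpath(name)
    if normalised in (".", "..") or normalised.startswith("../"):
        raise ValueError(f"entry escapes destination: {entry_name!r}")
    # Resolve symlinks in base_dir and in any directory already extracted,
    # then require that the target really sits below base_dir.  commonpath
    # avoids the prefix mistake where "/srv/migration2" passes a plain
    # startswith() check for "/srv/migration".
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, normalised))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry resolves outside destination: {entry_name!r}")
    return target


def is_contained(base_dir: str, entry_name: str) -> bool:
    """True if the entry may be written under base_dir, False otherwise."""
    try:
        safe_destination(base_dir, entry_name)
    except ValueError:
        return False
    return True
```

Because realpath follows symlinks that already exist on disk, run the check per entry in extraction order, and refuse symlink entries whose target is not itself contained.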

WebKitGTK and WPE WebKit Security Advisory WSA-2019-0003

2019-05-20 Thread Michael Catanzaro


WebKitGTK and WPE WebKit Security Advisory WSA-2019-0003


Date reported : May 20, 2019
Advisory ID : WSA-2019-0003
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2019-0003.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0003.html

CVE identifiers : CVE-2019-6237, CVE-2019-8571, CVE-2019-8583,
 CVE-2019-8584, CVE-2019-8586, CVE-2019-8587,
 CVE-2019-8594, CVE-2019-8595, CVE-2019-8596,
 CVE-2019-8597, CVE-2019-8601, CVE-2019-8607,
 CVE-2019-8608, CVE-2019-8609, CVE-2019-8610,
 CVE-2019-8615, CVE-2019-8611, CVE-2019-8619,
 CVE-2019-8622, CVE-2019-8623.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-6237
   Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
   Credit to G. Geshev working with Trend Micro Zero Day Initiative,
   Liu Long of Qihoo 360 Vulcan Team.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8571
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to 01 working with Trend Micro's Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8583
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of
   Tencent Keen Lab, and dwfault working at ADLab of Venustech.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8584
   Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
   Credit to G. Geshev of MWR Labs working with Trend Micro Zero Day
   Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8586
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to an anonymous researcher.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8587
   Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
   Credit to G. Geshev working with Trend Micro Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8594
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to Suyoung Lee and Sooel Son of KAIST Web Security & Privacy
   Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8595
   Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
   Credit to G. Geshev from MWR Labs working with Trend Micro Zero Day
   Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8596
   Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
   Credit to Wen Xu of SSLab at Georgia Tech.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8597
   Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
   Credit to 01 working with Trend Micro Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8601
   Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
   Credit to Fluoroacetate working with Trend Micro's Zero Day
   Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8607
   Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
   Credit to Junho Jang and Hanul Choi of LINE Security Team.
   Processing maliciously crafted web content may result in the
   disclosure of process memory. An out-of-bounds read was addressed
   with improved input validation.

CVE-2019-8608
   Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
   Credit to G. Geshev working with Trend Micro Zero Day Initiative.

Advisory: security controls configured in php.ini could be bypassed on Linux

2019-05-20 Thread Imre Rad
"PHP is a popular general-purpose scripting language that is
especially suited to web development."

PHP has deployed several features over the years that turned out to be
incorrect architectural decisions (safe mode
https://www.php.net/manual/en/features.safe-mode.php or open_basedir
http://news.php.net/php.internals/105606), to have unexpected security
implications (register globals
https://www.php.net/manual/en/security.globals.php), or that simply
violated architectural patterns and ended up in a mess (magic quotes
gpc - https://www.php.net/manual/en/security.magicquotes.php).

This advisory expands this list: security controls configured via
php.ini directives at the PHP_INI_SYSTEM level are ineffective, because
malicious scripts can bypass them by writing to their own process memory
on the Linux platform.
As an example, a threat actor could exploit this flaw to execute PHP
functions that have been disabled via the disable_functions directive.
It is quite common to disable the exec family of PHP functions with the
aim of preventing OS command execution from PHP scripts. This weakness
enables executing OS commands in such restricted configurations.

The attack has been reported to the PHP maintainers
(https://bugs.php.net/bug.php?id=78006) along with a proof of concept
code (https://github.com/irsl/php-bypass-disable-functions) and the
recommendation to introduce a new security measure via the fopen
wrappers to prevent tampering with /proc/self/mem. The issue was
acknowledged but the proposal was rejected saying the attack could be
mounted via PHP extensions as well, and this shall be addressed at the
operating system level instead.

At this point, I decided to publish this advisory, so that system
administrators who rely on php.ini settings as their primary/only line
of defense shall revisit their configuration and follow other
approaches to secure their applications.


FreeBSD Security Advisory FreeBSD-SA-19:07.mds [REVISED]

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

0.   Revision history

v1.0   2019-05-14  Initial release.
v1.1   2019-05-15  Fixed date on microcode update package.
v1.2   2019-05-15  Userland startup microcode update details added.
                   Add language specifying which manufacturers are affected.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Only Intel x86 based processors are affected.  x86 processors from other
manufacturers (eg, AMD) are not believed to be vulnerable.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to the
system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html>.

FreeBSD Security Advisory FreeBSD-SA-19:07.mds

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

0.   Revision history

v1.0   2019-05-14  Initial release.
v1.1   2019-05-15  Fixed date on microcode update package.
v1.2   2019-05-15  Userland startup microcode update details added.
                   Add language specifying which manufacturers are affected.
v1.3   2019-05-15  Minor quoting nit for the HT disable loader config.
v2.0   2019-05-15  Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Only Intel x86 based processors are affected.  x86 processors from other
manufacturers (eg, AMD) are not believed to be vulnerable.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the Intel microcode update can be applied at
boot time (only on FreeBSD 12 and later) by adding the following lines to the
system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all
FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***]
Due to an error in the 12.0-RELEASE affecting the i386 architecture, a new
set of patches is being released.  If your 12.0-RELEASE sources are not yet
patched using the initially published patch, then you need to apply the
mds.12.0.patch. If your sources are already updated, or patched with the
patch from the initial advisory, then you need to apply the incremental
patch, named mds.12.0.p4p5.patch

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

FreeBSD Security Advisory FreeBSD-SA-19:07.mds

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
                CVE-2019-11091

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Modern processors make use of speculative execution, an optimization
technique which performs some action in advance of knowing whether the
result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may
be able to infer stale information from microarchitectural buffers to obtain
a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Systems with users or processors in different trust domains should disable
Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following:

Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD
stable or release / security branch (releng) dated after the correction date,
evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor,
or by installing the devcpu-data package or sysutils/devcpu-data port.
Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.

If using the package or port the microcode update can be applied at boot time
by adding the following lines to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Microcode updates can also be applied while the system is running.  See
cpucontrol(8) for details.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation Configuration

Systems with users, processes, or virtual machines in different trust
domains should disable Hyper-Threading by setting the
machdep.hyperthreading_allowed tunable to 0:

# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf

To activate the MDS mitigation set the hw.mds_disable sysctl.  The settings
are:

0 - mitigation disabled
1 - VERW instruction (microcode) mitigation enabled
2 - Software sequence mitigation enabled (not recommended)
3 - Automatic VERW or Software selection

Automatic

FreeBSD Security Advisory FreeBSD-SA-19:05.pf

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:05.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 fragment reassembly panic in pf(4)

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5597

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last
extension header offset from the last received packet instead of from the
first packet.

III. Impact

Malicious IPv6 packets with different IPv6 extensions could cause a kernel
panic or potentially a filtering rule bypass.

IV.  Workaround

Only systems that use the pf(4) firewall and include packet scrubbing, using
the recommended 'scrub all in' rule or similar, are affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344706
releng/12.0/                                                      r347591
stable/11/                                                        r344707
releng/11.2/                                                      r347591
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc>


FreeBSD Security Advisory FreeBSD-SA-19:06.pf

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:06.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          ICMP/ICMP6 packet filter bypass in pf

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5598

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.

II.  Problem Description

States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in
their payload matching an existing condition.  pf(4) does not check if the
outer ICMP or ICMP6 packet has the same destination IP as the source IP of
the inner protocol packet.

III. Impact

A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules
and be passed to a host that would otherwise be unavailable.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r345377
releng/12.0/                                                      r347593
stable/11/                                                        r345378
releng/11.2/                                                      r347593
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.synacktiv.com/posts/systems/icmp-reachable.html>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc>

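As an added example, not pf(4) code, this is the consistency check that the SA-19:06 problem description says pf lacked, applied to a hand-built IPv4 ICMP Destination Unreachable message: the error is only acceptable for a state if the outer packet's destination is the source of the quoted inner packet. The addresses and the quoted UDP datagram are constructed.

```python
import struct
from ipaddress import IPv4Address

# ICMP types that quote the header of the packet that triggered them.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_unreachable(outer_src: str, outer_dst: str,
                           inner_src: str, inner_dst: str) -> bytes:
    """Constructed ICMP type 3 (Destination Unreachable), code 3 (port),
    quoting the IPv4 header and first 8 bytes of a UDP datagram."""
    inner_udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    inner = ipv4_header(inner_src, inner_dst, 17, len(inner_udp)) + inner_udp
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(outer_src, outer_dst, 1, len(icmp)) + icmp


def parse_ipv4(pkt: bytes):
    """Return (header_len, proto, src, dst); raise ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated IPv4 header")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (ihl, pkt[9],
            str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])))


def icmp_error_is_consistent(pkt: bytes) -> bool:
    """The check the advisory describes as missing: an ICMP error may only
    match an existing state if the outer destination (the host that receives
    the error) equals the source address of the quoted inner packet."""
    ihl, proto, _outer_src, outer_dst = parse_ipv4(pkt)
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to quote an IPv4 header")
    if icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    _, _, inner_src, _inner_dst = parse_ipv4(icmp[8:])
    return outer_dst == inner_src
```

A filter that enforces this returns a mismatching error to its normal rule evaluation instead of letting the state match pass it to a host that the rules would otherwise protect.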

FreeBSD Security Advisory FreeBSD-SA-19:03.wpa

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-19:03.wpa                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in hostapd and wpa_supplicant

Category:       contrib
Module:         wpa
Announced:      2019-05-14
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE)
                2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE)
                2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
                CVE-2019-9498, CVE-2019-9499, CVE-2019-11555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
Wi-Fi Alliance to secure wireless computer networks.

hostapd(8) and wpa_supplicant(8) are user space daemon implementations for
access points and wireless clients, respectively, that implement the WPA2
protocol.

II.  Problem Description

Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8)
implementations.  For more details, please see the reference URLs in the
References section below.

III. Impact

Security of the wireless network may be compromised.  For more details,
please see the reference URLs in the References section below.

IV.  Workaround

No workaround is available, but systems not using hostapd(8) or
wpa_supplicant(8) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterwards, restart hostapd(8) or wpa_supplicant(8).

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart hostapd(8) or wpa_supplicant(8).

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc
# gpg --verify wpa-12.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart the applicable daemons, or reboot the system.
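The three Solution steps above (repeated verbatim in the other FreeBSD advisories on this page) presuppose that you can tell whether a host is already at or past the patch level named in the Corrected: field. The POSIX sh helper below is an added example, not part of the advisory: it compares a freebsd-version(1) string such as 12.0-RELEASE-p3 against the advisory's corrected releng versions and treats stable or current branches, which carry no -pN level, as not comparable.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: compare the patch level a
# host reports (freebsd-version(1), e.g. "12.0-RELEASE-p3") with the
# corrected releng versions an advisory lists in its "Corrected:" field.

# parse_release VERSION
# Prints "<release> <patchlevel>" for "X.Y-RELEASE" or "X.Y-RELEASE-pN";
# returns 1 for anything else (stable/current branches carry no -pN level,
# so they cannot be judged this way and must be compared by checkout date).
parse_release() {
    ver=$1
    case "$ver" in
        *-RELEASE)    rel=${ver%-RELEASE};    pl=0 ;;
        *-RELEASE-p*) rel=${ver%-RELEASE-p*}; pl=${ver##*-RELEASE-p} ;;
        *) return 1 ;;
    esac
    case "$pl" in
        ''|*[!0-9]*) return 1 ;;    # patch level must be a plain integer
    esac
    printf '%s %s\n' "$rel" "$pl"
}

# is_patched RUNNING CORRECTED
# 0: same release and patch level >= corrected; 1: behind the correction;
# 2: not comparable (different release, or not a RELEASE version).
is_patched() {
    run=$(parse_release "$1") || return 2
    fix=$(parse_release "$2") || return 2
    run_rel=${run% *}; run_pl=${run#* }
    fix_rel=${fix% *}; fix_pl=${fix#* }
    [ "$run_rel" = "$fix_rel" ] || return 2
    [ "$run_pl" -ge "$fix_pl" ]      # numeric compare, so p10 beats p9
}

# advisory_status RUNNING "CORRECTED1 CORRECTED2 ..."
# Prints patched, vulnerable or unknown for RUNNING against the advisory's
# corrected versions (one per releng branch, as in the Corrected: field).
advisory_status() {
    running=$1
    for corrected in $2; do
        rc=0
        is_patched "$running" "$corrected" || rc=$?
        case $rc in
            0) echo patched;    return 0 ;;
            1) echo vulnerable; return 0 ;;
        esac
    done
    echo unknown
}

# Stand-alone use on a FreeBSD host, with SA-19:03.wpa's corrected versions.
if command -v freebsd-version >/dev/null 2>&1; then
    advisory_status "$(freebsd-version -u)" "12.0-RELEASE-p4 11.2-RELEASE-p10"
fi
```

Check both the userland (-u) and kernel (-k) versions, since a kernel-only advisory such as SA-19:02.fd needs the kernel rebuilt and the host rebooted, which the userland string does not show.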

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r346980
releng/12.0/                                                      r347587
stable/11/                                                        r346981
releng/11.2/                                                      r347588
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://w1.fi/security/2019-1
https://w1.fi/security/2019-2
https://w1.fi/security/2019-3
https://w1.fi/security/2019-4
https://w1.fi/security/2019-5

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9496
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11555

The la

FreeBSD Security Advisory FreeBSD-SA-19:04.ntp

2019-05-15 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:04.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:  Authenticated denial of service in ntpd

Category:   contrib
Module: ntp
Announced:  2019-05-14
Credits:Magnus Stubman
Affects:All supported versions of FreeBSD
Corrected:  2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE)
2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4)
2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE)
2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:   CVE-2019-8936

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.  The ntpd(8) daemon uses a protocol called mode 6 to both get
status information from the running ntpd(8) daemon and configure it on the
fly.  This protocol is typically used by the ntpq(8) program, among others.

II.  Problem Description

A crafted malicious authenticated mode 6 packet from a permitted network
address can trigger a NULL pointer dereference.

Note that for this attack to work, the sending system must be on an address
from which the target ntpd(8) accepts mode 6 packets, and must use a private
key that is specifically listed as being used for mode 6 authorization.

III. Impact

The ntpd daemon can crash due to the NULL pointer dereference, causing a
denial of service.

IV.  Workaround

Use 'restrict noquery' in the ntpd configuration to limit addresses that
can send mode 6 queries.
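As an added example, not taken from the advisory or the ntp project, the POSIX sh audit below reads an ntp.conf and reports every restrict entry that still accepts mode 6 queries, which is the exposure the 'restrict noquery' workaround closes. The two embedded configurations are constructed: one with the weak default entry and one with noquery applied.

```shell
#!/bin/sh
# Added example (not from the FreeBSD advisory or the ntp project): audit an
# ntp.conf for "restrict" entries that still accept mode 6 control queries.
# ntpd refuses mode 6 traffic from an address only when the restrict entry
# matching it carries "noquery"; a "restrict default" line without it, or no
# default line at all, leaves the query path open to every address.

# Constructed ntp.conf with the weak setting: the default entry lacks noquery,
# so any host that can reach the daemon may send mode 6 packets.
WEAK_CONF='
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
'

# Same file with the workaround applied: queries only from the loopback
# entries, which local ntpq(8) use needs.
HARDENED_CONF='
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery   # mode 6 closed
restrict 127.0.0.1
restrict ::1
'

# audit_mode6 CONF_TEXT
# Prints one "mode6-open: <target>" line per restrict entry without noquery
# and returns 0 only if the default entry refuses queries and nothing but
# loopback addresses is left open. Each entry is judged on its own; ntpd
# itself picks the most specific matching entry for a given client address.
audit_mode6() {
    conf=$1
    default_open=1          # stays 1 until "restrict default ... noquery"
    non_local_open=0
    while IFS= read -r line; do
        line=${line%%#*}    # strip comments
        set -- $line        # words: keyword, optional -4/-6, target, flags
        [ "${1:-}" = restrict ] || continue
        shift
        case "${1:-}" in -4|-6) shift ;; esac
        [ $# -ge 1 ] || continue
        target=$1; shift
        case " $* " in
            *" noquery "*)
                [ "$target" = default ] && default_open=0
                continue ;;
        esac
        echo "mode6-open: $target"
        case "$target" in
            127.0.0.1|::1|localhost) ;;     # local ntpq use, acceptable
            *) non_local_open=1 ;;          # 'default' or a remote range
        esac
    done <<EOF
$conf
EOF
    [ "$default_open" -eq 0 ] && [ "$non_local_open" -eq 0 ]
}

# Stand-alone run over both constructed files.
for name in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    if audit_mode6 "$conf" >/dev/null; then
        echo "$name: mode 6 restricted to loopback"
    else
        echo "$name: mode 6 reachable from non-local addresses"
    fi
done
```

Run it against /etc/ntp.conf with `audit_mode6 "$(cat /etc/ntp.conf)"`; even with noquery in place, the advisory's note applies and only authenticated senders with a listed mode 6 key can trigger the crash, so also review the `trustedkey` and `controlkey` lines.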

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart the ntpd service:
# service ntpd restart

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc
# gpg --verify ntp.patch.asc

[FreeBSD 11.2-RELEASE/11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc
# gpg --verify ntp-11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart the ntpd service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r344884
releng/12.0/                                                      r347589
stable/11/                                                        r344884
releng/11.2/                                                      r347590
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

http://support.ntp.org/bin/view/Main/SecurityNotice#March_2019_ntp_4_2_8p13_NTP_Rele

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:04.ntp.asc

Confluence Security Advisory - 2019-04-17

2019-04-24 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/d5e8OQ .


CVE ID:

* CVE-2019-3398.


Product: Confluence Server and Confluence Data Center.

Affected Confluence Server and Confluence Data Center versions:

6.6.0 <= version < 6.6.13
6.7.0 <= version < 6.12.4
6.13.0 <= version < 6.13.4
6.14.0 <= version < 6.14.3
6.15.0 <= version < 6.15.2


Fixed Confluence Server and Data Center versions:

* for 6.6.x, Confluence Server 6.6.13 has been released with a fix for this
issue.
* Confluence Server 6.12.4 has been released with a fix for this issue.
* for 6.13.x, Confluence Server 6.13.4 has been released with a fix for this
issue.
* for 6.14.x, Confluence Server 6.14.3 has been released with a fix for this
issue.
* for 6.15.x, Confluence Server 6.15.2 has been released with a fix for this
issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Confluence starting with version 2.0.0 before 6.6.13 (the fixed version
for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0
before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the
fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this
vulnerability.



Customers who have upgraded Confluence to version 6.6.13 or 6.12.4 or
6.13.4 or 6.14.3 or 6.15.2 are not affected.

Customers who have downloaded and installed Confluence >= 6.6.0 but less
than 6.6.13 (the fixed version for 6.6.x) or who have downloaded and installed
Confluence >= 6.7.0 but less than 6.12.4 or who have downloaded and
installed Confluence >= 6.13.0 but less than 6.13.4 (the fixed version
for 6.13.x) or who have downloaded and installed Confluence >= 6.14.0 but
less than 6.14.3 (the fixed version for 6.14.x) or who have downloaded and
installed Confluence >= 6.15.0 but less than 6.15.2 (the fixed version
for 6.15.x) please upgrade your Confluence installations immediately to
fix this vulnerability.



Path traversal in the downloadallattachments resource - CVE-2019-3398

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Confluence Server and Data Center had a path traversal vulnerability in the
downloadallattachments resource. A remote attacker who has permission to add
attachments to pages and / or blogs, or to create a new space or personal space,
or who has 'Admin' permissions for a space, can exploit this path
traversal vulnerability to write files to arbitrary locations which can lead to
remote code execution on systems that run a vulnerable version of Confluence
Server or Data Center.
Versions of Confluence starting with version 2.0.0 before 6.6.13 (the
fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for
6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0
before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are
affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/CONFSERVER-58102 .



Fix:

To address this issue, we've released the following versions containing a fix:

* Confluence Server and Confluence Data Center version 6.6.13
* Confluence Server and Confluence Data Center version 6.12.4
* Confluence Server and Confluence Data Center version 6.13.4
* Confluence Server and Confluence Data Center version 6.14.3
* Confluence Server and Confluence Data Center version 6.15.2

Remediation:

Upgrade Confluence to version 6.15.2 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Confluence Server 6.6.x and cannot upgrade to 6.15.2, upgrade
to version 6.6.13.
If you are running Confluence Server 6.13.x and cannot upgrade to 6.15.2,
upgrade to version 6.13.4.
If you are running Confluence Server 6.14.x and cannot upgrade to 6.15.2,
upgrade to version 6.14.3.


For a full description of the latest version of Confluence Server, see
the release notes found at
https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can
download the latest version of Confluence Server from the download centre found
at https://www.atlassian.com/software/confluence/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002

2019-04-11 Thread Michael Catanzaro


WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002


Date reported : April 10, 2019
Advisory ID : WSA-2019-0002
WebKitGTK Advisory URL : 
https://webkitgtk.org/security/WSA-2019-0002.html
WPE WebKit Advisory URL : 
https://wpewebkit.org/security/WSA-2019-0002.html

CVE identifiers : CVE-2019-6201, CVE-2019-6251, CVE-2019-7285,
 CVE-2019-7292, CVE-2019-8503, CVE-2019-8506,
 CVE-2019-8515, CVE-2019-8518, CVE-2019-8523,
 CVE-2019-8524, CVE-2019-8535, CVE-2019-8536,
 CVE-2019-8544, CVE-2019-8551, CVE-2019-8558,
 CVE-2019-8559, CVE-2019-8563, CVE-2019-11070.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-6201
   Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before
   2.22.4.
   Credit to dwfault working with ADLab of Venustech.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-6251
   Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
   Credit to Dhiraj.
   Processing maliciously crafted web content may lead to spoofing.
   WebKitGTK and WPE WebKit were vulnerable to a URI spoofing attack
   similar to the CVE-2018-8383 issue in Microsoft Edge.

CVE-2019-7285
   Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before
   2.22.4.
   Credit to dwfault working at ADLab of Venustech.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A use after free issue was addressed with improved
   memory management.

CVE-2019-7292
   Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before
   2.22.4.
   Credit to Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team.
   Processing maliciously crafted web content may result in the
   disclosure of process memory. A validation issue was addressed with
   improved logic.

CVE-2019-8503
   Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before
   2.22.4.
   Credit to Linus Särud of Detectify.
   A malicious website may be able to execute scripts in the context of
   another website. A logic issue was addressed with improved
   validation.

CVE-2019-8506
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to Samuel Groß of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A type confusion issue was addressed with improved
   memory handling.

CVE-2019-8515
   Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before
   2.22.4.
   Credit to James Lee, @Windowsrcer.
   Processing maliciously crafted web content may disclose sensitive
   user information. A cross-origin issue existed with the fetch API.
   This was addressed with improved input validation.

CVE-2019-8518
   Versions affected: WebKitGTK before 2.22.7 and WPE WebKit before
   2.22.5.
   Credit to Samuel Groß of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8523
   Versions affected: WebKitGTK before 2.22.7 and WPE WebKit before
   2.22.5.
   Credit to Apple.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8524
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to G. Geshev working with Trend Micro Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-8535
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to Zhiyang Zeng, @Wester, of Tencent Blade Team.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved state management.

CVE-2019-8536
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to Apple.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2019-8544
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to an anonymous researcher.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2019-8551
   Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
   Credit to Ryan Pickren, ryanpickren.com.
   Processing maliciously crafted web content may lead to universal
   cross site scripting. A logic issue was

Atlassian - Confluence Security Advisory - 2019-03-20

2019-03-25 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20
.


CVE ID:

* CVE-2019-3395.
* CVE-2019-3396.


Product: Confluence Server and Confluence Data Center.

Affected Confluence Server and Confluence Data Center product versions:

6.6.0 <= version < 6.6.12
6.12.0 <= version < 6.12.3
6.13.0 <= version < 6.13.3
6.14.0 <= version < 6.14.2


Fixed Confluence Server and Confluence Data Center product versions:

* for 6.6.x, Confluence Server and Data Center 6.6.12 have been
released with a fix for these issues.
* for 6.12.x, Confluence Server and Data Center 6.12.3 have been
released with a fix for these issues.
* for 6.13.x, Confluence Server and Data Center 6.13.3 have been
released with a fix for these issues.
* for 6.14.x, Confluence Server and Data Center 6.14.2 have been
released with a fix for these issues.


Summary:
This advisory discloses critical severity security vulnerabilities. Versions of
Confluence Server and Data Center before 6.6.12 (the fixed version for 6.6.x),
from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version
6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version 6.14.0
before 6.14.2 (the fixed version for 6.14.x) are affected by these
vulnerabilities.



Customers who have upgraded Confluence to version 6.6.12 or 6.12.3 or
6.13.3 or 6.14.2 are not affected.

Customers who have downloaded and installed Confluence >= 6.6.0 but less
than 6.6.12 (the fixed version for 6.6.x) or who have downloaded and installed
Confluence >= 6.12.0 but less than 6.12.3 (the fixed version for 6.12.x)
or who have downloaded and installed Confluence >= 6.13.0 but less than
6.13.3 (the fixed version for 6.13.x) or who have downloaded and installed
Confluence >= 6.14.0 but less than 6.14.2 (the fixed version for 6.14.x)
please upgrade your Confluence installations immediately to fix these
vulnerabilities.



WebDAV vulnerability (CVE-2019-3395)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

A remote attacker is able to exploit a Server-Side Request Forgery (SSRF)
vulnerability via the WebDAV plugin to send arbitrary HTTP and WebDAV requests
from a Confluence Server or Data Center instance.
Versions of Confluence before version 6.6.7 (the fixed version for
6.6.x), from version 6.7.0 before 6.7.3 (the fixed version for 6.7.x), from
version 6.8.0 before 6.8.5 (the fixed version for 6.8.x) and from version 6.9.0
before 6.9.3 (the fixed version for 6.9.x) are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57971
.

Remote code execution via Widget Connector macro (CVE-2019-3396)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was a server-side template injection vulnerability in Confluence
via Widget Connector. An attacker is able to exploit this issue to achieve path
traversal and remote code execution on systems that run a vulnerable version of
Confluence.
Versions of Confluence before version 6.6.12 (the fixed version for
6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from
version 6.13.0 before 6.13.3 (the fixed version for 6.13.x) and from version
6.14.0 before 6.14.2 (the fixed version for 6.14.x) are affected by this
vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/CONFSERVER-57974 .



Fix:

To address these issues, we have released the following versions of
Confluence Server and Data Center containing a fix:

* version 6.6.12
* version 6.12.3
* version 6.13.3
* version 6.14.2

Remediation:

Upgrade Confluence Server and Data Center to version 6.14.2 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Confluence Server and or Data Center 6.6.x and cannot
upgrade to 6.14.2, upgrade to version 6.6.12.
If you are running Confluence Server and or Data Center 6.12.x and cannot
upgrade to 6.14.2, upgrade to version 6.12.3.
If you are running Confluence Server and or Data Center 6.13.x and cannot
upgrade to 6.14.2, upgrade to version 6.13.3.


For a full description of the latest version of Confluence Server and
Data Center, see the release notes found at
https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can
downl

March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities

2019-03-20 Thread Erin Jensby
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

This email refers to the advisory found at
https://confluence.atlassian.com/display/SOURCETREEKB/Sourcetree+Security+Advisory+2018-03-06
.


CVE ID:

* CVE-2018-17456.
* CVE-2018-20234.
* CVE-2018-20235.
* CVE-2018-20236.


Product: Sourcetree.

Affected Sourcetree product versions:

1.2 <= version < 3.1.1
0.5a <= version < 3.0.17


Fixed Sourcetree product versions:

* for macOS, Sourcetree 3.1.1 has been released with a fix for these issues.
* for Windows, Sourcetree 3.0.17 has been released with a fix for these issues.


Summary:
This advisory discloses critical severity security vulnerabilities. Versions of
Sourcetree are affected by these vulnerabilities.



Customers who have upgraded Sourcetree to version 3.1.1 (Sourcetree for macOS)
or 3.0.17 (Sourcetree for Windows) are not affected.

Customers who have downloaded and installed Sourcetree >= 1.2 but less than
3.1.1 (the fixed version for macOS) or who have downloaded and installed
Sourcetree >= 0.5a but less than 3.0.17 (the fixed version for Windows) please
upgrade your Sourcetree installations immediately to fix these vulnerabilities.



Sourcetree for macOS - Git submodules vulnerability (CVE-2018-17456)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

The embedded version of Git used in Sourcetree for macOS was vulnerable to
CVE-2018-17456. An attacker can exploit this issue if they can commit to a Git
repository linked in Sourcetree for macOS. This allows them to execute arbitrary
code on systems running a vulnerable version of Sourcetree for macOS.
Versions of Sourcetree for macOS starting with version 1.2 before version 3.1.1
are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/SRCTREE-6394 .

Sourcetree for Windows - Git submodules vulnerability (CVE-2018-17456)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

The embedded version of Git used in Sourcetree for Windows was vulnerable to
CVE-2018-17456. An attacker can exploit this issue if they can commit to a Git
repository linked in Sourcetree for Windows. This allows them to execute
arbitrary code on systems running a vulnerable version of Sourcetree for
Windows.
Versions of Sourcetree for Windows starting with version 0.5a before version
3.0.17 are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/SRCTREEWIN-11292 .

Sourcetree for macOS - Mercurial hooks vulnerability (CVE-2018-20234)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was an argument injection vulnerability in Sourcetree for macOS via
filenames in Mercurial repositories. A remote attacker with permission to commit
to a Mercurial repository linked in Sourcetree for macOS is able to exploit this
issue to gain code execution on the system.
Versions of Sourcetree for macOS starting with version 1.2 before version 3.1.1
are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/SRCTREE-6391 .

Sourcetree for Windows - Mercurial hooks vulnerability (CVE-2018-20235)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was an argument injection vulnerability in Sourcetree for Windows via
filenames in Mercurial repositories. A remote attacker with permission to commit
to a Mercurial repository linked in Sourcetree for Windows is able to exploit
this issue to gain code execution on the system.
Versions of Sourcetree for Windows starting with version 0.5a before version
3.0.15 are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/SRCTREEWIN-11289 .

Sourcetree for Windows - URI handling vulnerability (CVE-2018-20236)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels

WebKitGTK+ and WPE WebKit Security Advisory WSA-2019-0001

2019-02-10 Thread Michael Catanzaro


WebKitGTK+ and WPE WebKit Security Advisory WSA-2019-0001


Date reported : February 08, 2019
Advisory ID : WSA-2019-0001
WebKitGTK+ Advisory URL : 
https://webkitgtk.org/security/WSA-2019-0001.html
WPE WebKit Advisory URL : 
https://wpewebkit.org/security/WSA-2019-0001.html

CVE identifiers : CVE-2019-6212, CVE-2019-6215, CVE-2019-6216,
 CVE-2019-6217, CVE-2019-6226, CVE-2019-6227,
 CVE-2019-6229, CVE-2019-6233, CVE-2019-6234.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2019-6212
   Versions affected: WebKitGTK+ before 2.22.6 and WPE WebKit before
   2.22.4.
   Credit to an anonymous researcher.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-6215
   Versions affected: WebKitGTK+ before 2.22.6 and WPE WebKit before
   2.22.4.
   Credit to Lokihardt of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A type confusion issue was addressed with improved
   memory handling.

CVE-2019-6216
   Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
   2.22.3.
   Credit to Fluoroacetate working with Trend Micro's Zero Day
   Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-6217
   Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
   2.22.3.
   Credit to Fluoroacetate working with Trend Micro's Zero Day
   Initiative, Proteas, Shrek_wzw, and Zhuo Liang of Qihoo 360 Nirvan
   Team.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-6226
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Apple.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2019-6227
   Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
   2.22.3.
   Credit to Qixun Zhao of Qihoo 360 Vulcan Team.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2019-6229
   Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
   2.22.3.
   Credit to Ryan Pickren.
   Processing maliciously crafted web content may lead to universal
   cross site scripting. A logic issue was addressed with improved
   validation.

CVE-2019-6233
   Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before
   2.22.2.
   Credit to G. Geshev from MWR Labs working with Trend Micro's Zero
   Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2019-6234
   Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before
   2.22.2.
   Credit to G. Geshev from MWR Labs working with Trend Micro's Zero
   Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.


We recommend updating to the latest stable versions of WebKitGTK+ and
WPE WebKit. It is the best way to ensure that you are running safe
versions of WebKit. Please check our websites for information about the
latest stable releases.

Further information about WebKitGTK+ and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK+ and WPE WebKit team,
February 08, 2019



FreeBSD Security Advisory FreeBSD-SA-19:02.fd

2019-02-05 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:02.fd                                         Security Advisory
                                                          The FreeBSD Project

Topic:  File description reference count leak

Category:   core
Module: unix
Announced:  2019-02-05
Credits:Peter Holm
Affects:FreeBSD 12.0
Corrected:  2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
CVE Name:   CVE-2019-5596

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

UNIX-domain sockets are used for inter-process communication.  It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.

II.  Problem Description

FreeBSD 12.0 attempts to handle the case where the receiving process does
not provide a sufficiently large buffer for an incoming control message
containing rights.  In particular, to avoid leaking the corresponding
descriptors into the receiving process' descriptor table, the kernel handles
the truncation case by closing descriptors referenced by the discarded
message.

The code which performs this operation failed to release a reference obtained
on the file corresponding to a received right.  This bug can be used to cause
the reference counter to wrap around and free the file structure.
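Added illustration, not part of the advisory or of FreeBSD's own code: the
receiving side of an SCM_RIGHTS exchange written in Python, showing the
truncation case the advisory describes from user space. The receiver sizes
its control buffer for exactly the number of descriptors it is prepared to
accept, checks MSG_CTRUNC after recvmsg(2), and closes whatever did arrive
when the message was cut short. The kernel-side reference leak itself is not
reproducible from user space; what a program can do is avoid relying on the
truncation path at all. The round trip was written and checked on Linux,
whose kernel, like FreeBSD 12.0, closes rights that did not fit in the
receiver's buffer.

```python
import array
import os
import socket

# Constructed example, not part of the FreeBSD advisory or of FreeBSD's
# kernel: a user-space receiver of SCM_RIGHTS messages that sizes its
# control buffer for the descriptors it is prepared to accept and treats
# MSG_CTRUNC as a hard error.  Written and checked on Linux, whose kernel,
# like FreeBSD 12.0, closes rights that did not fit in the receiver's buffer.

FD_SIZE = array.array("i").itemsize  # sizeof(int) on this platform


def send_fds(sock, fds, payload=b"x"):
    """Pass `fds` over a UNIX-domain socket in one SCM_RIGHTS control message."""
    return sock.sendmsg(
        [payload],
        [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", fds))],
    )


def recv_fds(sock, max_fds):
    """Receive at most `max_fds` descriptors; return (payload, fds, truncated).

    CMSG_LEN (not CMSG_SPACE) sizes the buffer for exactly `max_fds` ints, so
    the kernel cannot hand over more than we asked for.  If the peer sent
    more, the kernel sets MSG_CTRUNC and closes the surplus itself; we then
    close the ones we did get and report the truncation, so a half-delivered
    message never leaves stray descriptors in our table.
    """
    ancbufsize = socket.CMSG_LEN(max_fds * FD_SIZE)
    payload, ancdata, msg_flags, _ = sock.recvmsg(4096, ancbufsize)
    fds = array.array("i")
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Drop any partial int at the end of a truncated data block.
            fds.frombytes(data[: len(data) - (len(data) % FD_SIZE)])
    if msg_flags & socket.MSG_CTRUNC:
        for fd in fds:
            os.close(fd)
        return payload, [], True
    return payload, list(fds), False


def demo():
    """Constructed round trip over a socketpair: a well-sized receive of both
    ends of a pipe, then an over-sized send into a one-descriptor buffer."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    r, w = os.pipe()
    try:
        send_fds(a, [r, w], b"two")
        payload, got, truncated = recv_fds(b, max_fds=2)
        # The received descriptors alias the pipe: write one end, read the other.
        os.write(got[1], b"ok")
        echoed = os.read(got[0], 2)
        for fd in got:
            os.close(fd)

        send_fds(a, [r, w, r], b"three")
        payload2, got2, truncated2 = recv_fds(b, max_fds=1)
        return {
            "well_sized": (payload, len(got), truncated, echoed),
            "truncated": (payload2, len(got2), truncated2),
        }
    finally:
        os.close(r)
        os.close(w)
        a.close()
        b.close()


if __name__ == "__main__":
    print(demo())  # {'well_sized': (b'two', 2, False, b'ok'), 'truncated': (b'three', 0, True)}
```

The design point is that the receiver decides up front how many rights it
will accept and treats anything beyond that as a protocol error, so the
kernel's handling of discarded rights is never what keeps its descriptor
table clean.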

III. Impact

A local user can exploit the bug to gain root privileges or escape from
a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch.asc
# gpg --verify fd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r343785
releng/12.0/                                                      r343790
stable/11/                                                        r343786
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5596>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:02.fd.asc>
-----BEGIN PGP SIGNATURE-----



FreeBSD Security Advisory FreeBSD-SA-19:01.syscall

2019-02-05 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:01.syscall                                    Security Advisory
                                                          The FreeBSD Project

Topic:          System call kernel data register leak

Category:       core
Module:         kernel
Announced:      2019-02-05
Credits:        Konstantin Belousov
Affects:        All supported versions of FreeBSD.
Corrected:      2019-02-05 17:52:06 UTC (stable/12, 12.0-STABLE)
                2019-02-05 18:05:05 UTC (releng/12.0, 12.0-RELEASE-p3)
                2019-02-05 17:54:02 UTC (stable/11, 11.2-STABLE)
                2019-02-05 18:07:45 UTC (releng/11.2, 11.2-RELEASE-p9)
CVE Name:       CVE-2019-5595

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The FreeBSD/amd64 architecture defines the SYSCALL instruction for syscalls,
and uses a register calling convention for passing syscall arguments and
return values, in addition to the register usage imposed by the SYSCALL and
SYSRET instructions in long mode.  In particular, the arguments are passed in
the registers specified by the C ABI, and the content of the registers
specified as caller-save is undefined after the return from a syscall.

II.  Problem Description

The callee-save registers are used by the kernel, and for some of them (%r8,
%r10, and for non-PTI configurations, %r9) the content is not sanitized before
return from syscalls, potentially leaking sensitive information.

III. Impact

Typically an address of some kernel data structure used in the syscall
implementation is exposed.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10m "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch.asc
# gpg --verify syscall.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch.asc
# gpg --verify syscall.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r343781
releng/12.0/                                                      r343788
stable/11/                                                        r343782
releng/11.2/                                                      r343789
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5595>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:01.syscall.asc>
-----BEGIN PGP SIGNATURE-----


X41 D-Sec GmbH Security Advisory X41-2018-009: ReDoS Vulnerability in UA-Parser

2019-01-10 Thread X41 D-Sec GmbH Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-SEC GmbH Security Advisory: X41-2018-009

ReDoS Vulnerability in UA-Parser

Severity Rating: Medium
Confirmed Affected Versions: 2015-05-14 and newer, commit
6fd6c261274254bcbbacd77ef4b12534c7f9923d
Confirmed Patched Versions: v0.6.0 released 2018-12-14, commit
010ccdc7303546cd22b9da687c29f4a996990014
Vendor: UA-Parser Project
Vendor URL: https://github.com/ua-parser
Vector: HTTP request
Credit: X41 D-SEC GmbH, Luc Gommans
Status: Public
CVE: CVE-2018-20164
CVSSv3 Score: 5.3
CVSSv3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/

Summary and Impact
==================
The programming library UA-Parser uses regular expressions to identify
user agent strings. The complexity of some of the regular expressions
is such that an attacker can craft special patterns that keep the
server busy for a long time. By sending many requests in short order,
an attacker can exhaust the amount of processing power available. This
causes the website to become unavailable for legitimate visitors.

In common setups, the user agent string is parsed whenever a page is
visited. This means that anyone can abuse the bug, typically without
authentication. There are no common circumstances which would prevent
an attack from working reliably, i.e. an attacker can consistently and
repeatedly exploit the issue until the site has become unreachable.
For more information on regular expression-based denial of service,
see the OWASP page on ReDoS:

https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

The UA-Parser project consists of a core repository, uap-core, and
implementations in various languages. The regular expressions are
defined in the core project and each implementation is automatically
vulnerable.

Product Description
===================
When a user agent (such as a browser) connects to a website, it
identifies itself with a 'user agent string'. This string helps the
server determine relevant content, for example to serve the
appropriate installer for visitors with different operating systems.
The UA-Parser project collects regular expressions that extract the
type of device and operating system from these strings.
Implementations in different languages are automatically vulnerable,
including the reference implementation in JavaScript:
<https://github.com/ua-parser/uap-ref-impl>

Proof of Concept
================
There are multiple vulnerable regular expressions. They are collected
in the file regex.yaml, for example on lines 911 and 4961. The regular
expression on line 911 is as follows:

   (x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$

Any implementation using this library will hang for a few seconds (on
commodity hardware) when sending the following HTTP request:

GET / HTTP/1.0
User-Agent: x86_64 

Normal user agent strings can be over a hundred bytes long: this
string of 35 bytes is not an abnormal request. Adding one more byte
makes the processing significantly longer.
This particular regular expression was introduced in September 2018. The
regular expression on line 4961 was introduced in May 2015 and can be
exploited as follows:

GET / HTTP/1.0
User-Agent:
HbbTV/1.1.1CE-HTML/1.1;THOM;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;LF

Each additional repetition of SW-Version/1; will multiply the
processing time by roughly a factor 6.2. Where eleven repetitions take
about seven seconds, fourteen repetitions already occupy a server for
half an hour.

Workarounds
===========
As demonstrated, the input does not have to be particularly long to
exploit the issue. Limiting the maximum length may still be worthwhile,
as a few hundred kilobytes would slow down most regular expressions, but
it is not a solution by itself.
The root cause is the regular expression, which should be limited in
complexity. This involves manual work and there is no solution that
can be applied to all regular expressions in the project.

To aid in identifying problematic regular expressions, one may use
projects such as <https://github.com/jagracey/RegEx-DoS>.
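Added example, not part of the advisory or of the ua-parser project: a
Python lint for the nested-quantifier shape the quoted regex.yaml pattern
exhibits, next to a rewrite of that pattern which accepts exactly the same
strings without the backtracking blow-up. It serves both the proof of concept
above and this Workarounds section: `(\d+)+` and `\d+` denote the same
language, so the rewrite changes nothing about which user agents match, only
how many ways the engine has to fail. The sample user-agent strings, the
MAX_UA_LEN cap and the helper names are constructed for the example; the
length cap is defence in depth only, as the advisory says.

```python
import re

# Constructed example, not part of the X41 advisory or of the ua-parser
# project.  It shows two of the mitigations the advisory calls for: a lint
# that flags nested unbounded quantifiers in a pattern's source, and a
# rewrite of the quoted regex.yaml pattern that keeps its meaning while
# removing the backtracking blow-up.

# The pattern quoted in the advisory (regex.yaml line 911) and a rewrite that
# accepts exactly the same strings.  `(\d+)+` and `\d+` denote the same
# language; the nested form merely gives a backtracking engine exponentially
# many ways to re-split a digit run before it concludes there is no match.
VULNERABLE = r"(x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$"
HARDENED = r"(x86_64|aarch64)\ (\d+)\.(\d+)\.(\d+).*Chrome.*(?:CitrixChromeApp)$"

# Defence in depth only: the advisory is explicit that a length cap is not a
# fix by itself.  The value is an assumption, not taken from ua-parser.
MAX_UA_LEN = 512

# A group whose body ends in an unbounded quantifier and is itself repeated:
# `(...+)+`, `(...*)+`, `(...+)*`, `(...*)*`, also with a lazy `?` inside.
_NESTED = re.compile(r"\((?:[^()\\]|\\.)*[+*]\??\)[+*]")


def has_nested_quantifier(pattern):
    """Heuristic lint: does `pattern` repeat a group that is itself unbounded?"""
    return _NESTED.search(pattern) is not None


def lint_patterns(patterns):
    """Return the subset of `patterns` the heuristic flags for manual review."""
    return [p for p in patterns if has_nested_quantifier(p)]


def parse_citrix_chrome(user_agent):
    """Extract (arch, major, minor, patch) with the hardened pattern, or None."""
    if len(user_agent) > MAX_UA_LEN:
        return None
    m = re.search(HARDENED, user_agent)
    return m.groups() if m else None


def patterns_agree(samples):
    """True if VULNERABLE and HARDENED accept the same members of `samples`.

    Only feed this benign strings: on an input shaped like the advisory's
    proof of concept the VULNERABLE side is exactly the slow path.
    """
    return all(
        (re.search(VULNERABLE, s) is None) == (re.search(HARDENED, s) is None)
        for s in samples
    )


# Constructed user-agent strings: one the Citrix pattern is meant to match,
# one ordinary desktop browser, and one shaped like the advisory's 35-byte
# proof of concept (an arch token followed by digits with no dots), which
# the hardened pattern rejects after a linear scan.
SAMPLE_MATCH = "x86_64 76.0.3809 Chrome/76.0.3809.100 CitrixChromeApp"
SAMPLE_OTHER = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/76.0 Safari/537.36"
SAMPLE_POC_SHAPE = "x86_64 " + "1" * 28


if __name__ == "__main__":
    print(lint_patterns([VULNERABLE, HARDENED]))   # [VULNERABLE]
    print(parse_citrix_chrome(SAMPLE_MATCH))        # ('x86_64', '76', '0', '3809')
    print(parse_citrix_chrome(SAMPLE_POC_SHAPE))    # None
```

The lint is deliberately narrow: it only catches a repeated group whose body
ends in `+` or `*`, which is the shape of both patterns the advisory names,
and it is meant to shortlist candidates for the manual review the advisory
says cannot be avoided, not to replace it.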

Timeline
========
2018-11-26 Issue found.
2018-11-29 Permission from customer to disclose to upstream.
2018-11-29 Requested secure channel from vendor for communication.
2018-12-04 Disclosed to vendor.
2018-12-14 Patch released by vendor, CVE number requested.
2018-12-15 CVE-2018-20164 assigned.
2019-01-10 Advisory released.

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of ap

FreeBSD Security Advisory FreeBSD-SA-18:15.bootpd

2018-12-19 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:15.bootpd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          bootpd buffer overflow

Category:       core
Module:         bootpd
Announced:      2018-12-19
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-19 18:17:59 UTC (stable/12, 12.0-STABLE)
                2018-12-19 18:21:07 UTC (releng/12.0, 12.0-RELEASE-p1)
                2018-12-19 18:19:15 UTC (stable/11, 11.2-STABLE)
                2018-12-19 18:22:25 UTC (releng/11.2, 11.2-RELEASE-p7)
CVE Name:       CVE-2018-17161

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bootpd utility implements an Internet Bootstrap Protocol (BOOTP)
server as defined in RFC951, RFC1532, and RFC1533.

II.  Problem Description

Due to insufficient validation of network-provided data it may be possible
for a malicious attacker to craft a bootp packet which could cause a stack
buffer overflow.

III. Impact

It is possible that the buffer overflow could lead to a Denial of Service
or remote code execution.

IV.  Workaround

Firewall rules may be used to limit reception of bootp packets to only
trusted networks or hosts.  Note that the bootp protocol is typically
limited to a common layer 2 broadcast domain, although the bootpgw gateway
can forward bootp requests and responses between subnets.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart bootpd if it is running in standalone mode.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch.asc
# gpg --verify bootpd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r342228
releng/12.0/                                                      r342230
stable/11/                                                        r348229
releng/11.2/                                                      r342231
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17161>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:15.bootpd.asc>
-----BEGIN PGP SIGNATURE-----



WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0009

2018-12-13 Thread Michael Catanzaro


WebKitGTK+ and WPE WebKit Security Advisory                 WSA-2018-0009


Date reported           : December 13, 2018
Advisory ID             : WSA-2018-0009
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0009.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0009.html
CVE identifiers         : CVE-2018-4437, CVE-2018-4438, CVE-2018-4441,
                          CVE-2018-4442, CVE-2018-4443, CVE-2018-4464.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4437
   Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
   2.22.3.
   Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST
   Softsec Lab, Korea.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4438
   Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
   2.22.1.
   Credit to lokihardt of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A logic issue existed resulting in memory
   corruption. This was addressed with improved state management.

CVE-2018-4441
   Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
   2.22.1.
   Credit to lokihardt of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4442
   Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
   2.22.1.
   Credit to lokihardt of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4443
   Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
   2.22.1.
   Credit to lokihardt of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4464
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST
   Softsec Lab, Korea.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.


We recommend updating to the latest stable versions of WebKitGTK+ and
WPE WebKit. It is the best way to ensure that you are running safe
versions of WebKit. Please check our websites for information about the
latest stable releases.

Further information about WebKitGTK+ and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK+ and WPE WebKit team,
December 13, 2018



FreeBSD Security Advisory FreeBSD-SA-18:14.bhyve

2018-12-04 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:14.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient bounds checking in bhyve(8) device model

Category:       core
Module:         bhyve
Announced:      2018-12-04
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
                2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
CVE Name:       CVE-2018-17160

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bhyve hypervisor uses the bhyve(8) program to emulate support for most
virtual devices used by guest operating systems.

II.  Problem Description

Insufficient bounds checking in one of the device models provided by bhyve(8)
can permit a guest operating system to overwrite memory in the bhyve(8)
process, possibly permitting arbitrary code execution.

III. Impact

A guest OS using a firmware image can cause the bhyve process to crash, or
possibly execute arbitrary code on the host as root.

IV.  Workaround

The device model in question is only enabled when booting guests with a
firmware image such as the UEFI images from the bhyve-firmware package.
Guests booted using bhyveload(8) or grub2-bhyve are not affected.  Guests
using operating systems supported by bhyveload(8) or grub2-bhyve can be
booted using these tools as a workaround.

No workaround is available for guest operating systems such as Windows that
require a firmware image.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, restart guests using firmware images.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Afterward, restart guests using firmware images.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r341486
releng/11.2/                                                      r341488
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>
-----BEGIN PGP SIGNATURE-----



FreeBSD Security Advisory FreeBSD-SA-18:13.nfs

2018-11-27 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:13.nfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in NFS server code

Category:       core
Module:         nfs
Announced:      2018-11-27
Credits:        Jakub Jirasek, Secunia Research at Flexera
Affects:        All supported versions of FreeBSD.
Corrected:      2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
                2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
CVE Name:       CVE-2018-17157, CVE-2018-17158, CVE-2018-17159

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of its file
systems so that other hosts can access them over the network and mount them
as if they were local.  FreeBSD includes both server and client
implementations of NFS.

II.  Problem Description

Insufficient and improper checking in the NFS server code could cause a
denial of service or possibly remote code execution via a specially crafted
network packet.

III. Impact

A remote attacker could cause the NFS server to crash, resulting in a denial
of service, or possibly execute arbitrary code on the server. 

IV.  Workaround

No workaround is available, but systems that do not provide NFS services are
not vulnerable.

Additionally, it is highly recommended that the NFS service port (default
port number 2049) be protected by a host- or network-based firewall to
prevent arbitrary, untrusted clients from connecting.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
# gpg --verify nfs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r340854
releng/11.2/                                                      r341088
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc>
-----BEGIN PGP SIGNATURE-----



WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0008

2018-11-21 Thread Michael Catanzaro


WebKitGTK+ and WPE WebKit Security Advisory                 WSA-2018-0008


Date reported           : November 21, 2018
Advisory ID             : WSA-2018-0008
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0008.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0008.html
CVE identifiers         : CVE-2018-4345, CVE-2018-4372, CVE-2018-4373,
                          CVE-2018-4375, CVE-2018-4376, CVE-2018-4378,
                          CVE-2018-4382, CVE-2018-4386, CVE-2018-4392,
                          CVE-2018-4416.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4345
   Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
   2.22.1.
   Credit to an anonymous researcher.
   A cross-site scripting issue existed in WebKit. This issue was
   addressed with improved URL validation.

CVE-2018-4372
   Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before
   2.22.2.
   Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST
   Softsec Lab, Korea.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4373
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to ngg, alippai, DirtYiCE, KT of Tresorit working with Trend
   Micro’s Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4375
   Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
   2.22.0.
   Credit to Yu Haiwan and Wu Hongjun From Nanyang Technological
   University working with Trend Micro's Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4376
   Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
   2.22.0.
   Credit to 010 working with Trend Micro's Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4378
   Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
   2.22.0.
   Credit to an anonymous researcher, zhunki of 360 ESG Codesafe Team.
   Processing maliciously crafted web content may lead to code
   execution. A memory corruption issue was addressed with improved
   validation.

CVE-2018-4382
   Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
   2.22.0.
   Credit to lokihardt of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4386
   Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before
   2.22.1.
   Credit to lokihardt of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4392
   Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
   2.22.0.
   Credit to zhunki of 360 ESG Codesafe Team.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4416
   Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before
   2.22.0.
   Credit to lokihardt of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.


We recommend updating to the latest stable versions of WebKitGTK+ and
WPE WebKit. It is the best way to ensure that you are running safe
versions of WebKit. Please check our websites for information about the
latest stable releases.

Further information about WebKitGTK+ and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK+ and WPE WebKit team,
November 21, 2018



October 2018 Sourcetree Advisory

2018-10-31 Thread Anton Black
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This email refers to the advisory found at:
https://confluence.atlassian.com/display/SOURCETREEKB/Sourcetree+Security+Advisory+2018-10-31


CVE ID:

* CVE-2018-13396.
* CVE-2018-13397.


Product: Sourcetree.

Affected Sourcetree product versions:

1.0b2 <= version < 3.0.0
0.5.1.0 <= version < 3.0.0


Fixed Sourcetree product versions:

* for macOS, Sourcetree 3.0.0 has been released with a fix for these issues.
* for Windows, Sourcetree 3.0.0 has been released with a fix for these issues.


Summary:
This advisory discloses critical severity security vulnerabilities. Versions of
Sourcetree are affected by these vulnerabilities.



Customers who have upgraded Sourcetree to version 3.0.0 (Sourcetree for macOS)
or 3.0.0 (Sourcetree for Windows) are not affected.

Customers who have downloaded and installed Sourcetree >= 1.0b2 but less than
3.0.0 (the fixed version for macOS) or who have downloaded and installed
Sourcetree >= 0.5.1.0 but less than 3.0.0 (the fixed version for Windows),
please upgrade your Sourcetree installations immediately to fix these
vulnerabilities.



Sourcetree for macOS - Git submodules vulnerability (CVE-2018-13396)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

The embedded version of Git used in Sourcetree for macOS was vulnerable to
CVE-2018-13396. An attacker can exploit this issue if they can commit to a Git
repository linked in Sourcetree for macOS. This allows them to execute arbitrary
code on systems running a vulnerable version of Sourcetree for macOS.
Versions of Sourcetree for macOS starting with version 1.02b before version
3.0.0 are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/SRCTREE-5985 .

Sourcetree for Windows - Git submodules vulnerability (CVE-2018-13397)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

The embedded version of Git used in Sourcetree for Windows was vulnerable to
CVE-2018-13397. An attacker can exploit this issue if they can commit to a Git
repository linked in Sourcetree for Windows. This allows them to execute
arbitrary code on systems running a vulnerable version of Sourcetree for
Windows.
Versions of Sourcetree for Windows starting with version 0.5.1.0 before version
3.0.0 are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/SRCTREEWIN-9077 .



Fix:

To address these issues, we've released the following versions containing a
fix:

* Sourcetree version 3.0.0 (Sourcetree for macOS)
* Sourcetree version 3.0.0 (Sourcetree for Windows)

Remediation:

Upgrade Sourcetree to version 3.0.0 (macOS or Windows) or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.


For a full description of the latest version of Sourcetree, see the release
notes found at
https://product-downloads.atlassian.com/software/sourcetree/ReleaseNotes/Sourcetree_3.0.html .
You can download the latest version of Sourcetree from the download centre
found at https://www.sourcetreeapp.com/ .

Acknowledgements:
Atlassian would like to credit Terry Zhang at Tophant for reporting these issues
to us.





e2 Security GmbH Advisory 2018-01: MensaMax Android app / Unencrypted transmission and usage of hardcoded encryption key

2018-10-01 Thread Stefan Pietsch

########## e2 Security GmbH Advisory 2018-01 ##########
#######################################################


Unencrypted transmission and usage of hardcoded encryption key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Overview
########

Advisory ID: E2SA-2018-01
Advisory Version: 1.0
Advisory Status: Public
Advisory URL: https://advisories.e2security.de/2018/E2SA-2018-01.txt
Affected Product: MensaMax Android app
Affected Version: 4.3
Vendor: Breustedt GmbH, https://mensamax.de
Credits: Stefan Pietsch, e2 Security GmbH


Issue Details
#############

1) The MensaMax Android application uses plain HTTP to communicate with the web
server. Authentication information is transmitted in plain text in an HTTP GET
request. An attacker is able to eavesdrop on the communication between the
application and the server because the transport layer is not encrypted.

Severity: High
CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
CVE ID: CVE-2018-15752
CWE ID: CWE-319


2) The MensaMax Android application encrypts the login username and password
with a static DES key. The key is hardcoded in the Android application file. An
attacker is able to retrieve the encryption key from the apk file and decrypt
the login credentials retrieved from the unencrypted HTTP transmission.

Severity: High
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE ID: CVE-2018-15753
CWE ID: CWE-321


PoC (Proof of Concept)
######################

Sample HTTP request with invalid credentials:

~~~
GET /MM_Android/Service1.svc/getURLVonProjekt/GtBWTDhwry4=,s7eTGwGP_h0=,N9NkXQvJkIQ=,iDZZxd4IXZ0=,A3smkmlKRzw=,mensahome HTTP/1.1
Host: mensahome.de
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
~~~

The GET parameters are Base64 encoded and encrypted with a static DES key.

~~~
# echo "N9NkXQvJkIQ=" | openssl enc -a -des-ecb -d -K 436f65653130
user1
~~~


Solution and Workaround
#######################

Do not use the MensaMax Android app until a fixed version is released.


History
#######

2018-08-10: Issue found
2018-08-13: Initial Vendor contact, Issue details reported to Vendor
2018-08-15: Vendor acknowledged vulnerabilities
2018-08-23: CVE IDs added
2018-10-01: Advisory published


WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0007

2018-10-01 Thread Michael Catanzaro

-------------------------------------------------------------------------
WebKitGTK+ and WPE WebKit Security Advisory                 WSA-2018-0007


Date reported   : September 26, 2018
Advisory ID : WSA-2018-0007
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0007.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0007.html

CVE identifiers : CVE-2018-4207, CVE-2018-4208, CVE-2018-4209,
 CVE-2018-4210, CVE-2018-4212, CVE-2018-4213,
 CVE-2018-4191, CVE-2018-4197, CVE-2018-4299,
 CVE-2018-4306, CVE-2018-4309, CVE-2018-4311,
 CVE-2018-4312, CVE-2018-4314, CVE-2018-4315,
 CVE-2018-4316, CVE-2018-4317, CVE-2018-4318,
 CVE-2018-4319, CVE-2018-4323, CVE-2018-4328,
 CVE-2018-4358, CVE-2018-4359, CVE-2018-4361.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4207
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Google OSS-Fuzz.
   Unexpected interaction causes an ASSERT failure. This issue was
   addressed with improved checks.

CVE-2018-4208
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Google OSS-Fuzz.
   Unexpected interaction causes an ASSERT failure. This issue was
   addressed with improved checks.

CVE-2018-4209
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Google OSS-Fuzz.
   Unexpected interaction causes an ASSERT failure. This issue was
   addressed with improved checks.

CVE-2018-4210
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Google OSS-Fuzz.
   Unexpected interaction with indexing types caused a failure. An
   array indexing issue existed in the handling of a function in
   JavaScriptCore. This issue was addressed with improved checks.

CVE-2018-4212
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Google OSS-Fuzz.
   Unexpected interaction causes an ASSERT failure. This issue was
   addressed with improved checks.

CVE-2018-4213
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Google OSS-Fuzz.
   Unexpected interaction causes an ASSERT failure. This issue was
   addressed with improved checks.

CVE-2018-4191
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Google OSS-Fuzz.
   Unexpected interaction causes an ASSERT failure. A memory corruption
   issue was addressed with improved validation.

CVE-2018-4197
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Ivan Fratric of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A use after free issue was addressed with improved
   memory management.

CVE-2018-4299
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Samuel Groß (saelo) working with Trend Micro's Zero Day
   Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. Multiple memory corruption issues were addressed
   with improved memory handling.

CVE-2018-4306
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Ivan Fratric of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A use after free issue was addressed with improved
   memory management.

CVE-2018-4309
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to an anonymous researcher working with Trend Micro's Zero
   Day Initiative.
   A malicious website may be able to execute scripts in the context of
   another website. A cross-site scripting issue existed in WebKit.
   This issue was addressed with improved URL validation.

CVE-2018-4311
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Erling Alf Ellingsen (@steike).
   Cross-origin SecurityErrors include the accessed frame's origin.
   The issue was addressed by removing origin information.

CVE-2018-4312
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Ivan Fratric of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A use after free issue was addressed with improved
   memory management.

CVE-2018-4314
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Ivan Fratric of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A use after free issue was addressed with improved
   memory management.

CVE-2018-4315
   Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
   Credit to Ivan Fratric of Google Project Zero.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A use after free issue was addressed with improved
   memory management.

CVE

X41 D-Sec GmbH Security Advisory X41-2018-007: Multiple Vulnerabilities in mgetty

2018-09-19 Thread X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory: X41-2018-007

Multiple Vulnerabilities in mgetty
==================================


Overview
--------
Confirmed Affected Versions: 1.2.0
Patched Versions: 1.2.1
Vendor: mgetty
Vendor URL: http://mgetty.greenie.net
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty


Summary and Impact
------------------
Multiple issues have been identified in the mgetty fax software. These
might be used by local users to elevate their privileges.
X41 did not perform a full test or audit on the software.


Product Description
-------------------
From the vendor: For those of you that do not know mgetty+sendfax yet:
it's a reliable and proven fax send and receive solution for unix and
Linux. But it can do much more... so read the docs and be surprised.

Shell injection via faxq-helper
===============================
Severity Rating: Medium
Vector: Fax Job
CVE: CVE-2018-16741
CWE: 78
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
In fax/faxq-helper.c function do_activate(), not all characters are
properly sanitized to prevent command injection. It is possible to use
||, && or > to change the control flow.

{% highlight c %}
/* replace all quote characters, backslash and ';' by '_' */
for( q = buf; *q != '\0'; q++ )
{
    if ( *q == '\'' || *q == '"' || *q == '`' ||
         *q == '\\' || *q == ';' )
    { *q = '_'; }   /* nothing is done about |, & or > */
}
{% endhighlight %}

A job file containing malicious input can be constructed using
faxq-helper activate. Once faxrunq is started, the code is
executed as the user running the command.

{% highlight bash %}
/* replace all quote characters, backslash and ';' by '' */
#   "   '\$   ;
command=tr -d '\042\047\140\134\044\073'  (pwd ? 0 : 1))
badlogin(tbuf);
failures = 0;
}
(void)strcpy(tbuf, username);
{% endhighlight %}
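As an added example (not mgetty's code and not part of the advisory), the blacklist loop quoted above is placed beside an allowlist check so that the gap the advisory describes can be exercised directly; the function names, the allowed character set and the sample job-field values are constructed for this illustration.

```c
/* Added example (not mgetty code): blacklist filter from the advisory next
 * to an allowlist check. Allowed character set and samples are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the faxq-helper loop quoted above: only ' " ` \ and ; are
 * neutralised; every other byte reaches the shell untouched. */
void blacklist_sanitize(char *buf)
{
    for (char *q = buf; *q != '\0'; q++) {
        if (*q == '\'' || *q == '"' || *q == '`' ||
            *q == '\\' || *q == ';')
            *q = '_';
    }
}

/* Hardened variant: accept only characters a job field legitimately needs
 * (constructed allowlist: alphanumerics and . - _ @ /) and reject anything
 * else outright, instead of enumerating the characters believed to be bad. */
bool allowlist_ok(const char *s)
{
    if (*s == '\0' || strlen(s) > 255)      /* empty or oversized field */
        return false;
    for (const char *q = s; *q != '\0'; q++) {
        unsigned char c = (unsigned char)*q;
        if (!(isalnum(c) || strchr("._-@/", c)))
            return false;
    }
    return true;
}

/* True when, after blacklist_sanitize(), the value still carries one of the
 * control-flow operators the advisory names: ||, && or >. */
bool blacklist_leaves_operator(const char *input)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", input);
    blacklist_sanitize(buf);
    return strstr(buf, "||") || strstr(buf, "&&") || strchr(buf, '>');
}

int main(void)
{
    /* Constructed job-field values: one benign, one the filter handles,
     * three using the operators the filter does not cover. */
    const char *samples[] = { "job42.ps", "a;b", "a || b", "a && b", "a > b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-10s operator survives blacklist: %d  allowlist accepts: %d\n",
               samples[i], blacklist_leaves_operator(samples[i]),
               allowlist_ok(samples[i]));
    }
    return 0;
}
```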


Stack Based Buffer Overflow With Long Argument in contrib/scrts.c
=================================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16742
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
In file contrib/scrts.c a stack buffer overflow can be triggered via a
command line parameter.

{% highlight c %}
int main( int argc, char ** argv )
{
int i, fd;
struct termios tio;
char device[1000];

for ( i=1; i/dev/null 2>&1", MAILER, mailto );
pipefp = popen( buf, "w" );
{% endhighlight %}


Endless loop in g3/g32pbm.c
===========================
When converting g32 files using g3/g32pbm.c, an endless loop can be
triggered by a malformed input file. An example can be found at
files/g32pmbinfiniteloop.

Out Of Bounds Access in g3/pbm2g3.c
===================================
When converting pbm files using g3/pbm2g3.c, out of bounds accesses
can occur with malformed input files in putwhitespan(). An example can
be found with files/pbm2g2oobaccess.

{% highlight c %}
 putcode( twhite[l].bitcode, twhite[l].bitlength );
{% endhighlight %}


Workaround
----------
None.


Timeline
--------
2018-06-07 Issues found
2018-08-27 Issue reported to vendor
2018-08-28 Vendor reply
2018-09-08 Vendor sends patches
2018-09-08 CVE IDs requested
2018-09-09 CVE IDs assigned
2018-09-11 Patched Version released
2018-09-11 Advisory released

About X41 D-SEC GmbH

X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and IT security consulting and support services are
core competencies of X41.

-- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier



X41 D-Sec GmbH Security Advisory X41-2018-008: Multiple Vulnerabilities in HylaFAX

2018-09-19 Thread X41 D-Sec GmbH Advisories
X41 D-SEC GmbH Security Advisory: X41-2018-008

Multiple Vulnerabilities in HylaFAX
===


Overview
--------
Confirmed Affected Versions: HylaFAX 6.0.6, HylaFAX+ 5.6.0
Confirmed Patched Versions: HylaFAX 6.0.7, HylaFAX+ 5.6.1
Vendor: Hylafax, Hylafax+
Vendor URL: https://www.hylafax.org/, http://hylafax.sourceforge.net/
Credit: X41 D-SEC GmbH, Luis Merino, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-008-Hylafax/


Summary and Impact
------------------
Severity Rating: Critical
Vector: Incoming fax call
CVE: CVE-2018-17141
CWE: 122, 457
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Multiple bugs were found in the code handling fax page reception in JPEG
format that allow arbitrary writes to an uninitialized pointer by remote
parties dialing in. When processing a specially crafted input, the issue
could lead to remote code execution.
Although JPEG reception is not announced as an available capability
by HylaFAX and is explicitly disabled during capabilities announcement,
there is code for JPEG support in HylaFAX that can be reached by a remote
party when setting certain flags during session negotiation.
X41 did not perform a full test or audit on the software.


Product Description
-------------------
HylaFAX is an open-source system for sending and receiving faxes using
one or multiple fax modems.

Analysis
--------
X41 discovered several vulnerabilities in HylaFAX that are exploitable
by local or remote attackers.


Uninitialized pointer write in FaxModem::writeECMData()
-------------------------------------------------------
In CopyQuality.c++:990 recvRow is initialized only when params.jp is
exactly JP_GREY or JP_COLOR and also params.df is exactly zero.

{% highlight c %}
uint dataform = params.df + (params.jp ? params.jp + 4 : 0);
//...
switch (dataform) {
//...
    case JPGREY+4:
    case JPCOLOR+4:
        /* only reached when params.df == 0 */
        recvEOLCount = 0;
        recvRow = (uchar*) malloc(1024*1000); // 1M should do it?
{% endhighlight %}
However, later in the same function recvRow is used as a target for
memcpy() when params.jp is JP_GREY or JP_COLOR, irrespective of
params.df.  Consequently, if a sender crafts a DCS signal that leads to
params.df being non-zero while params.jp is JP_GREY or JP_COLOR, then
recvRow will be uninitialized when it is used as a target for memcpy().
{% highlight c %}
if (params.jp != JPGREY && params.jp != JPCOLOR) {
    flushRawData(tif, 0, (const u_char*) buf, cc);
} else {
    /* reached for any JP_GREY/JP_COLOR value of params.jp, whatever params.df is */
    memcpy(recvRow, (const char*) buf, cc);
    recvRow += cc;
}
{% endhighlight %}


Out of bounds write in FaxModem::writeECMData()
-----------------------------------------------
The same piece of code for memcpy at CopyQuality.c++:1045 can be
abused to perform an out of bounds write to recvRow, as there is no
bounds check before writing to and incrementing recvRow. This can
lead to remote code execution when an attacker sends a specially
crafted input.
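As an added illustration covering both the uninitialized-pointer and the out-of-bounds write findings above (example code, not HylaFAX's): a small model of the allocation and copy conditions the advisory describes, with a checked copy that refuses both failure modes. The JP_* values, the two structs, RECV_ROW_CAP and all function names are assumptions of this model, not HylaFAX identifiers.

```c
/* Added model of the advisory's recvRow handling (not HylaFAX code).
 * Assumed: the JP_* encoding, RECV_ROW_CAP and the two structs below. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { JP_NONE = 0, JP_GREY = 1, JP_COLOR = 2 };   /* assumed encoding */
#define RECV_ROW_CAP (1024 * 1000)   /* the "1M" allocation in the quoted code */

typedef struct {
    unsigned df;   /* data format negotiated in the DCS signal */
    unsigned jp;   /* JPEG mode negotiated in the DCS signal */
} params_t;

typedef struct {
    unsigned char *base;   /* start of the recvRow buffer, NULL if never allocated */
    size_t used;           /* bytes already written, i.e. recvRow - base */
} recv_state_t;

/* Allocation condition from the quoted switch: dataform must equal
 * JPGREY+4 or JPCOLOR+4, which only happens when df == 0. */
bool recv_row_allocated(const params_t *p)
{
    unsigned dataform = p->df + (p->jp ? p->jp + 4 : 0);
    return dataform == JP_GREY + 4 || dataform == JP_COLOR + 4;
}

/* Use condition from the quoted memcpy: any grey/colour jp, df is ignored. */
bool memcpy_path_taken(const params_t *p)
{
    return p->jp == JP_GREY || p->jp == JP_COLOR;
}

/* The mismatch the advisory describes: copy reached, buffer never set up. */
bool uninitialized_write_possible(const params_t *p)
{
    return memcpy_path_taken(p) && !recv_row_allocated(p);
}

void recv_state_init(recv_state_t *st, const params_t *p)
{
    st->base = recv_row_allocated(p) ? malloc(RECV_ROW_CAP) : NULL;
    st->used = 0;
}

/* Checked replacement for "memcpy(recvRow, buf, cc); recvRow += cc;":
 * rejects a missing buffer (first finding) and a chunk that would run past
 * the allocation (second finding) instead of writing. */
bool append_row_data_checked(recv_state_t *st, const unsigned char *buf, size_t cc)
{
    if (st->base == NULL)
        return false;                       /* recvRow was never allocated */
    if (cc > RECV_ROW_CAP - st->used)
        return false;                       /* would overflow the 1M buffer */
    memcpy(st->base + st->used, buf, cc);
    st->used += cc;
    return true;
}

int main(void)
{
    /* Walk the (df, jp) combinations a DCS signal can select and report
     * which ones reach the copy without an allocated buffer. */
    for (unsigned df = 0; df < 2; df++) {
        for (unsigned jp = JP_NONE; jp <= JP_COLOR; jp++) {
            params_t p = { df, jp };
            printf("df=%u jp=%u allocated=%d copy=%d uninitialized-write=%d\n",
                   df, jp, recv_row_allocated(&p), memcpy_path_taken(&p),
                   uninitialized_write_possible(&p));
        }
    }
    return 0;
}
```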


Out of bounds write in FaxModem::recvPageDLEData()
--------------------------------------------------
CopyQuality.c++:446 presents another unbounded memcpy that can be
abused to perform an out of bounds write to recvRow.

{% highlight c %}
if (n >= RCVBUFSIZ)
    flushRawData(tif, 0, (const u_char*) raw, n);
else {
    /* n is only compared against RCVBUFSIZ, never against the space left in recvRow */
    memcpy(recvRow, (const char*) raw, n);
    recvRow += n;
}
{% endhighlight %}

The code doesn't seem to be reachable, as the JPEG flag forces ECM
reception.


Workaround
----------
None.

Timeline
--------
2018-06-07 Issues found
2018-08-24 Issue reported to vendor
2018-09-02 Vendor sends patches
2018-09-17 CVE ID assigned
2018-09-18 Patches released
2018-09-19 Advisory released

External links
==============
See https://www.x41-dsec.de/lab/blog/fax/ for a blog post related to this
advisory.

About X41 D-SEC GmbH

X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and IT security consulting and support services are
core competencies of X41.

-- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier




FreeBSD Security Advisory FreeBSD-SA-18:12.elf

2018-09-12 Thread FreeBSD Security Advisories

=============================================================================
FreeBSD-SA-18:12.elf                                        Security Advisory
                                                          The FreeBSD Project

Topic:  Improper ELF header parsing

Category:   core
Module: kernel
Announced:  2018-09-12
Credits:        Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
Affects:All supported versions of FreeBSD.
Corrected:  2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
CVE Name:   CVE-2018-6924

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

To execute a binary the kernel must parse the ELF header to determine the
entry point address, the program interpreter, and other parameters.

II.  Problem Description

Insufficient validation was performed in the ELF header parser, and malformed
or otherwise invalid ELF binaries were not rejected as they should be.

III. Impact

Execution of a malicious ELF binary may result in a kernel crash or may
disclose kernel memory.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
# gpg --verify elf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r338605
releng/10.4/                                                      r338606
stable/11/                                                        r338604
releng/11.1/                                                      r338606
releng/11.2/                                                      r338606
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc>


FreeBSD Security Advisory FreeBSD-SA-18:11.hostapd

2018-08-14 Thread FreeBSD Security Advisories

=============================================================================
FreeBSD-SA-18:11.hostapd                                    Security Advisory
                                                          The FreeBSD Project

Topic:  Unauthenticated EAPOL-Key Decryption Vulnerability

Category:   contrib
Module: wpa
Announced:  2018-08-14
Credits:        Mathy Vanhoef of the imec-DistriNet research group of
                KU Leuven
Affects:All supported versions of FreeBSD.
Corrected:  2018-08-15 05:03:54 UTC (stable/11, 11.1-STABLE)
2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
2018-08-15 05:05:02 UTC (stable/10, 10.4-STABLE)
2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:   CVE-2018-14526

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The wpa_supplicant(8) utility is a client (supplicant) with support for WPA
and WPA2 (IEEE 802.11i / RSN).  It is suitable for both desktop and laptop
computers as well as embedded systems.  Supplicant is the IEEE 802.1X/WPA
component that is used in the client stations.  It implements key negotiation
with a WPA Authenticator and it controls the roaming and IEEE 802.11
authentication/association of the wlan(4) driver.

The wpa_supplicant(8) utility is designed to be a "daemon" program that runs
in the background and acts as the backend component controlling the wireless
connection.  The wpa_supplicant(8) utility supports separate frontend programs
and a text-based frontend (wpa_cli(8)) and a GUI (wpa_gui) are included with
wpa_supplicant(8).

II.  Problem Description

When using WPA2, for EAPOL-Key frames with the Encrypted flag set but without
the MIC flag set, the data field was decrypted without first verifying the MIC.
When the data field was encrypted using RC4, for example, when negotiating TKIP
as a pairwise cipher, the unauthenticated but decrypted data was subsequently
processed.  This opened wpa_supplicant(8) to abuse by decryption and recovery
of sensitive information contained in EAPOL-Key messages.

See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
for a detailed description of the bug.

III. Impact

All users of the WPA2 TKIP pairwise cipher are vulnerable to disclosure of
information such as the group key.

IV.  Workaround

Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks in
wpa_supplicant.conf(5) by changing 'pairwise=CCMP TKIP' to 'pairwise=CCMP'.

This can also be mitigated by removing TKIP as a cipher on the AP.

Systems and users who do not use WPA2 TKIP are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch.asc
# gpg --verify hostapd.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch.asc
# gpg --verify hostapd-10.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r337832
releng/10.4/                                                      r337829
stable/11/                                                        r337831
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
-------------------------------------------------------------------------

FreeBSD Security Advisory FreeBSD-SA-18:10.ip

2018-08-14 Thread FreeBSD Security Advisories

=============================================================================
FreeBSD-SA-18:10.ip                                         Security Advisory
                                                          The FreeBSD Project

Topic:  Resource exhaustion in IP fragment reassembly

Category:   core
Module: inet
Announced:  2018-08-14
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking, and Nokia Bell Labs
Affects:All supported versions of FreeBSD.
Corrected:  2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:   CVE-2018-6923

Special note:   Due to source code differences in FreeBSD 10-stable a patch
is not yet available for FreeBSD 10.4.  This will follow at
a later date.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of
packets which are too big to traverse all the links between two end
stations. Any router along the path between two end hosts may fragment
packets which are larger than a link's maximum transmission unit
(MTU). FreeBSD's implementation of some IPv4 protocols (such as the
Transmission Control Protocol [TCP]) perform path MTU discovery to
avoid the need for fragmentation.

IP version 6 (IPv6) retains the concept of packet fragmentation. It
changed the fragmentation operation to require that the originating
end-system perform path MTU discovery and fragment packets which are
too large for any MTU along the path between two end systems.

While all hosts attached to the Internet are required to support
fragmentation and reassembly, many hosts will encounter very few
legitimate fragmented packets due to the operation of path MTU discovery.

II.  Problem Description

A researcher has notified us of a DoS attack applicable to another
operating system. While FreeBSD may not be vulnerable to that exact
attack, we have identified several places where inadequate DoS protection
could allow an attacker to consume system resources.

It is not necessary that the attacker be able to establish two-way
communication to carry out these attacks. These attacks impact both
IPv4 and IPv6 fragment reassembly.

III. Impact

In the worst case, an attacker could send a stream of crafted
fragments with a low packet rate which would consume a substantial
amount of CPU.

Other attack vectors allow an attacker to send a stream of crafted
fragments which could consume a large amount of CPU or all available
mbuf clusters on the system.

These attacks could temporarily render a system unreachable through
network interfaces or temporarily render a system unresponsive. The
effects of the attack should clear within 60 seconds after the attack stops.

IV.  Workaround

Disable fragment reassembly, using these commands:
 % sysctl net.inet.ip.maxfragpackets=0
 % sysctl net.inet6.ip6.maxfrags=0

On systems compiled with VIMAGE, these sysctls will need to be
executed for each VNET.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release or
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
# gpg --verify ip.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- 

FreeBSD Security Advisory FreeBSD-SA-18:09.l1tf

2018-08-14 Thread FreeBSD Security Advisories

=============================================================================
FreeBSD-SA-18:09.l1tf                                       Security Advisory
                                                          The FreeBSD Project

Topic:  L1 Terminal Fault (L1TF) Kernel Information Disclosure

Category:   core
Module: Kernel
Announced:  2018-08-14
Affects:All supported versions of FreeBSD.
Corrected:  2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE)
2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:   CVE-2018-3620, CVE-2018-3646

Special Note:   Speculative execution vulnerability mitigation remains a work
in progress.  This advisory addresses the issue in FreeBSD
11.1 and later.  We expect to update this advisory to include
10.4 at a later time.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

When a program accesses data in memory via a logical address it is translated
to a physical address in RAM by the CPU.  Accessing an unmapped logical
address results in what is known as a terminal fault.

II.  Problem Description

On certain Intel 64-bit x86 systems there is a period of time during terminal
fault handling where the CPU may use speculative execution to try to load
data.  The CPU may speculatively access the level 1 data cache (L1D).  Data
which would otherwise be protected may then be determined by using side
channel methods.

This issue affects bhyve on FreeBSD/amd64 systems.

III. Impact

An attacker executing user code, or kernel code inside of a virtual machine,
may be able to read secret data from the kernel or from another virtual
machine.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc
# gpg --verify l1tf-11.2.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc
# gpg --verify l1tf-11.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

CVE-2018-3620 (L1 Terminal Fault-OS)
- 
FreeBSD reserves the memory page at physical address 0, so it will not
contain secret data.  FreeBSD zeros the paging data structures for unmapped
addresses, so that speculatively executed L1 Terminal Faults will access only
the reserved, unused page.

CVE-2018-3646 (L1 Terminal Fault-VMM)
- -
Patched systems flush the L1 data cache prior to guest entry, so that there
is no secret data in cache for a terminal fault (from the guest) to
access.

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/11/                                                          r337794
releng/11.1/                                                        r337828
releng/11.2/                                                        r337828
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

More information on L1 Terminal Fault is available at:

htt

FreeBSD Security Advisory FreeBSD-SA-18:08.tcp

2018-08-14 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:08.tcpSecurity Advisory
  The FreeBSD Project

Topic:  Resource exhaustion in TCP reassembly 

Category:   core
Module: inet
Announced:  2018-08-06
Credits:Juha-Matti Tilli  from
Aalto University, Department of Communications and Networking
and Nokia Bell Labs
Affects:All supported versions of FreeBSD.
Corrected:  2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:   CVE-2018-6922

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.


0.   Revision history

v1.0   2018-08-06  Initial release.
v1.1   2018-08-14  Fixed documentation date in manual pages.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

To transmit a stream of data, TCP breaks the data stream into segments
for transmission through the Internet, and reassembles the segments at
the receiving side to recreate the data stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on
segment processing to grow linearly with the number of segments in the
reassembly queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system
can degrade the victim system's network performance and/or consume
excessive CPU by exploiting the inefficiency of TCP reassembly
handling, with relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems
to only accept TCP connections from trusted end-stations, if it is
possible to do so.

For systems which must accept TCP connections from untrusted
end-stations, the workaround is to limit the size of each reassembly
queue. The capability to do that is added by the patches noted in the
"Solution" section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size
of each TCP connection's reassembly queue. The value is controlled by
a sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum
number of TCP segments that can be outstanding on a session's
reassembly queue. This value defaults to 100.

Note that setting this value too low could impact the throughput of
TCP connections which experience significant loss or
reordering. However, the higher this number is set, the more resources
can be consumed on TCP reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

[*** v1.1 NOTE ***] Patchsets are provided for completeness; they have
little impact on runtime behavior.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc
# gpg --verify tcp-man-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc
# gpg --verify tcp-man-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.h

X41 D-Sec GmbH Security Advisory X41-2018-004: Multiple Vulnerabilities in Yubico libykneomgr

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-004

Multiple Vulnerabilities in Yubico libykneomgr
==


Overview
- 
Confirmed Affected Versions: 0.1.9
Confirmed Patched Versions: -
Vendor: Yubico / Deprecated
Vendor URL: https://www.yubico.com/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/


Summary and Impact
- --
An out of bounds write and read was discovered when malicious
responses from a smartcard are received. These might lead to memory
corruptions. We assume that these are not easily exploitable.
X41 did not perform a full test or audit on the software.
Please note that the library has been deprecated for more than a year and no
update will be published by the vendor.


Product Description
- ---
This is a C library to interact with the CCID-part of the YubiKey NEO.
There is a command line tool "ykneomgr" for interactive use.  It
supports querying the YubiKey NEO for firmware version, operation mode
(OTP/CCID) and serial number.  You may also mode switch the device and
manage applets (list, delete and install).

Out of Bounds Read/Writes
=
Severity Rating: Medium
Vector: APDU Response
CVE:
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
- --
File lib/backendpcsc.c contains the following code in function
`backend_applet_list()`

{% highlight c %}
      {
        size_t i;
        size_t thislen = recv[length++];
        for (i = 0; i < thislen; i++)
          {
            if (appletstr)
              {
                if (reallen + 2 > *len)
                  {
                    return YKNEOMGR_BACKEND_ERROR;
                  }
                sprintf (p, "%02x", recv[length]);
                p += 2;
              }
            reallen += 2;
            length++;
          }
        if (appletstr)
          {
            if (reallen + 1 > *len)
              {
                return YKNEOMGR_BACKEND_ERROR;
              }
            *p = '\0';
            p++;
          }
        reallen++;
        length += 2;
      }
{% endhighlight %}

There is an off-by-one write of a '\x00' when the sprintf() is called,
since it terminates the string with a trailing null-byte. Additionally
reads are performed based on thislen, which is retrieved from the data
without further safety checks.


Workarounds
- ---
It is advised to migrate to YubiKey Manager since the vendor does not
support the library anymore and will not issue a patch.

Timeline

2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug, but states that library is
deprecated, will not be fixed
2018-08-11 Advisory released
- -- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
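The off-by-one in the snippet above comes from budgeting two output bytes per input byte and forgetting the NUL that sprintf() appends; the unchecked thislen read from the response is the second problem. The following C is an added example, not libykneomgr code: a hex encoder for one length-prefixed entry that checks the output capacity including the terminator, checks the claimed length against the bytes actually received, and hands snprintf() the space that is really left. The function names, error codes and the sample response bytes are constructed for this example.

```c
/* Added example (not libykneomgr code): hex-encoding one length-prefixed
 * entry of a card response into a caller-sized buffer with every bound
 * checked. Function names and error codes are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HEX_OK          0
#define HEX_ERR_OUTPUT (-1)   /* destination too small, NUL terminator included */
#define HEX_ERR_INPUT  (-2)   /* length byte claims more data than was received */

/* Output bytes needed for n input bytes: two hex digits each plus the NUL
 * that sprintf() appends. Budgeting only 2*n is the off-by-one above. */
size_t hex_needed(size_t n)
{
    return 2 * n + 1;
}

/* Encode the entry whose length byte sits at resp[*pos]. On success *pos is
 * advanced past the entry and out holds the NUL-terminated hex string. */
int hex_encode_entry(const unsigned char *resp, size_t resp_len, size_t *pos,
                     char *out, size_t out_len)
{
    if (*pos >= resp_len)
        return HEX_ERR_INPUT;               /* not even a length byte left */
    size_t thislen = resp[*pos];
    if (thislen > resp_len - (*pos + 1))
        return HEX_ERR_INPUT;               /* card claims more than it sent */
    if (hex_needed(thislen) > out_len)
        return HEX_ERR_OUTPUT;

    char *p = out;
    for (size_t i = 0; i < thislen; i++) {
        /* snprintf() is told the space that is really left, so even a wrong
         * budget above could truncate but never write past out_len. */
        snprintf(p, out_len - (size_t)(p - out), "%02x", resp[*pos + 1 + i]);
        p += 2;
    }
    *p = '\0';
    *pos += 1 + thislen;
    return HEX_OK;
}

/* Constructed response: one entry of three bytes. */
static const unsigned char sample_resp[] = { 0x03, 0xa0, 0x00, 0x01 };

/* Exercises the good case and both rejections; returns 1 when all behave. */
int demo(void)
{
    char out[7];                      /* exactly 2*3 + 1 */
    size_t pos = 0;
    if (hex_encode_entry(sample_resp, sizeof sample_resp, &pos, out, sizeof out) != HEX_OK)
        return 0;
    if (strcmp(out, "a00001") != 0 || pos != 4)
        return 0;
    pos = 0;                          /* one byte short: rejected before any write */
    if (hex_encode_entry(sample_resp, sizeof sample_resp, &pos, out, 6) != HEX_ERR_OUTPUT)
        return 0;
    pos = 0;                          /* length byte says 3 but only 2 bytes follow */
    if (hex_encode_entry(sample_resp, 3, &pos, out, sizeof out) != HEX_ERR_INPUT)
        return 0;
    return 1;
}

int main(void)
{
    printf("%s\n", demo() ? "all checks hold" : "FAILED");
    return 0;
}
```

The capacity check happens before the loop, so a response that does not fit is rejected whole rather than half-written, and the input check makes the loop's reads independent of whatever length byte the card chose.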


X41 D-Sec GmbH Security Advisory X41-2018-005: Multiple Vulnerabilities in Apple smartcardservices

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-005

Multiple Vulnerabilities in Apple smartcardservices
===


Overview
- 
Confirmed Affected Versions: e3eb96a6eff9d02497a51b3c155a10fa5989021f
Confirmed Patched Versions: 8eef01a5e218ae78cc358de32213b50a601662de
Vendor: Apple
Vendor URL: https://smartcardservices.github.io/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/


Summary and Impact
- --
Attackers with local access can exploit security issues in the
smartcard driver. These result in memory corruptions, which might lead
to code execution. Since smartcards can be used for authentication,
the vulnerabilities may allow an attacker to log in to the system
without valid credentials as any user.
X41 did not perform a full test or audit on the software.


Product Description
- ---
The Smart Card Services project is comprised of several components
which, when combined, provide the necessary abstraction layer and
integration of smart cards into Apple’s CDSA implementation.

Stack based buffer overflow
===
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4300
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
- --
In file Tokend/CAC/CACRecord.cpp the function
CACCertificateRecord::getDataAttribute() might overwrite the value
certificate and possibly other stack data, if a smartcard provides
malicious data.

{% highlight c++ %}
unsigned char command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 };
unsigned char result[MAX_BUFFER_SIZE];
size_t resultLength = sizeof(result);
uint8 certificate[CAC_MAXSIZE_CERT];
uint8 uncompressed[CAC_MAXSIZE_CERT];
size_t certificateLength = 0;
try
{
    PCSC::Transaction _(cacToken);
    cacToken.select(mApplication);
    uint32_t cacreturn;
    do
    {
        cacreturn = cacToken.exchangeAPDU(command, sizeof(command), result,
                                          resultLength);
        if ((cacreturn & 0xFF00) != 0x6300)
            CACError::check(cacreturn);
        size_t requested = command[4];
        if (resultLength != requested + 2)
            PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
        memcpy(certificate + certificateLength, result, resultLength - 2);
        certificateLength += resultLength - 2;
        // Number of bytes to fetch next time around is in the last byte
        // returned.
        command[4] = cacreturn & 0xFF;
    } while ((cacreturn & 0xFF00) == 0x6300);
}
catch (...)
{
    return NULL;
}
{% endhighlight %}

As long as the smartcard returns a return code of 0x63FF, more data is
copied into the certificate buffer, causing a stack based overflow. A
malicious smartcard is able to control all of the overflowed bytes.


Workarounds
- ---
None

Stack based buffer overflow with limited input
==
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4301
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
- --
In file Tokend/PKCS11/GemaltoKeyHandle.cpp the function
GemaltoPrivateKeyRecord::computeDecrypt() might overwrite the value
strData if the supplied dataLength is too big.

{% highlight c++ %}
void GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken &gemaltoToken,
    CK_ULONG mech, const AccessCredentials *cred, unsigned char *data,
    size_t dataLength, unsigned char *output, size_t &outputLength)
{
    GemaltoToken::log("\nGemaltoPrivateKeyRecord::computeDecrypt\n");
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - mechanism <%lu>\n", mech);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - cred <%p>\n", cred);
    char strData[6000];
    memset(strData, '\0', sizeof(strData));
    char *str = strData;
    for (size_t i=0; i - data <%s>\n", dataLength, strData);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - output <%p>\n", output);
    GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - outputLength <%lu>\n", outputLength);
{% endhighlight %}

The attacker might control the data which is to be decrypted, but
exploitation is limited by the sprintf() format string.


Workarounds
- ---
None

Timeline

2018-02-03 Issues found
2018-05-22 Vendor contacted
2
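The CAC loop in CVE-2018-4300 keeps appending as long as the card answers 0x63XX, and the only thing missing is a comparison of the bytes about to be copied against the room left in certificate[]. The following C is an added example, not Smart Card Services code: the same chained read written against a simulated card, with the capacity check in front of memcpy() and a guard against a zero-length continuation. The fake card, the function names and the CERT_CAP value are constructed for this example; the status bytes are returned separately from the data rather than trailing it as in the real APDU.

```c
/* Added example (not Smart Card Services code): chained certificate read
 * with a destination-capacity check before every memcpy(). The card model
 * and names are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CERT_CAP 500   /* stands in for the fixed certificate[] array */

/* Simulated card. A malicious one answers 0x63FF for ever, each time with
 * a full chunk of attacker-chosen bytes, as the advisory describes. */
typedef struct {
    const uint8_t *blob;   /* bytes an honest card streams */
    size_t blob_len;
    size_t cursor;
    int malicious;
} fake_card;

/* One exchange: copies up to 'want' bytes into result, returns the status word. */
static uint16_t card_exchange(fake_card *c, uint8_t want,
                              uint8_t *result, size_t *result_len)
{
    if (c->malicious) {
        memset(result, 0x41, want);
        *result_len = want;
        return 0x63FF;
    }
    size_t avail = c->blob_len - c->cursor;
    size_t n = want < avail ? want : avail;
    memcpy(result, c->blob + c->cursor, n);
    c->cursor += n;
    *result_len = n;
    size_t left = c->blob_len - c->cursor;
    if (left == 0)
        return 0x9000;
    return (uint16_t)(0x6300 | (left > 0xFF ? 0xFF : left));
}

/* Returns 0 on success, -1 on a protocol error, -2 when the card offered
 * more than cert_cap bytes (the condition the original loop never tested). */
int fetch_certificate(fake_card *card, uint8_t *cert, size_t cert_cap, size_t *cert_len)
{
    uint8_t want = 0x64;
    uint8_t chunk[256];
    size_t n;
    uint16_t sw;
    *cert_len = 0;
    do {
        sw = card_exchange(card, want, chunk, &n);
        if (sw != 0x9000 && (sw & 0xFF00) != 0x6300)
            return -1;
        if ((sw & 0xFF00) == 0x6300 && n != want)
            return -1;                       /* chunk size disagrees with request */
        if (n > cert_cap - *cert_len)
            return -2;                       /* would overflow the destination */
        memcpy(cert + *cert_len, chunk, n);
        *cert_len += n;
        want = (uint8_t)(sw & 0xFF);         /* next chunk size from the status word */
        if ((sw & 0xFF00) == 0x6300 && want == 0)
            return -1;                       /* zero-length continuation: do not spin */
    } while ((sw & 0xFF00) == 0x6300);
    return 0;
}

/* Honest card with a 250-byte certificate: returns the length read, -1 on mismatch. */
int demo_honest(void)
{
    uint8_t blob[250], cert[CERT_CAP];
    size_t len = 0;
    for (size_t i = 0; i < sizeof blob; i++)
        blob[i] = (uint8_t)i;
    fake_card card = { blob, sizeof blob, 0, 0 };
    if (fetch_certificate(&card, cert, sizeof cert, &len) != 0)
        return -1;
    if (memcmp(cert, blob, len) != 0)
        return -1;
    return (int)len;
}

/* Malicious card: 1 when the read stops with -2 and nothing past CERT_CAP was written. */
int demo_malicious(void)
{
    uint8_t cert[CERT_CAP];
    size_t len = 0;
    fake_card card = { NULL, 0, 0, 1 };
    int rc = fetch_certificate(&card, cert, sizeof cert, &len);
    return rc == -2 && len <= CERT_CAP;
}

int main(void)
{
    printf("honest: %d bytes, malicious stopped: %d\n", demo_honest(), demo_malicious());
    return 0;
}
```

With CERT_CAP of 500 the malicious card gets one 100-byte and one 255-byte chunk in before the third offer is refused, so the buffer holds 355 bytes and the function reports the overrun instead of continuing.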

X41 D-Sec GmbH Security Advisory X41-2018-003: Multiple Vulnerabilities in pam_pkcs11

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-003

Multiple Vulnerabilities in pam_pkcs11
==


Overview
- 
Confirmed Affected Versions: 0.6.9
Confirmed Patched Versions: -
Vendor: Unmaintained
Vendor URL: https://github.com/OpenSC/pampkcs11
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-003-pampkcs11/


Summary and Impact
- --
It is possible to replay an authentication by using a specially
prepared smartcard or token in case pam-pkcs11 is compiled with NSS
support. Furthermore, two minor implementation issues have been identified.
X41 did not perform a full test or audit on the software.


Product Description
- ---
This Linux-PAM login module allows a X.509 certificate based user
login. The certificate and its dedicated private key are thereby
accessed by means of an appropriate PKCS #11 module. For the
verification of the users' certificates, locally stored CA
certificates as well as either online or locally accessible CRLs are
used.

Authentication Replay
=
Severity Rating: High
Vector: Login attempt at compromised machine
CVE: -
CWE: 125
CVSS Score: 7.0 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N


Summary and Impact
- --
A replay attack is possible due to a logic bug in file pam_pkcs11.c. In
function `pam_sm_authenticate()` a nonce is generated and signed with the
card to verify that the card holds the matching secret key, if a valid
certificate is found. This is done using the function `get_random_value()`,
which in turn calls `PK11_GenerateRandom()`, which queries the smartcard
for random data.
This allows for a replay attack with a malicious smartcard. If a user
plugs his card into a compromised computer, the nonce and answer
can be recorded by an attacker. The attacker then modifies a smartcard
or a smartcard emulator to replay with the exact same nonce and signed
data, which allows the attacker to log in to another computer without
having further access to the smartcard.


Workarounds
- ---
Switch to pam_p11.

Buffer Overflow
===
Severity Rating: Low
Vector: Overly long user home directory
CVE: -
CWE: 121
CVSS Score: -
CVSS Vector: -


Summary and Impact
- --
In file openssh_mapper.c a stack based buffer overflow is possible if a
user has a home directory with a length of more than 512 bytes. This
allows overwriting the passwd structure and possibly the return
address in `openssh_mapper_match_user()`.

{% highlight c %}
/* openssh_mapper.c */
static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) {
    struct passwd *pw;
    char filename[512];
    if (!x509) return -1;
    if (!user) return -1;
    pw = getpwnam(user);
    if (!pw || is_empty_str(pw->pw_dir) ) {
        DBG1("User '%s' has no home directory",user);
        return -1;
    }
    sprintf(filename,"%s/.ssh/authorized_keys",pw->pw_dir);
    return openssh_mapper_match_keys(x509,filename);
}
{% endhighlight %}


Workarounds
- ---
Switch to pam_p11.

Memory not cleaned properly before free()
=
Severity Rating: Low
Vector: -
CVE: -
CWE: 244
CVSS Score: -
CVSS Vector: -

Summary and Impact
- --
In several places memory is set to zero using memset() and passed on
to free() afterwards. This is a pattern which modern compilers
optimize away, which renders the call to memset() useless. This causes
sensitive data such as passwords to remain in the memory, which
defeats the original intention of the code.

{% highlight c %}
   memset(password, 0, strlen(password));
   free(password);
{% endhighlight %}


Workarounds
- ---
Switch to pam_p11.

Timeline

2018-02-03 Issues found
2018-04-18 Vendor contacted
2018-04-18 Vendor reply
2018-05-18 Technical details provided
2018-05-24 Private git branch created, issues fixed
2018-08-08 Patched version released at
https://github.com/x41sec/pam_pkcs11
2018-08-11 Advisory released
- -- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
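The three findings in this advisory share a theme: the module trusts the card for its challenge nonce, trusts the home directory length, and trusts the compiler to keep a memset() whose result is never read. The following C is an added example, not pam_pkcs11 code, showing each done defensively: a path builder that detects truncation instead of overflowing a 512-byte array, a zeroing routine that writes through a volatile pointer so the stores survive optimisation, and a nonce drawn from the host's /dev/urandom rather than from the card being verified. The function names and the sample values are constructed for this example.

```c
/* Added example (not pam_pkcs11 code): the three patterns from this
 * advisory done defensively. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Build "<home>/.ssh/authorized_keys" into a fixed buffer; returns 0, or -1
 * when the path would not fit. sprintf() into filename[512] had no such
 * check, so a long home directory ran past the array. */
int build_authorized_keys_path(const char *home, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s/.ssh/authorized_keys", home);
    if (n < 0 || (size_t)n >= out_len) {
        if (out_len)
            out[0] = '\0';
        return -1;     /* truncated: refuse rather than open a wrong path */
    }
    return 0;
}

/* Zeroing the optimizer cannot drop: stores through a volatile pointer are
 * side effects that must be emitted even if the buffer is freed right after. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Challenge nonce from the host RNG rather than from the card under test:
 * a card that supplies its own nonce can replay a recorded signature. */
int host_nonce(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* 1 when a short home directory is accepted and a 599-byte one rejected. */
int demo_path(void)
{
    char filename[512];
    char longhome[600];
    memset(longhome, 'a', sizeof longhome - 1);
    longhome[sizeof longhome - 1] = '\0';
    if (build_authorized_keys_path("/home/alice", filename, sizeof filename) != 0)
        return 0;
    if (strcmp(filename, "/home/alice/.ssh/authorized_keys") != 0)
        return 0;
    return build_authorized_keys_path(longhome, filename, sizeof filename) == -1
           && filename[0] == '\0';
}

/* 1 when a constructed password copy is all zero after secure_zero(). */
int demo_zero(void)
{
    char password[16] = "hunter2";          /* constructed sample secret */
    secure_zero(password, sizeof password);
    for (size_t i = 0; i < sizeof password; i++)
        if (password[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    unsigned char nonce[16];
    printf("path check: %d, zeroing: %d, host nonce: %s\n",
           demo_path(), demo_zero(), host_nonce(nonce, sizeof nonce) == 0 ? "ok" : "unavailable");
    return 0;
}
```

Where the platform provides explicit_bzero() or memset_s(), those are preferable to the hand-written loop; the volatile version is the portable fallback that still defeats dead-store elimination.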

X41 D-Sec GmbH Security Advisory X41-2018-002: Multiple Vulnerabilities in OpenSC

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-002

Multiple Vulnerabilities in OpenSC
==


Overview
- 
Confirmed Affected Versions: 0.18.0
Confirmed Patched Versions: possibly 0.19.0
Vendor: OpenSC
Vendor URL: https://github.com/OpenSC/OpenSC
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/


Summary and Impact
- --
Multiple issues have been identified in OpenSC, ranging from stack
based buffer overflows to out of bounds reads and writes on the heap.
They can be triggered by malicious smartcards sending malformed
responses to APDU commands. In addition to the fixes reported here,
a lot of minor issues (e.g. OOB reads and similar) have been reported
and fixed. The OpenSC team (especially Frank Morgner) did an excellent
job on identifying and fixing further issues.
Due to the large amount of issues, no individual issues have been
rated with CVSS / CVE ID yet.
X41 did not perform a full test or audit on the software, but tried to
help identify as many bugs as possible over the course of a year.


Product Description
- ---
OpenSC provides a set of libraries and utilities to work with smart
cards. Its main focus is on cards that support cryptographic
operations, and facilitate their use in security applications such as
authentication, mail encryption and digital signatures.

OOB Write in muscle_list_files()
==
In function muscle_list_files() in file src/libopensc/card-muscle.c an
out of bounds write might occur, since bufLen is not checked.

{% highlight c %}
static int muscle_list_files(sc_card_t *card, u8 *buf, size_t bufLen)
{
    muscle_private_t *priv = MUSCLE_DATA(card);
    mscfs_t *fs = priv->fs;
    int x;
    int count = 0;
    mscfs_check_cache(priv->fs);
    for(x = 0; x < fs->cache.size; x++) {
        u8 *oid = fs->cache.array[x].objectId.id;
        sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
            "FILE: %02X%02X%02X%02X\n",
            oid[0],oid[1],oid[2],oid[3]);
        if(0 == memcmp(fs->currentPath, oid, 2)) {
            buf[0] = oid[2];
            buf[1] = oid[3];
            if(buf[0] == 0x00 && buf[1] == 0x00) continue;
            /* No directories/null names outside of root */
            buf += 2;
            count+=2;
        }
    }
    return count;
}
{% endhighlight %}


OOB Write in tcos_select_file()
=
In function tcos_select_file() in file src/libopensc/card-tcos.c a
filename is extracted from an APDU response and written into the
internal file->name variable.

{% highlight c %}
case 0x84:
memcpy(file->name, d, len);
file->namelen = len;
break;
{% endhighlight %}

No check is performed whether the string retrieved from the card fits
into the buffer, which could trigger an OOB write.

OOB Write in piv_validate_general_authentication()

In case piv_validate_general_authentication() in
src/libopensc/card-piv.c is called with a datalen parameter greater
than 4096, an out of bound write occurs. Currently no caller seems to
do this.

OOB Write in gemsafe_get_cert_len()
=
The function gemsafe_get_cert_len() in file
src/libopensc/pkcs15-gemsafeV1.c might write beyond the gemsafe_prkeys
and gemsafe_cert arrays in case more than 12 containers are stored on
the card.

{% highlight c %}
ind = 2; /* skip length */
while (ibuf[ind] == 0x01) {
    if (ibuf[ind+1] == 0xFE) {
        gemsafe_prkeys[i].ref = ibuf[ind+4];
        sc_log(card->ctx, "Key container %d is allocated and uses keyref %d",
               i+1, gemsafe_prkeys[i].ref);
        ind += 9;
    }
    else {
        gemsafe_prkeys[i].label = NULL;
        gemsafe_cert[i].label = NULL;
        sc_log(card->ctx, "Key container %d is unallocated", i+1);
        ind += 8;
    }
    i++;
}
{% endhighlight %}


OOB Write in util_acl_to_str()

In function util_acl_to_str() in file src/tools/util.c no checks are
performed whether the string put together fits into line, which could
be abused to trigger limited out of bounds writes.

OOB Write in read_public_key() and read_private_key()
=
In function read_public_key() in file src/tools/cryptoflex-tool.c the
bufsize variable is overwritten with file->size retrieved from the
smartcard. This
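The gemsafe loop above advances through the card's container list with neither the container index nor the read offset bounded, so a card that reports more than 12 containers writes past the fixed arrays and one that truncates a record reads past the response. The following C is an added example, not OpenSC code: the same walk with both bounds enforced. The record layout (0x01 marker, 0xFE for an allocated container, 9-byte allocated and 8-byte unallocated records, key reference at offset 4) is taken from the snippet; MAX_CONTAINERS, the type and function names and the sample bytes are constructed for this example.

```c
/* Added example (not OpenSC code): parsing a card's key-container list with
 * the container index and the read cursor both bounded. Names constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CONTAINERS 12    /* size of the fixed prkeys/cert arrays per the advisory */

typedef struct {
    int allocated;
    uint8_t keyref;
} container_t;

/* Returns the number of containers parsed, or -1 if the data overruns
 * either the output arrays or the bytes actually received. */
int parse_containers(const uint8_t *ibuf, size_t ibuf_len,
                     container_t *out, size_t max)
{
    size_t ind = 2;           /* skip the 2-byte length prefix, as the original does */
    size_t i = 0;
    while (ind < ibuf_len && ibuf[ind] == 0x01) {
        if (i >= max)
            return -1;        /* a 13th container would index past the arrays */
        if (ind + 2 > ibuf_len)
            return -1;        /* need the record type byte */
        size_t rec = (ibuf[ind + 1] == 0xFE) ? 9 : 8;
        if (rec > ibuf_len - ind)
            return -1;        /* record runs past what the card sent */
        out[i].allocated = (rec == 9);
        out[i].keyref = (rec == 9) ? ibuf[ind + 4] : 0;
        ind += rec;
        i++;
    }
    return (int)i;
}

/* Two well-formed records: returns the keyref of the first when parsing behaves, else -1. */
int demo_two(void)
{
    static const uint8_t ibuf[] = {
        0x00, 0x12,                                              /* length prefix */
        0x01, 0xFE, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,    /* allocated, keyref 5 */
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,          /* unallocated */
        0x00                                                     /* end marker */
    };
    container_t c[MAX_CONTAINERS];
    int n = parse_containers(ibuf, sizeof ibuf, c, MAX_CONTAINERS);
    if (n != 2 || !c[0].allocated || c[1].allocated)
        return -1;
    return c[0].keyref;
}

/* 13 allocated records: 1 when rejected instead of writing past the arrays. */
int demo_too_many(void)
{
    uint8_t ibuf[2 + 13 * 9 + 1];
    size_t ind = 2;
    ibuf[0] = 0;
    ibuf[1] = 0;
    for (int k = 0; k < 13; k++, ind += 9) {
        memset(ibuf + ind, 0, 9);
        ibuf[ind] = 0x01;
        ibuf[ind + 1] = 0xFE;
    }
    ibuf[ind] = 0x00;
    container_t c[MAX_CONTAINERS];
    return parse_containers(ibuf, sizeof ibuf, c, MAX_CONTAINERS) == -1;
}

/* Record cut off part way: 1 when rejected instead of reading past ibuf. */
int demo_truncated(void)
{
    static const uint8_t ibuf[] = { 0x00, 0x00, 0x01, 0xFE, 0x00, 0x00 };
    container_t c[MAX_CONTAINERS];
    return parse_containers(ibuf, sizeof ibuf, c, MAX_CONTAINERS) == -1;
}

int main(void)
{
    printf("keyref %d, too many rejected %d, truncated rejected %d\n",
           demo_two(), demo_too_many(), demo_truncated());
    return 0;
}
```

The record length is decided before any field is read, so the cursor check covers the key reference at offset 4 as well as the marker and type bytes.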

X41 D-Sec GmbH Security Advisory X41-2018-001: Multiple Vulnerabilities in Yubico Piv

2018-08-14 Thread X41 D-Sec GmbH Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-001

Multiple Vulnerabilities in Yubico Piv
==


Overview
- 
Confirmed Affected Versions: 1.5.0
Confirmed Patched Versions: 1.6.0
Vendor: Yubico
Vendor URL: https://www.yubico.com/
Vendor Advisory URL: https://www.yubico.com/support/security-advisories
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/


Summary and Impact
- --
A buffer overflow and an out of bounds memory read were identified in
the yubico-piv-tool-1.5.0; these can be triggered by a malicious token.
X41 did not perform a full test or audit on the software.


Product Description
- ---
YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, and YubiKey
NEO provide Smart Card functionality based on the Personal Identity
Verification (PIV) interface specified in NIST SP 800-73,
“Cryptographic Algorithms and Key Sizes for PIV.”

Out of Bounds Write via Malicious APDU
==
Severity Rating: High
Vector: APDU Response
CVE: CVE-2018-14779
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
- --
File lib/ykpiv.c contains the following code in function
ykpiv_transfer_data()

{% highlight c %}
if(*out_len + recv_len - 2 > max_out) {
  fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.",
          *out_len + recv_len - 2, max_out);
}
if(out_data) {
  memcpy(out_data, data, recv_len - 2);
  out_data += recv_len - 2;
  *out_len += recv_len - 2;
}
{% endhighlight %}

It is clearly checked whether the buffer is big enough to hold the
data copied using memcpy(), but no error handling happens to avoid the
memcpy() in such cases. This code path can be triggered with malicious
data coming from a smartcard.


Workarounds
- ---
None

Out of Bounds Read via malicious APDU
=
Severity Rating: LOW
Vector: APDU Response
CVE: CVE-2018-14780
CWE: 125
CVSS Score: 2.2 (Low)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N


Summary and Impact
- --
File lib/ykpiv.c contains the following code in function
_ykpiv_fetch_object()

{% highlight c %}
if(sw == SW_SUCCESS) {
  size_t outlen;
  int offs = _ykpiv_get_length(data + 1, &outlen);
  if(offs == 0) {
    return YKPIV_SIZE_ERROR;
  }
  memmove(data, data + 1 + offs, outlen);
  *len = outlen;
  return YKPIV_OK;
} else {
  return YKPIV_GENERIC_ERROR;
}
{% endhighlight %}
{% endhighlight %}

In the end, a memmove() occurs with a length retrieved from APDU data.
This length is not checked if it is outside of the APDU data
retrieved. Therefore the memmove() could copy bytes behind the
allocated data buffer into this buffer.


Workarounds
- ---
None

Timeline

2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug
2018-08-01 CVE ID requested
2018-08-02 CVE ID assigned
2018-08-08 Patched version released by vendor
2018-08-11 Advisory released
- -- 
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
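The CVE-2018-14780 snippet decodes a BER length from the response and passes it straight to memmove() without asking whether that many bytes were actually received. The following C is an added example, not yubico-piv-tool code: a length decoder that takes the number of bytes available as an input and fails when the header is incomplete or the claimed length exceeds the data, followed by the in-place unwrap of a 0x53-tagged object that the check makes safe. The function names and sample objects are constructed for this example; the short, 0x81 and 0x82 length forms are the standard BER encodings.

```c
/* Added example (not yubico-piv-tool code): BER length decoding bounded by
 * the bytes actually received, so the following memmove() stays inside
 * the buffer. Function names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parse a definite BER length at buf[0]. Returns the header size (1 to 3)
 * and sets *len, or 0 when the header is incomplete, uses an unexpected
 * form, or claims more bytes than 'avail' holds. */
size_t get_length_checked(const uint8_t *buf, size_t avail, size_t *len)
{
    size_t hdr;
    if (avail < 1)
        return 0;
    if (buf[0] < 0x80) {
        *len = buf[0];
        hdr = 1;
    } else if (buf[0] == 0x81) {
        if (avail < 2)
            return 0;
        *len = buf[1];
        hdr = 2;
    } else if (buf[0] == 0x82) {
        if (avail < 3)
            return 0;
        *len = ((size_t)buf[1] << 8) | buf[2];
        hdr = 3;
    } else {
        return 0;
    }
    if (*len > avail - hdr)
        return 0;          /* the missing check: claimed length vs. received data */
    return hdr;
}

/* Unwrap "0x53 <length> <value>" in place. Returns 0 and the value length,
 * or -1 without touching the buffer. */
int fetch_object_checked(uint8_t *data, size_t *len)
{
    size_t outlen, offs;
    if (*len < 1 || data[0] != 0x53)
        return -1;
    offs = get_length_checked(data + 1, *len - 1, &outlen);
    if (offs == 0)
        return -1;
    memmove(data, data + 1 + offs, outlen);   /* bounded: outlen <= *len - 1 - offs */
    *len = outlen;
    return 0;
}

/* Well-formed 3-byte object: returns the unwrapped length (3), -1 on failure. */
int demo_ok(void)
{
    uint8_t data[] = { 0x53, 0x03, 'a', 'b', 'c' };
    size_t len = sizeof data;
    if (fetch_object_checked(data, &len) != 0)
        return -1;
    if (memcmp(data, "abc", 3) != 0)
        return -1;
    return (int)len;
}

/* Two-byte length form carrying 2 bytes: returns the unwrapped length (2). */
int demo_long_form(void)
{
    uint8_t data[] = { 0x53, 0x82, 0x00, 0x02, 'x', 'y' };
    size_t len = sizeof data;
    if (fetch_object_checked(data, &len) != 0)
        return -1;
    return (int)len;
}

/* Card claims 16 bytes but sent 1: 1 when rejected with the buffer left intact. */
int demo_overclaim(void)
{
    uint8_t data[] = { 0x53, 0x81, 0x10, 'a' };
    size_t len = sizeof data;
    int rc = fetch_object_checked(data, &len);
    return rc == -1 && len == sizeof data && data[3] == 'a';
}

int main(void)
{
    printf("ok: %d, long form: %d, overclaim rejected: %d\n",
           demo_ok(), demo_long_form(), demo_overclaim());
    return 0;
}
```

Passing the available byte count into the length decoder, rather than checking afterwards, is the design choice that matters: every caller then gets the bound for free instead of each having to remember it.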


WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0006

2018-08-08 Thread Michael Catanzaro


WebKitGTK+ and WPE WebKit Security AdvisoryWSA-2018-0006


Date reported   : August 07, 2018
Advisory ID : WSA-2018-0006
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0006.html

CVE identifiers : CVE-2018-4246, CVE-2018-4261, CVE-2018-4262,
 CVE-2018-4263, CVE-2018-4264, CVE-2018-4265,
 CVE-2018-4266, CVE-2018-4267, CVE-2018-4270,
 CVE-2018-4271, CVE-2018-4272, CVE-2018-4273,
 CVE-2018-4278, CVE-2018-4284, CVE-2018-12911.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4246
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.1.
   Credit to OSS-Fuzz.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A type confusion issue was addressed with improved
   memory handling.

CVE-2018-4261
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to Omair working with Trend Micro's Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4262
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to Mateusz Krzywicki working with Trend Micro's Zero Day
   Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4263
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to Arayz working with Trend Micro's Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4264
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to OSS-Fuzz, Yu Zhou and Jundong Xie of Ant-financial Light-
   Year Security Lab.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4265
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to cc working with Trend Micro's Zero Day Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4266
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to OSS-Fuzz.
   A malicious website may be able to cause a denial of service. A race
   condition was addressed with additional validation.

CVE-2018-4267
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to Arayz of Pangu team working with Trend Micro's Zero Day
   Initiative.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4270
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to OSS-Fuzz.
   Processing maliciously crafted web content may lead to an unexpected
   application crash. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4271
   Versions affected: WebKitGTK+ before 2.20.2.
   Credit to OSS-Fuzz.
   Processing maliciously crafted web content may lead to an unexpected
   application crash. A memory corruption issue was addressed with
   improved input validation.

CVE-2018-4272
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to OSS-Fuzz.
   Processing maliciously crafted web content may lead to arbitrary
   code execution. A memory corruption issue was addressed with
   improved memory handling.

CVE-2018-4273
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to OSS-Fuzz.
   Processing maliciously crafted web content may lead to an unexpected
   application crash. A memory corruption issue was addressed with
   improved input validation.

CVE-2018-4278
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to Jun Kokatsu (@shhnjk).
   A malicious website may exfiltrate audio data cross-origin. Sound
   fetched through audio elements may be exfiltrated cross-origin. This
   issue was addressed with improved audio taint tracking.

CVE-2018-4284
   Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before
   2.20.2.
   Credit to OSS-Fuzz.
   Processing malici

FreeBSD Security Advisory FreeBSD-SA-18:08.tcp

2018-08-06 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:08.tcp                                          Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2018-08-06
Credits:        Juha-Matti Tilli from
                Aalto University, Department of Communications and Networking
                and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
                2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1)
                2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12)
                2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
                2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10)
CVE Name:       CVE-2018-6922

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

To transmit a stream of data, TCP breaks the data stream into segments
for transmission through the Internet, and reassembles the segments at
the receiving side to recreate the data stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on
segment processing to grow linearly with the number of segments in the
reassembly queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system
can degrade the victim system's network performance and/or consume
excessive CPU by exploiting the inefficiency of TCP reassembly
handling, with relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems
to only accept TCP connections from trusted end-stations, if it is
possible to do so.

For systems which must accept TCP connections from untrusted
end-stations, the workaround is to limit the size of each reassembly
queue. The capability to do that is added by the patches noted in the
"Solution" section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size
of each TCP connection's reassembly queue. The value is controlled by
a sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum
number of TCP segments that can be outstanding on a session's
reassembly queue. This value defaults to 100.

Note that setting this value too low could impact the throughput of
TCP connections which experience significant loss or
reordering. However, the higher this number is set, the more resources
can be consumed on TCP reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r337392
releng/10.4/                                                      r337389
stable/11/                                                        r337391
releng/11.1/                                                      r337388
releng/11.2/

DefenseCode ThunderScan SAST Advisory: WordPress Strong Testimonials Plugin Multiple XSS Security Vulnerabilities

2018-07-25 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress Strong Testimonials
 Plugin Multiple XSS Security Vulnerabilities


Advisory ID:    DC-2018-05-007
Advisory Title: WordPress Strong Testimonials Plugin Multiple XSS
                Vulnerabilities
Advisory URL:   http://www.defensecode.com/advisories.php
Software:       WordPress Strong Testimonials plugin
Language:       PHP
Version:        2.31.4 and below
Vendor Status:  Vendor contacted, update released
Release Date:   2018/07/24
Risk:           Medium



1. General Overview
===
During the security audit of Strong Testimonials plugin for WordPress
CMS, multiple XSS vulnerabilities were discovered using DefenseCode
ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview

According to the plugin developers, with Strong Testimonials plugin
you will be collecting and publishing your testimonials or reviews.
Beginners and pros alike will appreciate the wealth of flexible
features refined over 4 years from user feedback and requests.

According to wordpress.org, it has more than 50,000 active installs.

Homepage:
https://wordpress.org/plugins/strong-testimonials/


3. Vulnerability Description

During the security analysis, ThunderScan discovered Cross-Site
Scripting vulnerabilities in Strong Testimonials WordPress plugin.

A Cross-Site Scripting vulnerability enables an attacker to construct a
URL that contains malicious JavaScript code. If the administrator of the
site makes a request to such a URL, the attacker's code is executed with
unrestricted access to the WordPress site in question. The attacker can
entice the administrator to visit the URL in various ways, including
sending the URL by email or posting it as part of a comment on the
vulnerable site or on another forum.

3.1 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_REQUEST['id']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/edit.php?post_type=wpm-testimonial&page=testimonial-views&action=edit&id=2";>alert(42)
  File: strong-testimonials/admin/views.php
  -
  48  wpmtst_view_settings( $_REQUEST['action'], $_REQUEST['id'] );
  ...
  106 function wpmtst_view_settings( $action = '', $view_id = null ) {
  ...
  213 
  -

3.2 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_REQUEST['id']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/edit.php?post_type=wpm-testimonial&page=testimonial-views&action=edit&id=2";>alert(42)
  File: strong-testimonials/admin/views.php
  -
  48  wpmtst_view_settings( $_REQUEST['action'], $_REQUEST['id'] );
  ...
  106 function wpmtst_view_settings( $action = '', $view_id = null ) {
  ...
  219 
  -
  File:
strong-testimonials/admin/partials/views/view-shortcode.php
  -
  5   $shortcode .= '';
  ...
  21  
  -


4. Solution
===
After the vulnerabilities were reported the vendor resolved the
security issues. All users are strongly advised to update WordPress
Strong Testimonials plugin to the latest available version.


5. Credits
==
Discovered by Neven Biruski using DefenseCode ThunderScan source code
security analyzer.


6. Disclosure Timeline
==
2018/05/24   Vulnerabilities discovered
2018/05/29   Vendor contacted
2018/06/01   Update released
2018/07/24   Advisory released to the public


7. About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website
http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/


DefenseCode ThunderScan SAST Advisory: WordPress Gwolle Guestbook Plugin XSS Security Vulnerability

2018-07-25 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress Gwolle Guestbook
 Plugin XSS Security Vulnerability


Advisory ID:    DC-2018-05-008
Advisory Title: WordPress Gwolle Guestbook Plugin XSS Security
                Vulnerability
Advisory URL:   http://www.defensecode.com/advisories.php
Software:       WordPress Gwolle Guestbook plugin
Language:       PHP
Version:        2.5.3 and below
Vendor Status:  Vendor contacted, update released
Release Date:   2018/07/24
Risk:           Medium



1. General Overview
===
During the security audit of Gwolle Guestbook plugin for WordPress
CMS, security vulnerability was discovered using DefenseCode
ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview

According to the plugin developers, Gwolle Guestbook is not just
another guestbook for WordPress. The goal is to provide an easy and
slim way to integrate a guestbook into your WordPress powered site.

According to wordpress.org, it has more than 40,000 active installs.

Homepage:
https://wordpress.org/plugins/gwolle-gb/


3. Vulnerability Description

During the security analysis, ThunderScan discovered Cross-Site
Scripting vulnerability in Gwolle Guestbook WordPress plugin.

A Cross-Site Scripting vulnerability enables an attacker to construct a
URL that contains malicious JavaScript code. If the administrator of the
site makes a request to such a URL, the attacker's code is executed with
unrestricted access to the WordPress site in question. The attacker can
entice the administrator to visit the URL in various ways, including
sending the URL by email or posting it as part of a comment on the
vulnerable site or on another forum.

To confirm the vulnerability, make sure the dashboard widget is added
and that there is at least one unchecked entry in the guestbook. The
vulnerability was tested using the Apache web server.

3.1 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_SERVER['PHP_SELF']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/index.php/";>alert(42)

  File: gwolle-gb/admin/gb-dashboard-widget.php
  -
  150 
  -


4. Solution
===
All users are strongly advised to update WordPress Gwolle Guestbook
plugin to the latest available version.


5. Credits
==
Discovered by Neven Biruski using DefenseCode ThunderScan source code
security analyzer.


6. Disclosure Timeline
==
2018/06/01   Vulnerability discovered
2018/06/05   Vendor contacted
2018/07/24   Advisory released to the public


7. About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website
http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/


DefenseCode ThunderScan SAST Advisory: WordPress Snazzy Maps Plugin Multiple XSS Security Vulnerabilities

2018-07-25 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress Snazzy Maps Plugin
 Multiple XSS Security Vulnerabilities


Advisory ID:    DC-2018-05-006
Advisory Title: WordPress Snazzy Maps Plugin Multiple XSS
                Vulnerabilities
Advisory URL:   http://www.defensecode.com/advisories.php
Software:       WordPress Snazzy Maps plugin
Language:       PHP
Version:        1.1.3 and below
Vendor Status:  Vendor contacted, no response
Release Date:   2018/07/24
Risk:           Medium



1. General Overview
===
During the security audit of Snazzy Maps plugin for WordPress CMS,
multiple Cross-Site Scripting (XSS) vulnerabilities were discovered
using DefenseCode ThunderScan application source code security
analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview

According to the plugin developers, Snazzy Maps can apply styles to
your Google Maps with the official Snazzy Maps WordPress plugin.

According to wordpress.org, it has more than 60,000 active installs.

Homepage:
https://wordpress.org/plugins/snazzy-maps/


3. Vulnerability Description

During the security analysis, ThunderScan discovered
multiple Cross-Site Scripting vulnerabilities in Snazzy Maps
WordPress plugin.

A Cross-Site Scripting vulnerability enables an attacker to construct a
URL that contains malicious JavaScript code. If the administrator of the
site makes a request to such a URL, the attacker's code is executed with
unrestricted access to the WordPress site in question. The attacker can
entice the administrator to visit the URL in various ways, including
sending the URL by email or posting it as part of a comment on the
vulnerable site or on another forum.

3.1 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_GET['text']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/themes.php?page=snazzy_maps&tab=1&text=";>alert(42)
  File: snazzy-maps/admin/explore.php
  -
  28 $text = isset($_GET['text']) ? $_GET['text'] : '';
  ...
  34 
  -

3.2 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_GET['tab']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/themes.php?page=snazzy_maps&tab=1";>alert(42)
  File: snazzy-maps/admin/index.php
  -
  69 $active_tab = isset($_GET['tab']) ? $_GET['tab'] : '0';
  ...
  98 Dismiss
  -


4. Solution
===
All users are strongly advised to update WordPress Snazzy Maps plugin
to the latest available version as soon as the vendor releases an
update that fixes the vulnerabilities.


5. Credits
==
Discovered by Neven Biruski using DefenseCode ThunderScan source code
security analyzer.


6. Disclosure Timeline
==
2018/05/21   Vulnerabilities discovered
2018/05/21   Vendor contacted
2018/07/24   Advisory released to the public


7. About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website
http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/


FreeBSD Security Advisory FreeBSD-SA-18:07.lazyfpu

2018-06-21 Thread FreeBSD Security Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:07.lazyfpu                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Lazy FPU State Restore Information Disclosure

Category:       core
Module:         kernel
Announced:      2018-06-21
Credits:        Julian Stecklina from Amazon Germany
                Thomas Prescher from Cyberus Technology GmbH
                Zdenek Sojka from SYSGO AG
                Colin Percival
Affects:        All supported versions of FreeBSD.
Corrected:      2018-06-14 18:50:49 UTC (stable/11, 11.2-PRERELEASE)
                2018-06-15 13:21:37 UTC (releng/11.2, 11.2-RC3)
                2018-06-21 05:17:13 UTC (releng/11.1, 11.1-RELEASE-p11)
CVE Name:       CVE-2018-3665

Special Note:   This advisory only addresses this issue for FreeBSD 11.x on
                i386 and amd64.  We expect to update this advisory to include
                10.x in the near future.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Modern CPUs have a floating point unit (FPU) which needs to maintain state
per thread.  One technique is to only save and to only restore the FPU state
for a thread when a thread attempts to utilize the FPU.  This technique is
called Lazy FPU state restore.

II.  Problem Description

A subset of Intel processors can allow a local thread to infer data from
another thread through a speculative execution side channel when Lazy FPU
state restore is used.

III. Impact

Any local thread can potentially read FPU state information from other
threads running on the host.  This could include cryptographic keys when the
AES-NI CPU feature is present.

IV.  Workaround

No workaround is available, but non-Intel branded CPUs are not believed
to be vulnerable.

V.   Solution

The patch changes from Lazy FPU state restore to Eager FPU state restore.
This new technique is the recommended practice from Intel and in some cases
can actually increase performance, depending on workload.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch.asc
# gpg --verify lazyfpu-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r335169
releng/11.2/                                                      r335196
releng/11.1/                                                      r335465
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html>

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>

WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0005

2018-06-14 Thread Michael Catanzaro


WebKitGTK+ and WPE WebKit Security Advisory                    WSA-2018-0005


Date reported           : June 13, 2018
Advisory ID             : WSA-2018-0005
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0005.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0005.html

CVE identifiers : CVE-2018-4190, CVE-2018-4192, CVE-2018-4199,
 CVE-2018-4201, CVE-2018-4214, CVE-2018-4218,
 CVE-2018-4222, CVE-2018-4232, CVE-2018-4233,
 CVE-2018-11646, CVE-2018-11712,
 CVE-2018-11713, CVE-2018-12293,
 CVE-2018-12294.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4190
   Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
   2.20.1.
   Credit to Jun Kokatsu (@shhnjk).
   Impact: Visiting a maliciously crafted website may leak sensitive
   data. Description: Credentials were unexpectedly sent when fetching
   CSS mask images. This was addressed by using a CORS-enabled fetch
   method.

CVE-2018-4192
   Versions affected: WebKitGTK+ before 2.20.1.
   Credit to Markus Gaasedelen, Nick Burnett, and Patrick Biernat of
   Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: A race condition was
   addressed with improved locking.

CVE-2018-4199
   Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
   2.20.1.
   Credit to Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of
   MWR Labs working with Trend Micro's Zero Day Initiative.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: A buffer overflow issue was
   addressed with improved memory handling.

CVE-2018-4201
   Versions affected: WebKitGTK+ before 2.20.1.
   Credit to an anonymous researcher.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4214
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to OSS-Fuzz.
   Impact: Processing maliciously crafted web content may lead to an
   unexpected application crash. Description: A memory corruption issue
   was addressed with improved input validation.

CVE-2018-4218
   Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
   2.20.1.
   Credit to Natalie Silvanovich of Google Project Zero.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4222
   Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
   2.20.1.
   Credit to Natalie Silvanovich of Google Project Zero.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: An out-of-bounds read was
   addressed with improved input validation.

CVE-2018-4232
   Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
   2.20.1.
   Credit to Aymeric Chaib.
   Impact: Visiting a maliciously crafted website may lead to cookies
   being overwritten. Description: A permissions issue existed in the
   handling of web browser cookies. This issue was addressed with
   improved restrictions.

CVE-2018-4233
   Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
   2.20.1.
   Credit to Samuel Groß (@5aelo) working with Trend Micro's Zero Day
   Initiative.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-11646
   Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
   2.20.1.
   Credit to Mishra Dhiraj.
   Maliciously crafted web content could trigger an application crash
   in WebKitFaviconDatabase, caused by mishandling unexpected input.

CVE-2018-11712
   Versions affected: WebKitGTK+ 2.20.0 and 2.20.1.
   Credit to Metrological Group B.V.
   The libsoup network backend of WebKit failed to perform TLS
   certificate verification for WebSocket connections.

CVE-2018-11713
   Versions affected: WebKitGTK+ before 2.20.0 or without libsoup
   2.62.0.
   Credit to Dirkjan Ochtman.
   The libsoup network backend of WebKit unexpectedly failed to use
   system proxy settings for WebSocket connections. As a result, users
   could be deanonymized by crafted web sites via a WebSocket
   connection.

CVE-2018-12293
   Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before
   2.20.1.
   Credit to ADlab of Venustech.
   Maliciously crafted web content could achiev

DefenseCode ThunderScan SAST Advisory: WordPress WP Google Map Plugin Multiple SQL injection Security Vulnerabilities

2018-06-12 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress WP Google Map Plugin
 Multiple SQL injection Security Vulnerabilities


Advisory ID:    DC-2018-05-002
Advisory Title: WordPress WP Google Map Plugin Multiple SQL injection
                Vulnerabilities
Advisory URL:   http://www.defensecode.com/advisories.php
Software:       WordPress WP Google Map plugin
Language:       PHP
Version:        4.0.4 and below
Vendor Status:  Vendor contacted, no response
Release Date:   2018/06/12
Risk:           High



1. General Overview
===
During the security audit of WP Google Map plugin for WordPress CMS,
multiple SQL injection vulnerabilities were discovered using
DefenseCode ThunderScan application source code security analysis
platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview

According to the plugin developers, WP Google Map is the #1 Google Maps
plugin for WordPress. It allows you to create Google Maps shortcodes
to display responsive Google Maps on pages, widgets and custom
templates.

According to wordpress.org, it has more than 100,000 active installs.

Homepage:
https://wordpress.org/plugins/wp-google-map-plugin/
https://www.wpmapspro.com/


3. Vulnerability Description

During the security analysis, ThunderScan discovered SQL injection
vulnerabilities in WP Google Map WordPress plugin.

The easiest way to reproduce the vulnerabilities is to visit the
provided URL while being logged in as administrator or another user
that is authorized to access the plugin settings page. Users that do
not have full administrative privileges could abuse the database
access the vulnerabilities provide to either escalate their privileges
or obtain and modify database contents they were not supposed to be
able to.

Because no nonce token is checked, the vulnerable code is also directly
exposed to attack vectors such as Cross-Site Request Forgery (CSRF).

3.1 SQL injection
  Vulnerable Function:  $wpdb->get_results()
  Vulnerable Variable:  $_GET['order']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&orderby=location_address&order=asc
PROCEDURE 
ANALYSE(EXTRACTVALUE(4242,CONCAT(0x42,(BENCHMARK(4200,MD5(0x42424242),42)
  File: wp-google-map-plugin/core/class.tabular.php
  -
  520 $order   = ( ! empty( $_GET['order'] ) ) ? wp_unslash( $_GET['order'] ) : 'asc';
  ...
  522 $query_to_run .= " order by {$orderby} {$order}";
  ...
  530 $this->data = $wpdb->get_results( $query_to_run );
  -

3.2 SQL injection
  Vulnerable Function:  $wpdb->get_results()
  Vulnerable Variable:  $_GET['orderby']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=location_address%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(555)))xxx)&order=asc
  File: wp-google-map-plugin/core/class.tabular.php
  -
  519 $orderby = ( ! empty( $_GET['orderby'] ) ) ? wp_unslash( $_GET['orderby'] ) : $this->primary_col;
  ...
  522 $query_to_run .= " order by {$orderby} {$order}";
  ...
  530 $this->data = $wpdb->get_results( $query_to_run );
  -


4. Solution
===
All users are strongly advised to update WordPress WP Google Map
plugin to the latest available version as soon as the vendor releases
an update that fixes the vulnerabilities.


5. Credits
==
Discovered by Neven Biruski using DefenseCode ThunderScan source code
security analyzer.


6. Disclosure Timeline
==
2018/05/11   Vulnerabilities discovered
2018/05/16   Vendor contacted
2018/06/08   No response
2018/06/12   Advisory released to the public


7. About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website
http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/


DefenseCode ThunderScan SAST Advisory: WordPress Ultimate Form Builder Lite Plugin Multiple Vulnerabilities (XSS and SQLi)

2018-06-12 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress Ultimate Form Builder
 Lite Plugin Multiple Vulnerabilities (XSS and SQLi)


Advisory ID:    DC-2018-05-009
Advisory Title: WordPress Ultimate Form Builder Lite Plugin Multiple
                Vulnerabilities (XSS and SQLi)
Advisory URL:   http://www.defensecode.com/advisories.php
Software:       WordPress Ultimate Form Builder Lite plugin
Language:       PHP
Version:        1.3.7 and below
Vendor Status:  Vendor contacted, update released
Release Date:   2018/06/12
Risk:           Medium



1. General Overview
===
During the security audit of Ultimate Form Builder Lite plugin for
WordPress CMS, multiple vulnerabilities were discovered using
DefenseCode ThunderScan application source code security analysis
platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview

According to the plugin developers, Ultimate Form Builder Lite is a
free WordPress plugin which allows you to create various contact forms
with a drag and drop form builder. It's fun because you can create,
customize and build beautiful forms for your site on your own,
receive contact email on any desired email address and store the form
entries in your database, which can be exported to CSV for your use via
the plugin's backend.

According to wordpress.org, it has more than 40,000 active installs.

Homepage:
https://wordpress.org/plugins/ultimate-form-builder-lite/


3. Vulnerability Description

During the security analysis, ThunderScan discovered
Cross-Site Scripting and SQL injection vulnerabilities in Ultimate
Form Builder Lite WordPress plugin.

A Cross-Site Scripting vulnerability enables an attacker to construct a
URL that contains malicious JavaScript code. If the administrator of the
site makes a request to such a URL, the attacker's code is executed with
unrestricted access to the WordPress site in question. The attacker can
entice the administrator to visit the URL in various ways, including
sending the URL by email or posting it as part of a comment on the
vulnerable site or on another forum.

The easiest way to reproduce the SQL injection vulnerability is to
visit the provided URL while logged in as administrator or as another
user who is authorized to access the plugin settings page. Users who
do not have full administrative privileges could abuse the database
access the vulnerability provides either to escalate their privileges
or to obtain and modify database contents they were not supposed to
be able to reach.

3.1 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_GET['form_id']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=ufbl&action=edit-form&form_id=1";>alert(42)
  File:
ultimate-form-builder-lite/inc/views/backend/form-builder.php
  -
  10 Shortcode: 
  -

3.2 SQL injection
  Vulnerable Function:  $wpdb->get_row()
  Vulnerable Variable:  $_POST['entry_id']
  Vulnerable URL:   http://vulnerablesite.com/wp-admin/admin-ajax.php
  Vulnerable POST body:
entry_id=1&_wpnonce=xxx&action=ufbl_get_entry_detail_action
  File:
ultimate-form-builder-lite/ultimate-form-builder-lite.php
  -
  369 $entry_id = sanitize_text_field( $_POST['entry_id'] );
  ...
  370 $entry_row = $this->model->get_entry_detail( $entry_id );
  -
  File: ultimate-form-builder-lite\classes\ufbl-model.php
  -
  243 public static function get_entry_detail( $entry_id ) {
  ...
  248 $entry_row = $wpdb->get_row( "SELECT * FROM $entry_table INNER
JOIN $form_table ON $entry_table.form_id = $form_table.form_id WHERE
$entry_table.entry_id = $entry_id", 'ARRAY_A' );
  -


4. Solution
===
After the vulnerabilities were reported the vendor resolved the
security issues. All users are strongly advised to update WordPress
Ultimate Form Builder Lite plugin to the latest available version.


5. Credits
==
Discovered by Neven Biruski using DefenseCode ThunderScan source code
security analyzer.


6. Disclosure Timeline
==
2018/06/01   Vulnerabilities discovered
2018/06/06   Vendor contacted
2018/06/08   Vendor responded
2018/06/12   Advisory released to the public


7. About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensi

DefenseCode ThunderScan SAST Advisory: WordPress Form Maker Plugin Multiple Security Vulnerabilities

2018-06-07 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress Form Maker Plugin
Multiple Security Vulnerabilities


Advisory ID:    DC-2018-05-001
Advisory Title: WordPress Form Maker Plugin Multiple Vulnerabilities
Advisory URL:   http://www.defensecode.com/advisories.php
Software:   WordPress Form Maker plugin
Language:   PHP
Version:        1.12.24 and below
Vendor Status:  Vendor contacted, update released
Release Date:   2018/06/07
Risk:   High



1. General Overview
===
During the security audit of Form Maker plugin for WordPress CMS,
multiple vulnerabilities were discovered using DefenseCode ThunderScan
application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview

According to the plugin developers, Form Maker is a power-packed yet
user-friendly form builder plugin, the best WordPress form builder
plugin in the WordPress Plugin Directory.

According to wordpress.org, it has more than 100 000 active installs.
According to the developer's website, it was downloaded over two
million times. The exact number of "premium" version installs remains
to be determined.

Homepage:
https://wordpress.org/plugins/form-maker/
https://web-dorado.com/products/wordpress-form.html


3. Vulnerability Description

During the security analysis, ThunderScan discovered SQL injection and
Cross-Site Scripting vulnerabilities in Form Maker WordPress plugin.
The SQL injection points are susceptible to Cross Site Request Forgery
(CSRF).

The easiest way to reproduce the SQL injection vulnerabilities is to
open the presented HTML/JavaScript snippet in your browser while
logged in as administrator or as another user who is authorized to
access the plugin settings page. Users who do not have full
administrative privileges could abuse the database access the
vulnerabilities provide either to escalate their privileges or to
obtain and modify database contents they were not supposed to be able
to reach. Since the injection points are also susceptible to CSRF (due
to the improper checking of the nonce token), a valid attack vector is
also to send the administrator a link to any attacker-controlled web
page containing such or a similar code snippet.

The Cross-Site Scripting vulnerabilities enable an attacker to
construct a URL that contains malicious JavaScript code. If the
administrator of the site makes a request to such a URL, the
attacker's code will be executed with unrestricted access to the
WordPress site in question. The attacker can entice the administrator
to visit the URL in various ways, including sending the URL by email
or posting it as part of a comment on the vulnerable site or on
another forum.

3.1 SQL injection
  Vulnerable Function:  get_results()
  Vulnerable Variable:  $_POST['name']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping&task=db_table_struct
  File: form-maker/admin/models/FMSqlMapping.php
  Proof of Concept: See Appendix #1
  -
  81 $name = isset($_POST['name']) ? $_POST['name'] : NULL;
  ...
  87 $query = "SHOW COLUMNS FROM " . $name;
  ...
  94 $table_struct = $wpdb_temp->get_results($query);
  -

3.2 SQL injection
  Vulnerable Function:  get_col()
  Vulnerable Variable:  $_REQUEST['search_labels']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=6&send_header=0&action=generete_csv&limitstart=0
  File: form-maker/framework/WDW_FM_Library.php
  Proof of Concept: See Appendix #2
  -
  3901 $search_labels = isset($_REQUEST['search_labels']) ?
$_REQUEST['search_labels'] : '';
  ...
  3934 $query = $wpdb->prepare("SELECT distinct group_id FROM " .
$wpdb->prefix . "formmaker_submits where form_id=%d and group_id IN("
. $search_labels . ")", $form_id);
  3935 $group_id_s = $wpdb->get_col($query);
  -
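The three query shapes from these two DefenseCode advisories, each beside a hardened construction, added here as an example and not code from either plugin: the entry_id lookup from the Ultimate Form Builder Lite advisory above (its section 3.2), and the SHOW COLUMNS and IN(...) queries from 3.1 and 3.2 here. FakeWpdb and sanitize_text_field_standin() are simplified stand-ins for WordPress's $wpdb and sanitize_text_field() so the script runs from the PHP CLI; the ufbl table names and the ALLOWED_TABLES allowlist are assumed.

```php
<?php
// Added example, not code from Ultimate Form Builder Lite or Form Maker.
// Minimal stand-in for WordPress's $wpdb: prepare() binds %d as an integer
// and %s as a quoted, escaped string. The real $wpdb->prepare() does more,
// but the property that matters here is the same: only placeholders are bound.
class FakeWpdb {
    public $prefix = 'wp_';

    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%([ds])/', function ($m) use ($args, &$i) {
            $v = $args[$i++] ?? '';
            return $m[1] === 'd'
                ? (string) intval($v)
                : "'" . addslashes((string) $v) . "'";
        }, $query);
    }
}

// Stand-in for sanitize_text_field(): strips tags and surrounding whitespace.
// Like the real function it leaves quotes, spaces and SQL keywords untouched,
// which is why it is not an SQL injection defence.
function sanitize_text_field_standin(string $s): string {
    return trim(strip_tags($s));
}

// --- Ultimate Form Builder Lite, get_entry_detail() (table names assumed) ---
function get_entry_detail_query_vulnerable(FakeWpdb $wpdb, string $entry_id): string {
    $entry_id    = sanitize_text_field_standin($entry_id);   // as on line 369
    $entry_table = $wpdb->prefix . 'ufbl_form_entries';
    $form_table  = $wpdb->prefix . 'ufbl_forms';
    return "SELECT * FROM $entry_table INNER JOIN $form_table"
         . " ON $entry_table.form_id = $form_table.form_id"
         . " WHERE $entry_table.entry_id = $entry_id";           // spliced in raw
}

function get_entry_detail_query_fixed(FakeWpdb $wpdb, string $entry_id): string {
    $entry_table = $wpdb->prefix . 'ufbl_form_entries';
    $form_table  = $wpdb->prefix . 'ufbl_forms';
    // entry_id is an integer key: bind it with %d, which coerces the value.
    return $wpdb->prepare(
        "SELECT * FROM $entry_table INNER JOIN $form_table"
      . " ON $entry_table.form_id = $form_table.form_id"
      . " WHERE $entry_table.entry_id = %d",
        $entry_id
    );
}

// --- Form Maker 3.1: SHOW COLUMNS FROM <name> ---
// A table name is an identifier, not a value, so it cannot be bound with %s.
// Resolve it against an allowlist instead of trusting $_POST['name'].
const ALLOWED_TABLES = ['formmaker_submits', 'formmaker_sessions'];  // constructed

function columns_query_fixed(FakeWpdb $wpdb, ?string $name): ?string {
    if ($name === null || !in_array($name, ALLOWED_TABLES, true)) {
        return null;   // caller answers with an error; no query is built
    }
    return 'SHOW COLUMNS FROM `' . $wpdb->prefix . $name . '`';
}

// --- Form Maker 3.2: group_id IN(...) ---
// The original spliced $search_labels into the format string before prepare()
// ran, so prepare() only ever bound form_id. Generate one %d per element.
function group_ids_query_vulnerable(FakeWpdb $wpdb, int $form_id, string $search_labels): string {
    return $wpdb->prepare("SELECT distinct group_id FROM " . $wpdb->prefix
        . "formmaker_submits where form_id=%d and group_id IN("
        . $search_labels . ")", $form_id);
}

function group_ids_query_fixed(FakeWpdb $wpdb, int $form_id, string $search_labels): ?string {
    $ids = array_values(array_filter(array_map('trim', explode(',', $search_labels)), 'strlen'));
    if ($ids === [] || count(array_filter($ids, 'ctype_digit')) !== count($ids)) {
        return null;   // not a comma-separated list of integers: reject, do not repair
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    return $wpdb->prepare(
        "SELECT DISTINCT group_id FROM {$wpdb->prefix}formmaker_submits"
      . " WHERE form_id = %d AND group_id IN($placeholders)",
        $form_id, ...$ids
    );
}

// Constructed inputs of the kind each parameter was never checked against.
$wpdb = new FakeWpdb();
echo get_entry_detail_query_vulnerable($wpdb, '1 OR 1=1'), "\n";  // tautology survives sanitize
echo get_entry_detail_query_fixed($wpdb, '1 OR 1=1'), "\n";       // %d keeps the leading integer
var_dump(columns_query_fixed($wpdb, 'wp_users'));                 // not allowlisted: null
echo columns_query_fixed($wpdb, 'formmaker_submits'), "\n";
echo group_ids_query_vulnerable($wpdb, 6, '1) OR (1=1'), "\n";    // prepare() bound only %d
var_dump(group_ids_query_fixed($wpdb, 6, '1) OR (1=1'));          // rejected: null
echo group_ids_query_fixed($wpdb, 6, '3, 7,11'), "\n";            // one %d per id
```

WordPress 6.2 added an %i placeholder to $wpdb->prepare() that backtick-quotes an identifier; it stops the injection but does not limit which table a caller may inspect, so the allowlist is still the relevant control for 3.1.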

3.3 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_REQUEST["active_tab"]
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=themes_fm&task=edit&active_tab=";>alert(42)
  File: form-maker/admin/views/Themes_fm.php
  -
  192 $active_tab = isset($_REQUEST["active_tab"]) &&
$_REQUEST["active_tab"] ? $_REQUEST["active_tab"] : ($row->version ==
1 ? 'custom_css' : 'global');
  ...
  199 
  -
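The active_tab echo from 3.3 beside a hardened version, added as an example and not Form Maker's code. esc_attr_standin() stands in for WordPress's esc_attr(), the hidden-input markup is assumed because the advisory does not show line 199, and KNOWN_TABS assumes the two tab names on line 192 are the full set.

```php
<?php
// Added example, not Form Maker's code: the $_REQUEST["active_tab"] echo from
// section 3.3, hardened. The value only selects a tab, so it is resolved
// against the tabs the page knows and still escaped at the point of output.

// Stand-in for WordPress esc_attr(): HTML-escape for an attribute value.
function esc_attr_standin(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The original's shape (line 192): whatever arrives in the request is used.
function active_tab_vulnerable(array $request, int $theme_version): string {
    return isset($request['active_tab']) && $request['active_tab']
        ? $request['active_tab']
        : ($theme_version == 1 ? 'custom_css' : 'global');
}

// Hardened: only a known tab name may be chosen by the request; anything
// else falls back to the default for the theme version.
const KNOWN_TABS = ['custom_css', 'global'];   // assumed to be the full set

function active_tab_fixed(array $request, int $theme_version): string {
    $default   = $theme_version == 1 ? 'custom_css' : 'global';
    $requested = $request['active_tab'] ?? '';
    return (is_string($requested) && in_array($requested, KNOWN_TABS, true))
        ? $requested
        : $default;
}

// Markup assumed to resemble the original line 199, which the advisory does
// not show; the `";>` in its proof-of-concept URL implies an attribute context.
function tab_field_vulnerable(array $request, int $theme_version): string {
    return '<input type="hidden" name="active_tab" value="'
         . active_tab_vulnerable($request, $theme_version) . '" />';
}

function tab_field_fixed(array $request, int $theme_version): string {
    return '<input type="hidden" name="active_tab" value="'
         . esc_attr_standin(active_tab_fixed($request, $theme_version)) . '" />';
}

// Constructed request carrying the advisory's proof-of-concept value.
$request = ['active_tab' => '"><script>alert(42)</script>'];
echo tab_field_vulnerable($request, 2), "\n";   // value closes the attribute early
echo tab_field_fixed($request, 2), "\n";        // unknown tab: default is used
echo tab_field_fixed(['active_tab' => 'custom_css'], 2), "\n";
```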

3.4 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_REQUEST["pagination"]
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=themes_fm&task=edit&pagination=";>alert(42)<%2Fscript>
  File: form-maker/adm

DefenseCode ThunderScan SAST Advisory: WordPress Contact Form Maker Plugin Multiple Security Vulnerabilities

2018-06-07 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress Contact Form Maker
 Plugin Multiple Security Vulnerabilities



Advisory ID:    DC-2018-05-004
Advisory Title: WordPress Contact Form Maker Plugin Multiple
 Vulnerabilities
Advisory URL:   http://www.defensecode.com/advisories.php
Software:   WordPress Contact Form Maker plugin
Language:   PHP
Version:        1.12.20 and below
Vendor Status:  Vendor contacted, update released
Release Date:   2018/06/07
Risk:   High



1. General Overview
===
During the security audit of Contact Form Maker plugin for WordPress
CMS, multiple vulnerabilities were discovered using DefenseCode
ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com


2. Software Overview

According to the plugin developers, Contact Form Maker is a simple
form creator plugin which allows users with no knowledge of
programming to create and edit different types of responsive website
forms. The product is similar to WordPress Form Maker and shares most
of its functionality, though there are also some differences.

According to wordpress.org, it has more than 60 000 active installs.
According to the developer's website, it was downloaded over a million
times. The exact number of "premium" version installs remains
to be determined.

Homepage:
https://wordpress.org/plugins/contact-form-maker/
https://web-dorado.com/products/wordpress-contact-form-builder.html


3. Vulnerability Description

During the security analysis, ThunderScan discovered SQL injection and
Cross-Site Scripting vulnerabilities in Contact Form Maker WordPress
plugin. The SQL injection points are susceptible to Cross Site Request
Forgery (CSRF).

The easiest way to reproduce the SQL injection vulnerabilities is to
open the presented HTML/JavaScript snippet in your browser while
logged in as administrator or as another user who is authorized to
access the plugin settings page. Users who do not have full
administrative privileges could abuse the database access the
vulnerabilities provide either to escalate their privileges or to
obtain and modify database contents they were not supposed to be able
to reach. Since the injection points are also susceptible to CSRF (due
to the improper checking of the nonce token), a valid attack vector is
also to send the administrator a link to any attacker-controlled web
page containing such or a similar code snippet.

The Cross-Site Scripting vulnerabilities enable an attacker to
construct a URL that contains malicious JavaScript code. If the
administrator of the site makes a request to such a URL, the
attacker's code will be executed with unrestricted access to the
WordPress site in question. The attacker can entice the administrator
to visit the URL in various ways, including sending the URL by email
or posting it as part of a comment on the vulnerable site or on
another forum.

3.1 SQL injection
  Vulnerable Function:  get_results()
  Vulnerable Variable:  $_POST['name']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct
  File: contact-form-maker/admin/models/FMSqlMapping.php
  Proof of Concept: See Appendix #1
  -
  81 $name = isset($_POST['name']) ? $_POST['name'] : NULL;
  ...
  87 $query = "SHOW COLUMNS FROM " . $name;
  ...
  94 $table_struct = $wpdb_temp->get_results($query);
  -

3.2 SQL injection
  Vulnerable Function:  get_col()
  Vulnerable Variable:  $_REQUEST['search_labels']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0
  File: contact-form-maker/framework/WDW_FM_Library.php
  Proof of Concept: See Appendix #2
  -
  3951 $search_labels = isset($_REQUEST['search_labels']) ?
$_REQUEST['search_labels'] : '';
  ...
  3984 $query = $wpdb->prepare("SELECT distinct group_id FROM " .
$wpdb->prefix . "formmaker_submits where form_id=%d and group_id IN("
. $search_labels . ")", $form_id);
  3985 $group_id_s = $wpdb->get_col($query);
  -

3.3 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_REQUEST["active_tab"]
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=themes_fmc&task=edit&active_tab=";>alert(42)
  File: form-maker/admin/views/Themes_fm.php
  -
  192 $active_tab = isset($_REQUEST["active_tab"]) &&
$_REQUEST["active_tab"] ? $_REQUEST["active_tab"] : ($row->version ==
1 ? 'custom_css' : 'global');
  ...
  199 
  -

3.4 Cross-Site Scripting
  Vulnerable Function:  e

Qualys Security Advisory - Procps-ng Audit Report

2018-05-21 Thread Qualys Security Advisory

Qualys Security Advisory

Procps-ng Audit Report



Contents


Summary
1. FUSE-backed /proc/PID/cmdline
2. Unprivileged process hiding
3. Local Privilege Escalation in top (Low Impact)
4. Denial of Service in ps
5. Local Privilege Escalation in libprocps (High Impact)
   5.1. Vulnerability
   5.2. Exploitation
   5.3. Exploitation details
   5.4. Non-PIE exploitation
   5.5. PIE exploitation
Acknowledgments



Summary


We performed a complete audit of procps-ng, the "command line and full
screen utilities for browsing procfs, a 'pseudo' file system dynamically
generated by the [Linux] kernel to provide information about the status
of entries in its process table" (https://gitlab.com/procps-ng/procps).
procps-ng contains the utilities free, kill, pgrep, pidof, pkill, pmap,
ps, pwdx, skill, slabtop, snice, sysctl, tload, top, uptime, vmstat, w,
watch, and the necessary libprocps library.

We discovered and submitted patches for more than a hundred bugs and
vulnerabilities in procps-ng; for reference, our patches are available
at:

https://www.qualys.com/2018/05/17/procps-ng-audit-report-patches.tar.gz

In the remainder of this advisory, we present our most interesting
findings:

1. FUSE-backed /proc/PID/cmdline (CVE-2018-1120)

  An attacker can block any read() access to /proc/PID/cmdline by
  mmap()ing a FUSE file (Filesystem in Userspace) onto this process's
  command-line arguments. The attacker can therefore block pgrep, pidof,
  pkill, ps, and w, either forever (a denial of service), or for some
  controlled time (a synchronization tool for exploiting other
  vulnerabilities).

2. Unprivileged process hiding (CVE-2018-1121)

  An unprivileged attacker can hide a process from procps-ng's
  utilities, by exploiting either a denial of service (a rather noisy
  method) or a race condition inherent in reading /proc/PID entries (a
  stealthier method).

3. Local Privilege Escalation in top (CVE-2018-1122)

  top reads its configuration file from the current working directory,
  without any security check, if the HOME environment variable is unset
  or empty. In this very unlikely scenario, an attacker can carry out an
  LPE (Local Privilege Escalation) if an administrator executes top in
  /tmp (for example), by exploiting one of several vulnerabilities in
  top's config_file() function.

4. Denial of Service in ps (CVE-2018-1123)

  An attacker can overflow the output buffer of ps, when executed by
  another user, administrator, or script: a denial of service only (not
  an LPE), because ps mmap()s its output buffer and mprotect()s its last
  page with PROT_NONE (an effective guard page).

5. Local Privilege Escalation in libprocps (CVE-2018-1124)

  An attacker can exploit an integer overflow in libprocps's
  file2strvec() function and carry out an LPE when another user,
  administrator, or script executes a vulnerable utility (pgrep, pidof,
  pkill, and w are vulnerable by default; other utilities are vulnerable
  if executed with non-default options). Moreover, an attacker's process
  running inside a container can trigger this vulnerability in a utility
  running outside the container: the attacker can exploit this userland
  vulnerability and break out of the container or chroot. We will
  publish our proof-of-concept exploits in the near future.

Additionally, CVE-2018-1125 has been assigned to
0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch, and
CVE-2018-1126 to 0035-proc-alloc.-Use-size_t-not-unsigned-int.patch.



1. FUSE-backed /proc/PID/cmdline (CVE-2018-1120)


In this experiment, we add a sleep(60) to hello_read() in
https://github.com/libfuse/libfuse/blob/master/example/hello.c and
compile it, mount it on /tmp/fuse, and mmap() /tmp/fuse/hello onto the
command-line arguments of a simple proof-of-concept:

$ gcc -Wall hello.c `pkg-config fuse --cflags --libs` -o hello
$ mkdir /tmp/fuse
$ ./hello /tmp/fuse

$ cat > fuse-backed-cmdline.c << "EOF"
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define die() do { \
fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)

#define PAGESZ ((size_t)4096)

int
main(const int argc, const char * const argv[])
{
if (argc <= 0) die();
const char * const arg_start = argv[0];
const char * const last_arg = argv[argc-1];
const char * const arg_end = last_arg + strlen(last_arg) + 1;

if (arg_end <= arg_start) die();
const size_t len = arg_

FreeBSD Security Advisory FreeBSD-SA-18:06.debugreg

2018-05-08 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:06.debugreg   Security Advisory
  The FreeBSD Project

Topic:  Mishandling of x86 debug exceptions

Category:   core
Module: kernel
Announced:  2018-05-08
Credits:Nick Peterson, Everdox Tech LLC
https://www.linkedin.com/in/everdox
Andy Lutomirski
Affects:All supported versions of FreeBSD.
Corrected:  2018-05-08 17:03:33 UTC (stable/11, 11.2-PRERELEASE)
2018-05-08 17:12:10 UTC (releng/11.1, 11.1-RELEASE-p10)
2018-05-08 17:05:39 UTC (stable/10, 10.4-STABLE)
2018-05-08 17:12:10 UTC (releng/10.4, 10.4-RELEASE-p9)
CVE Name:   CVE-2018-8897

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

On x86 architecture systems, the stack is represented by the combination of
a stack segment and a stack pointer, which must remain in sync for proper
operation.  Instructions related to manipulating the stack segment have
special handling to facilitate consistency with changes to the stack pointer.

II.  Problem Description

The MOV SS and POP SS instructions inhibit debug exceptions until the
instruction boundary following the next instruction.  If that instruction is
a system call or similar instruction that transfers control to the operating
system, the debug exception will be handled in the kernel context instead of
the user context.

III. Impact

An authenticated local attacker may be able to read sensitive data in kernel
memory, control low-level operating system functions, or may panic the
system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
using either a binary or source code patch, and then reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch.asc
# gpg --verify debugreg.11.1.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch.asc
# gpg --verify debugreg.10.4.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile and install your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path       Revision
-----------------------------
stable/10/        r70
releng/10.4/      r71
stable/11/        r69
releng/11.1/      r71
-----------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:06.debugreg.asc>

WebKitGTK+ Security Advisory WSA-2018-0004

2018-05-07 Thread Michael Catanzaro


WebKitGTK+ Security Advisory   WSA-2018-0004


Date reported  : May 07, 2018
Advisory ID: WSA-2018-0004
Advisory URL   : https://webkitgtk.org/security/WSA-2018-0004.html
CVE identifiers: CVE-2018-4121, CVE-2018-4200, CVE-2018-4204.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4121
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Natalie Silvanovich of Google Project Zero.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4200
   Versions affected: WebKitGTK+ before 2.20.2.
   Credit to Ivan Fratric of Google Project Zero.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: A memory corruption issue was
   addressed with improved state management.

CVE-2018-4204
   Versions affected: WebKitGTK+ before 2.20.1.
   Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero
   Day Initiative, found by OSS-Fuzz.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: A memory corruption issue was
   addressed with improved memory handling.


We recommend updating to the latest stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the latest
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
May 07, 2018



Advisory - Sourcetree for Windows - CVE-2018-5226

2018-04-30 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/ERyUO .


CVE ID:

* CVE-2018-5226.


Product: Sourcetree for Windows.

Affected Sourcetree for Windows product versions:

version < 2.5.5.0


Fixed Sourcetree for Windows product versions:

* Sourcetree for Windows 2.5.5.0 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Sourcetree for Windows before version 2.5.5.0 are affected by this
vulnerability.



Customers who have upgraded Sourcetree for Windows to version 2.5.5.0 are not
affected.
Customers using Sourcetree for Mac are not affected.

Customers who have downloaded and installed Sourcetree for Windows
versions earlier than 2.5.5.0 should upgrade their Sourcetree for Windows
installations immediately to fix this vulnerability.



SourceTree for Windows - Argument injection via Mercurial tag names -
CVE-2018-5226

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was an argument injection vulnerability in Sourcetree for Windows via
the name of a Mercurial repository tag that is about to be deleted. An
attacker with permission to create a tag on a Mercurial repository linked in
Sourcetree for Windows is able to exploit this issue to gain code execution
on the system. All versions of Sourcetree for Windows before 2.5.5.0 are
affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/SRCTREEWIN-8509 .



Fix:

To address this issue, we've released the following versions containing a fix:

* Sourcetree for Windows version 2.5.5.0

Remediation:

Upgrade Sourcetree for Windows to version 2.5.5.0 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.




For a full description of the latest version of Sourcetree for Windows, see
the release notes found at
https://www.sourcetreeapp.com/update/windows/ga/ReleaseNotes_2.5.5.html. You can
download the latest version of Sourcetree for Windows from the download centre
found at https://www.sourcetreeapp.com/.

Acknowledgements:
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to
us.





WebKitGTK+ Security Advisory WSA-2018-0003

2018-04-17 Thread Michael Catanzaro


WebKitGTK+ Security Advisory WSA-2018-0003


Date reported : April 04, 2018
Advisory ID : WSA-2018-0003
Advisory URL : https://webkitgtk.org/security/WSA-2018-0003.html
CVE identifiers : CVE-2018-4101, CVE-2018-4113, CVE-2018-4114,
CVE-2018-4117, CVE-2018-4118, CVE-2018-4119,
CVE-2018-4120, CVE-2018-4122, CVE-2018-4125,
CVE-2018-4127, CVE-2018-4128, CVE-2018-4129,
CVE-2018-4133, CVE-2018-4146, CVE-2018-4161,
CVE-2018-4162, CVE-2018-4163, CVE-2018-4165.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4101
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Yuan Deng of Ant-financial Light-Year Security Lab.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4113
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to OSS-Fuzz.
   Impact: Unexpected interaction with indexing types causing an ASSERT
   failure. Description: An array indexing issue existed in the
   handling of a function in JavaScriptCore. This issue was addressed
   through improved checks.

CVE-2018-4114
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to OSS-Fuzz.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4117
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to an anonymous researcher.
   Impact: A malicious website may exfiltrate data cross-origin.
   Description: A cross-origin issue existed with the fetch API. This
   was addressed through improved input validation.

CVE-2018-4118
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Jun Kokatsu (@shhnjk).
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4119
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to an anonymous researcher working with Trend Micro’s Zero
   Day Initiative.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4120
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4122
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to WanderingGlitch of Trend Micro's Zero Day Initiative.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4125
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to WanderingGlitch of Trend Micro's Zero Day Initiative.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4127
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to an anonymous researcher working with Trend Micro’s Zero
   Day Initiative.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4128
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Zach Markley.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4129
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to likemeng of Baidu Security Lab working with Trend Micro's
   Zero Day Initiative.
   Impact: Processing maliciously crafted web content may lead to
   arbitrary code execution. Description: Multiple memory corruption
   issues were addressed with improved memory handling.

CVE-2018-4133
   Versions affected: WebKitGTK+ before 2.20.0.
   Credit to Anton Lopanitsyn of Wallarm, Linus Särud of Detectify
   (detectify.com), Yuji Tounai of NTT Communications Corporation.
   Impact: Visiting a maliciously crafted website may lead to a cross-
   site scripting attack. Description: A cross-site scripting issue
   existed in WebKit. This issue was addressed with improved URL
   validation.

CVE-2018-4146
   Versions affected: We

Advisory - Fisheye and Crucible - CVE-2018-5223

2018-04-04 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/aS5sO and
https://confluence.atlassian.com/x/Zi5sO .


CVE ID:

* CVE-2018-5223.


Product: Fisheye and Crucible.

Affected Fisheye and Crucible product versions:

version < 4.4.6
4.5.0 <= version < 4.5.3


Fixed Fisheye and Crucible product versions:
* for 4.4.x, Fisheye 4.4.6 has been released with a fix for this issue.
* for 4.5.x, Fisheye 4.5.3 has been released with a fix for this issue.
* for 4.4.x, Crucible 4.4.6 has been released with a fix for this issue.
* for 4.5.x, Crucible 4.5.3 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability in Fisheye
and Crucible.
Versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and
from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) running on the Windows
operating system are affected by this vulnerability.


Customers who have upgraded Fisheye and Crucible installations to version 4.4.6
or 4.5.3 are not affected.

Customers who have downloaded and installed Fisheye or Crucible versions
earlier than 4.4.6 (the fixed version for 4.4.x), or versions >= 4.5.0 but
earlier than 4.5.3 (the fixed version for 4.5.x), should upgrade their
Fisheye and Crucible installations immediately to fix this vulnerability.


Argument injection through Mercurial repository URI handling on Windows
(CVE-2018-5223)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Fisheye and Crucible did not correctly check if a configured Mercurial
repository URI contained values that the Windows operating system may consider
argument parameters. An attacker who has permission to add a repository in
Fisheye or Crucible can execute code of their choice on systems that run a
vulnerable version of Fisheye or Crucible on the Windows operating system.
Versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and
from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) running on the Windows
operating system are affected by this vulnerability. This issue can be tracked
at: https://jira.atlassian.com/browse/FE-7014 .


Fix:

To address this issue, we've released the following versions containing a fix:

* Fisheye version 4.4.6
* Fisheye version 4.5.3
* Crucible version 4.4.6
* Crucible version 4.5.3

Remediation:

Upgrade Fisheye and Crucible to version 4.5.3 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Fisheye or Crucible 4.4.x and cannot upgrade to 4.5.3,
upgrade to version 4.4.6.


For a full description of the latest version of Fisheye, see
the release notes found at
https://confluence.atlassian.com/display/FISHEYE/Fisheye+releases. You can
download the latest version of Fisheye from the download centre found at
https://www.atlassian.com/software/fisheye/download.

For a full description of the latest version of Crucible, see
the release notes found at
https://confluence.atlassian.com/display/CRUCIBLE/Crucible+releases. You can
download the latest version of Crucible from the download centre found at
https://www.atlassian.com/software/crucible/download.


Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


Advisory - Bamboo - CVE-2018-5224

2018-04-04 Thread Atlassian
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/PS9sO .


CVE ID:

* CVE-2018-5224.


Product: Bamboo.

Affected Bamboo product versions:

2.7.0 <= version < 6.3.3
6.4.0 <= version < 6.4.1


Fixed Bamboo product versions:

* for 6.3.x, Bamboo 6.3.3 has been released with a fix for this issue.
* for 6.4.x, Bamboo 6.4.1 has been released with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from
version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows
operating system are affected by this vulnerability.



Customers who have upgraded Bamboo to version 6.3.3 or 6.4.1 are not affected.

Customers who have downloaded and installed Bamboo >= 2.7.0 but less than 6.3.3
(the fixed version for 6.3.x) or who have downloaded and installed Bamboo >=
6.4.0 but less than 6.4.1 (the fixed version for 6.4.x) please upgrade your
Bamboo installations immediately to fix this vulnerability.



Argument injection through Mercurial repository URI handling on Windows
(CVE-2018-5224)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Bamboo did not correctly check if a configured Mercurial repository URI
contained values that the Windows operating system may consider argument
parameters. An attacker who has permission to create a repository in Bamboo,
edit an existing plan in Bamboo that has a non-linked Mercurial repository, or
create a plan in Bamboo either globally or in a project using Bamboo Specs can
execute code of their choice on systems that run a vulnerable version of Bamboo
on the Windows operating system.
Versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for
6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running
on the Windows operating system are affected by this vulnerability. This issue
can be tracked at: https://jira.atlassian.com/browse/BAM-19743 .
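
The Fisheye/Crucible and Bamboo advisories above describe the same defect class: a
repository URI that is handed to a command line without first checking whether the
operating system's argument parsing would treat parts of it as options. The C below
is an added example, not Atlassian's fix or code from either product, of the kind of
allowlist check a repository-configuration endpoint can apply before the value is
used as a positional argument. The scheme allowlist, the function name and the sample
URIs are constructed for the demo.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist of URI schemes a repository may use.  A deployment
 * would extend it deliberately rather than accept arbitrary strings. */
static const char *const ALLOWED_SCHEMES[] = { "http://", "https://" };

/*
 * Return true when `uri` can be handed to a child process as one positional
 * argument.  The checks are a generic illustration, not the vendor's fix:
 *  - a leading '-' is refused, so the value can never be read as an option;
 *  - the value must start with an allowlisted scheme and have a non-empty
 *    remainder;
 *  - whitespace, quotes and control characters are refused, since the
 *    Windows command-line parser uses them to split or quote arguments.
 */
bool repo_uri_is_safe(const char *uri)
{
    if (uri == NULL || uri[0] == '\0' || uri[0] == '-')
        return false;

    bool scheme_ok = false;
    for (size_t i = 0; i < sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0]; i++) {
        size_t n = strlen(ALLOWED_SCHEMES[i]);
        if (strncmp(uri, ALLOWED_SCHEMES[i], n) == 0 && uri[n] != '\0') {
            scheme_ok = true;
            break;
        }
    }
    if (!scheme_ok)
        return false;

    for (const unsigned char *p = (const unsigned char *)uri; *p != '\0'; p++) {
        if (isspace(*p) || iscntrl(*p) || *p == '"' || *p == '\'')
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisories. */
    const char *samples[] = {
        "https://hg.example.com/repo",          /* accepted */
        "--version",                            /* refused: reads as an option */
        "https://hg.example.com/repo --verbose" /* refused: would split into two args */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i], repo_uri_is_safe(samples[i]) ? "ok" : "rejected");
    return 0;
}
```

The check is deliberately an allowlist: rejecting only a leading dash would still let a value that splits on whitespace reach the child process as two arguments, which is why the character scan is part of the same function.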



Fix:

To address this issue, we've released the following versions containing a fix:

* Bamboo version 6.3.3
* Bamboo version 6.4.1

Remediation:

Upgrade Bamboo to version 6.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Bamboo 6.3.x and cannot upgrade to 6.4.1, upgrade to version
6.3.3.


For a full description of the latest version of Bamboo, see
the release notes found at
https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can
download the latest version of Bamboo from the download centre found at
https://www.atlassian.com/software/bamboo/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


FreeBSD Security Advisory FreeBSD-SA-18:05.ipsec

2018-04-03 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:05.ipsec  Security Advisory
  The FreeBSD Project

Topic:  ipsec crash or denial of service

Category:   core
Module: ipsec
Announced:  2018-04-04
Credits:Maxime Villard
Affects:All supported versions of FreeBSD.
Corrected:  2018-01-31 09:24:48 UTC (stable/11, 11.1-STABLE)
2018-04-04 05:37:52 UTC (releng/11.1, 11.1-RELEASE-p9)
2018-01-31 09:26:28 UTC (stable/10, 10.4-STABLE)
2018-04-04 05:37:52 UTC (releng/10.4, 10.4-RELEASE-p8)
2018-04-04 05:37:52 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:   CVE-2018-6918

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provides network-level security for IPv4 and IPv6
packets.  FreeBSD includes software originally developed by the KAME project
which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

The length field of the option header does not count the size of the option
header itself.  This causes a problem when the length is zero: the offset is
then incremented by zero, which causes an infinite loop.

In addition there are pointer/offset mistakes in the handling of IPv4
options.
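
As an added illustration, not code from the advisory or from FreeBSD, the C below
walks a constructed sequence of type/length/value options in the layout the advisory
describes (the length byte excludes the two header bytes). The buggy walker advances
by the length alone and stalls on a zero-length option; the corrected one adds the
header size and bounds-checks the length before using it. The option layout, the
OPT_PAD1 value and the sample buffers are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed option layout, matching the advisory's description: a 1-byte
 * type, a 1-byte length that does NOT count the 2-byte type/length header,
 * then `len` bytes of data.  Type 0 is a single-byte pad with no length
 * byte (an assumption for this demo, modelled on IPv6 Pad1).
 */
#define OPT_PAD1 0

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[]  = { 0x01, 0x00,             /* type 1, len 0 */
                                      0x05, 0x02, 0xAA, 0xBB, /* type 5, len 2 */
                                      0x00 };                 /* pad1 */
static const uint8_t SAMPLE_BAD[] = { 0x05, 0x09, 0x00 };     /* len 9 > buffer */

/*
 * Buggy walker with the defect the advisory describes: it advances by the
 * option length alone, so a len == 0 option leaves `off` unchanged and the
 * loop never terminates.  The iteration cap exists only so this demo
 * returns; -1 means the cap tripped, i.e. the real loop would spin forever.
 */
int walk_options_buggy(const uint8_t *buf, size_t buflen, int cap)
{
    size_t off = 0;
    int n = 0;
    while (off < buflen) {
        if (n >= cap)
            return -1;                 /* stalled: would loop forever */
        n++;
        if (buf[off] == OPT_PAD1) {
            off += 1;
            continue;
        }
        if (off + 1 >= buflen)
            return -2;                 /* truncated header */
        off += buf[off + 1];           /* BUG: header bytes not counted */
    }
    return n;
}

/*
 * Corrected walker: every option moves `off` forward by at least one byte,
 * and a length that runs past the buffer is rejected before it is used.
 * Returns the number of options parsed, or -1 for malformed input.
 */
int walk_options_fixed(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int n = 0;
    while (off < buflen) {
        if (buf[off] == OPT_PAD1) {
            off += 1;
            n++;
            continue;
        }
        if (off + 2 > buflen)
            return -1;                 /* truncated header */
        size_t len = buf[off + 1];
        if (len > buflen - off - 2)
            return -1;                 /* data runs past the buffer */
        off += 2 + len;                /* header + payload, always > 0 */
        n++;
    }
    return n;
}

int main(void)
{
    printf("fixed/ok  = %d\n", walk_options_fixed(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("fixed/bad = %d\n", walk_options_fixed(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("buggy/ok  = %d\n", walk_options_buggy(SAMPLE_OK, sizeof SAMPLE_OK, 16));
    return 0;
}
```

The two properties worth checking in any option walker are visible here: the offset must strictly increase on every iteration, and the length must be validated against the remaining buffer before it is added to the offset or used to read data.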

III. Impact

A remote attacker who is able to send an arbitrary packet could cause the
remote target machine to crash.

IV.  Workaround

No workaround is available.  Note that in FreeBSD 10 IPsec is not included
in the kernel by default, but it is in FreeBSD 11.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r328621
releng/10.3/                                                      r331985
releng/10.4/                                                      r331985
stable/11/                                                        r328620
releng/11.1/                                                      r331985
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6918>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc>
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrEZuRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKpOxAAlcyr88qHimXmMWNelNe+RvNkRoQwlmOw5XCWmWFGt4bX6KyrPSNVkZXK
9bZr0+sYiEjHPstXy+F6v95wqShRiefwpLVNJkP6LFKdQJeuxy0Uwsgl/i3aZVHy
q4iM+PgnMwt5FxzmIcFHjwZSGGaOw5p9dMlkFLxXQ6chafPutMbgkXMIGVGXEp4e
iwQgmh7j5LbUED0P9G7sYpcEN+DKZLWIyvz6L/AJme

FreeBSD Security Advisory FreeBSD-SA-18:04.vt

2018-04-03 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:04.vt Security Advisory
  The FreeBSD Project

Topic:  vt console memory disclosure

Category:   core
Module: vt console
Announced:  2018-04-04
Credits:Dr Silvio Cesare of InfoSect
Affects:All supported versions of FreeBSD.
Corrected:  2018-04-04 05:24:59 UTC (stable/11, 11.1-STABLE)
2018-04-04 05:33:56 UTC (releng/11.1, 11.1-RELEASE-p9)
2018-04-04 05:26:33 UTC (stable/10, 10.4-STABLE)
2018-04-04 05:33:56 UTC (releng/10.4, 10.4-RELEASE-p8)
2018-04-04 05:33:56 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:   CVE-2018-6917

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

On FreeBSD 11 and later, and FreeBSD 10.x systems that boot via UEFI, the
default system video console is provided by the vt(4) driver.  The console
allows the user, including an unprivileged user, to load a font at runtime.

II.  Problem Description

Insufficient validation of user-provided font parameters can result in an
integer overflow, leading to the use of arbitrary kernel memory as glyph
data.  Characters that reference this data can be displayed on the screen,
effectively disclosing kernel memory.
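
An added example, not vt(4)'s code, showing the arithmetic the advisory is about:
the size of a glyph table is a product of user-supplied dimensions, and if that
product is formed without range checks it can wrap, so a small buffer passes the
size check while glyph lookups index far beyond it. The struct, the limits, the
function names and the sample values are constructed for the demo.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical font description as supplied from user space; a constructed
 * type for the demo, not vt(4)'s real structure. */
struct font_params {
    uint32_t width;    /* glyph width in pixels */
    uint32_t height;   /* glyph height in pixels */
    uint32_t nglyphs;  /* number of glyphs in the table */
};

/* Upper bounds a console font should never exceed (constructed values). */
#define FONT_MAX_WIDTH   64u
#define FONT_MAX_HEIGHT  64u
#define FONT_MAX_GLYPHS  65536u

/* Constructed sample inputs: a normal 8x16 font, and one whose glyph count
 * makes the byte count wrap in 32-bit arithmetic. */
static const struct font_params SAMPLE_OK   = { 8, 16, 256 };
static const struct font_params SAMPLE_HUGE = { 8, 16, 0x10000001u };

/* Unchecked computation, the shape of the defect the advisory describes.
 * The product is formed in 32 bits (the size type a 32-bit kernel would
 * use), so a large nglyphs wraps to a small value: 16 * 0x10000001 becomes
 * 16, a short buffer passes the size check, and glyph lookups then read
 * whatever kernel memory follows it. */
uint32_t glyph_table_size_unchecked(const struct font_params *p)
{
    uint32_t bytes_per_row = (p->width + 7) / 8;
    return bytes_per_row * p->height * p->nglyphs;
}

/* Multiply two 32-bit values, reporting overflow instead of wrapping. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Validated computation: reject out-of-range dimensions first, then form
 * the product with overflow checks (belt and braces, since the limits
 * already keep the product in range).  Returns 0 and stores the byte size,
 * or -1 when the parameters are rejected. */
int glyph_table_size_checked(const struct font_params *p, uint32_t *size)
{
    if (p->width == 0 || p->width > FONT_MAX_WIDTH ||
        p->height == 0 || p->height > FONT_MAX_HEIGHT ||
        p->nglyphs == 0 || p->nglyphs > FONT_MAX_GLYPHS)
        return -1;
    uint32_t bytes_per_row = (p->width + 7) / 8;
    uint32_t glyph_bytes, total;
    if (mul_u32_checked(bytes_per_row, p->height, &glyph_bytes) != 0 ||
        mul_u32_checked(glyph_bytes, p->nglyphs, &total) != 0)
        return -1;
    *size = total;
    return 0;
}

/* Convenience wrapper: validated size, or 0 when the font is rejected. */
uint32_t glyph_table_size_or_zero(const struct font_params *p)
{
    uint32_t size;
    return glyph_table_size_checked(p, &size) == 0 ? size : 0;
}

int main(void)
{
    printf("ok   : checked=%" PRIu32 " unchecked=%" PRIu32 "\n",
           glyph_table_size_or_zero(&SAMPLE_OK), glyph_table_size_unchecked(&SAMPLE_OK));
    printf("huge : checked=%" PRIu32 " unchecked=%" PRIu32 "\n",
           glyph_table_size_or_zero(&SAMPLE_HUGE), glyph_table_size_unchecked(&SAMPLE_HUGE));
    return 0;
}
```

Explicit upper bounds are the primary defence: once width, height and glyph count are capped at values a console could plausibly use, the product cannot overflow and the buffer length the caller supplies can be compared against a trustworthy size.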

III. Impact

Unprivileged users may be able to access privileged kernel data.

Such memory might contain sensitive information, such as portions of the file
cache or terminal buffers.  This information might be directly useful, or it
might be leveraged to obtain elevated privileges in some way; for example,
a terminal buffer might include a user-entered password.

IV.  Workaround

The syscons sc(4) system console is not affected by this issue and may be
used on systems that do not boot via UEFI.  To use the syscons console,
set the kern.vty tunable in /boot/loader.conf as described in sc(4), and
reboot.  No workaround is available for systems that boot via UEFI.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is required after the upgrade.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch
# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch.asc
# gpg --verify vt.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r331983
releng/10.3/                                                      r331984
releng/10.4/                                                      r331984
stable/11/                                                        r331982
releng/11.1/                                                      r331984
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a
machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6917>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:04.vt.asc>
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlrEZttfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cI5CBAAmZS+2l3qNafZ0FQDKONeX+jiyJt6lPWk2L

Advisory - Bitbucket Server - CVE-2018-5225

2018-03-21 Thread Matthew Hart
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

This email refers to the advisory found at
https://confluence.atlassian.com/x/3WNsO


CVE ID: CVE-2018-5225


Products: Bitbucket Server

Affected Bitbucket Server Versions:
4.13.0 <= version < 5.4.8
5.5.0 <= version < 5.5.8
5.6.0 <= version < 5.6.5
5.7.0 <= version < 5.7.3
5.8.0 <= version < 5.8.2

Fixed Bitbucket Server Versions:
5.4.8
5.5.8
5.6.5
5.7.3
5.8.2
5.9.0


Summary:
This advisory discloses a critical severity security vulnerability
which was introduced in version 4.13.0 of Bitbucket Server. All
versions of Bitbucket Server before 5.4.8 (the fixed version for
4.13.0 through to 5.4.7), 5.5.0 before 5.5.8 (the fixed version for
5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before
5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed
version for 5.8.x) are affected by this vulnerability. Bitbucket
Server 5.9.0 is not impacted by this vulnerability.


Customers who have upgraded Bitbucket Server to version 5.4.8, 5.5.8,
5.6.5, 5.7.3, 5.8.2 or 5.9.0 are not affected.


Customers who have downloaded and installed Bitbucket Server >= 4.13.0
but less than 5.4.8 (the fixed version for 4.13.0 through to 5.4.7),
>= 5.5.0 but less than 5.5.8 (the fixed version for 5.5.x), >= 5.6.0
but less than 5.6.5 (the fixed version for 5.6.x), >= 5.7.0 but less
than 5.7.3 (the fixed version for 5.7.x), or >= 5.8.0 but less than
5.8.2 (the fixed version for 5.8.x): please upgrade your Bitbucket
Server installations immediately to fix this vulnerability.



Remote Code Execution via In-Browser Editing - CVE-2018-5225

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is our assessment and you should evaluate its applicability to
your own IT environment.

Description:

An authenticated user of Bitbucket Server could gain remote code
execution by editing a symbolic link within a repository through the
in-browser editing feature.

All versions of Bitbucket Server before 5.4.8 (the fixed version for
4.13.0 through to 5.4.7), 5.5.0 before 5.5.8 (the fixed version for
5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before
5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed
version for 5.8.x) are affected by this vulnerability. Bitbucket
Server 5.9.0 is not impacted by this vulnerability. This issue can be
tracked here:

Fix:

We have taken the following steps to address this issue:

Released Bitbucket Server version 5.9.0 that contains a fix for this
issue and can be downloaded from
https://www.atlassian.com/software/bitbucket/download.
Released Bitbucket Server version 5.8.2 that contains a fix for this
issue and can be downloaded from
https://www.atlassian.com/software/bitbucket/download-archives.
Released Bitbucket Server version 5.7.3 that contains a fix for this
issue and can be downloaded from
https://www.atlassian.com/software/bitbucket/download-archives.
Released Bitbucket Server version 5.6.5 that contains a fix for this
issue and can be downloaded from
https://www.atlassian.com/software/bitbucket/download-archives.
Released Bitbucket Server version 5.5.8 that contains a fix for this
issue and can be downloaded from
https://www.atlassian.com/software/bitbucket/download-archives.
Released Bitbucket Server version 5.4.8 that contains a fix for this
issue and can be downloaded from
https://www.atlassian.com/software/bitbucket/download-archives.

What You Need to Do:
Atlassian recommends that you upgrade to the latest version. For a
full description of the latest version of Bitbucket Server, see the
release notes. You can download the latest version of Bitbucket Server
from the download centre.


Mitigation:
If you are running an affected version of Bitbucket Server and cannot
upgrade to an unaffected version the following mitigation can be
performed:

Set feature.file.editor=false in the bitbucket.properties file

Restart Bitbucket Server for changes to become effective

Please note that this mitigation does not protect against cases where
third-party plugins use the file editing API programmatically.


Support:
If you did not receive an email for this advisory and you wish to
receive such emails in the future go to https://my.atlassian.com/email
and subscribe to the Alerts emails.

If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/.

References:
Security Bug fix Policy
As per our new policy, critical security bug fixes will be backported
in accordance with
https://www.atlassian.com/trust/security/bug-fix-policy.  We will
release new bug fix releases for the versions covered by the new
policy instead of binary patches.

Binary patches are no 

FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution

2018-03-14 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=
FreeBSD-SA-18:03.speculative_execution  Security Advisory
  The FreeBSD Project

Topic:  Speculative Execution Vulnerabilities

Category:   core
Module: kernel
Announced:  2018-03-14
Credits:Jann Horn (Google Project Zero); Werner Haas, Thomas
Prescher (Cyberus Technology); Daniel Gruss, Moritz Lipp,
Stefan Mangard, Michael Schwarz (Graz University of
Technology); Paul Kocher; Daniel Genkin (University of
Pennsylvania and University of Maryland), Mike Hamburg
(Rambus); Yuval Yarom (University of Adelaide and Data6)
Affects:All supported versions of FreeBSD.
Corrected:  2018-02-17 18:00:01 UTC (stable/11, 11.1-STABLE)
2018-03-14 04:00:00 UTC (releng/11.1, 11.1-RELEASE-p8)
CVE Name:   CVE-2017-5715, CVE-2017-5754

Special Note:   Speculative execution vulnerability mitigation is a work
in progress.  This advisory addresses the most significant
issues for FreeBSD 11.1 on amd64 CPUs.  We expect to update
this advisory to include 10.x for amd64 CPUs.  Future FreeBSD
releases will address this issue on i386 and other CPUs.
freebsd-update will include changes on i386 as part of this
update due to common code changes shared between amd64 and
i386, however it contains no functional changes for i386 (in
particular, it does not mitigate the issue on i386).

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Many modern processors have implementation issues that allow unprivileged
attackers to bypass user-kernel or inter-process memory access restrictions
by exploiting speculative execution and shared resources (for example,
caches).

II.  Problem Description

A number of issues relating to speculative execution were found last year
and publicly announced January 3rd.  Two of these, known as Meltdown and
Spectre V2, are addressed here.

CVE-2017-5754 (Meltdown)
------------------------

This issue relies on an affected CPU speculatively executing instructions
beyond a faulting instruction.  When this happens, changes to architectural
state are not committed, but observable changes may be left in micro-
architectural state (for example, cache).  This may be used to infer
privileged data.

CVE-2017-5715 (Spectre V2)
--------------------------

Spectre V2 uses branch target injection to speculatively execute kernel code
at an address under the control of an attacker.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility, followed
by a reboot into the new kernel:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch 
https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch
# fetch 
https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch.asc
# gpg --verify speculative_execution-amd64-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

CVE-2017-5754 (Meltdown)
------------------------

The mitigation is known as Page Table Isolation (PTI).  PTI largely separates
kernel and user mode page tables, so that even during speculative execution
most of the kernel's data is unmapped and not accessible.

A demonstration of the Meltdown vulnerability is available at
https://github.com/dag-erling/meltdown.  A positive result is definitive
(that is, the vulnerability exists with certainty).  A negative result
indicates either that the CPU is not affected, or that the test is not
capable of demonstrating the is
