
CVE-2022-23085 – Potential jail escape vulnerabilities in netmap
https://notcve.org/view.php?id=CVE-2022-23085
20 Sep 2022 — A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment. Se pasó una opción de entero proporcionada por el usuario a nmreq_copyin() sin comprobar si se desbordaría. Esta comprobación de los límites insuficiente podría provocar daños en la memoria del kernel. • https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2022-23084 – Potential jail escape vulnerabilities in netmap
https://notcve.org/view.php?id=CVE-2022-23084
20 Sep 2022 — The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment. El tamaño total del nmreq proporcionado por el usuario a nmreq_copyin() se calculó primero y luego se confió en él durante la copia. Este error de tiempo de verificación a tiempo de u... • https://security.freebsd.org/advisories/FreeBSD-SA-22:04.netmap.asc • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •

CVE-2022-23086 – mpr/mps/mpt driver ioctl heap out-of-bounds write
https://notcve.org/view.php?id=CVE-2022-23086
20 Sep 2022 — Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group. Los controladores para *_CFG_PAGE lectura/escritura ioctls e... • https://security.freebsd.org/advisories/FreeBSD-SA-22:06.ioctl.asc • CWE-122: Heap-based Buffer Overflow •

CVE-2022-32264
https://notcve.org/view.php?id=CVE-2022-32264
06 Sep 2022 — sys/netinet/tcp_timer.h in FreeBSD before 7.0 contains a denial-of-service (DoS) vulnerability due to improper handling of TSopt on TCP connections. NOTE: This vulnerability only affects products that are no longer supported by the maintainer El archivo sys/netinet/tcp_timer.h en FreeBSD versiones anteriores a 7.0, contiene una vulnerabilidad de denegación de servicio (DoS) debido a un manejo inapropiado de TSopt en conexiones TCP. NOTA: Esta vulnerabilidad sólo afecta a productos que ya no son soportados p... • http://jvn.jp/en/jp/JVN20930118 • CWE-755: Improper Handling of Exceptional Conditions •

CVE-2022-23090 – AIO credential reference count leak
https://notcve.org/view.php?id=CVE-2022-23090
18 Aug 2022 — The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case. An attacker may cause the reference count to overflow, leading to a use after free (UAF). La función aio_aqueue, utilizada por la llamada al sistema lio_listio, no puede liberar una referencia a una credencial en un caso de error. Un atacante puede provocar que el recuento de referencias se desborde, lo que provocará un use after free (UAF). • https://packetstorm.news/files/id/168105 • CWE-416: Use After Free •

CVE-2022-23088 – 802.11 heap buffer overflow
https://notcve.org/view.php?id=CVE-2022-23088
31 May 2022 — The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution. La rutina de manejo de balizas 802.11 no pudo validar la longitud de un ID de malla IEEE 802.11 antes de copiarlo en un búfer asignado en montón. Mientras un cliente Wi-Fi de FreeBSD está en modo de esc... • https://security.freebsd.org/advisories/FreeBSD-SA-22:07.wifi_meshid.asc • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2021-29632
https://notcve.org/view.php?id=CVE-2021-29632
18 Jan 2022 — In FreeBSD 13.0-STABLE before n247428-9352de39c3dc, 12.2-STABLE before r370674, 13.0-RELEASE before p6, and 12.2-RELEASE before p12, certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory. En FreeBSD versión 13.0-STABLE anteriores a n247428-9352de39c3dc, 12.2-STABLE anteriores a r370674, 13.0-RELEASE anteriores a p6 y 12.2-RELEASE anteriores a p12, en determinadas co... • https://security.freebsd.org/advisories/FreeBSD-SA-22:01.vt.asc •

CVE-2011-1075
https://notcve.org/view.php?id=CVE-2011-1075
19 Oct 2021 — FreeBSD's crontab calculates the MD5 sum of the previous and new cronjob to determine if any changes have been made before copying the new version in. In particular, it uses the MD5File() function, which takes a pathname as an argument, and is called with euid 0. A race condition in this process may lead to an arbitrary MD5 comparison regardless of the read permissions. El crontab de FreeBSD calcula la suma MD5 del cronjob anterior y del nuevo para determinar si se han realizado cambios antes de copiar la n... • https://marc.info/?l=full-disclosure&m=129891323028897&w=2 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2021-29630
https://notcve.org/view.php?id=CVE-2021-29630
30 Aug 2021 — In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before r370383, 11.4-STABLE before r370381, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, the ggatec daemon does not validate the size of a response before writing it to a fixed-sized buffer allowing a malicious attacker in a privileged network position to overwrite the stack of ggatec and potentially execute arbitrary code. En FreeBSD versiones 13.0-STABLE anteriores a n246938-0729ba2f49c9, 12.2-STABLE anteriore... • https://security.FreeBSD.org/advisories/FreeBSD-SA-21:14.ggatec.asc • CWE-787: Out-of-bounds Write •

CVE-2021-29631
https://notcve.org/view.php?id=CVE-2021-29631
30 Aug 2021 — In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle errors when fetching I/O descriptors. A malicious guest may cause the device model to operate on uninitialized I/O vectors leading to memory corruption, crashing of the bhyve process, and possibly arbitrary code execution in the bhyve process. En FreeBSD versiones ... • https://security.FreeBSD.org/advisories/FreeBSD-SA-21:13.bhyve.asc • CWE-908: Use of Uninitialized Resource •