CVE-2020-7461
https://notcve.org/view.php?id=CVE-2020-7461
In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119 resulting a heap overflow. The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. En FreeBSD versiones 12.1-STABLE anteriores a r365010, 11.4-STABLE anteriores a r365011, 12.1-RELEASE anteriores a p9, 11.4-RELEASE anteriores a p3 y 11.3-RELEASE anteriores a p13, dhclient(8) no puede manejar determinadas entradas malformadas relacionadas con el manejo de la opción 119 de DHCP resultando en un desbordamiento de la pila. En principio, el desbordamiento de la pila podría explotarse para lograr una ejecución de código remota. • https://github.com/knqyf263/CVE-2020-7461 https://cert-portal.siemens.com/productcert/pdf/ssa-288459.pdf https://security.FreeBSD.org/advisories/FreeBSD-SA-20:26.dhclient.asc • CWE-787: Out-of-bounds Write •
CVE-2020-7463
https://notcve.org/view.php?id=CVE-2020-7463
In FreeBSD 12.1-STABLE before r364644, 11.4-STABLE before r364651, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, improper handling in the kernel causes a use-after-free bug by sending large user messages from multiple threads on the same SCTP socket. The use-after-free situation may result in unintended kernel behaviour including a kernel panic. En FreeBSD versiones 12.1-STABLE anteriores a r364644, 11.4-STABLE anteriores a r364651, 12.1-RELEASE anteriores a p9, 11.4-RELEASE anteriores a p3 y 11.3-RELEASE anteriores a p13, el manejo inapropiado en el kernel causa un bug de uso de la memoria previamente liberada mediante el envío de mensajes de usuario grandes de múltiples subprocesos en el mismo socket SCTP. La situación del uso de la memoria previamente liberada puede resultar en un comportamiento del kernel no deseado, incluyendo un pánico del kernel. • http://seclists.org/fulldisclosure/2021/Apr/49 http://seclists.org/fulldisclosure/2021/Apr/50 http://seclists.org/fulldisclosure/2021/Apr/57 http://seclists.org/fulldisclosure/2021/Apr/58 http://seclists.org/fulldisclosure/2021/Apr/59 https://security.FreeBSD.org/advisories/FreeBSD-SA-20:25.sctp.asc https://support.apple.com/kb/HT212317 https://support.apple.com/kb/HT212318 https://support.apple.com/kb/HT212319 https://support.apple.com/kb/HT212321 https://support.app • CWE-416: Use After Free •
CVE-2020-25579
https://notcve.org/view.php?id=CVE-2020-25579
In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes. En FreeBSD versiones 12.2-STABLE anteriores a r368969, 11.4-STABLE anteriores a r369047, 12.2-RELEASE anteriores a p3, 12.1-RELEASE anteriores a p13 y 11.4-RELEASE anteriores a p7, msdosfs(5) no lograba llenar con cero un par de campos de relleno en la estructura dirent, resultando en una pérdida de tres bytes no inicializados. • https://security.FreeBSD.org/advisories/FreeBSD-SA-21:01.fsdisclosure.asc https://security.netapp.com/advisory/ntap-20210423-0002 • CWE-909: Missing Initialization of Resource •
CVE-2020-25578
https://notcve.org/view.php?id=CVE-2020-25578
In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems. En FreeBSD versiones 12.2-STABLE anteriores a r368969, 11.4-STABLE anteriores a r369047, 12.2-RELEASE anteriores a p3, 12.1-RELEASE anteriores a p13 y 11.4-RELEASE anteriores a p7, varios sistemas de archivos no estaban inicializando apropiadamente el campo d_off de las estructuras dirent devueltas por VOP_READDIR. En particular, tmpfs(5), smbfs(5), autofs(5) y mqueuefs(5) no lo hicieron. • https://security.FreeBSD.org/advisories/FreeBSD-SA-21:01.fsdisclosure.asc https://security.netapp.com/advisory/ntap-20210423-0002 • CWE-665: Improper Initialization •
CVE-2020-25582
https://notcve.org/view.php?id=CVE-2020-25582
In FreeBSD 12.2-STABLE before r369334, 11.4-STABLE before r369335, 12.2-RELEASE before p4 and 11.4-RELEASE before p8 when a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed. En FreeBSD versiones 12.2-STABLE anteriores a r369334, 11.4-STABLE anteriores a r369335, 12.2-RELEASE anteriores a p4 y 11.4-RELEASE anteriores a p8, cuando un proceso, como jexec(8) o killall(1), llama a jail_attach(2) para ingresar una jail, la root enjaulada puede adjuntarse a él usando ptrace(2) antes de que se cambie el directorio de trabajo actual. • https://security.FreeBSD.org/advisories/FreeBSD-SA-21:05.jail_chdir.asc https://security.netapp.com/advisory/ntap-20210423-0003 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •