
Commit 076f569

laffer1 and claude committed
Add historical 2022 advisories MNBSD-2022-2 through 16
Backfill 2022 security advisories from the website release notes, cross-referenced with src UPDATING/git history and the corresponding FreeBSD security advisories (SA-22:02 through SA-22:14).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent ed51dd6 commit 076f569

15 files changed

Lines changed: 355 additions & 0 deletions
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
id: MNBSD-2022-10
2+
summary: Out-of-bounds read in the ELF core dump handler
3+
details: |
4+
When dumping core and saving process information, proc_getargv() could return an sbuf whose sbuf_len() was 0 or -1, a case that was not handled correctly. A crafted ps_strings could trigger an out-of-bounds read in the ELF core dump handler and crash the kernel.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.2.3"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:09.elf.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2022-23089
19+
- type: WEB
20+
url: https://github.com/MidnightBSD/src/commit/527534a7fa62
21+
aliases:
22+
- CVE-2022-23089
23+
modified: "2022-08-09T12:00:00Z"
24+
published: "2022-08-09T12:00:00Z"
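Review bot: every entry in the `references` list is `type: WEB`, although OSV defines more specific reference types; the FreeBSD-SA-22:09.elf.asc link should be `type: ADVISORY` and the MidnightBSD src commit 527534a7fa62 should be `type: FIX`, otherwise tooling that looks for a FIX reference to locate the patch will not find it. The same three-link pattern with `type: WEB` throughout recurs in each record of this commit, so it is worth fixing in one pass. The `details` also say nothing about whether a workaround exists; the referenced FreeBSD advisory has a Workaround section, and mirroring that one line (even if it is "none") saves readers a trip to the upstream text.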
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
id: MNBSD-2022-11
2+
summary: aio_aqueue() credential reference leak leading to use-after-free
3+
details: |
4+
The aio_aqueue() function failed to release a credential reference on an error path. Repeatedly triggering the error could overflow the reference count, leading to a use-after-free that a local user might leverage for privilege escalation.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.2.3"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:10.aio.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2022-23090
19+
- type: WEB
20+
url: https://github.com/MidnightBSD/src/commit/7f83d23ecfce
21+
aliases:
22+
- CVE-2022-23090
23+
modified: "2022-08-09T12:00:00Z"
24+
published: "2022-08-09T12:00:00Z"
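Review bot: `modified` is set equal to `published` ("2022-08-09T12:00:00Z"), but this record is being created now by a backfill commit, and in the OSV schema `modified` is the time the record itself was last changed, not the original advisory date; it should carry the backfill date, and the same applies to every record in this commit. The `12:00:00Z` time is evidently a placeholder for an unknown publication time; either document that convention in the repository or drop the precision rather than asserting a time of day that the release notes do not give. On the substance, the `details` say "a local user might leverage" the use-after-free for privilege escalation; if the referenced FreeBSD-SA-22:10.aio.asc states that the aio_aqueue() path is reachable by an unprivileged user, say "unprivileged local user" so the severity is unambiguous.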
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
id: MNBSD-2022-12
2+
summary: Virtual memory use-after-free via retained mapping of a freed page
3+
details: |
4+
A flaw in the virtual memory system allowed an unprivileged local user to maintain a mapping of a page after it had been freed, enabling unauthorized access to sensitive data belonging to other processes or the kernel.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.2.3"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:11.vm.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2022-23091
19+
- type: WEB
20+
url: https://github.com/MidnightBSD/src/commit/0c88ecaa1255
21+
aliases:
22+
- CVE-2022-23091
23+
modified: "2022-08-09T12:00:00Z"
24+
published: "2022-08-09T12:00:00Z"
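Review bot: the `details` describe the impact only as "unauthorized access to sensitive data", i.e. a read. A process that keeps a mapping of a page after it has been freed and reused can, if the mapping is writable, also modify whatever the page now holds, which is a privilege-escalation path rather than only a disclosure; the record does not say whether the retained mapping is writable, so check the Impact section of the referenced FreeBSD-SA-22:11.vm.asc and mirror its wording here so the entry is not understated. The `summary` calls this a use-after-free, which is accurate, but repeating the "retained mapping of a freed page" phrasing from `details` in the summary would make the record easier to find for anyone searching from the FreeBSD advisory text.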
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
id: MNBSD-2022-13
2+
summary: Out-of-bounds write in lib9p RWALK message handling
3+
details: |
4+
A missing bounds check in the RWALK message handling of lib9p, used by bhyve's virtio-9p (VirtFS) device, allowed a malicious guest to overwrite unrelated memory in the bhyve process, potentially enabling user-mode code execution on the host.
5+
affected:
6+
- package:
7+
name: lib9p
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.2.3"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:12.lib9p.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2022-23092
19+
- type: WEB
20+
url: https://github.com/MidnightBSD/src/commit/c536045c51da
21+
aliases:
22+
- CVE-2022-23092
23+
modified: "2022-08-09T12:00:00Z"
24+
published: "2022-08-09T12:00:00Z"
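Review bot: `package.name: lib9p` names the component that contains the bug, but the `details` make clear the attacker is a malicious guest reaching lib9p through bhyve's virtio-9p (VirtFS) device, so a host is exposed only if it runs bhyve guests with a virtio-9p share configured; state that precondition in `details` so scanners matching on version alone do not flag every 2.2.x install as exploitable. Since the process that gets its memory overwritten is bhyve, consider also recording bhyve as the affected package (or a `database_specific` note) so people who track bhyve rather than lib9p see the record.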
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
id: MNBSD-2022-14
2+
summary: Memory corruption in CAM error-recovery command retry
3+
details: |
4+
When a CAM-managed device responds to a command with an error condition, CAM may automatically retry the command following an error recovery protocol, preserving an in-memory copy of the original command. A specific portion of the command state was not saved correctly, so upon retry this could lead to memory corruption.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.2.3"
14+
references:
15+
- type: WEB
16+
url: https://github.com/MidnightBSD/src/commit/dafba4e4618d
17+
modified: "2022-08-10T12:00:00Z"
18+
published: "2022-08-10T12:00:00Z"
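Review bot: this is the only record in the batch with no CVE alias and no advisory reference; the sole reference is the src commit dafba4e4618d. If there really is no upstream identifier, say so in `details` so the absence is not read as an omission, and if FreeBSD shipped this as an advisory or errata notice, add that link. The description "a specific portion of the command state was not saved correctly" is too vague to act on: name the field from the fix commit, and state who can trigger it (a faulty or malicious device returning error conditions, a local user, or both) and what the memory corruption leads to, since without that a reader cannot judge the severity at all.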
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2022-15
2+
summary: zlib heap buffer over-read/overflow in inflate() via large gzip header extra field
3+
details: |
4+
zlib through 1.2.12 had a heap-based buffer over-read or buffer overflow in inflate() in inflate.c via a large gzip header extra field. Applications that use inflateGetHeader() to process untrusted gzip data with a large extra field could be affected. Fixed on the current branch in 2.2.4 and on the older 1.2.x branch in 1.2.11.
5+
affected:
6+
- package:
7+
name: zlib
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.2.4"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:13.zlib.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2022-37434
19+
aliases:
20+
- CVE-2022-37434
21+
modified: "2022-08-30T12:00:00Z"
22+
published: "2022-08-30T12:00:00Z"
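Review bot: the `details` say the fix landed in 2.2.4 on the current branch and in 1.2.11 on the 1.2.x branch, but `ranges` has only `introduced: "0"` / `fixed: "2.2.4"`, so a version matcher will report MidnightBSD 1.2.11 and later 1.2.x releases as still affected. Express the second branch in the same `ranges` list with its own `introduced`/`fixed` pair (or a second range object) so both fixed versions are machine-readable. The prose also needs disambiguating: immediately after "zlib through 1.2.12" a reader will take "1.2.11" as a zlib version; write "MidnightBSD 1.2.11" explicitly. This record, like MNBSD-2022-16, also lacks the src fix commit reference that the other entries carry.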
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
id: MNBSD-2022-16
2+
summary: Multiple vulnerabilities in Heimdal Kerberos 5 and the KDC
3+
details: |
4+
Multiple security vulnerabilities were fixed in the Heimdal implementation of the Kerberos 5 network authentication protocols and KDC: a PAC parse integer overflow (CVE-2022-42898); overflows and non-constant-time leaks in DES/DES3 and arcfour (CVE-2022-3437); a NULL pointer dereference denial of service in SPNEGO acceptors (CVE-2021-44758); an invalid free in the ASN.1 codec in the KDC (CVE-2022-44640); and several protocol-transition issues covering validation of client attributes, applying the forwardable policy, and always looking up the impersonated client in the database (CVE-2019-14870).
5+
affected:
6+
- package:
7+
name: heimdal
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.2.6"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:14.heimdal.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2022-42898
19+
- type: WEB
20+
url: https://www.cve.org/CVERecord?id=CVE-2022-3437
21+
- type: WEB
22+
url: https://www.cve.org/CVERecord?id=CVE-2021-44758
23+
- type: WEB
24+
url: https://www.cve.org/CVERecord?id=CVE-2022-44640
25+
- type: WEB
26+
url: https://www.cve.org/CVERecord?id=CVE-2019-14870
27+
aliases:
28+
- CVE-2022-42898
29+
- CVE-2022-3437
30+
- CVE-2021-44758
31+
- CVE-2022-44640
32+
- CVE-2019-14870
33+
modified: "2022-11-15T12:00:00Z"
34+
published: "2022-11-15T12:00:00Z"
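Review bot: unlike MNBSD-2022-10 through 2022-14 this record carries no MidnightBSD src commit under `references`, only the FreeBSD advisory and the five CVE links; the commit message says the batch was cross-referenced against src git history, so add the commit that imported the Heimdal fixes, with `type: FIX`. The `details` already distinguish KDC-side issues ("invalid free in the ASN.1 codec in the KDC", the protocol-transition fixes) from library-side ones (the PAC parse overflow, DES/DES3/arcfour, the SPNEGO acceptor NULL dereference); make that split explicit, since a host that only uses the client libraries and GSSAPI acceptors is not exposed to the KDC-only CVEs, and that materially changes how an operator should prioritise the 2.2.6 update.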
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
id: MNBSD-2022-2
2+
summary: "FragAttacks: 802.11 frame aggregation/fragmentation design flaws in the wireless stack"
3+
details: |
4+
The 802.11 (net80211) wireless stack was affected by the "Fragment and Forge" (FragAttacks) design and implementation flaws in 802.11 frame aggregation and fragmentation handling, together with missing length validation of SSID and information elements. Under certain conditions a nearby attacker may be able to extract sensitive data or inject packets, though abuse generally requires user interaction or is only possible when using uncommon network settings.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.1.6"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:02.wifi.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2020-26147
19+
- type: WEB
20+
url: https://www.cve.org/CVERecord?id=CVE-2020-24588
21+
- type: WEB
22+
url: https://www.cve.org/CVERecord?id=CVE-2020-26144
23+
aliases:
24+
- CVE-2020-26147
25+
- CVE-2020-24588
26+
- CVE-2020-26144
27+
modified: "2022-03-15T12:00:00Z"
28+
published: "2022-03-15T12:00:00Z"
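Review bot: the `details` mention "missing length validation of SSID and information elements", but all three aliases (CVE-2020-26147, CVE-2020-24588, CVE-2020-26144) are FragAttacks fragmentation/aggregation CVEs. If the length-validation fix has its own identifier in the referenced FreeBSD-SA-22:02.wifi.asc it must be added to both `aliases` and `references`; if it does not, the prose should say it is a bundled hardening change rather than implying it is covered by the listed CVEs. "Nearby attacker" is imprecise for a wireless flaw: "an attacker within radio range" is what the threat model actually is, and it is worth stating whether station mode, hostap mode or both are affected, since the record is filed against `kernel` with no further qualification.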
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2022-3
2+
summary: OpenSSL BN_mod_sqrt() infinite loop when parsing crafted certificates
3+
details: |
4+
The BN_mod_sqrt() function, which is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit curve parameters with a base point encoded in compressed form, could be tricked into an infinite loop by a certificate with invalid explicit curve parameters. Because certificate parsing can happen before signature verification, any process that parses externally supplied certificates may be subject to a denial of service.
5+
affected:
6+
- package:
7+
name: openssl
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.1.6"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:03.openssl.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2022-0778
19+
aliases:
20+
- CVE-2022-0778
21+
modified: "2022-03-15T12:00:00Z"
22+
published: "2022-03-15T12:00:00Z"
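Review bot: the references carry the FreeBSD advisory and the CVE record but not OpenSSL's own security advisory of 15 March 2022, which is the primary source for this bug; add it with `type: ADVISORY`. The record should also say which upstream OpenSSL version the base-system library in 2.1.6 corresponds to (upstream fixed CVE-2022-0778 in 1.1.1n and 3.0.2), because `package: openssl` in the MidnightBSD ecosystem means the base-system copy, and anyone with a separately installed OpenSSL port needs to know this entry does not speak to it.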
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2022-4
2+
summary: zlib out-of-bounds access in deflate() with the Z_FIXED strategy
3+
details: |
4+
zlib before 1.2.12 contained a bug in the deflate implementation: when using the Z_FIXED strategy (or a compression level that selects it) with a specific memLevel, deflate could perform out-of-bounds accesses, leading to memory corruption. MidnightBSD imported zlib 1.2.12 to correct this.
5+
affected:
6+
- package:
7+
name: zlib
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.1.7"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:08.zlib.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2018-25032
19+
aliases:
20+
- CVE-2018-25032
21+
modified: "2022-04-06T12:00:00Z"
22+
published: "2022-04-06T12:00:00Z"
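Review bot: "with a specific memLevel" is too vague to let a caller decide whether their use of deflate() is reachable; the upstream fix in zlib 1.2.12 ("Fix a bug that can crash deflate on some input when using Z_FIXED") explains that for rare inputs with a large number of distant matches the pending buffer overwrites the distance symbol table it overlays, and notes the bug dates from the introduction of Z_FIXED in zlib 1.2.2.2, so quote that trigger condition here. Also keep the two numbering schemes apart: "zlib before 1.2.12" is the upstream version and `fixed: "2.1.7"` is the MidnightBSD release; the sentence "MidnightBSD imported zlib 1.2.12 to correct this" should say "in 2.1.7" so the reader does not have to infer it from the `ranges` block.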
