
Commit ee3f6bf

laffer1 and claude committed
Add historical 2020 and 2021 advisories
Backfill MNBSD-2020-0..14 and MNBSD-2021-0..10 from the website release notes and the two MIDNIGHTBSD-SA-20:01/02 text advisories, cross-referenced with src UPDATING/git history, release tags, and the corresponding FreeBSD security advisories and errata notices. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 076f569 commit ee3f6bf

26 files changed

Lines changed: 571 additions & 0 deletions
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
id: MNBSD-2020-0
2+
summary: libalias insufficient packet length validation causes memory disclosure
3+
details: |
4+
libalias(3), the library used for NAT (including the in-kernel NAT in ipfw and the userspace natd(8)), performed insufficient packet length validation. The FTP packet handler incorrectly calculated some packet lengths, which could disclose small amounts of memory from the kernel or from the natd process (CVE-2020-7455). More broadly, malicious packets could trigger out-of-bounds read or write conditions in the libalias packet handlers (CVE-2020-7454).
5+
affected:
6+
- package:
7+
name: libalias
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "1.2.2"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:12.libalias.asc
17+
- type: WEB
18+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:13.libalias.asc
19+
- type: WEB
20+
url: https://www.cve.org/CVERecord?id=CVE-2020-7454
21+
- type: WEB
22+
url: https://www.cve.org/CVERecord?id=CVE-2020-7455
23+
aliases:
24+
- CVE-2020-7454
25+
- CVE-2020-7455
26+
modified: "2020-05-12T12:00:00Z"
27+
published: "2020-05-12T12:00:00Z"
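Review bot: the `modified:` and `published:` fields carry the same 2020-05-12 timestamp even though this record is being created now as a backfill; in OSV `modified` is the last-change time of the record itself, so it should be the backfill date, otherwise clients that poll on `modified` will never pick the new entry up. The same applies to every entry in this commit. Separately, the only `affected` package is `libalias`, while the details state that the in-kernel NAT in ipfw is affected as well; the other kernel-side entries in this commit use `name: kernel`, so either add a second `affected` item for `kernel` with the same range or document why the library name alone is sufficient.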
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2020-1
2+
summary: USB network drivers out-of-bounds write via malicious device
3+
details: |
4+
A missing length validation common to the smsc(4), muge(4) and cdceem(4) USB network drivers meant that a malicious USB device could write beyond the end of an allocated network packet buffer, potentially achieving kernel or user-space code execution.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "1.2.6"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2020-7459
19+
aliases:
20+
- CVE-2020-7459
21+
modified: "2020-08-05T12:00:00Z"
22+
published: "2020-08-05T12:00:00Z"
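Review bot: the summary "USB network drivers out-of-bounds write via malicious device" does not name the drivers, so a search for smsc, muge or cdceem only matches the free-text details; consider "smsc(4), muge(4) and cdceem(4) USB network drivers: out-of-bounds write via malicious device". The details could also state the precondition plainly, namely that the attacker needs to attach a malicious USB device, which is the main mitigating factor for this entry.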
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2020-10
2+
summary: bhyve does not trap AMD virtualization instructions
3+
details: |
4+
A number of AMD virtualization instructions operate on host physical addresses and are not subject to nested page table translation. Guest use of these instructions was not trapped by bhyve, allowing a malicious guest on an AMD host to write to arbitrary host memory and potentially gain complete control of the host.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "1.2.9"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2020-7467
19+
aliases:
20+
- CVE-2020-7467
21+
modified: "2020-09-15T12:00:00Z"
22+
published: "2020-09-15T12:00:00Z"
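Review bot: the summary "bhyve does not trap AMD virtualization instructions" describes the cause rather than the consequence; the details say a malicious guest can write arbitrary host memory and take complete control of the host, which is a guest-to-host escape, and the summary should say so since it is what consumers of the feed will triage on. Consider also stating in the details that only AMD (SVM) hosts running bhyve guests are exposed, so Intel hosts can be excluded without reading the referenced advisory.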
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
id: MNBSD-2020-11
2+
summary: udf file entry length validation overflow
3+
details: |
4+
The udf file system did not validate the full file entry length. A corrupted UDF file entry containing invalid extended attribute lengths or allocation descriptor lengths could trigger an overflow when the file entry is loaded, for example when mounting a malicious UDF image. Discovered by C Turt.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "1.2.10"
14+
references:
15+
- type: WEB
16+
url: https://github.com/MidnightBSD/src/commit/fb7977502f94
17+
modified: "2020-09-23T12:00:00Z"
18+
published: "2020-09-23T12:00:00Z"
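Review bot: the single reference is a fix commit but is typed `WEB`; the OSV reference type `FIX` exists for exactly this and lets tooling distinguish the patch from background reading. The credit "Discovered by C Turt" is embedded in the details text; OSV has a top-level `credits` list for this, and moving it there keeps the details purely descriptive. This entry also has no `aliases` block; if no CVE was assigned upstream, that is fine, but if one exists it should be added for consistency with the other entries.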
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2020-12
2+
summary: ICMPv6 read of freed kernel memory
3+
details: |
4+
A remote host could trigger a read of freed kernel memory by sending malformed ICMPv6 error messages. This may trigger a kernel panic if the address had been unmapped.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.0.2"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2020-7469
19+
aliases:
20+
- CVE-2020-7469
21+
modified: "2020-12-01T12:00:00Z"
22+
published: "2020-12-01T12:00:00Z"
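Review bot: the range `introduced: "0"` / `fixed: "2.0.2"` asserts that no 1.2.x release ever received this fix, whereas the earlier 2020 entries in this commit fix issues in 1.2.2, 1.2.6, 1.2.8 and so on. If the 1.2 branch was still maintained at the time and was patched, add the corresponding `fixed` event (or a second range for that branch); if the branch was end-of-life, a sentence in the details saying so would stop users of 1.2.x from reading this as an open issue.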
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
id: MNBSD-2020-13
2+
summary: rtsold RDNSS/DNSSL option handling buffer overflow
3+
details: |
4+
Two bugs existed in rtsold(8)'s handling of RDNSS and DNSSL router advertisement options. rtsold(8) failed to perform sufficient bounds checking, not verifying that an option did not extend past the end of the received packet (CVE-2020-25577). In addition, when decoding DNSSL domain name labels, rtsold(8) did not validate label lengths correctly and could overflow the destination buffer (CVE-2020-25583). Because rtsold(8) runs as root, an attacker on the same physical link could potentially achieve remote code execution.
5+
affected:
6+
- package:
7+
name: rtsold
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.0.2"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:32.rtsold.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2020-25577
19+
- type: WEB
20+
url: https://www.cve.org/CVERecord?id=CVE-2020-25583
21+
aliases:
22+
- CVE-2020-25577
23+
- CVE-2020-25583
24+
modified: "2020-12-01T12:00:00Z"
25+
published: "2020-12-01T12:00:00Z"
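Review bot: `name: rtsold` introduces a third package-naming style in this batch (kernel issues use `kernel`, the NAT library uses `libalias`, and here a base-system daemon is named by its binary). Since all of these ship in the same base system and are versioned by the same release number, the naming rule should be written down somewhere so that matching tools know what to compare against. The details correctly note the preconditions (attacker on the same link, daemon running as root); it would help to add that the daemon must actually be enabled for the host to be exposed.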
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
id: MNBSD-2020-14
2+
summary: callout(9) may corrupt another CPU's data structures
3+
details: |
4+
Callouts may be bound to a specific CPU. When a kernel thread attempts to stop a callout while it is actively executing, it sleeps until execution completes; in the meantime the callout may be rescheduled and re-executed on a different CPU. When the sleeping thread finally completed removal of the callout, it could modify the wrong CPU's data structures, leaving them in an invalid state.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "2.0.2"
14+
references:
15+
- type: WEB
16+
url: https://github.com/MidnightBSD/src/commit/c849f305614c
17+
modified: "2020-12-02T12:00:00Z"
18+
published: "2020-12-02T12:00:00Z"
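Review bot: the details describe the race in callout(9) but never state its security consequence (kernel panic, data corruption, or reliability only), and with no CVE alias and only a commit reference there is nothing else in the record for a consumer to triage on. Add one sentence on the observed impact, and type the commit reference as `FIX` rather than `WEB`.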
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2020-2
2+
summary: compat32 sendmsg(2) TOCTOU allows privilege escalation
3+
details: |
4+
When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the control message into kernel memory and adjusts the alignment of control message headers. The code contained a time-of-check-to-time-of-use (TOCTOU) flaw that allowed a malicious userspace program to modify control message headers after they were validated by the kernel, which could be leveraged for privilege escalation.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "1.2.6"
14+
references:
15+
- type: WEB
16+
url: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc
17+
- type: WEB
18+
url: https://www.cve.org/CVERecord?id=CVE-2020-7460
19+
aliases:
20+
- CVE-2020-7460
21+
modified: "2020-08-05T12:00:00Z"
22+
published: "2020-08-05T12:00:00Z"
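Review bot: the details establish a local privilege escalation, but the record carries no `severity` block, and none of the other entries in this commit do either; OSV supports a `severity` list with CVSS vectors, and backfilled entries are the place to add it while the source advisories are being read. The details could also note the exposure condition implied by "compat32": only kernels with the 32-bit compatibility layer enabled, and only via 32-bit callers of sendmsg(2).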
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2020-3
2+
summary: Memory corruption in kern_getfsstat()
3+
details: |
4+
A memory corruption vulnerability in the kernel's kern_getfsstat() system call. An earlier fix for a related issue (CVE-2018-17154) was incomplete because it incorrectly assumed the problem was a NULL pointer dereference. A local user could trigger memory corruption. Originally published as MIDNIGHTBSD-SA-20:01.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "1.2.8"
14+
references:
15+
- type: WEB
16+
url: https://www.cve.org/CVERecord?id=CVE-2020-24863
17+
- type: WEB
18+
url: https://www.midnightbsd.org/security/adv/MIDNIGHTBSD-SA-20:01.txt
19+
aliases:
20+
- CVE-2020-24863
21+
modified: "2020-09-02T12:00:00Z"
22+
published: "2020-09-02T12:00:00Z"
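Review bot: the details say this is an incomplete fix for CVE-2018-17154, but that identifier appears only in prose; OSV has a top-level `related` list for exactly this relationship, so add `CVE-2018-17154` there (and a reference to its CVE record) so that tooling can link the two. The MIDNIGHTBSD-SA-20:01 text advisory is the project's own advisory and should be typed `ADVISORY` rather than `WEB`.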
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
id: MNBSD-2020-4
2+
summary: NULL pointer dereference in the Linux compatibility subsystem
3+
details: |
4+
A NULL pointer dereference vulnerability in the Linux compatibility subsystem. On systems where the Linux binary compatibility layer is enabled and the protection against mapping low memory addresses has been disabled, a local user could trigger the flaw. Originally published as MIDNIGHTBSD-SA-20:02.
5+
affected:
6+
- package:
7+
name: kernel
8+
ecosystem: MidnightBSD
9+
ranges:
10+
- type: ECOSYSTEM
11+
events:
12+
- introduced: "0"
13+
- fixed: "1.2.8"
14+
references:
15+
- type: WEB
16+
url: https://www.cve.org/CVERecord?id=CVE-2020-24385
17+
- type: WEB
18+
url: https://www.midnightbsd.org/security/adv/MIDNIGHTBSD-SA-20:02.txt
19+
aliases:
20+
- CVE-2020-24385
21+
modified: "2020-09-02T12:00:00Z"
22+
published: "2020-09-02T12:00:00Z"
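Review bot: "the protection against mapping low memory addresses has been disabled" is the key precondition for this NULL pointer dereference to be exploitable, yet the details do not name the sysctl that controls it; naming it lets administrators verify their exposure with a single command instead of reading the referenced advisory. As with the SA-20:01 entry, the MIDNIGHTBSD-SA-20:02 reference should be typed `ADVISORY`.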
