FreeBSD Security Advisory FreeBSD-SA-23:18.nfsclient

submitted 18 December 2023

When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead replaced with whatever data had been in the packet buffer previously. Thus, an unprivileged user with access to an affected system may abuse the bug to trigger disclosure of sensitive information. In particular, the leak is limited to data previously stored in mbufs, which are used for network transmission and reception, and for certain types of inter-process communication. The bug can also be triggered unintentionally by system applications, in which case the data written by the application to an NFS mount may be corrupted. Corrupted data is written over the network to the NFS server, and thus also susceptible to being snooped by other hosts on the network. Note that the bug exists only in the NFS client; the version and implementation of the server has no effect on whether a given system is affected by the problem.

The BSD community linklog

20 February 2024
Valuable News – 2024/02/19  

The Valuable News weekly series is dedicated to providing a summary of news, articles and other interesting items, mostly but not always related to UNIX or BSD systems.

19 February 2024
FreeBSD 14.0 Installation on Xneelo Dedicated Server  

Xneelo is a South African hosting provider offering dedicated servers. FreeBSD is not available as an operating system to install; however, it can be installed from the rescue console using the depenguin.me installer. This article describes how to do that.

Run Your Own Mastodon Server on FreeBSD in a Potluck Container  

This article describes how Mastodon can easily be set up as a container (i.e. jail) with the help of Ansible, Pot and Potluck.

OpenBSD -current moves to 7.5-beta  

Theo de Raadt changed the version string for the OpenBSD development branch (i.e. -current) to 7.5-beta. With the upcoming release expected to appear in May, testing is particularly welcome. 7.5-beta snapshots are already appearing on the mirrors.

New wi-fi driver, qwx(4), enabled in OpenBSD -current  

The driver currently supports only 11a/b/g modes.

17 February 2024
October-December 2023 Status Report  

This is the last 2023 quarter. As you have probably noticed, this status report comes later than usual and with fewer reports than the preceding quarter. Indeed, please keep in mind that the last quarter of every year is for many members of our community the quarter of the celebrations for Christmas and for the New Year, which implies that those members will spend more time with their families and will have less time for their favorite voluntary software projects. Thus there is less to report and reports tend to arrive later. But finally, here they are.

BSD Now 546 - Debunking FreeBSD Myths  

Debunking Common Myths About FreeBSD, Please, don’t force me to log in, Exploring FreeBSD service(8) basics, Failed Product Designs: A Laptop with Seven Screens, What’s a Permissive License – and Why Should I Care?, Beginning of the year Laugh.

16 February 2024
OpenBSD Errata: February 13, 2024 (unbound unwind)  

Errata patches for unbound and unwind have been released for OpenBSD 7.4 and 7.3. Binary updates for the amd64, arm64 and i386 platform are available via the syspatch utility.

15 February 2024
FreeBSD Errata Notice FreeBSD-EN-24:04.ip  

The race condition can trigger a NULL pointer dereference in the kernel, resulting in a kernel panic.

FreeBSD Errata Notice FreeBSD-EN-24:03.kqueue  

Using kqueue(2) with a process using rfork(2) can panic the system.

FreeBSD Security Advisory FreeBSD-SA-24:02.tty  

Attacker can get information about TTYs allocated on the host or in other jails. Effectively, the information printed by "pstat -t" may be leaked.

FreeBSD Errata Notice FreeBSD-EN-24:02.libutil  

An unprivileged user may bypass the administrator's resource limits and/or CPU mask settings stemming from his login class provided he can run a (setuid) login-like program that:
- Calls setusercontext() with the LOGIN_SETRESOURCES and/or LOGIN_SETCPUMASK flags but without LOGIN_SETUSER (which excludes the use of LOGIN_SETALL), and with a non-NULL 'pwd' argument.
- Does so before changing the effective user ID to the target user.

No programs in FreeBSD's base system, including login(1) and su(1), meet these requirements, but third-party programs may. In particular, sudo(8) does when using the default sudoers(5) plugin configured with the 'use_loginclass' flag enabled. doas(8) does not.

FreeBSD Errata Notice FreeBSD-EN-24:01.tzdata  

An incorrect time will be displayed on a system configured to use one of the affected time zones if the /usr/share/zoneinfo and /etc/localtime files are not updated, and all applications on the system that rely on the system time, such as cron(8) and syslog(8), will be affected. With the default configuration, FreeBSD systems cannot file updates to the installed leap-seconds.list file. Since no leap second was introduced at the end of 2023, the leap-seconds.list file included with all supported FreeBSD releases is still accurate. Moreover, ntpd(8) is able to receive updated leap second information from its peers. However, a diagnostic warning about an expired leap-seconds.list is printed at startup.

FreeBSD Security Advisory FreeBSD-SA-24:01.bhyveload  

In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyveload(8), which is often the system root.
