Bugzilla – Bug 990660
VUL-0: CVE-2014-9862: bsdiff: Improper checking of input allows arbitrary write on heap
Last modified: 2022-10-03 09:42:15 UTC
http://seclists.org/bugtraq/2016/Jul/122 ============================================================================= FreeBSD-SA-16:25.bspatch Security Advisory The FreeBSD Project Topic: Heap vulnerability in bspatch Category: core Module: bsdiff Announced: 2016-07-25 Affects: All supported versions of FreeBSD. Corrected: 2016-07-25 14:52:12 UTC (stable/11, 11.0-BETA2-p1) 2016-07-25 14:52:12 UTC (stable/11, 11.0-BETA1-p1) 2016-07-25 14:53:04 UTC (stable/10, 10.3-STABLE) 2016-07-25 15:04:17 UTC (releng/10.3, 10.3-RELEASE-p6) 2016-07-25 15:04:17 UTC (releng/10.2, 10.2-RELEASE-p20) 2016-07-25 15:04:17 UTC (releng/10.1, 10.1-RELEASE-p37) 2016-07-25 14:53:04 UTC (stable/9, 9.3-STABLE) 2016-07-25 15:04:17 UTC (releng/9.3, 9.3-RELEASE-p45) CVE Name: CVE-2014-9862 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The bspatch utility generates newfile from oldfile and patchfile where patchfile is a binary patch built by bsdiff(1). II. Problem Description The implementation of bspatch does not check for a negative value on numbers of bytes read from the diff and extra streams, allowing an attacker who can control the patch file to write at arbitrary locations in the heap. This issue was first discovered by The Chromium Project and reported independently by Lu Tung-Pin to the FreeBSD project. III. Impact An attacker who can control the patch file can cause a crash or run arbitrary code under the credentials of the user who runs bspatch, in many cases, root. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. No reboot is needed. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install No reboot is needed. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch # fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch.asc # gpg --verify bspatch.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r303301 releng/9.3/ r303304 stable/10/ r303301 releng/10.1/ r303304 releng/10.2/ r303304 releng/10.3/ r303304 stable/11/ r303300 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://bugs.chromium.org/p/chromium/issues/detail?id=372525> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:25.bspatch.asc> References: https://bugzilla.redhat.com/show_bug.cgi?id=1360201 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9862 http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9862.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
Created attachment 685590 [details] bspatch.patch
openSUSE (all) seems affected.
This is an autogenerated message for OBS integration: This bug (990660) was mentioned in https://build.opensuse.org/request/show/415294 13.2 / bsdiff https://build.opensuse.org/request/show/415295 42.1 / bsdiff
Thank you.
This is an autogenerated message for OBS integration: This bug (990660) was mentioned in https://build.opensuse.org/request/show/415543 Factory / bsdiff
This is an autogenerated message for OBS integration: This bug (990660) was mentioned in https://build.opensuse.org/request/show/415569 13.2+42.1 / bsdiff
openSUSE-SU-2016:1977-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 990660 CVE References: CVE-2014-9862 Sources used: openSUSE Leap 42.1 (src): bsdiff-4.3-9.2 openSUSE 13.2 (src): bsdiff-4.3-2.5.2