<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src, branch releng/12.2</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.2</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F12.2'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2022-03-22T16:20:05Z</updated>
<entry>
<title>Add UPDATING entries and bump version.</title>
<updated>2022-03-22T16:20:05Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2022-03-22T16:20:05Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7dac93b9215ee061b5bf4c3a756d119fdb14de42'/>
<id>urn:sha1:7dac93b9215ee061b5bf4c3a756d119fdb14de42</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>contrib/tzdata: import tzdata 2022a</title>
<updated>2022-03-22T15:54:07Z</updated>
<author>
<name>Philip Paeps</name>
<email>philip@FreeBSD.org</email>
</author>
<published>2022-03-22T15:54:07Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=69c6703ee2d74403a1b48d008f2c47cf41f31ca1'/>
<id>urn:sha1:69c6703ee2d74403a1b48d008f2c47cf41f31ca1</id>
<content type='text'>
Merge commit '971fa603f2bdf16273135a00ff16c5585520c53f'

Changes: https://github.com/eggert/tz/blob/2022a/NEWS

With this merge, we return to our previous long-standing practice of
distributing the IANA Time Zone Database unmodified.

Releases of tzdb since 2021b have merged some time zones where clocks
have agreed since 1970.  The overwhelming majority of users will not be
affected by this change.  A port of the newly created global-tz fork of
the IANA Time Zone database (misc/global-tz) is available for users who
need more granular pre-1970 time zone history.

Approved by:	so
Security:	FreeBSD-EN-22:14.tzdata

(cherry picked from commit 8ea5af2b77f2b43c250cacb257f42c0a54d644c4)
(cherry picked from commit 803b4b7f22ef9be408d81480cf70ca3afb7c7c53)
</content>
</entry>
<entry>
<title>Add UPDATING entries and bump version</title>
<updated>2022-03-15T17:42:16Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2022-03-15T17:42:16Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=717ed842180a5b9a65ffeec916cacb9fedaf2d7b'/>
<id>urn:sha1:717ed842180a5b9a65ffeec916cacb9fedaf2d7b</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>net80211: prevent plaintext injection by A-MSDU RFC1042/EAPOL frames</title>
<updated>2022-03-15T17:40:55Z</updated>
<author>
<name>Mathy Vanhoef</name>
<email>Mathy.Vanhoef@kuleuven.be</email>
</author>
<published>2021-06-06T22:10:56Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=409819ae9998eed7ef852e4b392d76ab01416864'/>
<id>urn:sha1:409819ae9998eed7ef852e4b392d76ab01416864</id>
<content type='text'>
No longer accept plaintext A-MSDU frames that start with an RFC1042
header with EtherType EAPOL.  This is done by only accepting EAPOL
packets that are included in non-aggregated 802.11 frames.

Note that before this patch, FreeBSD also only accepted EAPOL frames
that are sent in a non-aggregated 802.11 frame due to bugs in
processing EAPOL packets inside A-MSDUs. In other words,
compatibility with legitimate devices remains the same.

This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security:	CVE-2020-26144
PR:		256120

(cherry picked from commit ffc19cf52da5546973965f78cf32aa0f2c9657f8)
(cherry picked from commit 8b2ba742cc2c732bc4bc1d43f8256adce06657d0)
(cherry picked from commit 2d09e4366b67dd719ebae5390436868e5430d833)

Approved by:	so
Security:	FreeBSD-SA-22:02.wifi
</content>
</entry>
<entry>
<title>net80211: reject mixed plaintext/encrypted fragments</title>
<updated>2022-03-15T17:40:34Z</updated>
<author>
<name>Mathy Vanhoef</name>
<email>Mathy.Vanhoef@kuleuven.be</email>
</author>
<published>2021-06-06T22:10:41Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a780210457fe7448c6f4cdd81578f377974b2925'/>
<id>urn:sha1:a780210457fe7448c6f4cdd81578f377974b2925</id>
<content type='text'>
ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
network even when some of the fragments are not encrypted.
Track whether the fragments are encrypted or not and only accept
successive ones if they match the state of the first fragment.

This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security:	CVE-2020-26147
PR:		256118

(cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55)
(cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9)
(cherry picked from commit 00cd5a2f614ae2cf1daa30cde7f91de9cdde2393)

Approved by:	so
Security:	FreeBSD-SA-22:02.wifi
</content>
</entry>
<entry>
<title>net80211: proper ssid length check in setmlme_assoc_adhoc()</title>
<updated>2022-03-15T17:39:55Z</updated>
<author>
<name>Bjoern A. Zeeb</name>
<email>bz@FreeBSD.org</email>
</author>
<published>2021-10-06T18:41:37Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=b2107e60f62ed2a232900d77ec54804228d1bfc8'/>
<id>urn:sha1:b2107e60f62ed2a232900d77ec54804228d1bfc8</id>
<content type='text'>
A user supplied SSID length is used without proper checks in
setmlme_assoc_adhoc() which can lead to copies beyond the end
of the user supplied buffer.
The ssid is a fixed size array for the ioctl and the argument
to setmlme_assoc_adhoc().
In addition to an ssid_len check of 0 also error in case the
ssid_len is larger than the size of the ssid array to prevent
problems.

PR:		254737
Reported by:	Tommaso (cutesmilee.research protonmail.com)

(cherry picked from commit 526370fb85db4b659cff4625eb2f379acaa4a1a8)
(cherry picked from commit 0525ece3554edce14fa68a7fb61078ae2110c44b)
(cherry picked from commit ab5678c6c0d0b28feafdb2fd397866d6088f37d8)
(cherry picked from commit f4d0e8787a09f4cdfb856924aaca97f1c78b65b1)

Approved by:	so
Security:	FreeBSD-SA-22:02.wifi
</content>
</entry>
<entry>
<title>net80211: correct length check in ieee80211_ies_expand()</title>
<updated>2022-03-15T17:39:17Z</updated>
<author>
<name>Bjoern A. Zeeb</name>
<email>bz@FreeBSD.org</email>
</author>
<published>2021-10-06T18:09:39Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a4c0d14bbc9bfe8e7dff3657d4b4bb1705d8668b'/>
<id>urn:sha1:a4c0d14bbc9bfe8e7dff3657d4b4bb1705d8668b</id>
<content type='text'>
In ieee80211_ies_expand() we are looping over Elements
(also known as Information Elements or IEs).
The comment suggests that we assume well-formedness of
the IEs themselves.
Checking the buffer length being at least 2 (1 byte Element ID and
1 byte Length fields) rather than just 1 before accessing ie[1]
is still good practice and can prevent an out-of-bounds read in
case the input is not behaving according to the comment.

Reported by:	(coypu sdf.org)
admbugs:	857
MFC after:	3 days
Reviewed by:	adrian, markj
Differential Revision: https://reviews.freebsd.org/D32340

(cherry picked from commit 09dd08f167812a5fdb516fc98f14dbb43221432f)
(cherry picked from commit 8dc4c0a922b7e7a0ee682f4e1426f876692c0828)

Approved by:	so
Security:	FreeBSD-SA-22:02.wifi
</content>
</entry>
<entry>
<title>net80211: mitigation against A-MSDU design flaw</title>
<updated>2022-03-15T17:39:02Z</updated>
<author>
<name>Mathy Vanhoef</name>
<email>Mathy.Vanhoef@kuleuven.be</email>
</author>
<published>2021-06-06T22:10:52Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ae6d654f4fa167f473a40417479e607029670679'/>
<id>urn:sha1:ae6d654f4fa167f473a40417479e607029670679</id>
<content type='text'>
Mitigate A-MSDU injection attacks by detecting if the destination address
of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
dropping the complete A-MSDU frame.  This mitigates known attacks,
although new (unknown) aggregation-based attacks may remain possible.

This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.

This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.

Submitted by:	Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security:	CVE-2020-24588
PR:		256119

(cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469)
(cherry picked from commit 41ca1d50a8657959df2009daa300dda56a090d5e)
(cherry picked from commit 76ee776f4d9f146f7a97ac9bab388c51a1c787c9)

Approved by:	so
Security:	FreeBSD-SA-22:02.wifi
</content>
</entry>
<entry>
<title>Fix a bug in BN_mod_sqrt() that can cause it to loop forever.</title>
<updated>2022-03-15T17:36:40Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2022-03-15T16:48:59Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=d35c456500515b1b3e6f3be478da6be9869aa1af'/>
<id>urn:sha1:d35c456500515b1b3e6f3be478da6be9869aa1af</id>
<content type='text'>
Approved by:	so
Obtained from:	OpenSSL Project
Security:	CVE-2022-0778
Security:       FreeBSD-SA-22:03.openssl

(cherry picked from commit fdc418f15e92732a3551832bcb625ba9b47242df)
(cherry picked from commit c2a7d6e643bbc8801b1b83c9e64d57e726eeed98)
</content>
</entry>
<entry>
<title>Add UPDATING entries and bump version.</title>
<updated>2022-02-01T17:54:20Z</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2022-02-01T17:54:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=054503caa96ba6349d82fe2b9ed6f43f7141eaf9'/>
<id>urn:sha1:054503caa96ba6349d82fe2b9ed6f43f7141eaf9</id>
<content type='text'>
Approved by:	so
</content>
</entry>
</feed>
