src, branch releng/14.3

src, branch releng/14.3 FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.3 2026-04-30T21:21:34Z Add UPDATING entries and bump version 2026-04-30T21:21:34Z Mark Johnston markj@FreeBSD.org 2026-04-30T21:12:58Z urn:sha1:4f4b48e8a5478657f343953ef30ce992f2a6b68f Approved by: so dhclient: Improve server and filename validation 2026-04-30T21:21:27Z Dag-Erling Smørgrav des@FreeBSD.org 2026-04-30T16:45:35Z urn:sha1:5bad905eb37f69a8ac90f5e10c07527aded70b5b * Don't iterate over each string three times; once is enough. * Reject control characters (anything below space) in addition to the double quote and backslash. * If an unsafe character is encountered, discard the string instead of rejecting the entire lease. * If backslashes are encountered in the file name option, convert them to forward slashes instead of rejecting the option. * Tweak the warning messages a bit. Looking through the rest of the code, it seems to me that notes generally end with a period while warnings generally don't. Approved by: so Security: FreeBSD-EN-26:11.dhclient Fixes: 8008e4b88daf ("dhclient: Check for unexpected characters in some DHCP server options") PR: 294886 MFC after: 1 week Reviewed by: brooks, markj Differential Revision: https://reviews.freebsd.org/D56740 (cherry picked from commit 873a195ba63575e46686cfd6ea9670a0ca340fa0) (cherry picked from commit 2f9478ad42c442c49a7eff60227148bf2b90b48c) Add UPDATING entries and bump version 2026-04-28T20:33:05Z Mark Johnston markj@FreeBSD.org 2026-04-28T20:29:58Z urn:sha1:31900fbe281f595718d20c0aa26b10ab2efa138d Approved by: so libnv: fix heap overflow in nvlist_recv() 2026-04-28T20:33:04Z Mariusz Zaborski oshogbo@FreeBSD.org 2026-04-28T14:36:09Z urn:sha1:aa15809f85deef33167bf74f82144d714a884548 nvlist_check_header() validated nvlh_size for overflow before performing conversion. An mallicous user can set NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that the orginall value passes the check, but after the conversion the sizeof(nvlist_header) + size can overflow. This can lead to a heap buffer overflow. Approved by: so Security: FreeBSD-SA-26:17.libnv Security: CVE-2026-35547 Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56342 libnv: switch fd_wait() from select(2) to poll(2) 2026-04-28T20:33:04Z Mariusz Zaborski oshogbo@FreeBSD.org 2026-04-28T14:35:10Z urn:sha1:a872c32f389eb855f1a2caae69485c834c4c1d5c The previous implementation used FD_SET() on a stack-allocated fd_set, which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE (1024). Approved by: so Security: FreeBSD-SA-26:16.libnv Security: CVE-2026-39457 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56689 libnv: add tests to verify potential overflow issues 2026-04-28T20:33:04Z Mariusz Zaborski oshogbo@FreeBSD.org 2024-08-29T13:46:01Z urn:sha1:0963be1dbf8886423c0c4efade79661989db9a77 Approved by: so Differential Revision: https://reviews.freebsd.org/D46131 (cherry picked from commit 241a7ddd7112982ed41ccdd047c1dad59ee0256e) libnv: add test to verify null termination of string in array 2026-04-28T20:33:04Z Mariusz Zaborski oshogbo@FreeBSD.org 2024-08-29T13:44:03Z urn:sha1:bba29d772b1006579b365405a34fa107b11670df Approved by: so Differential Revision: https://reviews.freebsd.org/D46138 (cherry picked from commit 2981431e044fae3bc87e6fa891b8230b484dc84b) dhclient: Fix reallocation of dhclient script environments 2026-04-28T20:33:04Z Mark Johnston markj@FreeBSD.org 2026-04-27T20:56:21Z urn:sha1:76734958a0986bdd4cf7edfe845b5e7b4e152360 When the number of DHCP options exceeds a threshold, script_set_env() will reallocate the environment, stored as an array of pointers. The calculation of the array size failed to multiply by the pointer size, resulting in a smaller than expected buffer which admits out-of-bounds writes. Approved by: so Security: FreeBSD-SA-26:15.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) dhclient: Check for unexpected characters in some DHCP server options 2026-04-28T20:33:04Z Mark Johnston markj@FreeBSD.org 2026-04-27T20:03:09Z urn:sha1:dda71167a1013aceb1c4236a9297a24dd62754ac Some options are written directly to the lease file, which may be parsed by subsequent dhclient invocations. We must make sure that a malicious server can't control the "medium" field of a lease definition, otherwise they can achieve RCE by injecting one into the lease file, whereupon it will be passed to dhclient-script, which passes it through eval. Approved by: so Security: FreeBSD-SA-26:12.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) execve: Fix an operator precedence bug 2026-04-28T20:33:04Z Mark Johnston markj@FreeBSD.org 2026-04-22T17:58:35Z urn:sha1:f04c40607b8fb38720d57631c674f07d4207c976 The buggy version allowed userspace to overflow the copy into adjacent execve KVA regions, which enables, among other things, injecting environment variables into privileged processes. Approved by: so Security: FreeBSD-SA-26:13.exec Security: CVE-2026-7270 Reported by: Ryan Austin of Calif.io Reviewed by: brooks, kib Fixes: f373437a01a3 ("Add helper functions to copy strings into struct image_args.") Differential Revision: https://reviews.freebsd.org/D56665