<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/lib, branch releng/13.5</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.5</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F13.5'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-03-26T01:30:59Z</updated>
<entry>
<title>rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()</title>
<updated>2026-03-26T01:30:59Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-24T02:12:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c4f53a1adbd4d5209b45043d25e590f0c27b5314'/>
<id>urn:sha1:c4f53a1adbd4d5209b45043d25e590f0c27b5314</id>
<content type='text'>
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:	so
Security:	FreeBSD-SA-26:08.rpcsec_gss
Security:	CVE-2026-4747
Reported by:	Nicholas Carlini &lt;npc@anthropic.com&gt;
Reviewed by:	rmacklem
Fixes:		a9148abd9da5d
</content>
</entry>
<entry>
<title>libarchive: merge from vendor branch</title>
<updated>2025-08-07T23:50:06Z</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2025-06-01T20:16:26Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=798b7b161a71282aff73d532ffe381b65dd04251'/>
<id>urn:sha1:798b7b161a71282aff73d532ffe381b65dd04251</id>
<content type='text'>
libarchive 3.8.1

New features:
 #2088 7-zip reader: improve self-extracting archive detection
 #2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support
 #2403 zip writer: added LZMA + RISCV BCJ filter
 #2601 bsdtar: support --mtime and --clamp-mtime
 #2602 libarchive: mbedtls 3.x compatibility

Security fixes:
 #2422 tar reader: Handle truncation in the middle of a GNU long linkname
       (CVE-2024-57970)
 #2532 tar reader: fix unchecked return value in list_item_verbose()
       (CVE-2025-25724)
 #2532 unzip: fix null pointer dereference (CVE-2025-1632)
 #2568 warc: prevent signed integer overflow (CVE-2025-5916)
 #2584 rar: do not skip past EOF while reading (CVE-2025-5918)
 #2588 tar: fix overflow in build_ustar_entry (CVE-2025-5917)
 #2598 rar: fix double free with over 4 billion nodes (CVE-2025-5914)
 #2599 rar: fix heap-buffer-overflow (CVE-2025-5915)

Important bugfixes:
 #2399 7-zip reader: add SPARC filter support for non-LZMA compressors
 #2405 tar reader: ignore ustar size when pax size is present
 #2435 tar writer: fix bug when -s/a/b/ used more than once with b flag
 #2459 7-zip reader: add POWERPC filter support for non-LZMA compressors
 #2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
 #2539 libarchive: add missing seeker function to archive_read_open_FILE()
 #2544 gzip: allow setting the original filename for gzip compressed files
 #2564 libarchive: improve lseek handling
 #2582 rar: support large headers on 32 bit systems
 #2587 bsdtar: don't hardlink negative inode files together
 #2596 rar: support large headers on 32 bit systems
 #2606 libarchive: support @-prefixed Unix epoch timestamps as date strings
 #2634 tar: Support negative time values with pax
 #2637 tar: Keep block alignment after pax error
 #2642 libarchive: fix FILE_skip regression
 #2643 tar: Handle extra bytes after sparse entries
 #2649 compress: Prevent call stack overflow
 #2651 iso9660: always check archive_string_ensure return value

CVE:		CVE-2024-57970, CVE-2025-1632, CVE-2025-25724,
		CVE-2025-5914, CVE-2025-5915, CVE-2025-5916,
		CVE-2025-5917, CVE-2025-5918
PR:		286944 (exp-run on main, libarchive 3.8.0)

Approved by:	so
Security:	FreeBSD-SA-25:07.libarchive

(cherry picked from commit 2e113ef82465598b8c26e0ca415fbe90677fbd47)
(cherry picked from commit f47afeb2ce1eb04a787a4b8c1a6d7752940268da)
</content>
</entry>
<entry>
<title>libc: allow __cxa_atexit handlers to be added during __cxa_finalize</title>
<updated>2025-07-02T05:42:46Z</updated>
<author>
<name>Aurélien Croc de Suray</name>
<email>freebsd@ap2c.com</email>
</author>
<published>2025-04-05T00:47:53Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f936833911d765c1dc9640913b73acfa1d751742'/>
<id>urn:sha1:f936833911d765c1dc9640913b73acfa1d751742</id>
<content type='text'>
science/dlib-cpp reveals an interesting scenario that works fine on
other platforms but not on FreeBSD; notably, it ends up creating a new
global object from some destructor which is called during
__cxa_finalize.  This breaks when libdlib is dlopen()ed and then
subsequently dlclose()ed, as we never end up invoking the created
object's dtor until program exit when the shlib is already unmapped.

Fix it by noting when we're in the middle of __cxa_finalize for a dso,
and then restarting the search if __cxa_atexit() was called in the
middle somewhere.

We wait until we've processed the initial set before starting over and
processing the newly added handlers as if it were a complete set of
handlers added during runtime.  The alternative is calling them as
they're added to maintain a LIFO in terms of total ordering, but in
theory a constructor could add another global object that also needs to
be destroyed, and that object needs to be destroyed after the one that
constructed it to avoid creating unexpected lifetime issues.

This manifests in the pdlib PHP extension for dlib crashing, see [0].

[0] https://github.com/goodspb/pdlib/issues/39

PR:		285870
Reviewed by:	kevans (also supplied commit message)
Approved by:	so
Security:	FreeBSD-EN-25:09.libc

(cherry picked from commit 23427c8e1fedb9fc68ad0bd27a59c7ffd2b3008c)
(cherry picked from commit 04f7496f89e28057079f3f0b1a02d7d9d874487f)
</content>
</entry>
<entry>
<title>contrib/expat: update libexpat from 2.6.4 to 2.7.1</title>
<updated>2025-04-10T14:39:08Z</updated>
<author>
<name>Philip Paeps</name>
<email>philip@FreeBSD.org</email>
</author>
<published>2025-04-02T08:56:02Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=dec0bf8096b312c395421d11c0e76e954a7e2386'/>
<id>urn:sha1:dec0bf8096b312c395421d11c0e76e954a7e2386</id>
<content type='text'>
Changes: https://github.com/libexpat/libexpat/blob/R_2_7_1/expat/Changes

Note that libbsdxml(3) is only intended to be used by utilities in the
FreeBSD base system.  The vulnerability addressed by expat 2.7.0 is not
exploitable on FreeBSD as supported by the security-officer@ team.

Approved by:	so
Security:	FreeBSD-EN-25:05.expat
Security:	CVE-2024-8176

(cherry picked from commit fe9278888fd4414abe2d922e469cf608005f4c65)
(cherry picked from commit 41b768ae1970ed484abaaea401453c3902df93c2)
(cherry picked from commit 03a1992591b0ae85b6b250255fe56e17f6d919c6)
(cherry picked from commit adc9e9e8dbddcf7d57bcdef0d9d0a0e7c08c15ba)
(cherry picked from commit 00c8538e87c61f1fd57ccd9e02a6d435b68d9a73)
(cherry picked from commit 5630672e6f6d58597a3d6f01928a7703f1cdd207)
</content>
</entry>
<entry>
<title>Update in preparation for 13.5-RELEASE</title>
<updated>2025-03-07T00:00:00Z</updated>
<author>
<name>Colin Percival</name>
<email>cperciva@FreeBSD.org</email>
</author>
<published>2025-03-07T00:00:00Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=882b9f3f2218b50fc1d2d31ee71b7765c7f09f85'/>
<id>urn:sha1:882b9f3f2218b50fc1d2d31ee71b7765c7f09f85</id>
<content type='text'>
- Bump BRANCH to RELEASE
- Add the anticipated RELEASE announcement date
- Set a static __FreeBSD_version

Approved by:	re (implicit)
Sponsored by:	Amazon
</content>
</entry>
<entry>
<title>Defer the January 19, 2038 date limit in UFS1 filesystems to February 7, 2106</title>
<updated>2025-02-10T07:38:51Z</updated>
<author>
<name>Kirk McKusick</name>
<email>mckusick@FreeBSD.org</email>
</author>
<published>2025-01-28T01:39:45Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=dfe803fdbc54e65aaf23c56d53eeeefdef8e42aa'/>
<id>urn:sha1:dfe803fdbc54e65aaf23c56d53eeeefdef8e42aa</id>
<content type='text'>
Standardize the definition of a UFS dinode.

Differential Revision: https://reviews.freebsd.org/D48472

(cherry picked from commit 1111a44301da39d7b7459c784230e1405e8980f8)
(cherry picked from commit aa90fbed151de512ab6e59f75df009533a15751f)
(cherry picked from commit 256389eaf158acaf67f0530764be8af68edee78c)
(cherry picked from commit 6cd973d903c8f214d84daf91eb75047631bf1618)
(cherry picked from commit e1ebda4458bbaf7d85fb803e20f3afc5441f24d9)
(cherry picked from commit 6f87402a02f0801942fe8f0d9a8f7f3e04dfbb01)

Approved-by: re (cperciva)
</content>
</entry>
<entry>
<title>libpcap: Update to 1.10.5</title>
<updated>2025-01-29T19:29:29Z</updated>
<author>
<name>Joseph Mingrone</name>
<email>jrm@FreeBSD.org</email>
</author>
<published>2024-09-14T17:09:34Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=68ddf72800f81ea725785848e9919a4a23acf411'/>
<id>urn:sha1:68ddf72800f81ea725785848e9919a4a23acf411</id>
<content type='text'>
Reviewed by:	kp (pflogd changes)
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit afdbf109c6a661a729938f68211054a0a50d38ac)
(cherry picked from commit ecb75be376a3e18d3e4836b6ee07015264784694)
(cherry picked from commit f0bcebe67ef6cf9f104535d6cd9f151c1b61dd6a)
(cherry picked from commit 34aa6f2c2db5cc9655f201a1ef01adbb9fb484d5)
</content>
</entry>
<entry>
<title>libpcap: Update to 1.10.4</title>
<updated>2025-01-29T19:29:28Z</updated>
<author>
<name>Joseph Mingrone</name>
<email>jrm@FreeBSD.org</email>
</author>
<published>2023-05-05T13:56:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e6efc827e47a5b3ddbaedc4aa9783ffeb986abc9'/>
<id>urn:sha1:e6efc827e47a5b3ddbaedc4aa9783ffeb986abc9</id>
<content type='text'>
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit dd744a896be358d6f001766188da6aed80e00378)
(cherry picked from commit 270d20ce91c898c532ebaff76bb5b71c8544e928)
(cherry picked from commit 67c802c948abf6955c3d8b53f4a41293a9caea24)
(cherry picked from commit b1538e8fc488409113b833dd1c53aab1057b0568)
</content>
</entry>
<entry>
<title>libpcap: Update to 1.10.3</title>
<updated>2025-01-29T19:29:28Z</updated>
<author>
<name>Joseph Mingrone</name>
<email>jrm@FreeBSD.org</email>
</author>
<published>2023-02-13T22:06:51Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7aedea8685359fa5e914a7341ef0ef33b8227d7c'/>
<id>urn:sha1:7aedea8685359fa5e914a7341ef0ef33b8227d7c</id>
<content type='text'>
Prior to this MFC, the stable/13 libpcap was at version 1.9.1, which was
released over five years ago.  Several CVEs have been identified in that
version.  For a detailed list, see
https://www.tcpdump.org/public-cve-list.txt.

Reviewed by:	kp (pf changes)
Sponsored by:	The FreeBSD Foundation

(cherry picked from commit 6d1c946e916845d01062e146aad5395410da1e54)
(cherry picked from commit 0c59e0b4e5817f139ce28486085b2f196351c7a3)
(cherry picked from commit 512c553671bef26e93342d4ae1ec5f60d8ae112b)
(cherry picked from commit 6f9cba8f8b5efd16249633e52483ea351876b67b)
(cherry picked from commit 437f05885047c533cadf15b564729cfd0273d2fe)

Commit 437f05885047c533cadf15b564729cfd0273d2fe has been adapted to only
include the changes for the libpcap 1.10.3 update.
</content>
</entry>
<entry>
<title>Fix lib/libc/nss/getgr_test with large numbers of groups</title>
<updated>2025-01-20T22:41:52Z</updated>
<author>
<name>Alan Somers</name>
<email>asomers@FreeBSD.org</email>
</author>
<published>2024-12-31T20:41:01Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1486bb0bfcacafe5dd1c2f3add7b92e57f7e1ff2'/>
<id>urn:sha1:1486bb0bfcacafe5dd1c2f3add7b92e57f7e1ff2</id>
<content type='text'>
These tests create a linked list with one entry for every group on the
running system.  On a system with about 30,000 groups, the test took 69
seconds to run, and crashed Kyua with the below error:

kyua: E: string or blob too big (sqlite op: sqlite3_bind_blob) (sqlite db: /root/.kyua/store/results.usr_tests.20241231-203317-570235.db).

Fix the test by limiting it to operating on the first 1024 groups.
Apply the same change to getpw_test and getserv_test too, which are
vulnerable to the same problem.

Sponsored by:	ConnectWise
Reviewed by:	markj
Differential Revision: https://reviews.freebsd.org/D48275

(cherry picked from commit d11904b350214943dedb64c7121d4602799d7afd)
</content>
</entry>
</feed>
