<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/lib, branch stable/13</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=stable%2F13</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=stable%2F13'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-04-28T19:36:05Z</updated>
<entry>
<title>libnv: switch fd_wait() from select(2) to poll(2)</title>
<updated>2026-04-28T19:36:05Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:35:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=4acc2b5c61a7be9bbd88fe601a9bc0a044060d79'/>
<id>urn:sha1:4acc2b5c61a7be9bbd88fe601a9bc0a044060d79</id>
<content type='text'>
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is &gt;= FD_SETSIZE
(1024).

Approved by:	so
Security:	FreeBSD-SA-26:16.libnv
Security:	CVE-2026-39457
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56689
</content>
</entry>
<entry>
<title>libarchive: Update configuration</title>
<updated>2026-04-23T09:45:52Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-04-18T08:25:31Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=170f7d2168a227ea1fb58f20fe543ac22d4635f2'/>
<id>urn:sha1:170f7d2168a227ea1fb58f20fe543ac22d4635f2</id>
<content type='text'>
PR:		294577
MFC after:	1 week
Reviewed by:	mm
Differential Revision:	https://reviews.freebsd.org/D56468

(cherry picked from commit 05bbe5e3883492dd2afa52039da1fac45c5059a0)
</content>
</entry>
<entry>
<title>libarchive: merge from vendor branch</title>
<updated>2026-04-23T09:45:11Z</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2026-04-13T13:47:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=184dafb54c69fa9873e09c852f7de9c7db7458fd'/>
<id>urn:sha1:184dafb54c69fa9873e09c852f7de9c7db7458fd</id>
<content type='text'>
libarchive 3.8.7

Important bugfixes:
 #2871 libarchive: fix handling of option failures
 #2897 iso9660: fix undefined behavior
 #2898 RAR: fix LZSS window size mismatch after PPMd block
 #2900 CAB: fix NULL pointer dereference during skip
 #2911 libarchive: do not continue with truncated numbers
 #2919 CAB: Fix Heap OOB Write in CAB LZX decoder
 #2934 iso9660: fix possible heap buffer overflow on 32-bit systems
 #2939 cpio: Fix -R memory leak
 #2947 libarchive: lzop and grzip filter support

Important bugfixes between 3.8.5 and 3.8.6:
 #2860 bsdunzip: fix ISO week year and Gregorian year confusion
 #2864 7zip: fix SEGV in check_7zip_header_in_sfx via ELF offset validation
 #2875 7zip: fix out-of-bounds access on ELF 64-bit header
 #2877 RAR5 reader: fix infinite loop in rar5 decompression
 #2878 mtree reader: Fix file descriptor leak in mtree parser cleanup
       (CWE-775)
 #2892 RAR5 reader: fix potential memory leak
 #2893 RAR5: fix SIGSEGV when archive_read_support_format_rar5 is called
       twice
 #2895 CAB reader: fix memory leak on repeated calls to
       archive_read_support_format_cab

Obtained from:	libarchive
Vendor commit:	ded82291ab41d5e355831b96b0e1ff49e24d8939
MFC after:	1 week

(cherry picked from commit eb5165bb491138f60d9004bc4c781490016d9288)
</content>
</entry>
<entry>
<title>pkru: Fix handling of 1GB largepage mappings</title>
<updated>2026-04-21T15:43:53Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-31T13:37:43Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=b8fc561930689d167d831e79a77f72726302db76'/>
<id>urn:sha1:b8fc561930689d167d831e79a77f72726302db76</id>
<content type='text'>
pmap_pkru_update_range() did not handle the case where a PDPE has PG_PS
set.  More generally, the SET_PKRU and CLEAR_PKRU sysarch
implementations did not check whether the request covers a "boundary" vm
map entry.  Fix this, add the missing PG_PS test, and add some tests.

Approved by:	so
Security:	FreeBSD-SA-26:11.amd64
Security:	CVE-2026-6386
Reported by:	Nicholas Carlini &lt;npc@anthropic.com&gt;
Reviewed by:	kib, alc
Differential Revision:	https://reviews.freebsd.org/D56184
</content>
</entry>
<entry>
<title>libc: Add missing MLINK for stravis(3)</title>
<updated>2026-04-12T05:59:39Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-04-07T11:04:37Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=10417355a767f69325e2955dd3a6d44a32e5714e'/>
<id>urn:sha1:10417355a767f69325e2955dd3a6d44a32e5714e</id>
<content type='text'>
MFC after:	1 week
Fixes:		8dfeba04eb36 ("Update to a June 8th snapshot of (un)vis form NetBSD.")
Reviewed by:	ziaee
Differential Revision:	https://reviews.freebsd.org/D56260

(cherry picked from commit a09d06bc5bff64baab76220a66c3501b89899134)
</content>
</entry>
<entry>
<title>contrib/expat: import expat 2.7.5</title>
<updated>2026-04-05T05:37:13Z</updated>
<author>
<name>Philip Paeps</name>
<email>philip@FreeBSD.org</email>
</author>
<published>2026-04-02T00:12:18Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=75767bb212946444a4ab7a5570a20d836ab964dd'/>
<id>urn:sha1:75767bb212946444a4ab7a5570a20d836ab964dd</id>
<content type='text'>
Changes: https://github.com/libexpat/libexpat/blob/R_2_7_5/expat/Changes
         https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes

Security:	CVE-2026-32776
Security:	CVE-2026-32777
Security:	CVE-2026-32778
Security:	CVE-2026-24515
Security:	CVE-2026-25210

(cherry picked from commit ae04c7bbf065278687fa930e81a96767e9009d38)
</content>
</entry>
<entry>
<title>rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()</title>
<updated>2026-03-26T01:30:00Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-24T02:12:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=99ec7f9b9e4836733fbfeea272422a4d0d7adfd8'/>
<id>urn:sha1:99ec7f9b9e4836733fbfeea272422a4d0d7adfd8</id>
<content type='text'>
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:	so
Security:	FreeBSD-SA-26:08.rpcsec_gss
Security:	CVE-2026-4747
Reported by:	Nicholas Carlini &lt;npc@anthropic.com&gt;
Reviewed by:	rmacklem
Fixes:		a9148abd9da5d

(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
</content>
</entry>
<entry>
<title>libiscsiutil: Record dependency on libmd</title>
<updated>2026-03-05T08:06:43Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-28T18:11:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=f2f74aeca53098e702733ee1f0831783e90c51f8'/>
<id>urn:sha1:f2f74aeca53098e702733ee1f0831783e90c51f8</id>
<content type='text'>
MFC after:	3 days
Fixes:		6378393308bc ("Add an internal libiscsiutil library.")
Sponsored by:	Klara, Inc.
Sponsored by:	NetApp, Inc.
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D55596

(cherry picked from commit 05ca4837a3e9a413aabcf005abb14fff35088476)
</content>
</entry>
<entry>
<title>system(3): Clarify return values</title>
<updated>2026-03-04T14:46:04Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-25T21:12:36Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c1788a925a93223dbd78f8c9988b4a296428b951'/>
<id>urn:sha1:c1788a925a93223dbd78f8c9988b4a296428b951</id>
<content type='text'>
Our manual page currently states that system() will return 127 if it
fails to execute the shell.  The actual return value is, to quote POSIX,
“as if the command language interpreter had terminated using exit(127)
or _exit(127)”.

MFC after:	1 week
Sponsored by:	Klara, Inc.
Reviewed by:	bnovkov, kevans
Differential Revision:	https://reviews.freebsd.org/D55483

(cherry picked from commit 7305604b29d3db29c9bb5de6e7a25829fb541d1e)
</content>
</entry>
<entry>
<title>libfetch: Gracefully skip unsupported protocols</title>
<updated>2026-02-26T04:03:52Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-21T01:18:18Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=783cec744b9025d4a0d933b39ee95b0085b677c3'/>
<id>urn:sha1:783cec744b9025d4a0d933b39ee95b0085b677c3</id>
<content type='text'>
If socket() fails because the address family or protocol is unsupported,
just continue with the next address.

MFC after:	1 week
Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D55407

(cherry picked from commit b5d570e711da1dad303312bebaf1bd2fb720f0dc)
</content>
</entry>
</feed>
