1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.FREEBSD.ANN

  • FreeBSD Security Advisory FreeBSD-SA-24:19.fetch

    From FreeBSD Security Advisories@21:1/5 to All on Tue Oct 29 22:00:16 2024
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-SA-24:19.fetch Security Advisory
    The FreeBSD Project

    Topic: Certificate revocation list fetch(1) option fails

    Category: core
    Module: fetch
    Announced: 2024-10-29
    Credits: Franco Fichtner
    Affects: All supported versions of FreeBSD.
    Corrected: 2024-10-09 11:49:32 UTC (stable/14, 14.1-STABLE)
    2024-10-29 18:57:00 UTC (releng/14.1, 14.1-RELEASE-p6)
    2024-10-09 11:50:06 UTC (stable/13, 13.4-STABLE)
    2024-10-29 18:57:13 UTC (releng/13.4, 13.4-RELEASE-p2)
    2024-10-29 18:57:30 UTC (releng/13.3, 13.3-RELEASE-p8)
    CVE Name: CVE-2024-45289

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    Fetch is utility used to retrieve file(s) from URL(s) specified on the command line. It supports a --crl option to specify a certificate revocation list which contains peer certificates which have been revoked.

    II. Problem Description

    The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option.

    III. Impact

    Fetch would still connect to a host presenting a certificate included in the revocation file passed to the --crl option.

    IV. Workaround

    The certificate revocation list file can be specified by the SSL_CRL_FILE fetch(3) environment variable rather than using the --crl option to fetch(1).

    V. Solution

    Upgrade your vulnerable system to a supported FreeBSD stable or
    release / security branch (releng) dated after the correction date.

    Perform one of the following:

    1) To update your vulnerable system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install

    2) To update your vulnerable system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch
    # fetch https://security.FreeBSD.org/patches/SA-24:19/fetch.patch.asc
    # gpg --verify fetch.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

    VI. Correction details

    This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

    Branch/path Hash Revision
    - ------------------------------------------------------------------------- stable/14/ 51676e0a3bd3 stable/14-n269041 releng/14.1/ 0e8bf366e6c5 releng/14.1-n267725 stable/13/ 484724578422 stable/13-n258502 releng/13.4/ 51f6c450d991 releng/13.4-n258267 releng/13.3/ 9f1314a30b4a releng/13.3-n257477
    - -------------------------------------------------------------------------

    Run the following command to see which files were modified by a
    particular commit:

    # git show --stat <commit hash>

    Or visit the following URL, replacing NNNNNN with the hash:

    <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

    To determine the commit count in a working tree (for comparison against
    nNNNNNN in the table above), run:

    # git rev-list --count --first-parent HEAD

    VII. References

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45289>

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-24:19.fetch.asc> -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmchUCkACgkQbljekB8A Gu/0RQ//fm2B2XPZPiGADBhuNeC8NsVwFqzNh/Nrxj2bUCel44kU4yGRZ0jADOD+ URW+0LDs+rOhIV2cw6fZDUwN+/dblFjZiKpQHJF42A1M90hNRfPArbCh6X2h8EAq C4Kr6M6tUByfMX2Hf0aj/QNVrar/hirNhM8ZwDXVMxDj+aBSHSUqZCzfgeTy4/nn 9DJKOaxJ6WKE9OmAEUhSNoPF6AP+ZzU0aOQCs9tUn+OqKDTxLwn0vXSTPaPw4FcR YYYIeiIKpqLhZxPhDnLh/Z/J4AleXPLZeL8VFKemopYk5Fi6HOG/f8UjC/GYoFp/ eHlEY7H1/aRUYJ6FWm4p/cGfxdJOWmkcJax6VQwBNKX23bEzQh9+4RlnE5cPbAio w4XeQybgitic/NeKhI8Jt/aFnVQah2i+O/PQRFCsDDVJGqRnjVw7+6Zvl4zEDoTP Xx96PXGCW3UZyNgqDo2jgZman1P5GLKtZg6FmGKlc/IrqijVnWfh06fI5nZ7Bo1z b8DiCGSQ/W2cL+d2ILj0illAU9g7JO3MDJOl/lchSUTg4XLUI+G201HaR9wRxSo0 SXYq23CG4Nll6b8tdC6EEnOoc4RgyQIJv+N/oML8enJ15x7teXG+JlWIf0rM2qkf Bxn8hBawdfshzuIkLf2X0J6rm8MBj/s9O3j87oD1C37dqp+E4Uo=
    =CEwj
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)