CVE-2019-19726: OpenBSD 6.6 Errata

OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
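The failure mode described above, as an added example that is not OpenBSD's ld.so source: a sanitizer whose unset step is only reached after a heap allocation succeeds, beside one that strips the variable in place before allocating anything. The `alloc_fails` flag, the `dup_or_null` helper, `sanitize_fragile`, `sanitize_hardened`, `run_case` and the sample environment are all constructed for this illustration; the real `_dl_setup_env` and its helpers are not reproduced.

```c
/* Added illustration, not OpenBSD's ld.so source: a miniature of the
 * CVE-2019-19726 pattern. The "fragile" sanitizer only unsets
 * LD_LIBRARY_PATH after successfully copying it to the heap, so an
 * allocation failure (a tiny RLIMIT_DATA) skips the unset. The hardened
 * version strips in place, which cannot fail, before touching the heap. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDPATH "LD_LIBRARY_PATH"

/* Test hook standing in for RLIMIT_DATA exhaustion: when set, every
 * allocation the pretend loader attempts fails. */
static bool alloc_fails = false;

static char *dup_or_null(const char *s)
{
    return alloc_fails ? NULL : strdup(s);
}

/* Index of the "NAME=value" entry in envp, or -1 if absent. */
static int env_find(char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return i;
    return -1;
}

/* Remove every "NAME=..." entry by shifting the remaining pointers down.
 * Needs no heap memory, so a resource limit cannot defeat it. */
static void env_unset_inplace(char *envp[], const char *name)
{
    int i;
    while ((i = env_find(envp, name)) >= 0) {
        int j = i;
        do {
            envp[j] = envp[j + 1];
        } while (envp[j++] != NULL);
    }
}

/* Fragile: parse first, unset only if the parse produced something.
 * Returns true when LD_LIBRARY_PATH is gone from envp afterwards. */
static bool sanitize_fragile(char *envp[], bool is_setuid)
{
    int i = env_find(envp, LDPATH);
    /* sizeof(LDPATH) == 16 skips "LD_LIBRARY_PATH=" */
    char *libpath = (i >= 0) ? dup_or_null(envp[i] + sizeof(LDPATH)) : NULL;

    if (is_setuid && libpath != NULL) {   /* never entered when the dup failed */
        free(libpath);
        libpath = NULL;
        env_unset_inplace(envp, LDPATH);
    }
    free(libpath);                        /* a real loader would use it for search */
    return env_find(envp, LDPATH) < 0;
}

/* Hardened: decide on privilege alone, strip without allocating, and only
 * then parse whatever survives. */
static bool sanitize_hardened(char *envp[], bool is_setuid)
{
    if (is_setuid)
        env_unset_inplace(envp, LDPATH);

    int i = env_find(envp, LDPATH);
    char *libpath = (i >= 0) ? dup_or_null(envp[i] + sizeof(LDPATH)) : NULL;
    free(libpath);
    return env_find(envp, LDPATH) < 0;
}

typedef bool (*sanitizer_fn)(char *[], bool);

/* Run one sanitizer on a constructed environment (sample data, not a real
 * process image), optionally under simulated allocation failure.
 * Returns true if LD_LIBRARY_PATH was stripped. */
static bool run_case(sanitizer_fn fn, bool is_setuid, bool oom)
{
    char *env[] = {
        "HOME=/home/user",
        "LD_LIBRARY_PATH=/tmp/attacker",  /* constructed attacker-controlled value */
        "PATH=/bin:/usr/bin",
        NULL,
    };
    alloc_fails = oom;
    bool stripped = fn(env, is_setuid);
    alloc_fails = false;
    return stripped;
}

int main(void)
{
    printf("fragile,  setuid, memory ok : %s\n",
           run_case(sanitize_fragile, true, false) ? "stripped" : "LEFT IN PLACE");
    printf("fragile,  setuid, alloc fail: %s\n",
           run_case(sanitize_fragile, true, true) ? "stripped" : "LEFT IN PLACE");
    printf("hardened, setuid, alloc fail: %s\n",
           run_case(sanitize_hardened, true, true) ? "stripped" : "LEFT IN PLACE");
    return 0;
}
```

Compile with `cc -Wall` and run; the second line shows the variable surviving into what would be a setuid process's environment. The check to carry into any privileged loader or wrapper: the privilege decision and the strip must not sit behind an operation that can fail, and the strip itself must be an operation that cannot fail (pointer shuffling in the existing array, not a copy).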



Patches for the OpenBSD base system are distributed as unified diffs. Each patch is cryptographically signed with the signify(1) tool and contains usage instructions. All the following patches are also available in one tar.gz file for convenience.

Alternatively, the syspatch(8) utility can be used to apply binary updates on the following architectures: amd64, i386, arm64.

Patches for supported releases are also incorporated into the -stable branch.

  • 001: RELIABILITY FIX: October 28, 2019 All architectures
    bpf(4) has a race condition during device removal.
    A source code patch exists which remedies this problem.
  • 002: RELIABILITY FIX: October 28, 2019 All architectures
    Various third party applications may crash due to symbol collision.
    A source code patch exists which remedies this problem.
  • 003: RELIABILITY FIX: October 31, 2019 All architectures
    bgpd(8) can crash on nexthop changes or during startup in certain configurations.
    A source code patch exists which remedies this problem.
  • 004: RELIABILITY FIX: November 16, 2019 All architectures
    The kernel could crash due to a NULL pointer dereference in net80211.
    A source code patch exists which remedies this problem.
  • 005: RELIABILITY FIX: November 16, 2019 All architectures
    A new kernel may require newer firmware images when using sysupgrade.
    A source code patch exists which remedies this problem.
  • 006: SECURITY FIX: November 16, 2019 All architectures
    A regular user could change some network interface parameters due to missing checks in the ioctl(2) system call.
    A source code patch exists which remedies this problem.
  • 007: SECURITY FIX: November 22, 2019 i386 and amd64
    A local user could cause the system to hang by reading specific registers when Intel Gen8/Gen9 graphics hardware is in a low power state. A local user could perform writes to memory that should be blocked with Intel Gen9 graphics hardware.
    A source code patch exists which remedies this problem.
  • 008: SECURITY FIX: November 22, 2019 All architectures
    Shared memory regions used by some Mesa drivers had permissions which allowed others to access that memory.
    A source code patch exists which remedies this problem.
  • 009: SECURITY FIX: December 4, 2019 All architectures
    Environment-provided paths are used for dlopen() in mesa, resulting in escalation to the auth group in xlock(1).
    A source code patch exists which remedies this problem.
  • 010: SECURITY FIX: December 4, 2019 All architectures
    libc’s authentication layer performed insufficient username validation.
    A source code patch exists which remedies this problem.
  • 011: SECURITY FIX: December 4, 2019 All architectures
    xenodm uses the libc authentication layer incorrectly.
    A source code patch exists which remedies this problem.
  • 012: SECURITY FIX: December 8, 2019 All architectures
    A user can log in with a different user’s login class.
    A source code patch exists which remedies this problem.
  • 013: SECURITY FIX: December 11, 2019 All architectures
    ld.so may fail to remove the LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID executables in low memory conditions (CVE-2019-19726).
    A source code patch exists which remedies this problem.
  • 014: SECURITY FIX: December 18, 2019 arm64
    ARM64 CPUs speculatively execute instructions after ERET.
    A source code patch exists which remedies this problem.
  • 015: SECURITY FIX: December 20, 2019 All architectures
    ftp(1) will follow remote redirects to local files.
    A source code patch exists which remedies this problem.
  • 016: SECURITY FIX: December 20, 2019 All architectures
    ripd(8) fails to validate authentication lengths.
    A source code patch exists which remedies this problem.
  • 017: SECURITY FIX: January 17, 2020 i386 and amd64
    Execution Unit state was not cleared on context switch with Intel Gen9 graphics hardware.
    A source code patch exists which remedies this problem.
  • 018: RELIABILITY FIX: January 30, 2020 All architectures
    smtpd can crash on opportunistic TLS downgrade, causing a denial of service.
    A source code patch exists which remedies this problem.
  • 019: SECURITY FIX: January 30, 2020 All architectures
    An incorrect check allows an attacker to trick mbox delivery into executing arbitrary commands as root and lmtp delivery into executing arbitrary commands as an unprivileged user.
    A source code patch exists which remedies this problem.
  • 020: SECURITY FIX: February 17, 2020 amd64
    A missing range check in the vmm pvclock allows a guest to write to host memory.
    A source code patch exists which remedies this problem.
  • 021: SECURITY FIX: February 24, 2020 All architectures
    An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
    A source code patch exists which remedies this problem.
  • 022: RELIABILITY FIX: March 10, 2020 All architectures
    Missing input validation in sysctl(2) can be used to crash the kernel.
    A source code patch exists which remedies this problem.
  • 023: RELIABILITY FIX: March 13, 2020 All architectures
    Local outbound UDP broadcast or multicast packets sent by a spliced socket can crash the kernel.
    A source code patch exists which remedies this problem.
  • 024: SECURITY FIX: April 7, 2020 All architectures
    dhcpd could reference freed memory after releasing a lease with an unusually long uid.
    A source code patch exists which remedies this problem.
  • 025: SECURITY FIX: April 19, 2020 i386, amd64, arm64, loongson, macppc, sparc64
    There was an incorrect test for root in the DRM Linux compatibility code.
    A source code patch exists which remedies this problem.
  • 026: RELIABILITY FIX: May 10, 2020 All architectures
    ospfd could generate corrupt OSPF Router (Type 1) LSAs in certain situations.
    A source code patch exists which remedies this problem.
  • 027: SECURITY FIX: May 13, 2020 All architectures
    An out-of-bounds index access in wscons(4) can cause a kernel crash.
    A source code patch exists which remedies this problem.
  • 028: SECURITY FIX: May 22, 2020 All architectures
    Specially crafted queries may crash unbound and unwind. Both can be tricked into amplifying an incoming query.
    A source code patch exists which remedies this problem.
  • 029: SECURITY FIX: June 1, 2020 All architectures
    Several problems in Perl’s regular expression compiler could lead to corruption of the intermediate language state of a compiled regular expression.
    A source code patch exists which remedies this problem.
  • 030: SECURITY FIX: June 5, 2020 All architectures
    Malicious HID descriptors could be misparsed.
    A source code patch exists which remedies this problem.
  • 031: RELIABILITY FIX: June 8, 2020 All architectures
    libc’s resolver could get into a corrupted state.
    A source code patch exists which remedies this problem.
  • 032: RELIABILITY FIX: June 11, 2020 All architectures
    libcrypto may fail to build a valid certificate chain due to expired untrusted issuer certificates.
    A source code patch exists which remedies this problem.
  • 033: SECURITY FIX: July 9, 2020 All architectures
    shmget IPC_STAT leaked some kernel data.
    A source code patch exists which remedies this problem.
  • 034: RELIABILITY FIX: July 16, 2020 All architectures
    tty subsystem abuse can impact performance badly.
    A source code patch exists which remedies this problem.
  • 035: RELIABILITY FIX: July 22, 2020 All architectures
    Only pty devices need reprint delays.
    A source code patch exists which remedies this problem.
  • 036: SECURITY FIX: July 27, 2020 All architectures
    In iked, incorrect use of EVP_PKEY_cmp allows an authentication bypass.
    A source code patch exists which remedies this problem.
  • 037: SECURITY FIX: July 31, 2020 All architectures
    Malformed messages can cause heap corruption in the X Input Method client implementation in libX11.
    A source code patch exists which remedies this problem.
  • 038: SECURITY FIX: July 31, 2020 All architectures
    Pixmaps inside the xserver were an info leak.
    A source code patch exists which remedies this problem.
  • 039: RELIABILITY FIX: August 7, 2020 All architectures
    The recent security errata 037 broke X11 input methods.
    A source code patch exists which remedies this problem.
  • 040: SECURITY FIX: August 25, 2020 All architectures
    An integer overflow in libX11 could lead to a double free. A regression in ximcp is also fixed.
    A source code patch exists which remedies this problem.
  • 041: SECURITY FIX: August 25, 2020 All architectures
    Various X server extensions had deficient input validation.
    A source code patch exists which remedies this problem.
  • 042: SECURITY FIX: September 5, 2020 amd64, arm64
    A buffer overflow was discovered in an amdgpu ioctl.
    A source code patch exists which remedies this problem.

Related news

glibc ld.so Local Privilege Escalation

Qualys discovered a buffer overflow vulnerability, dubbed Looney Tunables, in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c.
