Releases: MidnightBSD/src
2.2.0
MidnightBSD 2.2
6/7/2022
I’m happy to announce the availability of MidnightBSD 2.2 for amd64 and i386. This release focused on updating third party software in the base system and some smaller enhancements.
Upgrade Process
(you can also do this with svnlite using github)
Install git if you don’t have it already
mport install git
Fetch MidnightBSD from git via github.com/midnightbsd/src.git (assumes you don’t have /usr/src populated)
git clone https://github.com/MidnightBSD/src.git
Checkout the stable/2.2 branch
git checkout stable/2.2
cd /usr/src; make clean buildworld buildkernel;
mergemaster -p
make installkernel
reboot
(if it works OK, login and go to /usr/src)
make installworld
mergemaster -iU
mport index
Update installed mports/packages.
rm -rf /usr/lib/perl/5.32.0
cd /usr/src/; make check-old; then run make delete-old and finally make installworld
When you are done, verify that Perl is updated by running perl -v
You should have Perl 5.36.0.
Bug Fixes and new features
use md library sha256 implementation for lzma
/bin/sh updated based on FreeBSD 12-stable sources
root shell changed to tcsh from csh. This adds history to the root user’s interactive shell. We may change the root shell to mksh in the future.
Introduce a patch to dummynet from pfsense to increase max value to 4Gb/s instead of 2Gb/s.
mport 2.2.0
removes use of the libdispatch / GCD dependency so we can eventually support a statically built mport.
add desktop-file-utils command to plist.
add KLD to plist handler (allows packages to define kernel modules)
Introduce type on ucl pkg messages (allows package messages on specific events)
add null check on stub detach (prevents crashing when unloading a package)
add chroot path to libexec commands and mport.list (allows a chroot for updating in a jail)
Fixed issues with desktop startup and created an initial .xinitrc file for GUI installs.
A Hyper-V vPCI emulation change can cause SR-IOV (Single-Root I/O Virtualization) and DDA (Discrete Device Assignment) devices to fail to operate correctly under Hyper-V. In recent Hyper-V releases on Windows Server 2022, the vPCI code does not initialize the last 4 bits of device registers. This behavior change could result in failure to initialize guest drivers for SR-IOV or DDA devices.
Netcat: add sctp support from FreeBSD
Add ptsname_r to libc.
Ipfilter bug fixes from FreeBSD.
Enable dbus and hald during the firstboot script (long term we want hal to go away)
Slow down the loader twiddle. (speeds up boot on VMs like AWS AMI and older hardware)
add siginfo to chflags
switch to less pager for root.
cat(1): Bring in a bug fix for the -e flag as found in FreeBSD 12 stable
Security Fixes
Update root certificates bundle
Reject execve when new argc is zero. Fixes a security issue with NULL argv[0] entries similar to the recent CVE with polkit on Linux.
Fix an integer overflow and memory leaks in OpenSSL.
netmap: Fix TOCTOU vulnerability in nmreq_copyin
The total size of the user-provided nmreq was first computed and then
trusted during the copyin. This might lead to kernel memory corruption
and escape from jails/containers.
Security: CVE-2022-23084
netmap
An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.
Security: CVE-2022-23085
The netmap_ioctl() function has a reference counting bug in case of
NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
the function does not decrease the refcount of "nmd", which is
increased by netmap_mem_find(), causing a refcount leak.
Wpa_supplicant: A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.
Binutils: The function make_relative_prefix_1 does not properly free locally
allocated memory when it returns early. Free the memory associated with the variables full_progname, bin_dirs, prog_dirs, and prefix_dirs when the function returns early.
Zlib: Fix CLEAR_HASH macro to be usable as a single statement. Fix a security issue in inflate.c
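The CLEAR_HASH item above is about a macro that expanded to two statements, so it behaved differently depending on whether the caller wrapped it in braces. The following added example (not zlib's code; the hstate struct and the two macro names are constructed stand-ins) shows the defect and the single-statement do { } while (0) form that fixes it:

```c
#include <string.h>

/* Constructed stand-in for a deflate-style state: not zlib's real struct. */
struct hstate {
    unsigned short head[8];
    unsigned hash_size;
};

/* Old shape: two statements behind one name. After an `if` without braces,
 * only the first statement is conditional; the memset runs regardless. */
#define CLEAR_HASH_TWO_STMTS(s) \
    (s)->head[(s)->hash_size - 1] = 0; \
    memset((s)->head, 0, ((s)->hash_size - 1) * sizeof(*(s)->head))

/* Fixed shape: do { } while (0) turns the macro into exactly one statement,
 * so `if (x) CLEAR_HASH(s); else ...` compiles and behaves as written. */
#define CLEAR_HASH(s) do { \
    (s)->head[(s)->hash_size - 1] = 0; \
    memset((s)->head, 0, ((s)->hash_size - 1) * sizeof(*(s)->head)); \
} while (0)

static void fill(struct hstate *s)
{
    for (unsigned i = 0; i < 8; i++)
        s->head[i] = 0x1111;
    s->hash_size = 8;
}

static int count_nonzero(const struct hstate *s)
{
    int n = 0;
    for (unsigned i = 0; i < 8; i++)
        if (s->head[i] != 0)
            n++;
    return n;
}

/* Number of head entries left untouched when the clear is guarded by `if`. */
static int survivors_two_stmts(int should_clear)
{
    struct hstate s;
    fill(&s);
    if (should_clear)
        CLEAR_HASH_TWO_STMTS(&s);   /* memset still runs when should_clear is 0 */
    return count_nonzero(&s);
}

static int survivors_single_stmt(int should_clear)
{
    struct hstate s;
    fill(&s);
    if (should_clear)
        CLEAR_HASH(&s);             /* nothing runs when should_clear is 0 */
    return count_nonzero(&s);
}
```

With the two-statement form and the condition false, seven of the eight entries are wiped anyway; only the entry the first (conditional) statement targets survives. The do/while form leaves all eight intact.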
3rd Party Software
Perl 5.36.0
Libucl 0.8.1
tzdata 2022a
lua 5.3.6
subversion 1.14.1
expat 2.47
sqlite 3.38.2 (also enabled math functions)
OpenSSH 8.8p1
zlib 1.2.12
update libucl
Hardware
Update pci vendor ids
add libusb_has_capability to libusb
The 802.11 beacon handling routine failed to validate the length of an
IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers
allocated a buffer of a caller-specified size, but copied to it a fixed size
header. Other heap content would be overwritten if the specified size was
too small.
bhyve
The e1000 network adapters permit a variety of modifications to an Ethernet
packet when it is being transmitted. These include the insertion of IP and
TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
offload ("TSO"). The e1000 device model uses an on-stack buffer to generate
the modified packet header when simulating these modifications on transmitted
packets.
When checksum offload is requested for a transmitted packet, the e1000 device
model used a guest-provided value to specify the checksum offset in the on-
stack buffer. The offset was not validated for certain packet types.
The hard-coded size for state region 1 (SSE/XMM) was incorrect.
Known Issues
mport package manager - On systems with a large number of packages installed, an mport upgrade can run out of file descriptors.
OpenSSL is quite out of date. We had planned to update this for the release, but ran into some issues with GELI. Instead, we backported some public patches to our OpenSSL version. We will continue to work on this and do another release when available. Please use the mports version of OpenSSL for any software you build.
2.1.8
netmap: Fix TOCTOU vulnerability in nmreq_copyin
The total size of the user-provided nmreq was first computed and then
trusted during the copyin. This might lead to kernel memory corruption
and escape from jails/containers.
Security: CVE-2022-23084
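The nmreq_copyin TOCTOU described here (and in the identical 2.2 entry above) is a double fetch: a length is read from user memory to size a buffer, then read again to drive the copy, and a racing user thread can change it in between. The following is an added example, not netmap's code: the request layout, copyin_sim() and the race hook are constructed to simulate the pattern in user space, and the vulnerable variant reports that its copy would overrun instead of actually doing so.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REQ 4096

/* Constructed request layout (not netmap's struct): fixed header, then body_len bytes. */
struct req_hdr {
    uint32_t version;
    uint32_t body_len;
};

/* Simulated user memory; the "kernel" code below reads it only through copyin_sim(). */
static unsigned char user_mem[MAX_REQ];

/* Runs after every copyin_sim(); stands in for a second user thread racing the kernel. */
static void (*race_hook)(void);

static int copyin_sim(void *dst, size_t uoff, size_t len)
{
    if (uoff > sizeof user_mem || len > sizeof user_mem - uoff)
        return -1;                              /* EFAULT equivalent */
    memcpy(dst, user_mem + uoff, len);
    if (race_hook)
        race_hook();
    return 0;
}

/* Vulnerable shape: the header is fetched twice. Fetch 1 sizes the allocation,
 * fetch 2 drives the copy, so a change in between desynchronises the two.
 * Rather than run the overflowing copy, this version only records that it would. */
static int req_copyin_double_fetch(int *would_overflow)
{
    struct req_hdr h1, h2;
    *would_overflow = 0;
    if (copyin_sim(&h1, 0, sizeof h1) != 0)
        return -1;
    size_t alloc = sizeof h1 + h1.body_len;     /* size taken from fetch 1 */
    if (alloc > MAX_REQ)
        return -1;
    unsigned char *kbuf = malloc(alloc);
    if (kbuf == NULL)
        return -1;
    if (copyin_sim(&h2, 0, sizeof h2) != 0) {   /* fetch 2, trusted for the copy */
        free(kbuf);
        return -1;
    }
    memcpy(kbuf, &h2, sizeof h2);
    if (sizeof h2 + (size_t)h2.body_len > alloc)
        *would_overflow = 1;                    /* real code would write past kbuf here */
    else
        (void)copyin_sim(kbuf + sizeof h2, sizeof h2, h2.body_len);
    free(kbuf);
    return 0;
}

/* Hardened shape: fetch the header once, keep it in kernel memory and derive every
 * size from that copy. A racer can still change body contents, never the length. */
static int req_copyin_single_fetch(unsigned char **out, size_t *out_len)
{
    struct req_hdr h;
    if (copyin_sim(&h, 0, sizeof h) != 0)
        return -1;
    if (h.body_len > MAX_REQ - sizeof h)
        return -1;
    size_t total = sizeof h + h.body_len;
    unsigned char *kbuf = malloc(total);
    if (kbuf == NULL)
        return -1;
    memcpy(kbuf, &h, sizeof h);                 /* reuse the already-fetched header */
    if (copyin_sim(kbuf + sizeof h, sizeof h, h.body_len) != 0) {
        free(kbuf);
        return -1;
    }
    *out = kbuf;
    *out_len = total;
    return 0;
}

/* Constructed fixture: a 16-byte body, and a racer that rewrites body_len to 2000
 * right after the first copyin, then disarms itself. */
static void racer_grow_body_len(void)
{
    struct req_hdr h = { 1, 2000 };
    memcpy(user_mem, &h, sizeof h);
    race_hook = NULL;
}

static void setup_request(void)
{
    struct req_hdr h = { 1, 16 };
    memset(user_mem, 0xAB, sizeof user_mem);
    memcpy(user_mem, &h, sizeof h);
    race_hook = racer_grow_body_len;
}

/* 1 if the double-fetch variant would have overflowed its buffer under the race. */
static int demo_double_fetch_overflows(void)
{
    int overflow = 0;
    setup_request();
    return req_copyin_double_fetch(&overflow) == 0 ? overflow : -1;
}

/* Bytes the single-fetch variant copied under the same race (header + 16). */
static long demo_single_fetch_len(void)
{
    unsigned char *buf = NULL;
    size_t len = 0;
    setup_request();
    if (req_copyin_single_fetch(&buf, &len) != 0)
        return -1;
    free(buf);
    return (long)len;
}
```

The detection point for reviewers is any ioctl path that dereferences user memory more than once for the same field; the fix is always to copy it in once and validate and use only the kernel-side copy.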
netmap
An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.
Security: CVE-2022-23085
The netmap_ioctl() function has a reference counting bug in case of
NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
the function does not decrease the refcount of "nmd", which is
increased by netmap_mem_find(), causing a refcount leak.
The 802.11 beacon handling routine failed to validate the length of an
IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers
allocated a buffer of a caller-specified size, but copied to it a fixed size
header. Other heap content would be overwritten if the specified size was
too small.
bhyve
The e1000 network adapters permit a variety of modifications to an Ethernet
packet when it is being transmitted. These include the insertion of IP and
TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
offload ("TSO"). The e1000 device model uses an on-stack buffer to generate
the modified packet header when simulating these modifications on transmitted
packets.
When checksum offload is requested for a transmitted packet, the e1000 device
model used a guest-provided value to specify the checksum offset in the on-
stack buffer. The offset was not validated for certain packet types.
2.1.7
2.1.6
2.1.5
2.1.4
2.1.3
2.1.2
2.1.1
2.1.0
MidnightBSD 2.1
I’m happy to announce the availability of MidnightBSD 2.1 for amd64 and i386. This is an incremental release focusing on bug fixes, improvements to the package manager and a new system compiler.
LLVM updated to 10.0.1
mport 2.1.4
Upgrade Process
Install git if you don’t have it already
mport install git
Fetch MidnightBSD from git via github.com/midnightbsd/src.git (assumes you don’t have /usr/src populated)
git clone https://github.com/MidnightBSD/src.git
Checkout the stable/2.1 branch
git checkout stable/2.1
cd /usr/src; make clean buildworld buildkernel;
mergemaster -p
make installkernel
reboot
(if it works OK, login and go to /usr/src)
make installworld
mergemaster -iU
cd /usr/src/usr.bin/perl; make; make install;
Update installed mports/packages
cd /usr/src/; make check-old; make delete-old
Bug Fixes and new features
The majority of improvements come from the MidnightBSD package manager, mport. A number of longstanding bugs have been fixed. It now can update dependencies properly on install, update or upgrade scenarios. Previously, it would sometimes crash and force the user to do it manually. Several fixes have been made around PLIST processing.
mport now sets a character encoding so that extracting files with libarchive with special characters is more likely to work properly without a crash occurring. (lang/go port is a fun trigger of this bug)
libmport no longer relies on libdispatch. This is slower in a few scenarios, but most invocations are now faster as it doesn't need to set up the thread pools or do the locking it once did. This makes sense as package installs have a lot of serial code paths. Also fixed many memory leaks as well as some use-after-free and invalid free calls against the wrong pointer. We're now using sha256 for hashing plist entries installed.
We now generate an os-release file on system startup in /var/run
Fixed issue where looking at some man pages would cause man to crash in MidnightBSD.
A bug in the firstboot script was corrected that referenced an invalid package name.
burncd was removed.
Fixed some temp file handling bugs
Fixed some problems with libcxxrt and rtld in MidnightBSD that would cause strange problems with 32-bit binaries.
Fix the buggy mdnsd 'mdns' sed in the /etc/rc.d/mdnsd script that would often cause it to fail to modify /etc/nsswitch.conf on system startup as needed.
libcasper(3) creates service processes by forking the calling process, so they initially inherit the calling process' file descriptor table. Casper services expect the lowest 3 file descriptors, traditionally corresponding to standard input, output, and error, are redirected to /dev/null. libcasper(3) ensures this is the case. However, it did not handle the possibility that one of them is closed, and this scenario would trigger an assertion failure during service creation, resulting in a crash.
Security Fixes
Apache Portable Runtime CVE workaround. CVE-2021-35940
A programming error in the Linux compatibility layer futex(2) system call might allow attackers to cause a denial of service.
Certain VirtIO-based device models failed to handle errors when fetching I/O descriptors. Such errors could be triggered by a malicious guest. As a result, the device model code could be tricked into operating on uninitialized I/O vectors, leading to memory corruption.
The ggatec(8) daemon does not validate the size of a response before writing it to a fixed-sized buffer. This allows the stack of ggatec(8) to be overwritten.
The passive mode in FTP communication allows an out-of-bounds read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for *p == '\0' one byte too late because p++ was already performed.
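The libfetch item above is an off-by-one in the order of "check the terminator" and "advance the pointer". The parser below is an added example, not libfetch's code: parse_pasv_reply() and pasv_port_of() are constructed names, and the reply lines in the test are constructed too. The loop checks the byte strtoul stopped at before moving past it, so a reply that ends early is rejected instead of being read beyond its NUL.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Result of parsing "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)". */
struct pasv_addr {
    unsigned char ip[4];
    unsigned short port;
};

/* Returns 0 on success, -1 on any malformed or truncated reply. */
static int parse_pasv_reply(const char *line, struct pasv_addr *out)
{
    const char *p = strchr(line, '(');
    if (p == NULL)
        return -1;
    p++;

    unsigned long v[6];
    for (int i = 0; i < 6; i++) {
        char *end;
        /* strtoul would silently accept "", "+", " " or "-": insist on a digit. */
        if (*p < '0' || *p > '9')
            return -1;
        errno = 0;
        v[i] = strtoul(p, &end, 10);
        if (errno != 0 || v[i] > 255)
            return -1;
        /* Check the separator at *end BEFORE stepping past it. A premature
         * '\0' fails this test here rather than one byte later. */
        char want = (i < 5) ? ',' : ')';
        if (*end != want)
            return -1;
        p = end + 1;
    }

    for (int i = 0; i < 4; i++)
        out->ip[i] = (unsigned char)v[i];
    out->port = (unsigned short)((v[4] << 8) | v[5]);
    return 0;
}

/* Convenience wrapper: the parsed port, or -1 if the line was rejected. */
static long pasv_port_of(const char *line)
{
    struct pasv_addr a;
    if (parse_pasv_reply(line, &a) != 0)
        return -1;
    return (long)a.port;
}
```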
libcasper(3) creates service processes by forking the calling process, so they initially inherit the calling process' file descriptor table. Casper services expect the lowest 3 file descriptors, traditionally corresponding to standard input, output, and error, are redirected to /dev/null. libcasper(3) ensures this is the case. However, it did not handle the possibility that one of them is closed, and this scenario would trigger an assertion failure during service creation, resulting in a crash.
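Both libcasper(3) entries in this release (under Bug Fixes and again under Security Fixes) describe the same failure mode: the code assumed descriptors 0, 1 and 2 were open before redirecting them to /dev/null. The function below is an added example and not libcasper's implementation; redirect_std_fds_to_null() and std_fds_all_open() are constructed names. It first fills any closed slot, relying on open(2) returning the lowest free descriptor, and only then redirects all three.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Make descriptors 0, 1 and 2 all exist and point at /dev/null, tolerating
 * the case where one of them is already closed. Returns the number of slots
 * that had to be (re)opened, or -1 on error. */
static int redirect_std_fds_to_null(void)
{
    int reopened = 0;

    /* Pass 1: fill closed slots in ascending order. open() returns the lowest
     * free descriptor, so a closed fd N is handed straight back as N. */
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
            if (nfd == -1)
                return -1;
            if (nfd != fd) {            /* defensive: should not happen here */
                if (dup2(nfd, fd) == -1) {
                    close(nfd);
                    return -1;
                }
                close(nfd);
            }
            reopened++;
        }
    }

    /* Pass 2: every slot is open now, so dup2() cannot hit a closed target. */
    int rd = open("/dev/null", O_RDONLY);
    int wr = open("/dev/null", O_WRONLY);
    if (rd == -1 || wr == -1) {
        if (rd != -1) close(rd);
        if (wr != -1) close(wr);
        return -1;
    }
    int rc = 0;
    if (dup2(rd, 0) == -1 || dup2(wr, 1) == -1 || dup2(wr, 2) == -1)
        rc = -1;
    close(rd);
    close(wr);
    return rc == 0 ? reopened : -1;
}

/* 1 when descriptors 0, 1 and 2 are all open, else 0. */
static int std_fds_all_open(void)
{
    for (int fd = 0; fd <= 2; fd++)
        if (fcntl(fd, F_GETFD) == -1)
            return 0;
    return 1;
}
```

The check worth keeping in mind for any daemon or sandbox helper that forks: never assume the standard descriptors are open in the parent, because a caller that closed stdin will otherwise have the next open() land on fd 0.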
A particular case of memory sharing is mishandled in the virtual memory system. It is possible and legal to establish a relationship where multiple descendant processes share a mapping which shadows memory of an ancestor process. In this scenario, when one process modifies memory through such a mapping, the copy-on-write logic fails to invalidate other mappings of the source page. These stale mappings may remain even after the mapped pages have been reused for another purpose.
Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail.
Fix a security issue with pam. The rules would not be applied correctly.
xen fix to unmap correctly when errors occur
Fix an extattr corruption bug with ufs
Uninitialized kernel stack leaks in several file systems
Xen guests can trigger backend Out Of Memory
The root certificates of the Mozilla CA Certificate Store have been updated.
Fixed a security problem with zlib:
Handle case where inflateSync used when header never processed. If zlib and/or gzip header processing was requested, but a header was never provided and inflateSync was used successfully, then the inflate state would be inconsistent, trying to compute a check value but with no flags set. This commit sets the inflate mode to raw in this case, since there is no other assumption that can be made if a header was requested but never seen.
3rd Party Software
mandoc
LLVM 10.0.1
APR-util 1.6.1
APR 1.7.0
Subversion 1.14.0
file 5.39
sendmail 8.16.1
sqlite3 3.35.5
tzdata 2021a
libarchive 3.5.0
unbound 1.13.0
xz 5.2.5
openmp
Hardware
Added sume(4) - NetFPGA SUME 4x10Gb Ethernet driver
JMicron JMB582/JMB585 AHCI
Add deprecation notices to ctau and cx drivers
Update e1000 driver for Intel gigabit NICs
evdev - fix a panic when removing a usb mouse
ichwd - Add Atom C3000 watchdog ID
ismt - fix a left shift bug
Fix intrhook release in MFI
Add support for BCM54618SE PHY
mlx5 - Account out of buffer as dropped packets in mlx5en(4)
netmap: ixl: add CRC to outbound frames
nvme bug fixes
Sync nxge driver with FreeBSD
Don't consider PCIe hot-plug command timeout fatal
add Bitron Video AV2010/10 ZigBee USB Stick
Various bug fixes to usb, vxge
Known Issues
We're in the process of building new i386 packages as many important ones for desktop use are missing at the moment.