Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
> 1a/ we set the LD_LIBRARY_PATH environment variable to one single dot (the current working directory) and approximately ARG_MAX colons (the maximum number of bytes for the argument and environment list); as described in man ld.so:
> 1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *) (2MB on amd64, 1MB on i386); as described in man setrlimit:
[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.
> I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.
Some more info in replies, such as https://marc.info/?l=oss-security&m=157554332429760&w=2.
U2F support in OpenSSH
OpenBSD 6.5 released
> We are pleased to announce the official release of OpenBSD 6.5. This is our 46th release.
XSA-294 - x86 shadow: Insufficient TLB flushing when using PCID
> Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 (and in particular its Meltdown sub-issue). This enablement implied changes to the TLB flushing logic. One aspect which was overlooked is the safety of switching between shadow pagetables, which previously relied on the unconditional flushing of a write to CR3.
> With PCID enabled, a switch of shadow pagetable for a 64bit PV guest fails to invalidate the linear mappings of the previous shadow pagetable. As a result, subsequent accesses to the shadow pagetables may be deemed to be safe by the shadow logic (based on the old shadow pagetable) but fault when made in practice.
default to OXTABS off
> Almost all terminals now support hardware tabs so default to OXTABS off.
The future is here!
wump: incorrect wumpus movement probability
> The computation of wumpus movement probability in games/wump/wump.c has a parenthesis problem that causes it not to work the way it evidently is meant to.
Multiple telnet.c overflows
> When a telnet server requests environment options the sprintf on line 1002 will not perform bounds checking and causes an overflow of stack buffer temp defined at line 990. This issue can be trivially fixed using a patch to add bounds checking to sprintf such as with a call to snprintf();
What is dead may never die.
Better handle automatic column width assignments
> Modified files:
> usr.bin/mandoc : out.c
> Log message:
> Better handle automatic column width assignments in the presence of horizontal spans, by implementing a moderately difficult iterative algoritm. The benefit is that spans containing long text no longer cause an excessive width of their starting column.
Also, use unicode for drawing: https://marc.info/?l=openbsd-cvs&m=154338047707592&w=2
And some other assorted commits that are fun.
WireGuard: Secure Network Tunnel
> WireGuard is a secure network tunnel written especially for Linux, which has faced around three years of serious development, deployment, and scrutiny. It delivers excellent performance and is extremely easy to use and configure. It has been designed with the primary goal of being both easy to audit by virtue of being small and highly secure from a cryptography and systems security perspective. WireGuard is used by some massive companies pushing enormous amounts of traffic, and likely already today you’ve consumed bytes that at some point transited through a WireGuard tunnel. Even as an out-of-tree module, WireGuard has been integrated into various userspace tools, Linux distributions, mobile phones, and data centers. There are ports in several languages to several operating systems, and even commercial hardware and services sold integrating WireGuard. It is time, therefore, for WireGuard to be properly integrated into Linux.
> How about we add another new permission! This is not a hardware permission, but a software permission. It is opportunistically enforced by the kernel.
> the permission is MAP_STACK. If you want to use memory as a stack, you must mmap it with that flag bit.
Standards state a contract or implication
In reference to the inquiry, gettimeofday(2) does not conform to POSIX.1-2008?
> Standards state a contract or implication: *if* you, the developer follow _these_ rules, *then* the standardized item will follow _these_other_ rules (if compliant). If you violate the implication, then the standard no longer applies and you have lost the guarantees of the standard.
Nice summary of the standards situation. If you color inside the lines, you get a pretty picture. If you don’t, you don’t.
OpenBSD syspatches for one release in the future.
> Errata patches will continue to be generated for 2 releases.
> The mechanism is like a userland ‘stackghost’ in the function prologue and epilogue. The preamble XOR’s the return address at top of stack with the stack pointer value itself.
Lower VM_MAX_USER_ADDRESS to finalize work-around for Ryzen bug
A good summary of the bug affecting Ryzen CPUs.
Add deprecation notices for all rcmd tools
If you’re still using rcp, you should not be. At all.
KARL - kernel address randomized link
> Over the last three weeks I’ve been working on a new randomization
feature which will protect the kernel.
randomize the link order of .o files in the kernel
> As a result, the internal layout of every newly build bsd kernel is different from past kernels.
vmm(4)/vmd(8) support for seabios and linux guests
> This should be enough for people to create images and help find and
OpenBSD errata - wifi mitm vulnerability
> A malicious access point can trick an OpenBSD client using WPA1 or WPA2 into connecting to this malicious AP instead of the desired AP. When this attack is used successfully the OpenBSD client will send and accept unencrypted frames.