BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Security Advisory FreeBSD-SA-25:03.etcupdate

29 January, 2025 by security-advisories@freebsd.org | freebsd 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-25:03.etcupdate                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Unprivileged access to system files

Category:       core
Module:         etcupdate
Announced:      2025-01-29
Credits:        Christos Chatzaras
Affects:        All supported versions of FreeBSD.
Corrected:      2025-01-28 16:07:18 UTC (stable/14, 14.2-STABLE)
                2025-01-29 18:54:57 UTC (releng/14.2, 14.2-RELEASE-p1)
                2025-01-29 18:55:26 UTC (releng/14.1, 14.1-RELEASE-p7)
                2025-01-28 16:07:34 UTC (stable/13, 13.4-STABLE)
                2025-01-29 18:55:30 UTC (releng/13.4, 13.4-RELEASE-p3)
CVE Name:       CVE-2025-0374

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The etcupdate(8) utility is a tool for managing updates to files that are not
updated as part of ‘make installworld’ such as files in /etc.  It manages
updates by doing a three-way merge of changes made to these files against the
local versions.  It is also designed to minimize the amount of user
intervention with the goal of simplifying upgrades for clusters of machines.

II.  Problem Description

When etcupdate encounters conflicts while merging files, it saves a version
containing conflict markers in /var/db/etcupdate/conflicts.  This version does
not preserve the mode of the input file, and is world-readable.  This applies
to files that would normally have restricted visibility, such as
/etc/master.passwd.

III. Impact

An unprivileged local user may be able to read encrypted root and user
passwords from the temporary master.passwd file created in
/var/db/etcupdate/conflicts.  This is possible only when conflicts within the
password file arise during an update, and the unprotected file is deleted when
conflicts are resolved.

IV.  Workaround

No workaround is available.  Systems whose files are updated using a mechanism
other than etcupdate, such as freebsd-update(8), are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch
# fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch.asc
# gpg --verify etcupdate.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              93836ff92be8    stable/14-n270244
releng/14.2/                            c55000e7c233  releng/14.2-n269513
releng/14.1/                            b8945a926a2f  releng/14.1-n267736
stable/13/                              17e935f1f327    stable/13-n259074
releng/13.4/                            c1c180910d46  releng/13.4-n258274
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id'7470>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0374>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:03.etcupdate.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKwACgkQbljekB8A
Gu+/Zg//S1n7l9ABmKTrFKWstkDgyNplTyb8VRQ6HQtdAQSa1M5C8MUXt57wjCV0
uOilT3GwT29IzBW2EDe3m8uOGdd3n0Ti6pCn0a11HV/VXqTt7zbbLNSPs7soTWVs
oIsig0wmw/oZ2+ZkOvZG19ae99NdLzrV6YSK8NpdnOqwnTiZtN0cxCEdzhAQVznL
omYwXjw7todZ1mskECDuaFrw+1R6K2Aw0lpauveNcsGewjV85IML6G3sPKYMJJCq
E51LZ/1AfkQ+DDae+BVrGpvocf8YtR1p9Af8nSq16/WKKn4bwsVqFDf+fDpLpHW6
W7P+Ng4KDKMPX7D/ObzTECKJLuhP3f0yZkkOrypIXFC5M34lbmyqJvR4tB7uJeNU
uqlD9RNbKY652isbIRZKz5L8gnZpFK0IUTHhcGOpTw8dfF19CsfE2jHoI/7fs8rC
RqMRCHo2dlPMP1xHTWfsgS3BYNJgC99CF1VCgpj2PuwQ3tP+CnQ5Ed2tvdTRrPjA
/IL3DzH/5hUIhHUPPPnw7m4PHUduXJyG1gvv998oIVw4Q7AXTcTGYU4fLZrEvBY7
r4Zgpy8WkdRYMJHfdlrmSJNf3r2isrVXosw5PLbwBRw1k+V2KlxBRo6YjglbakU/
LEmgLL7D4BrMHUBjqe1m1wff3Urz41tRTQr/IaBjeXxI6jlwDDM`Xo
-----END PGP SIGNATURE-----