FreeBSD has fixed six vulnerabilities that could allow you to elevate your system privileges or gain access to kernel data. Issues are fixed in 12.0-RELEASE-p8, 11.2-RELEASE-p12 and 11.3-RELEASE-p1 updates.
- - a bug in the close call handler for file descriptors created via the posix_openpt system call can lead to writing to already freed kernel memory areas (write-after-free). A local attacker could use the vulnerability to gain root privileges or exit the jail environment;
- - the lack of proper validation of values when processing environment variables in the telnet client code can lead to a buffer overflow when accessing a malicious server and organizing a code execution attack on the client side;
- - A bug in the implementation of freebsd32_ioctl can leak areas of kernel memory that could potentially contain residual data from the terminal buffer or file cache;
- - the ability to initiate a counter overflow in the mqueuefs pseudo-FS, which can be used to gain access to files, directories and sockets of other processes owned by other users. Among other things, the problem can be used to exit the jail and, if there is root access in the jail, to obtain root privileges in the main system;
- — an error in checking the values of the 'epid' and 'streamid' parameters in the XHCI device emulation code in the bhyve hypervisor allows determining memory values outside the allocated buffer or initiating a system crash;
- - Leaking the counter of references to UNIX socket descriptors used to transfer privileges between processes, can be used to gain root access or exit the jail environment.
Source: opennet.ru
