Allele Security Alert
ASA-2019-00468
Identifier(s)
ASA-2019-00468, CVE-2019-5606, FreeBSD-SA-19:13.pts
Title
pts write-after-free
Vendor(s)
The FreeBSD Project
Product(s)
FreeBSD
Affected version(s)
All supported versions of FreeBSD
Fixed version(s)
2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE)
2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8)
2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE)
2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12)
2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1)
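Added example, not part of the original alert or of FreeBSD's own tooling: a POSIX sh check that classifies a version string in the format printed by `freebsd-version -k` against the fixed patch levels listed above. The function name `pts_fix_status`, its result strings and the sample inputs are assumptions made for this example. -STABLE builds are reported as `check-date` because their fix is identified by commit date, and branches not listed in this alert are reported as `unknown`.

```shell
#!/bin/sh
# Added example: compare a FreeBSD version string with the patch levels
# this alert lists as fixed for CVE-2019-5606 (FreeBSD-SA-19:13.pts).
# Assumed input format: output of `freebsd-version -k`, e.g. 12.0-RELEASE-p7.

pts_fix_status() {
    ver=$1
    branch=${ver%%-*}     # text before the first '-', e.g. 12.0
    rest=${ver#*-}        # text after the first '-', e.g. RELEASE-p7

    case $rest in
        RELEASE)    plevel=0 ;;                  # no patch level applied
        RELEASE-p*) plevel=${rest#RELEASE-p} ;;
        STABLE*)    echo "check-date"; return 0 ;;  # fix is dated, not numbered
        *)          echo "unknown"; return 0 ;;
    esac

    # Refuse anything that is not a plain decimal patch level.
    case $plevel in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac

    # First fixed patch level per release branch, as listed in this alert.
    case $branch in
        12.0) fixed=8 ;;
        11.2) fixed=12 ;;
        11.3) fixed=1 ;;
        *)    echo "unknown"; return 0 ;;       # branch not covered by the alert
    esac

    if [ "$plevel" -ge "$fixed" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample inputs (not taken from real hosts).
for v in 12.0-RELEASE-p7 12.0-RELEASE-p8 11.2-RELEASE-p11 11.3-RELEASE 12.0-STABLE; do
    printf '%s\t%s\n' "$v" "$(pts_fix_status "$v")"
done
```

On a FreeBSD host the same function can be called as `pts_fix_status "$(freebsd-version -k)"`; a `check-date` result means the build date has to be compared with the stable-branch timestamps above.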
Proof of concept
Unknown
Description
The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory.
The bug permits malicious code to trigger a write-after-free, which may be used to gain root privileges or escape a jail.
Technical details
Unknown
Credits
syzkaller
Reference(s)
FreeBSD-SA-19:13.pts
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:13.pts.asc
pts.patch
https://security.FreeBSD.org/patches/SA-19:13/pts.patch
Defer funsetown() calls for a TTY to tty_rel_free().
https://svnweb.freebsd.org/base?view=revision&revision=r349805
Fix pts write-after-free.
https://svnweb.freebsd.org/base?view=revision&revision=r350282
Defer funsetown() calls for a TTY to tty_rel_free().
https://svnweb.freebsd.org/base?view=revision&revision=r349806
CVE-2019-5606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606
CVE-2019-5606
https://nvd.nist.gov/vuln/detail/CVE-2019-5606
Last modified: August 1, 2019