bsd

EuroBSDCon 2024 presentations

EuroBSDCon 2024 [in Dublin, Ireland] has now ended, and slides for many of the OpenBSD developer presentations are now available in the usual place.

Video of the individual presentations can be expected somewhat later. In the meantime, OpenBSD-related presentations [including those from non-developers] can be found in the recordings of the "Foyer B" streams.

In addition, there was a full day PF tutorial with some updates to the publicly available slides.




bsd

OpenBSD now enforcing no invalid NUL characters in shell scripts

Our favorite operating system is changing its default shell (ksh) to reject invalid NUL characters in input that will be parsed as part of a script.

The commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date:       2024-09-23 21:18:33

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2024/09/23 15:18:33

Modified files:
	bin/ksh        : shf.c 

Log message:
If during parsing lines in the script, ksh finds a NUL byte on the
line, it should abort ("syntax error: NUL byte unexpected").  There
appears to be one piece of software which is misinterpreting guidance
of this, and trying to depend upon embedded NUL.  During research,
every shell we tested has one or more cases where a NUL byte in the
input or inside variable contents will create divergent behaviour from
other shells.  (ie. gets converted to a space, is silently skipped, or
aborts script parsing or later execution).  All the shells are written
in C, and majority of them use C strings for everything, which means
they cannot embed a NUL, so this is not surprising.  It is quite
unbelievable there are people trying to rewrite history on a lark, and
expecting the world to follow alone.





bsd

OpenBSD -current is now "7.6-current"

Theo de Raadt (deraadt@) updated the version of OpenBSD -current to "7.6-current".

Those running the latest-and-greatest [via a sufficiently new snapshot or built from source] no longer need to use "-D snap" with pkg_add(1) (and pkg_info(1)).




bsd

OpenBSD 7.6 Released

The OpenBSD project has announced OpenBSD 7.6, its 57th release.

The new release contains a number of significant improvements, including but not limited to:

  • There is initial support for Qualcomm Snapdragon X Elite [arm64] laptops.
  • Initial support for Suspend-to-Idle has been added on amd64 and i386, enabling suspend on machines which do not support S3.
  • UDP parallel input has been enabled. [See earlier report]
  • Libva's VA-API (Video Acceleration API) was imported into xenocara. [See earlier report]
  • The default write format for tar(1) has changed to "pax". [See earlier report]
  • pfctl(8) and systat(1) now display fragment reassembly statistics. [See earlier report]
  • A configurable passphrase timeout for disk decryption at boot (a potential battery lifesaver) has been added. [See earlier report]
  • Local-to-anchor tables are now available in pf(4) rules. [See earlier report]
  • rport(4), a driver providing point-to-point interfaces for layer 3 connectivity between rdomain(4) instances, has been added.
  • dhcp6leased(8), a DHCPv6 client daemon for IPv6 PD has been added. [See earlier report]
  • dhclient(8) has been removed (now that dhcpleased(8) is well established). [See earlier report]
  • OpenSSH 9.9, featuring:

and of course there is the full changelog which details the changes made over this latest six month development cycle.

Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8) to upgrade their systems.

Now please dive in and enjoy the new release, and while the installer runs, please do donate to the project to support further development and more future goodies for us all!




bsd

From Proxmox to FreeBSD: story of a migration

It’s the start of the work week, so for the IT administrators among us, I have another great article by friend of the website, Stefano Marinelli. This article covers migrating a Proxmox-based setup to FreeBSD with bhyve.

The load is not particularly high, and the machines have good performance. Suddenly, however, I received a notification: one of the NVMe drives died abruptly, and the server rebooted. ZFS did its job, and everything remained sufficiently secure, but since it’s a leased server and already several years old, I spoke with the client and proposed getting more recent hardware and redoing the setup based on a FreeBSD host.

↫ Stefano Marinelli

If you’re interested in moving one of your own setups, or one of your clients’ setups, from Linux to FreeBSD, this is a great place to start and get some ideas, tips, and tricks. Like I said, it’s Monday, and you need to get to work.




bsd

NetBSD: the portable, lightweight, and robust UNIX-like operating system

NetBSD is an open-source, Unix-like operating system known for its portability, lightweight design, and robustness across a wide array of hardware platforms. Initially released in 1993, NetBSD was one of the first open-source operating systems based on the Berkeley Software Distribution (BSD) lineage, alongside FreeBSD and OpenBSD. NetBSD’s development has been led by a collaborative community and is particularly recognized for its “clean” and well-documented codebase, a factor that has made it a popular choice among users interested in systems programming and cross-platform compatibility.

↫ André Machado

I’m not really sure what to make of this article, since it mostly reads like an advertisement for NetBSD, but considering NetBSD is one of the lesser-talked-about variants of an operating system family that already sadly plays second fiddle to the Linux behemoth, I don’t think giving it some additional attention is really hurting anybody. The article still gives a solid overview of the history and strengths of NetBSD, which makes it a good introduction.

I have personally never tried NetBSD, but it’s on my list of systems to try out on my PA-RISC workstation since from what I’ve heard it’s the only BSD which can possibly load up X11 on the Visualize FX10pro graphics card it has (OpenBSD can only boot to a console on this GPU). While I could probably coax some cobbled-together Linux installation into booting X11 on it, where’s the fun in that?

Do any of you lovely readers use NetBSD for anything? FreeBSD and even OpenBSD are quite well represented as general purpose operating systems in the kinds of circles we all frequent, but I rarely hear about people using NetBSD other than explicitly because it supports some outdated, arcane architecture in 2024.




bsd

LXer: FreeBSD To See Better Laptop Support With Investment Backed By AMD, Dell & Framework

Published at LXer: Following AMD and FreeBSD Foundation collaborations and the Sovereign Tech Fund making a big investment into FreeBSD, the FreeBSD Foundation and Quantum Leap Research have...



  • Syndicated Linux News

bsd

LXer: HardenedBSD and Protectli Partner to Build a Censorship-Resistant Mesh Network

Published at LXer: The HardenedBSD Foundation has partnered with Protectli, a manufacturer of open-source firewall appliances, to develop a censorship- and surveillance-resistant mesh network. ...




bsd

LXer: Germany's Sovereign Tech Fund throws cash at FreeBSD and Samba

Published at LXer: Germany's Sovereign Tech Fund (STF), which is backed by the Federal Ministry for Economic Affairs and Climate Action, is funding open source work again. This time, the recipients...




bsd

BSD Foreign Exchange - Video 2018






Street riding at its finest! This is what the new BSD "Foreign Exchange" Video shows you, in which the BSD worldwide team rider Craig Sime and the filmer Johnny Ashworth met our bro Felix Donat last autumn in Germany, to produce this masterpiece of video in the streets of Karlsruhe and Stuttgart.
You definitely have to check their video out!


Enjoy the video, your kunstform BMX Shop Team!



Video: Jonny Ashworth



subscribe to our youtube channel: https://www.youtube-nocookie.com/kunstformbmxshop




bsd

NEW BSD 2019 Parts - In stock!



We now have the new BSD 2019 BMX parts in stock, for example the BSD "Freedom" 2019 BMX Frame, Kriss Kyle's signature frame, which was designed and manufactured according to his wishes and riding style for modern and technical riding in all terrains. The BSD "Freedom" 2019 BMX Frame is made from best quality, 100% Sanko Japanese seamless 4130 CrMo and has a steep 75° head tube paired with a new investment cast wishbone, seatstay bridge and 7mm thick dropouts with built-in chain tensioners.

Also now in stock is the BSD "Soulja V3" 2019 BMX Frame, Dan Paley's signature frame, which was designed and manufactured according to his wishes and riding style for top modern and technical Pro level street riding. The BSD "Soulja V3" 2019 BMX Frame is made from best quality, partially heat treated 100% Sanko Japanese seamless 4130 CrMo; its steep 75.2° head tube, paired with a short rear end and an 11.7" high bottom bracket, makes this high quality street frame very maneuverable. Furthermore, this street frame includes high quality investment cast dropouts with chain tensioners and an integrated seat clamp, and comes as a brakeless version.

Check our online-shop for more new BSD products!



Have fun!



All the best,

Your kunstform BMX Shop Team




bsd

New BSD 2020 BMX products now in stock



The first shipment of BSD products for 2020 has arrived. Lots of rad new parts and colors. Check 'em out below...





bsd

Fiend Type B / WTP Pathfinder / Vans Larry Edgar / BSD



Yeah, spring is comin closer! Perfect that we were able to get the last Fiend Type B 2019 BMX bikes and Felix Prangenberg's signature wethepeople Pathfinder 2019 BMX frames which we can offer now for a great special price. Also the first parts of the Vans Spring 2020 collection, in which none other than BMX Pro Larry Edgar has a signature line and the new 2020 colors and BMX parts from BSD arrived.




bsd

Felix Donat - BSD No Worries BMX Street Video





When the world was still in order, our bro Felix Donat flew into the BMX Street Paradise a.k.a. Barcelona in order to escape the cold temperatures in Germany, to have a good time and to film for a new BSD clip. Pressing play really feels like a vacation. Sun, good mood, a mellow soundtrack and finest BMX street tech moves can only make you happy!

Have fun with the video, your kunstform BMX Shop Team!

Video: Franck Saint Simon





bsd

BSD 2022 BMX Parts - In Stock



Yes, the first shipment of new BSD BMX parts has finally arrived at our shops. Including the famous Revolution freecoaster hubs and new colorways of great frames like the ALVX.




bsd

BSD Forever - New Parts



The first shipment of brand new BSD 2023 products has arrived in our stock! Included are, new frame and tire colors, the 4-piece "Safari" and 2-piece "ALVX" handlebars, the new "Mondo" seats and much more! Check it out...




bsd

Hardy launches HIBSD Bench Scale with display

Bright, integrated backlit display enables easy operation for weighing applications.




bsd

UNIX BSD Linux SunOS HP-UX & Perl Man Pages: man Page

man pages for UNIX, BSD, Linux, SunOS, HP-UX, AIX, Minux, Ultrix, Plan9, Darwin, XFree86, & Perl Man & Info Pages, plus Application manuals




bsd

QBSD announces Distribution Agreement with Repeat Software

Repeat Software, a UK software developer, has awarded distribution to QBS Distribution ("QBSD"), a European software distributor based in Wembley, London.




bsd

Cubature method to solve BSDEs: Error expansion and complexity control

Jean-Francois Chassagneux and Camilo A. Garcia Trillos
Math. Comp. 89 (2020), 1895-1932.




bsd

A Feynman–Kac result via Markov BSDEs with generalised drivers

Elena Issoglio, Francesco Russo.

Source: Bernoulli, Volume 26, Number 1, 728--766.

Abstract:
In this paper, we investigate BSDEs where the driver contains a distributional term (in the sense of generalised functions) and derive general Feynman–Kac formulae related to these BSDEs. We introduce an integral operator to give sense to the equation and then we show the existence of a strong solution employing results on a related PDE. Due to the irregularity of the driver, the $Y$-component of a couple $(Y,Z)$ solving the BSDE is not necessarily a semimartingale but a weak Dirichlet process.




bsd

FreeBSD Security Advisory - FreeBSD-SA-18:13.nfs

FreeBSD Security Advisory - Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet. A remote attacker could cause the NFS server to crash, resulting in a denial of service, or possibly execute arbitrary code on the server.




bsd

FreeBSD Security Advisory - FreeBSD-SA-18:14.bhyve

FreeBSD Security Advisory - Insufficient bounds checking in one of the device models provided by bhyve(8) can permit a guest operating system to overwrite memory in the bhyve(8) process, possibly permitting arbitrary code execution. A guest OS using a firmware image can cause the bhyve process to crash, or possibly execute arbitrary code on the host as root.




bsd

FreeBSD Intel SYSRET Privilege Escalation

This Metasploit module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:03.wpa

FreeBSD Security Advisory - Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8) implementations.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:07.mds

FreeBSD Security Advisory - On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure. An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).




bsd

FreeBSD rtld execl() Privilege Escalation

This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.




bsd

Linux / FreeBSD TCP-Based Denial Of Service

Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed "SACK Panic," allows a remotely-triggered kernel panic on recent Linux kernels. There are patches that address most of these vulnerabilities. If patches cannot be applied, certain mitigations will be effective.




bsd

Qualys Security Advisory - OpenBSD Authentication Bypass / Privilege Escalation

Qualys has discovered that OpenBSD suffers from multiple authentication bypass and local privilege escalation vulnerabilities.




bsd

Qualys Security Advisory - OpenBSD Dynamic Loader Privilege Escalation

Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.




bsd

OpenBSD Dynamic Loader chpass Privilege Escalation

This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution. This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).




bsd

OpenBSD OpenSMTPD Privilege Escalation / Code Execution

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.




bsd

FreeBSD Security Advisory - ntp Authentication Bypass

FreeBSD Security Advisory - Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. FreeBSD 9.3 and 10.1 are not affected. Various other issues have also been addressed.





bsd

FreeBSD Security Advisory - FreeBSD-SA-19:08.rack

FreeBSD Security Advisory - While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service. An attacker with the ability to send specially crafted TCP traffic to a victim system can degrade network performance and/or consume excessive CPU by exploiting the inefficiency of traversing the potentially very large RACK linked lists with relatively small bandwidth cost.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:09.iconv

FreeBSD Security Advisory - With certain inputs, iconv may write beyond the end of the output buffer. Depending on the way in which iconv is used, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution. iconv is a libc library function and the nature of possible attacks will depend on the way in which iconv is used by applications or daemons.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:11.cd_ioctl

FreeBSD Security Advisory - To implement one particular ioctl, the Linux emulation code used a special interface present in the cd(4) driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read access to a cd(4) device to arbitrarily overwrite kernel memory when some media is present in the device. A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:10.ufs

FreeBSD Security Advisory - A bug causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. This data can be viewed by any user with read access to the directory. Additionally, a malicious user with write access to a directory can cause up to 254 bytes of kernel stack memory to be exposed. Some amount of the kernel stack is disclosed and written out to the filesystem.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:12.telnet

FreeBSD Security Advisory - Insufficient validation of environment variables in the telnet client supplied in FreeBSD can lead to stack-based buffer overflows. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client. Inbound telnet sessions to telnetd(8) are not affected by this issue. These buffer overflows may be triggered when connecting to a malicious server, or by an active attacker in the network path between the client and server. Specially crafted TELNET command sequences may cause the execution of arbitrary code with the privileges of the user invoking telnet(1).




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:14.freebsd32

FreeBSD Security Advisory - Due to insufficient initialization of memory copied to userland in the components listed above small amounts of kernel memory may be disclosed to userland processes. A user who can invoke 32-bit FreeBSD ioctls may be able to read the contents of small portions of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:15.mqueuefs

FreeBSD Security Advisory - System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. A local user can use this flaw to obtain access to files, directories, sockets etc. opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:16.bhyve

FreeBSD Security Advisory - The pci_xhci_device_doorbell() function does not validate the 'epid' and 'streamid' provided by the guest, leading to an out-of-bounds read. A misbehaving bhyve guest could crash the system or access memory that it should not be able to.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:17.fd

FreeBSD Security Advisory - If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file structure. A local user can exploit the bug to gain root privileges or escape from a jail.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:18.bzip2

FreeBSD Security Advisory - The decompressor used in bzip2 contains a bug which can lead to an out-of-bounds write when processing a specially crafted bzip2(1) file. bzip2recover contains a heap use-after-free bug which can be triggered when processing a specially crafted bzip2(1) file. An attacker who can cause maliciously crafted input to be processed may trigger either of these bugs. The bzip2recover bug may cause a crash, permitting a denial-of-service. The bzip2 decompressor bug could potentially be exploited to execute arbitrary code. Note that some utilities, including the tar(1) archiver and the bspatch(1) binary patching utility (used in portsnap(8) and freebsd-update(8)) decompress bzip2(1)-compressed data internally; system administrators should assume that their systems will at some point decompress bzip2(1)-compressed data even if they never explicitly invoke the bunzip2(1) utility.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:19.mldv2

FreeBSD Security Advisory - The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:20.bsnmp

FreeBSD Security Advisory - A function extracting the length from type-length-value encoding is not properly validating the submitted length. A remote user could cause, for example, an out-of-bounds read, decoding of unrelated data, or trigger a crash of the software such as bsnmpd resulting in a denial of service.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:21.bhyve

FreeBSD Security Advisory - The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets. When TCP segmentation offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage. A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:22.mbuf

FreeBSD Security Advisory - Due to a missing check in the code of m_pulldown(9), data returned may not be contiguous as requested by the caller. Extra checks in the IPv6 code catch the error condition and trigger a kernel panic leading to a remote DoS (denial-of-service) attack with certain Ethernet interfaces. At this point it is unknown if any other than the IPv6 code paths can trigger a similar condition.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:23.midi

FreeBSD Security Advisory - The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer. The races allow a program to read kernel memory within a 4GB window centered at midistat's data buffer. The buffer is allocated each time the device is opened, so an attacker is not limited to a static 4GB region of memory. On 32-bit platforms, an attempt to trigger the race may cause a page fault in kernel mode, leading to a panic.




bsd

FreeBSD Security Advisory - FreeBSD-SA-19:24.mqueuefs

FreeBSD Security Advisory - System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. A local user can use this flaw to obtain access to files, directories, sockets, etc., opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.