Our favorite operating system is now changing the default shell (ksh) to enforce not allowing invalid NUL characters in input that will be parsed as parts of the script.

The commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date:       2024-09-23 21:18:33

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2024/09/23 15:18:33

Modified files:
	bin/ksh        : shf.c 

Log message:
If during parsing lines in the script, ksh finds a NUL byte on the
line, it should abort ("syntax error: NUL byte unexpected").  There
appears to be one piece of software which is misinterpreting guidance
of this, and trying to depend upon embedded NUL.  During research,
every shell we tested has one or more cases where a NUL byte in the
input or inside variable contents will create divergent behaviour from
other shells.  (ie. gets converted to a space, is silently skipped, or
aborts script parsing or later execution).  All the shells are written
in C, and majority of them use C strings for everything, which means
they cannot embed a NUL, so this is not surprising.  It is quite
unbelievable there are people trying to rewrite history on a lark, and
expecting the world to follow alone.

Read more…

Theo de Raadt (deraadt@) updated the version of OpenBSD -current to "7.6-current".

Those running the latest-and-greatest [via a sufficiently new snapshot or built from source] no longer need to use "-D snap" with pkg_add(1) (and pkg_info(1)).

The OpenBSD project has announced OpenBSD 7.6, its 57^th release.

The new release contains a number of significant improvements, including but not limited to:

• There is initial support for Qualcomm Snapdragon X Elite [arm64] laptops.
• Initial support for Suspend-to-Idle has been added on amd64 and i386, enabling suspend on machines which do not support S3.
• UDP parallel input has been enabled. [See earlier report]
• Libva's VA-API (Video Acceleration API) was imported into xenocara. [See earlier report]
• The default write format for tar(1) has changed to "pax". [See earlier report]
• pfctl(8) and systat(1) now display fragment reassembly statistics. [See earlier report]
• A configurable passphrase timeout for disk decryption at boot (a potential battery lifesaver) has been added. [See earlier report]
• Local-to-anchor tables are now available in pf(4) rules. [See earlier report]
• rport(4), a driver providing point-to-point interfaces for layer 3 connectivity between rdomain(4) instances, has been added.
• dhcp6leased(8), a DHCPv6 client daemon for IPv6 PD has been added. [See earlier report]
• dhclient(8) has been removed (now that dhcpleased(8) is well established). [See earlier report]
• OpenSSH 9.9, featuring:
  • sshd(8) has been split into multiple binaries. [See earlier report]
  • Options to penalize undesirable behavior [See earlier report]
  • support for a new hybrid post-quantum key exchange [See earlier report]

and of course there is the full changelog which details the changes made over this latest six month development cycle.

Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8) to upgrade their systems.

Now please dive in and enjoy the new release, and while the installer runs, please do donate to the project to support further development and more future goodies for us all!

Qualys has discovered that OpenBSD suffers from multiple authentication bypass and local privilege escalation vulnerabilities.

Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.

This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution. This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.