-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

============================================================================= FreeBSD-EN-22:06.libalias Errata Notice
The FreeBSD Project

Topic: Incorrect fragmented IPv4 packet handling in libalias

Category: core
Module: libalias
Announced: 2022-01-11
Affects: All supported versions of FreeBSD.
Corrected: 2022-01-09 22:04:56 UTC (stable/13, 13.0-STABLE)
2022-01-11 18:15:02 UTC (releng/13.0, 13.0-RELEASE-p6)
2022-01-09 23:06:52 UTC (stable/12, 12.3-STABLE)
2022-01-11 18:19:32 UTC (releng/12.3, 12.3-RELEASE-p1)

Note: This errata notice does not update FreeBSD 12.2. FreeBSD 12.2
users affected by this update should upgrade to FreeBSD 12.3.

For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The libalias(3) library is a collection of functions for aliasing and dealiasing of IPv4 packets, intended for masquerading and network
address translation (NAT). Additionally, libalias(3) includes modules
to support protocols that require additional logic to support address translation.

libalias(3) is used by several FreeBSD networking components: ng_nat(4), ipfw(4) and natd(8).

II. Problem Description

The patch committed for SA-20:12.libalias introduced additional
validation of TCP, UDP and ICMP protocol headers. This validation
failed to take into account the possibility of IP packet fragmentation,
and could cause libalias(3) to return the PKT_ALIAS_IGNORED status code
for the first fragment of a packet, rather than applying aliasing rules.

III. Impact

Depending on the configuration of the consumer, this bug may cause
fragmented packets to be dropped, or may cause further processing of
fragments without aliasing rules applied. For example, if the NG_NAT_DENY_INCOMING flag is set on an ng_nat(4) node, fragments will be unconditionally dropped. Similarly, if the "deny_in" flag is set for an ipfw(4) NAT rule, fragments will be unconditionally dropped.

IV. Workaround

No workaround is available. Only systems using NAT via ng_nat(4),
ipfw(4) NAT rules, or natd(8) are affected. Systems leveraging pf(4) or
ipf(4) to perform NAT are not affected.

V. Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.13.patch
# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.13.patch.asc
# gpg --verify libalias.13.patch.asc

[FreeBSD 12.3]
# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.12.patch
# fetch https://security.FreeBSD.org/patches/EN-22:06/libalias.12.patch.asc
# gpg --verify libalias.12.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches:

Branch/path Hash Revision
- ------------------------------------------------------------------------- stable/13/ ec746e619578 stable/13-n248913 releng/13.0/ 4378aee9f82f releng/13.0-n244772 stable/12/ r371477 releng/12.3/ r371486
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258970>

The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:06.libalias.asc> -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmHd1f4ACgkQ05eS9J6n 5cLW2xAAjuMj68hzBt5aSxuRliu4wT+NdXMq/M5VWH9kHSZw2HrMfQuDY25ecwWE VAkeQoIAV/+Uz8OrVKBBqlTgxZyFxmM8a2pNBURPSeY508o7X5h8HMHECaUndqMJ dXfa2YgpUm36RQZfaKCGbBCIXUj4V+fmSFkoq87U0EXexrCim6m5tzMoBsWV7Eob KWbZObwR2PrvYSoHvdbPNWrGF/6CDu/38x9TBxPU+sT3dVa4qJyUD3D/7hhe3Onb VscwvebHNKZwaxxEJJma4xbUcOXJpOUVA/JRjphkzeX5B1Fgix1N4ae8C3ATXiZT H9OhB+AU/EtTU5rbcWjEiNckIh/icGV9lkEuqX4AXKmQHeYJEVCctY+IgcZfppzq MpY1OuDhjObvQtyuBv6up0EN/Lv2AAN8sooXIwwy00DX6ISnjtynP81huCpHLRE9 3xntY/y1JHDlNN5tFOBc+z3YNYRo5ha36UXuhi5IQvxGeN5gonW+cK3BUluK3U+Q 9ibXXaHPZ6V1nowksU1A72RGR2B+axYb7KrNzg+20I/rmjl0t2ZBtULMq1WWks/w nLGY/Wb0uaK7GUiUte8l4ggm0oISGIa0ICCV3OogBeaytsWB0fi2atKJxvMuMvPT XXj+zrqPw33nMu9mf0ClWQwiXWD8AKi3kFgfi6o9aC5zWd1LlCY=
=qTdA
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)