openssl: Fix multiple vulnerabilities
This is a rollup commit from upstream to fix:
Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
See https://openssl-library.org/news/secadv/ for additional details.
Approved by: so
Obtained from: OpenSSL
Security: FreeBSD-SA-26:01.openssl
Security: CVE-2025-15467
Security: CVE-2025-68160
[6 lines not shown]
vfs: Don't clobber namei flags in vn_open_cred()
Otherwise NAMEILOOKUP is cleared. More generally it seems quite
surprising that the flags set by vn_open_cred() callers are not
automatically preserved. Modify open2nameif() such that it takes
already-set namei flags into account.
Approved by: so
Reviewed by: olce, kib
Fixes: 7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision: https://reviews.freebsd.org/D50531
(cherry picked from commit e05e33041c252dc236939683c01ca4b7b083562c)
(cherry picked from commit a66767844690dfd82e14df2d22bd9bc40e46546b)
namei: Make stackable filesystems check harder for jail roots
Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount. The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.
This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.
Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface. That
is, add a flag to indicate that containerof can be used to get the full
[13 lines not shown]
arm64: Correctly align the SVE signal context
The SVE signal context needs to be correctly aligned. Fix this by
creating a new macro to calculate the needed size to provide this
alignment, and use it when setting and checking the saved SVE signal
context.
Approved by: so
Security: FreeBSD-EN-26:02.arm64
Reported by: cperciva
Reviewed by: cperciva, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D54396
(cherry picked from commit a9e77eb7016df70723c208fc09fbd01ec23a732d)
(cherry picked from commit bcd6bb8067d13d28d13a309e32818cda9e0d29ff)
openssl: Fix multiple vulnerabilities
This is a rollup commit from upstream to fix:
Stack buffer overflow in CMS AuthEnvelopedData parsing (CVE-2025-15467)
Heap out-of-bounds write in BIO_f_linebuffer on short writes (CVE-2025-68160)
Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (CVE-2025-69418)
Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (CVE-2025-69419)
Missing ASN1_TYPE validation in TS_RESP_verify_response() function (CVE-2025-69420)
NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (CVE-2025-69421)
Missing ASN1_TYPE validation in PKCS#12 parsing (CVE-2026-22795)
ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (CVE-2026-22796)
See https://openssl-library.org/news/secadv/ for additional details.
Approved by: so
Obtained from: OpenSSL
Security: FreeBSD-SA-26:01.openssl
Security: CVE-2025-15467
Security: CVE-2025-68160
[6 lines not shown]
vfs: Don't clobber namei flags in vn_open_cred()
Otherwise NAMEILOOKUP is cleared. More generally it seems quite
surprising that the flags set by vn_open_cred() callers are not
automatically preserved. Modify open2nameif() such that it takes
already-set namei flags into account.
Approved by: so
Reviewed by: olce, kib
Fixes: 7587f6d4840f ("namei: Make stackable filesystems check harder for jail roots")
Differential Revision: https://reviews.freebsd.org/D50531
(cherry picked from commit e05e33041c252dc236939683c01ca4b7b083562c)
(cherry picked from commit a66767844690dfd82e14df2d22bd9bc40e46546b)
namei: Make stackable filesystems check harder for jail roots
Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount. The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.
This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.
Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface. That
is, add a flag to indicate that containerof can be used to get the full
[13 lines not shown]
arm64: Correctly align the SVE signal context
The SVE signal context needs to be correctly aligned. Fix this by
creating a new macro to calculate the needed size to provide this
alignment, and use it when setting and checking the saved SVE signal
context.
Approved by: so
Security: FreeBSD-EN-26:02.arm64
Reported by: cperciva
Reviewed by: cperciva, markj
Sponsored by: Arm Ltd
Differential Revision: https://reviews.freebsd.org/D54396
(cherry picked from commit a9e77eb7016df70723c208fc09fbd01ec23a732d)
(cherry picked from commit bcd6bb8067d13d28d13a309e32818cda9e0d29ff)
