Home / mailings FreeBSD Security Advisory FreeBSD-SA-25:03.etcupdate
Posted on 29 January 2025
FreeBSD security notificat=============================================================================FreeBSD-SA-25:03.etcupdate Security Advisory
The FreeBSD Project
Topic: Unprivileged access to system files
Category: core
Module: etcupdate
Announced: 2025-01-29
Credits: Christos Chatzaras
Affects: All supported versions of FreeBSD.
Corrected: 2025-01-28 16:07:18 UTC (stable/14, 14.2-STABLE)
2025-01-29 18:54:57 UTC (releng/14.2, 14.2-RELEASE-p1)
2025-01-29 18:55:26 UTC (releng/14.1, 14.1-RELEASE-p7)
2025-01-28 16:07:34 UTC (stable/13, 13.4-STABLE)
2025-01-29 18:55:30 UTC (releng/13.4, 13.4-RELEASE-p3)
CVE Name: CVE-2025-0374
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The etcupdate(8) utility is a tool for managing updates to files that are not
updated as part of ‘make installworld' such as files in /etc. It manages
updates by doing a three-way merge of changes made to these files against the
local versions. It is also designed to minimize the amount of user
intervention with the goal of simplifying upgrades for clusters of machines.
II. Problem Description
When etcupdate encounters conflicts while merging files, it saves a version
containing conflict markers in /var/db/etcupdate/conflicts. This version does
not preserve the mode of the input file, and is world-readable. This applies
to files that would normally have restricted visibility, such as
/etc/master.passwd.
III. Impact
An unprivileged local user may be able to read encrypted root and user
passwords from the temporary master.passwd file created in
/var/db/etcupdate/conflicts. This is possible only when conflicts within the
password file arise during an update, and the unprotected file is deleted when
conflicts are resolved.
IV. Workaround
No workaround is available. Systems whose files are updated using a mechanism
other than etcupdate, such as freebsd-update(8), are unaffected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch
# fetch https://security.FreeBSD.org/patches/SA-25:03/etcupdate.patch.asc
# gpg --verify etcupdate.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/14/ 93836ff92be8 stable/14-n270244
releng/14.2/ c55000e7c233 releng/14.2-n269513
releng/14.1/ b8945a926a2f releng/14.1-n267736
stable/13/ 17e935f1f327 stable/13-n259074
releng/13.4/ c1c180910d46 releng/13.4-n258274
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277470>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0374>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:03.etcupdate.asc>
