Add initial 2023 advisories.

.github/workflows/schema-validation.yml

@@ -0,0 +1,42 @@
+name: Schema Validation
+
+on:
+  pull_request:
+    paths:
+      - '**.yaml'
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '**.yaml'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repo
+      uses: actions/checkout@v3
+
+    - name: Setup Node.js environment
+      uses: actions/setup-node@v3
+      with:
+        node-version: '18'
+
+    - name: Install dependencies
+      run: |
+        npm install -g ajv-cli js-yaml ajv-keywords ajv-formats
+
+    - name: Download schema
+      run: |
+        curl https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json --output schema.json
+
+    - name: Validate YAML files
+      run: |
+        for file in $(find . -name "*.yaml"); do
+          if [[ $file != *'false_positives.yaml' ]]; then
+            echo "validating $file"
+            npx js-yaml $file > temp.json
+            ajv validate -s schema.json --spec draft2020 -d temp.json -c ajv-formats -c ajv-keywords --strict=false
+          fi
+        done

.gitignore

@@ -0,0 +1,2 @@
+*.json
+.idea

README.md

@@ -1,2 +1,25 @@
-# midnightbsd-vulns
+# MidnightBSD Security Advisory Database
 MidnightBSD Security Advisories - Vulnerability Disclosure
+
+Advisories live in the [vulns](vulns/) directory and use a YAML encoding of the
+[OSV format](https://ossf.github.io/osv-schema/).
+
+## Contributing advisories
+
+### Making a pull request
+
+Existing entries can be edited by simply creating a pull request.
+
+To introduce a new entry, create a pull request with a new file that has a name matching MNBSD-<latest-id.txt + 1>-<anything>.yaml.
+
+Increment the file `latest-id.txt` in your pull request.
+
+MidnightBSD operating system vulnerabilities for the base system should
+be put in the `vulns/midnightbsd` directory.
+
+mport package manager security advisories should be put in the `vulns/mport` directory.
+
+### Triage process
+
+Vulnerabilities should be pulled from a source like Github or the [NVD CVE](https://nvd.nist.gov/vuln/data-feeds) feeds.
+These will be properly vetted, and approved.

latest-id.txt

@@ -0,0 +1 @@
+2023-6

triage/false_positives.yaml

@@ -0,0 +1,3 @@
+ids:
+
+packages:

vulns/midnightbsd/MNBSD-2023-0.yaml

@@ -0,0 +1,56 @@
+id: MNBSD-2023-0
+details: utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.
+summary: Buffer overflow in telnetd allows remote code execution
+affected:
+  - package:
+      name: telnetd
+      ecosystem: MidnightBSD
+    ranges:
+      - type: ECOSYSTEM
+        events:
+          - introduced: 0.1.0
+          - fixed: 3.0.1
+    versions:
+      - 0.1.0
+      - 0.1.1
+      - 0.2.0
+      - 0.2.1
+      - 0.3.0
+      - 0.4.0
+      - 0.5.0
+      - 0.6.0
+      - 0.7.0
+      - 0.8.0
+      - 0.9.0
+      - 1.0.0
+      - 1.1.0
+      - 1.2.0
+      - 2.0.0
+      - 2.0.1
+      - 2.0.2
+      - 2.1.0
+      - 2.1.1
+      - 2.2.0
+      - 2.2.1
+      - 2.2.2
+      - 2.2.3
+      - 2.2.4
+      - 2.2.5
+      - 2.2.6
+      - 2.2.7
+      - 2.2.8
+      - 3.0.0
+      -
+references:
+  - type: WEB
+    url: https://nvd.nist.gov/vuln/detail/CVE-2020-10188
+  - type: WEB
+    url: https://github.com/krb5/krb5-appl/blob/d00cd671dfe945791b33d4f1f6a5c57ae1667ef8/telnet/telnetd/utility.c#L205-L216
+  - type: WEB
+    url: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
+  - type: WEB
+    url: https://github.com/MidnightBSD/src/commit/db4d8bca9d3c1922a921d0ec5036a28b25332433
+aliases:
+  - CVE-2020-10188
+modified: "2023-04-03T01:17:00.600Z"
+published: "2023-04-03T02:22:58.600Z"

vulns/midnightbsd/MNBSD-2023-1.yaml

@@ -0,0 +1,46 @@
+id: MNBSD-2023-1
+summary: Fixed X.400 address type confusion in X.509 GeneralName
+details: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.
+  When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
+  Found by David Benjamin (Google). Fix developed by Hugo Landau.
+affected:
+  - package:
+      name: openssl
+      ecosystem: MidnightBSD
+    ranges:
+      - type: ECOSYSTEM
+        events:
+          - introduced: 2.0
+          - fixed: 3.1.2
+    versions:
+      - 2.0.0
+      - 2.0.1
+      - 2.0.2
+      - 2.1.0
+      - 2.1.1
+      - 2.2.0
+      - 2.2.1
+      - 2.2.2
+      - 2.2.3
+      - 2.2.4
+      - 2.2.5
+      - 2.2.6
+      - 2.2.7
+      - 2.2.8
+      - 3.0.0
+      - 3.0.1
+      - 3.0.2
+      - 3.0.3
+      - 3.0.4
+      - 3.0.5
+      - 3.1.0
+      - 3.1.1
+references:
+  - type: WEB
+    url: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
+  - type: WEB
+    url: https://github.com/MidnightBSD/src/commit/fae47427305375221e4e8d49f1027c53e8770430
+aliases:
+  - CVE-2023-0286
+modified: "2023-04-03T01:17:00.600Z"
+published: "2023-04-03T02:22:58.600Z"

vulns/midnightbsd/MNBSD-2023-2.yaml

@@ -0,0 +1,45 @@
+id: MNBSD-2023-2
+summary: Timing Oracle in RSA Decryption
+details: A timing based side channel exists in the OpenSSL RSA Decryption
+  implementation.
+affected:
+  - package:
+      name: openssl
+      ecosystem: MidnightBSD
+    ranges:
+      - type: ECOSYSTEM
+        events:
+          - introduced: 2.0
+          - fixed: 3.1.2
+    versions:
+      - 2.0.0
+      - 2.0.1
+      - 2.0.2
+      - 2.1.0
+      - 2.1.1
+      - 2.2.0
+      - 2.2.1
+      - 2.2.2
+      - 2.2.3
+      - 2.2.4
+      - 2.2.5
+      - 2.2.6
+      - 2.2.7
+      - 2.2.8
+      - 3.0.0
+      - 3.0.1
+      - 3.0.2
+      - 3.0.3
+      - 3.0.4
+      - 3.0.5
+      - 3.1.0
+      - 3.1.1
+references:
+  - type: WEB
+    url: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
+  - type: WEB
+    url: https://github.com/MidnightBSD/src/commit/fae47427305375221e4e8d49f1027c53e8770430
+aliases:
+  - CVE-2022-4304
+modified: "2023-04-03T01:17:00.600Z"
+published: "2023-04-03T02:22:58.600Z"

vulns/midnightbsd/MNBSD-2023-3.yaml

@@ -0,0 +1,51 @@
+id: MNBSD-2023-3
+summary: Double free after calling PEM_read_bio_ex
+details: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
+  decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
+  data.  If the function succeeds then the "name_out", "header" and "data"
+  arguments are populated with pointers to buffers containing the relevant
+  decoded data. The caller is responsible for freeing those buffers. It is
+  possible to construct a PEM file that results in 0 bytes of payload data. In
+  this case PEM_read_bio_ex() will return a failure code but will populate the
+  header argument with a pointer to a buffer that has already been freed.
+affected:
+  - package:
+      name: openssl
+      ecosystem: MidnightBSD
+    ranges:
+      - type: ECOSYSTEM
+        events:
+          - introduced: 2.0
+          - fixed: 3.1.2
+    versions:
+      - 2.0.0
+      - 2.0.1
+      - 2.0.2
+      - 2.1.0
+      - 2.1.1
+      - 2.2.0
+      - 2.2.1
+      - 2.2.2
+      - 2.2.3
+      - 2.2.4
+      - 2.2.5
+      - 2.2.6
+      - 2.2.7
+      - 2.2.8
+      - 3.0.0
+      - 3.0.1
+      - 3.0.2
+      - 3.0.3
+      - 3.0.4
+      - 3.0.5
+      - 3.1.0
+      - 3.1.1
+references:
+  - type: WEB
+    url: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
+  - type: WEB
+    url: https://github.com/MidnightBSD/src/commit/fae47427305375221e4e8d49f1027c53e8770430
+aliases:
+  - CVE-2022-4450
+modified: "2023-04-03T01:17:00.600Z"
+published: "2023-04-03T02:22:58.600Z"

vulns/midnightbsd/MNBSD-2023-4.yaml

@@ -0,0 +1,44 @@
+id: MNBSD-2023-4
+summary: Make sure target username is initialized in doas
+details: This is a minor fix to the previous check that handled multiple usernames with a single UID. It was possible for the target username in this case to not be properly initialised (depending on code path and compiler settings)/ Helmat has introduced a correction for this to make sure the target name is always initialized properly.
+affected:
+  - package:
+      name: doas
+      ecosystem: MidnightBSD
+    ranges:
+      - type: ECOSYSTEM
+        events:
+          - introduced: 2.0
+          - fixed: 3.1.2
+    versions:
+      - 2.0.0
+      - 2.0.1
+      - 2.0.2
+      - 2.1.0
+      - 2.1.1
+      - 2.2.0
+      - 2.2.1
+      - 2.2.2
+      - 2.2.3
+      - 2.2.4
+      - 2.2.5
+      - 2.2.6
+      - 2.2.7
+      - 2.2.8
+      - 3.0.0
+      - 3.0.1
+      - 3.0.2
+      - 3.0.3
+      - 3.0.4
+      - 3.0.5
+      - 3.1.0
+      - 3.1.1
+references:
+  - type: WEB
+    url: https://github.com/slicer69/doas/releases/tag/6.3p9
+  - type: WEB
+    url: https://github.com/MidnightBSD/src/commit/1c8d24f6dca9389785d095e2737668e856600be1
+aliases:
+  -
+modified: "2023-04-03T01:17:00.600Z"
+published: "2023-04-03T02:22:58.600Z"

vulns/midnightbsd/MNBSD-2023-5.yaml

@@ -0,0 +1,33 @@
+id: MNBSD-2023-5
+summary: Wraparound in APR base64 encoding functions
+details: Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.
+affected:
+  - package:
+      name: apr
+      ecosystem: MidnightBSD
+    ranges:
+      - type: ECOSYSTEM
+        events:
+          - introduced: 2.0
+          - fixed: 2.2.8
+    versions:
+      - 2.0.0
+      - 2.1.0
+      - 2.2.0
+      - 2.2.1
+      - 2.2.2
+      - 2.2.3
+      - 2.2.4
+      - 2.2.5
+      - 2.2.6
+      - 2.2.7
+      - 2.2.8
+references:
+  - type: WEB
+    url: https://nvd.nist.gov/vuln/detail/CVE-2022-25147
+  - type: WEB
+    url: https://github.com/MidnightBSD/src/commit/da9ba1d57e45ea06c1f55b34361d58e0dcc9e931
+aliases:
+  - CVE-2022-25147
+modified: "2023-04-09T00:00:00.000Z"
+published: "2023-04-09T00:00:00.000Z"

vulns/midnightbsd/MNBSD-2023-6.yaml

@@ -0,0 +1,35 @@
+id: MNBSD-2023-6
+summary: pam_krb5 blindly validates messages when no keytab is provided.
+details: pam_krb5 authenticates the user by essentially running kinit(1) with the password, getting a `ticket-granting ticket' (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password.
+   Normally, the system running the pam_krb5 module will also have a keytab, a key provisioned by the KDC. The pam_krb5 module will use the tgt to get a service ticket and validate it against the keytab, ensuring the tgt is valid and therefore, the password is valid.
+   However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid.
+affected:
+  - package:
+      name: pam_krb5
+      ecosystem: MidnightBSD
+    ranges:
+      - type: ECOSYSTEM
+        events:
+          - introduced: 2.0
+          - fixed: 3.0.2
+    versions:
+      - 2.0.0
+      - 2.1.0
+      - 2.2.0
+      - 2.2.1
+      - 2.2.2
+      - 2.2.3
+      - 2.2.4
+      - 2.2.5
+      - 2.2.6
+      - 2.2.7
+      - 2.2.8
+      - 3.0.0
+      - 3.0.1
+references:
+  - type: WEB
+    url: https://www.freebsd.org/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc
+aliases:
+  - FreeBSD-SA-23:09.pam_krb5
+modified: "2023-08-09T00:00:00.000Z"
+published: "2023-08-09T00:00:00.000Z"