NetBSD Security Advisory 2022-003: Race condition in mail.local(8)

submitted 05 October 2022

A race condition exists in the mail.local(8) program (/usr/libexec/mail.local), which is setuid root. It may be exploited to change the ownership of, or append arbitrary data to, an arbitrary file. A malicious local user may exploit the race condition to acquire write permissions to a critical system file, and leverage the situation to acquire escalated privileges. This was originally addressed in NetBSD-SA2016-006 and has been assigned CVE-2016-6253. The fix proved inefficient and had to be fixed again, which is the reason for this new advisory.

DiscoverBSD - The BSD community linklog

03 July 2026
BSD Now 670: Failure is not an Option  

This episode covers FreeBSD 15.1-RELEASE, OPNsense 26.1.9, a comparison of FreeBSD Jails vs LXC, and a guide to respectfully archiving a website, plus a look at corrupting a ZFS file on purpose.

02 July 2026
EuroBSDCon 2026 Travel Grant Open  

The FreeBSD Foundation is accepting travel grant applications for EuroBSDCon 2026, open to FreeBSD developers and advocates who need assistance with travel expenses, with a deadline of July 7, 2026.

FreeBSD Security Advisory FreeBSD-SA-26:46.ktls  

A remote TLS peer can cause a kernel panic via uninitialized memory access in KTLS receive on all supported FreeBSD versions; patches and workarounds are available.

FreeBSD Security Advisory FreeBSD-SA-26:47.linux  

The Linuxulator in FreeBSD 14.3, 14.4, and 15.0 does not zero a stack-allocated Linux siginfo_t before copying kernel data into it, allowing unprivileged users to read 104 bytes of uninitialized kernel stack memory.

FreeBSD Security Advisory FreeBSD-SA-26:49.iconv  

FreeBSD has issued a security advisory for multiple vulnerabilities in iconv(3) affecting HZ, UTF-7, VIQR, ZW, and ISO-2022 encoding modules, which can lead to buffer overflows when processing untrusted input, with patches available for all supported releases.

FreeBSD Security Advisory FreeBSD-SA-26:48.compat32  

FreeBSD's compat32 kevent() handler can expose uninitialized kernel stack data to unprivileged users due to an unzeroed stack struct, affecting FreeBSD 14.3, 14.4, and 15.0; patches and rebuilds are available for stable and release branches.

FreeBSD Security Advisory FreeBSD-SA-26:45.audit  

The audit(4) facility incorrectly records successful outcomes for ptrace(PT_SC_REMOTE) system calls that actually failed, potentially misleading audit-based IDS; all supported FreeBSD versions are affected and patches are available.

01 July 2026
FreeBSD Security Advisory FreeBSD-SA-26:44.posixshm  

FreeBSD has issued a security advisory for multiple vulnerabilities in POSIX largepage objects (CVE-2026-49427, CVE-2026-49428) that allow unprivileged local users to access freed kernel memory and escalate privileges, with patches available for all supported releases.

FreeBSD Security Advisory FreeBSD-SA-26:43.tcp  

A use-after-free in the TCP RACK stack option handler may allow an unprivileged local user to escalate privileges on all supported FreeBSD versions; patches and updated binaries are available.

FreeBSD Security Advisory FreeBSD-SA-26:42.unlinkat  

The unlinkat(2) and funlinkat(2) system calls ignore the AT_RESOLVE_BENEATH flag, allowing path resolution to escape the intended directory and delete files outside the confined tree. Patches are available for FreeBSD 14.3, 14.4, 15.0, and 15.1.

FreeBSD Security Advisory FreeBSD-SA-26:41.libalias  

A buffer overflow in the libalias RTSP handler affects all supported FreeBSD versions and can allow remote code execution in the kernel via ipfw(4) NAT or in natd(8) when libalias_smedia.so is loaded.

FreeBSD Security Advisory FreeBSD-SA-26:40.zfs  

FreeBSD has issued a security advisory for OpenZFS with three vulnerabilities: a kernel heap overflow via ZFS_IOC_USERSPACE_MANY for users with "userused" permission, kernel memory corruption via ZFS_IOC_RECV_NEW for users with "receive" permission, and an ability for any local user to set the "$hasrecvd" metadata flag via ZFS_IOC_SET_PROP, affecting all supported FreeBSD versions.

30 June 2026
March 2026 Finance Report  

GhostBSD reports 1,364.91 CAD in March donations, lists infrastructure and hardware expenses totaling 857.68 CAD, and notes 500.00 CAD added to the server fund for a future Ampere ARM server.

relayd(8) and httpd(8) TLS settings update  

Both relayd and httpd now use a "secure" list of allowed crypto methods for HTTPS, including TLSv1.3 and TLSv1.2 AEAD cipher suites, replacing the previous "HIGH:!aNULL" list which contained non-perfect-forward-security methods and may cause old clients to fail to connect.

29 June 2026
Valuable News - 2026/06/29  

This week's roundup covers OpenBSD amd64 kernel virtual address space expanding to 512GB, a patch for missing PKGBASE in FreeBSD jails, FreeBSD Git weekly reports, a new FreeBSD Core Team election, Sylve 0.3.0 adding a PF firewall and WireGuard manager, BSD Now 669 on Poudriere speed, and more.

g2k26: Rust in CMake, and a Heartbeat for Old Daemons  

Author details porting devel/corrosion and devel/cxxbridge-cmd to handle Rust dependencies in CMake-based KDE Plasma ports under OpenBSD's PORTS_PRIVSEP, and fixes a truncation bug in httpd(8) error documents by routing them through bufferevent instead of a single write, plus a privilege-separation bounds-check fix shared by httpd, relayd, iked, and snmpd.
