From owner-svn-src-stable-6@FreeBSD.ORG Mon Sep 20 14:58:09 2010 Return-Path: Delivered-To: svn-src-stable-6@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 363211065679; Mon, 20 Sep 2010 14:58:09 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 085198FC2A; Mon, 20 Sep 2010 14:58:09 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o8KEw8Bg055755; Mon, 20 Sep 2010 14:58:08 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o8KEw8ZR055753; Mon, 20 Sep 2010 14:58:08 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <201009201458.o8KEw8ZR055753@svn.freebsd.org> From: Colin Percival Date: Mon, 20 Sep 2010 14:58:08 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r212901 - head/contrib/bzip2 releng/6.4 releng/6.4/contrib/bzip2 releng/6.4/sys/conf releng/7.1 releng/7.1/contrib/bzip2 releng/7.1/sys/conf releng/7.3 releng/7.3/contrib/bzip2 releng/7... X-BeenThere: svn-src-stable-6@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 6-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Sep 2010 14:58:09 -0000 Author: cperciva Date: Mon Sep 20 14:58:08 2010 New Revision: 212901 URL: http://svn.freebsd.org/changeset/base/212901 Log: Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2 Modified: stable/6/contrib/bzip2/decompress.c Changes in other areas also in this revision: Modified: head/contrib/bzip2/decompress.c releng/6.4/UPDATING releng/6.4/contrib/bzip2/decompress.c releng/6.4/sys/conf/newvers.sh releng/7.1/UPDATING releng/7.1/contrib/bzip2/decompress.c releng/7.1/sys/conf/newvers.sh releng/7.3/UPDATING releng/7.3/contrib/bzip2/decompress.c releng/7.3/sys/conf/newvers.sh releng/8.0/UPDATING releng/8.0/contrib/bzip2/decompress.c releng/8.0/sys/conf/newvers.sh releng/8.1/UPDATING releng/8.1/contrib/bzip2/decompress.c releng/8.1/sys/conf/newvers.sh stable/7/contrib/bzip2/decompress.c stable/8/contrib/bzip2/decompress.c Modified: stable/6/contrib/bzip2/decompress.c ============================================================================== --- stable/6/contrib/bzip2/decompress.c Mon Sep 20 13:48:07 2010 (r212900) +++ stable/6/contrib/bzip2/decompress.c Mon Sep 20 14:58:08 2010 (r212901) @@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s ) es = -1; N = 1; do { + /* Check that N doesn't get too big, so that es doesn't + go negative. The maximum value that can be + RUNA/RUNB encoded is equal to the block size (post + the initial RLE), viz, 900k, so bounding N at 2 + million should guard against overflow without + rejecting any legitimate inputs. */ + if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR); if (nextSym == BZ_RUNA) es = es + (0+1) * N; else if (nextSym == BZ_RUNB) es = es + (1+1) * N; N = N * 2; From owner-svn-src-stable-6@FreeBSD.ORG Fri Sep 24 23:51:45 2010 Return-Path: Delivered-To: svn-src-stable-6@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BFC0C106564A; Fri, 24 Sep 2010 23:51:45 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id ADF648FC08; Fri, 24 Sep 2010 23:51:45 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o8ONpjhx043279; Fri, 24 Sep 2010 23:51:45 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o8ONpjEr043277; Fri, 24 Sep 2010 23:51:45 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201009242351.o8ONpjEr043277@svn.freebsd.org> From: Xin LI Date: Fri, 24 Sep 2010 23:51:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r213146 - stable/6/lib/libutil X-BeenThere: svn-src-stable-6@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 6-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Sep 2010 23:51:45 -0000 Author: delphij Date: Fri Sep 24 23:51:45 2010 New Revision: 213146 URL: http://svn.freebsd.org/changeset/base/213146 Log: MFC r211393 (by des): In setusercontext(), do not apply user settings unless running as the user in question (usually but not necessarily because we were called with LOGIN_SETUSER). This plugs a hole where users could raise their resource limits and expand their CPU mask. Approved by: des Modified: stable/6/lib/libutil/login_class.c Directory Properties: stable/6/lib/libutil/ (props changed) Modified: stable/6/lib/libutil/login_class.c ============================================================================== --- stable/6/lib/libutil/login_class.c Fri Sep 24 23:48:29 2010 (r213145) +++ stable/6/lib/libutil/login_class.c Fri Sep 24 23:51:45 2010 (r213146) @@ -415,7 +415,7 @@ setusercontext(login_cap_t *lc, const st /* * Now, we repeat some of the above for the user's private entries */ - if ((lc = login_getuserclass(pwd)) != NULL) { + if (getuid() == uid && (lc = login_getuserclass(pwd)) != NULL) { mymask = setlogincontext(lc, pwd, mymask, flags); login_close(lc); }