From owner-svn-src-releng@FreeBSD.ORG  Mon Nov  3 09:02:09 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 4B405BCE;
 Mon,  3 Nov 2014 09:02:09 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 36B25F68;
 Mon,  3 Nov 2014 09:02:09 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA3929st074083;
 Mon, 3 Nov 2014 09:02:09 GMT (envelope-from gjb@FreeBSD.org)
Received: (from gjb@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA3928OR074069;
 Mon, 3 Nov 2014 09:02:08 GMT (envelope-from gjb@FreeBSD.org)
Message-Id: <201411030902.sA3928OR074069@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org
 using -f
From: Glen Barber <gjb@FreeBSD.org>
Date: Mon, 3 Nov 2014 09:02:08 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274019 - in releng/10.1/release/doc:
 en_US.ISO8859-1/hardware share/xml
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Nov 2014 09:02:09 -0000

Author: gjb
Date: Mon Nov  3 09:02:08 2014
New Revision: 274019
URL: https://svnweb.freebsd.org/changeset/base/274019

Log:
  Update the hardware page to reflect CPU updates/additions
  added in head@r273941.
  
  Since the original commit requires changes to the doc/
  repository after the release tag had already happened,
  (re)define entities in share/xml/release.ent that reflect
  doc@r45900 to prevent build breakage.
  
  Requested by:	gavin
  Approved by:	re (implicit, relnotes)
  Sponsored by:	The FreeBSD Foundation

Modified:
  releng/10.1/release/doc/en_US.ISO8859-1/hardware/article.xml
  releng/10.1/release/doc/share/xml/release.ent

Modified: releng/10.1/release/doc/en_US.ISO8859-1/hardware/article.xml
==============================================================================
--- releng/10.1/release/doc/en_US.ISO8859-1/hardware/article.xml	Mon Nov  3 08:48:48 2014	(r274018)
+++ releng/10.1/release/doc/en_US.ISO8859-1/hardware/article.xml	Mon Nov  3 09:02:08 2014	(r274019)
@@ -77,7 +77,7 @@
       <para>Note that there are two names for this architecture, AMD64
 	(AMD) and Intel EM64T (Extended Memory 64-bit Technology).
 	64-bit mode of the two architectures are almost compatible
-	with each other, and &os;/&arch.amd64; should support them
+	with each other, and &os;/&arch.amd64; supports them
 	both.</para>
 
       <para>As of this writing, the following processors are
@@ -93,6 +93,18 @@
 	</listitem>
 
 	<listitem>
+	  <para>&amd.sempron;.</para>
+	</listitem>
+
+	<listitem>
+	  <para>&amd.turion;.</para>
+	</listitem>
+
+	<listitem>
+	  <para>&amd.phenom;.</para>
+	</listitem>
+
+	<listitem>
 	  <para>All multi-core &intel; &xeon; processors except
 	    Sossaman have EM64T support.</para>
 	</listitem>
@@ -105,22 +117,30 @@
 	</listitem>
 
 	<listitem>
-	  <para>All &intel; Core 2 (not Core Duo) and later
+	  <para>All &intel; &core; 2 (not &core; Duo) and later
 	    processors</para>
 	</listitem>
 
 	<listitem>
+	  <para>All &intel; &core; i range of processors</para>
+	</listitem>
+
+	<listitem>
 	  <para>All &intel; &pentium; D processors</para>
 	</listitem>
 
 	<listitem>
-	  <para>&intel; &pentium; 4s and Celeron Ds using
+	  <para>All &intel; &centrino; Duo and &centrino; Pro platforms</para>
+	</listitem>
+
+	<listitem>
+	  <para>&intel; &pentium; 4s and &celeron; Ds using
 	    the <quote>Cedar Mill</quote> core have EM64T
 	    support.</para>
 	</listitem>
 
 	<listitem>
-	  <para>Some &intel; &pentium; 4s and Celeron Ds using
+	  <para>Some &intel; &pentium; 4s and &celeron; Ds using
 	    the <quote>Prescott</quote> core have EM64T support.  See
 	    the <link
 	      xlink:href="http://processorfinder.intel.com">Intel

Modified: releng/10.1/release/doc/share/xml/release.ent
==============================================================================
--- releng/10.1/release/doc/share/xml/release.ent	Mon Nov  3 08:48:48 2014	(r274018)
+++ releng/10.1/release/doc/share/xml/release.ent	Mon Nov  3 09:02:08 2014	(r274019)
@@ -73,3 +73,17 @@
 <!ENTITY arch.pc98 "pc98">
 <!ENTITY arch.powerpc "powerpc">
 <!ENTITY arch.sparc64 "sparc64">
+
+<!-- Entities added after the doc/ tag for 10.1-RELEASE -->
+<!ENTITY amd.phenom "<trademark xmlns='http://docbook.org/ns/docbook'>AMD&nbsp;Phenom</trademark>">
+<!ENTITY amd.sempron "<trademark xmlns='http://docbook.org/ns/docbook'>AMD&nbsp;Sempron</trademark>">
+<!ENTITY amd.turion "<trademark xmlns='http://docbook.org/ns/docbook'>AMD&nbsp;Turion</trademark>">
+<!ENTITY centrino "<trademark xmlns='http://docbook.org/ns/docbook' class='registered'>Centrino</trademark>">
+<!ENTITY tm-attrib.intel "<para xmlns='http://docbook.org/ns/docbook'>Intel,
+  Celeron, Centrino, Core, EtherExpress, i386, i486, Itanium, Pentium,
+  and Xeon are trademarks or registered trademarks of Intel Corporation
+  or its subsidiaries in the United States and other countries.</para>">
+<!ENTITY tm-attrib.amd "<para xmlns='http://docbook.org/ns/docbook'>AMD,
+  AMD Athlon, AMD Opteron, AMD Phenom, AMD Sempron, AMD Turion, Athlon,
+  &Eacute;lan, Opteron, and PCnet are trademarks of Advanced Micro
+  Devices, Inc.</para>">

From owner-svn-src-releng@FreeBSD.ORG  Tue Nov  4 23:04:00 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 742DC43D;
 Tue,  4 Nov 2014 23:04:00 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 61183E3E;
 Tue,  4 Nov 2014 23:04:00 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4N40RP064120;
 Tue, 4 Nov 2014 23:04:00 GMT (envelope-from gjb@FreeBSD.org)
Received: (from gjb@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4N40mA064119;
 Tue, 4 Nov 2014 23:04:00 GMT (envelope-from gjb@FreeBSD.org)
Message-Id: <201411042304.sA4N40mA064119@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org
 using -f
From: Glen Barber <gjb@FreeBSD.org>
Date: Tue, 4 Nov 2014 23:04:00 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274104 - releng/10.1/release
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 23:04:00 -0000

Author: gjb
Date: Tue Nov  4 23:03:59 2014
New Revision: 274104
URL: https://svnweb.freebsd.org/changeset/base/274104

Log:
  MFstable10 r274102:
    MFC r274095:
    Fix VOLUME_LABEL when BRANCH contains '-' and '.'
    characters.
  
  Approved by:	re (hrs)
  Sponsored by:	The FreeBSD Foundation

Modified:
  releng/10.1/release/Makefile
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/release/Makefile
==============================================================================
--- releng/10.1/release/Makefile	Tue Nov  4 23:02:19 2014	(r274103)
+++ releng/10.1/release/Makefile	Tue Nov  4 23:03:59 2014	(r274104)
@@ -56,10 +56,10 @@ ${_V}!=	eval $$(awk '/^${_V}=/{print}' $
 .for _V in ${TARGET_ARCH}
 .if !empty(TARGET:M${_V})
 OSRELEASE=	${TYPE}-${REVISION}-${BRANCH}-${TARGET}
-VOLUME_LABEL=	${REVISION:C/\./_/g:}_${BRANCH}_${TARGET}
+VOLUME_LABEL=	${REVISION:C/[.-]/_/g}_${BRANCH:C/[.-]/_/g}_${TARGET}
 .else
 OSRELEASE=	${TYPE}-${REVISION}-${BRANCH}-${TARGET}-${TARGET_ARCH}
-VOLUME_LABEL=	${REVISION:C/\./_/g:}_${BRANCH}_${TARGET_ARCH}
+VOLUME_LABEL=	${REVISION:C/[.-]/_/g}_${BRANCH:C/[.-]/_/g}_${TARGET_ARCH}
 .endif
 .endfor
 .endif

From owner-svn-src-releng@FreeBSD.ORG  Tue Nov  4 23:31:19 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id D1899268;
 Tue,  4 Nov 2014 23:31:19 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id B29601B9;
 Tue,  4 Nov 2014 23:31:19 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4NVJ4I076852;
 Tue, 4 Nov 2014 23:31:19 GMT (envelope-from des@FreeBSD.org)
Received: (from des@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4NVIa3076453;
 Tue, 4 Nov 2014 23:31:18 GMT (envelope-from des@FreeBSD.org)
Message-Id: <201411042331.sA4NVIa3076453@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org
 using -f
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Tue, 4 Nov 2014 23:31:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274110 - in releng/10.0: . contrib/tnftp/src
 secure/usr.sbin/sshd sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/conf
 sys/kern
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 23:31:19 -0000

Author: des
Date: Tue Nov  4 23:31:17 2014
New Revision: 274110
URL: https://svnweb.freebsd.org/changeset/base/274110

Log:
  [SA-14:24] Fix denial of service attack against sshd(8).
  [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
  [SA-14:26] Fix remote command execution in ftp(1).
  [EN-14:12] Fix NFSv4 and ZFS cache consistency issue.
  
  Approved by:	so (des)

Modified:
  releng/10.0/UPDATING
  releng/10.0/contrib/tnftp/src/fetch.c
  releng/10.0/secure/usr.sbin/sshd/Makefile
  releng/10.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
  releng/10.0/sys/conf/newvers.sh
  releng/10.0/sys/kern/kern_prot.c

Modified: releng/10.0/UPDATING
==============================================================================
--- releng/10.0/UPDATING	Tue Nov  4 23:30:47 2014	(r274109)
+++ releng/10.0/UPDATING	Tue Nov  4 23:31:17 2014	(r274110)
@@ -16,6 +16,20 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20141104:	p12	FreeBSD-SA-14:24.sshd
+			FreeBSD-SA-14:25.setlogin
+			FreeBSD-SA-14:26.ftp
+			FreeBSD-EN-14:12.zfs
+
+	Fix denial of service attack against sshd(8). [SA-14:24]
+
+	Fix kernel stack disclosure in setlogin(2) / getlogin(2).
+	[SA-14:25]
+
+	Fix remote command execution in ftp(1). [SA-14:26]
+
+	Fix NFSv4 and ZFS cache consistency issue. [EN-14:12]
+
 20141022:	p11	FreeBSD-EN-14:10.tzdata
 
 	Time zone data file update. [EN-14:10]

Modified: releng/10.0/contrib/tnftp/src/fetch.c
==============================================================================
--- releng/10.0/contrib/tnftp/src/fetch.c	Tue Nov  4 23:30:47 2014	(r274109)
+++ releng/10.0/contrib/tnftp/src/fetch.c	Tue Nov  4 23:31:17 2014	(r274110)
@@ -547,7 +547,7 @@ fetch_url(const char *url, const char *p
 	url_decode(decodedpath);
 
 	if (outfile)
-		savefile = ftp_strdup(outfile);
+		savefile = outfile;
 	else {
 		cp = strrchr(decodedpath, '/');		/* find savefile */
 		if (cp != NULL)
@@ -571,8 +571,7 @@ fetch_url(const char *url, const char *p
 	rangestart = rangeend = entitylen = -1;
 	mtime = -1;
 	if (restartautofetch) {
-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
-		    stat(savefile, &sb) == 0)
+		if (stat(savefile, &sb) == 0)
 			restart_point = sb.st_size;
 	}
 	if (urltype == FILE_URL_T) {		/* file:// URLs */
@@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *p
 	}		/* end of ftp:// or http:// specific setup */
 
 			/* Open the output file. */
-	if (strcmp(savefile, "-") == 0) {
-		fout = stdout;
-	} else if (*savefile == '|') {
-		oldintp = xsignal(SIGPIPE, SIG_IGN);
-		fout = popen(savefile + 1, "w");
-		if (fout == NULL) {
-			warn("Can't execute `%s'", savefile + 1);
-			goto cleanup_fetch_url;
+
+	/*
+	 * Only trust filenames with special meaning if they came from
+	 * the command line
+	 */
+	if (outfile == savefile) {
+		if (strcmp(savefile, "-") == 0) {
+			fout = stdout;
+		} else if (*savefile == '|') {
+			oldintp = xsignal(SIGPIPE, SIG_IGN);
+			fout = popen(savefile + 1, "w");
+			if (fout == NULL) {
+				warn("Can't execute `%s'", savefile + 1);
+				goto cleanup_fetch_url;
+			}
+			closefunc = pclose;
 		}
-		closefunc = pclose;
-	} else {
+	}
+	if (fout == NULL) {
 		if ((rangeend != -1 && rangeend <= restart_point) ||
 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
 			/* already done */
@@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *p
 		(*closefunc)(fout);
 	if (res0)
 		freeaddrinfo(res0);
-	FREEPTR(savefile);
+	if (savefile != outfile)
+		FREEPTR(savefile);
 	FREEPTR(uuser);
 	if (pass != NULL)
 		memset(pass, 0, strlen(pass));

Modified: releng/10.0/secure/usr.sbin/sshd/Makefile
==============================================================================
--- releng/10.0/secure/usr.sbin/sshd/Makefile	Tue Nov  4 23:30:47 2014	(r274109)
+++ releng/10.0/secure/usr.sbin/sshd/Makefile	Tue Nov  4 23:31:17 2014	(r274110)
@@ -56,6 +56,16 @@ CFLAGS+= -DNONE_CIPHER_ENABLED
 DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
 LDADD+= -lcrypt -lcrypto -lz
 
+# Fix the order of NEEDED entries for libthr and libc. The libthr
+# needs to interpose libc symbols, leaving the libthr loading as
+# dependency of krb causes reversed order and broken interposing. Put
+# the threading library last on the linker command line, just before
+# the -lc added by a compiler driver.
+.if ${MK_KERBEROS_SUPPORT} != "no"
+DPADD+= ${LIBPTHREAD}
+LDADD+= -lpthread
+.endif
+
 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif

Modified: releng/10.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
==============================================================================
--- releng/10.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:30:47 2014	(r274109)
+++ releng/10.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:31:17 2014	(r274110)
@@ -2822,6 +2822,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, i
 #endif
 	vap->va_seq = zp->z_seq;
 	vap->va_flags = 0;	/* FreeBSD: Reset chflags(2) flags. */
+	vap->va_filerev = zp->z_seq;
 
 	/*
 	 * Add in any requested optional attributes and the create time.

Modified: releng/10.0/sys/conf/newvers.sh
==============================================================================
--- releng/10.0/sys/conf/newvers.sh	Tue Nov  4 23:30:47 2014	(r274109)
+++ releng/10.0/sys/conf/newvers.sh	Tue Nov  4 23:31:17 2014	(r274110)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.0"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.0/sys/kern/kern_prot.c
==============================================================================
--- releng/10.0/sys/kern/kern_prot.c	Tue Nov  4 23:30:47 2014	(r274109)
+++ releng/10.0/sys/kern/kern_prot.c	Tue Nov  4 23:31:17 2014	(r274110)
@@ -2073,21 +2073,20 @@ struct getlogin_args {
 int
 sys_getlogin(struct thread *td, struct getlogin_args *uap)
 {
-	int error;
 	char login[MAXLOGNAME];
 	struct proc *p = td->td_proc;
+	size_t len;
 
 	if (uap->namelen > MAXLOGNAME)
 		uap->namelen = MAXLOGNAME;
 	PROC_LOCK(p);
 	SESS_LOCK(p->p_session);
-	bcopy(p->p_session->s_login, login, uap->namelen);
+	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
 	SESS_UNLOCK(p->p_session);
 	PROC_UNLOCK(p);
-	if (strlen(login) + 1 > uap->namelen)
+	if (len > uap->namelen)
 		return (ERANGE);
-	error = copyout(login, uap->namebuf, uap->namelen);
-	return (error);
+	return (copyout(login, uap->namebuf, len));
 }
 
 /*
@@ -2106,21 +2105,23 @@ sys_setlogin(struct thread *td, struct s
 	int error;
 	char logintmp[MAXLOGNAME];
 
+	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
 	error = priv_check(td, PRIV_PROC_SETLOGIN);
 	if (error)
 		return (error);
 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
-	if (error == ENAMETOOLONG)
-		error = EINVAL;
-	else if (!error) {
-		PROC_LOCK(p);
-		SESS_LOCK(p->p_session);
-		(void) memcpy(p->p_session->s_login, logintmp,
-		    sizeof(logintmp));
-		SESS_UNLOCK(p->p_session);
-		PROC_UNLOCK(p);
+	if (error != 0) {
+		if (error == ENAMETOOLONG)
+			error = EINVAL;
+		return (error);
 	}
-	return (error);
+	PROC_LOCK(p);
+	SESS_LOCK(p->p_session);
+	strcpy(p->p_session->s_login, logintmp);
+	SESS_UNLOCK(p->p_session);
+	PROC_UNLOCK(p);
+	return (0);
 }
 
 void

From owner-svn-src-releng@FreeBSD.ORG  Tue Nov  4 23:32:17 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id DA12E561;
 Tue,  4 Nov 2014 23:32:17 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id C4ABC1CB;
 Tue,  4 Nov 2014 23:32:17 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4NWHXf078760;
 Tue, 4 Nov 2014 23:32:17 GMT (envelope-from des@FreeBSD.org)
Received: (from des@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4NWGUw078752;
 Tue, 4 Nov 2014 23:32:16 GMT (envelope-from des@FreeBSD.org)
Message-Id: <201411042332.sA4NWGUw078752@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org
 using -f
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Tue, 4 Nov 2014 23:32:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274111 - in releng/8.4: . contrib/lukemftp/src
 sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/conf sys/kern
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 23:32:18 -0000

Author: des
Date: Tue Nov  4 23:32:15 2014
New Revision: 274111
URL: https://svnweb.freebsd.org/changeset/base/274111

Log:
  [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
  [SA-14:26] Fix remote command execution in ftp(1).
  [EN-14:12] Fix NFSv4 and ZFS cache consistency issue.
  
  Approved by:	so (des)

Modified:
  releng/8.4/UPDATING
  releng/8.4/contrib/lukemftp/src/fetch.c
  releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
  releng/8.4/sys/conf/newvers.sh
  releng/8.4/sys/kern/kern_prot.c

Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING	Tue Nov  4 23:31:17 2014	(r274110)
+++ releng/8.4/UPDATING	Tue Nov  4 23:32:15 2014	(r274111)
@@ -15,6 +15,17 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20141104:	p19	FreeBSD-SA-14:25.setlogin
+			FreeBSD-SA-14:26.ftp
+			FreeBSD-EN-14:12.zfs
+
+	Fix kernel stack disclosure in setlogin(2) / getlogin(2).
+	[SA-14:25]
+
+	Fix remote command execution in ftp(1). [SA-14:26]
+
+	Fix NFSv4 and ZFS cache consistency issue. [EN-14:12]
+
 20141022:	p18	FreeBSD-EN-14:10.tzdata
 
 	Time zone data file update. [EN-14:10]

Modified: releng/8.4/contrib/lukemftp/src/fetch.c
==============================================================================
--- releng/8.4/contrib/lukemftp/src/fetch.c	Tue Nov  4 23:31:17 2014	(r274110)
+++ releng/8.4/contrib/lukemftp/src/fetch.c	Tue Nov  4 23:32:15 2014	(r274111)
@@ -540,7 +540,7 @@ fetch_url(const char *url, const char *p
 	url_decode(decodedpath);
 
 	if (outfile)
-		savefile = xstrdup(outfile);
+		savefile = outfile;
 	else {
 		cp = strrchr(decodedpath, '/');		/* find savefile */
 		if (cp != NULL)
@@ -566,8 +566,7 @@ fetch_url(const char *url, const char *p
 	rangestart = rangeend = entitylen = -1;
 	mtime = -1;
 	if (restartautofetch) {
-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
-		    stat(savefile, &sb) == 0)
+		if (stat(savefile, &sb) == 0)
 			restart_point = sb.st_size;
 	}
 	if (urltype == FILE_URL_T) {		/* file:// URLs */
@@ -1085,17 +1084,25 @@ fetch_url(const char *url, const char *p
 	}		/* end of ftp:// or http:// specific setup */
 
 			/* Open the output file. */
-	if (strcmp(savefile, "-") == 0) {
-		fout = stdout;
-	} else if (*savefile == '|') {
-		oldintp = xsignal(SIGPIPE, SIG_IGN);
-		fout = popen(savefile + 1, "w");
-		if (fout == NULL) {
-			warn("Can't run `%s'", savefile + 1);
-			goto cleanup_fetch_url;
+
+	/*
+	 * Only trust filenames with special meaning if they came from
+	 * the command line
+	 */
+	if (outfile == savefile) {
+		if (strcmp(savefile, "-") == 0) {
+			fout = stdout;
+		} else if (*savefile == '|') {
+			oldintp = xsignal(SIGPIPE, SIG_IGN);
+			fout = popen(savefile + 1, "w");
+			if (fout == NULL) {
+				warn("Can't execute `%s'", savefile + 1);
+				goto cleanup_fetch_url;
+			}
+			closefunc = pclose;
 		}
-		closefunc = pclose;
-	} else {
+	}
+	if (fout == NULL) {
 		if ((rangeend != -1 && rangeend <= restart_point) ||
 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
 			/* already done */
@@ -1278,7 +1285,8 @@ fetch_url(const char *url, const char *p
 		(*closefunc)(fout);
 	if (res0)
 		freeaddrinfo(res0);
-	FREEPTR(savefile);
+	if (savefile != outfile)
+		FREEPTR(savefile);
 	FREEPTR(user);
 	FREEPTR(pass);
 	FREEPTR(host);

Modified: releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
==============================================================================
--- releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:31:17 2014	(r274110)
+++ releng/8.4/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:32:15 2014	(r274111)
@@ -2735,6 +2735,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, i
 #endif
 	vap->va_seq = zp->z_seq;
 	vap->va_flags = 0;	/* FreeBSD: Reset chflags(2) flags. */
+	vap->va_filerev = zp->z_seq;
 
 	/*
 	 * Add in any requested optional attributes and the create time.

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh	Tue Nov  4 23:31:17 2014	(r274110)
+++ releng/8.4/sys/conf/newvers.sh	Tue Nov  4 23:32:15 2014	(r274111)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p18"
+BRANCH="RELEASE-p19"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.4/sys/kern/kern_prot.c
==============================================================================
--- releng/8.4/sys/kern/kern_prot.c	Tue Nov  4 23:31:17 2014	(r274110)
+++ releng/8.4/sys/kern/kern_prot.c	Tue Nov  4 23:32:15 2014	(r274111)
@@ -2054,21 +2054,20 @@ struct getlogin_args {
 int
 getlogin(struct thread *td, struct getlogin_args *uap)
 {
-	int error;
 	char login[MAXLOGNAME];
 	struct proc *p = td->td_proc;
+	size_t len;
 
 	if (uap->namelen > MAXLOGNAME)
 		uap->namelen = MAXLOGNAME;
 	PROC_LOCK(p);
 	SESS_LOCK(p->p_session);
-	bcopy(p->p_session->s_login, login, uap->namelen);
+	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
 	SESS_UNLOCK(p->p_session);
 	PROC_UNLOCK(p);
-	if (strlen(login) + 1 > uap->namelen)
+	if (len > uap->namelen)
 		return (ERANGE);
-	error = copyout(login, uap->namebuf, uap->namelen);
-	return (error);
+	return (copyout(login, uap->namebuf, len));
 }
 
 /*
@@ -2087,21 +2086,23 @@ setlogin(struct thread *td, struct setlo
 	int error;
 	char logintmp[MAXLOGNAME];
 
+	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
 	error = priv_check(td, PRIV_PROC_SETLOGIN);
 	if (error)
 		return (error);
 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
-	if (error == ENAMETOOLONG)
-		error = EINVAL;
-	else if (!error) {
-		PROC_LOCK(p);
-		SESS_LOCK(p->p_session);
-		(void) memcpy(p->p_session->s_login, logintmp,
-		    sizeof(logintmp));
-		SESS_UNLOCK(p->p_session);
-		PROC_UNLOCK(p);
+	if (error != 0) {
+		if (error == ENAMETOOLONG)
+			error = EINVAL;
+		return (error);
 	}
-	return (error);
+	PROC_LOCK(p);
+	SESS_LOCK(p->p_session);
+	strcpy(p->p_session->s_login, logintmp);
+	SESS_UNLOCK(p->p_session);
+	PROC_UNLOCK(p);
+	return (0);
 }
 
 void

From owner-svn-src-releng@FreeBSD.ORG  Tue Nov  4 23:32:48 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 3DF4E6FB;
 Tue,  4 Nov 2014 23:32:48 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 1F43D1D6;
 Tue,  4 Nov 2014 23:32:48 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4NWlac078868;
 Tue, 4 Nov 2014 23:32:47 GMT (envelope-from des@FreeBSD.org)
Received: (from des@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4NWkBD078862;
 Tue, 4 Nov 2014 23:32:46 GMT (envelope-from des@FreeBSD.org)
Message-Id: <201411042332.sA4NWkBD078862@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org
 using -f
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Tue, 4 Nov 2014 23:32:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274112 - in releng/9.1: . contrib/tnftp/src
 secure/usr.sbin/sshd sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/conf
 sys/kern
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 23:32:48 -0000

Author: des
Date: Tue Nov  4 23:32:45 2014
New Revision: 274112
URL: https://svnweb.freebsd.org/changeset/base/274112

Log:
  [SA-14:24] Fix denial of service attack against sshd(8).
  [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
  [SA-14:26] Fix remote command execution in ftp(1).
  [EN-14:12] Fix NFSv4 and ZFS cache consistency issue.
  
  Approved by:	so (des)

Modified:
  releng/9.1/UPDATING
  releng/9.1/contrib/tnftp/src/fetch.c
  releng/9.1/secure/usr.sbin/sshd/Makefile
  releng/9.1/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
  releng/9.1/sys/conf/newvers.sh
  releng/9.1/sys/kern/kern_prot.c

Modified: releng/9.1/UPDATING
==============================================================================
--- releng/9.1/UPDATING	Tue Nov  4 23:32:15 2014	(r274111)
+++ releng/9.1/UPDATING	Tue Nov  4 23:32:45 2014	(r274112)
@@ -9,6 +9,20 @@ handbook.
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20141104:	p22	FreeBSD-SA-14:24.sshd
+			FreeBSD-SA-14:25.setlogin
+			FreeBSD-SA-14:26.ftp
+			FreeBSD-EN-14:12.zfs
+
+	Fix denial of service attack against sshd(8). [SA-14:24]
+
+	Fix kernel stack disclosure in setlogin(2) / getlogin(2).
+	[SA-14:25]
+
+	Fix remote command execution in ftp(1). [SA-14:26]
+
+	Fix NFSv4 and ZFS cache consistency issue. [EN-14:12]
+
 20141022:	p21	FreeBSD-EN-14:10.tzdata
 
 	Time zone data file update. [EN-14:10]

Modified: releng/9.1/contrib/tnftp/src/fetch.c
==============================================================================
--- releng/9.1/contrib/tnftp/src/fetch.c	Tue Nov  4 23:32:15 2014	(r274111)
+++ releng/9.1/contrib/tnftp/src/fetch.c	Tue Nov  4 23:32:45 2014	(r274112)
@@ -547,7 +547,7 @@ fetch_url(const char *url, const char *p
 	url_decode(decodedpath);
 
 	if (outfile)
-		savefile = ftp_strdup(outfile);
+		savefile = outfile;
 	else {
 		cp = strrchr(decodedpath, '/');		/* find savefile */
 		if (cp != NULL)
@@ -571,8 +571,7 @@ fetch_url(const char *url, const char *p
 	rangestart = rangeend = entitylen = -1;
 	mtime = -1;
 	if (restartautofetch) {
-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
-		    stat(savefile, &sb) == 0)
+		if (stat(savefile, &sb) == 0)
 			restart_point = sb.st_size;
 	}
 	if (urltype == FILE_URL_T) {		/* file:// URLs */
@@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *p
 	}		/* end of ftp:// or http:// specific setup */
 
 			/* Open the output file. */
-	if (strcmp(savefile, "-") == 0) {
-		fout = stdout;
-	} else if (*savefile == '|') {
-		oldintp = xsignal(SIGPIPE, SIG_IGN);
-		fout = popen(savefile + 1, "w");
-		if (fout == NULL) {
-			warn("Can't execute `%s'", savefile + 1);
-			goto cleanup_fetch_url;
+
+	/*
+	 * Only trust filenames with special meaning if they came from
+	 * the command line
+	 */
+	if (outfile == savefile) {
+		if (strcmp(savefile, "-") == 0) {
+			fout = stdout;
+		} else if (*savefile == '|') {
+			oldintp = xsignal(SIGPIPE, SIG_IGN);
+			fout = popen(savefile + 1, "w");
+			if (fout == NULL) {
+				warn("Can't execute `%s'", savefile + 1);
+				goto cleanup_fetch_url;
+			}
+			closefunc = pclose;
 		}
-		closefunc = pclose;
-	} else {
+	}
+	if (fout == NULL) {
 		if ((rangeend != -1 && rangeend <= restart_point) ||
 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
 			/* already done */
@@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *p
 		(*closefunc)(fout);
 	if (res0)
 		freeaddrinfo(res0);
-	FREEPTR(savefile);
+	if (savefile != outfile)
+		FREEPTR(savefile);
 	FREEPTR(uuser);
 	if (pass != NULL)
 		memset(pass, 0, strlen(pass));

Modified: releng/9.1/secure/usr.sbin/sshd/Makefile
==============================================================================
--- releng/9.1/secure/usr.sbin/sshd/Makefile	Tue Nov  4 23:32:15 2014	(r274111)
+++ releng/9.1/secure/usr.sbin/sshd/Makefile	Tue Nov  4 23:32:45 2014	(r274112)
@@ -42,6 +42,16 @@ LDADD+=	 -lgssapi_krb5 -lgssapi -lkrb5 -
 DPADD+=	${LIBCRYPTO} ${LIBCRYPT}
 LDADD+=	-lcrypto -lcrypt
 
+# Fix the order of NEEDED entries for libthr and libc. The libthr
+# needs to interpose libc symbols, leaving the libthr loading as
+# dependency of krb causes reversed order and broken interposing. Put
+# the threading library last on the linker command line, just before
+# the -lc added by a compiler driver.
+.if ${MK_KERBEROS_SUPPORT} != "no"
+DPADD+= ${LIBPTHREAD}
+LDADD+= -lpthread
+.endif
+
 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif

Modified: releng/9.1/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
==============================================================================
--- releng/9.1/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:32:15 2014	(r274111)
+++ releng/9.1/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:32:45 2014	(r274112)
@@ -2721,6 +2721,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, i
 #endif
 	vap->va_seq = zp->z_seq;
 	vap->va_flags = 0;	/* FreeBSD: Reset chflags(2) flags. */
+	vap->va_filerev = zp->z_seq;
 
 	/*
 	 * Add in any requested optional attributes and the create time.

Modified: releng/9.1/sys/conf/newvers.sh
==============================================================================
--- releng/9.1/sys/conf/newvers.sh	Tue Nov  4 23:32:15 2014	(r274111)
+++ releng/9.1/sys/conf/newvers.sh	Tue Nov  4 23:32:45 2014	(r274112)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.1"
-BRANCH="RELEASE-p21"
+BRANCH="RELEASE-p22"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.1/sys/kern/kern_prot.c
==============================================================================
--- releng/9.1/sys/kern/kern_prot.c	Tue Nov  4 23:32:15 2014	(r274111)
+++ releng/9.1/sys/kern/kern_prot.c	Tue Nov  4 23:32:45 2014	(r274112)
@@ -2073,19 +2073,20 @@ struct getlogin_args {
 int
 sys_getlogin(struct thread *td, struct getlogin_args *uap)
 {
-	int error;
 	char login[MAXLOGNAME];
 	struct proc *p = td->td_proc;
+	size_t len;
 
 	if (uap->namelen > MAXLOGNAME)
 		uap->namelen = MAXLOGNAME;
 	PROC_LOCK(p);
 	SESS_LOCK(p->p_session);
-	bcopy(p->p_session->s_login, login, uap->namelen);
+	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
 	SESS_UNLOCK(p->p_session);
 	PROC_UNLOCK(p);
-	error = copyout(login, uap->namebuf, uap->namelen);
-	return(error);
+	if (len > uap->namelen)
+		return (ERANGE);
+	return (copyout(login, uap->namebuf, len));
 }
 
 /*
@@ -2104,21 +2105,23 @@ sys_setlogin(struct thread *td, struct s
 	int error;
 	char logintmp[MAXLOGNAME];
 
+	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
 	error = priv_check(td, PRIV_PROC_SETLOGIN);
 	if (error)
 		return (error);
 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
-	if (error == ENAMETOOLONG)
-		error = EINVAL;
-	else if (!error) {
-		PROC_LOCK(p);
-		SESS_LOCK(p->p_session);
-		(void) memcpy(p->p_session->s_login, logintmp,
-		    sizeof(logintmp));
-		SESS_UNLOCK(p->p_session);
-		PROC_UNLOCK(p);
+	if (error != 0) {
+		if (error == ENAMETOOLONG)
+			error = EINVAL;
+		return (error);
 	}
-	return (error);
+	PROC_LOCK(p);
+	SESS_LOCK(p->p_session);
+	strcpy(p->p_session->s_login, logintmp);
+	SESS_UNLOCK(p->p_session);
+	PROC_UNLOCK(p);
+	return (0);
 }
 
 void

From owner-svn-src-releng@FreeBSD.ORG  Tue Nov  4 23:33:19 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 5BEA68AE;
 Tue,  4 Nov 2014 23:33:19 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 3D5DD1E5;
 Tue,  4 Nov 2014 23:33:19 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4NXJK6079020;
 Tue, 4 Nov 2014 23:33:19 GMT (envelope-from des@FreeBSD.org)
Received: (from des@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4NXHl6079012;
 Tue, 4 Nov 2014 23:33:17 GMT (envelope-from des@FreeBSD.org)
Message-Id: <201411042333.sA4NXHl6079012@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org
 using -f
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Tue, 4 Nov 2014 23:33:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274113 - in releng/9.2: . contrib/tnftp/src
 secure/usr.sbin/sshd sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/conf
 sys/kern
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 23:33:19 -0000

Author: des
Date: Tue Nov  4 23:33:17 2014
New Revision: 274113
URL: https://svnweb.freebsd.org/changeset/base/274113

Log:
  [SA-14:24] Fix denial of service attack against sshd(8).
  [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
  [SA-14:26] Fix remote command execution in ftp(1).
  [EN-14:12] Fix NFSv4 and ZFS cache consistency issue.
  
  Approved by:	so (des)

Modified:
  releng/9.2/UPDATING
  releng/9.2/contrib/tnftp/src/fetch.c
  releng/9.2/secure/usr.sbin/sshd/Makefile
  releng/9.2/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
  releng/9.2/sys/conf/newvers.sh
  releng/9.2/sys/kern/kern_prot.c

Modified: releng/9.2/UPDATING
==============================================================================
--- releng/9.2/UPDATING	Tue Nov  4 23:32:45 2014	(r274112)
+++ releng/9.2/UPDATING	Tue Nov  4 23:33:17 2014	(r274113)
@@ -11,6 +11,20 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20141104:	p15	FreeBSD-SA-14:24.sshd
+			FreeBSD-SA-14:25.setlogin
+			FreeBSD-SA-14:26.ftp
+			FreeBSD-EN-14:12.zfs
+
+	Fix denial of service attack against sshd(8). [SA-14:24]
+
+	Fix kernel stack disclosure in setlogin(2) / getlogin(2).
+	[SA-14:25]
+
+	Fix remote command execution in ftp(1). [SA-14:26]
+
+	Fix NFSv4 and ZFS cache consistency issue. [EN-14:12]
+
 20141022:	p14	FreeBSD-EN-14:10.tzdata
 
 	Time zone data file update. [EN-14:10]

Modified: releng/9.2/contrib/tnftp/src/fetch.c
==============================================================================
--- releng/9.2/contrib/tnftp/src/fetch.c	Tue Nov  4 23:32:45 2014	(r274112)
+++ releng/9.2/contrib/tnftp/src/fetch.c	Tue Nov  4 23:33:17 2014	(r274113)
@@ -547,7 +547,7 @@ fetch_url(const char *url, const char *p
 	url_decode(decodedpath);
 
 	if (outfile)
-		savefile = ftp_strdup(outfile);
+		savefile = outfile;
 	else {
 		cp = strrchr(decodedpath, '/');		/* find savefile */
 		if (cp != NULL)
@@ -571,8 +571,7 @@ fetch_url(const char *url, const char *p
 	rangestart = rangeend = entitylen = -1;
 	mtime = -1;
 	if (restartautofetch) {
-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
-		    stat(savefile, &sb) == 0)
+		if (stat(savefile, &sb) == 0)
 			restart_point = sb.st_size;
 	}
 	if (urltype == FILE_URL_T) {		/* file:// URLs */
@@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *p
 	}		/* end of ftp:// or http:// specific setup */
 
 			/* Open the output file. */
-	if (strcmp(savefile, "-") == 0) {
-		fout = stdout;
-	} else if (*savefile == '|') {
-		oldintp = xsignal(SIGPIPE, SIG_IGN);
-		fout = popen(savefile + 1, "w");
-		if (fout == NULL) {
-			warn("Can't execute `%s'", savefile + 1);
-			goto cleanup_fetch_url;
+
+	/*
+	 * Only trust filenames with special meaning if they came from
+	 * the command line
+	 */
+	if (outfile == savefile) {
+		if (strcmp(savefile, "-") == 0) {
+			fout = stdout;
+		} else if (*savefile == '|') {
+			oldintp = xsignal(SIGPIPE, SIG_IGN);
+			fout = popen(savefile + 1, "w");
+			if (fout == NULL) {
+				warn("Can't execute `%s'", savefile + 1);
+				goto cleanup_fetch_url;
+			}
+			closefunc = pclose;
 		}
-		closefunc = pclose;
-	} else {
+	}
+	if (fout == NULL) {
 		if ((rangeend != -1 && rangeend <= restart_point) ||
 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
 			/* already done */
@@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *p
 		(*closefunc)(fout);
 	if (res0)
 		freeaddrinfo(res0);
-	FREEPTR(savefile);
+	if (savefile != outfile)
+		FREEPTR(savefile);
 	FREEPTR(uuser);
 	if (pass != NULL)
 		memset(pass, 0, strlen(pass));

Modified: releng/9.2/secure/usr.sbin/sshd/Makefile
==============================================================================
--- releng/9.2/secure/usr.sbin/sshd/Makefile	Tue Nov  4 23:32:45 2014	(r274112)
+++ releng/9.2/secure/usr.sbin/sshd/Makefile	Tue Nov  4 23:33:17 2014	(r274113)
@@ -47,6 +47,16 @@ CFLAGS+= -DNONE_CIPHER_ENABLED
 DPADD+=	${LIBCRYPTO} ${LIBCRYPT}
 LDADD+=	-lcrypto -lcrypt
 
+# Fix the order of NEEDED entries for libthr and libc. The libthr
+# needs to interpose libc symbols, leaving the libthr loading as
+# dependency of krb causes reversed order and broken interposing. Put
+# the threading library last on the linker command line, just before
+# the -lc added by a compiler driver.
+.if ${MK_KERBEROS_SUPPORT} != "no"
+DPADD+= ${LIBPTHREAD}
+LDADD+= -lpthread
+.endif
+
 .if defined(LOCALBASE)
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif

Modified: releng/9.2/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
==============================================================================
--- releng/9.2/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:32:45 2014	(r274112)
+++ releng/9.2/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:33:17 2014	(r274113)
@@ -2799,6 +2799,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, i
 #endif
 	vap->va_seq = zp->z_seq;
 	vap->va_flags = 0;	/* FreeBSD: Reset chflags(2) flags. */
+	vap->va_filerev = zp->z_seq;
 
 	/*
 	 * Add in any requested optional attributes and the create time.

Modified: releng/9.2/sys/conf/newvers.sh
==============================================================================
--- releng/9.2/sys/conf/newvers.sh	Tue Nov  4 23:32:45 2014	(r274112)
+++ releng/9.2/sys/conf/newvers.sh	Tue Nov  4 23:33:17 2014	(r274113)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.2"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.2/sys/kern/kern_prot.c
==============================================================================
--- releng/9.2/sys/kern/kern_prot.c	Tue Nov  4 23:32:45 2014	(r274112)
+++ releng/9.2/sys/kern/kern_prot.c	Tue Nov  4 23:33:17 2014	(r274113)
@@ -2073,21 +2073,20 @@ struct getlogin_args {
 int
 sys_getlogin(struct thread *td, struct getlogin_args *uap)
 {
-	int error;
 	char login[MAXLOGNAME];
 	struct proc *p = td->td_proc;
+	size_t len;
 
 	if (uap->namelen > MAXLOGNAME)
 		uap->namelen = MAXLOGNAME;
 	PROC_LOCK(p);
 	SESS_LOCK(p->p_session);
-	bcopy(p->p_session->s_login, login, uap->namelen);
+	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
 	SESS_UNLOCK(p->p_session);
 	PROC_UNLOCK(p);
-	if (strlen(login) + 1 > uap->namelen)
+	if (len > uap->namelen)
 		return (ERANGE);
-	error = copyout(login, uap->namebuf, uap->namelen);
-	return (error);
+	return (copyout(login, uap->namebuf, len));
 }
 
 /*
@@ -2106,21 +2105,23 @@ sys_setlogin(struct thread *td, struct s
 	int error;
 	char logintmp[MAXLOGNAME];
 
+	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
 	error = priv_check(td, PRIV_PROC_SETLOGIN);
 	if (error)
 		return (error);
 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
-	if (error == ENAMETOOLONG)
-		error = EINVAL;
-	else if (!error) {
-		PROC_LOCK(p);
-		SESS_LOCK(p->p_session);
-		(void) memcpy(p->p_session->s_login, logintmp,
-		    sizeof(logintmp));
-		SESS_UNLOCK(p->p_session);
-		PROC_UNLOCK(p);
+	if (error != 0) {
+		if (error == ENAMETOOLONG)
+			error = EINVAL;
+		return (error);
 	}
-	return (error);
+	PROC_LOCK(p);
+	SESS_LOCK(p->p_session);
+	strcpy(p->p_session->s_login, logintmp);
+	SESS_UNLOCK(p->p_session);
+	PROC_UNLOCK(p);
+	return (0);
 }
 
 void

From owner-svn-src-releng@FreeBSD.ORG  Tue Nov  4 23:33:48 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id B11B6A23;
 Tue,  4 Nov 2014 23:33:48 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 9B4CC1F5;
 Tue,  4 Nov 2014 23:33:48 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4NXmO7079130;
 Tue, 4 Nov 2014 23:33:48 GMT (envelope-from des@FreeBSD.org)
Received: (from des@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4NXlxo079124;
 Tue, 4 Nov 2014 23:33:47 GMT (envelope-from des@FreeBSD.org)
Message-Id: <201411042333.sA4NXlxo079124@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org
 using -f
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Tue, 4 Nov 2014 23:33:47 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274114 - in releng/9.3: . contrib/tnftp/src
 sys/cddl/contrib/opensolaris/uts/common/fs/zfs sys/conf sys/kern
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 23:33:48 -0000

Author: des
Date: Tue Nov  4 23:33:46 2014
New Revision: 274114
URL: https://svnweb.freebsd.org/changeset/base/274114

Log:
  [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
  [SA-14:26] Fix remote command execution in ftp(1).
  [EN-14:12] Fix NFSv4 and ZFS cache consistency issue.
  
  Approved by:	so (des)

Modified:
  releng/9.3/UPDATING
  releng/9.3/contrib/tnftp/src/fetch.c
  releng/9.3/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
  releng/9.3/sys/conf/newvers.sh
  releng/9.3/sys/kern/kern_prot.c

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING	Tue Nov  4 23:33:17 2014	(r274113)
+++ releng/9.3/UPDATING	Tue Nov  4 23:33:46 2014	(r274114)
@@ -11,6 +11,17 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20141104:	p5	FreeBSD-SA-14:25.setlogin
+			FreeBSD-SA-14:26.ftp
+			FreeBSD-EN-14:12.zfs
+
+	Fix kernel stack disclosure in setlogin(2) / getlogin(2).
+	[SA-14:25]
+
+	Fix remote command execution in ftp(1). [SA-14:26]
+
+	Fix NFSv4 and ZFS cache consistency issue. [EN-14:12]
+
 20141022:	p4	FreeBSD-EN-14:10.tzdata
 			FreeBSD-EN-14:11.crypt
 

Modified: releng/9.3/contrib/tnftp/src/fetch.c
==============================================================================
--- releng/9.3/contrib/tnftp/src/fetch.c	Tue Nov  4 23:33:17 2014	(r274113)
+++ releng/9.3/contrib/tnftp/src/fetch.c	Tue Nov  4 23:33:46 2014	(r274114)
@@ -547,7 +547,7 @@ fetch_url(const char *url, const char *p
 	url_decode(decodedpath);
 
 	if (outfile)
-		savefile = ftp_strdup(outfile);
+		savefile = outfile;
 	else {
 		cp = strrchr(decodedpath, '/');		/* find savefile */
 		if (cp != NULL)
@@ -571,8 +571,7 @@ fetch_url(const char *url, const char *p
 	rangestart = rangeend = entitylen = -1;
 	mtime = -1;
 	if (restartautofetch) {
-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
-		    stat(savefile, &sb) == 0)
+		if (stat(savefile, &sb) == 0)
 			restart_point = sb.st_size;
 	}
 	if (urltype == FILE_URL_T) {		/* file:// URLs */
@@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *p
 	}		/* end of ftp:// or http:// specific setup */
 
 			/* Open the output file. */
-	if (strcmp(savefile, "-") == 0) {
-		fout = stdout;
-	} else if (*savefile == '|') {
-		oldintp = xsignal(SIGPIPE, SIG_IGN);
-		fout = popen(savefile + 1, "w");
-		if (fout == NULL) {
-			warn("Can't execute `%s'", savefile + 1);
-			goto cleanup_fetch_url;
+
+	/*
+	 * Only trust filenames with special meaning if they came from
+	 * the command line
+	 */
+	if (outfile == savefile) {
+		if (strcmp(savefile, "-") == 0) {
+			fout = stdout;
+		} else if (*savefile == '|') {
+			oldintp = xsignal(SIGPIPE, SIG_IGN);
+			fout = popen(savefile + 1, "w");
+			if (fout == NULL) {
+				warn("Can't execute `%s'", savefile + 1);
+				goto cleanup_fetch_url;
+			}
+			closefunc = pclose;
 		}
-		closefunc = pclose;
-	} else {
+	}
+	if (fout == NULL) {
 		if ((rangeend != -1 && rangeend <= restart_point) ||
 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
 			/* already done */
@@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *p
 		(*closefunc)(fout);
 	if (res0)
 		freeaddrinfo(res0);
-	FREEPTR(savefile);
+	if (savefile != outfile)
+		FREEPTR(savefile);
 	FREEPTR(uuser);
 	if (pass != NULL)
 		memset(pass, 0, strlen(pass));

Modified: releng/9.3/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
==============================================================================
--- releng/9.3/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:33:17 2014	(r274113)
+++ releng/9.3/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c	Tue Nov  4 23:33:46 2014	(r274114)
@@ -2812,6 +2812,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, i
 #endif
 	vap->va_seq = zp->z_seq;
 	vap->va_flags = 0;	/* FreeBSD: Reset chflags(2) flags. */
+	vap->va_filerev = zp->z_seq;
 
 	/*
 	 * Add in any requested optional attributes and the create time.

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh	Tue Nov  4 23:33:17 2014	(r274113)
+++ releng/9.3/sys/conf/newvers.sh	Tue Nov  4 23:33:46 2014	(r274114)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.3/sys/kern/kern_prot.c
==============================================================================
--- releng/9.3/sys/kern/kern_prot.c	Tue Nov  4 23:33:17 2014	(r274113)
+++ releng/9.3/sys/kern/kern_prot.c	Tue Nov  4 23:33:46 2014	(r274114)
@@ -2073,21 +2073,20 @@ struct getlogin_args {
 int
 sys_getlogin(struct thread *td, struct getlogin_args *uap)
 {
-	int error;
 	char login[MAXLOGNAME];
 	struct proc *p = td->td_proc;
+	size_t len;
 
 	if (uap->namelen > MAXLOGNAME)
 		uap->namelen = MAXLOGNAME;
 	PROC_LOCK(p);
 	SESS_LOCK(p->p_session);
-	bcopy(p->p_session->s_login, login, uap->namelen);
+	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
 	SESS_UNLOCK(p->p_session);
 	PROC_UNLOCK(p);
-	if (strlen(login) + 1 > uap->namelen)
+	if (len > uap->namelen)
 		return (ERANGE);
-	error = copyout(login, uap->namebuf, uap->namelen);
-	return (error);
+	return (copyout(login, uap->namebuf, len));
 }
 
 /*
@@ -2106,21 +2105,23 @@ sys_setlogin(struct thread *td, struct s
 	int error;
 	char logintmp[MAXLOGNAME];
 
+	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
 	error = priv_check(td, PRIV_PROC_SETLOGIN);
 	if (error)
 		return (error);
 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
-	if (error == ENAMETOOLONG)
-		error = EINVAL;
-	else if (!error) {
-		PROC_LOCK(p);
-		SESS_LOCK(p->p_session);
-		(void) memcpy(p->p_session->s_login, logintmp,
-		    sizeof(logintmp));
-		SESS_UNLOCK(p->p_session);
-		PROC_UNLOCK(p);
+	if (error != 0) {
+		if (error == ENAMETOOLONG)
+			error = EINVAL;
+		return (error);
 	}
-	return (error);
+	PROC_LOCK(p);
+	SESS_LOCK(p->p_session);
+	strcpy(p->p_session->s_login, logintmp);
+	SESS_UNLOCK(p->p_session);
+	PROC_UNLOCK(p);
+	return (0);
 }
 
 void

From owner-svn-src-releng@FreeBSD.ORG  Tue Nov  4 23:34:47 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 9243AB57;
 Tue,  4 Nov 2014 23:34:47 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 737A8205;
 Tue,  4 Nov 2014 23:34:47 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA4NYlgA079316;
 Tue, 4 Nov 2014 23:34:47 GMT (envelope-from des@FreeBSD.org)
Received: (from des@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA4NYkev079313;
 Tue, 4 Nov 2014 23:34:46 GMT (envelope-from des@FreeBSD.org)
Message-Id: <201411042334.sA4NYkev079313@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org
 using -f
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Tue, 4 Nov 2014 23:34:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274115 - in releng/10.1: contrib/tnftp/src sys/conf
 sys/kern
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 23:34:47 -0000

Author: des
Date: Tue Nov  4 23:34:46 2014
New Revision: 274115
URL: https://svnweb.freebsd.org/changeset/base/274115

Log:
  [SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
  [SA-14:26] Fix remote command execution in ftp(1).
  
  Approved by:	re (gjb)

Modified:
  releng/10.1/contrib/tnftp/src/fetch.c
  releng/10.1/sys/conf/newvers.sh
  releng/10.1/sys/kern/kern_prot.c

Modified: releng/10.1/contrib/tnftp/src/fetch.c
==============================================================================
--- releng/10.1/contrib/tnftp/src/fetch.c	Tue Nov  4 23:33:46 2014	(r274114)
+++ releng/10.1/contrib/tnftp/src/fetch.c	Tue Nov  4 23:34:46 2014	(r274115)
@@ -547,7 +547,7 @@ fetch_url(const char *url, const char *p
 	url_decode(decodedpath);
 
 	if (outfile)
-		savefile = ftp_strdup(outfile);
+		savefile = outfile;
 	else {
 		cp = strrchr(decodedpath, '/');		/* find savefile */
 		if (cp != NULL)
@@ -571,8 +571,7 @@ fetch_url(const char *url, const char *p
 	rangestart = rangeend = entitylen = -1;
 	mtime = -1;
 	if (restartautofetch) {
-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
-		    stat(savefile, &sb) == 0)
+		if (stat(savefile, &sb) == 0)
 			restart_point = sb.st_size;
 	}
 	if (urltype == FILE_URL_T) {		/* file:// URLs */
@@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *p
 	}		/* end of ftp:// or http:// specific setup */
 
 			/* Open the output file. */
-	if (strcmp(savefile, "-") == 0) {
-		fout = stdout;
-	} else if (*savefile == '|') {
-		oldintp = xsignal(SIGPIPE, SIG_IGN);
-		fout = popen(savefile + 1, "w");
-		if (fout == NULL) {
-			warn("Can't execute `%s'", savefile + 1);
-			goto cleanup_fetch_url;
+
+	/*
+	 * Only trust filenames with special meaning if they came from
+	 * the command line
+	 */
+	if (outfile == savefile) {
+		if (strcmp(savefile, "-") == 0) {
+			fout = stdout;
+		} else if (*savefile == '|') {
+			oldintp = xsignal(SIGPIPE, SIG_IGN);
+			fout = popen(savefile + 1, "w");
+			if (fout == NULL) {
+				warn("Can't execute `%s'", savefile + 1);
+				goto cleanup_fetch_url;
+			}
+			closefunc = pclose;
 		}
-		closefunc = pclose;
-	} else {
+	}
+	if (fout == NULL) {
 		if ((rangeend != -1 && rangeend <= restart_point) ||
 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
 			/* already done */
@@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *p
 		(*closefunc)(fout);
 	if (res0)
 		freeaddrinfo(res0);
-	FREEPTR(savefile);
+	if (savefile != outfile)
+		FREEPTR(savefile);
 	FREEPTR(uuser);
 	if (pass != NULL)
 		memset(pass, 0, strlen(pass));

Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh	Tue Nov  4 23:33:46 2014	(r274114)
+++ releng/10.1/sys/conf/newvers.sh	Tue Nov  4 23:34:46 2014	(r274115)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RC4"
+BRANCH="RC4-p1"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.1/sys/kern/kern_prot.c
==============================================================================
--- releng/10.1/sys/kern/kern_prot.c	Tue Nov  4 23:33:46 2014	(r274114)
+++ releng/10.1/sys/kern/kern_prot.c	Tue Nov  4 23:34:46 2014	(r274115)
@@ -2073,21 +2073,20 @@ struct getlogin_args {
 int
 sys_getlogin(struct thread *td, struct getlogin_args *uap)
 {
-	int error;
 	char login[MAXLOGNAME];
 	struct proc *p = td->td_proc;
+	size_t len;
 
 	if (uap->namelen > MAXLOGNAME)
 		uap->namelen = MAXLOGNAME;
 	PROC_LOCK(p);
 	SESS_LOCK(p->p_session);
-	bcopy(p->p_session->s_login, login, uap->namelen);
+	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
 	SESS_UNLOCK(p->p_session);
 	PROC_UNLOCK(p);
-	if (strlen(login) + 1 > uap->namelen)
+	if (len > uap->namelen)
 		return (ERANGE);
-	error = copyout(login, uap->namebuf, uap->namelen);
-	return (error);
+	return (copyout(login, uap->namebuf, len));
 }
 
 /*
@@ -2106,21 +2105,23 @@ sys_setlogin(struct thread *td, struct s
 	int error;
 	char logintmp[MAXLOGNAME];
 
+	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
 	error = priv_check(td, PRIV_PROC_SETLOGIN);
 	if (error)
 		return (error);
 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
-	if (error == ENAMETOOLONG)
-		error = EINVAL;
-	else if (!error) {
-		PROC_LOCK(p);
-		SESS_LOCK(p->p_session);
-		(void) memcpy(p->p_session->s_login, logintmp,
-		    sizeof(logintmp));
-		SESS_UNLOCK(p->p_session);
-		PROC_UNLOCK(p);
+	if (error != 0) {
+		if (error == ENAMETOOLONG)
+			error = EINVAL;
+		return (error);
 	}
-	return (error);
+	PROC_LOCK(p);
+	SESS_LOCK(p->p_session);
+	strcpy(p->p_session->s_login, logintmp);
+	SESS_UNLOCK(p->p_session);
+	PROC_UNLOCK(p);
+	return (0);
 }
 
 void

From owner-svn-src-releng@FreeBSD.ORG  Wed Nov  5 22:33:21 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 4431035A;
 Wed,  5 Nov 2014 22:33:21 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 2E8991B0;
 Wed,  5 Nov 2014 22:33:21 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA5MXLbv034487;
 Wed, 5 Nov 2014 22:33:21 GMT (envelope-from wblock@FreeBSD.org)
Received: (from wblock@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA5MXLVS034486;
 Wed, 5 Nov 2014 22:33:21 GMT (envelope-from wblock@FreeBSD.org)
Message-Id: <201411052233.sA5MXLVS034486@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: wblock set sender to
 wblock@FreeBSD.org using -f
From: Warren Block <wblock@FreeBSD.org>
Date: Wed, 5 Nov 2014 22:33:21 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274147 - releng/10.1/etc
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Nov 2014 22:33:21 -0000

Author: wblock (doc committer)
Date: Wed Nov  5 22:33:20 2014
New Revision: 274147
URL: https://svnweb.freebsd.org/changeset/base/274147

Log:
  MFC r274128:
  
  Add the less-ambiguous freebsd-version command.
  
  Approved by:	re

Modified:
  releng/10.1/etc/motd
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/etc/motd
==============================================================================
--- releng/10.1/etc/motd	Wed Nov  5 20:58:25 2014	(r274146)
+++ releng/10.1/etc/motd	Wed Nov  5 22:33:20 2014	(r274147)
@@ -13,7 +13,7 @@ Documents installed with the system are 
 directory, or can be installed later with:  pkg install en-freebsd-doc
 For other languages, replace "en" with a language code like de or fr.
 
-Show the version of FreeBSD installed:  uname -a
+Show the version of FreeBSD installed:  freebsd-version ; uname -a
 Please include that output and any error messages when posting questions.
 Introduction to manual pages:  man man
 FreeBSD directory layout:      man hier

From owner-svn-src-releng@FreeBSD.ORG  Thu Nov  6 02:28:08 2014
Return-Path: <owner-svn-src-releng@FreeBSD.ORG>
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id D2162158;
 Thu,  6 Nov 2014 02:28:08 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id BE52DE6A;
 Thu,  6 Nov 2014 02:28:08 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sA62S8tJ044476;
 Thu, 6 Nov 2014 02:28:08 GMT (envelope-from gjb@FreeBSD.org)
Received: (from gjb@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id sA62S8gH044475;
 Thu, 6 Nov 2014 02:28:08 GMT (envelope-from gjb@FreeBSD.org)
Message-Id: <201411060228.sA62S8gH044475@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org
 using -f
From: Glen Barber <gjb@FreeBSD.org>
Date: Thu, 6 Nov 2014 02:28:08 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r274161 - releng/10.1/release/doc/en_US.ISO8859-1/relnotes
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Nov 2014 02:28:08 -0000

Author: gjb
Date: Thu Nov  6 02:28:08 2014
New Revision: 274161
URL: https://svnweb.freebsd.org/changeset/base/274161

Log:
  Document SA-14:25, SA-14:26
  
  Approved by:	re (implicit)
  Sponsored by:	The FreeBSD Foundation

Modified:
  releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml

Modified: releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml
==============================================================================
--- releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml	Thu Nov  6 02:23:01 2014	(r274160)
+++ releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml	Thu Nov  6 02:28:08 2014	(r274161)
@@ -314,6 +314,18 @@
 	      <entry>21&nbsp;October&nbsp;2014</entry>
 	      <entry><para>Multiple vulerabilities.</para></entry>
 	    </row>
+
+	    <row>
+	      <entry><link xlink:href="http://www.freebsd.org/security/advisories/FreeBSD-SA-14:25.setlogin.asc">SA-14:25.setlogin</link></entry>
+	      <entry>04&nbsp;November&nbsp;2014</entry>
+	      <entry><para>Kernel stack disclosure.</para></entry>
+	    </row>
+
+	    <row>
+	      <entry><link xlink:href="http://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc">SA-14:26.ftp</link></entry>
+	      <entry>04&nbsp;November&nbsp;2014</entry>
+	      <entry><para>Remote code execution.</para></entry>
+	    </row>
 	  </tbody>
 	</tgroup>
       </informaltable>