From owner-svn-src-stable-8@FreeBSD.ORG Mon Dec 22 19:08:14 2014
Return-Path:
Delivered-To: svn-src-stable-8@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 228A8CDE; Mon, 22 Dec 2014 19:08:13 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C8AE71B96; Mon, 22 Dec 2014 19:08:13 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sBMJ8Di2002346; Mon, 22 Dec 2014 19:08:13 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sBMJ8CPS002336; Mon, 22 Dec 2014 19:08:12 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201412221908.sBMJ8CPS002336@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f
From: Xin LI
Date: Mon, 22 Dec 2014 19:08:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r276073 - in stable: 8/contrib/ntp/ntpd 8/contrib/ntp/util 9/contrib/ntp/ntpd 9/contrib/ntp/util
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-8@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for only the 8-stable src tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 22 Dec 2014 19:08:14 -0000

Author: delphij
Date: Mon Dec 22 19:08:09 2014
New Revision: 276073
URL: https://svnweb.freebsd.org/changeset/base/276073

Log:
  MFC r276071:

  Fix multiple ntp vulnerabilities.

  Reviewed by:	roberto (earlier revision), philip
  Security:	CVE-2014-9293, CVE-2014-9294
  Security:	CVE-2014-9295, CVE-2014-9296
  Security:	FreeBSD-SA-14:31.ntp

Modified:
  stable/8/contrib/ntp/ntpd/ntp_config.c
  stable/8/contrib/ntp/ntpd/ntp_control.c
  stable/8/contrib/ntp/ntpd/ntp_crypto.c
  stable/8/contrib/ntp/ntpd/ntp_proto.c
  stable/8/contrib/ntp/util/ntp-keygen.c
Directory Properties:
  stable/8/contrib/ntp/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/9/contrib/ntp/ntpd/ntp_config.c
  stable/9/contrib/ntp/ntpd/ntp_control.c
  stable/9/contrib/ntp/ntpd/ntp_crypto.c
  stable/9/contrib/ntp/ntpd/ntp_proto.c
  stable/9/contrib/ntp/util/ntp-keygen.c
Directory Properties:
  stable/9/contrib/ntp/   (props changed)

Modified: stable/8/contrib/ntp/ntpd/ntp_config.c
==============================================================================
--- stable/8/contrib/ntp/ntpd/ntp_config.c	Mon Dec 22 19:07:16 2014	(r276072)
+++ stable/8/contrib/ntp/ntpd/ntp_config.c	Mon Dec 22 19:08:09 2014	(r276073)
@@ -1887,7 +1887,7 @@ getconfig( for (i = 0; i < 8; i++) for (j = 1; j < 100; ++j) { - rankey[i] = (char) (ntp_random() & 0xff); + rankey[i] = (char) (arc4random() & 0xff); if (rankey[i] != 0) break; } rankey[8] = 0; Modified: stable/8/contrib/ntp/ntpd/ntp_control.c ============================================================================== --- stable/8/contrib/ntp/ntpd/ntp_control.c Mon Dec 22 19:07:16 2014 (r276072) +++ stable/8/contrib/ntp/ntpd/ntp_control.c Mon Dec 22 19:08:09 2014 (r276073) @@ -24,6 +24,10 @@ #include #include +#ifndef MIN +#define MIN(a, b) (((a) <= (b)) ? (a) : (b)) +#endif + /* * Structure to hold request procedure information */ @@ -893,6 +897,7 @@ ctl_putdata( ) { int overhead; + unsigned int currentlen; overhead = 0; if (!bin) { @@ -916,12 +921,22 @@ ctl_putdata( /* * Save room for trailing junk */ - if (dlen + overhead + datapt > dataend) { + while (dlen + overhead + datapt > dataend) { /* * Not enough room in this one, flush it out. */ + currentlen = MIN(dlen, dataend - datapt); + + memcpy(datapt, dp, currentlen); + + datapt += currentlen; + dp += currentlen; + dlen -= currentlen; + datalinelen += currentlen; + ctl_flushpkt(CTL_MORE); } + memmove((char *)datapt, dp, (unsigned)dlen); datapt += dlen; datalinelen += dlen; Modified: stable/8/contrib/ntp/ntpd/ntp_crypto.c ============================================================================== --- stable/8/contrib/ntp/ntpd/ntp_crypto.c Mon Dec 22 19:07:16 2014 (r276072) +++ stable/8/contrib/ntp/ntpd/ntp_crypto.c Mon Dec 22 19:08:09 2014 (r276073) 
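Review bot: in the ntp_config.c getconfig() hunk, the retry loop `for (j = 1; j < 100; ++j)` still only rejects a zero byte, so if all 99 draws came back 0 the entry would stay 0 and the generated key would silently end early; with arc4random() that is astronomically unlikely, but a one-line comment saying so (or a `for (;;)` loop as in the ntp-keygen gen_md5() hunk of this same patch) would make the intent clear. The hunk adds no `#include`, so please confirm ntp_config.c already pulls in <stdlib.h>, where FreeBSD declares arc4random().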
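Review bot: the new `while` loop in ctl_putdata() terminates only because ctl_flushpkt(CTL_MORE) moves datapt back toward the start of the buffer; if datapt were ever equal to dataend on entry, `currentlen = MIN(dlen, dataend - datapt)` would be 0 and the loop would spin until the flush resets datapt, so a comment stating that reliance on ctl_flushpkt() would help the next reader. Two smaller points: `dataend - datapt` is a ptrdiff_t while `dlen` and `currentlen` are `unsigned int`, so the `MIN()` comparison mixes signedness (a cast to `(unsigned)` inside the expression keeps compilers quiet), and the loop body uses `memcpy()` while the retained tail copy still uses `memmove()`; since `dp` and `datapt` are the same pair of pointers in both places, pick one. The `#ifndef MIN` guard is fine for contrib code, but FreeBSD's <sys/param.h> already provides MIN() if an include is preferred over a local definition.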
@@ -864,12 +864,24 @@ crypto_recv( * errors. */ if (vallen == (u_int) EVP_PKEY_size(host_pkey)) { - RSA_private_decrypt(vallen, + u_int32 *cookiebuf = malloc( + RSA_size(host_pkey->pkey.rsa)); + if (cookiebuf == NULL) { + rval = XEVNT_CKY; + break; + } + if (RSA_private_decrypt(vallen, (u_char *)ep->pkt, - (u_char *)&temp32, + (u_char *)cookiebuf, host_pkey->pkey.rsa, - RSA_PKCS1_OAEP_PADDING); - cookie = ntohl(temp32); + RSA_PKCS1_OAEP_PADDING) != 4) { + rval = XEVNT_CKY; + free(cookiebuf); + break; + } else { + cookie = ntohl(*cookiebuf); + free(cookiebuf); + } } else { rval = XEVNT_CKY; break; @@ -3914,7 +3926,7 @@ crypto_setup(void) rand_file); exit (-1); } - get_systime(&seed); + arc4random_buf(&seed, sizeof(l_fp)); RAND_seed(&seed, sizeof(l_fp)); RAND_write_file(rand_file); OpenSSL_add_all_algorithms(); Modified: stable/8/contrib/ntp/ntpd/ntp_proto.c ============================================================================== --- stable/8/contrib/ntp/ntpd/ntp_proto.c Mon Dec 22 19:07:16 2014 (r276072) +++ stable/8/contrib/ntp/ntpd/ntp_proto.c Mon Dec 22 19:08:09 2014 (r276073) @@ -649,6 +649,7 @@ receive( has_mac)) { is_authentic = AUTH_ERROR; sys_badauth++; + return; } else { is_authentic = AUTH_OK; } Modified: stable/8/contrib/ntp/util/ntp-keygen.c ============================================================================== --- stable/8/contrib/ntp/util/ntp-keygen.c Mon Dec 22 19:07:16 2014 (r276072) +++ stable/8/contrib/ntp/util/ntp-keygen.c Mon Dec 22 19:08:09 2014 (r276073) @@ -642,7 +642,7 @@ gen_md5( for (i = 1; i <= MD5KEYS; i++) { for (j = 0; j < 16; j++) { while (1) { - temp = ntp_random() & 0xff; + temp = arc4random() & 0xff; if (temp == '#') continue; if (temp > 0x20 && temp < 0x7f) 
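Review bot: in the crypto_recv() hunk, the return-value check `!= 4` is the part that actually stops a short or failed RSA_private_decrypt() from being read as a cookie, so it deserves `sizeof(*cookiebuf)` (or `sizeof(cookie)`) rather than a bare 4 that has to be matched by eye against the `u_int32` buffer type. The enclosing `if (vallen == (u_int) EVP_PKEY_size(host_pkey))` already guarantees the output fits in `vallen` bytes, so `malloc(vallen)` would say the same thing as `malloc(RSA_size(host_pkey->pkey.rsa))` without a second size query, and the `free(cookiebuf)` duplicated in both branches could be hoisted to a single call after the `if`/`else` by storing the decrypt result in a local first.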
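Review bot: the crypto_setup() hunk keeps the seed at `sizeof(l_fp)` bytes because that was the size of the timestamp it replaces, but arc4random_buf() can fill any length, so seeding OpenSSL's pool from a dedicated larger buffer (say 32 bytes) costs nothing and gives RAND_seed() and the RAND_write_file(rand_file) that follows more than one l_fp worth of fresh randomness. If the l_fp-sized seed stays, `sizeof(seed)` in both calls avoids repeating the type name.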
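Review bot: with the added `return;` in receive(), the `is_authentic = AUTH_ERROR;` assignment two lines above it is now dead and the `else` that sets `AUTH_OK` can become unconditional; tidying that makes it obvious that an authentication failure now ends packet processing here. Please also confirm that nothing later in receive() was relied on for the AUTH_ERROR case (any reply or logging on a bad MAC), since that code is no longer reached for such packets.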
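Review bot: the two RSA_generate_key() hunks in ntp-keygen.c (gen_rsa() and gen_gqpar(), which follow this point in the patch) hard-code the public exponent 65537 twice; OpenSSL's RSA_F4 is that same value and names the intent, so `RSA_generate_key(modulus, RSA_F4, cb, "RSA")` reads better and cannot drift between the two call sites. RSA_generate_key() itself is the deprecated interface; if this code is touched again, RSA_generate_key_ex() with a BIGNUM exponent is the replacement. The gen_md5() hunk is fine as is: the `while (1)` rejection loop already filters `#` and non-printable bytes, so only the entropy source needed to change.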
@@ -675,7 +675,7 @@ gen_rsa( FILE *str; fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus); - rsa = RSA_generate_key(modulus, 3, cb, "RSA"); + rsa = RSA_generate_key(modulus, 65537, cb, "RSA"); fprintf(stderr, "\n"); if (rsa == NULL) { fprintf(stderr, "RSA generate keys fails\n%s\n", @@ -954,7 +954,7 @@ gen_gqpar( */ fprintf(stderr, "Generating GQ parameters (%d bits)...\n", modulus); - rsa = RSA_generate_key(modulus, 3, cb, "GQ"); + rsa = RSA_generate_key(modulus, 65537, cb, "GQ"); fprintf(stderr, "\n"); if (rsa == NULL) { fprintf(stderr, "RSA generate keys fails\n%s\n", From owner-svn-src-stable-8@FreeBSD.ORG Mon Dec 22 22:11:46 2014 Return-Path: Delivered-To: svn-src-stable-8@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 852A26D8; Mon, 22 Dec 2014 22:11:46 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7114C372A; Mon, 22 Dec 2014 22:11:46 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sBMMBk1x094494; Mon, 22 Dec 2014 22:11:46 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sBMMBkkd094493; Mon, 22 Dec 2014 22:11:46 GMT (envelope-from des@FreeBSD.org) Message-Id: <201412222211.sBMMBkkd094493@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org using -f 
From: Dag-Erling Smørgrav
Date: Mon, 22 Dec 2014 22:11:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r276089 - stable/8/usr.sbin/freebsd-update
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-8@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for only the 8-stable src tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 22 Dec 2014 22:11:46 -0000

Author: des
Date: Mon Dec 22 22:11:45 2014
New Revision: 276089
URL: https://svnweb.freebsd.org/changeset/base/276089

Log:
  Strip trailing / characters from paths in "not present" index entries.

  Errata:	FreeBSD-EN-14:13.freebsd-update
  Approved by:	so@

Modified:
  stable/8/usr.sbin/freebsd-update/freebsd-update.sh

Modified: stable/8/usr.sbin/freebsd-update/freebsd-update.sh
==============================================================================
--- stable/8/usr.sbin/freebsd-update/freebsd-update.sh	Mon Dec 22 22:11:39 2014	(r276088)
+++ stable/8/usr.sbin/freebsd-update/freebsd-update.sh	Mon Dec 22 22:11:45 2014	(r276089)
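Review bot: in the fetch_filter_metadata() hunk that follows, the added `sed -e 's,/|-|,|-|,' |` could be a second `-e` expression on the existing `sed -e 's,/|d|,|d|,'` line rather than another pipeline stage, which keeps the directory and "not present" cases visibly together. Note that each substitution removes exactly one `/` in front of the `|d|` or `|-|` field, so an index line with two trailing slashes still keeps one; if the later code that adds a leading "/" (per the comment above the pipeline) cannot tolerate that, `s,/*|-|,|-|,` would strip all of them. It is also worth checking that the comment above the pipeline mentions the `|-|` entries now that they receive the same treatment.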
@@ -1372,6 +1372,7 @@ fetch_filter_metadata () { # matter, since we add a leading "/" when we use paths later. cut -f 3- -d '|' $1 | sed -e 's,/|d|,|d|,' | + sed -e 's,/|-|,|-|,' | sort -u > $1.tmp # Figure out which lines to ignore and remove them. From owner-svn-src-stable-8@FreeBSD.ORG Tue Dec 23 11:00:52 2014 Return-Path: Delivered-To: svn-src-stable-8@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 673AFB8A; Tue, 23 Dec 2014 11:00:52 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 52AE56437D; Tue, 23 Dec 2014 11:00:52 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sBNB0q4u060129; Tue, 23 Dec 2014 11:00:52 GMT (envelope-from nyan@FreeBSD.org) Received: (from nyan@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sBNB0q5s060128; Tue, 23 Dec 2014 11:00:52 GMT (envelope-from nyan@FreeBSD.org) Message-Id: <201412231100.sBNB0q5s060128@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: nyan set sender to nyan@FreeBSD.org using -f 
From: Takahashi Yoshihiro Date: Tue, 23 Dec 2014 11:00:52 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r276131 - stable/8/sys/conf X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-8@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for only the 8-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Dec 2014 11:00:52 -0000 Author: nyan Date: Tue Dec 23 11:00:51 2014 New Revision: 276131 URL: https://svnweb.freebsd.org/changeset/base/276131 Log: MFC: r272491 Reduce diffs against i386. Modified: stable/8/sys/conf/options.pc98 Directory Properties: stable/8/sys/ (props changed) stable/8/sys/conf/ (props changed) Modified: stable/8/sys/conf/options.pc98 ============================================================================== --- stable/8/sys/conf/options.pc98 Tue Dec 23 10:59:53 2014 (r276130) +++ stable/8/sys/conf/options.pc98 Tue Dec 23 11:00:51 2014 (r276131) @@ -32,12 +32,6 @@ KVA_PAGES opt_global.h TIMER_FREQ opt_clock.h -# options for serial support -COM_ESP opt_sio.h -COM_MULTIPORT opt_sio.h -CONSPEED opt_sio.h -GDBSPEED opt_sio.h - CPU_BLUELIGHTNING_3X opt_cpu.h CPU_BLUELIGHTNING_FPU_OP_CACHE opt_cpu.h CPU_BTB_EN opt_cpu.h @@ -68,8 +62,17 @@ I486_CPU opt_global.h I586_CPU opt_global.h I686_CPU opt_global.h +# options for serial support +COM_ESP opt_sio.h +COM_MULTIPORT opt_sio.h +CONSPEED opt_sio.h +GDBSPEED opt_sio.h + GDC +# AGP debugging support +AGP_DEBUG opt_agp.h + # Video spigot SPIGOT_UNSECURE opt_spigot.h @@ -97,7 +100,6 @@ DEV_NPX opt_npx.h # Debugging NPX_DEBUG opt_npx.h -AGP_DEBUG opt_agp.h # BPF just-in-time compiler BPF_JITTER opt_bpf.h