From: Xin LI
Date: Mon, 25 Jul 2016 15:04:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r303304 - in releng: 10.1 10.1/sys/conf 10.1/usr.bin/bsdiff/bspatch 10.1/usr.sbin/freebsd-update 10.2 10.2/sys/conf 10.2/usr.bin/bsdiff/bspatch 10.2/usr.sbin/freebsd-update 10.3 10.3/sy...
X-SVN-Group: releng
List-Id: SVN commit messages for the release engineering / security commits to the src tree

Author: delphij
Date: Mon Jul 25 15:04:17 2016
New Revision: 303304
URL: https://svnweb.freebsd.org/changeset/base/303304

Log:
  Fix bspatch heap overflow vulnerability. [SA-16:25]

  Fix freebsd-update(8) support of FreeBSD 11.0 release distribution. [EN-16:09]

  Approved by: so

Modified:
  releng/10.1/UPDATING
  releng/10.1/sys/conf/newvers.sh
  releng/10.1/usr.bin/bsdiff/bspatch/bspatch.c
  releng/10.1/usr.sbin/freebsd-update/freebsd-update.sh
  releng/10.2/UPDATING
  releng/10.2/sys/conf/newvers.sh
  releng/10.2/usr.bin/bsdiff/bspatch/bspatch.c
  releng/10.2/usr.sbin/freebsd-update/freebsd-update.sh
  releng/10.3/UPDATING
  releng/10.3/sys/conf/newvers.sh
  releng/10.3/usr.bin/bsdiff/bspatch/bspatch.c
  releng/10.3/usr.sbin/freebsd-update/freebsd-update.sh
  releng/9.3/UPDATING
  releng/9.3/sys/conf/newvers.sh
  releng/9.3/usr.bin/bsdiff/bspatch/bspatch.c
  releng/9.3/usr.sbin/freebsd-update/freebsd-update.sh

Modified: releng/10.1/UPDATING ============================================================================== --- releng/10.1/UPDATING Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.1/UPDATING Mon Jul 25 15:04:17 2016 (r303304)
@@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160725 p37 FreeBSD-SA-16:25.bspatch + FreeBSD-EN-16:09.freebsd-update + + Fix bspatch heap overflow vulnerability. [SA-16:25] + + Fix freebsd-update(8) support of FreeBSD 11.0 release + distribution. [EN-16:09] + 20160604 p36 FreeBSD-SA-16:24.ntp Fix multiple vulnerabilities of ntp. Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.1/sys/conf/newvers.sh Mon Jul 25 15:04:17 2016 (r303304) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p36" +BRANCH="RELEASE-p37" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.1/usr.bin/bsdiff/bspatch/bspatch.c ============================================================================== --- releng/10.1/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.1/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 15:04:17 2016 (r303304) @@ -155,6 +155,10 @@ int main(int argc,char * argv[]) }; /* Sanity-check */ + if ((ctrl[0] < 0) || (ctrl[1] < 0)) + errx(1,"Corrupt patch\n"); + + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n"); Modified: releng/10.1/usr.sbin/freebsd-update/freebsd-update.sh ============================================================================== --- releng/10.1/usr.sbin/freebsd-update/freebsd-update.sh Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.1/usr.sbin/freebsd-update/freebsd-update.sh Mon Jul 25 15:04:17 2016 (r303304) 
@@ -1229,7 +1229,7 @@ fetch_metadata_sanity () { # Check that the first four fields make sense. if gunzip -c < files/$1.gz | - grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then + grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then fetch_metadata_bogus "" return 1 fi Modified: releng/10.2/UPDATING ============================================================================== --- releng/10.2/UPDATING Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.2/UPDATING Mon Jul 25 15:04:17 2016 (r303304) @@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160725 p20 FreeBSD-SA-16:25.bspatch + FreeBSD-EN-16:09.freebsd-update + + Fix bspatch heap overflow vulnerability. [SA-16:25] + + Fix freebsd-update(8) support of FreeBSD 11.0 release + distribution. [EN-16:09] + 20160604 p19 FreeBSD-SA-16:24.ntp Fix multiple vulnerabilities of ntp. Modified: releng/10.2/sys/conf/newvers.sh ============================================================================== --- releng/10.2/sys/conf/newvers.sh Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.2/sys/conf/newvers.sh Mon Jul 25 15:04:17 2016 (r303304) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.2" -BRANCH="RELEASE-p19" +BRANCH="RELEASE-p20" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.2/usr.bin/bsdiff/bspatch/bspatch.c ============================================================================== --- releng/10.2/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.2/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 15:04:17 2016 (r303304) 
@@ -155,6 +155,10 @@ int main(int argc,char * argv[]) }; /* Sanity-check */ + if ((ctrl[0] < 0) || (ctrl[1] < 0)) + errx(1,"Corrupt patch\n"); + + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n"); Modified: releng/10.2/usr.sbin/freebsd-update/freebsd-update.sh ============================================================================== --- releng/10.2/usr.sbin/freebsd-update/freebsd-update.sh Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.2/usr.sbin/freebsd-update/freebsd-update.sh Mon Jul 25 15:04:17 2016 (r303304) @@ -1245,7 +1245,7 @@ fetch_metadata_sanity () { # Check that the first four fields make sense. if gunzip -c < files/$1.gz | - grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then + grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then fetch_metadata_bogus "" return 1 fi Modified: releng/10.3/UPDATING ============================================================================== --- releng/10.3/UPDATING Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.3/UPDATING Mon Jul 25 15:04:17 2016 (r303304) @@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20160725 p6 FreeBSD-SA-16:25.bspatch + FreeBSD-EN-16:09.freebsd-update + + Fix bspatch heap overflow vulnerability. [SA-16:25] + + Fix freebsd-update(8) support of FreeBSD 11.0 release + distribution. [EN-16:09] + 20160604 p5 FreeBSD-SA-16:24.ntp Fix multiple vulnerabilities of ntp. Modified: releng/10.3/sys/conf/newvers.sh ============================================================================== --- releng/10.3/sys/conf/newvers.sh Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.3/sys/conf/newvers.sh Mon Jul 25 15:04:17 2016 (r303304) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p5" +BRANCH="RELEASE-p6" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.3/usr.bin/bsdiff/bspatch/bspatch.c ============================================================================== --- releng/10.3/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.3/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 15:04:17 2016 (r303304) @@ -155,6 +155,10 @@ int main(int argc,char * argv[]) }; /* Sanity-check */ + if ((ctrl[0] < 0) || (ctrl[1] < 0)) + errx(1,"Corrupt patch\n"); + + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n"); Modified: releng/10.3/usr.sbin/freebsd-update/freebsd-update.sh ============================================================================== --- releng/10.3/usr.sbin/freebsd-update/freebsd-update.sh Mon Jul 25 15:04:15 2016 (r303303) +++ releng/10.3/usr.sbin/freebsd-update/freebsd-update.sh Mon Jul 25 15:04:17 2016 (r303304) @@ -1250,7 +1250,7 @@ fetch_metadata_sanity () { # Check that the first four fields make sense. if gunzip -c < files/$1.gz | - grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then + grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then fetch_metadata_bogus "" return 1 fi Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Mon Jul 25 15:04:15 2016 (r303303) +++ releng/9.3/UPDATING Mon Jul 25 15:04:17 2016 (r303304) 
@@ -11,6 +11,14 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20160725 p45 FreeBSD-SA-16:25.bspatch + FreeBSD-EN-16:09.freebsd-update + + Fix bspatch heap overflow vulnerability. [SA-16:25] + + Fix freebsd-update(8) support of FreeBSD 11.0 release + distribution. [EN-16:09] + 20160604 p44 FreeBSD-SA-16:24.ntp Fix multiple vulnerabilities of ntp. Modified: releng/9.3/sys/conf/newvers.sh ============================================================================== --- releng/9.3/sys/conf/newvers.sh Mon Jul 25 15:04:15 2016 (r303303) +++ releng/9.3/sys/conf/newvers.sh Mon Jul 25 15:04:17 2016 (r303304) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.3" -BRANCH="RELEASE-p44" +BRANCH="RELEASE-p45" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.3/usr.bin/bsdiff/bspatch/bspatch.c ============================================================================== --- releng/9.3/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 15:04:15 2016 (r303303) +++ releng/9.3/usr.bin/bsdiff/bspatch/bspatch.c Mon Jul 25 15:04:17 2016 (r303304) @@ -155,6 +155,10 @@ int main(int argc,char * argv[]) }; /* Sanity-check */ + if ((ctrl[0] < 0) || (ctrl[1] < 0)) + errx(1,"Corrupt patch\n"); + + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n"); Modified: releng/9.3/usr.sbin/freebsd-update/freebsd-update.sh ============================================================================== --- releng/9.3/usr.sbin/freebsd-update/freebsd-update.sh Mon Jul 25 15:04:15 2016 (r303303) +++ releng/9.3/usr.sbin/freebsd-update/freebsd-update.sh Mon Jul 25 15:04:17 2016 (r303304) @@ -1229,7 +1229,7 @@ fetch_metadata_sanity () { # Check that the first four fields make sense. if gunzip -c < files/$1.gz | - grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then + grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then fetch_metadata_bogus "" return 1 fi
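
Review bot: In the bspatch.c hunk at line 155 (the same in releng/9.3, 10.1, 10.2 and 10.3), the context check that follows the new test, if(newpos+ctrl[0]>newsize), still performs a signed addition on a length read from the patch file, so a very large positive ctrl[0] can overflow the sum and pass as "in range" even though the negative case is now rejected. Since the added test guarantees ctrl[0] >= 0, the bound can be written as a subtraction instead, ctrl[0] > newsize - newpos, which cannot wrap as long as newpos <= newsize holds; the same form would apply to the matching ctrl[1] bound if it is also written as an addition. The two adjacent /* Sanity-check */ comments are now identical; the first could say what it checks (control lengths must be non-negative) so that the two tests are not later merged or reordered by mistake.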
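
Review bot: In the fetch_metadata_sanity hunk of freebsd-update.sh (all four branches), the widened class [0-9a-z-]+ for the second field accepts more than hyphenated names: a field made only of hyphens, or one that starts with a hyphen, now passes the sanity check on metadata that comes from the network. If the intent is only to admit names with internal hyphens, a stricter form such as [0-9a-z]+(-[0-9a-z]+)* keeps that while rejecting a leading or trailing hyphen, which matters if the field is ever used as a command argument or path component later in the script. The comment above the grep ("Check that the first four fields make sense") would also benefit from a short note on why a hyphen is allowed in the second field, since the commit log only ties the change to 11.0 release distribution support.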