From owner-svn-src-all@FreeBSD.ORG Fri Dec 23 15:00:39 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 68718106571C; Fri, 23 Dec 2011 15:00:39 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 52A498FC16; Fri, 23 Dec 2011 15:00:39 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id pBNF0dw6071776; Fri, 23 Dec 2011 15:00:39 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id pBNF0ccj071728; Fri, 23 Dec 2011 15:00:38 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <201112231500.pBNF0ccj071728@svn.freebsd.org> From: Colin Percival Date: Fri, 23 Dec 2011 15:00:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec... X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2011 15:00:39 -0000 Author: cperciva Date: Fri Dec 23 15:00:37 2011 New Revision: 228843 URL: http://svn.freebsd.org/changeset/base/228843 Log: Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06] Add an API for alerting internal libc routines to the presence of "unsafe" paths post-chroot, and use it in ftpd. [11:07] Fix a buffer overflow in telnetd. [11:08] Make pam_ssh ignore unpassphrased keys unless the "nullok" option is specified. [11:09] Add sanity checking of service names in pam_start. [11:10] Approved by: so (cperciva) Approved by: re (bz) Security: FreeBSD-SA-11:06.bind Security: FreeBSD-SA-11:07.chroot Security: FreeBSD-SA-11:08.telnetd Security: FreeBSD-SA-11:09.pam_ssh Security: FreeBSD-SA-11:10.pam Added: releng/7.3/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/7.4/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/8.1/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/8.2/lib/libc/gen/libc_dlopen.c (contents, props changed) releng/9.0/lib/libc/gen/libc_dlopen.c (contents, props changed) Modified: releng/7.3/UPDATING releng/7.3/contrib/bind9/bin/named/query.c releng/7.3/contrib/bind9/lib/dns/rbtdb.c releng/7.3/contrib/openpam/lib/openpam_configure.c releng/7.3/contrib/telnet/libtelnet/encrypt.c releng/7.3/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/7.3/include/unistd.h releng/7.3/lib/libc/Versions.def releng/7.3/lib/libc/gen/Makefile.inc releng/7.3/lib/libc/gen/Symbol.map releng/7.3/lib/libc/include/libc_private.h releng/7.3/lib/libc/net/nsdispatch.c releng/7.3/lib/libpam/modules/pam_ssh/pam_ssh.c releng/7.3/libexec/ftpd/ftpd.c releng/7.3/libexec/ftpd/popen.c releng/7.3/sys/conf/newvers.sh releng/7.4/UPDATING releng/7.4/contrib/bind9/bin/named/query.c releng/7.4/contrib/bind9/lib/dns/rbtdb.c releng/7.4/contrib/openpam/lib/openpam_configure.c releng/7.4/contrib/telnet/libtelnet/encrypt.c releng/7.4/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/7.4/include/unistd.h releng/7.4/lib/libc/Versions.def releng/7.4/lib/libc/gen/Makefile.inc releng/7.4/lib/libc/gen/Symbol.map releng/7.4/lib/libc/include/libc_private.h releng/7.4/lib/libc/net/nsdispatch.c releng/7.4/lib/libpam/modules/pam_ssh/pam_ssh.c releng/7.4/libexec/ftpd/ftpd.c releng/7.4/libexec/ftpd/popen.c releng/7.4/sys/conf/newvers.sh releng/8.1/UPDATING releng/8.1/contrib/bind9/bin/named/query.c releng/8.1/contrib/bind9/lib/dns/rbtdb.c releng/8.1/contrib/openpam/lib/openpam_configure.c releng/8.1/contrib/telnet/libtelnet/encrypt.c releng/8.1/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/8.1/include/unistd.h releng/8.1/lib/libc/Versions.def releng/8.1/lib/libc/gen/Makefile.inc releng/8.1/lib/libc/gen/Symbol.map releng/8.1/lib/libc/include/libc_private.h releng/8.1/lib/libc/net/nsdispatch.c releng/8.1/lib/libpam/modules/pam_ssh/pam_ssh.c releng/8.1/libexec/ftpd/ftpd.c releng/8.1/libexec/ftpd/popen.c releng/8.1/sys/conf/newvers.sh releng/8.2/UPDATING releng/8.2/contrib/bind9/bin/named/query.c releng/8.2/contrib/bind9/lib/dns/rbtdb.c releng/8.2/contrib/openpam/lib/openpam_configure.c releng/8.2/contrib/telnet/libtelnet/encrypt.c releng/8.2/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/8.2/include/unistd.h releng/8.2/lib/libc/Versions.def releng/8.2/lib/libc/gen/Makefile.inc releng/8.2/lib/libc/gen/Symbol.map releng/8.2/lib/libc/include/libc_private.h releng/8.2/lib/libc/net/nsdispatch.c releng/8.2/lib/libpam/modules/pam_ssh/pam_ssh.c releng/8.2/libexec/ftpd/ftpd.c releng/8.2/libexec/ftpd/popen.c releng/8.2/sys/conf/newvers.sh releng/9.0/contrib/telnet/libtelnet/encrypt.c releng/9.0/crypto/heimdal/appl/telnet/libtelnet/encrypt.c releng/9.0/include/unistd.h releng/9.0/lib/libc/Versions.def releng/9.0/lib/libc/gen/Makefile.inc releng/9.0/lib/libc/gen/Symbol.map releng/9.0/lib/libc/iconv/citrus_module.c releng/9.0/lib/libc/include/libc_private.h releng/9.0/lib/libc/net/nsdispatch.c releng/9.0/libexec/ftpd/ftpd.c releng/9.0/libexec/ftpd/popen.c Changes in other areas also in this revision: Added: head/lib/libc/gen/libc_dlopen.c (contents, props changed) stable/7/lib/libc/gen/libc_dlopen.c (contents, props changed) stable/8/lib/libc/gen/libc_dlopen.c (contents, props changed) stable/9/lib/libc/gen/libc_dlopen.c (contents, props changed) Modified: head/contrib/telnet/libtelnet/encrypt.c head/crypto/heimdal/appl/telnet/libtelnet/encrypt.c head/include/unistd.h head/lib/libc/gen/Makefile.inc head/lib/libc/gen/Symbol.map head/lib/libc/iconv/citrus_module.c head/lib/libc/include/libc_private.h head/lib/libc/net/nsdispatch.c head/libexec/ftpd/ftpd.c head/libexec/ftpd/popen.c stable/7/contrib/telnet/libtelnet/encrypt.c stable/7/crypto/heimdal/appl/telnet/libtelnet/encrypt.c stable/7/include/unistd.h stable/7/lib/libc/Versions.def stable/7/lib/libc/gen/Makefile.inc stable/7/lib/libc/gen/Symbol.map stable/7/lib/libc/include/libc_private.h stable/7/lib/libc/net/nsdispatch.c stable/7/libexec/ftpd/ftpd.c stable/7/libexec/ftpd/popen.c stable/8/contrib/telnet/libtelnet/encrypt.c stable/8/crypto/heimdal/appl/telnet/libtelnet/encrypt.c stable/8/include/unistd.h stable/8/lib/libc/Versions.def stable/8/lib/libc/gen/Makefile.inc stable/8/lib/libc/gen/Symbol.map stable/8/lib/libc/include/libc_private.h stable/8/lib/libc/net/nsdispatch.c stable/8/libexec/ftpd/ftpd.c stable/8/libexec/ftpd/popen.c stable/9/contrib/telnet/libtelnet/encrypt.c stable/9/crypto/heimdal/appl/telnet/libtelnet/encrypt.c stable/9/include/unistd.h stable/9/lib/libc/Versions.def stable/9/lib/libc/gen/Makefile.inc stable/9/lib/libc/gen/Symbol.map stable/9/lib/libc/iconv/citrus_module.c stable/9/lib/libc/include/libc_private.h stable/9/lib/libc/net/nsdispatch.c stable/9/libexec/ftpd/ftpd.c stable/9/libexec/ftpd/popen.c Modified: releng/7.3/UPDATING ============================================================================== --- releng/7.3/UPDATING Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/UPDATING Fri Dec 23 15:00:37 2011 (r228843) @@ -8,6 +8,22 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20111223: p9 FreeBSD-SA-11:06.bind, FreeBSD-SA-11:07.chroot + FreeBSD-SA-11:08.telnetd, FreeBSD-SA-11:09.pam_ssh + FreeBSD-SA-11:10.pam + Fix a problem whereby a corrupt DNS record can cause named to crash. + [11:06] + + Add an API for alerting internal libc routines to the presence of + "unsafe" paths post-chroot, and use it in ftpd. [11:07] + + Fix a buffer overflow in telnetd. [11:08] + + Make pam_ssh ignore unpassphrased keys unless the "nullok" option is + specified. [11:09] + + Add sanity checking of service names in pam_start. [11:10] + 20111004: p8 FreeBSD-SA-11:05.unix (revised) Fix a bug in UNIX socket handling in the linux emulator which was exposed by the security fix in FreeBSD-SA-11:05.unix. Modified: releng/7.3/contrib/bind9/bin/named/query.c ============================================================================== --- releng/7.3/contrib/bind9/bin/named/query.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/contrib/bind9/bin/named/query.c Fri Dec 23 15:00:37 2011 (r228843) @@ -1250,11 +1250,9 @@ query_addadditional(void *arg, dns_name_ goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1295,8 +1293,9 @@ query_addadditional(void *arg, dns_name_ goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1744,10 +1743,8 @@ query_addadditional2(void *arg, dns_name goto setcache; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(! dns_rdataset_isassociated(sigrdataset)); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { /* Remember the result as a cache */ Modified: releng/7.3/contrib/bind9/lib/dns/rbtdb.c ============================================================================== --- releng/7.3/contrib/bind9/lib/dns/rbtdb.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/contrib/bind9/lib/dns/rbtdb.c Fri Dec 23 15:00:37 2011 (r228843) @@ -244,6 +244,7 @@ typedef struct rdatasetheader { #define RDATASET_ATTR_IGNORE 0x0004 #define RDATASET_ATTR_RETAIN 0x0008 #define RDATASET_ATTR_NXDOMAIN 0x0010 +#define RDATASET_ATTR_NEGATIVE 0x0100 typedef struct acache_cbarg { dns_rdatasetadditional_t type; @@ -278,6 +279,8 @@ struct acachectl { (((header)->attributes & RDATASET_ATTR_RETAIN) != 0) #define NXDOMAIN(header) \ (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0) +#define NEGATIVE(header) \ + (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0) #define DEFAULT_NODE_LOCK_COUNT 7 /*%< Should be prime. */ #define DEFAULT_CACHE_NODE_LOCK_COUNT 1009 /*%< Should be prime. */ @@ -3656,7 +3659,7 @@ cache_find(dns_db_t *db, dns_name_t *nam result == DNS_R_NCACHENXRRSET) { bind_rdataset(search.rbtdb, node, found, search.now, rdataset); - if (foundsig != NULL) + if (!NEGATIVE(found) && foundsig != NULL) bind_rdataset(search.rbtdb, node, foundsig, search.now, sigrdataset); } @@ -4242,7 +4245,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn } if (found != NULL) { bind_rdataset(rbtdb, rbtnode, found, now, rdataset); - if (foundsig != NULL) + if (!NEGATIVE(found) && foundsig != NULL) bind_rdataset(rbtdb, rbtnode, foundsig, now, sigrdataset); } Modified: releng/7.3/contrib/openpam/lib/openpam_configure.c ============================================================================== --- releng/7.3/contrib/openpam/lib/openpam_configure.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/contrib/openpam/lib/openpam_configure.c Fri Dec 23 15:00:37 2011 (r228843) @@ -285,6 +285,13 @@ openpam_load_chain(pam_handle_t *pamh, size_t len; int r; + /* don't allow to escape from policy_path */ + if (strchr(service, '/')) { + openpam_log(PAM_LOG_ERROR, "invalid service name: %s", + service); + return (-PAM_SYSTEM_ERR); + } + for (path = openpam_policy_path; *path != NULL; ++path) { len = strlen(*path); if ((*path)[len - 1] == '/') { Modified: releng/7.3/contrib/telnet/libtelnet/encrypt.c ============================================================================== --- releng/7.3/contrib/telnet/libtelnet/encrypt.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/contrib/telnet/libtelnet/encrypt.c Fri Dec 23 15:00:37 2011 (r228843) @@ -721,6 +721,9 @@ encrypt_keyid(struct key_info *kp, unsig int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; Modified: releng/7.3/crypto/heimdal/appl/telnet/libtelnet/encrypt.c ============================================================================== --- releng/7.3/crypto/heimdal/appl/telnet/libtelnet/encrypt.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/crypto/heimdal/appl/telnet/libtelnet/encrypt.c Fri Dec 23 15:00:37 2011 (r228843) @@ -736,6 +736,9 @@ encrypt_keyid(struct key_info *kp, unsig int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; Modified: releng/7.3/include/unistd.h ============================================================================== --- releng/7.3/include/unistd.h Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/include/unistd.h Fri Dec 23 15:00:37 2011 (r228843) @@ -494,6 +494,7 @@ int initgroups(const char *, gid_t); int iruserok(unsigned long, int, const char *, const char *); int iruserok_sa(const void *, int, int, const char *, const char *); int issetugid(void); +void __FreeBSD_libc_enter_restricted_mode(void); char *mkdtemp(char *); #ifndef _MKNOD_DECLARED int mknod(const char *, mode_t, dev_t); Modified: releng/7.3/lib/libc/Versions.def ============================================================================== --- releng/7.3/lib/libc/Versions.def Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/lib/libc/Versions.def Fri Dec 23 15:00:37 2011 (r228843) @@ -20,9 +20,13 @@ FBSD_1.1 { FBSD_1.2 { } FBSD_1.1; +# This version was first added to 10.0-current. +FBSD_1.3 { +} FBSD_1.2; + # This is our private namespace. Any global interfaces that are # strictly for use only by other FreeBSD applications and libraries # are listed here. We use a separate namespace so we can write # simple ABI-checking tools. FBSDprivate_1.0 { -} FBSD_1.2; +} FBSD_1.3; Modified: releng/7.3/lib/libc/gen/Makefile.inc ============================================================================== --- releng/7.3/lib/libc/gen/Makefile.inc Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/lib/libc/gen/Makefile.inc Fri Dec 23 15:00:37 2011 (r228843) @@ -20,6 +20,7 @@ SRCS+= __getosreldate.c __xuname.c \ getpeereid.c getprogname.c getpwent.c getttyent.c \ getusershell.c getvfsbyname.c glob.c \ initgroups.c isatty.c isinf.c isnan.c jrand48.c lcong48.c \ + libc_dlopen.c \ lockf.c lrand48.c mrand48.c nftw.c nice.c \ nlist.c nrand48.c opendir.c \ pause.c pmadvise.c popen.c posixshm.c pselect.c \ Modified: releng/7.3/lib/libc/gen/Symbol.map ============================================================================== --- releng/7.3/lib/libc/gen/Symbol.map Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/lib/libc/gen/Symbol.map Fri Dec 23 15:00:37 2011 (r228843) @@ -345,6 +345,10 @@ FBSD_1.2 { getpagesizes; }; +FBSD_1.3 { + __FreeBSD_libc_enter_restricted_mode; +}; + FBSDprivate_1.0 { /* needed by thread libraries */ __thr_jtable; Added: releng/7.3/lib/libc/gen/libc_dlopen.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/7.3/lib/libc/gen/libc_dlopen.c Fri Dec 23 15:00:37 2011 (r228843) @@ -0,0 +1,61 @@ +/*- + * Copyright (c) 2011 Xin Li + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include + +#include "libc_private.h" + +/* + * Whether we want to restrict dlopen()s. + */ +static int __libc_restricted_mode = 0; + +void * +libc_dlopen(const char *path, int mode) +{ + + if (__libc_restricted_mode) { + _rtld_error("Service unavailable -- libc in restricted mode"); + return (NULL); + } else + return (dlopen(path, mode)); +} + +void +__FreeBSD_libc_enter_restricted_mode(void) +{ + + __libc_restricted_mode = 1; + return; +} + Modified: releng/7.3/lib/libc/include/libc_private.h ============================================================================== --- releng/7.3/lib/libc/include/libc_private.h Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/lib/libc/include/libc_private.h Fri Dec 23 15:00:37 2011 (r228843) @@ -44,6 +44,17 @@ extern int __isthreaded; /* + * libc should use libc_dlopen internally, which respects a global + * flag where loading of new shared objects can be restricted. + */ +void *libc_dlopen(const char *, int); + +/* + * For dynamic linker. + */ +void _rtld_error(const char *fmt, ...); + +/* * File lock contention is difficult to diagnose without knowing * where locks were set. Allow a debug library to be built which * records the source file and line number of each lock call. Modified: releng/7.3/lib/libc/net/nsdispatch.c ============================================================================== --- releng/7.3/lib/libc/net/nsdispatch.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/lib/libc/net/nsdispatch.c Fri Dec 23 15:00:37 2011 (r228843) @@ -369,7 +369,7 @@ nss_configure(void) confmod = statbuf.st_mtime; #ifdef NS_CACHING - handle = dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL); + handle = libc_dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL); if (handle != NULL) { nss_cache_cycle_prevention_func = dlsym(handle, "_nss_cache_cycle_prevention_function"); @@ -482,7 +482,7 @@ nss_load_module(const char *source, nss_ if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name, NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf)) goto fin; - mod.handle = dlopen(buf, RTLD_LOCAL|RTLD_LAZY); + mod.handle = libc_dlopen(buf, RTLD_LOCAL|RTLD_LAZY); if (mod.handle == NULL) { #ifdef _NSS_DEBUG /* This gets pretty annoying since the built-in Modified: releng/7.3/lib/libpam/modules/pam_ssh/pam_ssh.c ============================================================================== --- releng/7.3/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 23 15:00:37 2011 (r228843) @@ -88,7 +88,8 @@ static char *const pam_ssh_agent_envp[] * struct pam_ssh_key containing the key and its comment. */ static struct pam_ssh_key * -pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) +pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, + int nullok) { struct pam_ssh_key *psk; char fn[PATH_MAX]; @@ -98,7 +99,21 @@ pam_ssh_load_key(const char *dir, const if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) return (NULL); comment = NULL; - key = key_load_private(fn, passphrase, &comment); + /* + * If the key is unencrypted, OpenSSL ignores the passphrase, so + * it will seem like the user typed in the right one. This allows + * a user to circumvent nullok by providing a dummy passphrase. + * Verify that the key really *is* encrypted by trying to load it + * with an empty passphrase, and if the key is not encrypted, + * accept only an empty passphrase. + */ + key = key_load_private(fn, NULL, &comment); + if (key != NULL && !(*passphrase == '\0' && nullok)) { + key_free(key); + return (NULL); + } + if (key == NULL) + key = key_load_private(fn, passphrase, &comment); if (key == NULL) { openpam_log(PAM_LOG_DEBUG, "failed to load key from %s\n", fn); return (NULL); @@ -165,9 +180,6 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pam_err != PAM_SUCCESS) return (pam_err); - if (*passphrase == '\0' && !nullok) - goto skip_keys; - /* switch to user credentials */ pam_err = openpam_borrow_cred(pamh, pwd); if (pam_err != PAM_SUCCESS) @@ -175,7 +187,7 @@ pam_sm_authenticate(pam_handle_t *pamh, /* try to load keys from all keyfiles we know of */ for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); + psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok); if (psk != NULL) { pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); ++nkeys; @@ -185,7 +197,6 @@ pam_sm_authenticate(pam_handle_t *pamh, /* switch back to arbitrator credentials */ openpam_restore_cred(pamh); - skip_keys: /* * If we tried an old token and didn't get anything, and * try_first_pass was specified, try again after prompting the Modified: releng/7.3/libexec/ftpd/ftpd.c ============================================================================== --- releng/7.3/libexec/ftpd/ftpd.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/libexec/ftpd/ftpd.c Fri Dec 23 15:00:37 2011 (r228843) @@ -1546,6 +1546,7 @@ skip: reply(550, "Can't change root."); goto bad; } + __FreeBSD_libc_enter_restricted_mode(); } else /* real user w/o chroot */ homedir = pw->pw_dir; /* Modified: releng/7.3/libexec/ftpd/popen.c ============================================================================== --- releng/7.3/libexec/ftpd/popen.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/libexec/ftpd/popen.c Fri Dec 23 15:00:37 2011 (r228843) @@ -142,6 +142,9 @@ ftpd_popen(char *program, char *type) } (void)close(pdes[1]); } + /* Drop privileges before proceeding */ + if (getuid() != geteuid() && setuid(geteuid()) < 0) + _exit(1); if (strcmp(gargv[0], _PATH_LS) == 0) { /* Reset getopt for ls_main() */ optreset = optind = optopt = 1; Modified: releng/7.3/sys/conf/newvers.sh ============================================================================== --- releng/7.3/sys/conf/newvers.sh Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.3/sys/conf/newvers.sh Fri Dec 23 15:00:37 2011 (r228843) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.3" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.4/UPDATING ============================================================================== --- releng/7.4/UPDATING Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/UPDATING Fri Dec 23 15:00:37 2011 (r228843) @@ -8,6 +8,22 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20111223: p5 FreeBSD-SA-11:06.bind, FreeBSD-SA-11:07.chroot + FreeBSD-SA-11:08.telnetd, FreeBSD-SA-11:09.pam_ssh + FreeBSD-SA-11:10.pam + Fix a problem whereby a corrupt DNS record can cause named to crash. + [11:06] + + Add an API for alerting internal libc routines to the presence of + "unsafe" paths post-chroot, and use it in ftpd. [11:07] + + Fix a buffer overflow in telnetd. [11:08] + + Make pam_ssh ignore unpassphrased keys unless the "nullok" option is + specified. [11:09] + + Add sanity checking of service names in pam_start. [11:10] + 20111004: p4 FreeBSD-SA-11:05.unix (revised) Fix a bug in UNIX socket handling in the linux emulator which was exposed by the security fix in FreeBSD-SA-11:05.unix. Modified: releng/7.4/contrib/bind9/bin/named/query.c ============================================================================== --- releng/7.4/contrib/bind9/bin/named/query.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/contrib/bind9/bin/named/query.c Fri Dec 23 15:00:37 2011 (r228843) @@ -1251,11 +1251,9 @@ query_addadditional(void *arg, dns_name_ goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1296,8 +1294,9 @@ query_addadditional(void *arg, dns_name_ goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1746,10 +1745,8 @@ query_addadditional2(void *arg, dns_name goto setcache; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(! dns_rdataset_isassociated(sigrdataset)); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { /* Remember the result as a cache */ Modified: releng/7.4/contrib/bind9/lib/dns/rbtdb.c ============================================================================== --- releng/7.4/contrib/bind9/lib/dns/rbtdb.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/contrib/bind9/lib/dns/rbtdb.c Fri Dec 23 15:00:37 2011 (r228843) @@ -244,6 +244,7 @@ typedef struct rdatasetheader { #define RDATASET_ATTR_IGNORE 0x0004 #define RDATASET_ATTR_RETAIN 0x0008 #define RDATASET_ATTR_NXDOMAIN 0x0010 +#define RDATASET_ATTR_NEGATIVE 0x0100 typedef struct acache_cbarg { dns_rdatasetadditional_t type; @@ -278,6 +279,8 @@ struct acachectl { (((header)->attributes & RDATASET_ATTR_RETAIN) != 0) #define NXDOMAIN(header) \ (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0) +#define NEGATIVE(header) \ + (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0) #define DEFAULT_NODE_LOCK_COUNT 7 /*%< Should be prime. */ #define DEFAULT_CACHE_NODE_LOCK_COUNT 1009 /*%< Should be prime. */ @@ -3662,7 +3665,7 @@ cache_find(dns_db_t *db, dns_name_t *nam result == DNS_R_NCACHENXRRSET) { bind_rdataset(search.rbtdb, node, found, search.now, rdataset); - if (foundsig != NULL) + if (!NEGATIVE(found) && foundsig != NULL) bind_rdataset(search.rbtdb, node, foundsig, search.now, sigrdataset); } @@ -4248,7 +4251,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn } if (found != NULL) { bind_rdataset(rbtdb, rbtnode, found, now, rdataset); - if (foundsig != NULL) + if (!NEGATIVE(found) && foundsig != NULL) bind_rdataset(rbtdb, rbtnode, foundsig, now, sigrdataset); } Modified: releng/7.4/contrib/openpam/lib/openpam_configure.c ============================================================================== --- releng/7.4/contrib/openpam/lib/openpam_configure.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/contrib/openpam/lib/openpam_configure.c Fri Dec 23 15:00:37 2011 (r228843) @@ -285,6 +285,13 @@ openpam_load_chain(pam_handle_t *pamh, size_t len; int r; + /* don't allow to escape from policy_path */ + if (strchr(service, '/')) { + openpam_log(PAM_LOG_ERROR, "invalid service name: %s", + service); + return (-PAM_SYSTEM_ERR); + } + for (path = openpam_policy_path; *path != NULL; ++path) { len = strlen(*path); if ((*path)[len - 1] == '/') { Modified: releng/7.4/contrib/telnet/libtelnet/encrypt.c ============================================================================== --- releng/7.4/contrib/telnet/libtelnet/encrypt.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/contrib/telnet/libtelnet/encrypt.c Fri Dec 23 15:00:37 2011 (r228843) @@ -721,6 +721,9 @@ encrypt_keyid(struct key_info *kp, unsig int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; Modified: releng/7.4/crypto/heimdal/appl/telnet/libtelnet/encrypt.c ============================================================================== --- releng/7.4/crypto/heimdal/appl/telnet/libtelnet/encrypt.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/crypto/heimdal/appl/telnet/libtelnet/encrypt.c Fri Dec 23 15:00:37 2011 (r228843) @@ -736,6 +736,9 @@ encrypt_keyid(struct key_info *kp, unsig int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; Modified: releng/7.4/include/unistd.h ============================================================================== --- releng/7.4/include/unistd.h Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/include/unistd.h Fri Dec 23 15:00:37 2011 (r228843) @@ -494,6 +494,7 @@ int initgroups(const char *, gid_t); int iruserok(unsigned long, int, const char *, const char *); int iruserok_sa(const void *, int, int, const char *, const char *); int issetugid(void); +void __FreeBSD_libc_enter_restricted_mode(void); char *mkdtemp(char *); #ifndef _MKNOD_DECLARED int mknod(const char *, mode_t, dev_t); Modified: releng/7.4/lib/libc/Versions.def ============================================================================== --- releng/7.4/lib/libc/Versions.def Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/lib/libc/Versions.def Fri Dec 23 15:00:37 2011 (r228843) @@ -20,9 +20,13 @@ FBSD_1.1 { FBSD_1.2 { } FBSD_1.1; +# This version was first added to 10.0-current. +FBSD_1.3 { +} FBSD_1.2; + # This is our private namespace. Any global interfaces that are # strictly for use only by other FreeBSD applications and libraries # are listed here. We use a separate namespace so we can write # simple ABI-checking tools. FBSDprivate_1.0 { -} FBSD_1.2; +} FBSD_1.3; Modified: releng/7.4/lib/libc/gen/Makefile.inc ============================================================================== --- releng/7.4/lib/libc/gen/Makefile.inc Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/lib/libc/gen/Makefile.inc Fri Dec 23 15:00:37 2011 (r228843) @@ -20,6 +20,7 @@ SRCS+= __getosreldate.c __xuname.c \ getpeereid.c getprogname.c getpwent.c getttyent.c \ getusershell.c getvfsbyname.c glob.c \ initgroups.c isatty.c isinf.c isnan.c jrand48.c lcong48.c \ + libc_dlopen.c \ lockf.c lrand48.c mrand48.c nftw.c nice.c \ nlist.c nrand48.c opendir.c \ pause.c pmadvise.c popen.c posixshm.c pselect.c \ Modified: releng/7.4/lib/libc/gen/Symbol.map ============================================================================== --- releng/7.4/lib/libc/gen/Symbol.map Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/lib/libc/gen/Symbol.map Fri Dec 23 15:00:37 2011 (r228843) @@ -345,6 +345,10 @@ FBSD_1.2 { getpagesizes; }; +FBSD_1.3 { + __FreeBSD_libc_enter_restricted_mode; +}; + FBSDprivate_1.0 { /* needed by thread libraries */ __thr_jtable; Added: releng/7.4/lib/libc/gen/libc_dlopen.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/7.4/lib/libc/gen/libc_dlopen.c Fri Dec 23 15:00:37 2011 (r228843) @@ -0,0 +1,61 @@ +/*- + * Copyright (c) 2011 Xin Li + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +__FBSDID("$FreeBSD$"); + +#include +#include +#include + +#include "libc_private.h" + +/* + * Whether we want to restrict dlopen()s. + */ +static int __libc_restricted_mode = 0; + +void * +libc_dlopen(const char *path, int mode) +{ + + if (__libc_restricted_mode) { + _rtld_error("Service unavailable -- libc in restricted mode"); + return (NULL); + } else + return (dlopen(path, mode)); +} + +void +__FreeBSD_libc_enter_restricted_mode(void) +{ + + __libc_restricted_mode = 1; + return; +} + Modified: releng/7.4/lib/libc/include/libc_private.h ============================================================================== --- releng/7.4/lib/libc/include/libc_private.h Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/lib/libc/include/libc_private.h Fri Dec 23 15:00:37 2011 (r228843) @@ -44,6 +44,17 @@ extern int __isthreaded; /* + * libc should use libc_dlopen internally, which respects a global + * flag where loading of new shared objects can be restricted. + */ +void *libc_dlopen(const char *, int); + +/* + * For dynamic linker. + */ +void _rtld_error(const char *fmt, ...); + +/* * File lock contention is difficult to diagnose without knowing * where locks were set. Allow a debug library to be built which * records the source file and line number of each lock call. Modified: releng/7.4/lib/libc/net/nsdispatch.c ============================================================================== --- releng/7.4/lib/libc/net/nsdispatch.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/lib/libc/net/nsdispatch.c Fri Dec 23 15:00:37 2011 (r228843) @@ -369,7 +369,7 @@ nss_configure(void) confmod = statbuf.st_mtime; #ifdef NS_CACHING - handle = dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL); + handle = libc_dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL); if (handle != NULL) { nss_cache_cycle_prevention_func = dlsym(handle, "_nss_cache_cycle_prevention_function"); @@ -482,7 +482,7 @@ nss_load_module(const char *source, nss_ if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name, NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf)) goto fin; - mod.handle = dlopen(buf, RTLD_LOCAL|RTLD_LAZY); + mod.handle = libc_dlopen(buf, RTLD_LOCAL|RTLD_LAZY); if (mod.handle == NULL) { #ifdef _NSS_DEBUG /* This gets pretty annoying since the built-in Modified: releng/7.4/lib/libpam/modules/pam_ssh/pam_ssh.c ============================================================================== --- releng/7.4/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/lib/libpam/modules/pam_ssh/pam_ssh.c Fri Dec 23 15:00:37 2011 (r228843) @@ -88,7 +88,8 @@ static char *const pam_ssh_agent_envp[] * struct pam_ssh_key containing the key and its comment. */ static struct pam_ssh_key * -pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) +pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, + int nullok) { struct pam_ssh_key *psk; char fn[PATH_MAX]; @@ -98,7 +99,21 @@ pam_ssh_load_key(const char *dir, const if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) return (NULL); comment = NULL; - key = key_load_private(fn, passphrase, &comment); + /* + * If the key is unencrypted, OpenSSL ignores the passphrase, so + * it will seem like the user typed in the right one. This allows + * a user to circumvent nullok by providing a dummy passphrase. + * Verify that the key really *is* encrypted by trying to load it + * with an empty passphrase, and if the key is not encrypted, + * accept only an empty passphrase. + */ + key = key_load_private(fn, NULL, &comment); + if (key != NULL && !(*passphrase == '\0' && nullok)) { + key_free(key); + return (NULL); + } + if (key == NULL) + key = key_load_private(fn, passphrase, &comment); if (key == NULL) { openpam_log(PAM_LOG_DEBUG, "failed to load key from %s\n", fn); return (NULL); @@ -165,9 +180,6 @@ pam_sm_authenticate(pam_handle_t *pamh, if (pam_err != PAM_SUCCESS) return (pam_err); - if (*passphrase == '\0' && !nullok) - goto skip_keys; - /* switch to user credentials */ pam_err = openpam_borrow_cred(pamh, pwd); if (pam_err != PAM_SUCCESS) @@ -175,7 +187,7 @@ pam_sm_authenticate(pam_handle_t *pamh, /* try to load keys from all keyfiles we know of */ for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); + psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok); if (psk != NULL) { pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); ++nkeys; @@ -185,7 +197,6 @@ pam_sm_authenticate(pam_handle_t *pamh, /* switch back to arbitrator credentials */ openpam_restore_cred(pamh); - skip_keys: /* * If we tried an old token and didn't get anything, and * try_first_pass was specified, try again after prompting the Modified: releng/7.4/libexec/ftpd/ftpd.c ============================================================================== --- releng/7.4/libexec/ftpd/ftpd.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/libexec/ftpd/ftpd.c Fri Dec 23 15:00:37 2011 (r228843) @@ -1546,6 +1546,7 @@ skip: reply(550, "Can't change root."); goto bad; } + __FreeBSD_libc_enter_restricted_mode(); } else /* real user w/o chroot */ homedir = pw->pw_dir; /* Modified: releng/7.4/libexec/ftpd/popen.c ============================================================================== --- releng/7.4/libexec/ftpd/popen.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/libexec/ftpd/popen.c Fri Dec 23 15:00:37 2011 (r228843) @@ -143,6 +143,9 @@ ftpd_popen(char *program, char *type) } (void)close(pdes[1]); } + /* Drop privileges before proceeding */ + if (getuid() != geteuid() && setuid(geteuid()) < 0) + _exit(1); if (strcmp(gargv[0], _PATH_LS) == 0) { /* Reset getopt for ls_main() */ optreset = optind = optopt = 1; Modified: releng/7.4/sys/conf/newvers.sh ============================================================================== --- releng/7.4/sys/conf/newvers.sh Fri Dec 23 14:39:30 2011 (r228842) +++ releng/7.4/sys/conf/newvers.sh Fri Dec 23 15:00:37 2011 (r228843) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.4" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.1/UPDATING ============================================================================== --- releng/8.1/UPDATING Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/UPDATING Fri Dec 23 15:00:37 2011 (r228843) @@ -15,6 +15,22 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20111223: p7 FreeBSD-SA-11:06.bind, FreeBSD-SA-11:07.chroot + FreeBSD-SA-11:08.telnetd, FreeBSD-SA-11:09.pam_ssh + FreeBSD-SA-11:10.pam + Fix a problem whereby a corrupt DNS record can cause named to crash. + [11:06] + + Add an API for alerting internal libc routines to the presence of + "unsafe" paths post-chroot, and use it in ftpd. [11:07] + + Fix a buffer overflow in telnetd. [11:08] + + Make pam_ssh ignore unpassphrased keys unless the "nullok" option is + specified. [11:09] + + Add sanity checking of service names in pam_start. [11:10] + 20111004: p6 FreeBSD-SA-11:05.unix (revised) Fix a bug in UNIX socket handling in the linux emulator which was exposed by the security fix in FreeBSD-SA-11:05.unix. Modified: releng/8.1/contrib/bind9/bin/named/query.c ============================================================================== --- releng/8.1/contrib/bind9/bin/named/query.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/contrib/bind9/bin/named/query.c Fri Dec 23 15:00:37 2011 (r228843) @@ -1282,11 +1282,9 @@ query_addadditional(void *arg, dns_name_ goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1327,8 +1325,9 @@ query_addadditional(void *arg, dns_name_ goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1777,10 +1776,8 @@ query_addadditional2(void *arg, dns_name goto setcache; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(! dns_rdataset_isassociated(sigrdataset)); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { /* Remember the result as a cache */ Modified: releng/8.1/contrib/bind9/lib/dns/rbtdb.c ============================================================================== --- releng/8.1/contrib/bind9/lib/dns/rbtdb.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/contrib/bind9/lib/dns/rbtdb.c Fri Dec 23 15:00:37 2011 (r228843) @@ -278,6 +278,7 @@ typedef ISC_LIST(dns_rbtnode_t) #define RDATASET_ATTR_RESIGN 0x0020 #define RDATASET_ATTR_STATCOUNT 0x0040 #define RDATASET_ATTR_OPTOUT 0x0080 +#define RDATASET_ATTR_NEGATIVE 0x0100 typedef struct acache_cbarg { dns_rdatasetadditional_t type; @@ -316,6 +317,8 @@ struct acachectl { (((header)->attributes & RDATASET_ATTR_RESIGN) != 0) #define OPTOUT(header) \ (((header)->attributes & RDATASET_ATTR_OPTOUT) != 0) +#define NEGATIVE(header) \ + (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0) #define DEFAULT_NODE_LOCK_COUNT 7 /*%< Should be prime. */ @@ -4618,7 +4621,7 @@ cache_find(dns_db_t *db, dns_name_t *nam rdataset); if (need_headerupdate(found, search.now)) update = found; - if (foundsig != NULL) { + if (!NEGATIVE(found) && foundsig != NULL) { bind_rdataset(search.rbtdb, node, foundsig, search.now, sigrdataset); if (need_headerupdate(foundsig, search.now)) @@ -5245,7 +5248,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn } if (found != NULL) { bind_rdataset(rbtdb, rbtnode, found, now, rdataset); - if (foundsig != NULL) + if (!NEGATIVE(found) && foundsig != NULL) bind_rdataset(rbtdb, rbtnode, foundsig, now, sigrdataset); } Modified: releng/8.1/contrib/openpam/lib/openpam_configure.c ============================================================================== --- releng/8.1/contrib/openpam/lib/openpam_configure.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/contrib/openpam/lib/openpam_configure.c Fri Dec 23 15:00:37 2011 (r228843) @@ -285,6 +285,13 @@ openpam_load_chain(pam_handle_t *pamh, size_t len; int r; + /* don't allow to escape from policy_path */ + if (strchr(service, '/')) { + openpam_log(PAM_LOG_ERROR, "invalid service name: %s", + service); + return (-PAM_SYSTEM_ERR); + } + for (path = openpam_policy_path; *path != NULL; ++path) { len = strlen(*path); if ((*path)[len - 1] == '/') { Modified: releng/8.1/contrib/telnet/libtelnet/encrypt.c ============================================================================== --- releng/8.1/contrib/telnet/libtelnet/encrypt.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/contrib/telnet/libtelnet/encrypt.c Fri Dec 23 15:00:37 2011 (r228843) @@ -721,6 +721,9 @@ encrypt_keyid(struct key_info *kp, unsig int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; Modified: releng/8.1/crypto/heimdal/appl/telnet/libtelnet/encrypt.c ============================================================================== --- releng/8.1/crypto/heimdal/appl/telnet/libtelnet/encrypt.c Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/crypto/heimdal/appl/telnet/libtelnet/encrypt.c Fri Dec 23 15:00:37 2011 (r228843) @@ -736,6 +736,9 @@ encrypt_keyid(struct key_info *kp, unsig int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; Modified: releng/8.1/include/unistd.h ============================================================================== --- releng/8.1/include/unistd.h Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/include/unistd.h Fri Dec 23 15:00:37 2011 (r228843) @@ -513,6 +513,7 @@ int initgroups(const char *, gid_t); int iruserok(unsigned long, int, const char *, const char *); int iruserok_sa(const void *, int, int, const char *, const char *); int issetugid(void); +void __FreeBSD_libc_enter_restricted_mode(void); long lpathconf(const char *, int); #ifndef _MKDTEMP_DECLARED char *mkdtemp(char *); Modified: releng/8.1/lib/libc/Versions.def ============================================================================== --- releng/8.1/lib/libc/Versions.def Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/lib/libc/Versions.def Fri Dec 23 15:00:37 2011 (r228843) @@ -19,6 +19,10 @@ FBSD_1.1 { FBSD_1.2 { } FBSD_1.1; +# This version was first added to 10.0-current. +FBSD_1.3 { +} FBSD_1.2; + # This is our private namespace. Any global interfaces that are # strictly for use only by other FreeBSD applications and libraries # are listed here. We use a separate namespace so we can write @@ -26,4 +30,4 @@ FBSD_1.2 { # # Please do NOT increment the version of this namespace. FBSDprivate_1.0 { -} FBSD_1.2; +} FBSD_1.3; Modified: releng/8.1/lib/libc/gen/Makefile.inc ============================================================================== --- releng/8.1/lib/libc/gen/Makefile.inc Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/lib/libc/gen/Makefile.inc Fri Dec 23 15:00:37 2011 (r228843) @@ -20,6 +20,7 @@ SRCS+= __getosreldate.c __xuname.c \ getpeereid.c getprogname.c getpwent.c getttyent.c \ getusershell.c getvfsbyname.c glob.c \ initgroups.c isatty.c isinf.c isnan.c jrand48.c lcong48.c \ + libc_dlopen.c \ lockf.c lrand48.c mrand48.c nftw.c nice.c \ nlist.c nrand48.c opendir.c \ pause.c pmadvise.c popen.c posix_spawn.c \ Modified: releng/8.1/lib/libc/gen/Symbol.map ============================================================================== --- releng/8.1/lib/libc/gen/Symbol.map Fri Dec 23 14:39:30 2011 (r228842) +++ releng/8.1/lib/libc/gen/Symbol.map Fri Dec 23 15:00:37 2011 (r228843) @@ -369,6 +369,10 @@ FBSD_1.2 { getpagesizes; }; +FBSD_1.3 { + __FreeBSD_libc_enter_restricted_mode; +}; + FBSDprivate_1.0 { /* needed by thread libraries */ __thr_jtable; Added: releng/8.1/lib/libc/gen/libc_dlopen.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/8.1/lib/libc/gen/libc_dlopen.c Fri Dec 23 15:00:37 2011 (r228843) @@ -0,0 +1,61 @@ +/*- + * Copyright (c) 2011 Xin Li + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***