Date: Wed, 5 Nov 2014 00:28:46 +0000 (UTC)
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r45928 - in head/share: security/advisories security/patches/EN-14:12 security/patches/SA-14:24 security/patches/SA-14:25 security/patches/SA-14:26 xml
Message-ID: <201411050028.sA50SklS004641@svn.freebsd.org>
Author: des
Date: Wed Nov 5 00:28:45 2014
New Revision: 45928
URL: https://svnweb.freebsd.org/changeset/doc/45928

Log:
  Add EN-14:12, SA-14:24, SA-14:25 and SA-14:26.

Added:
  head/share/security/advisories/FreeBSD-EN-14:12.zfs.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:24.sshd.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:25.setlogin.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:26.ftp.asc (contents, props changed)
  head/share/security/patches/EN-14:12/zfs.patch (contents, props changed)
  head/share/security/patches/EN-14:12/zfs.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:24/sshd.patch (contents, props changed)
  head/share/security/patches/SA-14:24/sshd.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:25/setlogin-91.patch (contents, props changed)
  head/share/security/patches/SA-14:25/setlogin-91.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:25/setlogin.patch (contents, props changed)
  head/share/security/patches/SA-14:25/setlogin.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:26/ftp-8.patch (contents, props changed)
  head/share/security/patches/SA-14:26/ftp-8.patch.asc (contents, props changed)
  head/share/security/patches/SA-14:26/ftp.patch (contents, props changed)
  head/share/security/patches/SA-14:26/ftp.patch.asc (contents, props changed)
Directory Properties:
  head/share/security/patches/EN-14:12/ (props changed)
  head/share/security/patches/SA-14:24/ (props changed)
  head/share/security/patches/SA-14:25/ (props changed)
  head/share/security/patches/SA-14:26/ (props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-14:12.zfs.asc ==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-14:12.zfs.asc Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-14:12.zfs Errata Notice + The FreeBSD Project + +Topic: NFSv4 and ZFS cache consistency issue + +Category: contrib +Module: zfs +Announced: 2011-11-04 +Credits: Bart Hsiao, Marcelo Araujo, Kevin Buhr +Affects: All supported versions of FreeBSD. +Corrected: 2014-10-07 06:00:09 UTC (stable/10, 10.0-STABLE) + 2014-10-15 06:31:08 UTC (releng/10.1, 10.1-RC2) + 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) + 2014-10-07 06:00:32 UTC (stable/9, 9.3-STABLE) + 2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5) + 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) + 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) + 2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE) + 2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:http://security.freebsd.org/>. + +I. Background + +The Network File System (NFS) allows a host to export some or all of +its file systems that can be any kind of file systems such like UFS, ZFS +etcetera, so that other hosts can access them over the network and mount +them as if they were on local disks. + +II. Problem Description + +In a configuration where two or more clients mount a ZFS file system over +NFSv4 from a FreeBSD server, if client1 caches a directory listing and a +file in the directory is renamed on client2, then client1 can end up in +a state where the cached but incorrect directory contents persists indefinitely +and is never updated. + +III. Impact + +When client2 renames a file or directory, client1 does not receive the +changed attributes and never does a READDIR to get the updated contents. 
+This could result in a client that has incorrect information about the +actual content of the mounted file system. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your present system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/EN-14:12/zfs.patch +# fetch http://security.FreeBSD.org/patches/EN-14:12/zfs.patch.asc +# gpg --verify zfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/zfs.patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r274108 +releng/8.4/ r274111 +stable/9/ r272677 +releng/9.1/ r274112 +releng/9.2/ r274113 +releng/9.3/ r274114 +stable/10/ r272676 +releng/10.0/ r274110 +releng/10.1/ r273122 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +The latest revision of this Errata Notice is available at +http://security.FreeBSD.org/advisories/FreeBSD-EN-14:12.zfs.asc +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJUWWUOAAoJEO1n7NZdz2rn9KsQAIw7xhRYGUQ+SwIl6E8Tzodd +bx/VkTLOgcDrGSNqREzkgNeTtWXOXRwibZpBVXl8sglf+WPtZsnGcCALze9CiS14 +boesjajpl7znqJ8zDpIU3qMdFsEOB5Ky3KDTQgCMEygAJrOxASGv6TCOT/3e1hRr +Ez0+32dnqooxNRJjHA0t+t+gBszFFLV1PbstpaCOOAsZpmNMtJGbhsydF/aKcK17 +dcNaOKjMPB4SDGMx+dcZqS8bToEXfe0lwOGiEDAavVCyMx5zyie2bGfUWEI2bpu5 +1VcOtnMxpKlgJdEOIbFI0RXdj4CujLbfwNBnDGLELcCZsPtoWJQZHDmDXK5pkEof +6aOHqqmZrFsI9V81ymVbQYYSHF67ZeRZB3CotC8trQn+tnxK1l0s6KF0FzSHQigU +y1Q1vErOKuzPEcrD7sp7xTS3VAQ1a7/uGY6KcTSrJu7xwrJe8KRNvufokgnzU3D4 +X/O/L7TxvjTmTu1T2882mMIrtpALf/tjGwW32ksUnXo6RiwByvaalO9ObEBPYzGQ +C9xG3ggfqhyHDlw21VhCjZF5hQ7xUnBKHjT60LbGMB5llaN1DUN6HRT9rCbeN4gP +5eJalL2x1NLT1XVCBYlq1IhE6vTcnTdVVcGRBJQbPnfqivrDzBfIFzhy/4tc1J7K +IkJAwk+aThuF3j3xnt+z +=lQAP +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:24.sshd.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:24.sshd.asc Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,160 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:24.sshd Security Advisory + The FreeBSD Project + +Topic: Denial of service attack against sshd(8) + +Category: contrib +Module: openssh +Announced: 2014-11-04 +Credits: +Affects: FreeBSD 9.1, 9.2 and 10.0. +Corrected: 2014-05-04 07:28:26 UTC (stable/10, 10.0-STABLE) + 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) + 2014-05-04 07:57:20 UTC (stable/9, 9.2-STABLE) + 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) + 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) +CVE Name: CVE-2014-8475 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +OpenSSH is an implementation of the SSH protocol suite, providing an +encrypted and authenticated transport for a variety of services, +including remote shell access. The sshd(8) daemon is the server side +of OpenSSH. + +Heimdal is an implementation of Kerberos 5, which provides +authentication and single sign-on capability for many network +services, including OpenSSH. + +II. Problem Description + +Although OpenSSH is not multithreaded, when OpenSSH is compiled with +Kerberos support, the Heimdal libraries bring in the POSIX thread +library as a dependency. Due to incorrect library ordering while +linking sshd(8), symbols in the C library which are shadowed by the +POSIX thread library may not be resolved correctly at run time. + +Note that this problem is specific to the FreeBSD build system and +does not affect other operating systems or the version of OpenSSH +available from the FreeBSD ports tree. + +III. Impact + +An incorrectly linked sshd(8) child process may deadlock while +handling an incoming connection. 
The connection may then time out or +be interrupted by the client, leaving the deadlocked sshd(8) child +process behind. Eventually, the sshd(8) parent process stops +accepting new connections. + +An attacker may take advantage of this by repeatedly connecting and +then dropping the connection after having begun, but not completed, +the authentication process. + +IV. Workaround + +Possible workarounds include rebuilding sshd with Kerberos support +disabled or installing the security/openssh-portable package from the +FreeBSD ports tree or an official package repository. + +Systems that do not run an OpenSSH server are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch +# fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch.asc +# gpg --verify sshd.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/sshd.patch + +c) Recompile sshd. Execute the following commands as root: + +# cd /usr/src/secure/usr.sbin/sshd +# make && make install + +4) Restart the affected service + +To restart the affected service after updating the system, either +reboot the system or execute the following command as root: + +# service sshd restart + +VI. 
Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r265314 +releng/9.1/ r274112 +releng/9.2/ r274113 +stable/10/ r265313 +releng/10.0/ r274110 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<other info on vulnerability> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8475> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:24.sshd.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJUWWlZAAoJEO1n7NZdz2rn4UEP/0VdM6uSHWyQSOzO+kuDxRfT +wru9+yjCB4NJtFzvBLe8eeiUDiTqJaTfrAGbbr9l5qkRXvTaUzWyaHyraLN4nK51 +/ouxKzxxrqf0YDpYQPIUwCVmkoLn/+0T3U7sB78bx5WH4W1XoKKWIkChCyZpVvBI +vw6A5Ep4+U6mTGXE2D04WQISkKXYqzCuW0rJBnm0xDj9xUprgZJ7tTSx/ewAiA/L +FV37riqb8OII8lThV7g0s0F0JWDUf+AznG/S7amior0jMMSExdafifcvHEUZNs72 +4cYh66p/GxeImU2Tm3VDRlfoAv86kUFwIevwD4oj5wXa7aBMdUwPITyQJ0We68gj +3kMBpJaZAJ7DpwYuCu7/RF7K4Irt3mSJJipS3IvI2LteHCakZBIUlbrPJrcfMl4P +VJQU3v4HLH5XZskuR5UEJ755DT+7ZMd7tFl0iWFVsutwjf/bn2u0rtfdcpOerAub +0gYGzPcC9dzBM5OHZdo1wwmZu56jRpddmQ/nc94Wsmm7Nw2ibd9YZpU88LCqR7xa +jsW+F/+napKvsBXqAHTlmJ87oJUSruYS+K/dKbGvCDIjBTjsNu3HqMNS5g4vG+GR +MazlN8Vrg6zVx11ESzFiIJBAgLLNfRgXNFNSPY3NMuMYiS7q0QwGkQlWBb5bmiB8 +FlP/B/8bn/171n5RfarG +=mry5 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:25.setlogin.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:25.setlogin.asc Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,153 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:25.setlogin Security Advisory + The FreeBSD Project + +Topic: Kernel stack disclosure in setlogin(2) / getlogin(2) + +Category: core +Module: kernel +Announced: 2014-11-04 +Credits: Mateusz Guzik +Affects: All supported versions of FreeBSD. +Corrected: 2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE) + 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1) + 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1) + 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3) + 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) + 2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE) + 2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5) + 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) + 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) + 2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE) + 2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19) +CVE Name: CVE-2014-8476 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The setlogin(2) system call sets the login name of the user associated +with the current session. The getlogin(2) routine returns the login name +of the user associated with the current session, as previously set by +setlogin(2). + +II. Problem Description + +When setlogin(2) is called while setting up a new login session, the +login name is copied into an uninitialized stack buffer, which is then +copied into a buffer of the same size in the session structure. The +getlogin(2) system call returns the entire buffer rather than just the +portion occupied by the login name associated with the session. + +III. 
Impact + +An unprivileged user can access this memory by calling getlogin(2) and +reading beyond the terminating NUL character of the resulting string. +Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory +may be leaked in this manner for each invocation of setlogin(2). + +This memory may contain sensitive information, such as portions of the +file cache or terminal buffers, which an attacker might leverage to +obtain elevated privileges. + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 9.1] +# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch +# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch.asc +# gpg --verify setlogin-91.patch.asc + +[All other versions] +# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin.patch +# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin.patch.asc +# gpg --verify setlogin.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r274108 +releng/8.4/ r274111 +stable/9/ r274109 +releng/9.1/ r274112 +releng/9.2/ r274113 +releng/9.3/ r274114 +stable/10/ r274107 +releng/10.0/ r274110 +releng/10.1/ r274115 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8476> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:25.setlogin.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnI0IP/RlwFhOJgr9CHdKg5SYsruSQ +LG6z0ufgUETIkeXP1KGm6oYz0X8hpU2Q+MIE5urrPbGYL4Ouo/1oCiwGkBPh4xM/ +L2Z/qIBxmfG/NaRK8PnGSXzlCc02XGnqf9Y6CJN1sIkwrptop02y9sgaLsqLy7K6 +s/YvQ1fe5FT6TV9Nr9l6OwKkVAYa1Ba+JUnklVBWA2eZkLa6YOUlY25w9alqTMVQ +Z4oaLHCnGradKdaKKk0NOOYv0ZGHjkp/Lwd9ja8wyW0K+R1aef9Z5tWloVWQBeJ8 +gzxeA/JpfRtb0lYj2GIpny6znP/lzkEve42No6xDdmUr4Wp0b5hN2qGgwwgEFSIo +2kFVwMkRlK1JsD0U+VK8AxP4neJFECw3t0zWTUr3BMnxoOEG6O1nIU0T6Ru8/K0b +aIc/G8TiOxOaXHuiWJhR1p9cblGlz7HnFSAmM6vN0O4DBcX7xwr/ndDl/6npvkmt +biB+hXZK0Ega8X9LsZ5injDo0FZ4XNIyEOy4/QOeJW4kJQv0Oh14cYSU6cM/yfaU +tJ7M6WYnFS8G+0e03auM1XVeu2oxyR0ry1IC7xS4O9N4m+8nE7DlRU8okhQRXiFB +iCmzO1XmOTK0zygtS34bDaOuey3U0yFG4O5wMKrAkMeQ9jPogyt99ZzIk3L3UPqZ +xcWRhKahyz9umrzsssOL +=xiWR +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-14:26.ftp.asc ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-14:26.ftp.asc Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,151 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:26.ftp Security Advisory + The FreeBSD Project + +Topic: Remote command execution in ftp(1) + +Category: core +Module: ftp +Announced: 2014-11-04 +Credits: Jared McNeill, Alistair Crooks +Affects: All supported versions of FreeBSD. +Corrected: 2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE) + 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1) + 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1) + 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3) + 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) + 2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE) + 2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5) + 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) + 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) + 2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE) + 2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19) +CVE Name: CVE-2014-8517 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The ftp(1) userland utility is an interactive FTP client. It can also +be used non-interactively, by providing a URL on the command line. In +this mode, it supports HTTP in addition to FTP. + +II. Problem Description + +A malicious HTTP server could cause ftp(1) to execute arbitrary +commands. + +III. Impact + +When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, +and uses the part of the path after the last '/' from the last +resource it accesses as the output filename if '-o' is not specified. + +If the output file name provided by the server begins with a pipe +('|'), the output is passed to popen(3), which might be used to +execute arbitrary commands on the ftp(1) client machine. + +IV. 
Workaround + +No workaround is available. Users are encouraged to replace ftp(1) in +non-interactive use by either fetch(1) or a third-party client such as +curl or wget. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 8] +# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch +# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch.asc +# gpg --verify ftp-8.patch.asc + +[All other versions] +# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch +# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch.asc +# gpg --verify ftp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile ftp. Execute the following commands as root: + +# cd /usr/src/usr.bin/ftp +# make && make install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r274108 +releng/8.4/ r274111 +stable/9/ r274109 +releng/9.1/ r274112 +releng/9.2/ r274113 +releng/9.3/ r274114 +stable/10/ r274107 +releng/10.0/ r274110 +releng/10.1/ r274115 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8517> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:26.ftpd.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnhUwP+wQKrgKs6lRk6Yl4UtRyEwyG +BHGkA62oaQbehuccahjQgIcLTk3Vp3AalXtSQpdyWJktHiYrFwBnheW/IrhJ6bMS +dpJv3yqqQtSED9sADf+GAvxV6TG9bknq/RDxXKpsQ/MocYbiVxz/3nDOMz9CB7ep +saDttvGHW7RUmNoKL70pgItGapiVuBzMF01PCZ2SmFiJHYi7BoiJwm72Y1NLU8YE +TkiX2ZAoTVMN5/R3DW38HyVCyeY2tMTHSdQXRSYjwzJ0gEbBPWMPQyB1SAa8dtk5 +j54KFNOBoaXMjd3USqFgo0fduU3rGZp5PwITTx5Rx5Ixtz2vHddyOISV0RcjA0cq +TWDwBGlKET7qZ1j7nHTgy4U4wMTWFbkjjqEY+RHYywaAmy8ACDmEUci8d3fWKWVY +d4y8RCvBrlnFVjmNiNcBc5XFXxY0Ra3BQ8C/VE0k0ZFuzmFUCi+DJZDR2Gtl0R9Q +1hAdj+yOJo46ylHPiSyoBZmsRZccV1a81phOPe0mPR84BvzNvBsdI+EFIJWi+5bw +bjuSM8YCOHrlGkqh9h9+BizvLfJFpjUSglwzPmOfRpTv59XJpc6D1Hia+uICTEfd +lSiJgDZ6enozY7QVoiO7G/ycyQCVe7Ehwywx/dpWXVpva85tn4Xl2khBCiPNbBBo +xnPjqxmwGK+4uegsO6CY +=QT3h +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-14:12/zfs.patch ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:12/zfs.patch Wed Nov 5 00:28:45 2014 (r45928) @@ -0,0 +1,12 @@ +Index: sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c +=================================================================== +--- sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c.orig ++++ sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c +@@ -2827,6 +2827,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, int flags, + #endif + vap->va_seq = zp->z_seq; + vap->va_flags = 0; /* FreeBSD: Reset chflags(2) flags. */ ++ vap->va_filerev = zp->z_seq; + + /* + * Add in any requested optional attributes and the create time. Added: head/share/security/patches/EN-14:12/zfs.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-14:12/zfs.patch.asc Wed Nov 5 00:28:45 2014 (r45928) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJUWU5xAAoJEO1n7NZdz2rnvzEQAOhDEi1MDJ5kuXjUFdMJZKiR +xsslfTMBk3xUXiGldU3pFEYAe0xKvQKk2yHgjy1TYTo30UINqTcCkxVIgW06RMLm +61/3Jt0BCboMz4Jg4TNuBZCS/gRI/bZyHP1abXCtTx3PnZUqKvezYX4+dir+CWLW +km9fN4f9ieH8B7GjBTDv1d19jCK8/Vhjw3GtAlVmqor5wCmvmQLv6DLgfVp16Wrf +lmLS9X/fSwTykVlhCQckaDnPt22klv0vUvg3P7BocTYCv44Be50nGPRhme0W7LNw +r2jQPIzGmNsV3KhbilYvaEwm6iLqcgP6Hqrd7924MAM2fkr2qzSFAZYn12Ty3DSl +K47+7DOBfQ7E/REoRMkXLdppUhcvrf/ooS5o98kTx8EEitmo0+ogndaP3WkPK5iR +pyxyhTwRChlqM4DdYrrZ7TCu8XkxxShhoKtYH1IKn/ZIZw9UTMlOES6DqcNz9jIZ +4yaW9TgffZ7S6c4/lVU5PyIbaZao/fT8HtWd+JubFpEc+J/0QkXA0MJuOxm+WgWY +NUVOukFR4fKAIXfdnnN8bZqAfNidPQUaTwdmwy6Zsg2xJxe9L+IaViE8uCkJENic +2T0Y1isfxPMf1MYBsdwRv8KfGtpudc24eRZEXbgdATjClj/CyQHeCQuHTOJDz649 +mEI6MBnMqzSdhf9pR7DX +=S5Fz +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:24/sshd.patch ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:24/sshd.patch Wed Nov 5 00:28:45 2014 (r45928) @@ -0,0 +1,21 @@ +Index: secure/usr.sbin/sshd/Makefile +=================================================================== +--- secure/usr.sbin/sshd/Makefile.orig ++++ secure/usr.sbin/sshd/Makefile +@@ -57,6 +57,16 @@ + DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ} + LDADD+= -lcrypt -lcrypto -lz + ++# Fix the order of NEEDED entries for libthr and libc. The libthr ++# needs to interpose libc symbols, leaving the libthr loading as ++# dependency of krb causes reversed order and broken interposing. Put ++# the threading library last on the linker command line, just before ++# the -lc added by a compiler driver. ++.if ${MK_KERBEROS_SUPPORT} != "no" ++DPADD+= ${LIBPTHREAD} ++LDADD+= -lpthread ++.endif ++ + .if defined(LOCALBASE) + CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\" + .endif Added: head/share/security/patches/SA-14:24/sshd.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:24/sshd.patch.asc Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJUWU5yAAoJEO1n7NZdz2rncK8P/1ErftXKGU76gZEkjXW+xm0A +daRQM+jwRLlplCA32Si++jj0LHGEL1wEFWT/Q3042vV2YjYT5mhi9EOvPVFouC7Z +3f5PyXaC0gBqdu5lq8heahnEiwkU5z0WcyUOHDdYNVY0uSrRd2dT/yQ2RLMYw9S9 +B9ubILTmwZi2uASS43fuhRk4Hc4gXhlgV3WUtauXTRYSfDme+exmXMMjVxp/YpuH +6QXH/hEOVN3L4aZ6yaVA/EvEgERpJlXLfSKREOOmVzeJ6VCQ3M7aqk6UMGQpUWDB +bd929pvvgg5EsAGEAQI8QPs/zALL9fqLr7MEvjuDRMn4gBzf2ykngfN3s3+0VvuF +Bd93Mf7/GZxjdB0QkRWPpGu1ngQr4645ZTPsrWafFDm+Q51fS/bZhoZZrfBcxZz/ +hgC9SKB7LfXHwf+QZkUQGEp31kjO/pmYnNVbFFM2rhCu7gzh//B2P1+ycF+nCIis +fPZIfUXbdDhQ8fVV6H6WwdLHAgxz0CDSDdtSJBMWdwzzA5RykRamcvDbWCOCGASq +BkrPsUgWJntJa+TNCQxpt0I85m/NxtpSOAua2/KHY9ZHJaQkl/58gaji0hoKauyU +ZRfQP/yVoZ9GZMlUzdiv3xj7xOImYP4naQOLLy7v/aOkQ824QXD6vesPy76hp9lT +xYacjZi9fbvmEFX6llHO +=TFaU +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:25/setlogin-91.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:25/setlogin-91.patch Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,63 @@ +Index: sys/kern/kern_prot.c +=================================================================== +--- sys/kern/kern_prot.c.orig ++++ sys/kern/kern_prot.c +@@ -2073,19 +2073,20 @@ + int + sys_getlogin(struct thread *td, struct getlogin_args *uap) + { +- int error; + char login[MAXLOGNAME]; + struct proc *p = td->td_proc; ++ size_t len; + + if (uap->namelen > MAXLOGNAME) + uap->namelen = MAXLOGNAME; + PROC_LOCK(p); + SESS_LOCK(p->p_session); +- bcopy(p->p_session->s_login, login, uap->namelen); ++ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; + SESS_UNLOCK(p->p_session); + PROC_UNLOCK(p); +- error = copyout(login, uap->namebuf, uap->namelen); +- return(error); ++ if (len > uap->namelen) ++ return (ERANGE); ++ return (copyout(login, uap->namebuf, len)); + } + + /* +@@ -2104,21 +2105,23 @@ + int error; + char logintmp[MAXLOGNAME]; + ++ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); ++ + error = priv_check(td, PRIV_PROC_SETLOGIN); + if (error) + return (error); + error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); +- if (error == ENAMETOOLONG) +- error = EINVAL; +- else if (!error) { +- PROC_LOCK(p); +- SESS_LOCK(p->p_session); +- (void) memcpy(p->p_session->s_login, logintmp, +- sizeof(logintmp)); +- SESS_UNLOCK(p->p_session); +- PROC_UNLOCK(p); ++ if (error != 0) { ++ if (error == ENAMETOOLONG) ++ error = EINVAL; ++ return (error); + } +- return (error); ++ PROC_LOCK(p); ++ SESS_LOCK(p->p_session); ++ strcpy(p->p_session->s_login, logintmp); ++ SESS_UNLOCK(p->p_session); ++ PROC_UNLOCK(p); ++ return (0); + } + + void Added: head/share/security/patches/SA-14:25/setlogin-91.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:25/setlogin-91.patch.asc Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rnXBIP/jT00G4/lEHn8ZqvXylqkAcd +Cq6X0C1TxNBvB2T2bdss63NwjSu91BxQJoVu+LNoKBOd3SHgfbAFuLHThTRQ5s4G +OF7/woXnP5DyyTdXrPHPMMnc3bi1pLy9j3cTg+QJy5PQEM/lYqZB52E9hsgd62to +tbp6wBe6tSGbrlOZG5E4yT4yEqRLhdz8IAhfzCNraRFxMEFGbTVl5cPK62h1tHZZ +4mAKLXSiq1S2lFtbvNrwsnV/ohJlzOmyT0wy3cWJ4YIoufaImjnPsZzzGKvmDDib +X90WNrM65fGRPZq6OaDSv3BuxSO8rD4+v9g/l2YyfMZrLq+JS+C/rwij79HiRUOT +EnKyywoi0oC0/wHQ43Lx/RDV7dyvB+0VhDjBKH3YXmyDf+lWPbW8iqZQpIkilDD1 +2mFhHSr0ub44o37WIRe4p4WjG0WOxOFL4iNmiw6d704Hkgq1N5/LHrv7pNZwAn29 +vgHnKJtjq/MyH5QWoNLXopbrAjF+4YXOhUqhlWf95kdFRedOexv5GqHAi9Synnri +MVYdOGXD1bs0b1tyjtXS1+vPq1teDBEA8Fr20IrnvPbcNRmZEhHW7va/TbPQTF5R +p7tBycaki1V9WBBE5jE2oZRmpenegbPuzstYtcpm1pnm2dNL5MoeTefB3WNnmPWZ +cdHvpwCQQURRaUyYnlxw +=o8um +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:25/setlogin.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:25/setlogin.patch Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,64 @@ +Index: sys/kern/kern_prot.c +=================================================================== +--- sys/kern/kern_prot.c.orig ++++ sys/kern/kern_prot.c +@@ -2066,21 +2066,20 @@ + int + sys_getlogin(struct thread *td, struct getlogin_args *uap) + { +- int error; + char login[MAXLOGNAME]; + struct proc *p = td->td_proc; ++ size_t len; + + if (uap->namelen > MAXLOGNAME) + uap->namelen = MAXLOGNAME; + PROC_LOCK(p); + SESS_LOCK(p->p_session); +- bcopy(p->p_session->s_login, login, uap->namelen); ++ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1; + SESS_UNLOCK(p->p_session); + PROC_UNLOCK(p); +- if (strlen(login) + 1 > uap->namelen) ++ if (len > uap->namelen) + return (ERANGE); +- error = copyout(login, uap->namebuf, uap->namelen); +- return (error); ++ return (copyout(login, uap->namebuf, len)); + } + + /* +@@ -2099,21 +2098,23 @@ + int error; + char logintmp[MAXLOGNAME]; + ++ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp)); ++ + error = priv_check(td, PRIV_PROC_SETLOGIN); + if (error) + return (error); + error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); +- if (error == ENAMETOOLONG) +- error = EINVAL; +- else if (!error) { +- PROC_LOCK(p); +- SESS_LOCK(p->p_session); +- (void) memcpy(p->p_session->s_login, logintmp, +- sizeof(logintmp)); +- SESS_UNLOCK(p->p_session); +- PROC_UNLOCK(p); ++ if (error != 0) { ++ if (error == ENAMETOOLONG) ++ error = EINVAL; ++ return (error); + } +- return (error); ++ PROC_LOCK(p); ++ SESS_LOCK(p->p_session); ++ strcpy(p->p_session->s_login, logintmp); ++ SESS_UNLOCK(p->p_session); ++ PROC_UNLOCK(p); ++ return (0); + } + + void Added: head/share/security/patches/SA-14:25/setlogin.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:25/setlogin.patch.asc Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rn7IkQAOFzWal/xCl4moNG5SGXkJaR +3I1a6Dhmti0gHEEUJrvGVW7wpqiVAyy2Qz2m3k2mSz0yr54PVCwGSQnUYBNI5GdG +xC6Zv3e1PMDhKc5ZMq2f/3x/1yS+NzK9JsRcth3yTqA+LazcNZm2B4quGkfKfL/L +Zz43Z+d67ZW5CRkfYGQlp6c70sryCltmyQXTlLTWhVEWpSrkN5zDjnKvAdnXo1gK +Eb7sAimL8vbUyiphv7uAg7M4OrJ5LRWyLRSiWHVi1LTcVXS6OuWeIsxS3wFrqsZD +EyhNyq95pyy9lE5csoUbsbNjvkjT/+M4WdSk+38QitYcJhIltLENYTViW3SFZ70T +FThZdYwq1i5NyMeWWe5FF3IeU7obcXrtdNsNYgY1GDTfShwHYs5ViEKaVa9tw5qk +6Me1HcBs1JoyZklNUrFyXyf1fMp5mtDrRrsgOOfu4r5tqJFHqW8GBFWLlJsJVJzq +65jnNToSlKPGN4aO4iCMA2S1EZOOE0hi5b3/u+FlAg/QmZAQCTwXAQzrgumetklX +DPyffhEx0NacaRuRSjE77GkQ8GIR9XxJW+or3a5WaVoHfIwER1SZdJjbOZ8hzog3 +I2TIqmvbzGx89Ref84kjio3S786cvPQvFbDeDJbaatn+V0SedG23+TM8txUtwUOt +dll5L1WYjpDnPqSj3R7V +=c72I +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:26/ftp-8.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:26/ftp-8.patch Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,69 @@ +Index: contrib/lukemftp/src/fetch.c +=================================================================== +--- contrib/lukemftp/src/fetch.c.orig ++++ contrib/lukemftp/src/fetch.c +@@ -540,7 +540,7 @@ + url_decode(decodedpath); + + if (outfile) +- savefile = xstrdup(outfile); ++ savefile = outfile; + else { + cp = strrchr(decodedpath, '/'); /* find savefile */ + if (cp != NULL) +@@ -566,8 +566,7 @@ + rangestart = rangeend = entitylen = -1; + mtime = -1; + if (restartautofetch) { +- if (strcmp(savefile, "-") != 0 && *savefile != '|' && +- stat(savefile, &sb) == 0) ++ if (stat(savefile, &sb) == 0) + restart_point = sb.st_size; + } + if (urltype == FILE_URL_T) { /* file:// URLs */ +@@ -1085,17 +1084,25 @@ + } /* end of ftp:// or http:// specific setup */ + + /* Open the output file. */ +- if (strcmp(savefile, "-") == 0) { +- fout = stdout; +- } else if (*savefile == '|') { +- oldintp = xsignal(SIGPIPE, SIG_IGN); +- fout = popen(savefile + 1, "w"); +- if (fout == NULL) { +- warn("Can't run `%s'", savefile + 1); +- goto cleanup_fetch_url; ++ ++ /* ++ * Only trust filenames with special meaning if they came from ++ * the command line ++ */ ++ if (outfile == savefile) { ++ if (strcmp(savefile, "-") == 0) { ++ fout = stdout; ++ } else if (*savefile == '|') { ++ oldintp = xsignal(SIGPIPE, SIG_IGN); ++ fout = popen(savefile + 1, "w"); ++ if (fout == NULL) { ++ warn("Can't execute `%s'", savefile + 1); ++ goto cleanup_fetch_url; ++ } ++ closefunc = pclose; + } +- closefunc = pclose; +- } else { ++ } ++ if (fout == NULL) { + if ((rangeend != -1 && rangeend <= restart_point) || + (rangestart == -1 && filesize != -1 && filesize <= restart_point)) { + /* already done */ +@@ -1278,7 +1285,8 @@ + (*closefunc)(fout); + if (res0) + freeaddrinfo(res0); +- FREEPTR(savefile); ++ if (savefile != outfile) ++ FREEPTR(savefile); + FREEPTR(user); + FREEPTR(pass); + FREEPTR(host); Added: head/share/security/patches/SA-14:26/ftp-8.patch.asc 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:26/ftp-8.patch.asc Wed Nov 5 00:28:45 2014 (r45928) @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rnL8oP/RHdyCs8fERJMVysB5JvlZNi +ONzdlUforbspVVcftM5eATZFYxzSPxiGnkBV/K3iudglaHHOnhIB3B8vDi4RXQhI +aSTEPJ8WvjhhBdld3he+EsihDEmx0e64EG8RlViv8Uec35FqzmGH36fQIu7pVp0M +0NfPma0h2WjK4mifBunEyg4KEv8pmsWzzPUZUALTXO2Q4INLhSKu6yiAxiab2RXn +cE09UX6MPHT5lkISSBAN1YjJDjg2sL86d01Ar+1G5iH/Rf3IIoV30bPvfYO2c5Co +cZacymlTiakc/JWTxyZAd9jWJTfp6I2Htt8YSygsiRZnJ0WYMaoFb/tzel8U+jXf +UkZTeJtm08xeMS2jVax2j7ceJkWxsFcD0P5LDzIDw3Y+atdONJlknIjEyUq5+9uZ +IywGZGyQFwh3Xz0YVEdKI+81kEW5amRypdRFKijpLkwKwo9FIIQmtBNQZR7xMdgo +JcPvtnzy/3AARVVjv3KLFnj+VTAwnGVOuEb3164ISfhaeU+ny9CKeR/6XRstNaW2 +c0oKO+LsX+6xXC3QIUqBo0grNsNk0SBQpBQCApwPWE0SP/fQ4IcCjx6HsSTnnOKJ +Z1ssejQUPex7Dz8I+wdl92qbUGckdqH/dIl+oI+fxMHRpsNPOEBN6i46zVideojt +NhBAdZGUtj80bGfm+2g1 +=KPRE +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-14:26/ftp.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-14:26/ftp.patch Wed Nov 5 00:28:45 2014 (r45928) 
@@ -0,0 +1,69 @@ +Index: contrib/tnftp/src/fetch.c +=================================================================== +--- contrib/tnftp/src/fetch.c.orig ++++ contrib/tnftp/src/fetch.c +@@ -547,7 +547,7 @@ + url_decode(decodedpath); + + if (outfile) +- savefile = ftp_strdup(outfile); ++ savefile = outfile; + else { + cp = strrchr(decodedpath, '/'); /* find savefile */ + if (cp != NULL) +@@ -571,8 +571,7 @@ + rangestart = rangeend = entitylen = -1; + mtime = -1; + if (restartautofetch) { +- if (strcmp(savefile, "-") != 0 && *savefile != '|' && +- stat(savefile, &sb) == 0) ++ if (stat(savefile, &sb) == 0) + restart_point = sb.st_size; + } + if (urltype == FILE_URL_T) { /* file:// URLs */ +@@ -1098,17 +1097,25 @@ + } /* end of ftp:// or http:// specific setup */ + + /* Open the output file. */ +- if (strcmp(savefile, "-") == 0) { +- fout = stdout; +- } else if (*savefile == '|') { +- oldintp = xsignal(SIGPIPE, SIG_IGN); +- fout = popen(savefile + 1, "w"); +- if (fout == NULL) { +- warn("Can't execute `%s'", savefile + 1); +- goto cleanup_fetch_url; ++ ++ /* ++ * Only trust filenames with special meaning if they came from ++ * the command line ++ */ ++ if (outfile == savefile) { ++ if (strcmp(savefile, "-") == 0) { ++ fout = stdout; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
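Review bot: in sys_getlogin() (sys/kern/kern_prot.c, same change in setlogin-91.patch and setlogin.patch), the new `len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;` line is what limits the copyout to the name and its terminator, but nothing in the hunk says so. `login[]` is declared without an initialiser, so every byte past the NUL is uninitialised stack. Please add a short comment stating that only `len` bytes may reach userland, so that a later cleanup does not restore `copyout(login, uap->namebuf, uap->namelen)`.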
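Review bot: in sys_setlogin() (same two patches), `strcpy(p->p_session->s_login, logintmp);` is only bounded by the CTASSERT added at the top of the function and by copyinstr() having returned 0, which leaves logintmp NUL-terminated. That dependency should be stated in a comment next to the strcpy(), or the call should be strlcpy() with sizeof(p->p_session->s_login) so the bound is visible at the call site. Note also that strcpy() leaves the bytes of a previous, longer login name in place after the new terminator, so every reader of s_login has to stop at the NUL the way the patched sys_getlogin() does.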
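Review bot: in the restartautofetch hunk of fetch.c (ftp-8.patch and ftp.patch), dropping the `strcmp(savefile, "-") != 0 && *savefile != '|'` guard means stat() now also runs on a command-line outfile of "-" or "|command". If a file with that literal name exists, restart_point is taken from its size while the later hunk still sends the output to stdout or popen(). Consider keeping the guard for the `outfile == savefile` case and calling stat() unconditionally only for names derived from the URL.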
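Review bot: in the "Open the output file" hunk of fetch.c, the new `if (fout == NULL)` fall-through reaches the regular-file path only if fout is still NULL at this point, and its initialisation is not in the visible context; please confirm that it is, or use an explicit flag instead. The trust decision itself rests on the pointer comparison `outfile == savefile`, which is set up by `savefile = outfile;` in the first hunk and mirrored by `if (savefile != outfile)` before FREEPTR() in the last one. A named boolean recording that the name came from the command line would survive someone reintroducing a strdup() of outfile, where pointer identity would silently fail. In ftp-8.patch this hunk also changes the warn() text from "Can't run" to "Can't execute", which is unrelated to the fix.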