From owner-svn-doc-all@FreeBSD.ORG Tue Feb 19 13:56:51 2013
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id BC1F5290; Tue, 19 Feb 2013 13:56:51 +0000 (UTC) (envelope-from bz@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id A0422EB4; Tue, 19 Feb 2013 13:56:51 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r1JDupie024991; Tue, 19 Feb 2013 13:56:51 GMT (envelope-from bz@svn.freebsd.org)
Received: (from bz@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r1JDuoMw024977; Tue, 19 Feb 2013 13:56:50 GMT (envelope-from bz@svn.freebsd.org)
Message-Id: <201302191356.r1JDuoMw024977@svn.freebsd.org>
From: "Bjoern A. Zeeb"
Date: Tue, 19 Feb 2013 13:56:50 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r41014 - in head/share: security/advisories security/patches/SA-13:01 security/patches/SA-13:02 xml
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)"
X-List-Received-Date: Tue, 19 Feb 2013 13:56:51 -0000

Author: bz (src committer)
Date: Tue Feb 19 13:56:49 2013
New Revision: 41014
URL: http://svnweb.freebsd.org/changeset/doc/41014

Log:
  Add latest security advisories:

  Fix Denial of Service vulnerability in named(8) with DNS64. [13:01]
  Fix Denial of Service vulnerability in libc's glob(3) functionality. [13:02]

  Security: CVE-2012-5688
  Security: FreeBSD-SA-13:01.bind
  Security: CVE-2010-2632
  Security: FreeBSD-SA-13:02.libc

Added:
  head/share/security/advisories/FreeBSD-SA-13:01.bind.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-13:02.libc.asc   (contents, props changed)
  head/share/security/patches/SA-13:01/
  head/share/security/patches/SA-13:01/bind.patch   (contents, props changed)
  head/share/security/patches/SA-13:01/bind.patch.asc   (contents, props changed)
  head/share/security/patches/SA-13:02/
  head/share/security/patches/SA-13:02/libc.patch   (contents, props changed)
  head/share/security/patches/SA-13:02/libc.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-13:01.bind.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:01.bind.asc Tue Feb 19 13:56:49 2013 (r41014) 
@@ -0,0 +1,122 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:01.bind Security Advisory + The FreeBSD Project + +Topic: BIND remote DoS with deliberately crafted DNS64 query + +Category: contrib +Module: bind +Announced: 2013-02-19 +Affects: FreeBSD 9.x and later +Corrected: 2013-01-08 09:05:09 UTC (stable/9, 9.1-STABLE) + 2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6) + 2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1) +CVE Name: CVE-2012-5688 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. + +DNS64 is an IPv6 transition mechanism that will return a synthesized +AAAA response even if there is only an A record available. + +II. Problem Description + +Due to a software defect a crafted query can cause named(8) to crash +with an assertion failure. + +III. Impact + +If named(8) is configured to use DNS64, an attacker who can send it a +query can cause named(8) to crash, resulting in a denial of service. + +IV. Workaround + +No workaround is available, but systems not configured to use DNS64 +using the "dns64" configuration statement are not vulnerable. DNS64 +is not enabled in the default configuration on FreeBSD. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Restart the named(8) daemon, or reboot your system. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:01/bind.patch +# fetch http://security.FreeBSD.org/patches/SA-13:01/bind.patch.asc +# gpg --verify bind.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +Restart the named(8) daemon, or reboot your system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart the named(8) daemon, or reboot your system. + +4) Alternatively, install and run BIND from the Ports Collection after +the correction date. The following versions and newer versions of +BIND installed from the Ports Collection are not affected by this +vulnerability: + + bind98-9.8.4.1 + bind99-9.9.2.1 + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/9/ r245163 +releng/9.0/ r246989 +releng/9.1/ r246989 +- ------------------------------------------------------------------------- + +VII. 
References + +https://kb.isc.org/article/AA-00828 + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688 + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-13:01.bind.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (FreeBSD) + +iEYEARECAAYFAlEjf8MACgkQFdaIBMps37JUigCeIvjGL59H2froSeFqfPvlzM7L +XpAAni7nW5GZt4AE3eSDQwE4ivCne6SK +=Rxq4 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-13:02.libc.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:02.libc.asc Tue Feb 19 13:56:49 2013 (r41014) 
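Review bot: in FreeBSD-SA-13:01.bind.asc, section IV opens with "No workaround is available" and only afterwards states the operative guidance, that a named(8) without a `dns64` configuration statement is not vulnerable and that DNS64 is off in the FreeBSD default configuration; lead with that clause and tell operators how to verify it (grep the running named.conf for `dns64`), because the first sentence is the one that gets skimmed. Also, "Affects: FreeBSD 9.x and later" is broader than the Corrected table, which lists only stable/9, releng/9.0 and releng/9.1; either add the head correction or say why it is not listed.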
@@ -0,0 +1,114 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:02.libc Security Advisory + The FreeBSD Project + +Topic: glob(3) related resource exhaustion + +Category: core +Module: libc +Announced: 2013-02-19 +Affects: All supported versions of FreeBSD. +Corrected: 2013-02-05 09:53:32 UTC (stable/7, 7.4-STABLE) + 2013-02-19 13:27:20 UTC (releng/7.4, 7.4-RELEASE-p12) + 2013-02-05 09:53:32 UTC (stable/8, 8.3-STABLE) + 2013-02-19 13:27:20 UTC (releng/8.3, 8.3-RELEASE-p6) + 2013-02-05 09:53:32 UTC (stable/9, 9.1-STABLE) + 2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6) + 2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1) +CVE Name: CVE-2010-2632 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The glob(3) function is a pathname generator that implements the rules for +file name pattern matching used by the shell. + +II. Problem Description + +GLOB_LIMIT is supposed to limit the number of paths to prevent against +memory or CPU attacks. The implementation however is insufficient. + +III. Impact + +An attacker that is able to exploit this vulnerability could cause excessive +memory or CPU usage, resulting in a Denial of Service. A common target for +a remote attacker could be ftpd(8). + +IV. Workaround + +No workaround is available. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +# fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch +# fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch.asc +# gpg --verify libc.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +Restart all daemons, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all daemons, or reboot the system. + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/7/ r246357 +releng/7.4/ r246989 +stable/8/ r246357 +releng/8.3/ r246989 +stable/9/ r246357 +releng/9.0/ r246989 +releng/9.1/ r246989 +- ------------------------------------------------------------------------- + +VII. References + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632 + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-13:02.libc.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (FreeBSD) + +iEYEARECAAYFAlEjf80ACgkQFdaIBMps37JFUgCfUrw8Ky4U19COja6fna49Calv +z/YAn1JSGxzHCo8vLj4XhtXqrQt68or4 +=mCPv +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-13:01/bind.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:01/bind.patch Tue Feb 19 13:56:49 2013 (r41014) 
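Review bot: in FreeBSD-SA-13:02.libc.asc, section IV ("No workaround is available") should carry forward section III's own observation that ftpd(8) is the common remote path into glob(3), so operators know that restricting or disabling ftpd(8) buys time until the libc rebuild and daemon restarts are done. Section II is also too thin for a libc change: say which bounds GLOB_LIMIT failed to enforce (the accompanying libc.patch adds caps on brace expansions, stat calls, readdir calls and total path string size) and that a cap being hit is reported as GLOB_NOSPACE with errno set to 0, since a caller cannot otherwise tell a limit hit from memory exhaustion.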
@@ -0,0 +1,18 @@ +Index: contrib/bind9/bin/named/query.c +=================================================================== +--- contrib/bind9/bin/named/query.c ++++ contrib/bind9/bin/named/query.c +@@ -5183,10 +5183,12 @@ + isc_result_t result; + isc_uint32_t ttl = ISC_UINT32_MAX; + ++ dns_rdataset_init(&rdataset); ++ + result = dns_db_getoriginnode(db, &node); + if (result != ISC_R_SUCCESS) + goto cleanup; +- dns_rdataset_init(&rdataset); ++ + result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa, + 0, 0, &rdataset, NULL); + if (result != ISC_R_SUCCESS) Added: head/share/security/patches/SA-13:01/bind.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:01/bind.patch.asc Tue Feb 19 13:56:49 2013 (r41014) @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (FreeBSD) + +iEYEABECAAYFAlEjf/cACgkQFdaIBMps37LjHwCfQ0g0m9lvCY/AZmzYq6NfupNU +cjQAn1ovam14yAE0+WT3FAhOM0lr7INw +=gwXh +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-13:02/libc.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:02/libc.patch Tue Feb 19 13:56:49 2013 (r41014) 
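Review bot: the query.c hunk is a pure reorder of `dns_rdataset_init(&rdataset);` ahead of the `dns_db_getoriginnode()` call, and that only helps if the `cleanup:` label reached by the `goto cleanup` on failure inspects or disassociates `rdataset`; that label is outside the hunk, so confirm it, and add a one-line comment at the moved call saying it must run before any `goto cleanup`, otherwise the next refactor moves it back. Minor: the `-`/`+` pair leaves an extra blank `+` line at the old position; drop it so the diff is the minimal two-line move.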
@@ -0,0 +1,215 @@ +Index: lib/libc/gen/glob.c +=================================================================== +--- lib/libc/gen/glob.c (revision 246357) ++++ lib/libc/gen/glob.c (working copy) +@@ -94,6 +94,25 @@ __FBSDID("$FreeBSD$"); + + #include "collate.h" + ++/* ++ * glob(3) expansion limits. Stop the expansion if any of these limits ++ * is reached. This caps the runtime in the face of DoS attacks. See ++ * also CVE-2010-2632 ++ */ ++#define GLOB_LIMIT_BRACE 128 /* number of brace calls */ ++#define GLOB_LIMIT_PATH 65536 /* number of path elements */ ++#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */ ++#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */ ++#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */ ++ ++struct glob_limit { ++ size_t l_brace_cnt; ++ size_t l_path_lim; ++ size_t l_readdir_cnt; ++ size_t l_stat_cnt; ++ size_t l_string_cnt; ++}; ++ + #define DOLLAR '$' + #define DOT '.' + #define EOS '\0' +@@ -153,15 +172,18 @@ static const Char *g_strchr(const Char *, wchar_t) + static Char *g_strcat(Char *, const Char *); + #endif + static int g_stat(Char *, struct stat *, glob_t *); +-static int glob0(const Char *, glob_t *, size_t *); +-static int glob1(Char *, glob_t *, size_t *); +-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *); +-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *); +-static int globextend(const Char *, glob_t *, size_t *); +-static const Char * ++static int glob0(const Char *, glob_t *, struct glob_limit *); ++static int glob1(Char *, glob_t *, struct glob_limit *); ++static int glob2(Char *, Char *, Char *, Char *, glob_t *, ++ struct glob_limit *); ++static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, ++ struct glob_limit *); ++static int globextend(const Char *, glob_t *, struct glob_limit *); ++static const Char * + globtilde(const Char *, Char *, size_t, glob_t *); +-static int globexp1(const Char *, glob_t *, size_t *); 
+-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *); ++static int globexp1(const Char *, glob_t *, struct glob_limit *); ++static int globexp2(const Char *, const Char *, glob_t *, int *, ++ struct glob_limit *); + static int match(Char *, Char *, Char *); + #ifdef DEBUG + static void qprintf(const char *, Char *); +@@ -171,8 +193,8 @@ int + glob(const char * __restrict pattern, int flags, + int (*errfunc)(const char *, int), glob_t * __restrict pglob) + { ++ struct glob_limit limit = { 0, 0, 0, 0, 0 }; + const char *patnext; +- size_t limit; + Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot; + mbstate_t mbs; + wchar_t wc; +@@ -186,11 +208,10 @@ glob(const char * __restrict pattern, int flags, + pglob->gl_offs = 0; + } + if (flags & GLOB_LIMIT) { +- limit = pglob->gl_matchc; +- if (limit == 0) +- limit = ARG_MAX; +- } else +- limit = 0; ++ limit.l_path_lim = pglob->gl_matchc; ++ if (limit.l_path_lim == 0) ++ limit.l_path_lim = GLOB_LIMIT_PATH; ++ } + pglob->gl_flags = flags & ~GLOB_MAGCHAR; + pglob->gl_errfunc = errfunc; + pglob->gl_matchc = 0; +@@ -243,11 +264,17 @@ glob(const char * __restrict pattern, int flags, + * characters + */ + static int +-globexp1(const Char *pattern, glob_t *pglob, size_t *limit) ++globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + const Char* ptr = pattern; + int rv; + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) { ++ errno = 0; ++ return (GLOB_NOSPACE); ++ } ++ + /* Protect a single {}, for find(1), like csh */ + if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS) + return glob0(pattern, pglob, limit); +@@ -266,7 +293,8 @@ static int + * If it fails then it tries to glob the rest of the pattern and returns. 
+ */ + static int +-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit) ++globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, ++ struct glob_limit *limit) + { + int i; + Char *lm, *ls; +@@ -436,7 +464,7 @@ globtilde(const Char *pattern, Char *patbuf, size_ + * if things went well, nonzero if errors occurred. + */ + static int +-glob0(const Char *pattern, glob_t *pglob, size_t *limit) ++glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + const Char *qpatnext; + int err; +@@ -529,7 +557,7 @@ compare(const void *p, const void *q) + } + + static int +-glob1(Char *pattern, glob_t *pglob, size_t *limit) ++glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + Char pathbuf[MAXPATHLEN]; + +@@ -547,7 +575,7 @@ static int + */ + static int + glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern, +- glob_t *pglob, size_t *limit) ++ glob_t *pglob, struct glob_limit *limit) + { + struct stat sb; + Char *p, *q; +@@ -563,6 +591,15 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_ + if (g_lstat(pathbuf, &sb, pglob)) + return(0); + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) { ++ errno = 0; ++ if (pathend + 1 > pathend_last) ++ return (GLOB_ABORTED); ++ *pathend++ = SEP; ++ *pathend = EOS; ++ return (GLOB_NOSPACE); ++ } + if (((pglob->gl_flags & GLOB_MARK) && + pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) + || (S_ISLNK(sb.st_mode) && +@@ -606,7 +643,7 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_ + static int + glob3(Char *pathbuf, Char *pathend, Char *pathend_last, + Char *pattern, Char *restpattern, +- glob_t *pglob, size_t *limit) ++ glob_t *pglob, struct glob_limit *limit) + { + struct dirent *dp; + DIR *dirp; +@@ -652,6 +689,19 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_ + size_t clen; + mbstate_t mbs; + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) { ++ errno = 0; ++ if 
(pathend + 1 > pathend_last) ++ err = GLOB_ABORTED; ++ else { ++ *pathend++ = SEP; ++ *pathend = EOS; ++ err = GLOB_NOSPACE; ++ } ++ break; ++ } ++ + /* Initial DOT must be matched literally. */ + if (dp->d_name[0] == DOT && *pattern != DOT) + continue; +@@ -702,14 +752,15 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_ + * gl_pathv points to (gl_offs + gl_pathc + 1) items. + */ + static int +-globextend(const Char *path, glob_t *pglob, size_t *limit) ++globextend(const Char *path, glob_t *pglob, struct glob_limit *limit) + { + char **pathv; + size_t i, newsize, len; + char *copy; + const Char *p; + +- if (*limit && pglob->gl_pathc > *limit) { ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ pglob->gl_matchc > limit->l_path_lim) { + errno = 0; + return (GLOB_NOSPACE); + } +@@ -737,6 +788,12 @@ static int + for (p = path; *p++;) + continue; + len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */ ++ limit->l_string_cnt += len; ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_string_cnt >= GLOB_LIMIT_STRING) { ++ errno = 0; ++ return (GLOB_NOSPACE); ++ } + if ((copy = malloc(len)) != NULL) { + if (g_Ctoc(path, copy, len)) { + free(copy); Added: head/share/security/patches/SA-13:02/libc.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:02/libc.patch.asc Tue Feb 19 13:56:49 2013 (r41014) @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.12 (FreeBSD) + +iEYEABECAAYFAlEjf/0ACgkQFdaIBMps37Kw1ACfX+M73KQtFkdrAhFWVyVm2G44 +DLYAn2SoJT4c98Frj75ttappPsvFDgVk +=H9Gv +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Tue Feb 19 13:27:07 2013 (r41013) +++ head/share/xml/advisories.xml Tue Feb 19 13:56:49 2013 (r41014) 
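Review bot: in the `@@ -94,6 +94,25 @@` hunk, the caps are compile-time constants, so a caller cannot raise GLOB_LIMIT_STAT (1024) or GLOB_LIMIT_READDIR (16384) for a legitimately large tree; the glob(3) man page needs to say that GLOB_LIMIT now also bounds brace expansions, stat(2) and readdir(3) calls and the total path string size, and that a hit comes back as GLOB_NOSPACE with errno set to 0 (as every check in this patch does), since callers such as ftpd(8) must tell that apart from ENOMEM. Naming: `l_path_lim` is a limit while the other four fields are counters (`l_*_cnt`); a comment that it is the one bound supplied by the caller through gl_matchc would stop readers assuming it is a count.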
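Review bot: in the `@@ -243,11 +264,17 @@` hunk, `l_brace_cnt` is incremented on every globexp1() entry and never decremented, so GLOB_LIMIT_BRACE is a cap on the total number of brace expansions per glob(3) call, not on nesting depth as the define's comment "number of brace calls" suggests; say so in the comment. The check also sits ahead of the `{}`-for-find(1) passthrough, so even that literal pattern is refused once the counter is spent; that is acceptable, but worth a word in the comment so nobody "fixes" it later.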
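Review bot: in the `@@ -563,6 +591,15 @@` hunk, the stat budget is checked only after `g_lstat(pathbuf, &sb, pglob)` has already succeeded (the `return(0)` on failure sits above the new block), so lstat calls that fail are never counted; move the check ahead of `g_lstat()` so the counter bounds the system calls themselves, which is what the "number of stat system calls" comment promises. The hunk also appends SEP and EOS to pathbuf before returning GLOB_NOSPACE, falling back to GLOB_ABORTED when there is no room; neither branch says why a trailing separator is needed on an error path, so add a comment.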
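Review bot: in the `@@ -652,6 +689,19 @@` hunk, hitting GLOB_LIMIT_READDIR sets `err` and `break`s out of the readdir loop, so correctness depends on the code after the loop (outside the hunk) closing `dirp` and returning `err` rather than treating the truncated listing as success; confirm that path, because a silently partial match list is exactly the failure mode the cap is meant to replace. The SEP/EOS handling on `pathend` duplicates the block added to glob2() in the earlier hunk; factor it into a small helper, or at least comment it in one place and point to it from the other.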
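Review bot: in the `@@ -702,14 +752,15 @@` hunk, switching the check from `pglob->gl_pathc > *limit` to `pglob->gl_matchc > limit->l_path_lim` makes the cap per call (gl_matchc is reset to 0 in glob(), visible in the `@@ -186,11 +208,10 @@` context) rather than per glob_t, which is right for GLOB_DOOFFS but means a caller using GLOB_APPEND with a small gl_matchc can still grow gl_pathv without bound across calls; note that in the man page. The bound is also inclusive here (`>`) but exclusive for the string cap in the next hunk (`>=`); pick one.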
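Review bot: in the `@@ -737,6 +788,12 @@` hunk, `limit->l_string_cnt += len` accumulates the `MB_CUR_MAX * (p - path)` overallocation (the `XXX overallocation` comment is right above it), not the bytes g_Ctoc() actually stores, so in a multibyte locale GLOB_LIMIT_STRING (ARG_MAX) trips up to MB_CUR_MAX times earlier than "maximum total size for paths" implies; either add the real length after conversion or state that the bound is on allocation. The addition is also outside the `GLOB_LIMIT` test, unlike the other four counters, which are only bumped when the flag is set; move it inside for consistency.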
@@ -5,6 +5,26 @@ + 2013 + + + 2 + + + 19 + + + FreeBSD-SA-13:02.libc + + + + FreeBSD-SA-13:01.bind + + + + + + 2012
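Added example, not FreeBSD's code and not part of libc.patch: section II of FreeBSD-SA-13:02.libc says GLOB_LIMIT was "supposed to limit the number of paths to prevent against memory or CPU attacks" and the patch answers that with caps inside libc, reported as GLOB_NOSPACE with errno set to 0. GLOB_LIMIT and gl_matchc are a BSD extension, so a portable caller (the kind of server code the advisory names, ftpd(8)) cannot rely on them. This C program builds the caller-side analogue of the patch's readdir counter on top of the GLOB_ALTDIRFUNC hooks, which both FreeBSD and glibc glob(3) provide, and returns a distinct code when the budget runs out so that a truncated listing is never mistaken for "fewer files". `budgeted_glob`, `struct glob_budget`, `GLOB_TRUNCATED`, `DEMO_FIXTURE_FAILED` and `demo` are names chosen here; the 12-file directory is a constructed fixture; the `__typeof__` casts are a GCC/Clang extension used so the hook assignments compile whether or not `_GNU_SOURCE` took effect.

```c
#define _GNU_SOURCE   /* glibc: GLOB_ALTDIRFUNC, mkdtemp(3), dirent-typed gl_readdir */
#include <dirent.h>
#include <errno.h>
#include <glob.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes chosen for this example; they collide with no
 * GLOB_* value on FreeBSD (negative, -1..-3) or glibc (positive, 1..3). */
#define GLOB_TRUNCATED      (-100)   /* readdir budget ran out, matches are partial */
#define DEMO_FIXTURE_FAILED (-101)

struct glob_budget {
    size_t readdir_calls;   /* directory entries handed to glob(3) so far */
    size_t readdir_max;     /* cap on entries: caller-side analogue of GLOB_LIMIT_READDIR */
    size_t stat_calls;      /* stat/lstat calls, counted for reporting only */
    int    exhausted;       /* set once readdir_max is reached */
};

/* glob_t has no user cookie, so the hooks find the budget through this
 * file-scope pointer; budgeted_glob() is therefore not reentrant. */
static struct glob_budget *cur_budget;

static void *hook_opendir(const char *path) { return opendir(path); }
static void  hook_closedir(void *dirp)      { closedir((DIR *)dirp); }

static struct dirent *hook_readdir(void *dirp)
{
    if (cur_budget->readdir_calls >= cur_budget->readdir_max) {
        cur_budget->exhausted = 1;
        errno = 0;          /* present as end-of-directory so glob(3) unwinds cleanly */
        return NULL;
    }
    cur_budget->readdir_calls++;
    return readdir((DIR *)dirp);
}

static int hook_lstat(const char *p, struct stat *sb) { cur_budget->stat_calls++; return lstat(p, sb); }
static int hook_stat(const char *p, struct stat *sb)  { cur_budget->stat_calls++; return stat(p, sb); }

/* Expand `pattern` reading at most `readdir_max` directory entries in total.
 * Returns 0 on success, GLOB_TRUNCATED if the budget ran out (treat *g as an
 * error, not as "fewer files"), or the glob(3) error code.  Caller globfree()s g. */
int budgeted_glob(const char *pattern, size_t readdir_max, struct glob_budget *b, glob_t *g)
{
    int rv;
    memset(b, 0, sizeof(*b));
    b->readdir_max = readdir_max;
    memset(g, 0, sizeof(*g));
    /* glibc declares these fields with void * unless _GNU_SOURCE is in effect */
    g->gl_opendir  = (__typeof__(g->gl_opendir))hook_opendir;
    g->gl_readdir  = (__typeof__(g->gl_readdir))hook_readdir;
    g->gl_closedir = (__typeof__(g->gl_closedir))hook_closedir;
    g->gl_lstat    = (__typeof__(g->gl_lstat))hook_lstat;
    g->gl_stat     = (__typeof__(g->gl_stat))hook_stat;
    cur_budget = b;
    rv = glob(pattern, GLOB_ALTDIRFUNC | GLOB_NOSORT, NULL, g);
    cur_budget = NULL;
    return b->exhausted ? GLOB_TRUNCATED : rv;
}

/* Constructed fixture: a fresh temporary directory with n files f000.txt, f001.txt, ... */
static int make_fixture(char *dir, size_t dirsz, int n)
{
    char path[PATH_MAX];
    int i;
    snprintf(dir, dirsz, "/tmp/globbudget.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    for (i = 0; i < n; i++) {
        FILE *f;
        snprintf(path, sizeof(path), "%s/f%03d.txt", dir, i);
        if ((f = fopen(path, "w")) == NULL)
            return -1;
        fclose(f);
    }
    return 0;
}

static void remove_fixture(const char *dir, int n)
{
    char path[PATH_MAX];
    int i;
    for (i = 0; i < n; i++) {
        snprintf(path, sizeof(path), "%s/f%03d.txt", dir, i);
        unlink(path);
    }
    rmdir(dir);
}

/* Run one expansion over a 12-file fixture under `readdir_max`; the match
 * count is reported through *matches, the budgeted_glob() result returned. */
int demo(size_t readdir_max, size_t *matches)
{
    char dir[64], pattern[128];
    struct glob_budget b;
    glob_t g;
    int rv;
    if (make_fixture(dir, sizeof(dir), 12) != 0)
        return DEMO_FIXTURE_FAILED;
    snprintf(pattern, sizeof(pattern), "%s/*.txt", dir);
    rv = budgeted_glob(pattern, readdir_max, &b, &g);
    if (matches != NULL)
        *matches = g.gl_pathc;
    globfree(&g);
    remove_fixture(dir, 12);
    return rv;
}

int main(void)
{
    size_t m = 0;
    int rv = demo(1000, &m);
    printf("budget 1000: rv=%d matches=%zu\n", rv, m);   /* rv=0 matches=12 */
    rv = demo(5, &m);
    printf("budget 5:    rv=%d matches=%zu\n", rv, m);   /* rv=-100, matches < 12 */
    return 0;
}
```

With a budget of 5 the hook stops enumeration after five entries ("." and ".." count, just as they consume readdir calls in the patched glob3()), glob(3) returns whatever matched so far, and `budgeted_glob()` reports GLOB_TRUNCATED instead of that partial list. On FreeBSD after this patch a caller using GLOB_LIMIT gets the same protection inside libc, but has to test `rv == GLOB_NOSPACE && errno == 0` to recognise it, because the hunks deliberately clear errno before returning GLOB_NOSPACE; a caller-side budget gives an unambiguous code and lets the server pick the bound per request.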