From: "Simon L. Nielsen"
Date: Thu, 22 Nov 2012 23:46:26 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r40128 - in head/share: security/advisories security/patches/SA-12:06 security/patches/SA-12:07 security/patches/SA-12:08 xml

Author: simon
Date: Thu Nov 22 23:46:26 2012
New Revision: 40128
URL: http://svnweb.freebsd.org/changeset/doc/40128

Log:
  Add latest advisories.

Added:
  head/share/security/advisories/FreeBSD-SA-12:06.bind.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-12:08.linux.asc   (contents, props changed)
  head/share/security/patches/SA-12:06/
  head/share/security/patches/SA-12:06/bind.patch   (contents, props changed)
  head/share/security/patches/SA-12:06/bind.patch.asc   (contents, props changed)
  head/share/security/patches/SA-12:07/
  head/share/security/patches/SA-12:07/hostapd-8.patch   (contents, props changed)
  head/share/security/patches/SA-12:07/hostapd-8.patch.asc   (contents, props changed)
  head/share/security/patches/SA-12:07/hostapd.patch   (contents, props changed)
  head/share/security/patches/SA-12:07/hostapd.patch.asc   (contents, props changed)
  head/share/security/patches/SA-12:08/
  head/share/security/patches/SA-12:08/linux.patch   (contents, props changed)
  head/share/security/patches/SA-12:08/linux.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-12:06.bind.asc
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-12:06.bind.asc Thu Nov 22 23:46:26 2012 (r40128) 
@@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-12:06.bind Security Advisory + The FreeBSD Project + +Topic: Multiple Denial of Service vulnerabilities with named(8) + +Category: contrib +Module: bind +Announced: 2012-11-22 +Affects: All supported versions of FreeBSD before 9.1-RC2. +Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE) + 2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11) + 2012-10-11 13:25:09 UTC (RELENG_8, 8.3-STABLE) + 2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5) + 2012-10-10 19:50:15 UTC (RELENG_9, 9.1-PRERELEASE) + 2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1) +CVE Name: CVE-2012-4244, CVE-2012-5166 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. + +II. Problem Description + +The BIND daemon would crash when a query is made on a resource record +with RDATA that exceeds 65535 bytes. + +The BIND daemon would lock up when a query is made on specific +combinations of RDATA. + +III. Impact + +A remote attacker can query a resolving name server to retrieve a record +whose RDATA is known to be larger than 65535 bytes, thereby causing the +resolving server to crash via an assertion failure in named. + +An attacker who is in a position to add a record with RDATA larger than +65535 bytes to an authoritative name server can cause that server to +crash by later querying for that record. + +The attacker can also cause the server to lock up with specific +combinations of RDATA. + +IV. 
Workaround + +No workaround is available, but systems not running the BIND name +server are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, +or to the RELENG_7_4, RELENG_8_3, or RELENG_9_0 security branch dated +after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to FreeBSD 7.4, +8.3, and 9.0 systems. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch +# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +3) To update your vulnerable system via a binary patch: + +Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, or 9.1-RC1 on +the i386 or amd64 platforms can be updated via the freebsd-update(8) +utility: + +# freebsd-update fetch +# freebsd-update install + +4) Install and run BIND from the Ports Collection after the correction +date. The following versions and newer versions of BIND installed from +the Ports Collection are not affected by this vulnerability: + + bind96-9.6.3.1.ESV.R7.4 + bind97-9.7.6.4 + bind98-9.8.3.4 + bind99-9.9.1.4 + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Subversion: + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/7/ r243418 +releng/7.4/ r243417 +stable/8/ r241443 +releng/8.3/ r243417 +stable/9/ r241415 +releng/9.0/ r243417 +releng/9.1/ r243417 +- ------------------------------------------------------------------------- + +VII. 
References + +https://kb.isc.org/article/AA-00778 +https://kb.isc.org/article/AA-00801 + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166 + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.bind.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 + +iEYEARECAAYFAlCutVIACgkQFdaIBMps37JhPQCfcwCHE7CxzBnrMdszdFYODgQs +1+kAn316Rx2d0Ecig5JHUR3broq5Hpog +=EklC +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc Thu Nov 22 23:46:26 2012 (r40128) 
@@ -0,0 +1,129 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-12:07.hostapd Security Advisory + The FreeBSD Project + +Topic: Insufficient message length validation for EAP-TLS messages + +Category: contrib +Module: wpa +Announced: 2012-11-22 +Credits: Timo Warns, Jouni Malinen +Affects: FreeBSD 8.0 and later. +Corrected: 2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE) + 2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5) + 2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE) + 2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1) +CVE Name: CVE-2012-4445 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The hostapd utility is an authenticator for IEEE 802.11 networks. It +provides full support for WPA/IEEE 802.11i and can also act as an IEEE +802.1X Authenticator with a suitable backend Authentication Server +(typically FreeRADIUS). + +EAP-TLS is the original, standard wireless LAN EAP authentication +protocol defined in RFC 5216. It uses PKI to secure communication to a +RADIUS authentication server or another type of authentication server. + +II. Problem Description + +The internal authentication server of hostapd does not sufficiently +validate the message length field of EAP-TLS messages. + +III. Impact + +A remote attacker could cause the hostapd daemon to abort by sending +specially crafted EAP-TLS messages, resulting in a Denial of Service. + +IV. Workaround + +No workaround is available, but systems not running hostapd are not +vulnerable. + +Note that for FreeBSD 8.x systems, the EAP-TLS authentication method +is not enabled by default. 
Systems running FreeBSD 8.x are only +affected when hostapd is built with -DEAP_SERVER and as such, binary +installations from the official release are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to 8-STABLE or 9-STABLE, or to +the RELENG_8_3, or RELENG_9_0 security branch dated after the +correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to FreeBSD 8.3 +and 9.0 systems. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 8.x] +# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch +# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch.asc + +[FreeBSD 9.x] + +# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch +# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in . + +3) To update your vulnerable system via a binary patch: + +Systems running 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1, 9.1-RC2, or 9.1-RC3 +on the i386 or amd64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Subversion: + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r +releng/8.3/ r +stable/9/ r +releng/9.0/ r +releng/9.1/ r +- ------------------------------------------------------------------------- + +VII. 
References + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445 + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.hostapd.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 + +iEYEARECAAYFAlCutVYACgkQFdaIBMps37IiwACfb85bpNnyzDRhlDnQiQ4lc6rC +MFsAoJ0KXKPu6focwcOGgwuQLhHjTpMx +=wijQ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-12:08.linux.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-12:08.linux.asc Thu Nov 22 23:46:26 2012 (r40128) 
@@ -0,0 +1,123 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-12:08.linux Security Advisory + The FreeBSD Project + +Topic: Linux compatibility layer input validation error + +Category: core +Module: kernel +Announced: 2012-11-22 +Credits: Mateusz Guzik +Affects: All supported versions of FreeBSD. +Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE) + 2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11) + 2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE) + 2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5) + 2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE) + 2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1) + 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1) +CVE Name: CVE-2012-4576 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +FreeBSD is binary-compatible with the Linux operating system through a +loadable kernel module/optional kernel component. + +II. Problem Description + +A programming error in the handling of some Linux system calls may +result in memory locations being accessed without proper validation. + +III. Impact + +It is possible for a local attacker to overwrite portions of kernel +memory, which may result in a privilege escalation or cause a system +panic. + +IV. Workaround + +No workaround is available, but systems not using the Linux binary +compatibility layer are not vulnerable. + +The following command can be used to test if the Linux binary +compatibility layer is loaded: + + # kldstat -m linuxelf + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, +or to the RELENG_7_4, RELENG_8_3, RELENG_9_0, or RELENG_9_1 security +branch dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to FreeBSD 7.4, +8.3, 9.0, and 9.1 systems. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch +# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1, +9.1-RC2, or 9.1-RC3 on the i386 or amd64 platforms can be updated via +the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the revision numbers of each file that was +corrected in FreeBSD. + +Subversion: + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/7/ r243418 +releng/7.4/ r243417 +stable/8/ r243417 +releng/8.3/ r243417 +stable/9/ r243417 +releng/9.0/ r243417 +releng/9.1/ r243417 +- ------------------------------------------------------------------------- + +VII. 
References + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4576 + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-12:08.linux.asc +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 + +iEYEARECAAYFAlCutVoACgkQFdaIBMps37JA4QCfZ/wp/ysDIJd1VwF525PzimTt +BUwAoJdU6pddJeJCsHfZ8812cAsrsLqP +=KVp4 +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-12:06/bind.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-12:06/bind.patch Thu Nov 22 23:46:26 2012 (r40128) 
@@ -0,0 +1,184 @@ +Index: contrib/bind9/bin/named/query.c +=================================================================== +--- contrib/bind9/bin/named/query.c (revision 241362) ++++ contrib/bind9/bin/named/query.c (working copy) +@@ -1140,7 +1140,0 @@ query_isduplicate(ns_client_t *client, dns_name_t +- /* +- * If the dns_name_t we're looking up is already in the message, +- * we don't want to trigger the caller's name replacement logic. +- */ +- if (name == mname) +- mname = NULL; +- +@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_t *name, d + if (dns_rdataset_isassociated(rdataset) && + !query_isduplicate(client, fname, type, &mname)) { + if (mname != NULL) { ++ INSIST(mname != fname); + query_releasename(client, &fname); + fname = mname; + } else +@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_t *name, d + mname = NULL; + if (!query_isduplicate(client, fname, + dns_rdatatype_a, &mname)) { ++ if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; ++ } + ISC_LIST_APPEND(fname->list, rdataset, link); + added_something = ISC_TRUE; + if (sigrdataset != NULL && +@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_t *name, d + mname = NULL; + if (!query_isduplicate(client, fname, + dns_rdatatype_aaaa, &mname)) { ++ if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; ++ } + ISC_LIST_APPEND(fname->list, rdataset, link); + added_something = ISC_TRUE; + if (sigrdataset != NULL && +@@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name_t *name, + crdataset->type == dns_rdatatype_aaaa) { + if (!query_isduplicate(client, fname, crdataset->type, + &mname)) { ++ if (mname != fname) { + if (mname != NULL) { + /* + * A different type of this name is +@@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name_t *name, + mname0 = mname; + } else + need_addname = 
ISC_TRUE; ++ } + ISC_LIST_UNLINK(cfname.list, crdataset, link); + ISC_LIST_APPEND(fname->list, crdataset, link); + added_something = ISC_TRUE; +Index: contrib/bind9/lib/dns/include/dns/rdata.h +=================================================================== +--- contrib/bind9/lib/dns/include/dns/rdata.h (revision 241362) ++++ contrib/bind9/lib/dns/include/dns/rdata.h (working copy) +@@ -147,6 +147,17 @@ struct dns_rdata { + (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0) + + /* ++ * The maximum length of a RDATA that can be sent on the wire. ++ * Max packet size (65535) less header (12), less name (1), type (2), ++ * class (2), ttl(4), length (2). ++ * ++ * None of the defined types that support name compression can exceed ++ * this and all new types are to be sent uncompressed. ++ */ ++ ++#define DNS_RDATA_MAXLENGTH 65512U ++ ++/* + * Flags affecting rdata formatting style. Flags 0xFFFF0000 + * are used by masterfile-level formatting and defined elsewhere. + * See additional comments at dns_rdata_tofmttext(). 
+Index: contrib/bind9/lib/dns/master.c +=================================================================== +--- contrib/bind9/lib/dns/master.c (revision 241362) ++++ contrib/bind9/lib/dns/master.c (working copy) +@@ -75,7 +75,7 @@ + /*% + * max message size - header - root - type - class - ttl - rdlen + */ +-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) ++#define MINTSIZ DNS_RDATA_MAXLENGTH + /*% + * Size for tokens in the presentation format, + * The largest tokens are the base64 blocks in KEY and CERT records, +Index: contrib/bind9/lib/dns/rdata.c +=================================================================== +--- contrib/bind9/lib/dns/rdata.c (revision 241362) ++++ contrib/bind9/lib/dns/rdata.c (working copy) +@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl + isc_buffer_t st; + isc_boolean_t use_default = ISC_FALSE; + isc_uint32_t activelength; ++ size_t length; + + REQUIRE(dctx != NULL); + if (rdata != NULL) { +@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl + } + + /* ++ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH ++ * as we cannot transmit it. ++ */ ++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); ++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) ++ result = DNS_R_FORMERR; ++ ++ /* + * We should have consumed all of our buffer. 
+ */ + if (result == ISC_R_SUCCESS && !buffer_empty(source)) +@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl + + if (rdata != NULL && result == ISC_R_SUCCESS) { + region.base = isc_buffer_used(&st); +- region.length = isc_buffer_usedlength(target) - +- isc_buffer_usedlength(&st); ++ region.length = length; + dns_rdata_fromregion(rdata, rdclass, type, ®ion); + } + +@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdatacl + unsigned long line; + void (*callback)(dns_rdatacallbacks_t *, const char *, ...); + isc_result_t tresult; ++ size_t length; + + REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); + if (rdata != NULL) { +@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdatacl + } + } while (1); + ++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); ++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) ++ result = ISC_R_NOSPACE; ++ + if (rdata != NULL && result == ISC_R_SUCCESS) { + region.base = isc_buffer_used(&st); +- region.length = isc_buffer_usedlength(target) - +- isc_buffer_usedlength(&st); ++ region.length = length; + dns_rdata_fromregion(rdata, rdclass, type, ®ion); + } + if (result != ISC_R_SUCCESS) { +@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdata + isc_buffer_t st; + isc_region_t region; + isc_boolean_t use_default = ISC_FALSE; ++ size_t length; + + REQUIRE(source != NULL); + if (rdata != NULL) { +@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdata + if (use_default) + (void)NULL; + ++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); ++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) ++ result = ISC_R_NOSPACE; ++ + if (rdata != NULL && result == ISC_R_SUCCESS) { + region.base = isc_buffer_used(&st); +- region.length = isc_buffer_usedlength(target) - +- isc_buffer_usedlength(&st); ++ region.length = length; + dns_rdata_fromregion(rdata, rdclass, type, ®ion); + } + if (result != 
ISC_R_SUCCESS) Added: head/share/security/patches/SA-12:06/bind.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-12:06/bind.patch.asc Thu Nov 22 23:46:26 2012 (r40128) @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 + +iEYEABECAAYFAlCutW0ACgkQFdaIBMps37Jv4ACfQSkD3485eTAzkfovm8D93DvE +qXEAn3IiThUYmh8j//lwUN1iKcf61Wp/ +=TTmP +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-12:07/hostapd-8.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-12:07/hostapd-8.patch Thu Nov 22 23:46:26 2012 (r40128) @@ -0,0 +1,18 @@ +Index: contrib/wpa/src/eap_server/eap_tls_common.c +=================================================================== +--- contrib/wpa/src/eap_server/eap_tls_common.c (revision 240976) ++++ contrib/wpa/src/eap_server/eap_tls_common.c (working copy) +@@ -220,6 +220,13 @@ static int eap_server_tls_process_fragment(struct + " over 64 kB)"); + return -1; + } ++ if (len > message_length) { ++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " ++ "first fragment of frame (TLS Message " ++ "Length %d bytes)", ++ (int) len, (int) message_length); ++ return -1; ++ } + + data->in_buf = wpabuf_alloc(message_length); + if (data->in_buf == NULL) { Added: head/share/security/patches/SA-12:07/hostapd-8.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-12:07/hostapd-8.patch.asc Thu Nov 22 23:46:26 2012 (r40128) 
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 + +iEYEABECAAYFAlCutWkACgkQFdaIBMps37ID9wCghACRhZoqwo7c2lb2yS4CeT+r +mLcAn03eMFp1mpjDmq6ZU95v4ocwmSfP +=qF0E +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-12:07/hostapd.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-12:07/hostapd.patch Thu Nov 22 23:46:26 2012 (r40128) @@ -0,0 +1,19 @@ +Index: contrib/wpa/src/eap_server/eap_server_tls_common.c +=================================================================== +--- contrib/wpa/src/eap_server/eap_server_tls_common.c (revision 240924) ++++ contrib/wpa/src/eap_server/eap_server_tls_common.c (working copy) +@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct + return -1; + } + ++ if (len > message_length) { ++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " ++ "first fragment of frame (TLS Message " ++ "Length %d bytes)", ++ (int) len, (int) message_length); ++ return -1; ++ } ++ + data->tls_in = wpabuf_alloc(message_length); + if (data->tls_in == NULL) { + wpa_printf(MSG_DEBUG, "SSL: No memory for message"); Added: head/share/security/patches/SA-12:07/hostapd.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-12:07/hostapd.patch.asc Thu Nov 22 23:46:26 2012 (r40128) @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 + +iEYEABECAAYFAlCutWYACgkQFdaIBMps37J+fACfXVjO/+y2+MwRSzNqKGg8aqJ+ +rpMAn0YUlFyhwIlMISyDUAQl+NZ75QLI +=Yl8o +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-12:08/linux.patch ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-12:08/linux.patch Thu Nov 22 23:46:26 2012 (r40128) @@ -0,0 +1,16 @@ +Index: sys/compat/linux/linux_ioctl.c +=================================================================== +--- sys/compat/linux/linux_ioctl.c (revision 242578) ++++ sys/compat/linux/linux_ioctl.c (working copy) +@@ -2260,8 +2260,9 @@ again: + + ifc.ifc_len = valid_len; + sbuf_finish(sb); +- memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len); +- error = copyout(&ifc, uifc, sizeof(ifc)); ++ error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len); ++ if (error == 0) ++ error = copyout(&ifc, uifc, sizeof(ifc)); + sbuf_delete(sb); + CURVNET_RESTORE(); + Added: head/share/security/patches/SA-12:08/linux.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-12:08/linux.patch.asc Thu Nov 22 23:46:26 2012 (r40128) @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 + +iEYEABECAAYFAlCutWMACgkQFdaIBMps37JOZQCdE0l9Djh4BQUR7EmtU4GLVfGl +4RcAnjbbX3c7i759WOQmSWrItD8NyI/g +=nWGE +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Thu Nov 22 13:44:34 2012 (r40127) +++ head/share/xml/advisories.xml Thu Nov 22 23:46:26 2012 (r40128) @@ -8,6 +8,26 @@ 2012 + 11 + + + 22 + + + FreeBSD-SA-12:08.bind + + + + FreeBSD-SA-12:07.hostapd + + + + FreeBSD-SA-12:06.bind + + + + + 8
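
Review bot: In head/share/xml/advisories.xml the first new entry is named FreeBSD-SA-12:08.bind, but the advisory file added in this same commit is FreeBSD-SA-12:08.linux.asc, so the generated link for 12:08 will point at a file that does not exist. Change the entry to FreeBSD-SA-12:08.linux; the FreeBSD-SA-12:07.hostapd and FreeBSD-SA-12:06.bind entries match their files.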
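
Review bot: In FreeBSD-SA-12:07.hostapd.asc the closing "latest revision of this advisory" URL reads FreeBSD-SA-12:06.hostapd.asc, which does not match the 12:07 file being added, and every row of the "Correction details" table (stable/8/ through releng/9.1/) ends in a bare "r" with no revision number. Both need fixing before publication, and since the text sits inside a PGP SIGNED MESSAGE block the advisory has to be re-signed afterwards.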
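
Review bot: In FreeBSD-SA-12:06.bind.asc the release coverage is inconsistent across sections. "Affects" says all supported versions before 9.1-RC2, yet "Corrected" lists RELENG_9_1 fixes for 9.1-RC2-p1 and 9.1-RC3-p1 and the correction table includes releng/9.1/. Solution 1 and the "verified to apply" sentence omit RELENG_9_1 and 9.1, and the freebsd-update paragraph names only 9.1-RC1, while the 12:07 and 12:08 advisories in this commit name 9.1-RC1, 9.1-RC2 and 9.1-RC3. Please align these so an operator on 9.1-RC2 or 9.1-RC3 can tell whether they are affected and how to update.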
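
Review bot: In bind.patch, contrib/bind9/bin/named/query.c, the first query_addadditional hunk handles the case with INSIST(mname != fname) while the A, AAAA and query_addadditional2 hunks handle it with an if (mname != fname) guard. The patch also removes the block in query_isduplicate that set mname = NULL when name == mname, so callers can now see mname == fname, and at the INSIST site that would abort named, which is the failure class this advisory addresses. Either add a comment stating why the two can never be equal on that path or use the same guard as the other three sites. The bodies wrapped by the new if blocks are also left at their old indentation, which makes the nesting hard to read.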
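
Review bot: In bind.patch, contrib/bind9/lib/dns/rdata.c, the same length > DNS_RDATA_MAXLENGTH check is added to dns_rdata_fromwire, dns_rdata_fromtext and dns_rdata_fromstruct, but only the fromwire copy carries a comment, and it returns DNS_R_FORMERR while the other two return ISC_R_NOSPACE. Please add a one-line comment at the fromtext and fromstruct sites explaining the limit and why the error code differs, or move the check into a small shared helper so the three copies cannot drift apart. The new DNS_RDATA_MAXLENGTH definition in rdata.h and the MINTSIZ change in master.c look consistent with each other (65535 - 12 - 1 - 2 - 2 - 4 - 2 = 65512).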
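
Review bot: In hostapd-8.patch and hostapd.patch, the new len > message_length rejection in eap_server_tls_process_fragment logs at MSG_INFO, while the neighbouring "No memory for message" failure visible in the 9.x hunk logs at MSG_DEBUG. This branch is reached by data from an unauthenticated peer, so consider whether a peer can use it to fill logs and whether MSG_DEBUG would be the better level. The format also prints len and message_length with %d after casting to int; message_length is bounded by the preceding 64 kB check, but len is not visibly bounded in this hunk, so an unsigned format would be safer for the log line.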
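
Review bot: In linux.patch, sys/compat/linux/linux_ioctl.c, the replacement of memcpy(PTRIN(ifc.ifc_buf), ...) with copyout() deserves a short comment saying that ifc.ifc_buf is a user-supplied address and must never be written directly from kernel context, so the direct copy is not reintroduced later. The hunk sets ifc.ifc_len = valid_len just before the copy but does not show how valid_len relates to the buffer length the caller passed in; please confirm that bound is enforced earlier in the function. Skipping the second copyout when the first fails, while still reaching sbuf_delete() and CURVNET_RESTORE(), looks correct.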