Date:      Thu, 22 Nov 2012 23:46:26 +0000 (UTC)
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r40128 - in head/share: security/advisories security/patches/SA-12:06 security/patches/SA-12:07 security/patches/SA-12:08 xml
Message-ID:  <201211222346.qAMNkQiM092733@svn.freebsd.org>

Author: simon
Date: Thu Nov 22 23:46:26 2012
New Revision: 40128
URL: http://svnweb.freebsd.org/changeset/doc/40128

Log:
  Add latest advisories.

Added:
  head/share/security/advisories/FreeBSD-SA-12:06.bind.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-12:08.linux.asc   (contents, props changed)
  head/share/security/patches/SA-12:06/
  head/share/security/patches/SA-12:06/bind.patch   (contents, props changed)
  head/share/security/patches/SA-12:06/bind.patch.asc   (contents, props changed)
  head/share/security/patches/SA-12:07/
  head/share/security/patches/SA-12:07/hostapd-8.patch   (contents, props changed)
  head/share/security/patches/SA-12:07/hostapd-8.patch.asc   (contents, props changed)
  head/share/security/patches/SA-12:07/hostapd.patch   (contents, props changed)
  head/share/security/patches/SA-12:07/hostapd.patch.asc   (contents, props changed)
  head/share/security/patches/SA-12:08/
  head/share/security/patches/SA-12:08/linux.patch   (contents, props changed)
  head/share/security/patches/SA-12:08/linux.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-12:06.bind.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-12:06.bind.asc	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-12:06.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple Denial of Service vulnerabilities with named(8)
+
+Category:       contrib
+Module:         bind
+Announced:      2012-11-22
+Affects:        All supported versions of FreeBSD before 9.1-RC2.
+Corrected:      2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
+                2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
+                2012-10-11 13:25:09 UTC (RELENG_8, 8.3-STABLE)
+                2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
+                2012-10-10 19:50:15 UTC (RELENG_9, 9.1-PRERELEASE)
+                2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
+CVE Name:       CVE-2012-4244, CVE-2012-5166
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II.  Problem Description
+
+The BIND daemon would crash when a query is made on a resource record
+with RDATA that exceeds 65535 bytes.
+
+The BIND daemon would lock up when a query is made on specific
+combinations of RDATA.
+
+III. Impact
+
+A remote attacker can query a resolving name server to retrieve a record
+whose RDATA is known to be larger than 65535 bytes, thereby causing the
+resolving server to crash via an assertion failure in named.
+
+An attacker who is in a position to add a record with RDATA larger than
+65535 bytes to an authoritative name server can cause that server to
+crash by later querying for that record.
+
+The attacker can also cause the server to lock up with specific
+combinations of RDATA.
+
+IV.  Workaround
+
+No workaround is available, but systems not running the BIND name
+server are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
+or to the RELENG_7_4, RELENG_8_3, or RELENG_9_0 security branch dated
+after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to FreeBSD 7.4,
+8.3, and 9.0 systems.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch
+# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, or 9.1-RC1 on
+the i386 or amd64 platforms can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+4) Install and run BIND from the Ports Collection after the correction
+date.  The following versions and newer versions of BIND installed from
+the Ports Collection are not affected by this vulnerability:
+
+        bind96-9.6.3.1.ESV.R7.4
+        bind97-9.7.6.4
+        bind98-9.8.3.4
+        bind99-9.9.1.4
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Subversion:
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/7/                                                         r243418
+releng/7.4/                                                       r243417
+stable/8/                                                         r241443
+releng/8.3/                                                       r243417
+stable/9/                                                         r241415
+releng/9.0/                                                       r243417
+releng/9.1/                                                       r243417
+- -------------------------------------------------------------------------
+
+VII. References
+
+https://kb.isc.org/article/AA-00778
+https://kb.isc.org/article/AA-00801
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.bind.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEARECAAYFAlCutVIACgkQFdaIBMps37JhPQCfcwCHE7CxzBnrMdszdFYODgQs
+1+kAn316Rx2d0Ecig5JHUR3broq5Hpog
+=EklC
+-----END PGP SIGNATURE-----
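
Review bot: Section V, option 1 names only the RELENG_7_4, RELENG_8_3 and RELENG_9_0 security branches, while the Corrected header and the correction details table both list RELENG_9_1 (releng/9.1 at r243417); add RELENG_9_1 there so readers on the 9.1 release candidates can see that a fixed branch exists. Option 3 has the same gap: it offers freebsd-update for 9.1-RC1 only, although 9.1-RC2-p1 and 9.1-RC3-p1 appear as corrected in the header, and the Affects line says "before 9.1-RC2" while those two patch levels are listed. Because the text sits inside a clearsigned message, any correction needs a fresh signature.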

Added: head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-12:07.hostapd                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Insufficient message length validation for EAP-TLS messages
+
+Category:       contrib
+Module:         wpa
+Announced:      2012-11-22
+Credits:        Timo Warns, Jouni Malinen
+Affects:        FreeBSD 8.0 and later.
+Corrected:      2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
+                2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
+                2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
+                2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
+CVE Name:       CVE-2012-4445
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The hostapd utility is an authenticator for IEEE 802.11 networks.  It
+provides full support for WPA/IEEE 802.11i and can also act as an IEEE
+802.1X Authenticator with a suitable backend Authentication Server
+(typically FreeRADIUS).
+
+EAP-TLS is the original, standard wireless LAN EAP authentication
+protocol defined in RFC 5216.  It uses PKI to secure communication to a
+RADIUS authentication server or another type of authentication server.
+
+II.  Problem Description
+
+The internal authentication server of hostapd does not sufficiently
+validate the message length field of EAP-TLS messages.
+
+III. Impact
+
+A remote attacker could cause the hostapd daemon to abort by sending
+specially crafted EAP-TLS messages, resulting in a Denial of Service.
+
+IV.  Workaround
+
+No workaround is available, but systems not running hostapd are not
+vulnerable.
+
+Note that for FreeBSD 8.x systems, the EAP-TLS authentication method
+is not enabled by default.  Systems running FreeBSD 8.x are only
+affected when hostapd is built with -DEAP_SERVER and as such, binary
+installations from the official release are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to 8-STABLE or 9-STABLE, or to
+the RELENG_8_3, or RELENG_9_0 security branch dated after the
+correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to FreeBSD 8.3
+and 9.0 systems.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 8.x]
+# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch
+# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch.asc
+
+[FreeBSD 9.x]
+
+# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch
+# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1, 9.1-RC2, or 9.1-RC3
+on the i386 or amd64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Subversion:
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                     r<revision>
+releng/8.3/                                                   r<revision>
+stable/9/                                                     r<revision>
+releng/9.0/                                                   r<revision>
+releng/9.1/                                                   r<revision>
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.hostapd.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEARECAAYFAlCutVYACgkQFdaIBMps37IiwACfb85bpNnyzDRhlDnQiQ4lc6rC
+MFsAoJ0KXKPu6focwcOGgwuQLhHjTpMx
+=wijQ
+-----END PGP SIGNATURE-----
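
Review bot: The "latest revision of this advisory" URL at the end points to FreeBSD-SA-12:06.hostapd.asc, but this file is FreeBSD-SA-12:07.hostapd.asc, so the link does not lead to this advisory. The correction details table also still carries the template placeholder "r<revision>" on all five branch rows instead of revision numbers, and Solution option 1 omits RELENG_9_1 even though the header lists it as corrected. All three are inside the clearsigned body, so fixing them means re-signing the advisory.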

Added: head/share/security/advisories/FreeBSD-SA-12:08.linux.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-12:08.linux.asc	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,123 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-12:08.linux                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Linux compatibility layer input validation error
+
+Category:       core
+Module:         kernel
+Announced:      2012-11-22
+Credits:        Mateusz Guzik
+Affects:        All supported versions of FreeBSD.
+Corrected:      2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
+                2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
+                2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
+                2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
+                2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
+                2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
+                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
+CVE Name:       CVE-2012-4576
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD is binary-compatible with the Linux operating system through a
+loadable kernel module/optional kernel component.
+
+II.  Problem Description
+
+A programming error in the handling of some Linux system calls may
+result in memory locations being accessed without proper validation.
+
+III. Impact
+
+It is possible for a local attacker to overwrite portions of kernel
+memory, which may result in a privilege escalation or cause a system
+panic.
+
+IV.  Workaround
+
+No workaround is available, but systems not using the Linux binary
+compatibility layer are not vulnerable.
+
+The following command can be used to test if the Linux binary
+compatibility layer is loaded:
+
+	# kldstat -m linuxelf
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
+or to the RELENG_7_4, RELENG_8_3, RELENG_9_0, or RELENG_9_1 security
+branch dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to FreeBSD 7.4,
+8.3, 9.0, and 9.1 systems.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch
+# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1,
+9.1-RC2, or 9.1-RC3 on the i386 or amd64 platforms can be updated via
+the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Subversion:
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/7/                                                         r243418
+releng/7.4/                                                       r243417
+stable/8/                                                         r243417
+releng/8.3/                                                       r243417
+stable/9/                                                         r243417
+releng/9.0/                                                       r243417
+releng/9.1/                                                       r243417
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4576
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-12:08.linux.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEARECAAYFAlCutVoACgkQFdaIBMps37JA4QCfZ/wp/ysDIJd1VwF525PzimTt
+BUwAoJdU6pddJeJCsHfZ8812cAsrsLqP
+=KVp4
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-12:06/bind.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-12:06/bind.patch	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,184 @@
+Index: contrib/bind9/bin/named/query.c
+===================================================================
+--- contrib/bind9/bin/named/query.c	(revision 241362)
++++ contrib/bind9/bin/named/query.c	(working copy)
+@@ -1140,7 +1140,0 @@ query_isduplicate(ns_client_t *client, dns_name_t
+-	/*
+-	 * If the dns_name_t we're looking up is already in the message,
+-	 * we don't want to trigger the caller's name replacement logic.
+-	 */
+-	if (name == mname)
+-		mname = NULL;
+-
+@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_t *name, d
+ 	if (dns_rdataset_isassociated(rdataset) &&
+ 	    !query_isduplicate(client, fname, type, &mname)) {
+ 		if (mname != NULL) {
++			INSIST(mname != fname);
+ 			query_releasename(client, &fname);
+ 			fname = mname;
+ 		} else
+@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_t *name, d
+ 			mname = NULL;
+ 			if (!query_isduplicate(client, fname,
+ 					       dns_rdatatype_a, &mname)) {
++				if (mname != fname) {
+ 				if (mname != NULL) {
+ 					query_releasename(client, &fname);
+ 					fname = mname;
+ 				} else
+ 					need_addname = ISC_TRUE;
++				}
+ 				ISC_LIST_APPEND(fname->list, rdataset, link);
+ 				added_something = ISC_TRUE;
+ 				if (sigrdataset != NULL &&
+@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_t *name, d
+ 			mname = NULL;
+ 			if (!query_isduplicate(client, fname,
+ 					       dns_rdatatype_aaaa, &mname)) {
++				if (mname != fname) {
+ 				if (mname != NULL) {
+ 					query_releasename(client, &fname);
+ 					fname = mname;
+ 				} else
+ 					need_addname = ISC_TRUE;
++				}
+ 				ISC_LIST_APPEND(fname->list, rdataset, link);
+ 				added_something = ISC_TRUE;
+ 				if (sigrdataset != NULL &&
+@@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name_t *name,
+ 		    crdataset->type == dns_rdatatype_aaaa) {
+ 			if (!query_isduplicate(client, fname, crdataset->type,
+ 					       &mname)) {
++				if (mname != fname) {
+ 				if (mname != NULL) {
+ 					/*
+ 					 * A different type of this name is
+@@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name_t *name,
+ 					mname0 = mname;
+ 				} else
+ 					need_addname = ISC_TRUE;
++				}
+ 				ISC_LIST_UNLINK(cfname.list, crdataset, link);
+ 				ISC_LIST_APPEND(fname->list, crdataset, link);
+ 				added_something = ISC_TRUE;
+Index: contrib/bind9/lib/dns/include/dns/rdata.h
+===================================================================
+--- contrib/bind9/lib/dns/include/dns/rdata.h	(revision 241362)
++++ contrib/bind9/lib/dns/include/dns/rdata.h	(working copy)
+@@ -147,6 +147,17 @@ struct dns_rdata {
+ 	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+ 
+ /*
++ * The maximum length of a RDATA that can be sent on the wire.
++ * Max packet size (65535) less header (12), less name (1), type (2),
++ * class (2), ttl(4), length (2).
++ *
++ * None of the defined types that support name compression can exceed
++ * this and all new types are to be sent uncompressed.
++ */
++
++#define DNS_RDATA_MAXLENGTH	65512U
++
++/*
+  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
+  * are used by masterfile-level formatting and defined elsewhere.
+  * See additional comments at dns_rdata_tofmttext().
+Index: contrib/bind9/lib/dns/master.c
+===================================================================
+--- contrib/bind9/lib/dns/master.c	(revision 241362)
++++ contrib/bind9/lib/dns/master.c	(working copy)
+@@ -75,7 +75,7 @@
+ /*%
+  * max message size - header - root - type - class - ttl - rdlen
+  */
+-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
++#define MINTSIZ DNS_RDATA_MAXLENGTH
+ /*%
+  * Size for tokens in the presentation format,
+  * The largest tokens are the base64 blocks in KEY and CERT records,
+Index: contrib/bind9/lib/dns/rdata.c
+===================================================================
+--- contrib/bind9/lib/dns/rdata.c	(revision 241362)
++++ contrib/bind9/lib/dns/rdata.c	(working copy)
+@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
+ 	isc_buffer_t st;
+ 	isc_boolean_t use_default = ISC_FALSE;
+ 	isc_uint32_t activelength;
++	size_t length;
+ 
+ 	REQUIRE(dctx != NULL);
+ 	if (rdata != NULL) {
+@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
+ 	}
+ 
+ 	/*
++	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
++	 * as we cannot transmit it.
++	 */
++	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++		result = DNS_R_FORMERR;
++
++	/*
+ 	 * We should have consumed all of our buffer.
+ 	 */
+ 	if (result == ISC_R_SUCCESS && !buffer_empty(source))
+@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
+ 
+ 	if (rdata != NULL && result == ISC_R_SUCCESS) {
+ 		region.base = isc_buffer_used(&st);
+-		region.length = isc_buffer_usedlength(target) -
+-				isc_buffer_usedlength(&st);
++		region.length = length;
+ 		dns_rdata_fromregion(rdata, rdclass, type, &region);
+ 	}
+ 
+@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdatacl
+ 	unsigned long line;
+ 	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
+ 	isc_result_t tresult;
++	size_t length;
+ 
+ 	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
+ 	if (rdata != NULL) {
+@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdatacl
+ 		}
+ 	} while (1);
+ 
++	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++		result = ISC_R_NOSPACE;
++
+ 	if (rdata != NULL && result == ISC_R_SUCCESS) {
+ 		region.base = isc_buffer_used(&st);
+-		region.length = isc_buffer_usedlength(target) -
+-				isc_buffer_usedlength(&st);
++		region.length = length;
+ 		dns_rdata_fromregion(rdata, rdclass, type, &region);
+ 	}
+ 	if (result != ISC_R_SUCCESS) {
+@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdata
+ 	isc_buffer_t st;
+ 	isc_region_t region;
+ 	isc_boolean_t use_default = ISC_FALSE;
++	size_t length;
+ 
+ 	REQUIRE(source != NULL);
+ 	if (rdata != NULL) {
+@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdata
+ 	if (use_default)
+ 		(void)NULL;
+ 
++	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++		result = ISC_R_NOSPACE;
++
+ 	if (rdata != NULL && result == ISC_R_SUCCESS) {
+ 		region.base = isc_buffer_used(&st);
+-		region.length = isc_buffer_usedlength(target) -
+-				isc_buffer_usedlength(&st);
++		region.length = length;
+ 		dns_rdata_fromregion(rdata, rdclass, type, &region);
+ 	}
+ 	if (result != ISC_R_SUCCESS)
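
Review bot: In query.c the call sites treat the new "mname == fname" case inconsistently: the first query_addadditional() site adds "INSIST(mname != fname);" while the A, AAAA and query_addadditional2() sites wrap the release logic in "if (mname != fname) {". With the "if (name == mname) mname = NULL;" guard removed from query_isduplicate(), every caller can now see that case, and an INSIST failure aborts named, so a comment at the first site saying why it cannot occur there would help the next reader. The wrapped blocks are also left at their old indentation, which makes the added closing brace easy to misread; a follow-up reindent would be worthwhile. In rdata.c, an oversize RDATA returns DNS_R_FORMERR from dns_rdata_fromwire() but ISC_R_NOSPACE from dns_rdata_fromtext() and dns_rdata_fromstruct(); a short comment on why the result codes differ would document the intent.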

Added: head/share/security/patches/SA-12:06/bind.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-12:06/bind.patch.asc	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEABECAAYFAlCutW0ACgkQFdaIBMps37Jv4ACfQSkD3485eTAzkfovm8D93DvE
+qXEAn3IiThUYmh8j//lwUN1iKcf61Wp/
+=TTmP
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-12:07/hostapd-8.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-12:07/hostapd-8.patch	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,18 @@
+Index: contrib/wpa/src/eap_server/eap_tls_common.c
+===================================================================
+--- contrib/wpa/src/eap_server/eap_tls_common.c	(revision 240976)
++++ contrib/wpa/src/eap_server/eap_tls_common.c	(working copy)
+@@ -220,6 +220,13 @@ static int eap_server_tls_process_fragment(struct
+ 				   " over 64 kB)");
+ 			return -1;
+ 		}
++		if (len > message_length) {
++			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++				   "first fragment of frame (TLS Message "
++				   "Length %d bytes)",
++				   (int) len, (int) message_length);
++			return -1;
++		}
+ 
+ 		data->in_buf = wpabuf_alloc(message_length);
+ 		if (data->in_buf == NULL) {
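
Review bot: The new "len > message_length" test covers only the first fragment, as its own log text says, and the hunk does not show how later fragments are checked against the space left in data->in_buf, which is allocated with exactly message_length bytes on the next line. Confirm that the continuation path has an equivalent bound before treating this as the complete fix, and consider a comment here pointing to where that check lives.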

Added: head/share/security/patches/SA-12:07/hostapd-8.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-12:07/hostapd-8.patch.asc	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEABECAAYFAlCutWkACgkQFdaIBMps37ID9wCghACRhZoqwo7c2lb2yS4CeT+r
+mLcAn03eMFp1mpjDmq6ZU95v4ocwmSfP
+=qF0E
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-12:07/hostapd.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-12:07/hostapd.patch	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,19 @@
+Index: contrib/wpa/src/eap_server/eap_server_tls_common.c
+===================================================================
+--- contrib/wpa/src/eap_server/eap_server_tls_common.c	(revision 240924)
++++ contrib/wpa/src/eap_server/eap_server_tls_common.c	(working copy)
+@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct
+ 			return -1;
+ 		}
+ 
++		if (len > message_length) {
++			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++				   "first fragment of frame (TLS Message "
++				   "Length %d bytes)",
++				   (int) len, (int) message_length);
++			return -1;
++		}
++
+ 		data->tls_in = wpabuf_alloc(message_length);
+ 		if (data->tls_in == NULL) {
+ 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");
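
Review bot: The log call "(int) len, (int) message_length" with "%d" narrows both values, and no upper bound on len is visible at this point in the hunk, so an oversized len could print as a negative or truncated number in the message meant to diagnose it. Casting to unsigned long and printing with %lu would keep the log accurate. The rejection is also logged at MSG_INFO while the allocation failure just below uses MSG_DEBUG; since a remote peer controls this path, check that the higher level cannot be used to flood the log.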

Added: head/share/security/patches/SA-12:07/hostapd.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-12:07/hostapd.patch.asc	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEABECAAYFAlCutWYACgkQFdaIBMps37J+fACfXVjO/+y2+MwRSzNqKGg8aqJ+
+rpMAn0YUlFyhwIlMISyDUAQl+NZ75QLI
+=Yl8o
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-12:08/linux.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-12:08/linux.patch	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,16 @@
+Index: sys/compat/linux/linux_ioctl.c
+===================================================================
+--- sys/compat/linux/linux_ioctl.c	(revision 242578)
++++ sys/compat/linux/linux_ioctl.c	(working copy)
+@@ -2260,8 +2260,9 @@ again:
+ 
+ 	ifc.ifc_len = valid_len; 
+ 	sbuf_finish(sb);
+-	memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
+-	error = copyout(&ifc, uifc, sizeof(ifc));
++	error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
++	if (error == 0)
++		error = copyout(&ifc, uifc, sizeof(ifc));
+ 	sbuf_delete(sb);
+ 	CURVNET_RESTORE();
+ 
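
Review bot: Missing comment at the new "copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len)" call: a one-line note that ifc.ifc_buf is a user-supplied address and must only be written through copyout() would guard against the removed memcpy() pattern being reintroduced. The error handling itself reads correctly, since the second copyout() is skipped on failure and sbuf_delete(sb) and CURVNET_RESTORE() still run on both paths.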

Added: head/share/security/patches/SA-12:08/linux.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-12:08/linux.patch.asc	Thu Nov 22 23:46:26 2012	(r40128)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEABECAAYFAlCutWMACgkQFdaIBMps37JOZQCdE0l9Djh4BQUR7EmtU4GLVfGl
+4RcAnjbbX3c7i759WOQmSWrItD8NyI/g
+=nWGE
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Thu Nov 22 13:44:34 2012	(r40127)
+++ head/share/xml/advisories.xml	Thu Nov 22 23:46:26 2012	(r40128)
@@ -8,6 +8,26 @@
     <name>2012</name>
 
     <month>
+      <name>11</name>
+
+      <day>
+	<name>22</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-12:08.bind</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-12:07.hostapd</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-12:06.bind</name>
+	</advisory>
+      </day>
+    </month>
+
+    <month>
       <name>8</name>
 
       <day>
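
Review bot: The first added <advisory> entry is named FreeBSD-SA-12:08.bind, but the advisory file added in this commit is FreeBSD-SA-12:08.linux.asc, so the name should be FreeBSD-SA-12:08.linux. As written, anything generated from advisories.xml will reference a name that matches no advisory in this commit.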


