Date:      Wed, 10 Dec 2014 16:42:09 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r46083 - in head/share: security/advisories security/patches/SA-14:27 security/patches/SA-14:28 security/patches/SA-14:29 xml
Message-ID:  <201412101642.sBAGg9DZ083963@svn.freebsd.org>

Author: des
Date: Wed Dec 10 16:42:08 2014
New Revision: 46083
URL: https://svnweb.freebsd.org/changeset/doc/46083

Log:
  Add SA-14:2[789]

Added:
  head/share/security/advisories/FreeBSD-SA-14:27.stdio.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:28.file.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:29.bind.asc   (contents, props changed)
  head/share/security/patches/SA-14:27/
  head/share/security/patches/SA-14:27/stdio.patch   (contents, props changed)
  head/share/security/patches/SA-14:27/stdio.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:28/
  head/share/security/patches/SA-14:28/file-12.patch   (contents, props changed)
  head/share/security/patches/SA-14:28/file-12.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:28/file-7.patch   (contents, props changed)
  head/share/security/patches/SA-14:28/file-7.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:28/file-8.patch   (contents, props changed)
  head/share/security/patches/SA-14:28/file-8.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:29/
  head/share/security/patches/SA-14:29/bind983.patch   (contents, props changed)
  head/share/security/patches/SA-14:29/bind983.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:29/bind984.patch   (contents, props changed)
  head/share/security/patches/SA-14:29/bind984.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:29/bind987.patch   (contents, props changed)
  head/share/security/patches/SA-14:29/bind987.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:29/bind995.patch   (contents, props changed)
  head/share/security/patches/SA-14:29/bind995.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-14:27.stdio.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:27.stdio.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:27.stdio                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Buffer overflow in stdio
+
+Category:       core
+Module:         libc
+Announced:      2014-12-10
+Credits:        Adrian Chadd and Alfred Perlstein, Norse Corporation
+Affects:        FreeBSD 10.1
+Corrected:      2014-12-10 08:24:02 UTC (stable/10, 10.1-STABLE)
+                2014-12-10 08:35:55 UTC (releng/10.1, 10.1-RELEASE-p1)
+CVE Name:       CVE-2014-8611
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The standard I/O library provides a simple and efficient buffered stream
+I/O interface.  The library writes buffered data when it is full or when
+the application explicitly request so by calling the fflush(3) function.
+
+II.  Problem Description
+
+A programming error in the standard I/O library's __sflush() function could
+erroneously adjust the buffered stream's internal state even when no write
+actually occurred in the case when write(2) system call returns an error.
+
+III. Impact
+
+The accounting mismatch would accumulate, if the caller does not check for
+stream status and will eventually lead to a heap buffer overflow.
+
+Such overflows may lead to data corruption or the execution of arbitrary
+code at the privilege level of the calling program.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:27/stdio.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:27/stdio.patch.asc
+# gpg --verify stdio.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r275667
+releng/10.1/                                                      r275670
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8611>;
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:27.stdio.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUiA11AAoJEO1n7NZdz2rnZLMP/ic0j0lykvkZ4x39Th4vUIX7
+SCqROB8zxKj8qA3QlXhusaJA9o9hAPX8HA99ZVbDyugz0m4ST0t6JAYL+w3eVYZm
+RpEszshxi7rwUXaoue99lk0JnP2ssZbNZn5y4Z0XCYvingfP7Um6tOG0XqUs+N45
+Mivhuz+JKaFSYG4WwrSIr2pNpn6XnDeGoihtuXOkinBv8Ga3xHyuTY+30vUnEEH+
+Vr2MftHMm3Wo87OM1XhrTQS5jYzD8u0xgwKjcf0/+6Q+iXzLDkk8MfCE1W9SP7FE
+zas1MHxWeV5AICAX0CUI/9R2Zgymi/xJksw4BNZsDyGnOvIRdcMv+0KOWnCn42mk
+HCm2NTyvUM2Cgjbj5T4yICQBEi5dI6WiTp2yKTKQOiqDsszUW1NyqGQdYPfyjjMS
+kQA5RTdGVxwxp8FMnJGvYdlVRZgx5BAI8znhlxxqKs25uhbOnn+zKm+rA2XnLLMk
+sg2V/E906vldjLw8ddvNKm5oy0UkezBj0J1NOgkpN3atvUB8X2H251h2n51+oAbE
+FSd4qqN70vwHdOmIGNrjWZpOqSJzeGs5JjbaxMpo6MoIWJz2zrK2WLiFVWZGohgh
+9TGU6Ubs/yTLLfu1jTDAMl1dbZd1lChmycKRuqTpe56keOlHghquCMxhogWY0PQE
+nE47N3BP/KCtuQw1uxuK
+=F9uH
+-----END PGP SIGNATURE-----
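Review bot: two wording problems in the advisory text. In Background, "when the application explicitly request so by calling the fflush(3) function" should read "when the application explicitly requests it by calling the fflush(3) function". In Impact, "The accounting mismatch would accumulate, if the caller does not check for stream status and will eventually lead to a heap buffer overflow." is a run-on whose comma separates subject from verb; suggest "If the caller does not check the stream status, the accounting mismatch accumulates and eventually leads to a heap buffer overflow." The Problem Description would also be clearer if it named the trigger directly, i.e. that __sflush() adjusts the buffer pointer and free count even when write(2) failed without writing anything, since that is exactly what stdio.patch in this commit changes.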

Added: head/share/security/advisories/FreeBSD-SA-14:28.file.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:28.file.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,157 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:28.file                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities in file(1) and libmagic(3)
+
+Category:       contrib
+Module:         file
+Announced:      2014-12-10
+Affects:        All supported versions of FreeBSD.
+Credits:        Thomas Jarosch of Intra2net AG
+Corrected:      2014-12-10 08:26:53 UTC (stable/10, 10.1-STABLE)
+                2014-12-10 08:35:55 UTC (releng/10.1, 10.1-RELEASE-p1)
+                2014-12-10 08:36:07 UTC (releng/10.0, 10.0-RELEASE-p13)
+                2014-12-10 08:31:41 UTC (stable/9, 9.3-STABLE)
+                2014-12-10 08:36:40 UTC (releng/9.3, 9.3-RELEASE-p6)
+                2014-12-10 08:36:40 UTC (releng/9.2, 9.2-RELEASE-p16)
+                2014-12-10 08:36:40 UTC (releng/9.1, 9.1-RELEASE-p23)
+                2014-12-10 08:31:41 UTC (stable/8, 8.4-STABLE)
+                2014-12-10 08:36:40 UTC (releng/8.4, 8.4-RELEASE-p20)
+CVE Name:       CVE-2014-3710, CVE-2014-8116, CVE-2014-8117
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The file(1) utility attempts to classify file system objects based on
+filesystem, magic number and language tests.
+
+The libmagic(3) library provides most of the functionality of file(1)
+and may be used by other applications.
+
+II.  Problem Description
+
+There are a number of denial of service issues in the ELF parser used
+by file(1).
+
+III. Impact
+
+An attacker who can cause file(1) or any other applications using the
+libmagic(3) library to be run on a maliciously constructed input can
+cause the application to crash or consume excessive CPU resources,
+resulting in a denial-of-service.
+
+IV.  Workaround
+
+No workaround is available, but systems where file(1) and other
+libmagic(3)-using applications are never run on untrusted input are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.1]
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-12.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-12.patch.asc
+# gpg --verify file-12.patch.asc
+
+[FreeBSD 9.1, 9.2, 9.3 and 10.0]
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-8.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-8.patch.asc
+# gpg --verify file-8.patch.asc
+
+[FreeBSD 8.4]
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-7.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-7.patch.asc
+# gpg --verify file-7.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r275669
+releng/8.4/                                                       r275672
+stable/9/                                                         r275669
+releng/9.1/                                                       r275672
+releng/9.2/                                                       r275672
+releng/9.3/                                                       r275672
+stable/10/                                                        r275668
+releng/10.0/                                                      r275671
+releng/10.1/                                                      r275670
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710>;
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116>;
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117>;
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:28.file.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=+w7r
+-----END PGP SIGNATURE-----
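Review bot: typo in the post-patch instructions: "Restart all deamons using the library" should be "daemons". The header block lists "Affects:" before "Credits:", whereas SA-14:27 and SA-14:29 in this same commit put "Credits:" first; the field order should be consistent across the three. The Problem Description says only "a number of denial of service issues in the ELF parser" while the CVE Name line carries three identifiers (CVE-2014-3710, CVE-2014-8116, CVE-2014-8117); a sentence per CVE saying which class of issue it covers would let readers map the file-12/file-8/file-7 patches back to the identifiers, and the Impact text's "consume excessive CPU resources" would then have something concrete behind it.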

Added: head/share/security/advisories/FreeBSD-SA-14:29.bind.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:29.bind.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,158 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:29.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND remote denial of service vulnerability
+
+Category:       contrib
+Module:         bind
+Announced:      2014-12-10
+Credits:        ISC
+Affects:        FreeBSD 8.4, 9.1, 9.2 and 9.3.
+Corrected:      2014-12-10 08:31:41 UTC (stable/9, 9.3-STABLE)
+                2014-12-10 08:36:40 UTC (releng/9.3, 9.3-RELEASE-p6)
+                2014-12-10 08:36:40 UTC (releng/9.2, 9.2-RELEASE-p16)
+                2014-12-10 08:36:40 UTC (releng/9.1, 9.1-RELEASE-p23)
+                2014-12-10 08:31:41 UTC (stable/8, 8.4-STABLE)
+                2014-12-10 08:36:40 UTC (releng/8.4, 8.4-RELEASE-p20)
+CVE Name:       CVE-2014-8500
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II.  Problem Description
+
+By causing queries to be made against a maliciously-constructed zone or
+against a malicious DNS server, an attacker who is able to cause
+specific queries to be sent to a nameserver can cause named(8) to
+crash, leading to a denial of service.
+
+All recursive BIND DNS servers are vulnerable to this.  Authoritative
+servers are only vulnerable if the attacker is able to control a
+delegation traversed by the authoritative server in order to serve
+the zone.
+
+III. Impact
+
+An attacker who can cause specific queries to be sent to a nameserver
+could cause named(8) to crash, resulting in a denial of service.
+
+IV.  Workaround
+
+No workaround is available, but hosts not running named(8) are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3-RELEASE and 9.3-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind995.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind995.patch.asc
+# gpg --verify bind995.patch.asc
+
+[FreeBSD 9.2-RELEASE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch.asc
+# gpg --verify bind984.patch.asc
+
+[FreeBSD 9.1-RELEASE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind983.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind983.patch.asc
+# gpg --verify bind983.patch.asc
+
+[FreeBSD 8.4-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind987.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind987.patch.asc
+# gpg --verify bind987.patch.asc
+
+[FreeBSD 8.4-RELEASE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch.asc
+# gpg --verify bind984.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r275669
+releng/8.4/                                                       r275672
+stable/9/                                                         r275669
+releng/9.1/                                                       r275672
+releng/9.2/                                                       r275672
+releng/9.3/                                                       r275672
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>;
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500>;
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:29.bind.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=uNWP
+-----END PGP SIGNATURE-----
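Review bot: the Impact section ("An attacker who can cause specific queries to be sent to a nameserver could cause named(8) to crash") repeats the first sentence of the Problem Description almost verbatim and drops the scope qualifier given right above it, namely that all recursive servers are vulnerable while authoritative servers are only vulnerable when the attacker controls a delegation the server traverses; that qualifier is what an operator uses to triage, so it belongs in Impact. The Workaround says only "hosts not running named(8) are not vulnerable"; stating the recursive-versus-authoritative distinction there as well would be consistent with section II. References list only the CVE entry although Credits names ISC; the ISC advisory for CVE-2014-8500 should be cited alongside it.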

Added: head/share/security/patches/SA-14:27/stdio.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:27/stdio.patch	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,22 @@
+Index: lib/libc/stdio/fflush.c
+===================================================================
+--- lib/libc/stdio/fflush.c.orig
++++ lib/libc/stdio/fflush.c
+@@ -124,11 +124,13 @@
+ 		t = _swrite(fp, (char *)p, n);
+ 		if (t <= 0) {
+ 			/* Reset _p and _w. */
+-			if (p > fp->_p)	/* Some was written. */
++			if (p > fp->_p) {
++				/* Some was written. */
+ 				memmove(fp->_p, p, n);
+-			fp->_p += n;
+-			if ((fp->_flags & (__SLBF | __SNBF)) == 0)
+-				fp->_w -= n;
++				fp->_p += n;
++				if ((fp->_flags & (__SLBF | __SNBF)) == 0)
++					fp->_w -= n;
++			}
+ 			fp->_flags |= __SERR;
+ 			return (EOF);
+ 		}
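Review bot: the added braces are the whole fix and they are correct: in the old code only the `memmove` was conditional on `p > fp->_p`, while `fp->_p += n;` and the `fp->_w -= n;` adjustment ran unconditionally after a failed `_swrite`, so a write that wrote nothing still advanced `_p` by `n` and shrank `_w`, which is the accounting mismatch the advisory describes; now all three updates happen only when some bytes were written. Suggest a regression test that makes `_swrite` fail on the first byte and asserts that `fp->_p` and `fp->_w` are unchanged afterwards and that `ferror(fp)` is set via the `__SERR` flag, because callers that ignore the `EOF` return are precisely the ones the advisory says accumulate the mismatch. A short comment above the `if` stating "only account for the bytes actually written" would stop the next person from "simplifying" the braces away again.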

Added: head/share/security/patches/SA-14:27/stdio.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:27/stdio.patch.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=3A4p
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:28/file-12.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-12.patch	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,288 @@
+Index: contrib/file/src/elfclass.h
+===================================================================
+--- contrib/file/src/elfclass.h.orig
++++ contrib/file/src/elfclass.h
+@@ -35,10 +35,12 @@
+ 	switch (type) {
+ #ifdef ELFCORE
+ 	case ET_CORE:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
+ 		flags |= FLAGS_IS_CORE;
+ 		if (dophn_core(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ 		    fsize, &flags) == -1)
+ 			return -1;
+@@ -46,18 +48,24 @@
+ #endif
+ 	case ET_EXEC:
+ 	case ET_DYN:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > MAX_SHNUM)
++			return toomany(ms, "section", shnum);
+ 		if (dophn_exec(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+-		    == -1)
++		    fsize, &flags, shnum) == -1)
+ 			return -1;
+ 		/*FALLTHROUGH*/
+ 	case ET_REL:
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > MAX_SHNUM)
++			return toomany(ms, "section", shnum);
+ 		if (doshn(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_shoff),
+-		    elf_getu16(swap, elfhdr.e_shnum),
++		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
+ 		    fsize, &flags, elf_getu16(swap, elfhdr.e_machine),
+ 		    (int)elf_getu16(swap, elfhdr.e_shstrndx)) == -1)
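Review bot: because `ET_EXEC`/`ET_DYN` falls through (`/*FALLTHROUGH*/`) into `ET_REL`, `shnum` is read and compared against `MAX_SHNUM` twice for executables and shared objects; harmless, but hoisting the `phnum`/`shnum` reads and checks above the `switch` would remove the duplicated six lines across the three cases. Also note that `toomany()` returns 0, not -1, so an over-limit header count makes the caller treat the file as successfully classified after printing the message; that is a deliberate denial-of-service mitigation (stop parsing rather than fail the whole `file(1)` run), but every other `return` in this block uses -1 for errors, so the `return toomany(...)` lines deserve a one-line comment saying the 0 is intentional.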
+Index: contrib/file/src/file.h
+===================================================================
+--- contrib/file/src/file.h.orig
++++ contrib/file/src/file.h
+@@ -482,6 +482,14 @@
+ protected void file_regfree(file_regex_t *);
+ protected void file_regerror(file_regex_t *, int, struct magic_set *);
+ 
++typedef struct {
++	char *buf;
++	uint32_t offset;
++} file_pushbuf_t;
++
++protected file_pushbuf_t *file_push_buffer(struct magic_set *);
++protected char  *file_pop_buffer(struct magic_set *, file_pushbuf_t *);
++
+ #ifndef COMPILE_ONLY
+ extern const char *file_names[];
+ extern const size_t file_nnames;
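Review bot: the new `file_pushbuf_t` and the two prototypes carry no comment on ownership, which is the one thing a caller needs: after `file_push_buffer` the saved output buffer belongs to the `file_pushbuf_t`, and `file_pop_buffer` returns the inner buffer that the caller must `free`. A two-line comment here would prevent the leak and double-free mistakes the `FILE_INDIRECT` caller has to avoid. Minor: double space in `protected char  *file_pop_buffer`.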
+Index: contrib/file/src/funcs.c
+===================================================================
+--- contrib/file/src/funcs.c.orig
++++ contrib/file/src/funcs.c
+@@ -491,3 +491,43 @@
+ 	file_magerror(ms, "regex error %d for `%s', (%s)", rc, rx->pat,
+ 	    errmsg);
+ }
++
++protected file_pushbuf_t *
++file_push_buffer(struct magic_set *ms)
++{
++	file_pushbuf_t *pb;
++
++	if (ms->event_flags & EVENT_HAD_ERR)
++		return NULL;
++
++	if ((pb = (CAST(file_pushbuf_t *, malloc(sizeof(*pb))))) == NULL)
++		return NULL;
++
++	pb->buf = ms->o.buf;
++	pb->offset = ms->offset;
++
++	ms->o.buf = NULL;
++	ms->offset = 0;
++
++	return pb;
++}
++
++protected char *
++file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb)
++{
++	char *rbuf;
++
++	if (ms->event_flags & EVENT_HAD_ERR) {
++		free(pb->buf);
++		free(pb);
++		return NULL;
++	}
++
++	rbuf = ms->o.buf;
++
++	ms->o.buf = pb->buf;
++	ms->offset = pb->offset;
++
++	free(pb);
++	return rbuf;
++}
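Review bot: `file_push_buffer` returns NULL both when an error is already pending (`EVENT_HAD_ERR`) and when `malloc` fails, but on the allocation path it records no error, so the `FILE_INDIRECT` caller's `return -1` leaves `ms` with no message and `EVENT_HAD_ERR` clear; report the failure through libmagic's error path (`file_error`, or its out-of-memory wrapper `file_oomem`) before returning NULL. In `file_pop_buffer`'s error branch the saved outer buffer `pb->buf` is freed while `ms->o.buf` keeps pointing at the inner buffer; that is consistent with the error having already replaced the output, but a reader expects pop to restore what push saved, so it needs a comment.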
+Index: contrib/file/src/readelf.c
+===================================================================
+--- contrib/file/src/readelf.c.orig
++++ contrib/file/src/readelf.c
+@@ -60,6 +60,18 @@
+ private uint32_t getu32(int, uint32_t);
+ private uint64_t getu64(int, uint64_t);
+ 
++#define MAX_PHNUM	256
++#define	MAX_SHNUM	1024
++
++private int
++toomany(struct magic_set *ms, const char *name, uint16_t num)
++{
++	if (file_printf(ms, ", too many %s header sections (%u)", name, num
++	    ) == -1)
++		return -1;
++	return 0;
++}
++
+ private uint16_t
+ getu16(int swap, uint16_t value)
+ {
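Review bot: the caps need a comment on what they exclude. `MAX_PHNUM`/`MAX_SHNUM` are compared against the raw 16-bit `e_phnum`/`e_shnum` before any extended-numbering escape is consulted, so an ELF file that uses `PN_XNUM` (0xffff, real count in section 0's `sh_info`) will now always be reported as "too many program header sections"; acceptable for a classifier, but it should be stated. Wording nit: "too many program header sections" mixes the two header kinds; "too many program headers (%u)" and "too many section headers (%u)" read cleaner. Style: the `num\n    ) == -1)` line break in `toomany()` is awkward; break after the comma instead.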
+@@ -477,6 +489,13 @@
+ 	uint32_t namesz, descsz;
+ 	unsigned char *nbuf = CAST(unsigned char *, vbuf);
+ 
++	if (xnh_sizeof + offset > size) {
++		/*
++		 * We're out of note headers.
++		 */
++		return xnh_sizeof + offset;
++	}
++
+ 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ 	offset += xnh_sizeof;
+ 
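Review bot: this early return hands back `xnh_sizeof + offset`, a value larger than `size`, whereas the two malformed-size paths in the next hunk are changed to return 0; callers that walk the note area therefore have to terminate on both conventions (an offset past `size` meaning "consumed everything" and 0 meaning "stop"). Either document both sentinels in a comment above the function or unify on one, so a future caller does not mistake the oversize offset for a valid next position.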
+@@ -492,13 +511,13 @@
+ 	if (namesz & 0x80000000) {
+ 	    (void)file_printf(ms, ", bad note name size 0x%lx",
+ 		(unsigned long)namesz);
+-	    return offset;
++	    return 0;
+ 	}
+ 
+ 	if (descsz & 0x80000000) {
+ 	    (void)file_printf(ms, ", bad note description size 0x%lx",
+ 		(unsigned long)descsz);
+-	    return offset;
++	    return 0;
+ 	}
+ 
+ 
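Review bot: returning the unchanged `offset` on a bad name or description size meant a caller that uses the return value as the next note offset made no progress; returning 0 turns that into a stop, which is the CPU-exhaustion fix. Both messages are still emitted with `(void)file_printf(...)` and the result discarded, while `toomany()` above checks `file_printf` for -1; pick one error-handling style for the new code.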
+@@ -900,6 +919,7 @@
+ 	Elf32_Shdr sh32;
+ 	Elf64_Shdr sh64;
+ 	int stripped = 1;
++	size_t nbadcap = 0;
+ 	void *nbuf;
+ 	off_t noff, coff, name_off;
+ 	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
+@@ -988,6 +1008,8 @@
+ 				goto skip;
+ 			}
+ 
++			if (nbadcap > 5)
++				break;
+ 			if (lseek(fd, xsh_offset, SEEK_SET) == (off_t)-1) {
+ 				file_badseek(ms);
+ 				return -1;
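Review bot: `5` here and `2` in the following hunk are bare magic numbers applied to the same `nbadcap` counter; give them names next to `MAX_PHNUM`/`MAX_SHNUM` (something like `MAX_BADCAP` for the per-section limit and `MAX_BADCAP_SECTIONS` for this one, names suggested here, not in the patch) and a comment saying they bound the work spent on unrecognised SunOS capability entries.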
+@@ -1053,6 +1075,8 @@
+ 					    (unsigned long long)xcap_tag,
+ 					    (unsigned long long)xcap_val) == -1)
+ 						return -1;
++					if (nbadcap++ > 2)
++						coff = xsh_size;
+ 					break;
+ 				}
+ 			}
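Review bot: `nbadcap++ > 2` tests the pre-increment value, so the fourth unrecognised capability entry in a section sets `coff = xsh_size` and ends that section's loop. `nbadcap` is never reset, so the `nbadcap > 5` check in the previous hunk only fires after several `SHT_SUNW_cap` sections have each contributed bad entries. If the intent is "stop after N bad entries overall", one threshold checked in one place is clearer; if it is per section, reset the counter when a new section starts. Either way the interaction between the two thresholds needs a comment.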
+@@ -1233,7 +1257,7 @@
+ 	int flags = 0;
+ 	Elf32_Ehdr elf32hdr;
+ 	Elf64_Ehdr elf64hdr;
+-	uint16_t type;
++	uint16_t type, phnum, shnum;
+ 
+ 	if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
+ 		return 0;
+Index: contrib/file/src/softmagic.c
+===================================================================
+--- contrib/file/src/softmagic.c.orig
++++ contrib/file/src/softmagic.c
+@@ -67,6 +67,9 @@
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
+ #define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
++
++#define MAX_RECURSION_LEVEL	10
++
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
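Review bot: lowering the nesting limit from the literal 20 to `MAX_RECURSION_LEVEL` (10) is a behaviour change for magic databases that nest `FILE_INDIRECT`/`FILE_USE` more than ten deep; those now fail with "recursion nesting exceeded". The define should carry a comment explaining why 10 was chosen, and the change deserves a mention in the advisory text, which currently only says the issues are denial of service.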
+@@ -1193,14 +1196,15 @@
+     int flip, int recursion_level, int *printed_something,
+     int *need_separator, int *returnval)
+ {
+-	uint32_t soffset, offset = ms->offset;
++	uint32_t offset = ms->offset;
+ 	uint32_t lhs;
++	file_pushbuf_t *pb;
+ 	int rv, oneed_separator, in_type;
+-	char *sbuf, *rbuf;
++	char *rbuf;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 	struct mlist ml;
+ 
+-	if (recursion_level >= 20) {
++	if (recursion_level >= MAX_RECURSION_LEVEL) {
+ 		file_error(ms, 0, "recursion nesting exceeded");
+ 		return -1;
+ 	}
+@@ -1644,19 +1648,23 @@
+ 	case FILE_INDIRECT:
+ 		if (offset == 0)
+ 			return 0;
++
+ 		if (nbytes < offset)
+ 			return 0;
+-		sbuf = ms->o.buf;
+-		soffset = ms->offset;
+-		ms->o.buf = NULL;
+-		ms->offset = 0;
++
++		if ((pb = file_push_buffer(ms)) == NULL)
++			return -1;
++
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
+ 		    recursion_level, BINTEST, text);
++
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
+-		rbuf = ms->o.buf;
+-		ms->o.buf = sbuf;
+-		ms->offset = soffset;
++
++		rbuf = file_pop_buffer(ms, pb);
++		if (rbuf == NULL && ms->event_flags & EVENT_HAD_ERR)
++			return -1;
++
+ 		if (rv == 1) {
+ 			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+ 			    file_printf(ms, F(ms, m, "%u"), offset) == -1) {
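Review bot: `rbuf == NULL && ms->event_flags & EVENT_HAD_ERR` relies on `&` binding tighter than `&&`; parenthesise the flag test so the intent is visible. When `file_pop_buffer` returns NULL without an error pending, execution continues with `rbuf == NULL`, so confirm the code after `if (rv == 1)` tolerates that or guard it. Otherwise this is a clean replacement of the open-coded `sbuf`/`soffset` swap with push/pop, and it also frees the saved buffer on the error path, which the old inline code did not.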
+@@ -1674,13 +1682,13 @@
+ 	case FILE_USE:
+ 		if (nbytes < offset)
+ 			return 0;
+-		sbuf = m->value.s;
+-		if (*sbuf == '^') {
+-			sbuf++;
++		rbuf = m->value.s;
++		if (*rbuf == '^') {
++			rbuf++;
+ 			flip = !flip;
+ 		}
+-		if (file_magicfind(ms, sbuf, &ml) == -1) {
+-			file_error(ms, 0, "cannot find entry `%s'", sbuf);
++		if (file_magicfind(ms, rbuf, &ml) == -1) {
++			file_error(ms, 0, "cannot find entry `%s'", rbuf);
+ 			return -1;
+ 		}
+ 
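Review bot: reusing `rbuf` for a pointer into `m->value.s` is a readability hazard: in the `FILE_INDIRECT` case a few lines up `rbuf` is a heap buffer returned by `file_pop_buffer` that must be freed, whereas here it is borrowed storage that must not be. A separate `const char *` local (say `name`, a suggested name) would keep the two lifetimes distinct and let the compiler reject a mistaken `free`.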

Added: head/share/security/patches/SA-14:28/file-12.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-12.patch.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=9qt7
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:28/file-7.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-7.patch	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,146 @@
+Index: contrib/file/elfclass.h
+===================================================================
+--- contrib/file/elfclass.h.orig
++++ contrib/file/elfclass.h
+@@ -35,9 +35,11 @@
+ 	switch (type) {
+ #ifdef ELFCORE
+ 	case ET_CORE:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
+ 		if (dophn_core(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ 		    fsize, &flags) == -1)
+ 			return -1;
+@@ -45,18 +47,24 @@
+ #endif
+ 	case ET_EXEC:
+ 	case ET_DYN:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > MAX_SHNUM)
++			return toomany(ms, "section", shnum);
+ 		if (dophn_exec(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+-		    == -1)
++		    fsize, &flags, shnum) == -1)
+ 			return -1;
+ 		/*FALLTHROUGH*/
+ 	case ET_REL:
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > MAX_SHNUM)
++			return toomany(ms, "section", shnum);
+ 		if (doshn(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_shoff),
+-		    elf_getu16(swap, elfhdr.e_shnum),
++		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
+ 		    &flags,
+ 		    elf_getu16(swap, elfhdr.e_machine)) == -1)
+Index: contrib/file/readelf.c
+===================================================================
+--- contrib/file/readelf.c.orig
++++ contrib/file/readelf.c
+@@ -60,6 +60,18 @@
+ private uint32_t getu32(int, uint32_t);
+ private uint64_t getu64(int, uint64_t);
+ 
++#define MAX_PHNUM	256
++#define	MAX_SHNUM	1024
++
++private int
++toomany(struct magic_set *ms, const char *name, uint16_t num)
++{
++	if (file_printf(ms, ", too many %s header sections (%u)", name, num
++	    ) == -1)
++		return -1;
++	return 0;
++}
++
+ private uint16_t
+ getu16(int swap, uint16_t value)
+ {
+@@ -391,13 +403,13 @@
+ 	if (namesz & 0x80000000) {
+ 	    (void)file_printf(ms, ", bad note name size 0x%lx",
+ 		(unsigned long)namesz);
+-	    return offset;
++	    return 0;
+ 	}
+ 
+ 	if (descsz & 0x80000000) {
+ 	    (void)file_printf(ms, ", bad note description size 0x%lx",
+ 		(unsigned long)descsz);
+-	    return offset;
++	    return 0;
+ 	}
+ 
+ 
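Review bot: compared with the 10.1 version in file-12.patch above, this backport carries the `return 0` change for bad note sizes but not the `xnh_sizeof + offset > size` bounds check that file-12.patch adds before the `memcpy` of the note header; confirm that the older `donote` already rejects a header that would read past `size`, otherwise the backport leaves that out-of-bounds read in place.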
+@@ -821,6 +833,7 @@
+ 	Elf32_Shdr sh32;
+ 	Elf64_Shdr sh64;
+ 	int stripped = 1;
++	size_t nbadcap = 0;
+ 	void *nbuf;
+ 	off_t noff;
+ 	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
+@@ -893,6 +906,8 @@
+ 		case SHT_SUNW_cap:
+ 		    {
+ 			off_t coff;
++			if (nbadcap > 5)
++				break;
+ 			if ((off = lseek(fd, (off_t)0, SEEK_CUR)) ==
+ 			    (off_t)-1) {
+ 				file_badread(ms);
+@@ -933,6 +948,8 @@
+ 					    (unsigned long long)xcap_tag,
+ 					    (unsigned long long)xcap_val) == -1)
+ 						return -1;
++					if (nbadcap++ > 2)
++						coff = xsh_size;
+ 					break;
+ 				}
+ 			}
+@@ -1139,7 +1156,7 @@
+ 	int flags = 0;
+ 	Elf32_Ehdr elf32hdr;
+ 	Elf64_Ehdr elf64hdr;
+-	uint16_t type;
++	uint16_t type, phnum, shnum;
+ 
+ 	if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
+ 		return 0;
+Index: contrib/file/softmagic.c
+===================================================================
+--- contrib/file/softmagic.c.orig
++++ contrib/file/softmagic.c
+@@ -61,6 +61,9 @@
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
+ #define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
++
++#define MAX_RECURSION_LEVEL	10
++
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
+@@ -1030,7 +1033,7 @@
+ 	uint32_t count = m->str_range;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 
+-	if (recursion_level >= 20) {
++	if (recursion_level >= MAX_RECURSION_LEVEL) {
+ 		file_error(ms, 0, "recursion nesting exceeded");
+ 		return -1;
+ 	}
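Review bot: this backport applies only the recursion-limit change to `softmagic.c`; the `file_push_buffer`/`file_pop_buffer` rework of the `FILE_INDIRECT` case in file-12.patch is absent. Confirm that this older `softmagic.c` has no equivalent of the open-coded `sbuf`/`soffset` buffer swap; if it does, the error-path buffer handling fix is missing here.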

Added: head/share/security/patches/SA-14:28/file-7.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-7.patch.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=ZtPX
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:28/file-8.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-8.patch	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,147 @@
+Index: contrib/file/elfclass.h
+===================================================================
+--- contrib/file/elfclass.h.orig
++++ contrib/file/elfclass.h
+@@ -35,10 +35,12 @@
+ 	switch (type) {
+ #ifdef ELFCORE
+ 	case ET_CORE:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
+ 		flags |= FLAGS_IS_CORE;
+ 		if (dophn_core(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ 		    fsize, &flags) == -1)
+ 			return -1;
+@@ -46,18 +48,24 @@
+ #endif
+ 	case ET_EXEC:
+ 	case ET_DYN:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


