authorColin Percival <cperciva@FreeBSD.org>2006-12-06 09:18:02 +0000
committerColin Percival <cperciva@FreeBSD.org>2006-12-06 09:18:02 +0000
commitbd1be22e3c9cf62f60c784c402390b821441a344 (patch)
treea4cc7838e72842fea0c62cb11241506f9ba3b43f
parentc86ddc159169e05b81ff2b0c5b81e698a4ecf6c8 (diff)
Correct a signedness bug which allowed members of the operator
group to read kernel memory. [1]

Disable handling of GNUTYPE_NAMES tar file entries by default, since they can be used to extract files outside of the cwd. [2]

Security: FreeBSD-SA-06:25.kmem [1]
Security: FreeBSD-SA-06:26.gtar [2]
Approved by: so (cperciva)

Branch: releng/4.11
Notes
Notes: svn path=/releng/4.11/; revision=164944
-rw-r--r--UPDATING7
-rw-r--r--contrib/tar/src/common.h3
-rw-r--r--contrib/tar/src/extract.c8
-rw-r--r--contrib/tar/src/tar.c8
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/dev/firewire/fwdev.c2
6 files changed, 27 insertions, 3 deletions
diff --git a/UPDATING b/UPDATING
index 2bd7cbdafc5a..7643f3c214e4 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,13 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20061206: p26 FreeBSD-SA-06:25.kmem, FreeBSD-SA-06.26.gtar
+ Correct a signedness bug which allowed members of the operator
+ group to read kernel memory. [06:25]
+
+ Disable handling of GNUTYPE_NAMES tar file entries by default,
+ since they can be used to extract files outside of the cwd. [06:26]
+
20060930: p25 FreeBSD-SA-06:22.openssh
Correct multiple vulnerabilities in sshd(8).
diff --git a/contrib/tar/src/common.h b/contrib/tar/src/common.h
index 40e0ab61d78f..ee2548e7d37e 100644
--- a/contrib/tar/src/common.h
+++ b/contrib/tar/src/common.h
@@ -124,6 +124,9 @@ GLOBAL size_t record_size;
/* Boolean value. */
GLOBAL int absolute_names_option;
+/* Allow GNUTYPE_NAMES type? */
+GLOBAL bool allow_name_mangling_option;
+
/* This variable tells how to interpret newer_mtime_option, below. If zero,
files get archived if their mtime is not less than newer_mtime_option.
If nonzero, files get archived if *either* their ctime or mtime is not less
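Review bot: The comment on `allow_name_mangling_option` is phrased as a question and records neither the default nor why the switch exists. Something like `/* True if GNUTYPE_NAMES entries are honoured on extraction (--allow-name-mangling). Off by default: such entries can cause files to be extracted outside the cwd. */` would tell the next reader that this is a security gate. The off-by-default behaviour presumably relies on the GLOBAL definition being zero-initialised, since no explicit initialisation is visible in this commit; that is worth confirming and stating.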
diff --git a/contrib/tar/src/extract.c b/contrib/tar/src/extract.c
index 3032da06ceb3..81010a79c1c7 100644
--- a/contrib/tar/src/extract.c
+++ b/contrib/tar/src/extract.c
@@ -1219,7 +1219,13 @@ extract_archive (void)
break;
case GNUTYPE_NAMES:
- extract_mangle ();
+ if (allow_name_mangling_option)
+ extract_mangle ();
+ else {
+ ERROR ((0, 0, _("GNUTYPE_NAMES mangling ignored")));
+ if (backup_option)
+ undo_last_backup ();
+ }
break;
case GNUTYPE_MULTIVOL:
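Review bot: In the new else branch of `case GNUTYPE_NAMES:` nothing visible consumes the entry's data blocks before the `break`. If `extract_mangle ()` was the code that read them, then with the option off the reader may go on to parse the mangle payload as the next header. A `skip_member ();` ahead of the `if (backup_option)` line would keep the stream aligned; confirm this against how extract_archive handles other entries it declines to extract. The `else {` brace placement also departs from the GNU style of the surrounding file. extract_archive starts and ends outside the hunk.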
diff --git a/contrib/tar/src/tar.c b/contrib/tar/src/tar.c
index 7d872faf11a3..27ac28e35609 100644
--- a/contrib/tar/src/tar.c
+++ b/contrib/tar/src/tar.c
@@ -129,6 +129,7 @@ confirm (const char *message_action, const char *message_name)
enum
{
ANCHORED_OPTION = CHAR_MAX + 1,
+ ALLOW_NAME_MANGLING_OPTION,
BACKUP_OPTION,
DELETE_OPTION,
EXCLUDE_OPTION,
@@ -178,6 +179,7 @@ static struct option long_options[] =
{"absolute-names", no_argument, 0, 'P'},
{"absolute-paths", no_argument, 0, OBSOLETE_ABSOLUTE_NAMES},
{"after-date", required_argument, 0, 'N'},
+ {"allow-name-mangling", no_argument, 0, ALLOW_NAME_MANGLING_OPTION},
{"anchored", no_argument, 0, ANCHORED_OPTION},
{"append", no_argument, 0, 'r'},
{"atime-preserve", no_argument, &atime_preserve_option, 1},
@@ -392,6 +394,8 @@ Archive format selection:\n\
PATTERN at list/extract time, a globbing PATTERN\n\
-o, --old-archive, --portability write a V7 format archive\n\
--posix write a POSIX format archive\n\
+ --allow-name-mangling allow GNUTYPE_NAMES mangling --\n\
+ considered dangerous\n\
-j, -y, --bzip, --bzip2, --bunzip2 filter the archive through bzip2\n\
-z, --gzip, --ungzip filter the archive through gzip\n\
-Z, --compress, --uncompress filter the archive through compress\n\
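Review bot: The help text for `--allow-name-mangling` says only "considered dangerous", which does not tell an administrator what re-enabling it risks. Judging from the hunk header, it is also listed under "Archive format selection" although it only affects extraction. Wording such as `--allow-name-mangling  honour GNUTYPE_NAMES entries on extract;\n\` followed by `may place files outside the cwd\n\` states the risk, and the entry would sit better with the extraction options. The usage string starts and ends outside the hunk.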
@@ -901,6 +905,10 @@ decode_options (int argc, char **argv)
set_use_compress_program_option ("compress");
break;
+ case ALLOW_NAME_MANGLING_OPTION:
+ allow_name_mangling_option = true;
+ break;
+
case OBSOLETE_VERSION_CONTROL:
WARN ((0, 0, _("Obsolete option name replaced by --backup")));
/* Fall through. */
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 3be26cc90acf..95cdb9c9a868 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.11"
-BRANCH="RELEASE-p25"
+BRANCH="RELEASE-p26"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/dev/firewire/fwdev.c b/sys/dev/firewire/fwdev.c
index ae736c2969ba..f8789ec6f60f 100644
--- a/sys/dev/firewire/fwdev.c
+++ b/sys/dev/firewire/fwdev.c
@@ -704,7 +704,7 @@ out:
else
len = fwdev->rommax - CSRROMOFF + 4;
}
- if (crom_buf->len < len)
+ if (crom_buf->len < len && crom_buf->len >= 0)
len = crom_buf->len;
else
crom_buf->len = len;
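Review bot: With the added `crom_buf->len >= 0` test, a negative caller-supplied length is no longer used as the copy size, but it now falls silently into the else branch and is overwritten with the full `len`. Treating a malformed request as "return everything" hides caller bugs; failing it with EINVAL before this comparison would be clearer, if the surrounding ioctl path allows an early error exit. At minimum the line deserves a comment such as `/* crom_buf->len is signed and comes from the caller; never let a negative value become the copy length. */`. The field's signed type appears to be the root cause, so other uses of `crom_buf->len` in this function are worth checking. The function starts before and continues after the hunk.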