aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJacques Vidrine <nectar@FreeBSD.org>2004-09-19 22:28:14 +0000
committerJacques Vidrine <nectar@FreeBSD.org>2004-09-19 22:28:14 +0000
commit503667654bb4362b55a289bd93715dcc001867cb (patch)
treef52b9f2356613a9d605a8d317ec181b68689444a
parent1ddddb6b8be63067ebd2a8cf0f11fe42032c5d19 (diff)
downloadsrc-503667654bb4362b55a289bd93715dcc001867cb.tar.gz
src-503667654bb4362b55a289bd93715dcc001867cb.zip
Correct several vulnerabilities in CVS 1.11.5 (CAN-2004-0414,
CAN-2004-0416, CAN-2004-0417, CAN-2004-0418, CAN-2004-0778 and others). Approved by: so
Notes
Notes: svn path=/releng/4.9/; revision=135483
-rw-r--r--UPDATING6
-rw-r--r--contrib/cvs/lib/xsize.h2
-rw-r--r--contrib/cvs/src/commit.c7
-rw-r--r--contrib/cvs/src/cvs.h4
-rw-r--r--contrib/cvs/src/filesubr.c8
-rw-r--r--contrib/cvs/src/history.c33
-rw-r--r--contrib/cvs/src/modules.c18
-rw-r--r--contrib/cvs/src/server.c70
-rw-r--r--contrib/cvs/src/wrapper.c34
-rw-r--r--gnu/usr.bin/cvs/lib/config.h.proto2
-rw-r--r--sys/conf/newvers.sh2
11 files changed, 160 insertions, 26 deletions
diff --git a/UPDATING b/UPDATING
index f126ff38cc81..4deccd3e2150 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,7 +17,11 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
-20040630: p11 FreeBSD-SA-04.13.linux
+20040919: p12 FreeBSD-SA-04:14.cvs
+ Correct several vulnerabilities in CVS (CAN-2004-0414,
+ CAN-2004-0416, CAN-2004-0417, CAN-2004-0418, CAN-2004-0778).
+
+20040630: p11 FreeBSD-SA-04:13.linux
Correct an input validation error in the linux binary
compatibility code.
diff --git a/contrib/cvs/lib/xsize.h b/contrib/cvs/lib/xsize.h
index 7634c6d4d5a4..38d2f19aefd4 100644
--- a/contrib/cvs/lib/xsize.h
+++ b/contrib/cvs/lib/xsize.h
@@ -26,6 +26,8 @@
#include <limits.h>
#if HAVE_STDINT_H
# include <stdint.h>
+#else
+#define SIZE_MAX UINT_MAX /* XXX */
#endif
/* The size of memory objects is often computed through expressions of
diff --git a/contrib/cvs/src/commit.c b/contrib/cvs/src/commit.c
index 6408f21e7f22..382398e4c538 100644
--- a/contrib/cvs/src/commit.c
+++ b/contrib/cvs/src/commit.c
@@ -481,7 +481,12 @@ commit (argc, argv)
operate on, and only work with those files in the future.
This saves time--we don't want to search the file system
of the working directory twice. */
- find_args.argv = (char **) xmalloc (find_args.argc * sizeof (char **));
+ if (size_overflow_p (xtimes (find_args.argc, sizeof (char **))))
+ {
+ find_args.argc = 0;
+ return 0;
+ }
+ find_args.argv = xmalloc (xtimes (find_args.argc, sizeof (char **)));
find_args.argc = 0;
walklist (find_args.ulist, copy_ulist, &find_args);
diff --git a/contrib/cvs/src/cvs.h b/contrib/cvs/src/cvs.h
index ed49ae34b1ac..0081840b9537 100644
--- a/contrib/cvs/src/cvs.h
+++ b/contrib/cvs/src/cvs.h
@@ -41,6 +41,10 @@
#include "popen.h"
#endif
+/* Begin GNULIB headers. */
+#include "xsize.h"
+/* End GNULIB headers. */
+
#ifdef STDC_HEADERS
#include <stdlib.h>
#else
diff --git a/contrib/cvs/src/filesubr.c b/contrib/cvs/src/filesubr.c
index 01afa93f3b44..d65ddefa7f8c 100644
--- a/contrib/cvs/src/filesubr.c
+++ b/contrib/cvs/src/filesubr.c
@@ -988,8 +988,14 @@ expand_wild (argc, argv, pargc, pargv)
char ***pargv;
{
int i;
+ if (size_overflow_p (xtimes (argc, sizeof (char *)))) {
+ *pargc = 0;
+ *pargv = NULL;
+ error (0, 0, "expand_wild: too many arguments");
+ return;
+ }
*pargc = argc;
- *pargv = (char **) xmalloc (argc * sizeof (char *));
+ *pargv = xmalloc (xtimes (argc, sizeof (char *)));
for (i = 0; i < argc; ++i)
(*pargv)[i] = xstrdup (argv[i]);
}
diff --git a/contrib/cvs/src/history.c b/contrib/cvs/src/history.c
index 076a9b152e49..05505e488784 100644
--- a/contrib/cvs/src/history.c
+++ b/contrib/cvs/src/history.c
@@ -414,8 +414,11 @@ history (argc, argv)
working = 1;
break;
case 'X': /* Undocumented debugging flag */
+#ifdef DEBUG
histfile = optarg;
+#endif
break;
+
case 'D': /* Since specified date */
if (*since_rev || *since_tag || *backto)
{
@@ -890,9 +893,13 @@ save_user (name)
{
if (user_count == user_max)
{
- user_max += USER_INCREMENT;
- user_list = (char **) xrealloc ((char *) user_list,
- (int) user_max * sizeof (char *));
+ user_max = xsum (user_max, USER_INCREMENT);
+ if (size_overflow_p (xtimes (user_max, sizeof (char *))))
+ {
+ error (0, 0, "save_user: too many users");
+ return;
+ }
+ user_list = xrealloc (user_list, xtimes (user_max, sizeof (char *)));
}
user_list[user_count++] = xstrdup (name);
}
@@ -920,9 +927,13 @@ save_file (dir, name, module)
if (file_count == file_max)
{
- file_max += FILE_INCREMENT;
- file_list = (struct file_list_str *) xrealloc ((char *) file_list,
- file_max * sizeof (*fl));
+ file_max = xsum (file_max, FILE_INCREMENT);
+ if (size_overflow_p (xtimes (file_max, sizeof (*fl))))
+ {
+ error (0, 0, "save_file: too many files");
+ return;
+ }
+ file_list = xrealloc (file_list, xtimes (file_max, sizeof (*fl)));
}
fl = &file_list[file_count++];
fl->l_file = cp = xmalloc (strlen (dir) + strlen (name) + 2);
@@ -961,9 +972,13 @@ save_module (module)
{
if (mod_count == mod_max)
{
- mod_max += MODULE_INCREMENT;
- mod_list = (char **) xrealloc ((char *) mod_list,
- mod_max * sizeof (char *));
+ mod_max = xsum (mod_max, MODULE_INCREMENT);
+ if (size_overflow_p (xtimes (mod_max, sizeof (char *))))
+ {
+ error (0, 0, "save_module: too many modules");
+ return;
+ }
+ mod_list = xrealloc (mod_list, xtimes (mod_max, sizeof (char *)));
}
mod_list[mod_count++] = xstrdup (module);
}
diff --git a/contrib/cvs/src/modules.c b/contrib/cvs/src/modules.c
index 087676c31b45..ed148b04ce22 100644
--- a/contrib/cvs/src/modules.c
+++ b/contrib/cvs/src/modules.c
@@ -167,6 +167,24 @@ do_module (db, mname, m_type, msg, callback_proc, where, shorten,
mname);
+ /* Don't process absolute directories. Anything else could be a security
+ * problem. Before this check was put in place:
+ *
+ * $ cvs -d:fork:/cvsroot co /foo
+ * cvs server: warning: cannot make directory CVS in /: Permission denied
+ * cvs [server aborted]: cannot make directory /foo: Permission denied
+ * $
+ */
+ if (isabsolute (mname))
+ error (1, 0, "Absolute module reference invalid: `%s'", mname);
+
+ /* Similarly for directories that attempt to step above the root of the
+ * repository.
+ */
+ if (pathname_levels (mname) > 0)
+ error (1, 0, "up-level in module reference (`..') invalid: `%s'.",
+ mname);
+
/* if this is a directory to ignore, add it to that list */
if (mname[0] == '!' && mname[1] != '\0')
{
diff --git a/contrib/cvs/src/server.c b/contrib/cvs/src/server.c
index adf46aaf6366..40220ea2fc7f 100644
--- a/contrib/cvs/src/server.c
+++ b/contrib/cvs/src/server.c
@@ -927,7 +927,7 @@ serve_max_dotdot (arg)
int i;
char *p;
- if (lim < 0)
+ if (lim < 0 || lim > 10000)
return;
p = xmalloc (strlen (server_temp_dir) + 2 * lim + 10);
if (p == NULL)
@@ -1647,7 +1647,16 @@ serve_unchanged (arg)
&& strlen (arg) == cp - name
&& strncmp (arg, name, cp - name) == 0)
{
- timefield = strchr (cp + 1, '/') + 1;
+ if (!(timefield = strchr (cp + 1, '/')) || *++timefield == '\0')
+ {
+ /* We didn't find the record separator or it is followed by
+ * the end of the string, so just exit.
+ */
+ if (alloc_pending (80))
+ sprintf (pending_error_text,
+ "E Malformed Entry encountered.");
+ return;
+ }
/* If the time field is not currently empty, then one of
* serve_modified, serve_is_modified, & serve_unchanged were
* already called for this file. We would like to ignore the
@@ -1710,7 +1719,16 @@ serve_is_modified (arg)
&& strlen (arg) == cp - name
&& strncmp (arg, name, cp - name) == 0)
{
- timefield = strchr (cp + 1, '/') + 1;
+ if (!(timefield = strchr (cp + 1, '/')) || *++timefield == '\0')
+ {
+ /* We didn't find the record separator or it is followed by
+ * the end of the string, so just exit.
+ */
+ if (alloc_pending (80))
+ sprintf (pending_error_text,
+ "E Malformed Entry encountered.");
+ return;
+ }
/* If the time field is not currently empty, then one of
* serve_modified, serve_is_modified, & serve_unchanged were
* already called for this file. We would like to ignore the
@@ -1795,8 +1813,29 @@ serve_entry (arg)
{
struct an_entry *p;
char *cp;
+ int i = 0;
if (error_pending()) return;
- p = (struct an_entry *) xmalloc (sizeof (struct an_entry));
+
+ /* Verify that the entry is well-formed. This can avoid problems later.
+ * At the moment we only check that the Entry contains five slashes in
+ * approximately the correct locations since some of the code makes
+ * assumptions about this.
+ */
+ cp = arg;
+ if (*cp == 'D') cp++;
+ while (i++ < 5)
+ {
+ if (!cp || *cp != '/')
+ {
+ if (alloc_pending (80))
+ sprintf (pending_error_text,
+ "E protocol error: Malformed Entry");
+ return;
+ }
+ cp = strchr (cp + 1, '/');
+ }
+
+ p = xmalloc (sizeof (struct an_entry));
if (p == NULL)
{
pending_error = ENOMEM;
@@ -2028,6 +2067,9 @@ serve_notify (arg)
{
char *cp;
+ if (!data[0])
+ goto error;
+
if (strchr (data, '+'))
goto error;
@@ -2160,6 +2202,14 @@ serve_argument (arg)
if (error_pending()) return;
+ if (argument_count >= 10000)
+ {
+ if (alloc_pending (80))
+ sprintf (pending_error_text,
+ "E Protocol error: too many arguments");
+ return;
+ }
+
if (argument_vector_size <= argument_count)
{
argument_vector_size *= 2;
@@ -2190,6 +2240,14 @@ serve_argumentx (arg)
if (error_pending()) return;
+ if (argument_count <= 1)
+ {
+ if (alloc_pending (80))
+ sprintf (pending_error_text,
+ "E Protocol error: called argumentx without prior call to argument");
+ return;
+ }
+
p = argument_vector[argument_count - 1];
p = xrealloc (p, strlen (p) + 1 + strlen (arg) + 1);
if (p == NULL)
@@ -2546,7 +2604,7 @@ check_command_legal_p (cmd_name)
save some code here... -kff */
/* Chop newline by hand, for strcmp()'s sake. */
- if (linebuf[num_red - 1] == '\n')
+ if (num_red > 0 && linebuf[num_red - 1] == '\n')
linebuf[num_red - 1] = '\0';
if (strcmp (linebuf, CVS_Username) == 0)
@@ -2601,7 +2659,7 @@ check_command_legal_p (cmd_name)
while ((num_red = getline (&linebuf, &linebuf_len, fp)) >= 0)
{
/* Chop newline by hand, for strcmp()'s sake. */
- if (linebuf[num_red - 1] == '\n')
+ if (num_red > 0 && linebuf[num_red - 1] == '\n')
linebuf[num_red - 1] = '\0';
if (strcmp (linebuf, CVS_Username) == 0)
diff --git a/contrib/cvs/src/wrapper.c b/contrib/cvs/src/wrapper.c
index ab0b19fea55f..183de44dd245 100644
--- a/contrib/cvs/src/wrapper.c
+++ b/contrib/cvs/src/wrapper.c
@@ -239,6 +239,30 @@ wrap_unparse_rcs_options (line, first_call_p)
#endif /* SERVER_SUPPORT || CLIENT_SUPPORT */
/*
+ * Remove fmt str specifier other than %% or %s. And allow
+ * only max_s %s specifiers
+ */
+wrap_clean_fmt_str(char *fmt, int max_s)
+{
+ while (*fmt) {
+ if (fmt[0] == '%' && fmt[1])
+ {
+ if (fmt[1] == '%')
+ fmt++;
+ else
+ if (fmt[1] == 's' && max_s > 0)
+ {
+ max_s--;
+ fmt++;
+ } else
+ *fmt = ' ';
+ }
+ fmt++;
+ }
+ return;
+}
+
+/*
* Open a file and read lines, feeding each line to a line parser. Arrange
* for keeping a temporary list of wrappers at the end, if the "temp"
* argument is set.
@@ -558,9 +582,8 @@ wrap_tocvs_process_file(fileName)
args = xmalloc (strlen (e->tocvsFilter)
+ strlen (fileName)
+ strlen (buf));
- /* FIXME: sprintf will blow up if the format string contains items other
- than %s, or contains too many %s's. We should instead be parsing
- e->tocvsFilter ourselves and giving a real error. */
+
+ wrap_clean_fmt_str(e->tocvsFilter, 2);
sprintf (args, e->tocvsFilter, fileName, buf);
run_setup (args);
run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL|RUN_REALLY );
@@ -592,9 +615,8 @@ wrap_fromcvs_process_file(fileName)
args = xmalloc (strlen (e->fromcvsFilter)
+ strlen (fileName));
- /* FIXME: sprintf will blow up if the format string contains items other
- than %s, or contains too many %s's. We should instead be parsing
- e->fromcvsFilter ourselves and giving a real error. */
+
+ wrap_clean_fmt_str(e->fromcvsFilter, 1);
sprintf (args, e->fromcvsFilter, fileName);
run_setup (args);
run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL );
diff --git a/gnu/usr.bin/cvs/lib/config.h.proto b/gnu/usr.bin/cvs/lib/config.h.proto
index 3efc40f77011..a5a21a92038f 100644
--- a/gnu/usr.bin/cvs/lib/config.h.proto
+++ b/gnu/usr.bin/cvs/lib/config.h.proto
@@ -248,7 +248,7 @@
#define HAVE_SIGVEC 1
/* Define to 1 if you have the <stdint.h> header file. */
-#define HAVE_STDINT_H 1
+/* #undef HAVE_STDINT_H */
/* Define to 1 if you have the <stdlib.h> header file. */
#define HAVE_STDLIB_H 1
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index dc5d759b4751..5994ae06c428 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.9"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"