authorColin Percival <cperciva@FreeBSD.org>2006-12-06 09:18:02 +0000
committerColin Percival <cperciva@FreeBSD.org>2006-12-06 09:18:02 +0000
commitc9d94646a4cf026c9d3e1db25e3265fb20b41554 (patch)
tree444b743c959a4ddfa1b4dfdb19ba158afe428237
parent3bd085e6a7dda24a1923e51192bb69b07960d7d1 (diff)
Correct a signedness bug which allowed members of the operator
group to read kernel memory. [1] Disable handling of GNUTYPE_NAMES tar file entries by default, since they can be used to extract files outside of the cwd. [2] Security: FreeBSD-SA-06:25.kmem [1] Security: FreeBSD-SA-06:26.gtar [2] Approved by: so (cperciva)
Notes
Notes: svn path=/releng/5.5/; revision=164944
-rw-r--r--UPDATING7
-rw-r--r--contrib/tar/src/common.h3
-rw-r--r--contrib/tar/src/extract.c8
-rw-r--r--contrib/tar/src/tar.c8
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/dev/firewire/fwdev.c2
6 files changed, 27 insertions, 3 deletions
diff --git a/UPDATING b/UPDATING
index 3802d3e5eeb9..d1caf2177ae0 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,13 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20061206: p9 FreeBSD-SA-06:25.kmem, FreeBSD-SA-06.26.gtar
+ Correct a signedness bug which allowed members of the operator
+ group to read kernel memory. [06:25]
+
+ Disable handling of GNUTYPE_NAMES tar file entries by default,
+ since they can be used to extract files outside of the cwd. [06:26]
+
20060930: p8 FreeBSD-SA-06:22.openssh
Correct multiple vulnerabilities in sshd(8).
diff --git a/contrib/tar/src/common.h b/contrib/tar/src/common.h
index 40e0ab61d78f..ee2548e7d37e 100644
--- a/contrib/tar/src/common.h
+++ b/contrib/tar/src/common.h
@@ -124,6 +124,9 @@ GLOBAL size_t record_size;
/* Boolean value. */
GLOBAL int absolute_names_option;
+/* Allow GNUTYPE_NAMES type? */
+GLOBAL bool allow_name_mangling_option;
+
/* This variable tells how to interpret newer_mtime_option, below. If zero,
files get archived if their mtime is not less than newer_mtime_option.
If nonzero, files get archived if *either* their ctime or mtime is not less
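Review bot: The comment on `allow_name_mangling_option` is phrased as a question and states neither the default nor the reason the flag exists, which matters for a switch that re-enables behaviour the commit message describes as unsafe. I would document it as `/* True if --allow-name-mangling was given. GNUTYPE_NAMES entries are ignored otherwise, since they can place files outside the current directory. */`. The declaration has no initializer, so the off-by-default behaviour presumably relies on GLOBAL objects being zero-initialized; saying so in the comment would make that dependency explicit.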
diff --git a/contrib/tar/src/extract.c b/contrib/tar/src/extract.c
index 3032da06ceb3..81010a79c1c7 100644
--- a/contrib/tar/src/extract.c
+++ b/contrib/tar/src/extract.c
@@ -1219,7 +1219,13 @@ extract_archive (void)
break;
case GNUTYPE_NAMES:
- extract_mangle ();
+ if (allow_name_mangling_option)
+ extract_mangle ();
+ else {
+ ERROR ((0, 0, _("GNUTYPE_NAMES mangling ignored")));
+ if (backup_option)
+ undo_last_backup ();
+ }
break;
case GNUTYPE_MULTIVOL:
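Review bot: The new else branch of the GNUTYPE_NAMES case reports an error and undoes the backup, but nothing visible in it consumes the member's data blocks. If `extract_mangle ()` is what reads that data (its body is not shown here), the ignored entry's payload stays in the stream and the next header read lands on it, giving follow-on errors or a resync instead of a clean skip. Adding `skip_member ();` before `if (backup_option)` would address that; it should be confirmed against how the neighbouring cases skip a member, since extract_archive continues outside the hunk. The message could also name the switch, e.g. `_("GNUTYPE_NAMES mangling ignored; use --allow-name-mangling to enable")`, so an operator who trusts the archive knows how to proceed.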
diff --git a/contrib/tar/src/tar.c b/contrib/tar/src/tar.c
index 7d872faf11a3..27ac28e35609 100644
--- a/contrib/tar/src/tar.c
+++ b/contrib/tar/src/tar.c
@@ -129,6 +129,7 @@ confirm (const char *message_action, const char *message_name)
enum
{
ANCHORED_OPTION = CHAR_MAX + 1,
+ ALLOW_NAME_MANGLING_OPTION,
BACKUP_OPTION,
DELETE_OPTION,
EXCLUDE_OPTION,
@@ -178,6 +179,7 @@ static struct option long_options[] =
{"absolute-names", no_argument, 0, 'P'},
{"absolute-paths", no_argument, 0, OBSOLETE_ABSOLUTE_NAMES},
{"after-date", required_argument, 0, 'N'},
+ {"allow-name-mangling", no_argument, 0, ALLOW_NAME_MANGLING_OPTION},
{"anchored", no_argument, 0, ANCHORED_OPTION},
{"append", no_argument, 0, 'r'},
{"atime-preserve", no_argument, &atime_preserve_option, 1},
@@ -392,6 +394,8 @@ Archive format selection:\n\
PATTERN at list/extract time, a globbing PATTERN\n\
-o, --old-archive, --portability write a V7 format archive\n\
--posix write a POSIX format archive\n\
+ --allow-name-mangling allow GNUTYPE_NAMES mangling --\n\
+ considered dangerous\n\
-j, -y, --bzip, --bzip2, --bunzip2 filter the archive through bzip2\n\
-z, --gzip, --ungzip filter the archive through gzip\n\
-Z, --compress, --uncompress filter the archive through compress\n\
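Review bot: The usage text added for `--allow-name-mangling` says only "considered dangerous", which does not tell the user what the risk is. It also appears to sit under "Archive format selection" although the flag changes extraction behaviour. Wording such as `--allow-name-mangling  process GNUTYPE_NAMES entries; these can\n\` followed by `  place files outside the current directory\n\` would carry the reason given in the commit message. The usage string starts and ends outside this hunk, so the section placement should be checked against the full text.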
@@ -901,6 +905,10 @@ decode_options (int argc, char **argv)
set_use_compress_program_option ("compress");
break;
+ case ALLOW_NAME_MANGLING_OPTION:
+ allow_name_mangling_option = true;
+ break;
+
case OBSOLETE_VERSION_CONTROL:
WARN ((0, 0, _("Obsolete option name replaced by --backup")));
/* Fall through. */
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 733a73647bca..3db1b09b4035 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="5.5"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/dev/firewire/fwdev.c b/sys/dev/firewire/fwdev.c
index 79c74af9fe84..9d37409ec4bb 100644
--- a/sys/dev/firewire/fwdev.c
+++ b/sys/dev/firewire/fwdev.c
@@ -712,7 +712,7 @@ out:
else
len = fwdev->rommax - CSRROMOFF + 4;
}
- if (crom_buf->len < len)
+ if (crom_buf->len < len && crom_buf->len >= 0)
len = crom_buf->len;
else
crom_buf->len = len;
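Review bot: With the added `crom_buf->len >= 0` test a negative length is no longer used as the copy size, but it is silently treated as a request for the full length: control falls to the else branch and `crom_buf->len` is overwritten with `len`. Rejecting a negative value with an error before this comparison would make the contract explicit; the surrounding function and its error path are outside the hunk, so the exact lines cannot be quoted here. At minimum I would add a comment above the test, `/* crom_buf->len is signed and presumably caller-supplied; a negative value must never become the copy length. */`. An unsigned type for the field would remove this class of bug, if the ioctl ABI allows the change.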