authorColin Percival <cperciva@FreeBSD.org>2010-05-27 03:15:04 +0000
committerColin Percival <cperciva@FreeBSD.org>2010-05-27 03:15:04 +0000
commita6b5951a1159278502d0b699efcdf9276a4334db (patch)
treee4938b70333428a22b43a642ce2d063f2e1bb813
parent2e7e77ff792417b708755984259bd4833608e85b (diff)
Change the current working directory to be inside the jail created by
the jail(8) command. [10:04] Fix a one-NUL-byte buffer overflow in libopie. [10:05] Correctly sanity-check a buffer length in nfs mount. [10:06] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-10:04.jail Security: FreeBSD-SA-10:05.opie Security: FreeBSD-SA-10:06.nfsclient
Notes
Notes: svn path=/releng/8.0/; revision=208586
-rw-r--r--UPDATING9
-rw-r--r--contrib/opie/libopie/readrec.c4
-rw-r--r--lib/libc/sys/mount.29
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/nfsclient/nfs_vfsops.c5
-rw-r--r--usr.sbin/jail/jail.c4
6 files changed, 28 insertions, 5 deletions
diff --git a/UPDATING b/UPDATING
index a2a59f221574..b326a7112120 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20100526: p3 FreeBSD-SA-10:04.jail, FreeBSD-SA-10:05.opie,
+ FreeBSD-SA-10:06.nfsclient
+ Change the current working directory to be inside the jail created by
+ the jail(8) command. [10:04]
+
+ Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
+ Correctly sanity-check a buffer length in nfs mount. [10:06]
+
20100106: p2 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd,
FreeBSD-SA-10:03.zfs, FreeBSD-EN-10:01.freebsd
Fix BIND named(8) cache poisoning with DNSSEC validation.
diff --git a/contrib/opie/libopie/readrec.c b/contrib/opie/libopie/readrec.c
index f56af7ffb73d..4f204b927eeb 100644
--- a/contrib/opie/libopie/readrec.c
+++ b/contrib/opie/libopie/readrec.c
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struct opie *opie)
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
- if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
- (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
- strcpy(principal, opie->opie_principal);
+ strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
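Review bot: The return value of `strlcpy` is discarded on the added line, so a principal longer than the local buffer is silently truncated, and the shortened name is presumably what the record search in the following loop works with. Unlike the removed lines, the new code no longer shortens `opie->opie_principal` itself, so the caller's copy and the local `principal` can now differ; whether later code depends on them matching is not visible here. Consider rejecting over-long names rather than truncating, e.g. `if (strlcpy(principal, opie->opie_principal, sizeof(principal)) >= sizeof(principal))` followed by the function's existing error return. The `sizeof(principal)` bound is only correct if `principal` is an array rather than a pointer; its declaration and the rest of `__opiereadrec` lie outside the hunk.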
diff --git a/lib/libc/sys/mount.2 b/lib/libc/sys/mount.2
index 6ce2d4d2fa74..3d48f4110fce 100644
--- a/lib/libc/sys/mount.2
+++ b/lib/libc/sys/mount.2
@@ -107,7 +107,7 @@ This restriction can be removed by setting the
.Va vfs.usermount
.Xr sysctl 8
variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
.Pp
The following
.Fa flags
@@ -370,3 +370,10 @@ functions appeared in
.At v6 .
.Sh BUGS
Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index de53cd7f4f8e..e71b051674f6 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.0"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/nfsclient/nfs_vfsops.c b/sys/nfsclient/nfs_vfsops.c
index 17dc5d4b5dee..c4366eb15b9b 100644
--- a/sys/nfsclient/nfs_vfsops.c
+++ b/sys/nfsclient/nfs_vfsops.c
@@ -1054,6 +1054,11 @@ nfs_mount(struct mount *mp)
error = EINVAL;
goto out;
}
+ if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+ vfs_mount_error(mp, "Bad file handle");
+ error = EINVAL;
+ goto out;
+ }
if (mp->mnt_flag & MNT_UPDATE) {
struct nfsmount *nmp = VFSTONFS(mp);
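Review bot: The added check applies the NFSv3 maximum, `NFSX_V3FHMAX`, to every mount, so a mount that is not v3 could still pass a handle size larger than its protocol allows; whether that path needs its own tighter bound cannot be told from this hunk. The check would also benefit from a comment saying what it protects, for example `/* fhsize is supplied by the mount caller; bound it before it is used as a length. */`. `nfs_mount` begins and ends outside the hunk, so the later use of `args.fhsize` and the size of the buffer it fills are not visible here.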
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
index ca87796d3364..0722bfd22397 100644
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@@ -511,6 +511,10 @@ set_param(const char *name, char *value)
*value++ = '\0';
}
+ /* jail_set won't chdir along with its chroot, so do it here. */
+ if (!strcmp(name, "path") && chdir(value) < 0)
+ err(1, "chdir: %s", value);
+
/* Check for repeat parameters */
for (i = 0; i < nparams; i++)
if (!strcmp(name, params[i].jp_name)) {
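Review bot: The added `chdir(value)` resolves the jail path by name once here, and the same string is presumably resolved a second time when it is later handed to `jail_set`, so the working directory and the jail root are not guaranteed to be the same directory. If `value` is relative, the second lookup would start from the directory just entered, and a path component replaced between the two lookups would also make them diverge. Canonicalising once, e.g. `realpath(value, resolved)` before the `chdir`, and passing the resolved string on as the parameter value would narrow that gap. It is also worth confirming that `value` cannot be NULL at this point, since the split above (`*value++ = '\0';`) is only partly visible; `set_param` begins and ends outside the hunk.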