authorDag-Erling Smørgrav <des@FreeBSD.org>2014-11-04 23:32:45 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2014-11-04 23:32:45 +0000
commit7cebf7e583e85beb2434c3dac21c4e3db1873134 (patch)
tree7737d959c3d040d766284ccbee58db8287d7a6f7
parenteb5534a05f5ce0574f09cf0beecf2e4758abf670 (diff)
[SA-14:24] Fix denial of service attack against sshd(8).
[SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2). [SA-14:26] Fix remote command execution in ftp(1). [EN-14:12] Fix NFSv4 and ZFS cache consistency issue. Approved by: so (des)
Notes
Notes: svn path=/releng/9.1/; revision=274112
-rw-r--r--UPDATING14
-rw-r--r--contrib/tnftp/src/fetch.c36
-rw-r--r--secure/usr.sbin/sshd/Makefile10
-rw-r--r--sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c1
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/kern/kern_prot.c31
6 files changed, 65 insertions, 29 deletions
diff --git a/UPDATING b/UPDATING
index 90f6f900025a..fed22aff9040 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,20 @@ handbook.
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20141104: p22 FreeBSD-SA-14:24.sshd
+ FreeBSD-SA-14:25.setlogin
+ FreeBSD-SA-14:26.ftp
+ FreeBSD-EN-14:12.zfs
+
+ Fix denial of service attack against sshd(8). [SA-14:24]
+
+ Fix kernel stack disclosure in setlogin(2) / getlogin(2).
+ [SA-14:25]
+
+ Fix remote command execution in ftp(1). [SA-14:26]
+
+ Fix NFSv4 and ZFS cache consistency issue. [EN-14:12]
+
20141022: p21 FreeBSD-EN-14:10.tzdata
Time zone data file update. [EN-14:10]
diff --git a/contrib/tnftp/src/fetch.c b/contrib/tnftp/src/fetch.c
index 91b49fd2435a..72153a546b0e 100644
--- a/contrib/tnftp/src/fetch.c
+++ b/contrib/tnftp/src/fetch.c
@@ -547,7 +547,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
url_decode(decodedpath);
if (outfile)
- savefile = ftp_strdup(outfile);
+ savefile = outfile;
else {
cp = strrchr(decodedpath, '/'); /* find savefile */
if (cp != NULL)
@@ -571,8 +571,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
rangestart = rangeend = entitylen = -1;
mtime = -1;
if (restartautofetch) {
- if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
- stat(savefile, &sb) == 0)
+ if (stat(savefile, &sb) == 0)
restart_point = sb.st_size;
}
if (urltype == FILE_URL_T) { /* file:// URLs */
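Review bot: With the `-` and `|` guards removed, `stat(savefile, &sb)` now also runs on a command-line `-o -` or `-o '|cmd'` argument as if it were a path, so a file in the working directory that happens to carry that literal name would set `restart_point` even though output goes to stdout or a pipe. Dropping the guard is right for names derived from the URL, which are now treated as plain files, but the trusted case could keep it, e.g. `if (!(outfile == savefile && (strcmp(savefile, "-") == 0 || *savefile == '|')) && stat(savefile, &sb) == 0)`. Most of the code that consumes `restart_point` is outside this hunk, so the practical effect should be confirmed there.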
@@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
} /* end of ftp:// or http:// specific setup */
/* Open the output file. */
- if (strcmp(savefile, "-") == 0) {
- fout = stdout;
- } else if (*savefile == '|') {
- oldintp = xsignal(SIGPIPE, SIG_IGN);
- fout = popen(savefile + 1, "w");
- if (fout == NULL) {
- warn("Can't execute `%s'", savefile + 1);
- goto cleanup_fetch_url;
+
+ /*
+ * Only trust filenames with special meaning if they came from
+ * the command line
+ */
+ if (outfile == savefile) {
+ if (strcmp(savefile, "-") == 0) {
+ fout = stdout;
+ } else if (*savefile == '|') {
+ oldintp = xsignal(SIGPIPE, SIG_IGN);
+ fout = popen(savefile + 1, "w");
+ if (fout == NULL) {
+ warn("Can't execute `%s'", savefile + 1);
+ goto cleanup_fetch_url;
+ }
+ closefunc = pclose;
}
- closefunc = pclose;
- } else {
+ }
+ if (fout == NULL) {
if ((rangeend != -1 && rangeend <= restart_point) ||
(rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
/* already done */
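Review bot: The trust decision `outfile == savefile` is a pointer-identity test, so it holds only while the first hunk keeps `savefile = outfile` without copying and the cleanup hunk keeps the matching `savefile != outfile` in front of `FREEPTR`. A later edit that brings back `ftp_strdup(outfile)` would silently turn `-o -` and `-o '|cmd'` into ordinary file names. I would extend the comment to say so, for instance `/* savefile aliases outfile only for -o; do not copy or reassign it, this check and the free at cleanup depend on the identity */`, or carry an explicit flag set where `savefile` is chosen. The fall-through `if (fout == NULL)` also assumes `fout` is still NULL on entry to this block, which is established outside the hunk.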
@@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
(*closefunc)(fout);
if (res0)
freeaddrinfo(res0);
- FREEPTR(savefile);
+ if (savefile != outfile)
+ FREEPTR(savefile);
FREEPTR(uuser);
if (pass != NULL)
memset(pass, 0, strlen(pass));
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index f587263f7faf..895bcb43c0ec 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -42,6 +42,16 @@ LDADD+= -lgssapi_krb5 -lgssapi -lkrb5 -lasn1
DPADD+= ${LIBCRYPTO} ${LIBCRYPT}
LDADD+= -lcrypto -lcrypt
+# Fix the order of NEEDED entries for libthr and libc. The libthr
+# needs to interpose libc symbols, leaving the libthr loading as
+# dependency of krb causes reversed order and broken interposing. Put
+# the threading library last on the linker command line, just before
+# the -lc added by a compiler driver.
+.if ${MK_KERBEROS_SUPPORT} != "no"
+DPADD+= ${LIBPTHREAD}
+LDADD+= -lpthread
+.endif
+
.if defined(LOCALBASE)
CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
.endif
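Review bot: The added block only does its job while it stays the last `LDADD+=` in this Makefile, and nothing in the hunk enforces that. A library appended further down would again put something after `-lpthread` and could bring back the reversed NEEDED order the comment describes. The comment could state the constraint directly, e.g. `# Keep this block after every other LDADD+= in this file.` If this is the sshd change behind SA-14:24, as the commit message suggests, naming the advisory there would keep the reason visible to whoever next tidies the link line.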
diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
index f8418c7f9ff8..bf291e4ae4d5 100644
--- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
+++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
@@ -2721,6 +2721,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, int flags, cred_t *cr,
#endif
vap->va_seq = zp->z_seq;
vap->va_flags = 0; /* FreeBSD: Reset chflags(2) flags. */
+ vap->va_filerev = zp->z_seq;
/*
* Add in any requested optional attributes and the create time.
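Review bot: The new `vap->va_filerev = zp->z_seq;` line carries no comment, while the FreeBSD-specific line just above it is marked `/* FreeBSD: ... */`. In imported OpenSolaris code an unmarked local addition is easy to drop in a later vendor merge. Something like `/* FreeBSD: file revision used for NFS cache consistency, see EN-14:12 */` would do, assuming this line is the EN-14:12 part of the commit. zfs_getattr begins and ends outside the hunk.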
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 3ab43125c3d0..08e4a2c6c1b5 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.1"
-BRANCH="RELEASE-p21"
+BRANCH="RELEASE-p22"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index cf939844576b..c658755bc042 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -2073,19 +2073,20 @@ struct getlogin_args {
int
sys_getlogin(struct thread *td, struct getlogin_args *uap)
{
- int error;
char login[MAXLOGNAME];
struct proc *p = td->td_proc;
+ size_t len;
if (uap->namelen > MAXLOGNAME)
uap->namelen = MAXLOGNAME;
PROC_LOCK(p);
SESS_LOCK(p->p_session);
- bcopy(p->p_session->s_login, login, uap->namelen);
+ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
SESS_UNLOCK(p->p_session);
PROC_UNLOCK(p);
- error = copyout(login, uap->namebuf, uap->namelen);
- return(error);
+ if (len > uap->namelen)
+ return (ERANGE);
+ return (copyout(login, uap->namebuf, len));
}
/*
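Review bot: `login[]` is still an uninitialised stack buffer, and the disclosure fix rests entirely on `copyout()` being passed `len` (the bytes `strlcpy()` wrote, terminator included) instead of `uap->namelen`; nothing in the function says so. A comment above the copyout such as `/* copy out only what strlcpy() initialised; the rest of login[] is uninitialised stack */` would keep a later clean-up from restoring the old length. The clamp and the `len > uap->namelen` comparison also appear to rely on `namelen` being unsigned, which is declared in `struct getlogin_args` outside the hunk and is worth confirming.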
@@ -2104,21 +2105,23 @@ sys_setlogin(struct thread *td, struct setlogin_args *uap)
int error;
char logintmp[MAXLOGNAME];
+ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
+
error = priv_check(td, PRIV_PROC_SETLOGIN);
if (error)
return (error);
error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
- if (error == ENAMETOOLONG)
- error = EINVAL;
- else if (!error) {
- PROC_LOCK(p);
- SESS_LOCK(p->p_session);
- (void) memcpy(p->p_session->s_login, logintmp,
- sizeof(logintmp));
- SESS_UNLOCK(p->p_session);
- PROC_UNLOCK(p);
+ if (error != 0) {
+ if (error == ENAMETOOLONG)
+ error = EINVAL;
+ return (error);
}
- return (error);
+ PROC_LOCK(p);
+ SESS_LOCK(p->p_session);
+ strcpy(p->p_session->s_login, logintmp);
+ SESS_UNLOCK(p->p_session);
+ PROC_UNLOCK(p);
+ return (0);
}
void
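Review bot: `strcpy()` overwrites `s_login` only up to the new terminator, so the bytes after it keep whatever an earlier, longer name or the previous full-buffer `memcpy` left there. That is harmless for readers that treat `s_login` as a C string, as the patched sys_getlogin does, but any reader that copies the whole array would still expose the tail; whether such readers exist is not visible here. Either document the rule next to the copy, `/* s_login is a NUL-terminated string; never copy the full array to userland */`, or clear the buffer under the same locks with `memset(p->p_session->s_login, 0, sizeof(p->p_session->s_login));` before the `strcpy()`. The start of sys_setlogin, including the declaration of `p`, lies outside the hunk.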