aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2015-08-25 20:49:05 +0000
committerXin LI <delphij@FreeBSD.org>2015-08-25 20:49:05 +0000
commit0a4794072ceddb6293565e4730b0081a906d0844 (patch)
tree2fced043194bfb9dd5d9f3a562fece921c64c58b
parent85d704f8b6f27204b662eb54da2490c7495b441d (diff)
downloadsrc-0a4794072ceddb6293565e4730b0081a906d0844.tar.gz
src-0a4794072ceddb6293565e4730b0081a906d0844.zip
Fix local privilege escalation in IRET handler. [SA-15:21]
Fix OpenSSH multiple vulnerabilities. [SA-15:22] Fix insufficient check of unsupported pkg(7) signature methods. [EN-15:15] Approved by: so
Notes
Notes: svn path=/releng/9.3/; revision=287147
-rw-r--r--UPDATING11
-rw-r--r--crypto/openssh/monitor.c6
-rw-r--r--crypto/openssh/monitor_wrap.c1
-rw-r--r--crypto/openssh/mux.c6
-rw-r--r--sys/amd64/amd64/exception.S9
-rw-r--r--sys/amd64/amd64/machdep.c1
-rw-r--r--sys/amd64/amd64/trap.c2
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--usr.sbin/pkg/pkg.c16
9 files changed, 41 insertions, 13 deletions
diff --git a/UPDATING b/UPDATING
index 8dcc8fc965c4..9c40cc4e55de 100644
--- a/UPDATING
+++ b/UPDATING
@@ -11,6 +11,17 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20150825: p24 FreeBSD-SA-15:21.amd64
+ FreeBSD-SA-15:22.openssh
+ FreeBSD-EN-15:15.pkg
+
+ Fix local privilege escalation in IRET handler. [SA-15:21]
+
+ Fix OpenSSH multiple vulnerabilities. [SA-15:22]
+
+ Fix insufficient check of unsupported pkg(7) signature methods.
+ [EN-15:15]
+
20150818: p23 FreeBSD-SA-15:20.expat
Fix multiple integer overflows in expat (libbsdxml) XML parser.
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 531c4f9a8518..af63490cf5a0 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device;
int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{
-
debug3("%s", __func__);
- authctxt->user = buffer_get_string(m, NULL);
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
@@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
debug3("%s", __func__);
(sshpam_device.free_ctx)(sshpam_ctxt);
+ sshpam_ctxt = sshpam_authok = NULL;
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive";
auth_submethod = "pam";
- return (sshpam_authok == sshpam_ctxt);
+ return r;
}
#endif
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index 1a47e41745d1..b2bc8dd64881 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
debug3("%s", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, authctxt->user);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/crypto/openssh/mux.c b/crypto/openssh/mux.c
index 6ef88c9cba23..e27194f0f5a0 100644
--- a/crypto/openssh/mux.c
+++ b/crypto/openssh/mux.c
@@ -635,7 +635,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
u_int lport, cport;
int i, ret = 0, freefwd = 1;
- fwd.listen_host = fwd.connect_host = NULL;
+ memset(&fwd, 0, sizeof(fwd));
+
if (buffer_get_int_ret(&ftype, m) != 0 ||
(fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&lport, m) != 0 ||
@@ -785,7 +786,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
int i, listen_port, ret = 0;
u_int lport, cport;
- fwd.listen_host = fwd.connect_host = NULL;
+ memset(&fwd, 0, sizeof(fwd));
+
if (buffer_get_int_ret(&ftype, m) != 0 ||
(fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&lport, m) != 0 ||
diff --git a/sys/amd64/amd64/exception.S b/sys/amd64/amd64/exception.S
index 25b89d819af0..49d61f67a581 100644
--- a/sys/amd64/amd64/exception.S
+++ b/sys/amd64/amd64/exception.S
@@ -154,9 +154,13 @@ IDTVEC(xmm)
IDTVEC(tss)
TRAP_ERR(T_TSSFLT)
IDTVEC(missing)
- TRAP_ERR(T_SEGNPFLT)
+ subq $TF_ERR,%rsp
+ movl $T_SEGNPFLT,TF_TRAPNO(%rsp)
+ jmp prot_addrf
IDTVEC(stk)
- TRAP_ERR(T_STKFLT)
+ subq $TF_ERR,%rsp
+ movl $T_STKFLT,TF_TRAPNO(%rsp)
+ jmp prot_addrf
IDTVEC(align)
TRAP_ERR(T_ALIGNFLT)
@@ -319,6 +323,7 @@ IDTVEC(page)
IDTVEC(prot)
subq $TF_ERR,%rsp
movl $T_PROTFLT,TF_TRAPNO(%rsp)
+prot_addrf:
movq $0,TF_ADDR(%rsp)
movq %rdi,TF_RDI(%rsp) /* free up a GP register */
leaq doreti_iret(%rip),%rdi
diff --git a/sys/amd64/amd64/machdep.c b/sys/amd64/amd64/machdep.c
index 63de58ff8f9c..e0f848657d9f 100644
--- a/sys/amd64/amd64/machdep.c
+++ b/sys/amd64/amd64/machdep.c
@@ -428,6 +428,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
regs->tf_rflags &= ~(PSL_T | PSL_D);
regs->tf_cs = _ucodesel;
regs->tf_ds = _udatasel;
+ regs->tf_ss = _udatasel;
regs->tf_es = _udatasel;
regs->tf_fs = _ufssel;
regs->tf_gs = _ugssel;
diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c
index 3c6e0d3e6d4c..3c82692903ad 100644
--- a/sys/amd64/amd64/trap.c
+++ b/sys/amd64/amd64/trap.c
@@ -473,8 +473,6 @@ trap(struct trapframe *frame)
goto out;
case T_STKFLT: /* stack fault */
- break;
-
case T_PROTFLT: /* general protection fault */
case T_SEGNPFLT: /* segment not present fault */
if (td->td_intr_nesting_level != 0)
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index f5c1e4f8d64b..1424a22587a2 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.3"
-BRANCH="RELEASE-p23"
+BRANCH="RELEASE-p24"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/usr.sbin/pkg/pkg.c b/usr.sbin/pkg/pkg.c
index 9e222cb04ca7..0a4293875d91 100644
--- a/usr.sbin/pkg/pkg.c
+++ b/usr.sbin/pkg/pkg.c
@@ -749,7 +749,13 @@ bootstrap_pkg(bool force)
goto fetchfail;
if (signature_type != NULL &&
- strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+ strcasecmp(signature_type, "NONE") != 0) {
+ if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+ warnx("Signature type %s is not supported for "
+ "bootstrapping.", signature_type);
+ goto cleanup;
+ }
+
snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
@@ -834,7 +840,13 @@ bootstrap_pkg_local(const char *pkgpath, bool force)
return (-1);
}
if (signature_type != NULL &&
- strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+ strcasecmp(signature_type, "NONE") != 0) {
+ if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+ warnx("Signature type %s is not supported for "
+ "bootstrapping.", signature_type);
+ goto cleanup;
+ }
+
snprintf(path, sizeof(path), "%s.sig", pkgpath);
if ((fd_sig = open(path, O_RDONLY)) == -1) {