os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add latest advisories.

Browse source
This commit is contained in:
Simon L. B. Nielsen 2012-11-22 23:46:26 +00:00
parent 3f9ca4a10b
commit 26913edc9f
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=40128
12 changed files with 676 additions and 0 deletions

139
share/security/advisories/FreeBSD-SA-12:06.bind.asc Normal file
View file

@ -0,0 +1,139 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-12:06.bind Security Advisory
The FreeBSD Project
Topic: Multiple Denial of Service vulnerabilities with named(8)
Category: contrib
Module: bind
Announced: 2012-11-22
Affects: All supported versions of FreeBSD before 9.1-RC2.
Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
2012-10-11 13:25:09 UTC (RELENG_8, 8.3-STABLE)
2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
2012-10-10 19:50:15 UTC (RELENG_9, 9.1-PRERELEASE)
2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name: CVE-2012-4244, CVE-2012-5166
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
The BIND daemon would crash when a query is made on a resource record
with RDATA that exceeds 65535 bytes.
The BIND daemon would lock up when a query is made on specific
combinations of RDATA.
III. Impact
A remote attacker can query a resolving name server to retrieve a record
whose RDATA is known to be larger than 65535 bytes, thereby causing the
resolving server to crash via an assertion failure in named.
An attacker who is in a position to add a record with RDATA larger than
65535 bytes to an authoritative name server can cause that server to
crash by later querying for that record.
The attacker can also cause the server to lock up with specific
combinations of RDATA.
IV. Workaround
No workaround is available, but systems not running the BIND name
server are not affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, or RELENG_9_0 security branch dated
after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.4,
8.3, and 9.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
3) To update your vulnerable system via a binary patch:
Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, or 9.1-RC1 on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:
bind96-9.6.3.1.ESV.R7.4
bind97-9.7.6.4
bind98-9.8.3.4
bind99-9.9.1.4
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r243418
releng/7.4/ r243417
stable/8/ r241443
releng/8.3/ r243417
stable/9/ r241415
releng/9.0/ r243417
releng/9.1/ r243417
- -------------------------------------------------------------------------
VII. References
https://kb.isc.org/article/AA-00778
https://kb.isc.org/article/AA-00801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9
iEYEARECAAYFAlCutVIACgkQFdaIBMps37JhPQCfcwCHE7CxzBnrMdszdFYODgQs
1+kAn316Rx2d0Ecig5JHUR3broq5Hpog
=EklC
-----END PGP SIGNATURE-----

129
share/security/advisories/FreeBSD-SA-12:07.hostapd.asc Normal file
View file

@ -0,0 +1,129 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-12:07.hostapd Security Advisory
The FreeBSD Project
Topic: Insufficient message length validation for EAP-TLS messages
Category: contrib
Module: wpa
Announced: 2012-11-22
Credits: Timo Warns, Jouni Malinen
Affects: FreeBSD 8.0 and later.
Corrected: 2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name: CVE-2012-4445
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The hostapd utility is an authenticator for IEEE 802.11 networks. It
provides full support for WPA/IEEE 802.11i and can also act as an IEEE
802.1X Authenticator with a suitable backend Authentication Server
(typically FreeRADIUS).
EAP-TLS is the original, standard wireless LAN EAP authentication
protocol defined in RFC 5216. It uses PKI to secure communication to a
RADIUS authentication server or another type of authentication server.
II. Problem Description
The internal authentication server of hostapd does not sufficiently
validate the message length field of EAP-TLS messages.
III. Impact
A remote attacker could cause the hostapd daemon to abort by sending
specially crafted EAP-TLS messages, resulting in a Denial of Service.
IV. Workaround
No workaround is available, but systems not running hostapd are not
vulnerable.
Note that for FreeBSD 8.x systems, the EAP-TLS authentication method
is not enabled by default. Systems running FreeBSD 8.x are only
affected when hostapd is built with -DEAP_SERVER and as such, binary
installations from the official release are not affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 8-STABLE or 9-STABLE, or to
the RELENG_8_3, or RELENG_9_0 security branch dated after the
correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 8.3
and 9.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch.asc
[FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
3) To update your vulnerable system via a binary patch:
Systems running 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1, 9.1-RC2, or 9.1-RC3
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r<revision>
releng/8.3/ r<revision>
stable/9/ r<revision>
releng/9.0/ r<revision>
releng/9.1/ r<revision>
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.hostapd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9
iEYEARECAAYFAlCutVYACgkQFdaIBMps37IiwACfb85bpNnyzDRhlDnQiQ4lc6rC
MFsAoJ0KXKPu6focwcOGgwuQLhHjTpMx
=wijQ
-----END PGP SIGNATURE-----

123
share/security/advisories/FreeBSD-SA-12:08.linux.asc Normal file
View file

@ -0,0 +1,123 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-12:08.linux Security Advisory
The FreeBSD Project
Topic: Linux compatibility layer input validation error
Category: core
Module: kernel
Announced: 2012-11-22
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name: CVE-2012-4576
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component.
II. Problem Description
A programming error in the handling of some Linux system calls may
result in memory locations being accessed without proper validation.
III. Impact
It is possible for a local attacker to overwrite portions of kernel
memory, which may result in a privilege escalation or cause a system
panic.
IV. Workaround
No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.
The following command can be used to test if the Linux binary
compatibility layer is loaded:
# kldstat -m linuxelf
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_9_0, or RELENG_9_1 security
branch dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.4,
8.3, 9.0, and 9.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch
# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your vulnerable system via a binary patch:
Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1,
9.1-RC2, or 9.1-RC3 on the i386 or amd64 platforms can be updated via
the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r243418
releng/7.4/ r243417
stable/8/ r243417
releng/8.3/ r243417
stable/9/ r243417
releng/9.0/ r243417
releng/9.1/ r243417
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4576
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:08.linux.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9
iEYEARECAAYFAlCutVoACgkQFdaIBMps37JA4QCfZ/wp/ysDIJd1VwF525PzimTt
BUwAoJdU6pddJeJCsHfZ8812cAsrsLqP
=KVp4
-----END PGP SIGNATURE-----

184
share/security/patches/SA-12:06/bind.patch Normal file
View file

@ -0,0 +1,184 @@
Index: contrib/bind9/bin/named/query.c
===================================================================
--- contrib/bind9/bin/named/query.c (revision 241362)
+++ contrib/bind9/bin/named/query.c (working copy)
@@ -1140,7 +1140,0 @@ query_isduplicate(ns_client_t *client, dns_name_t
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_t *name, d
if (dns_rdataset_isassociated(rdataset) &&
!query_isduplicate(client, fname, type, &mname)) {
if (mname != NULL) {
+ INSIST(mname != fname);
query_releasename(client, &fname);
fname = mname;
} else
@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_t *name, d
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
+ if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
fname = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_t *name, d
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
+ if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
fname = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name_t *name,
crdataset->type == dns_rdatatype_aaaa) {
if (!query_isduplicate(client, fname, crdataset->type,
&mname)) {
+ if (mname != fname) {
if (mname != NULL) {
/*
* A different type of this name is
@@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name_t *name,
mname0 = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE;
Index: contrib/bind9/lib/dns/include/dns/rdata.h
===================================================================
--- contrib/bind9/lib/dns/include/dns/rdata.h (revision 241362)
+++ contrib/bind9/lib/dns/include/dns/rdata.h (working copy)
@@ -147,6 +147,17 @@ struct dns_rdata {
(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
/*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH 65512U
+
+/*
* Flags affecting rdata formatting style. Flags 0xFFFF0000
* are used by masterfile-level formatting and defined elsewhere.
* See additional comments at dns_rdata_tofmttext().
Index: contrib/bind9/lib/dns/master.c
===================================================================
--- contrib/bind9/lib/dns/master.c (revision 241362)
+++ contrib/bind9/lib/dns/master.c (working copy)
@@ -75,7 +75,7 @@
/*%
* max message size - header - root - type - class - ttl - rdlen
*/
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
/*%
* Size for tokens in the presentation format,
* The largest tokens are the base64 blocks in KEY and CERT records,
Index: contrib/bind9/lib/dns/rdata.c
===================================================================
--- contrib/bind9/lib/dns/rdata.c (revision 241362)
+++ contrib/bind9/lib/dns/rdata.c (working copy)
@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
isc_buffer_t st;
isc_boolean_t use_default = ISC_FALSE;
isc_uint32_t activelength;
+ size_t length;
REQUIRE(dctx != NULL);
if (rdata != NULL) {
@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
}
/*
+ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+ * as we cannot transmit it.
+ */
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = DNS_R_FORMERR;
+
+ /*
* We should have consumed all of our buffer.
*/
if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, &region);
}
@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdatacl
unsigned long line;
void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
isc_result_t tresult;
+ size_t length;
REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
if (rdata != NULL) {
@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdatacl
}
} while (1);
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = ISC_R_NOSPACE;
+
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, &region);
}
if (result != ISC_R_SUCCESS) {
@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdata
isc_buffer_t st;
isc_region_t region;
isc_boolean_t use_default = ISC_FALSE;
+ size_t length;
REQUIRE(source != NULL);
if (rdata != NULL) {
@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdata
if (use_default)
(void)NULL;
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = ISC_R_NOSPACE;
+
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, &region);
}
if (result != ISC_R_SUCCESS)

7
share/security/patches/SA-12:06/bind.patch.asc Normal file
View file

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9
iEYEABECAAYFAlCutW0ACgkQFdaIBMps37Jv4ACfQSkD3485eTAzkfovm8D93DvE
qXEAn3IiThUYmh8j//lwUN1iKcf61Wp/
=TTmP
-----END PGP SIGNATURE-----

18
share/security/patches/SA-12:07/hostapd-8.patch Normal file
View file

@ -0,0 +1,18 @@
Index: contrib/wpa/src/eap_server/eap_tls_common.c
===================================================================
--- contrib/wpa/src/eap_server/eap_tls_common.c (revision 240976)
+++ contrib/wpa/src/eap_server/eap_tls_common.c (working copy)
@@ -220,6 +220,13 @@ static int eap_server_tls_process_fragment(struct
" over 64 kB)");
return -1;
}
+ if (len > message_length) {
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+ "first fragment of frame (TLS Message "
+ "Length %d bytes)",
+ (int) len, (int) message_length);
+ return -1;
+ }
data->in_buf = wpabuf_alloc(message_length);
if (data->in_buf == NULL) {

7
share/security/patches/SA-12:07/hostapd-8.patch.asc Normal file
View file

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9
iEYEABECAAYFAlCutWkACgkQFdaIBMps37ID9wCghACRhZoqwo7c2lb2yS4CeT+r
mLcAn03eMFp1mpjDmq6ZU95v4ocwmSfP
=qF0E
-----END PGP SIGNATURE-----

19
share/security/patches/SA-12:07/hostapd.patch Normal file
View file

@ -0,0 +1,19 @@
Index: contrib/wpa/src/eap_server/eap_server_tls_common.c
===================================================================
--- contrib/wpa/src/eap_server/eap_server_tls_common.c (revision 240924)
+++ contrib/wpa/src/eap_server/eap_server_tls_common.c (working copy)
@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct
return -1;
}
+ if (len > message_length) {
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+ "first fragment of frame (TLS Message "
+ "Length %d bytes)",
+ (int) len, (int) message_length);
+ return -1;
+ }
+
data->tls_in = wpabuf_alloc(message_length);
if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");

7
share/security/patches/SA-12:07/hostapd.patch.asc Normal file
View file

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9
iEYEABECAAYFAlCutWYACgkQFdaIBMps37J+fACfXVjO/+y2+MwRSzNqKGg8aqJ+
rpMAn0YUlFyhwIlMISyDUAQl+NZ75QLI
=Yl8o
-----END PGP SIGNATURE-----

16
share/security/patches/SA-12:08/linux.patch Normal file
View file

@ -0,0 +1,16 @@
Index: sys/compat/linux/linux_ioctl.c
===================================================================
--- sys/compat/linux/linux_ioctl.c (revision 242578)
+++ sys/compat/linux/linux_ioctl.c (working copy)
@@ -2260,8 +2260,9 @@ again:
ifc.ifc_len = valid_len;
sbuf_finish(sb);
- memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
- error = copyout(&ifc, uifc, sizeof(ifc));
+ error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+ if (error == 0)
+ error = copyout(&ifc, uifc, sizeof(ifc));
sbuf_delete(sb);
CURVNET_RESTORE();

7
share/security/patches/SA-12:08/linux.patch.asc Normal file
View file

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9
iEYEABECAAYFAlCutWMACgkQFdaIBMps37JOZQCdE0l9Djh4BQUR7EmtU4GLVfGl
4RcAnjbbX3c7i759WOQmSWrItD8NyI/g
=nWGE
-----END PGP SIGNATURE-----

20
share/xml/advisories.xml
View file

@ -7,6 +7,26 @@
<year>
<name>2012</name>
<month>
<name>11</name>
<day>
<name>22</name>
<advisory>
<name>FreeBSD-SA-12:08.bind</name>
</advisory>
<advisory>
<name>FreeBSD-SA-12:07.hostapd</name>
</advisory>
<advisory>
<name>FreeBSD-SA-12:06.bind</name>
</advisory>
</day>
</month>
<month>
<name>8</name>