Revised SA-16:37, addressing regressions from initial SA.
parent 366ff17d89
commit 2dd1eb304f
Notes (svn2git, 2020-12-08 03:00:23 +00:00): svn path=/head/; revision=49715
5 changed files with 130 additions and 54 deletions
@ -9,22 +9,27 @@ Topic: link_ntoa(3) buffer overflow

Category: core
Module: libc
Announced: 2016-12-06
Announced: 2016-12-06, revised on 2016-12-08
Affects: All supported versions of FreeBSD.
Corrected: 2016-12-06 18:53:21 UTC (stable/11, 11.0-STABLE)
2016-12-06 18:49:38 UTC (releng/11.0, 11.0-RELEASE-p4)
2016-12-06 18:53:46 UTC (stable/10, 10.3-STABLE)
2016-12-06 18:49:48 UTC (releng/10.3, 10.3-RELEASE-p13)
2016-12-06 18:49:54 UTC (releng/10.2, 10.2-RELEASE-p26)
2016-12-06 18:49:59 UTC (releng/10.1, 10.1-RELEASE-p43)
2016-12-06 18:54:04 UTC (stable/9, 9.3-STABLE)
2016-12-06 18:50:06 UTC (releng/9.3, 9.3-RELEASE-p51)
Corrected: 2016-12-07 23:19:46 UTC (stable/11, 11.0-STABLE)
2016-12-07 23:29:42 UTC (releng/11.0, 11.0-RELEASE-p5)
2016-12-07 23:20:26 UTC (stable/10, 10.3-STABLE)
2016-12-07 23:31:07 UTC (releng/10.3, 10.3-RELEASE-p14)
2016-12-07 23:32:42 UTC (releng/10.2, 10.2-RELEASE-p27)
2016-12-07 23:34:06 UTC (releng/10.1, 10.1-RELEASE-p44)
2016-12-07 23:20:50 UTC (stable/9, 9.3-STABLE)
2016-12-07 23:35:15 UTC (releng/9.3, 9.3-RELEASE-p52)
CVE Name: CVE-2016-6559

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0. Revision history.

v1.0 2016-12-06 Initial release.
v1.1 2016-12-08 Revised patches to address regressions.

I. Background

The link_ntoa(3) function generates ASCII representation of a link-level
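
Review bot: the v1.1 entry under "0. Revision history" says only "Revised patches to address regressions" and does not name them. libc-inc.patch in this commit changes the order in which the two hex digits of a byte are written and turns `rem++` into `rem--` in the single-digit branch, so the entry should say that the v1.0 patch produced wrong output and miscounted the remaining buffer space. That tells readers who applied v1.0 why they have to patch again.
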
@ -73,10 +78,21 @@ FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[*** v1.1 NOTE ***] If your sources are not yet patched using the initially
published patch, then you need to apply libc.patch. If your sources are
already updated, or patched with patch from the initial advisory, then you
need to apply the incremental patch, named libc-inc.patch.

[FreeBSD system, not patched with initial SA-16:37 patch]
# fetch https://security.FreeBSD.org/patches/SA-16:37/libc.patch
# fetch https://security.FreeBSD.org/patches/SA-16:37/libc.patch.asc
# gpg --verify libc.patch.asc

[FreeBSD system, initial SA-16:37 patch already applied]
# fetch https://security.FreeBSD.org/patches/SA-16:37/libc-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-16:37/libc-inc.patch.asc
# gpg --verify libc-inc.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
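
Review bot: the v1.1 NOTE asks readers to choose libc.patch or libc-inc.patch by whether the initial patch was applied, but gives no way to check that. A one-line test would help, for example looking in lib/libc/net/linkaddr.c for the `_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");` line, which libc.patch adds and libc-inc.patch expects as context. The note should also say plainly that only one of the two patches is to be applied.
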
@ -94,14 +110,14 @@ affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r309646
releng/9.3/ r309637
stable/10/ r309645
releng/10.1/ r309636
releng/10.2/ r309635
releng/10.3/ r309634
stable/11/ r309644
releng/11.0/ r309633
stable/9/ r309691
releng/9.3/ r309697
stable/10/ r309690
releng/10.1/ r309696
releng/10.2/ r309694
releng/10.3/ r309693
stable/11/ r309689
releng/11.0/ r309692
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
@ -118,22 +134,23 @@ VII. References

<URL:http://www.kb.cert.org/vuls/id/548487>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6559>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215105>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:37.libc.asc>
43 share/security/patches/SA-16:37/libc-inc.patch Normal file
@ -0,0 +1,43 @@
--- lib/libc/net/linkaddr.c.orig
+++ lib/libc/net/linkaddr.c
@@ -125,7 +125,7 @@
static char obuf[64];
_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
char *out;
- const char *in, *inlim;
+ const u_char *in, *inlim;
int namelen, i, rem;

namelen = (sdl->sdl_nlen <= IFNAMSIZ) ? sdl->sdl_nlen : IFNAMSIZ;
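
Review bot: the switch of `in` and `inlim` to `const u_char *` carries no explanation, and the reason is easy to lose in a later cleanup. Where plain `char` is signed, the `i = *in++;` read shown in libc.patch gives a negative `i` for any address byte of 0x80 or above, the `i > 0xf` test then fails, and `hexlist[i]` is indexed with a negative value. Add a short comment at the declaration saying the bytes must be read as unsigned, and a test case with an address byte such as 0xff.
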
@@ -142,11 +142,11 @@
}
}

- in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+ in = (const u_char *)sdl->sdl_data + sdl->sdl_nlen;
inlim = in + sdl->sdl_alen;

while (in < inlim && rem > 1) {
- if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
+ if (in != (const u_char *)sdl->sdl_data + sdl->sdl_nlen) {
*out++ = '.';
rem--;
}
@@ -154,15 +154,14 @@
if (i > 0xf) {
if (rem < 3)
break;
+ *out++ = hexlist[i >> 4];
*out++ = hexlist[i & 0xf];
- i >>= 4;
- *out++ = hexlist[i];
rem -= 2;
} else {
if (rem < 2)
break;
*out++ = hexlist[i];
- rem++;
+ rem--;
}
}
*out = 0;
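
Review bot: the `rem--` fix in the `else` branch needs a regression test beside it. With the old `rem++` the remaining-space counter grew on every byte of 0xf or below, so neither `rem > 1` in the loop condition nor `if (rem < 2)` could stop writes to `obuf` for an address made of such bytes. The same test should cover the digit order corrected in the `i > 0xf` branch (`hexlist[i >> 4]` before `hexlist[i & 0xf]`): format one address with bytes above 0xf and compare the string, then one with a large `sdl_alen` and every byte at or below 0xf and confirm the result stays within `sizeof(obuf)`.
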
16 share/security/patches/SA-16:37/libc-inc.patch.asc Normal file
@ -0,0 +1,16 @@
@ -8,7 +8,7 @@
#include <net/if_dl.h>
#include <string.h>

@@ -122,31 +123,47 @@
@@ -122,31 +123,46 @@
link_ntoa(const struct sockaddr_dl *sdl)
{
static char obuf[64];
@ -19,7 +19,7 @@
- int firsttime = 1;
+ _Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");
+ char *out;
+ const char *in, *inlim;
+ const u_char *in, *inlim;
+ int namelen, i, rem;

- if (sdl->sdl_nlen) {
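
Review bot: the `20` in `_Static_assert(sizeof(obuf) >= IFNAMSIZ + 20, "obuf is too small");` is a bare constant. Add a comment saying what those 20 bytes are reserved for, or derive the figure from named sizes, so that a later change to `obuf[64]` or to the output format is checked against the intended bound.
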
@ -44,31 +44,31 @@
- firsttime = 0;
- else
+
+ in = (const char *)sdl->sdl_data + sdl->sdl_nlen;
+ in = (const u_char *)sdl->sdl_data + sdl->sdl_nlen;
+ inlim = in + sdl->sdl_alen;
+
+ while (in < inlim && rem > 1) {
+ if (in != (const char *)sdl->sdl_data + sdl->sdl_nlen) {
+ if (in != (const u_char *)sdl->sdl_data + sdl->sdl_nlen) {
*out++ = '.';
+ rem--;
+ }
i = *in++;
if (i > 0xf) {
- out[1] = hexlist[i & 0xf];
+ if (rem < 3)
+ break;
+ *out++ = hexlist[i & 0xf];
i >>= 4;
- i >>= 4;
- out[0] = hexlist[i];
- out += 2;
- } else
*out++ = hexlist[i];
+ if (rem < 3)
+ break;
+ *out++ = hexlist[i >> 4];
+ *out++ = hexlist[i & 0xf];
+ rem -= 2;
+ } else {
+ if (rem < 2)
+ break;
+ *out++ = hexlist[i];
+ rem++;
*out++ = hexlist[i];
+ rem--;
+ }
}
*out = 0;
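
Review bot: silent truncation at the `if (rem < 3)` and `if (rem < 2)` breaks is undocumented. Both leave the loop and fall through to `*out = 0;`, so a link-level address that does not fit in `obuf` is returned shortened with nothing to tell the caller. Truncating is safer than overflowing, but link_ntoa(3) should document it, and a comment at the `break` statements should say the shortened result is intended.
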
@ -1,16 +1,16 @@