os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add SA-16:27-31.

Browse source
This commit is contained in:
Xin LI 2016-10-10 07:38:23 +00:00
parent c5eba003d3
commit 99ea0d28e6
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=49477
22 changed files with 9336 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

132
share/security/advisories/FreeBSD-SA-16:27.openssl.asc Normal file
View file

@ -0,0 +1,132 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:27.openssl Security Advisory
The FreeBSD Project
Topic: Regression in OpenSSL suite
Category: contrib
Module: openssl
Announced: 2016-10-10
Credits: OpenSSL Project
Affects: All supported versions of FreeBSD.
Corrected: 2016-09-26 14:30:19 UTC (stable/11, 11.0-STABLE)
2016-09-26 20:26:19 UTC (releng/11.0, 11.0-RELEASE-p1)
CVE Name: CVE-2016-7052
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
The OpenSSL version included in FreeBSD 11.0-RELEASE is 1.0.2i. The version
has bug fix for CVE-2016-7052, which should have included CRL sanity check,
but the check was omitted.
III. Impact
Any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer
exception.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart all daemons that use the library, or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all daemons that use the library, or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:27/openssl.patch
# fetch https://security.FreeBSD.org/patches/SA-16:27/openssl.patch.asc
# gpg --verify openssl.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r306343
releng/11.0/ r306354
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.openssl.org/news/secadv/20160926.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:27.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OlAAoJEO1n7NZdz2rnEPYQAOewieypFMknEi5Q02IBVhcC
Bs1sczFLXaSz+4c9lNRi+m6Q5TXbW0MM9ZhZDnoLOXZ9OZ7DsQ0OVJcmWPHCSTkT
WAlZgiB5B2xtZpLUNi0XAVPyegh+YxWCKa5mq/e4gC7BL+QhtTQqIlzsNylBDcI0
2Tp5fPfO3vIJlSwPpsUA2peYlm2c75/dusE0+bvWnqickWbEmFdCAd8rzTLrsm9R
w5essD2o6BzFPA9j+3X/LNaMI6ZKKa4EkaXXB42KHruDfNTV8dmYL/LLxWs6aj1f
Li++71GPh3aZZCA5SCo6NYdI25kg4xORZzqUmYzT856kdmpaemLd8oVT8/ojOCTX
CoNtA9yVphhYgfSGLy2BIs0u7U3H16SVjZ1oC5MjTAY6kUsEDt6x2vlKOt5452yN
3v2fHf9I8/ibgo4d4ovpGGzvrj/8EfodmDLhjYP5RcwZH4FW1jCUzXTflsYmPWMi
8+COC+K19MNIXR0M8ajs2M8z2ILc3pOUZ1sdrNhU1jEIyYCl8EDMEU0Bc13XlUKS
UE92RKfxIAMh+Zyu44++8UizfOorBVKhQVd+9NthMnfXW6xlnwujjbabam8k2E5V
Za4sBQ57JvL9aKrsbmB/hhVnxXE6jYqtp7tagXK+wwULO1SarpRp7HENd50ggH5l
yu2DM4rkIcwzTaJEdvyT
=5rNc
-----END PGP SIGNATURE-----

138
share/security/advisories/FreeBSD-SA-16:28.bind.asc Normal file
View file

@ -0,0 +1,138 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:28.bind Security Advisory
The FreeBSD Project
Topic: BIND remote Denial of Service vulnerability
Category: contrib
Module: bind
Announced: 2016-10-10
Credits: ISC
Affects: FreeBSD 9.x
Corrected: 2016-09-28 06:11:01 UTC (stable/9, 9.3-STABLE)
2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)
CVE Name: CVE-2016-2776
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
Testing by ISC has uncovered a critical error condition which can occur when
a nameserver is constructing a response. A defect in the rendering of
messages into packets can cause named to exit with an assertion failure in
buffer.c while constructing a response to a query that meets certain
criteria.
This assertion can be triggered even if the apparent source address is not
allowed to make queries (i.e. doesn't match 'allow-query'). [CVE-2016-2776]
III. Impact
A remote attacker who can send queries to a server running BIND can cause
the server to crash, resulting in a Denial of Service condition.
IV. Workaround
No workaround is available, but hosts not running named(8) are not
vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The named service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The named service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:28/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:28/bind.patch.asc
# gpg --verify bind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the named service, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r306394
releng/9.3/ r306942
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://kb.isc.org/article/AA-01419>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:28.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OlAAoJEO1n7NZdz2rnt/cQAJJ/P9/cNH4mB3Oq9kks1TJI
thye1Bmd6BAS16UYj+S2POSkrwkTJLhg/Rtch/4O1TUJ7q86Dko/0nciF/4Qin/J
LrNhX2TUUTpQygfWdzTqdk9EiHLKT46sNh1Two4Lb9gMuBulES9Fy40gj8y81ypv
uys05i6DMAlY/EsmidTHFKUGGC9160XLS7wFWnlw9XglDHn2+pIDALHl77mmoXwR
VKiCbGO6IybDV5bATh12eflCSb+IJRT0MMOwJAt3Nhzp//7t2tf+izazzfs43IH4
HRkiDfkkxqAMus6h0Dm4xR91oe/oSzlEedKFM3ctHfQqyIi+AP0FKixf8pS72n7o
M0W5vIbkMSuTsiOTzyQUJpQ3tExvWeZjhNZj9U5trs2YNdPCRaM3pETUdF6GZmNC
tnPiTZFst3ARsy/4oJg8Eeo/cyrd/sfPm4fXCbXkakL7ml/Mu+/KEyq5qw43FIXn
96/btRfHsPSpy74KRtLsqSM29eCK9puGhJIk1iBtuhuTvze/48Od7U5zWOjn8XiS
o4oOyCtm3nQfB8VIzfypFAIUFFOqfHmsfP3s51J9tUXjxvORO3UWD3/R2wXLre2Y
Z5+s7IUhesunZztGtaUFCqG28KCrzmSiIVXGRd/IsQCuTJ4DNiUFZofKYdI0B7fE
hrSETFwDg/OYusZ5/96D
=v9vM
-----END PGP SIGNATURE-----

146
share/security/advisories/FreeBSD-SA-16:29.bspatch.asc Normal file
View file

@ -0,0 +1,146 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:29.bspatch Security Advisory
The FreeBSD Project
Topic: Heap overflow vulnerability in bspatch
Category: core
Module: bsdiff
Announced: 2016-10-10
Affects: All supported versions of FreeBSD.
2016-09-22 21:05:21 UTC (stable/11, 11.0-STABLE)
2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1)
2016-09-22 21:16:54 UTC (stable/10, 10.3-STABLE)
2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
2016-09-23 01:52:06 UTC (stable/9, 9.3-STABLE)
2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The bspatch utility generates newfile from oldfile and patchfile where
patchfile is a binary patch built by bsdiff(1).
II. Problem Description
The implementation of bspatch is susceptible to integer overflows with
carefully crafted input, potentially allowing an attacker who can control
the patch file to write at arbitrary locations in the heap. This issue
was partially addressed in FreeBSD-SA-16:25.bspatch, but some possible
integer overflows remained.
III. Impact
An attacker who can control the patch file can cause a crash or run arbitrary
code under the credentials of the user who runs bspatch, in many cases, root.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No reboot is needed.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.
Because this vulnerability exists in bspatch, a component used by
freebsd-update, a special procedure must be followed to safely update.
First, truncate bspatch to a zero byte file:
# :> /usr/bin/bspatch
FreeBSD-update will fall back to replacing bspatch, rather than applying
a binary patch. Proceed with FreeBSD-update as usual:
# freebsd-update fetch
# freebsd-update install
No reboot is needed.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:29/bspatch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:29/bspatch.patch.asc
# gpg --verify bspatch.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r306222
releng/9.3/ r306942
stable/10/ r306215
releng/10.1/ r306941
releng/10.2/ r306941
releng/10.3/ r306941
stable/11/ r306213
releng/11.0/ r306379
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:29.bspatch.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OmAAoJEO1n7NZdz2rnMHQQALyzQ6rIFLMV+qfIKr/dxUmv
frrY3rE8GbHNI6UYnlB7T97SZBVG2lOGpUO7sGNzsqAol+aBEn44mX88ijCQk+mc
pIHcbwACkAG6u5c6nyelHAa3ZLc8PkPbNaryjfc9Y0vZxGFKI5ETpdN1nFxUBKRA
eGt4h4GW3ZxHTkc3DDogDM6kBds3DYAnQjnqvkH6QesM/cMIdnU2NMjIrYDdtcsJ
Mp92PqRl8/qCZxcpfoHSl3S190Dmu9KNjEwXdk8gvtr7aTe/OG9fcIOAwIJHMi/n
E3tojTrSGLl0v9yuznG8rU0Hr6VyFNRv9i5QhPEQF4ZQ0HT2/naV0v/THMB1JdeR
8rszvO8HIdYkKEYPEp4RZ+QWJX36xK0ZOA0BSF3+OW6VYMIEB+iMvK1xAlGWmyJq
D6f5AQuw559o4MNZ9gh1tXl+PXjYHvwSOrHb1EZ7mDZ3zVarn8TwUjxaE2ILIhjW
wS+wqbxZt1eENfKbhLHxSavIE+Bi59ab/iymmOFtFdgDDDpQhzx13MUFM17v270g
1OCXnx7HLMIr5ibndJBQbjPmZT0InMM9856Hij8UhcFjyFpytCJie7sVcDFG9nNp
z3VXrSIdEIA5MwaD6MYGW8nUfBwQnD/rSh6t2Tt4qz24FPk9K9pbzpb8CDIOImiF
GnLZXJQlgmJ55XOa0EgR
=uRNW
-----END PGP SIGNATURE-----

149
share/security/advisories/FreeBSD-SA-16:30.portsnap.asc Normal file
View file

@ -0,0 +1,149 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:30.portsnap Security Advisory
The FreeBSD Project
Topic: Multiple portsnap vulnerabilities
Category: core
Module: portsnap
Announced: 2016-10-10
Affects: All supported versions of FreeBSD.
Corrected: 2016-09-28 21:33:35 UTC (stable/11, 11.0-STABLE)
2016-09-28 22:04:07 UTC (releng/11.0, 11.0-RELEASE-p1)
2016-10-05 00:33:06 UTC (stable/10, 10.3-STABLE)
2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
2016-10-05 01:01:10 UTC (stable/9, 9.3-STABLE)
2016-10-10 07:19:16 UTC (releng/9.3, 9.3-RELEASE-p48)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The portsnap utility is used to fetch and update compressed snapshots of
the FreeBSD ports tree. Portsnap fetches snapshots and updates over http,
and then cryptographically verifies the downloaded files.
II. Problem Description
Flaws in portsnap's verification of downloaded tar files allows additional
files to be included without causing the verification to fail. Portsnap may
then use or execute these files.
III. Impact
An attacker who can conduct man in the middle attack on the network at the
time when portsnap is run can cause portsnap to execute arbitrary commands
under the credentials of the user who runs portsnap, typically root.
IV. Workaround
The ports tree may be obtained by methods other than portsnap, as
described in the FreeBSD handbook.
V. Solution
portsnap has been modified to explicitly validate compressed files within
the tar file by full name, rather than relying on gunzip's filename search
logic. portsnap now verifies that snapshots contain only the expected files.
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No reboot is needed.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.
This advisory is released concurrently with FreeBSD-SA-16:29.bspatch
which contains special instructions for using freebsd-update. Following
the instructions in that advisory will safely apply updates for
FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and
FreeBSD-SA-16:31.libarchive.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-10.patch.asc
# gpg --verify portsnap-10.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:30/portsnap-9.3.patch.asc
# gpg --verify portsnap-9.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r306701
releng/9.3/ r306942
stable/10/ r306697
releng/10.1/ r306941
releng/10.2/ r306941
releng/10.3/ r306941
stable/11/ r306418
releng/11.0/ r306419
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:30.portsnap.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OqAAoJEO1n7NZdz2rns54P/3N6V4ZGWZ8jXDSw7KPRhF16
gUs2AQx+rL+o5rOVsMZ6DulVtFP+AzUvEsLIJeARdaOJar9St1cQVTZHa+8CtWr5
aCSgx5r39srcvvMuQ34z0yss7eEkHRubzkIzrjHcD6MweFg4tAIufXHgxmhNVuKp
QOQCwUbWIp8MssNbd/nYr1fpNoEvhkuzEv+EsvU+gTXeYNbHDS8zN/XC1a4167Q9
flFCqVn45ZpYR+2ifeLv0s+Rj4MQdnaCUYPpt1JoY5pIr/1GbNuywam9YgUQJZ7o
gbY+S9Un0aByEOmPgD2e6qb8qhQFtaJgAbhB51dsI/qpZUljQKERmV1vd78drqWB
1gss/MFe5oyxZ5IbmHLBabIcKvvtH72gSaD8Zp973TbD72usjC/ZfdkukNBlWkbm
M4PFTK+VQA1y5c8R2RduVoz3ioaBtRisxqqGOi0i3AUgiWx6IeP9jkIana28dGtJ
Mkm4ZiWBj12lT5B+gafpy7+bLkbYl2sEFYIt+YUlJ1GqAumyDnnmYt5rDhZwMLFo
7ywCpCwtoBc49sCV7szV4MdFw0Zmo8tT0uiWBehferN1SHygKVNGnXIj+NotRXx0
mp0j7pgK4AcML2y7pJLEUwyWUKE5tBkPKmHg+4ELhqPb0mjm+A+KHX/8vXxlPpRJ
2yVhfIubEhECQJeJKAqm
=y+kG
-----END PGP SIGNATURE-----

136
share/security/advisories/FreeBSD-SA-16:31.libarchive.asc Normal file
View file

@ -0,0 +1,136 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:31.libarchive Security Advisory
The FreeBSD Project
Topic: Multiple libarchive vulnerabilities
Category: core
Module: portsnap
Announced: 2016-10-05
Affects: All supported versions of FreeBSD.
Corrected: 2016-09-25 22:02:27 UTC (stable/11, 11.0-STABLE)
2016-09-27 19:36:12 UTC (releng/11.0, 11.0-RELEASE-p1)
2016-09-25 22:04:02 UTC (stable/10, 10.3-STABLE)
2016-10-10 07:18:54 UTC (releng/10.3, 10.3-RELEASE-p10)
2016-10-10 07:18:54 UTC (releng/10.2, 10.2-RELEASE-p23)
2016-10-10 07:18:54 UTC (releng/10.1, 10.1-RELEASE-p40)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The libarchive(3) library provides a flexible interface for reading and
writing streaming archive files such as tar(1) and cpio(1), and has been the
basis for the FreeBSD implementation of the tar(1) and cpio(1) utilities
since FreeBSD 5.3.
II. Problem Description
Flaws in libarchive's handling of symlinks and hard links allow overwriting
files outside the extraction directory, or permission changes to a directory
outside the extraction directory.
III. Impact
An attacker who can control freebsd-update's or portsnap's input to tar can
change file content or permisssions on files outside of the update tool's
working sandbox.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No reboot is needed.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility.
This advisory is released concurrently with FreeBSD-SA-16:29.bspatch
which contains special instructions for using freebsd-update. Following
the instructions in that advisory will safely apply updates for
FreeBSD-SA-16:29.bspatch, FreeBSD-SA-16:30.portsnap, and
FreeBSD-SA-16:31.libarchive.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch
# fetch https://security.FreeBSD.org/patches/SA-16:31/libarchive.patch.asc
# gpg --verify libarchive.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r306322
releng/10.1/ r306941
releng/10.2/ r306941
releng/10.3/ r306941
stable/11/ r306321
releng/11.0/ r306379
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f>
<URL:https://github.com/libarchive/libarchive/issues/743>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:31.libarchive.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX+0OrAAoJEO1n7NZdz2rnkaAP/i5Njok8Lg3ogwRGVo/HVQfA
AzRz2oQ5oAuwZhmpkQ3CzHArRsaTGuKK5C1SNJpmEDuq5XM2u5Td2ph/R5ry0fwF
7B58Ci+o7ngRWtJ/N8dYk3cXfg0sjPZKDO1otIyfh8HF3UAq5uB3/w/8UFOpqcxQ
guMKahd/r9PnfrD8GtS+t/2V+KHInNH0J4YD/+hoqcdZPzMKtlE5D5OjqOov9rVn
myQwAuN+w2buPj2gXSuubq5wTNFOvj8u06mVpRj+0X0VoybdN5cohuqSx7s4vlw+
/qV7gT2993aijXp43dGGSUeuGl1ZbrKp233vntkIYrsjJzaw56YMHL3ushopGGhj
OfC/ilXmsUjrlHgCrWpMiTuN7cdWDXrpMnaf4c99yMxdYUuRtbbnVthdOpZB8iOt
7xeVnvHiYTYbQu+4xy4SPOWqPLOnrbwVqIocXU1QjWJice5A3EU/mSAd2IpX04a2
prdlaGxBNZlziLgzsZoiER+5u0S3owbx7y2SVhMEslHyrRQ92X7SZjfu4NrvlX5k
Dw6xjpHD51pshj4GXTPuznbCyd8246u1fRnH3fnlNLhz5/XhrYbG+OVQ9WDbnX2C
6SzS/oOcjA9qcq1+Ghmz6G7S2MuWZ0XcKfzV0ygX2RZEhU1p0rZfsF/2cGrKIGY1
JguXI1tZdrjfSZisAI+l
=vqSJ
-----END PGP SIGNATURE-----

4151
share/security/patches/SA-16:27/openssl.patch Normal file
View file

File diff suppressed because it is too large Load diff

17
share/security/patches/SA-16:27/openssl.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAABCgAGBQJX+0PkAAoJEO1n7NZdz2rnOOwQAOezEOJdnLrlHHKfQhX2MZ2x
GL8VmX3mIzWUBt8nU/aS1ApM/l5Oiiiw0qGmO0PbjDKzEsrnzoudAlOXYA6S42GX
koFAFhGtdza1hfzEUfqCit6yzK+JlSLBFXnezmZzUmM/RipJig6mJGbbrh3avxPL
sAvbe893bQ/5zOu72KdK4CrfpNgeGC4vGvVuTag24rNjRS/X9FTxt1Dg+snvXaec
IZfp/ar8ZAdWGQzmkLbSl0Ac3x5WWh7I9TSs0a+o9fMK36jgor7lMzTLMrkJ8Jh1
IqrWktNL5BDOyAROHEmdhbQiXNeRljJTGrg9Fkjacmj7PqrjbVNzwqCCqmn1Dr1I
9u3++EOJf4AK6cKZ2dAqhbxoKB+q4N6SDiSnm5Gspr/et6LJqlsEiaf+8evVpvRY
jnhdykgf5dgmwMl39FWM4+4Yy8R0XusmlHhh6fiivaAidUhzExsfokGndzhF6nYc
Dys/hVhi3GGg1QejCNck/yHH8ikVEuUFq2pObpDDObS771QQ/wJ6HtHhXMxEsHjg
aXLLmpPrP1ZHrRkcdS5xFeRDgmlGJe+Yoxsw4aqJPsj/kfjIZzeIyD6yfFYsnZzj
R+x1ZuVbb8OkKvm1fhZojEzWROL6dcT4CYUahqLaxn2G5bzht1HSaehOy7/0EOHR
HQw0gDrKNjf/vCtN4v9a
=5Xq6
-----END PGP SIGNATURE-----

87
share/security/patches/SA-16:28/bind.patch Normal file
View file

@ -0,0 +1,87 @@
--- contrib/bind9/lib/dns/message.c.orig
+++ contrib/bind9/lib/dns/message.c
@@ -1736,7 +1736,7 @@
if (r.length < DNS_MESSAGE_HEADERLEN)
return (ISC_R_NOSPACE);
- if (r.length < msg->reserved)
+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
return (ISC_R_NOSPACE);
/*
@@ -1863,8 +1863,29 @@
return (ISC_TRUE);
}
+#endif
-#endif
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+ dns_compress_t *cctx, isc_buffer_t *target,
+ unsigned int reserved, unsigned int options, unsigned int *countp)
+{
+ isc_result_t result;
+
+ /*
+ * Shrink the space in the buffer by the reserved amount.
+ */
+ if (target->length - target->used < reserved)
+ return (ISC_R_NOSPACE);
+
+ target->length -= reserved;
+ result = dns_rdataset_towire(rdataset, owner_name,
+ cctx, target, options, countp);
+ target->length += reserved;
+
+ return (result);
+}
+
isc_result_t
dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
unsigned int options)
@@ -1907,6 +1928,8 @@
/*
* Shrink the space in the buffer by the reserved amount.
*/
+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
+ return (ISC_R_NOSPACE);
msg->buffer->length -= msg->reserved;
total = 0;
@@ -2183,9 +2206,8 @@
* Render.
*/
count = 0;
- result = dns_rdataset_towire(msg->opt, dns_rootname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->opt, dns_rootname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
@@ -2201,9 +2223,8 @@
if (result != ISC_R_SUCCESS)
return (result);
count = 0;
- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
@@ -2224,9 +2245,8 @@
* the owner name of a SIG(0) is irrelevant, and will not
* be set in a message being rendered.
*/
- result = dns_rdataset_towire(msg->sig0, dns_rootname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);

17
share/security/patches/SA-16:28/bind.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAABCgAGBQJX+0PkAAoJEO1n7NZdz2rnQp4QAM0ewaa+/Uf9DtsxfNFBG7B3
FGwAQsn6147M1+Et1FFtHonjnnzYb+bN+xEHGDLS5R7kLxDgdzWdF/+VlM1iTex9
gwdJ9PHctHKh++mw6iI4CSZDPHIg+4YmuY6liUDVlQthetOdh8mIHrOO9EBOkQZ9
yk37YWSFmJEKfLYOOSp8/c7ukf56YW3Z7KWVSjxftx7Ct4WJVVL0nc6YDly0/IoS
3RhGPdT/fkqYVewHolCkp9+oVMiQaOJIqUCpE8oaRMRrRjUHG457RoyEVM0y2SwC
ptjAvimClV0qv6hzXY/D4Y4UV5MCTreJVESkZECNF5UB20jhdPLR2gwC1NQNb0+w
3W1AabWMIv/OyqfFy4ZWIaEKaza8iVQruJZdq/ZPItSiszRqJ9vVReI8rIaEPtRI
ZVhPO4YOozwQE/kQrYQL5MJe2uV+grnmN/1wDCMqUBBi/9/YnRFFpf876Q4lS9xM
D2d4PqelPUJ+C+K4P/750Jiv4K4DXuR1zliwshmofeNKS1/KkqGm7E4jp0JoCSQa
udlSQ4Y5D/84Wcevi3GXXuAK55I0WOfB5XgSMpAFVgKeEKSYDaU93olNOqxikMwC
vV5GX6RgTRri3pjhGoxFvp1EcuihUCmjGMcUJy1lPg8QQpf1KTiQ24acse5CV+nr
YBtiOueAyfcGtkaTWCty
=Daic
-----END PGP SIGNATURE-----

325
share/security/patches/SA-16:29/bspatch.patch Normal file
View file

@ -0,0 +1,325 @@
--- usr.bin/bsdiff/bspatch/bspatch.c.orig
+++ usr.bin/bsdiff/bspatch/bspatch.c
@@ -27,56 +27,133 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#if defined(__FreeBSD__)
+#include <sys/param.h>
+#if __FreeBSD_version >= 1001511
+#include <sys/capsicum.h>
+#define HAVE_CAPSICUM
+#endif
+#endif
+
#include <bzlib.h>
-#include <stdlib.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <libgen.h>
+#include <limits.h>
+#include <stdint.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
-#include <err.h>
#include <unistd.h>
-#include <fcntl.h>
#ifndef O_BINARY
#define O_BINARY 0
#endif
+#define HEADER_SIZE 32
+
+static char *newfile;
+static int dirfd = -1;
+
+static void
+exit_cleanup(void)
+{
+
+ if (dirfd != -1 && newfile != NULL)
+ if (unlinkat(dirfd, newfile, 0))
+ warn("unlinkat");
+}
static off_t offtin(u_char *buf)
{
off_t y;
- y=buf[7]&0x7F;
- y=y*256;y+=buf[6];
- y=y*256;y+=buf[5];
- y=y*256;y+=buf[4];
- y=y*256;y+=buf[3];
- y=y*256;y+=buf[2];
- y=y*256;y+=buf[1];
- y=y*256;y+=buf[0];
+ y = buf[7] & 0x7F;
+ y = y * 256; y += buf[6];
+ y = y * 256; y += buf[5];
+ y = y * 256; y += buf[4];
+ y = y * 256; y += buf[3];
+ y = y * 256; y += buf[2];
+ y = y * 256; y += buf[1];
+ y = y * 256; y += buf[0];
- if(buf[7]&0x80) y=-y;
+ if (buf[7] & 0x80)
+ y = -y;
- return y;
+ return (y);
}
-int main(int argc,char * argv[])
+int main(int argc, char *argv[])
{
- FILE * f, * cpf, * dpf, * epf;
- BZFILE * cpfbz2, * dpfbz2, * epfbz2;
+ FILE *f, *cpf, *dpf, *epf;
+ BZFILE *cpfbz2, *dpfbz2, *epfbz2;
+ char *directory, *namebuf;
int cbz2err, dbz2err, ebz2err;
- int fd;
- ssize_t oldsize,newsize;
- ssize_t bzctrllen,bzdatalen;
- u_char header[32],buf[8];
+ int newfd, oldfd;
+ off_t oldsize, newsize;
+ off_t bzctrllen, bzdatalen;
+ u_char header[HEADER_SIZE], buf[8];
u_char *old, *new;
- off_t oldpos,newpos;
+ off_t oldpos, newpos;
off_t ctrl[3];
- off_t lenread;
- off_t i;
+ off_t i, lenread, offset;
+#ifdef HAVE_CAPSICUM
+ cap_rights_t rights_dir, rights_ro, rights_wr;
+#endif
if(argc!=4) errx(1,"usage: %s oldfile newfile patchfile\n",argv[0]);
/* Open patch file */
if ((f = fopen(argv[3], "rb")) == NULL)
err(1, "fopen(%s)", argv[3]);
+ /* Open patch file for control block */
+ if ((cpf = fopen(argv[3], "rb")) == NULL)
+ err(1, "fopen(%s)", argv[3]);
+ /* open patch file for diff block */
+ if ((dpf = fopen(argv[3], "rb")) == NULL)
+ err(1, "fopen(%s)", argv[3]);
+ /* open patch file for extra block */
+ if ((epf = fopen(argv[3], "rb")) == NULL)
+ err(1, "fopen(%s)", argv[3]);
+ /* open oldfile */
+ if ((oldfd = open(argv[1], O_RDONLY | O_BINARY, 0)) < 0)
+ err(1, "open(%s)", argv[1]);
+ /* open directory where we'll write newfile */
+ if ((namebuf = strdup(argv[2])) == NULL ||
+ (directory = dirname(namebuf)) == NULL ||
+ (dirfd = open(directory, O_DIRECTORY)) < 0)
+ err(1, "open %s", argv[2]);
+ free(namebuf);
+ if ((newfile = basename(argv[2])) == NULL)
+ err(1, "basename");
+ /* open newfile */
+ if ((newfd = openat(dirfd, newfile,
+ O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, 0666)) < 0)
+ err(1, "open(%s)", argv[2]);
+ atexit(exit_cleanup);
+
+#ifdef HAVE_CAPSICUM
+ if (cap_enter() < 0) {
+ /* Failed to sandbox, fatal if CAPABILITY_MODE enabled */
+ if (errno != ENOSYS)
+ err(1, "failed to enter security sandbox");
+ } else {
+ /* Capsicum Available */
+ cap_rights_init(&rights_ro, CAP_READ, CAP_FSTAT, CAP_SEEK);
+ cap_rights_init(&rights_wr, CAP_WRITE);
+ cap_rights_init(&rights_dir, CAP_UNLINKAT);
+
+ if (cap_rights_limit(fileno(f), &rights_ro) < 0 ||
+ cap_rights_limit(fileno(cpf), &rights_ro) < 0 ||
+ cap_rights_limit(fileno(dpf), &rights_ro) < 0 ||
+ cap_rights_limit(fileno(epf), &rights_ro) < 0 ||
+ cap_rights_limit(oldfd, &rights_ro) < 0 ||
+ cap_rights_limit(newfd, &rights_wr) < 0 ||
+ cap_rights_limit(dirfd, &rights_dir) < 0)
+ err(1, "cap_rights_limit() failed, could not restrict"
+ " capabilities");
+ }
+#endif
/*
File format:
@@ -93,99 +170,99 @@
*/
/* Read header */
- if (fread(header, 1, 32, f) < 32) {
+ if (fread(header, 1, HEADER_SIZE, f) < HEADER_SIZE) {
if (feof(f))
- errx(1, "Corrupt patch\n");
+ errx(1, "Corrupt patch");
err(1, "fread(%s)", argv[3]);
}
/* Check for appropriate magic */
if (memcmp(header, "BSDIFF40", 8) != 0)
- errx(1, "Corrupt patch\n");
+ errx(1, "Corrupt patch");
/* Read lengths from header */
- bzctrllen=offtin(header+8);
- bzdatalen=offtin(header+16);
- newsize=offtin(header+24);
- if((bzctrllen<0) || (bzdatalen<0) || (newsize<0))
- errx(1,"Corrupt patch\n");
+ bzctrllen = offtin(header + 8);
+ bzdatalen = offtin(header + 16);
+ newsize = offtin(header + 24);
+ if (bzctrllen < 0 || bzctrllen > OFF_MAX - HEADER_SIZE ||
+ bzdatalen < 0 || bzctrllen + HEADER_SIZE > OFF_MAX - bzdatalen ||
+ newsize < 0 || newsize > SSIZE_MAX)
+ errx(1, "Corrupt patch");
/* Close patch file and re-open it via libbzip2 at the right places */
if (fclose(f))
err(1, "fclose(%s)", argv[3]);
- if ((cpf = fopen(argv[3], "rb")) == NULL)
- err(1, "fopen(%s)", argv[3]);
- if (fseeko(cpf, 32, SEEK_SET))
- err(1, "fseeko(%s, %lld)", argv[3],
- (long long)32);
+ offset = HEADER_SIZE;
+ if (fseeko(cpf, offset, SEEK_SET))
+ err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
if ((cpfbz2 = BZ2_bzReadOpen(&cbz2err, cpf, 0, 0, NULL, 0)) == NULL)
errx(1, "BZ2_bzReadOpen, bz2err = %d", cbz2err);
- if ((dpf = fopen(argv[3], "rb")) == NULL)
- err(1, "fopen(%s)", argv[3]);
- if (fseeko(dpf, 32 + bzctrllen, SEEK_SET))
- err(1, "fseeko(%s, %lld)", argv[3],
- (long long)(32 + bzctrllen));
+ offset += bzctrllen;
+ if (fseeko(dpf, offset, SEEK_SET))
+ err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
if ((dpfbz2 = BZ2_bzReadOpen(&dbz2err, dpf, 0, 0, NULL, 0)) == NULL)
errx(1, "BZ2_bzReadOpen, bz2err = %d", dbz2err);
- if ((epf = fopen(argv[3], "rb")) == NULL)
- err(1, "fopen(%s)", argv[3]);
- if (fseeko(epf, 32 + bzctrllen + bzdatalen, SEEK_SET))
- err(1, "fseeko(%s, %lld)", argv[3],
- (long long)(32 + bzctrllen + bzdatalen));
+ offset += bzdatalen;
+ if (fseeko(epf, offset, SEEK_SET))
+ err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
if ((epfbz2 = BZ2_bzReadOpen(&ebz2err, epf, 0, 0, NULL, 0)) == NULL)
errx(1, "BZ2_bzReadOpen, bz2err = %d", ebz2err);
- if(((fd=open(argv[1],O_RDONLY|O_BINARY,0))<0) ||
- ((oldsize=lseek(fd,0,SEEK_END))==-1) ||
- ((old=malloc(oldsize+1))==NULL) ||
- (lseek(fd,0,SEEK_SET)!=0) ||
- (read(fd,old,oldsize)!=oldsize) ||
- (close(fd)==-1)) err(1,"%s",argv[1]);
- if((new=malloc(newsize+1))==NULL) err(1,NULL);
+ if ((oldsize = lseek(oldfd, 0, SEEK_END)) == -1 ||
+ oldsize > SSIZE_MAX ||
+ (old = malloc(oldsize)) == NULL ||
+ lseek(oldfd, 0, SEEK_SET) != 0 ||
+ read(oldfd, old, oldsize) != oldsize ||
+ close(oldfd) == -1)
+ err(1, "%s", argv[1]);
+ if ((new = malloc(newsize)) == NULL)
+ err(1, NULL);
- oldpos=0;newpos=0;
- while(newpos<newsize) {
+ oldpos = 0;
+ newpos = 0;
+ while (newpos < newsize) {
/* Read control data */
- for(i=0;i<=2;i++) {
+ for (i = 0; i <= 2; i++) {
lenread = BZ2_bzRead(&cbz2err, cpfbz2, buf, 8);
if ((lenread < 8) || ((cbz2err != BZ_OK) &&
(cbz2err != BZ_STREAM_END)))
- errx(1, "Corrupt patch\n");
- ctrl[i]=offtin(buf);
+ errx(1, "Corrupt patch");
+ ctrl[i] = offtin(buf);
};
/* Sanity-check */
- if ((ctrl[0] < 0) || (ctrl[1] < 0))
- errx(1,"Corrupt patch\n");
+ if (ctrl[0] < 0 || ctrl[0] > INT_MAX ||
+ ctrl[1] < 0 || ctrl[1] > INT_MAX)
+ errx(1, "Corrupt patch");
/* Sanity-check */
- if(newpos+ctrl[0]>newsize)
- errx(1,"Corrupt patch\n");
+ if (newpos + ctrl[0] > newsize)
+ errx(1, "Corrupt patch");
/* Read diff string */
lenread = BZ2_bzRead(&dbz2err, dpfbz2, new + newpos, ctrl[0]);
if ((lenread < ctrl[0]) ||
((dbz2err != BZ_OK) && (dbz2err != BZ_STREAM_END)))
- errx(1, "Corrupt patch\n");
+ errx(1, "Corrupt patch");
/* Add old data to diff string */
- for(i=0;i<ctrl[0];i++)
- if((oldpos+i>=0) && (oldpos+i<oldsize))
- new[newpos+i]+=old[oldpos+i];
+ for (i = 0; i < ctrl[0]; i++)
+ if ((oldpos + i >= 0) && (oldpos + i < oldsize))
+ new[newpos + i] += old[oldpos + i];
/* Adjust pointers */
- newpos+=ctrl[0];
- oldpos+=ctrl[0];
+ newpos += ctrl[0];
+ oldpos += ctrl[0];
/* Sanity-check */
- if(newpos+ctrl[1]>newsize)
- errx(1,"Corrupt patch\n");
+ if (newpos + ctrl[1] > newsize)
+ errx(1, "Corrupt patch");
/* Read extra string */
lenread = BZ2_bzRead(&ebz2err, epfbz2, new + newpos, ctrl[1]);
if ((lenread < ctrl[1]) ||
((ebz2err != BZ_OK) && (ebz2err != BZ_STREAM_END)))
- errx(1, "Corrupt patch\n");
+ errx(1, "Corrupt patch");
/* Adjust pointers */
newpos+=ctrl[1];
@@ -200,12 +277,13 @@
err(1, "fclose(%s)", argv[3]);
/* Write the new file */
- if(((fd=open(argv[2],O_CREAT|O_TRUNC|O_WRONLY|O_BINARY,0666))<0) ||
- (write(fd,new,newsize)!=newsize) || (close(fd)==-1))
- err(1,"%s",argv[2]);
+ if (write(newfd, new, newsize) != newsize || close(newfd) == -1)
+ err(1, "%s", argv[2]);
+ /* Disable atexit cleanup */
+ newfile = NULL;
free(new);
free(old);
- return 0;
+ return (0);
}

17
share/security/patches/SA-16:29/bspatch.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAABCgAGBQJX+0PlAAoJEO1n7NZdz2rnfh4QAIXvMutg0RNWQ0nrxUC2l8D9
0Ul2EMzk764Cq8qsFbKtecxxrzGf8EF90KxWMJTi+n2OdEvZleRP0ZwZP/6LHKR+
79p+ZHJ+KAafF1JQ0B7hEBQHMN4VG9tD58xrQYpNaxzRw7bGBWEQignOzGYJf0GA
xF1KEgOcN1YwdfV6IuwHC3qKLpG0LsVItr3Pk8qOxPKKUB2X19rXqyZxy4vI9Rbd
v4E3hdIG/ltjGfd/+hg/d6tajtzoMsaWQVOPYHyR1WsUIf5cRhX4Kxf0s59xKgtK
hxIpGcJ+HpdEDJQJxjjPZmeM1duU9K7LjSfCB2W6Ss/IMwwcPeRUiwDAlbmX3Iui
149kLuKCMMoGqem50f0rUHqT6OaSj9QCz64NatGaCtmj7jpKPWKx0DmtnYcDrwLS
/QnYqqlCYKQDhgxKMwvBIhFh5KNO67tOJ5JU94/x+q8JSluO4TXq/JBOd3x7Gx1J
GKlyRL/NRACq0OFBDIavUBicd2mlV7MvX2GkUUFQ+xoFIr2gtZWjOd8uc5M9VTcs
9hJHg8EV6+0+r+X5kbGD7Ysp/Ane/H/0zsipQOmH792xtUv4+BYY7HGtOU+mHo/n
9ArqhJCgoW4kryKo3N91gdRfpmRz1CU6Ug/OaNtu3+gDZ1DpqVzrt0ZcBq6cWJSP
muRFMZb83H5gn9orwr7w
=plb5
-----END PGP SIGNATURE-----

49
share/security/patches/SA-16:30/portsnap-10.patch Normal file
View file

@ -0,0 +1,49 @@
--- usr.sbin/portsnap/portsnap/portsnap.sh.orig
+++ usr.sbin/portsnap/portsnap/portsnap.sh
@@ -646,7 +646,7 @@
# Verify a list of files
fetch_snapshot_verify() {
while read F; do
- if [ "`gunzip -c snap/${F} | ${SHA256} -q`" != ${F} ]; then
+ if [ "`gunzip -c < snap/${F}.gz | ${SHA256} -q`" != ${F} ]; then
echo "snapshot corrupt."
return 1
fi
@@ -681,11 +681,18 @@
cut -f 2 -d '|' tINDEX.new | fetch_snapshot_verify || return 1
# Extract the index
rm -f INDEX.new
- gunzip -c snap/`look INDEX tINDEX.new |
+ gunzip -c < snap/`look INDEX tINDEX.new |
cut -f 2 -d '|'`.gz > INDEX.new
fetch_index_sanity || return 1
# Verify the snapshot contents
cut -f 2 -d '|' INDEX.new | fetch_snapshot_verify || return 1
+ cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u > files.expected
+ find snap -mindepth 1 | sed -E 's^snap/(.*)\.gz^\1^' | sort > files.snap
+ if ! cmp -s files.expected files.snap; then
+ echo "unexpected files in snapshot."
+ return 1
+ fi
+ rm files.expected files.snap
echo "done."
# Move files into their proper locations
@@ -777,7 +784,7 @@
# Extract the index
echo -n "Extracting index... " 1>${QUIETREDIR}
- gunzip -c files/`look INDEX tINDEX.new |
+ gunzip -c < files/`look INDEX tINDEX.new |
cut -f 2 -d '|'`.gz > INDEX.new
fetch_index_sanity || return 1
@@ -897,7 +904,7 @@
echo -n "$1 not provided by portsnap server; "
echo "$2 not being generated."
else
- gunzip -c "${WORKDIR}/files/`look $1 ${WORKDIR}/tINDEX |
+ gunzip -c < "${WORKDIR}/files/`look $1 ${WORKDIR}/tINDEX |
cut -f 2 -d '|'`.gz" |
cat - ${LOCALDESC} |
${MKINDEX} /dev/stdin > ${PORTSDIR}/$2

17
share/security/patches/SA-16:30/portsnap-10.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAABCgAGBQJX+0PlAAoJEO1n7NZdz2rn9XUP/iaVbNjwpbtZVxtTIlEHFvgH
BK1Pn4DEuXKWfL00kMAUr/fhZSKqb37hT9ZBQzRbrofG5nG0hOpG8LF9br3ZWaR5
t04Yk9mXM9c1JDXjXuSNAewe4z+ylSdNNxXNO75s/qC2TbOGP2R7GpcIJ+LljsEI
cRgZuau3ce6iJcrbbmlI4BBvOMGor1eteJI4kXIegtsOlHxl+mAQcqxdpxENGwzn
VJMQv7dav0PQ2TaCU8UkBj9jYeToXoTMo/lqalweSrYVqL6Lf7zP312Lxz1YtJY3
c9GcViHjni8RnBMglGX6LYm9uzQIlA8nxccU3Uc08b6c8uouWLn6QmkQefGa2zqf
YRUnX8fJwy3n8qFjPm3wq48UsJvL8i7O33DyDHo8OerG2OADbz6ts56QRKgJWI7w
NLPq/D/OeTgfbuGrOdnJWZBQZ/CwAdeNtzQLvyj5xG2S9jBv2lWh/nvKgBUshWoW
HaxxVKh7Q4c9JXmSMHokRIe/oeFdAN3V1Bh4/IbR8V4vh1B0XGGo1bpWaM90qZ54
z5JG1acryHTgoFk48uaDm69wTbgU5Ag63v0clSJH7ns4VZvf9nhYEmdxQl6IebAp
HC50Upysn8NKoXRuOwFJqUevgpAcgp8RDNCKJ3ypNLpbGUE5LKm0CC6lnZbnWnr0
cHfCP/URRfL/VLFvpTLb
=qZzf
-----END PGP SIGNATURE-----

49
share/security/patches/SA-16:30/portsnap-9.3.patch Normal file
View file

@ -0,0 +1,49 @@
--- usr.sbin/portsnap/portsnap/portsnap.sh.orig
+++ usr.sbin/portsnap/portsnap/portsnap.sh
@@ -609,7 +609,7 @@
# Verify a list of files
fetch_snapshot_verify() {
while read F; do
- if [ "`gunzip -c snap/${F} | ${SHA256} -q`" != ${F} ]; then
+ if [ "`gunzip -c < snap/${F}.gz | ${SHA256} -q`" != ${F} ]; then
echo "snapshot corrupt."
return 1
fi
@@ -644,11 +644,18 @@
cut -f 2 -d '|' tINDEX.new | fetch_snapshot_verify || return 1
# Extract the index
rm -f INDEX.new
- gunzip -c snap/`look INDEX tINDEX.new |
+ gunzip -c < snap/`look INDEX tINDEX.new |
cut -f 2 -d '|'`.gz > INDEX.new
fetch_index_sanity || return 1
# Verify the snapshot contents
cut -f 2 -d '|' INDEX.new | fetch_snapshot_verify || return 1
+ cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u > files.expected
+ find snap -mindepth 1 | sed -E 's^snap/(.*)\.gz^\1^' | sort > files.snap
+ if ! cmp -s files.expected files.snap; then
+ echo "unexpected files in snapshot."
+ return 1
+ fi
+ rm files.expected files.snap
echo "done."
# Move files into their proper locations
@@ -737,7 +744,7 @@
echo "done."
# Extract the index
- gunzip -c files/`look INDEX tINDEX.new |
+ gunzip -c < files/`look INDEX tINDEX.new |
cut -f 2 -d '|'`.gz > INDEX.new
fetch_index_sanity || return 1
@@ -842,7 +849,7 @@
echo -n "$1 not provided by portsnap server; "
echo "$2 not being generated."
else
- gunzip -c "${WORKDIR}/files/`look $1 ${WORKDIR}/tINDEX |
+ gunzip -c < "${WORKDIR}/files/`look $1 ${WORKDIR}/tINDEX |
cut -f 2 -d '|'`.gz" |
cat - ${LOCALDESC} |
${MKINDEX} /dev/stdin > ${PORTSDIR}/$2

17
share/security/patches/SA-16:30/portsnap-9.3.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAABCgAGBQJX+0PlAAoJEO1n7NZdz2rntIMP/3653gK7bSBhc1Dw68p9OQcE
VqDIE7ucmGjMl9Jk6UrIqMdf54O0lKb+Kf1FuuyERtIBl/c8oTM/ChPvVPyyAVnm
+3GPfoFzfH0UloD6jko9rWdFX0QdrVhZh5tP/TZpDj+FprJm9xgUruKEAmkN0Itz
rvHHI6v2qbXO97lP18jvZhdBExlzICRRgjnduxqbjabb+B6MQdU/Ey8tkussrB+l
tPkTJWEwXfkDGNBx/LF6bM+yh8qlTIOFF9yL8wUXxuG2oKkbS49agPzrTzj5ZLnX
AozV+jnXvNCLGA+eR1rRyfLOtnNh8nbJeOe4fZB/o+595R0YjOsjZLKZAZSajIKV
yIC1j5inK+WbBULYowFb6XL9kg1Y2gc42GkYaOmoEOcQqdcptBpN+c+5W6wM29CD
RouiCAbOxWgwNCAhZMyyS03x2P+sAahAUrZ7lrEqitoy/gLn82etFAu/vid6PAIo
u79rT4Wq1TBeow7fu37KIWtuFvfKl0BSe02SdjWw+5taZisBc84LYQMGdB8sA2Rl
7t99xGx0NwA/CsONv2rsvjxFXnjvN7ZLw7ccmpMSl90LORwXrn1WK0G4O6hbFYbp
DB4UNReyF7bnwWJzRsN0hQUXamrCJlv3DFVCzdkd3A5iN1gxQYPGPX1A2eI1oVUw
JPpNrRIH+dqkRc9vw+Ba
=Pic0
-----END PGP SIGNATURE-----

1270
share/security/patches/SA-16:31/libarchive-10.1.patch Normal file
View file

File diff suppressed because it is too large Load diff

17
share/security/patches/SA-16:31/libarchive-10.1.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAABCgAGBQJX+0PmAAoJEO1n7NZdz2rnn7kQAOUhndMptAsM7FN+wLxFUBHC
GNB9bjulRPcXBM4D2aQcN7If8oG9d7nvmgaphrml8WDkgxUGCoAZyxG0Cty87wYp
gvyMZuhsmIEkKvI9UOH2PeFaVm/qkQrojjFplE/0BFtFLLr6RVGytSR4krYjbZPb
9jj1Q3OL/dHuZFFeyP30yDCFYId5cBLbfNo410iKlX0CZj6lsD6FDMKlXmLqbgrW
pnUP9mb5EHBmAmvZm0bieFAl2W9UdrbjVTR6/IwQLAMeQQpKZFX1eYLkm+FuUlfM
nk5Z26JXoHIDODQBNf5p3sArHRJbLb/8KfZjVpyTAxoDT+kdHHk55oCFDhYMgYHm
Nkyrqoq5oQ4KEGdkuLcWsOvnMzAWn4rjBTpzKHUPk24xG9pbU8LKV7WcnmYlX/n8
uKk8wjGGrIpdxGRhArkBoiqS5q11Xc2XDgNyHonZLekeNBYC1NpdhuK6Ni45NS6q
/IDFBoOXmxbsQAvcArFCqMPpp1IMQ9zMwefJOMvSwdvFDvK4x6JTrIbFhhWgTp3I
xrlYscQy0rW0HeNucpdaGDzGb9OvzC5LsuA/uKs5vTPFijm6Lwdu9xpSzbT07dVJ
1k7GoctzPJm970THSS7M6y/vbqLS8SWhsiBuA30ftyS2udLJKsAhd7sML4tvut4d
eoyhQFyF38/ITK3qQ/Jo
=w5H8
-----END PGP SIGNATURE-----

1270
share/security/patches/SA-16:31/libarchive-10.2.patch Normal file
View file

File diff suppressed because it is too large Load diff

17
share/security/patches/SA-16:31/libarchive-10.2.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAABCgAGBQJX+0PmAAoJEO1n7NZdz2rn4pcQANwh2y75/IJsBmdNHJ039vBS
oSfzGTH+k1EWswJfudVa50qQsZV4DFhbHOlTvocEtBQWuxP7d/MTh9cCFX1c2bmg
gD/AVe24rZoikv/J35uKRyEL4145vAMLUikr6BZCcFe63XJ0YaFHzLNlMn5j31dl
yRDHI3KH6DCTgEjVHv0CsnagLtqA5PIQIa5ck9zhkAcmC7BYbk3zqOERkj9la7h1
HODayA9l8Uludie0aUpSSKEr41aY0C7go7sC4J29zbY2oKPvMEE8fitnl2h5tzqy
BFY5ZbJWpx264GNu3mp7sOrn6wTqyCW2IvfDIJ36jcvN2KWb+Nt4bVt9Apv7hltg
KUc/POJxrcISPtirQhDFNtclPrCyTT00pQigin8wT9rFZzJapW90hN22HFcF9EaN
+Xqwu1cJudjRfKHYyhUekLU9jhk3y8BI2UdMDhBEv6xnJ+9Cvjb5V3Khvyv/OcTV
wZ7KJnxxaQlbfIfW8VHs9nZct8QEBXZQZ7rm/tSBv9TKJNgVQgtuElSkSw8mA3Nk
9T97AVc37/R0urwM8F2A5rpm12roPG0RvkYPAbKfpaL5QklsnI7QlLJ3DYT/PgPe
HAf8mUqKwqUjsI3xlyH+UJ5fGPpUYO5gRXUq4Jj8xYbzbRR0TUfyJKbAhQecarKW
8sd5IddIZQ64/Pf9+tCM
=b7yC
-----END PGP SIGNATURE-----

1270
share/security/patches/SA-16:31/libarchive-10.3.patch Normal file
View file

File diff suppressed because it is too large Load diff

17
share/security/patches/SA-16:31/libarchive-10.3.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAABCgAGBQJX+0PmAAoJEO1n7NZdz2rnnmUQAIqTh0iP7z9FW2QY6FuyTWQK
XNqLx5LaAdTfoJ3gFpQMvbms5yVr/aOPUTgRTwl1UctPNM68bdGslxFwj2aIs4u7
I4/VPvbWdSURzjwik2cTXpwEqHMWymPbFqeDZ914AbjN3LCk3oyClrCQbetR+37g
GEfQtsMipZeUjOvQXTGvMFQTirRmMrrU+5gPwkbVWXdnE+7chridmN7oer4IarpA
IQY454+dbYkAwDK6+ZUwi3xFnF93fBuguxHwbiuH1Z9i+2pO4saWSjSJJ7pGeU3i
WaGKKnyBCO+fKPI40iv2YnDHiVlpK06g/GQIpzFEHo0FRAByJY1zLBx3+leUGLhk
fy4r3LobLrJANWr48AzoO4KUeRuuTmmvm1eWfTCTa4ODEJuos8BCLKiwsdWJuMPW
Z3LsDmaQxoGpxK+4SsCyANTBs0DHO+kzcTnsW4MgsmnLn0KAOaGP50z3FpqqE4ov
2fPq/qe1A+Wicto16hx5PZfvunroPputvoN8qoFujdYuOgGfRcgqEUxTT/zknZXz
3ncwMgCK1JA6ivvKW9XwDup6v3Z+fW1PpZB7qPZFhx/q+EJukOD5AyhJROOKKjtp
mOEnJf7my2c0H9uxDbXlPgfHZY4dS7BszRJq0istxdvcvl0ZEOTTJAD3hOnGXyYU
TCtBq+CcUEOG7+MLWqtZ
=km25
-----END PGP SIGNATURE-----

28
share/xml/advisories.xml
View file

@ -7,6 +7,34 @@
<year>
<name>2016</name>
<month>
<name>10</name>
<day>
<name>10</name>
<advisory>
<name>FreeBSD-SA-16:31.libarchive</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:30.portsnap</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:29.bspatch</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:28.bind</name>
</advisory>
<advisory>
<name>FreeBSD-SA-16:27.openssl</name>
</advisory>
</day>
</month>
<month>
<name>9</name>