Add SA-14:15.iconv, SA-14:16.file, EN-14:07.pmap and EN-14:08.heimdal.

Xin LI 2014-06-24 19:29:17 +00:00
parent b56869daf4
commit bbd3497201
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=45118
16 changed files with 3066 additions and 2 deletions


@ -0,0 +1,129 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:07.pmap Errata Notice
The FreeBSD Project
Topic: Bug with PCID implementation
Category: core
Module: kernel
Announced: 2014-06-24
Credits: Henrik Gulbrandsen
Affects: FreeBSD 10.0-RELEASE
Corrected: 2014-03-04 21:51:09 UTC (stable/10, 10.0-STABLE)
2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
Process-context identifiers (PCIDs) are a facility in modern x86
processors, which tags TLB entries with the Id of the address space
and allows to avoid TLB invalidation on the context switch.
II. Problem Description
Due to bug in the handling of the mask of the CPU set where the given
address space could have cached TLB entries, stale mappings could be
seen by multithreaded programs.
III. Impact
Applications, most notably Java, which makes heavy use of threads may
randomly crash due to the inconcistency.
IV. Workaround
Systems that do not run have a CPU that supports the Process-Context
Identifiers feature are not affected.
The system administrator can add the following to /boot/loader.conf
which disables Process-Context Identifiers to workaround this problem:
vm.pmap.pcid_enabled="0"
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch
# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch.asc
# gpg --verify pmap.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r262753
releng/10.0/ r267829
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:07.pmap.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=vNzu
-----END PGP SIGNATURE-----
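Review bot: In section IV the sentence "Systems that do not run have a CPU that supports the Process-Context Identifiers feature" carries a stray "run" and should read "Systems that do not have a CPU that supports ...". Section III misspells "inconsistency" as "inconcistency", and "Due to bug" in section II needs an article. Because the text is PGP-signed, these have to be fixed before signing, not afterwards.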


@ -0,0 +1,166 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:08.heimdal Errata Notice
The FreeBSD Project
Topic: gss_pseudo_random interoperability issue
Category: contrib
Module: heimdal
Announced: 2014-06-24
Credits: Marc Dionne, Nico Williams, and Benjamin Kaduk
Affects: All supported versions of FreeBSD prior to 9.2-RELEASE.
Corrected: 2013-12-16 06:52:30 UTC (stable/9, 9.2-STABLE)
2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9)
2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16)
2013-12-16 06:56:38 UTC (stable/8, 8.4-STABLE)
2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
Heimdal provides an implementation of Kerberos 5, the Generic Security
Service API (GSS-API), and the krb5 GSS-API mechanism. The GSS-API is
an abstract API that provides a unified interface for security services
that wraps many underlying security mechanisms. Application protocols
using the GSS-API exchange context tokens to establish a security context.
Once the security context has successfully been established, it can be
used to checksum and/or encrypt messages between the two parties of
the context, securely generate an identical pseudorandom bitstring at
both endpoints, and other security-related functionality.
Kerberos 5 permits the use of different encryption types for encryption
keys; part of the specification for each encryption type is a pseudo-random
function that uses an encryption key and some optional seed data to
produce a pseudo-random bitstring of a fixed length. The GSS_Pseudo_random
function uses an established security context and some optional seed
data to produce a pseudo-random bitstring of (nearly) arbitrary lengh.
The specification for GSS_Pseudo_random for the krb5 mechanism (RFC 4402)
uses a counter mode to produce the arbitrary length output from the
fixed-length output of the underlying enctype's pseudo-random output.
II. Problem Description
RFC 4402 specifies that the counter which is prepended to the seed data
must be encoded in network (big-endian) byte order before being input to the
encryption type's pseudo-random function. All released versions of Heimdal
that include a GSS_Pseudo_random implementation for the krb5 mechanism
encode the counter as a little-endian integer.
III. Impact
Only applications using the GSS_Pseudo_random functionality with the krb5
mechanism are affected; the number of such applications is believed to
be small. (RFC 4402 was published in 2006.) Since the first value
used for the counter is zero, the first block of output is correct, but
the second and all subsequent blocks of output are incorrect.
Old versions of Heimdal will interoperate over the network with each
other, but will not interoperate with MIT krb5 peers or other implementations
of RFC 4402, if producing more than one block of pseudo-random output.
For the commonly used AES encryption types, the first 128 bits of output
are correct but the subsequent output differs.
IV. Workaround
Applications which do not use the GSS_Pseudo_random functionality
are not affected.
Applications which can reduce their pseudo-random needs to a single
block length (e.g., 128 bits for AES) will interoperate with all
known implementations.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch
# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch.asc
# gpg --verify heimdal.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r259452
releng/8.4/ r267832
stable/9/ r259451
releng/9.1/ r267831
releng/9.2/ r267831
stable/10/ r259447
releng/10.0/ r259758
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The discussion of this interoperability issue in the IETF kitten working
group archives may be found here:
http://www.ietf.org/mail-archive/web/kitten/current/msg04479.html
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:08.heimdal.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=tTXE
-----END PGP SIGNATURE-----
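Review bot: The Affects line says "All supported versions of FreeBSD prior to 9.2-RELEASE", yet the Corrected list includes releng/9.2 (9.2-RELEASE-p9), and section VI lists stable/10 and releng/10.0 revisions that have no matching Corrected entry; the three places should agree. Also fix "lengh" in section I and "deamons" in section V step c.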


@ -0,0 +1,131 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:15.iconv Security Advisory
The FreeBSD Project
Topic: iconv(3) NULL pointer dereference and out-of-bounds array access
Category: core
Module: libc/iconv
Announced: 2014-06-24
Credits: Manuel Mausz, Tijl Coosemans
Affects: FreeBSD 10.0
Corrected: 2014-03-04 12:43:10 UTC (stable/10, 10.0-STABLE)
2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
CVE Name: CVE-2014-3951
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The iconv(3) API allows converting text data from one character set
encoding to another. Applications first open a converter between two
encodings using iconv_open(3) and then convert text using iconv(3).
HZ is an encoding of the GB2312 character set used for simplified
Chinese characters. VIQR is an encoding for Vietnamese characters.
II. Problem Description
A NULL pointer dereference in the initialization code of the HZ module and
an out of bounds array access in the initialization code of the VIQR module
make iconv_open(3) calls involving HZ or VIQR result in an application crash.
III. Impact
Services where an attacker can control the arguments of an iconv_open(3)
call can be caused to crash resulting in a denial-of-service. For example,
an email encoded in HZ may cause an email delivery service to crash if it
converts emails to a more generic encoding like UTF-8 before applying
filtering rules.
IV. Workaround
No workaround is available, but systems that do not process untrusted
Chinese or Vietnamese input are not affected by this vulnerability.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch
# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch.asc
# gpg --verify iconv.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/10/ r262731
releng/10.0/ r267829
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3951>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:15.iconv.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=Wr8S
-----END PGP SIGNATURE-----
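Review bot: Section IV says systems that do not process untrusted Chinese or Vietnamese input are not affected, but sections II and III place the crash in iconv_open(3) calls involving HZ or VIQR, so the trigger is the encoding name handed to iconv_open(3) rather than the language of the text. Suggest wording the workaround in terms of whether untrusted input can select the HZ or VIQR converter. "deamons" in section V step c should be "daemons".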


@ -0,0 +1,161 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:16.file Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in file(1) and libmagic(3)
Category: contrib
Module: file
Announced: 2014-06-24
Affects: All supported versions of FreeBSD.
Corrected: 2014-06-24 19:04:55 UTC (stable/10, 10.0-STABLE)
2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
2014-06-24 19:04:55 UTC (stable/9, 9.3-PRERELEASE)
2014-06-24 19:05:19 UTC (releng/9.3, 9.3-RC2)
2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9)
2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16)
2014-06-24 19:04:55 UTC (stable/8, 8.4-STABLE)
2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13)
CVE Name: CVE-2012-1571, CVE-2013-7345, CVE-2014-1943, CVE-2014-2270
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The file(1) utility attempts to classify file system objects based on
filesystem, magic number and language tests.
The libmagic(3) library provides most of the functionality of file(1)
and may be used by other applications.
II. Problem Description
A specifically crafted Composite Document File (CDF) file can trigger an
out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571]
A flaw in regular expression in the awk script detector makes use of
multiple wildcards with unlimited repetitions. [CVE-2013-7345]
A malicious input file could trigger infinite recursion in libmagic(3).
[CVE-2014-1943]
A specifically crafted Portable Executable (PE) can trigger out-of-bounds
read. [CVE-2014-2270]
III. Impact
An attacker who can cause file(1) or any other applications using the
libmagic(3) library to be run on a maliciously constructed input can
the application to crash or consume excessive CPU resources, resulting
in a denial-of-service.
IV. Workaround
No workaround is available, but systems where file(1) and other
libmagic(3)-using applications are never run on untrusted input are not
vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.1, 9.2, 9.3, 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch
# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch.asc
# gpg --verify file.patch.asc
[FreeBSD 8.4]
# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch
# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch.asc
# gpg --verify file.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r267828
releng/8.4/ r267832
stable/9/ r267828
releng/9.1/ r267831
releng/9.2/ r267831
releng/9.3/ r267830
stable/10/ r267828
releng/10.0/ r267829
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1571>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:16.file.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
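Review bot: In section V step a, the [FreeBSD 8.4] block fetches file-8.4.patch and file-8.4.patch.asc but then runs "gpg --verify file.patch.asc", so an 8.4 user following the steps does not verify the patch that was downloaded; the command should be "gpg --verify file-8.4.patch.asc". Section III is also missing a verb ("can the application to crash" should be "can cause the application to crash"), and "deamons" in step c should be "daemons".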


@ -0,0 +1,13 @@
Index: sys/amd64/amd64/pmap.c
===================================================================
--- sys/amd64/amd64/pmap.c (revision 267572)
+++ sys/amd64/amd64/pmap.c (working copy)
@@ -367,7 +367,7 @@ static int pmap_flags = PMAP_PDE_SUPERPAGE; /* fla
static struct unrhdr pcid_unr;
static struct mtx pcid_mtx;
-int pmap_pcid_enabled = 1;
+int pmap_pcid_enabled = 0;
SYSCTL_INT(_vm_pmap, OID_AUTO, pcid_enabled, CTLFLAG_RDTUN, &pmap_pcid_enabled,
0, "Is TLB Context ID enabled ?");
int invpcid_works = 0;
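Review bot: Changing the default to "int pmap_pcid_enabled = 0;" switches the feature off instead of correcting the CPU-set mask handling, and since the sysctl is declared with CTLFLAG_RDTUN a vm.pmap.pcid_enabled="1" line left in /boot/loader.conf still overrides the new default. Add a comment above the variable saying why the default is 0 on this branch, and have the errata notice tell administrators not to re-enable the tunable.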


@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=XjDR
-----END PGP SIGNATURE-----


@ -0,0 +1,13 @@
Index: crypto/heimdal/lib/gssapi/krb5/prf.c
===================================================================
--- crypto/heimdal/lib/gssapi/krb5/prf.c (revision 267806)
+++ crypto/heimdal/lib/gssapi/krb5/prf.c (working copy)
@@ -117,7 +117,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
num = 0;
p = prf_out->value;
while(desired_output_len > 0) {
- _gsskrb5_encode_om_uint32(num, input.data);
+ _gsskrb5_encode_be_om_uint32(num, input.data);
ret = krb5_crypto_prf(context, crypto, &input, &output);
if (ret) {
OM_uint32 junk;
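Review bot: The new call "_gsskrb5_encode_be_om_uint32(num, input.data);" depends on a helper whose declaration and definition are not part of this patch, which touches only prf.c, so please confirm the helper already exists on every branch the patch is meant to apply to. A one-line comment at the call stating that the counter is encoded big-endian on purpose would keep the old encoder from being restored by mistake.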


@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=QKVG
-----END PGP SIGNATURE-----


@ -0,0 +1,175 @@
Index: lib/libc/iconv/citrus_prop.c
===================================================================
--- lib/libc/iconv/citrus_prop.c (revision 267591)
+++ lib/libc/iconv/citrus_prop.c (working copy)
@@ -339,7 +339,7 @@ name_found:
static int
_citrus_prop_parse_element(struct _memstream * __restrict ms,
- const _citrus_prop_hint_t * __restrict hints, void ** __restrict context)
+ const _citrus_prop_hint_t * __restrict hints, void * __restrict context)
{
int ch, errnum;
#define _CITRUS_PROP_HINT_NAME_LEN_MAX 255
@@ -435,8 +435,7 @@ _citrus_prop_parse_variable(const _citrus_prop_hin
if (ch == EOF || ch == '\0')
break;
_memstream_ungetc(&ms, ch);
- errnum = _citrus_prop_parse_element(
- &ms, hints, (void ** __restrict)context);
+ errnum = _citrus_prop_parse_element(&ms, hints, context);
if (errnum != 0)
return (errnum);
}
Index: lib/libc/iconv/citrus_prop.h
===================================================================
--- lib/libc/iconv/citrus_prop.h (revision 267591)
+++ lib/libc/iconv/citrus_prop.h (working copy)
@@ -42,7 +42,7 @@ typedef struct _citrus_prop_hint_t _citrus_prop_hi
#define _CITRUS_PROP_CB0_T(_func_, _type_) \
typedef int (*_citrus_prop_##_func_##_cb_func_t) \
- (void ** __restrict, const char *, _type_); \
+ (void * __restrict, const char *, _type_); \
typedef struct { \
_citrus_prop_##_func_##_cb_func_t func; \
} _citrus_prop_##_func_##_cb_t;
@@ -52,7 +52,7 @@ _CITRUS_PROP_CB0_T(str, const char *)
#define _CITRUS_PROP_CB1_T(_func_, _type_) \
typedef int (*_citrus_prop_##_func_##_cb_func_t) \
- (void ** __restrict, const char *, _type_, _type_); \
+ (void * __restrict, const char *, _type_, _type_); \
typedef struct { \
_citrus_prop_##_func_##_cb_func_t func; \
} _citrus_prop_##_func_##_cb_t;
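Review bot: Both callback typedefs, _CITRUS_PROP_CB0_T in the previous hunk and _CITRUS_PROP_CB1_T here, change the first parameter from "void ** __restrict" to "void * __restrict", which alters the contract between lib/libc/iconv and every module under lib/libiconv_modules. The header should carry a comment stating that the context pointer is now passed through unchanged, so that a module callback still written against the old double-pointer convention is recognisable as wrong.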
Index: lib/libiconv_modules/BIG5/citrus_big5.c
===================================================================
--- lib/libiconv_modules/BIG5/citrus_big5.c (revision 267591)
+++ lib/libiconv_modules/BIG5/citrus_big5.c (working copy)
@@ -170,7 +170,7 @@ _citrus_BIG5_check_excludes(_BIG5EncodingInfo *ei,
}
static int
-_citrus_BIG5_fill_rowcol(void ** __restrict ctx, const char * __restrict s,
+_citrus_BIG5_fill_rowcol(void * __restrict ctx, const char * __restrict s,
uint64_t start, uint64_t end)
{
_BIG5EncodingInfo *ei;
@@ -189,7 +189,7 @@ static int
static int
/*ARGSUSED*/
-_citrus_BIG5_fill_excludes(void ** __restrict ctx,
+_citrus_BIG5_fill_excludes(void * __restrict ctx,
const char * __restrict s __unused, uint64_t start, uint64_t end)
{
_BIG5EncodingInfo *ei;
@@ -235,7 +235,6 @@ static int
_citrus_BIG5_encoding_module_init(_BIG5EncodingInfo * __restrict ei,
const void * __restrict var, size_t lenvar)
{
- void *ctx = (void *)ei;
const char *s;
int err;
@@ -257,9 +256,9 @@ _citrus_BIG5_encoding_module_init(_BIG5EncodingInf
}
/* fallback Big5-1984, for backward compatibility. */
- _citrus_BIG5_fill_rowcol((void **)&ctx, "row", 0xA1, 0xFE);
- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0x40, 0x7E);
- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0xA1, 0xFE);
+ _citrus_BIG5_fill_rowcol(ei, "row", 0xA1, 0xFE);
+ _citrus_BIG5_fill_rowcol(ei, "col", 0x40, 0x7E);
+ _citrus_BIG5_fill_rowcol(ei, "col", 0xA1, 0xFE);
return (0);
}
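Review bot: The three fallback calls "_citrus_BIG5_fill_rowcol(ei, ...)" discard the int that the function returns, and the init routine then goes straight to "return (0);". If the fill can fail, propagate the error; if it cannot fail for these constant ranges, a "(void)" cast or a short comment would make that explicit.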
Index: lib/libiconv_modules/HZ/citrus_hz.c
===================================================================
--- lib/libiconv_modules/HZ/citrus_hz.c (revision 267591)
+++ lib/libiconv_modules/HZ/citrus_hz.c (working copy)
@@ -65,8 +65,8 @@ typedef enum {
} charset_t;
typedef struct {
+ int start;
int end;
- int start;
int width;
} range_t;
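Review bot: Swapping "int start;" and "int end;" in range_t only changes behaviour for code that depends on member order, such as positional initializers, and none of that code is visible in this hunk. Add a comment on the struct naming what relies on the order, or convert those initializers to designated form so the layout stops being load-bearing.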
@@ -503,12 +503,12 @@ _citrus_HZ_encoding_module_uninit(_HZEncodingInfo
}
static int
-_citrus_HZ_parse_char(void **context, const char *name __unused, const char *s)
+_citrus_HZ_parse_char(void *context, const char *name __unused, const char *s)
{
escape_t *escape;
void **p;
- p = (void **)*context;
+ p = (void **)context;
escape = (escape_t *)p[0];
if (escape->ch != '\0')
return (EINVAL);
@@ -520,7 +520,7 @@ static int
}
static int
-_citrus_HZ_parse_graphic(void **context, const char *name, const char *s)
+_citrus_HZ_parse_graphic(void *context, const char *name, const char *s)
{
_HZEncodingInfo *ei;
escape_t *escape;
@@ -527,7 +527,7 @@ static int
graphic_t *graphic;
void **p;
- p = (void **)*context;
+ p = (void **)context;
escape = (escape_t *)p[0];
ei = (_HZEncodingInfo *)p[1];
graphic = malloc(sizeof(*graphic));
@@ -589,13 +589,13 @@ _CITRUS_PROP_HINT_END
};
static int
-_citrus_HZ_parse_escape(void **context, const char *name, const char *s)
+_citrus_HZ_parse_escape(void *context, const char *name, const char *s)
{
_HZEncodingInfo *ei;
escape_t *escape;
void *p[2];
- ei = (_HZEncodingInfo *)*context;
+ ei = (_HZEncodingInfo *)context;
escape = malloc(sizeof(*escape));
if (escape == NULL)
return (EINVAL);
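Review bot: _citrus_HZ_parse_escape builds "void *p[2];" and the two callbacks above recover it with "p = (void **)context;" and then read p[0] and p[1], so the meaning of context differs by callback and is held together only by casts. Now that the parameter is a plain "void *", a small named struct holding the escape_t and _HZEncodingInfo pointers would document the convention and let the compiler check the member accesses.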
Index: lib/libiconv_modules/VIQR/citrus_viqr.c
===================================================================
--- lib/libiconv_modules/VIQR/citrus_viqr.c (revision 267591)
+++ lib/libiconv_modules/VIQR/citrus_viqr.c (working copy)
@@ -431,7 +431,6 @@ static int
_citrus_VIQR_encoding_module_init(_VIQREncodingInfo * __restrict ei,
const void * __restrict var __unused, size_t lenvar __unused)
{
- const mnemonic_def_t *p;
const char *s;
size_t i, n;
int errnum;
@@ -455,7 +454,10 @@ _citrus_VIQR_encoding_module_init(_VIQREncodingInf
return (errnum);
}
}
- for (i = 0;; ++i) {
+ /* a + 1 < b + 1 here to silence gcc warning about unsigned < 0. */
+ for (i = 0; i + 1 < mnemonic_ext_size + 1; ++i) {
+ const mnemonic_def_t *p;
+
p = &mnemonic_ext[i];
n = strlen(p->name);
if (ei->mb_cur_max < n)
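Review bot: The bound in "for (i = 0; i + 1 < mnemonic_ext_size + 1; ++i)" is the substantive change, replacing a loop with no termination condition, but the comment above it only explains the "+ 1" trick used to quiet the compiler. Extend the comment to say that the loop must stop at mnemonic_ext_size so that "&mnemonic_ext[i]" stays inside the array.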


@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=gJzF
-----END PGP SIGNATURE-----



@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=Kg8r
-----END PGP SIGNATURE-----


@ -0,0 +1,276 @@
Index: contrib/file/Magdir/commands
===================================================================
--- contrib/file/Magdir/commands (revision 267806)
+++ contrib/file/Magdir/commands (working copy)
@@ -49,7 +49,8 @@
!:mime text/x-awk
0 string/wt #!\ /usr/bin/awk awk script text executable
!:mime text/x-awk
-0 regex =^\\s*BEGIN\\s*[{] awk script text
+0 regex =^\\s{0,100}BEGIN\\s{0,100}[{] awk script text
+!:strength - 12
# AT&T Bell Labs' Plan 9 shell
0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable
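Review bot: The new awk pattern caps both whitespace runs with "\\s{0,100}" and adds "!:strength - 12", but neither the limit of 100 nor the strength adjustment is explained. A "#" comment above the regex line stating that the bound limits backtracking, and why the match strength is lowered, would stop a later edit from restoring "\\s*".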
Index: contrib/file/ascmagic.c
===================================================================
--- contrib/file/ascmagic.c (revision 267806)
+++ contrib/file/ascmagic.c (working copy)
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms,
== NULL)
goto done;
if ((rv = file_softmagic(ms, utf8_buf,
- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
rv = -1;
}
Index: contrib/file/file.h
===================================================================
--- contrib/file/file.h (revision 267806)
+++ contrib/file/file.h (working copy)
@@ -414,7 +414,7 @@ protected int file_encoding(struct magic_set *, co
unichar **, size_t *, const char **, const char **, const char **);
protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
- int, int);
+ size_t, int, int);
protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
protected uint64_t file_signextend(struct magic_set *, struct magic *,
uint64_t);
Index: contrib/file/funcs.c
===================================================================
--- contrib/file/funcs.c (revision 267806)
+++ contrib/file/funcs.c (working copy)
@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const ch
/* try soft magic tests */
if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
looks_text)) != 0) {
if ((ms->flags & MAGIC_DEBUG) != 0)
(void)fprintf(stderr, "softmagic %d\n", m);
Index: contrib/file/softmagic.c
===================================================================
--- contrib/file/softmagic.c (revision 267806)
+++ contrib/file/softmagic.c (working copy)
@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11
private int match(struct magic_set *, struct magic *, uint32_t,
- const unsigned char *, size_t, int, int);
+ const unsigned char *, size_t, int, int, int);
private int mget(struct magic_set *, const unsigned char *,
- struct magic *, size_t, unsigned int, int);
+ struct magic *, size_t, unsigned int, int, int);
private int magiccheck(struct magic_set *, struct magic *);
private int32_t mprint(struct magic_set *, struct magic *);
private int32_t moffset(struct magic_set *, struct magic *);
@@ -60,6 +60,7 @@ private void cvt_16(union VALUETYPE *, const struc
private void cvt_32(union VALUETYPE *, const struct magic *);
private void cvt_64(union VALUETYPE *, const struct magic *);
+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
/*
* softmagic - lookup one file in parsed, in-memory copy of database
* Passed the name and FILE * of one file to be typed.
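Review bot: OFFSET_OOB(n, o, i) is introduced without a comment and sits directly against the following block comment; it also expands (n) and (o) twice, so its arguments must be free of side effects. Document the parameters (buffer length, offset, bytes needed), note that "(i) > ((n) - (o))" is written that way so no addition on the offset is needed, and leave a blank line after the define.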
@@ -67,13 +68,13 @@ private void cvt_64(union VALUETYPE *, const struc
/*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
protected int
file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
- int mode, int text)
+ size_t level, int mode, int text)
{
struct mlist *ml;
int rv;
for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
- text)) != 0)
+ text, level)) != 0)
return rv;
return 0;
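Review bot: file_softmagic() now takes "size_t level" but passes it to match(), whose new last parameter is declared "int recursion_level" in the prototype at the top of the file, so the value is converted implicitly and the same quantity goes by two names. Use one type and one name for the depth counter from file_softmagic() through match() to mget().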
@@ -108,7 +109,8 @@ file_softmagic(struct magic_set *ms, const unsigne
*/
private int
match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
- const unsigned char *s, size_t nbytes, int mode, int text)
+ const unsigned char *s, size_t nbytes, int mode, int text,
+ int recursion_level)
{
uint32_t magindex = 0;
unsigned int cont_level = 0;
@@ -140,7 +142,7 @@ match(struct magic_set *ms, struct magic *magic, u
ms->line = m->lineno;
/* if main entry matches, print it... */
- switch (mget(ms, s, m, nbytes, cont_level, text)) {
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
case -1:
return -1;
case 0:
@@ -223,7 +225,7 @@ match(struct magic_set *ms, struct magic *magic, u
continue;
}
#endif
- switch (mget(ms, s, m, nbytes, cont_level, text)) {
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
case -1:
return -1;
case 0:
@@ -1018,12 +1020,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, in
private int
mget(struct magic_set *ms, const unsigned char *s,
- struct magic *m, size_t nbytes, unsigned int cont_level, int text)
+ struct magic *m, size_t nbytes, unsigned int cont_level, int text,
+ int recursion_level)
{
uint32_t offset = ms->offset;
uint32_t count = m->str_range;
union VALUETYPE *p = &ms->ms_value;
+ if (recursion_level >= 20) {
+ file_error(ms, 0, "recursion nesting exceeded");
+ return -1;
+ }
+
if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
return -1;
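Review bot: The limit in "if (recursion_level >= 20) {" is a bare literal. Give it a named constant with a comment on how the value was chosen, so the depth cap can be found and adjusted in one place.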
@@ -1073,7 +1081,7 @@ mget(struct magic_set *ms, const unsigned char *s,
}
switch (m->in_type) {
case FILE_BYTE:
- if (nbytes < (offset + 1))
+ if (OFFSET_OOB(nbytes, offset, 1))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
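Review bot: the definition of `OFFSET_OOB` is not part of this hunk, so the replacement for `nbytes < (offset + 1)` cannot be checked from these lines. `offset` is a `uint32_t` in `mget()`, so the old `offset + N` form can wrap for offsets near the top of the range and then pass the comparison; the macro should test the bound without adding to `offset`, for example by comparing the length against `nbytes - offset` after first checking `nbytes >= offset`. Its arguments should also be parenthesised, since later callers pass expressions such as `m->vallen`.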
@@ -1108,7 +1116,7 @@ mget(struct magic_set *ms, const unsigned char *s,
offset = ~offset;
break;
case FILE_BESHORT:
- if (nbytes < (offset + 2))
+ if (OFFSET_OOB(nbytes, offset, 2))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1160,7 +1168,7 @@ mget(struct magic_set *ms, const unsigned char *s,
offset = ~offset;
break;
case FILE_LESHORT:
- if (nbytes < (offset + 2))
+ if (OFFSET_OOB(nbytes, offset, 2))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1212,7 +1220,7 @@ mget(struct magic_set *ms, const unsigned char *s,
offset = ~offset;
break;
case FILE_SHORT:
- if (nbytes < (offset + 2))
+ if (OFFSET_OOB(nbytes, offset, 2))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1249,7 +1257,7 @@ mget(struct magic_set *ms, const unsigned char *s,
break;
case FILE_BELONG:
case FILE_BEID3:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1320,7 +1328,7 @@ mget(struct magic_set *ms, const unsigned char *s,
break;
case FILE_LELONG:
case FILE_LEID3:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1390,7 +1398,7 @@ mget(struct magic_set *ms, const unsigned char *s,
offset = ~offset;
break;
case FILE_MELONG:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1460,7 +1468,7 @@ mget(struct magic_set *ms, const unsigned char *s,
offset = ~offset;
break;
case FILE_LONG:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
if (off) {
switch (m->in_op & FILE_OPS_MASK) {
@@ -1527,7 +1535,7 @@ mget(struct magic_set *ms, const unsigned char *s,
/* Verify we have enough data to match magic type */
switch (m->type) {
case FILE_BYTE:
- if (nbytes < (offset + 1)) /* should alway be true */
+ if (OFFSET_OOB(nbytes, offset, 1))
return 0;
break;
@@ -1534,7 +1542,7 @@ mget(struct magic_set *ms, const unsigned char *s,
case FILE_SHORT:
case FILE_BESHORT:
case FILE_LESHORT:
- if (nbytes < (offset + 2))
+ if (OFFSET_OOB(nbytes, offset, 2))
return 0;
break;
@@ -1553,7 +1561,7 @@ mget(struct magic_set *ms, const unsigned char *s,
case FILE_FLOAT:
case FILE_BEFLOAT:
case FILE_LEFLOAT:
- if (nbytes < (offset + 4))
+ if (OFFSET_OOB(nbytes, offset, 4))
return 0;
break;
@@ -1560,7 +1568,7 @@ mget(struct magic_set *ms, const unsigned char *s,
case FILE_DOUBLE:
case FILE_BEDOUBLE:
case FILE_LEDOUBLE:
- if (nbytes < (offset + 8))
+ if (OFFSET_OOB(nbytes, offset, 8))
return 0;
break;
@@ -1567,7 +1575,7 @@ mget(struct magic_set *ms, const unsigned char *s,
case FILE_STRING:
case FILE_PSTRING:
case FILE_SEARCH:
- if (nbytes < (offset + m->vallen))
+ if (OFFSET_OOB(nbytes, offset, m->vallen))
return 0;
break;
@@ -1577,6 +1585,8 @@ mget(struct magic_set *ms, const unsigned char *s,
break;
case FILE_INDIRECT:
+ if (offset == 0)
+ return 0;
if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
file_printf(ms, "%s", m->desc) == -1)
return -1;
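Review bot: the new `if (offset == 0) return 0;` under `FILE_INDIRECT` has no comment explaining why a zero offset is rejected. The call a few lines below is `file_softmagic(ms, s + offset, nbytes - offset, ...)`, so a zero offset would re-run the whole magic list on the same buffer; say that in a comment so the check is not later removed as redundant with the recursion limit. Returning 0 treats the entry as a silent non-match; consider whether it should be reported the way the depth limit is.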
@@ -1583,7 +1593,7 @@ mget(struct magic_set *ms, const unsigned char *s,
if (nbytes < offset)
return 0;
return file_softmagic(ms, s + offset, nbytes - offset,
- BINTEST, text);
+ recursion_level, BINTEST, text);
case FILE_DEFAULT: /* nothing to check */
default:


@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2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=nVM9
-----END PGP SIGNATURE-----


@ -10,6 +10,18 @@
<month>
<name>6</name>
<day>
<name>24</name>
<advisory>
<name>FreeBSD-SA-14:16.file</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:15.iconv</name>
</advisory>
</day>
<day>
<name>5</name>


@ -10,6 +10,18 @@
<month>
<name>6</name>
<day>
<name>24</name>
<notice>
<name>FreeBSD-EN-14:08.heimdal</name>
</notice>
<notice>
<name>FreeBSD-EN-14:07.pmap</name>
</notice>
</day>
<day>
<name>3</name>
@ -26,7 +38,7 @@
<name>13</name>
<notice>
<name>FreeBSD-EN-14:03.pkg</name>
<name>FreeBSD-EN-14:05.ciss</name>
</notice>
<notice>
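Review bot: this hunk and the next one exchange the `FreeBSD-EN-14:03.pkg` and `FreeBSD-EN-14:05.ciss` entries under day 13, which is separate from adding the new notices for day 24. Mention the reorder in the commit message or split it out so the change to existing entries is visible in the log.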
@ -34,7 +46,7 @@
</notice>
<notice>
<name>FreeBSD-EN-14:05.ciss</name>
<name>FreeBSD-EN-14:03.pkg</name>
</notice>
</day>
</month>