Add SA-14:15.iconv, SA-14:16.file, EN-14:07.pmap and EN-14:08.heimdal.
parent b56869daf4
commit bbd3497201
Notes (svn2git, 2020-12-08 03:00:23 +00:00): svn path=/head/; revision=45118
16 changed files with 3066 additions and 2 deletions
129
share/security/advisories/FreeBSD-EN-14:07.pmap.asc
Normal file
|
@ -0,0 +1,129 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-EN-14:07.pmap Errata Notice
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: Bug with PCID implementation
|
||||
|
||||
Category: core
|
||||
Module: kernel
|
||||
Announced: 2014-06-24
|
||||
Credits: Henrik Gulbrandsen
|
||||
Affects: FreeBSD 10.0-RELEASE
|
||||
Corrected: 2014-03-04 21:51:09 UTC (stable/10, 10.0-STABLE)
|
||||
2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
|
||||
|
||||
For general information regarding FreeBSD Errata Notices and Security
|
||||
Advisories, including descriptions of the fields above, security
|
||||
branches, and the following sections, please visit
|
||||
<URL:http://security.freebsd.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
Process-context identifiers (PCIDs) are a facility in modern x86
|
||||
processors, which tags TLB entries with the Id of the address space
|
||||
and allows to avoid TLB invalidation on the context switch.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
Due to bug in the handling of the mask of the CPU set where the given
|
||||
address space could have cached TLB entries, stale mappings could be
|
||||
seen by multithreaded programs.
|
||||
|
||||
III. Impact
|
||||
|
||||
Applications, most notably Java, which makes heavy use of threads may
|
||||
randomly crash due to the inconcistency.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
Systems that do not run have a CPU that supports the Process-Context
|
||||
Identifiers feature are not affected.
|
||||
|
||||
The system administrator can add the following to /boot/loader.conf
|
||||
which disables Process-Context Identifiers to workaround this problem:
|
||||
|
||||
vm.pmap.pcid_enabled="0"
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your system to a supported FreeBSD stable or release / security
|
||||
branch (releng) dated after the correction date.
|
||||
|
||||
2) To update your present system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
[FreeBSD 10.0]
|
||||
# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch
|
||||
# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch.asc
|
||||
# gpg --verify pmap.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile your kernel as described in
|
||||
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
||||
system.
|
||||
|
||||
3) To update your system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the revision numbers of each file that was
|
||||
corrected in FreeBSD.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/10/ r262753
|
||||
releng/10.0/ r267829
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
The latest revision of this Errata Notice is available at
|
||||
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:07.pmap.asc
|
||||
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
|
||||
-----END PGP SIGNATURE-----
|
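Review bot: Section IV's first sentence is garbled ("Systems that do not run have a CPU that supports the Process-Context Identifiers feature are not affected") and should read along the lines of "Systems whose CPU does not support the Process-Context Identifiers feature are not affected". Section III misspells "inconsistency" as "inconcistency" and section II wants "Due to a bug". Section V should also say that the [FreeBSD 10.0] patch resolves the problem by turning PCID off by default, the same effect as the loader.conf workaround in section IV, rather than by correcting the CPU set mask handling, since pmap.patch in this commit only flips pmap_pcid_enabled from 1 to 0. Because the text sits inside a PGP clearsigned message, any wording fix has to be made before signing, or the notice re-signed.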
166
share/security/advisories/FreeBSD-EN-14:08.heimdal.asc
Normal file
|
@ -0,0 +1,166 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-EN-14:08.heimdal Errata Notice
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: gss_pseudo_random interoperability issue
|
||||
|
||||
Category: contrib
|
||||
Module: heimdal
|
||||
Announced: 2014-06-24
|
||||
Credits: Marc Dionne, Nico Williams, and Benjamin Kaduk
|
||||
Affects: All supported versions of FreeBSD prior to 9.2-RELEASE.
|
||||
Corrected: 2013-12-16 06:52:30 UTC (stable/9, 9.2-STABLE)
|
||||
2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9)
|
||||
2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16)
|
||||
2013-12-16 06:56:38 UTC (stable/8, 8.4-STABLE)
|
||||
2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13)
|
||||
|
||||
For general information regarding FreeBSD Errata Notices and Security
|
||||
Advisories, including descriptions of the fields above, security
|
||||
branches, and the following sections, please visit
|
||||
<URL:http://security.freebsd.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
Heimdal provides an implementation of Kerberos 5, the Generic Security
|
||||
Service API (GSS-API), and the krb5 GSS-API mechanism. The GSS-API is
|
||||
an abstract API that provides a unified interface for security services
|
||||
that wraps many underlying security mechanisms. Application protocols
|
||||
using the GSS-API exchange context tokens to establish a security context.
|
||||
Once the security context has successfully been established, it can be
|
||||
used to checksum and/or encrypt messages between the two parties of
|
||||
the context, securely generate an identical pseudorandom bitstring at
|
||||
both endpoints, and other security-related functionality.
|
||||
|
||||
Kerberos 5 permits the use of different encryption types for encryption
|
||||
keys; part of the specification for each encryption type is a pseudo-random
|
||||
function that uses an encryption key and some optional seed data to
|
||||
produce a pseudo-random bitstring of a fixed length. The GSS_Pseudo_random
|
||||
function uses an established security context and some optional seed
|
||||
data to produce a pseudo-random bitstring of (nearly) arbitrary lengh.
|
||||
The specification for GSS_Pseudo_random for the krb5 mechanism (RFC 4402)
|
||||
uses a counter mode to produce the arbitrary length output from the
|
||||
fixed-length output of the underlying enctype's pseudo-random output.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
RFC 4402 specifies that the counter which is prepended to the seed data
|
||||
must be encoded in network (big-endian) byte order before being input to the
|
||||
encryption type's pseudo-random function. All released versions of Heimdal
|
||||
that include a GSS_Pseudo_random implementation for the krb5 mechanism
|
||||
encode the counter as a little-endian integer.
|
||||
|
||||
III. Impact
|
||||
|
||||
Only applications using the GSS_Pseudo_random functionality with the krb5
|
||||
mechanism are affected; the number of such applications is believed to
|
||||
be small. (RFC 4402 was published in 2006.) Since the first value
|
||||
used for the counter is zero, the first block of output is correct, but
|
||||
the second and all subsequent blocks of output are incorrect.
|
||||
Old versions of Heimdal will interoperate over the network with each
|
||||
other, but will not interoperate with MIT krb5 peers or other implementations
|
||||
of RFC 4402, if producing more than one block of pseudo-random output.
|
||||
For the commonly used AES encryption types, the first 128 bits of output
|
||||
are correct but the subsequent output differs.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
Applications which do not use the GSS_Pseudo_random functionality
|
||||
are not affected.
|
||||
|
||||
Applications which can reduce their pseudo-random needs to a single
|
||||
block length (e.g., 128 bits for AES) will interoperate with all
|
||||
known implementations.
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your system to a supported FreeBSD stable or release / security
|
||||
branch (releng) dated after the correction date.
|
||||
|
||||
2) To update your present system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch
|
||||
# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch.asc
|
||||
# gpg --verify heimdal.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile the operating system using buildworld and installworld as
|
||||
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
|
||||
|
||||
Restart all deamons using the library, or reboot the system.
|
||||
|
||||
3) To update your system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the revision numbers of each file that was
|
||||
corrected in FreeBSD.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/8/ r259452
|
||||
releng/8.4/ r267832
|
||||
stable/9/ r259451
|
||||
releng/9.1/ r267831
|
||||
releng/9.2/ r267831
|
||||
stable/10/ r259447
|
||||
releng/10.0/ r259758
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
The discussion of this interoperability issue in the IETF kitten working
|
||||
group archives may be found here:
|
||||
http://www.ietf.org/mail-archive/web/kitten/current/msg04479.html
|
||||
|
||||
The latest revision of this Errata Notice is available at
|
||||
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:08.heimdal.asc
|
||||
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
|
||||
-----END PGP SIGNATURE-----
|
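Review bot: The Affects line ("All supported versions of FreeBSD prior to 9.2-RELEASE") contradicts the rest of the header, which lists a correction for releng/9.2 as 9.2-RELEASE-p9, and section VI carries stable/10 and releng/10.0 revisions that have no matching Corrected entry. State the affected range so that it agrees with the branches actually patched. Smaller points: "lengh" in section I and "deamons" in section V step 2c are misspelled, and step 2a has no branch label in front of the fetch commands where the other notices in this commit have one. The notice could also say that a patched host no longer matches unpatched Heimdal peers beyond the first block, so both ends of a GSS_Pseudo_random exchange need the update.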
131
share/security/advisories/FreeBSD-SA-14:15.iconv.asc
Normal file
|
@ -0,0 +1,131 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-SA-14:15.iconv Security Advisory
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: iconv(3) NULL pointer dereference and out-of-bounds array access
|
||||
|
||||
Category: core
|
||||
Module: libc/iconv
|
||||
Announced: 2014-06-24
|
||||
Credits: Manuel Mausz, Tijl Coosemans
|
||||
Affects: FreeBSD 10.0
|
||||
Corrected: 2014-03-04 12:43:10 UTC (stable/10, 10.0-STABLE)
|
||||
2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
|
||||
CVE Name: CVE-2014-3951
|
||||
|
||||
For general information regarding FreeBSD Security Advisories,
|
||||
including descriptions of the fields above, security branches, and the
|
||||
following sections, please visit <URL:http://security.FreeBSD.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
The iconv(3) API allows converting text data from one character set
|
||||
encoding to another. Applications first open a converter between two
|
||||
encodings using iconv_open(3) and then convert text using iconv(3).
|
||||
HZ is an encoding of the GB2312 character set used for simplified
|
||||
Chinese characters. VIQR is an encoding for Vietnamese characters.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
A NULL pointer dereference in the initialization code of the HZ module and
|
||||
an out of bounds array access in the initialization code of the VIQR module
|
||||
make iconv_open(3) calls involving HZ or VIQR result in an application crash.
|
||||
|
||||
III. Impact
|
||||
|
||||
Services where an attacker can control the arguments of an iconv_open(3)
|
||||
call can be caused to crash resulting in a denial-of-service. For example,
|
||||
an email encoded in HZ may cause an email delivery service to crash if it
|
||||
converts emails to a more generic encoding like UTF-8 before applying
|
||||
filtering rules.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
No workaround is available, but systems that do not process untrusted
|
||||
Chinese or Vietnamese input are not affected by this vulnerability.
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
||||
release / security branch (releng) dated after the correction date.
|
||||
|
||||
2) To update your vulnerable system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
[FreeBSD 10.0]
|
||||
# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch
|
||||
# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch.asc
|
||||
# gpg --verify iconv.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile the operating system using buildworld and installworld as
|
||||
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
|
||||
|
||||
Restart all deamons using the library, or reboot the system.
|
||||
|
||||
3) To update your vulnerable system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/10/ r262731
|
||||
releng/10.0/ r267829
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3951>
|
||||
|
||||
The latest revision of this advisory is available at
|
||||
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:15.iconv.asc>
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
|
||||
-----END PGP SIGNATURE-----
|
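Review bot: Section IV scopes the exposure by input language ("systems that do not process untrusted Chinese or Vietnamese input"), but sections II and III put the trigger in the encoding name passed to iconv_open(3), which the sender of a message can set regardless of what the content is. Reword the workaround in terms of untrusted control over the iconv_open(3) arguments, for example a charset label taken from a message header, so operators judge their exposure by the right criterion. Also "deamons" in section V step 2c should be "daemons".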
161
share/security/advisories/FreeBSD-SA-14:16.file.asc
Normal file
|
@ -0,0 +1,161 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
=============================================================================
|
||||
FreeBSD-SA-14:16.file Security Advisory
|
||||
The FreeBSD Project
|
||||
|
||||
Topic: Multiple vulnerabilities in file(1) and libmagic(3)
|
||||
|
||||
Category: contrib
|
||||
Module: file
|
||||
Announced: 2014-06-24
|
||||
Affects: All supported versions of FreeBSD.
|
||||
Corrected: 2014-06-24 19:04:55 UTC (stable/10, 10.0-STABLE)
|
||||
2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
|
||||
2014-06-24 19:04:55 UTC (stable/9, 9.3-PRERELEASE)
|
||||
2014-06-24 19:05:19 UTC (releng/9.3, 9.3-RC2)
|
||||
2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9)
|
||||
2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16)
|
||||
2014-06-24 19:04:55 UTC (stable/8, 8.4-STABLE)
|
||||
2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13)
|
||||
CVE Name: CVE-2012-1571, CVE-2013-7345, CVE-2014-1943, CVE-2014-2270
|
||||
|
||||
For general information regarding FreeBSD Security Advisories,
|
||||
including descriptions of the fields above, security branches, and the
|
||||
following sections, please visit <URL:http://security.FreeBSD.org/>.
|
||||
|
||||
I. Background
|
||||
|
||||
The file(1) utility attempts to classify file system objects based on
|
||||
filesystem, magic number and language tests.
|
||||
|
||||
The libmagic(3) library provides most of the functionality of file(1)
|
||||
and may be used by other applications.
|
||||
|
||||
II. Problem Description
|
||||
|
||||
A specifically crafted Composite Document File (CDF) file can trigger an
|
||||
out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571]
|
||||
|
||||
A flaw in regular expression in the awk script detector makes use of
|
||||
multiple wildcards with unlimited repetitions. [CVE-2013-7345]
|
||||
|
||||
A malicious input file could trigger infinite recursion in libmagic(3).
|
||||
[CVE-2014-1943]
|
||||
|
||||
A specifically crafted Portable Executable (PE) can trigger out-of-bounds
|
||||
read. [CVE-2014-2270]
|
||||
|
||||
III. Impact
|
||||
|
||||
An attacker who can cause file(1) or any other applications using the
|
||||
libmagic(3) library to be run on a maliciously constructed input can
|
||||
the application to crash or consume excessive CPU resources, resulting
|
||||
in a denial-of-service.
|
||||
|
||||
IV. Workaround
|
||||
|
||||
No workaround is available, but systems where file(1) and other
|
||||
libmagic(3)-using applications are never run on untrusted input are not
|
||||
vulnerable.
|
||||
|
||||
V. Solution
|
||||
|
||||
Perform one of the following:
|
||||
|
||||
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
||||
release / security branch (releng) dated after the correction date.
|
||||
|
||||
2) To update your vulnerable system via a source code patch:
|
||||
|
||||
The following patches have been verified to apply to the applicable
|
||||
FreeBSD release branches.
|
||||
|
||||
a) Download the relevant patch from the location below, and verify the
|
||||
detached PGP signature using your PGP utility.
|
||||
|
||||
[FreeBSD 9.1, 9.2, 9.3, 10.0]
|
||||
# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch
|
||||
# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch.asc
|
||||
# gpg --verify file.patch.asc
|
||||
|
||||
[FreeBSD 8.4]
|
||||
# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch
|
||||
# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch.asc
|
||||
# gpg --verify file.patch.asc
|
||||
|
||||
b) Apply the patch. Execute the following commands as root:
|
||||
|
||||
# cd /usr/src
|
||||
# patch < /path/to/patch
|
||||
|
||||
c) Recompile the operating system using buildworld and installworld as
|
||||
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
|
||||
|
||||
Restart all deamons using the library, or reboot the system.
|
||||
|
||||
3) To update your vulnerable system via a binary patch:
|
||||
|
||||
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
||||
platforms can be updated via the freebsd-update(8) utility:
|
||||
|
||||
# freebsd-update fetch
|
||||
# freebsd-update install
|
||||
|
||||
VI. Correction details
|
||||
|
||||
The following list contains the correction revision numbers for each
|
||||
affected branch.
|
||||
|
||||
Branch/path Revision
|
||||
- -------------------------------------------------------------------------
|
||||
stable/8/ r267828
|
||||
releng/8.4/ r267832
|
||||
stable/9/ r267828
|
||||
releng/9.1/ r267831
|
||||
releng/9.2/ r267831
|
||||
releng/9.3/ r267830
|
||||
stable/10/ r267828
|
||||
releng/10.0/ r267829
|
||||
- -------------------------------------------------------------------------
|
||||
|
||||
To see which files were modified by a particular revision, run the
|
||||
following command, replacing NNNNNN with the revision number, on a
|
||||
machine with Subversion installed:
|
||||
|
||||
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
||||
|
||||
Or visit the following URL, replacing NNNNNN with the revision number:
|
||||
|
||||
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
||||
|
||||
VII. References
|
||||
|
||||
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1571>
|
||||
|
||||
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345>
|
||||
|
||||
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943>
|
||||
|
||||
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270>
|
||||
|
||||
The latest revision of this advisory is available at
|
||||
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:16.file.asc>
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
|
||||
-----END PGP SIGNATURE-----
|
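Review bot: In section V step 2a the [FreeBSD 8.4] block fetches file-8.4.patch.asc but then runs "gpg --verify file.patch.asc", so a reader following it either gets an error or verifies the wrong signature file; the command should be "gpg --verify file-8.4.patch.asc". Section III is missing a verb ("can the application to crash" should be "can cause the application to crash"), "deamons" in step 2c is misspelled, and the header has no Credits field where the other three notices in this commit do.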
13
share/security/patches/EN-14:07/pmap.patch
Normal file
|
@ -0,0 +1,13 @@
|
|||
Index: sys/amd64/amd64/pmap.c
|
||||
===================================================================
|
||||
--- sys/amd64/amd64/pmap.c (revision 267572)
|
||||
+++ sys/amd64/amd64/pmap.c (working copy)
|
||||
@@ -367,7 +367,7 @@ static int pmap_flags = PMAP_PDE_SUPERPAGE; /* fla
|
||||
|
||||
static struct unrhdr pcid_unr;
|
||||
static struct mtx pcid_mtx;
|
||||
-int pmap_pcid_enabled = 1;
|
||||
+int pmap_pcid_enabled = 0;
|
||||
SYSCTL_INT(_vm_pmap, OID_AUTO, pcid_enabled, CTLFLAG_RDTUN, &pmap_pcid_enabled,
|
||||
0, "Is TLB Context ID enabled ?");
|
||||
int invpcid_works = 0;
|
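Review bot: Flipping the default of pmap_pcid_enabled to 0 disables PCID on every system that takes this patch instead of fixing the stale-mapping bug that EN-14:07 describes, and nothing in the hunk records why. Add a comment above the variable that points at EN-14:07 so the default is not restored by accident. The notice's own workaround shows the value can be set from /boot/loader.conf, so a system that already sets vm.pmap.pcid_enabled to 1 there keeps PCID on after patching; the notice should tell administrators to remove such a line.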
17
share/security/patches/EN-14:07/pmap.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
|
||||
-----END PGP SIGNATURE-----
|
13
share/security/patches/EN-14:08/heimdal.patch
Normal file
|
@ -0,0 +1,13 @@
|
|||
Index: crypto/heimdal/lib/gssapi/krb5/prf.c
|
||||
===================================================================
|
||||
--- crypto/heimdal/lib/gssapi/krb5/prf.c (revision 267806)
|
||||
+++ crypto/heimdal/lib/gssapi/krb5/prf.c (working copy)
|
||||
@@ -117,7 +117,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
|
||||
num = 0;
|
||||
p = prf_out->value;
|
||||
while(desired_output_len > 0) {
|
||||
- _gsskrb5_encode_om_uint32(num, input.data);
|
||||
+ _gsskrb5_encode_be_om_uint32(num, input.data);
|
||||
ret = krb5_crypto_prf(context, crypto, &input, &output);
|
||||
if (ret) {
|
||||
OM_uint32 junk;
|
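Review bot: The replacement call on the added line relies on _gsskrb5_encode_be_om_uint32, whose declaration is not part of this patch; since a single heimdal.patch is offered for every affected branch, confirm the helper already exists on releng/8.4, releng/9.1 and releng/9.2, or the build fails at this line. A regression test that requests more than one block of output, so that num reaches 1, would pin the byte order: with num = 0 both encodings produce the same bytes, so a first-block check cannot catch a regression.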
17
share/security/patches/EN-14:08/heimdal.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
|
||||
-----END PGP SIGNATURE-----
|
175
share/security/patches/SA-14:15/iconv.patch
Normal file
|
@ -0,0 +1,175 @@
|
|||
Index: lib/libc/iconv/citrus_prop.c
|
||||
===================================================================
|
||||
--- lib/libc/iconv/citrus_prop.c (revision 267591)
|
||||
+++ lib/libc/iconv/citrus_prop.c (working copy)
|
||||
@@ -339,7 +339,7 @@ name_found:
|
||||
|
||||
static int
|
||||
_citrus_prop_parse_element(struct _memstream * __restrict ms,
|
||||
- const _citrus_prop_hint_t * __restrict hints, void ** __restrict context)
|
||||
+ const _citrus_prop_hint_t * __restrict hints, void * __restrict context)
|
||||
{
|
||||
int ch, errnum;
|
||||
#define _CITRUS_PROP_HINT_NAME_LEN_MAX 255
|
||||
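Review bot: Widening the context parameter of _citrus_prop_parse_element from void ** to void * removes a compile-time check, because any object pointer, a leftover void ** included, converts to void * without a diagnostic. A caller that still passes the address of a local, as the BIG5 module did with "(void **)&ctx" before this patch, now compiles cleanly and hands the callbacks the wrong address, so search every module under lib/libiconv_modules for remaining arguments of that form before this goes in.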
@@ -435,8 +435,7 @@ _citrus_prop_parse_variable(const _citrus_prop_hin
|
||||
if (ch == EOF || ch == '\0')
|
||||
break;
|
||||
_memstream_ungetc(&ms, ch);
|
||||
- errnum = _citrus_prop_parse_element(
|
||||
- &ms, hints, (void ** __restrict)context);
|
||||
+ errnum = _citrus_prop_parse_element(&ms, hints, context);
|
||||
if (errnum != 0)
|
||||
return (errnum);
|
||||
}
|
||||
Index: lib/libc/iconv/citrus_prop.h
|
||||
===================================================================
|
||||
--- lib/libc/iconv/citrus_prop.h (revision 267591)
|
||||
+++ lib/libc/iconv/citrus_prop.h (working copy)
|
||||
@@ -42,7 +42,7 @@ typedef struct _citrus_prop_hint_t _citrus_prop_hi
|
||||
|
||||
#define _CITRUS_PROP_CB0_T(_func_, _type_) \
|
||||
typedef int (*_citrus_prop_##_func_##_cb_func_t) \
|
||||
- (void ** __restrict, const char *, _type_); \
|
||||
+ (void * __restrict, const char *, _type_); \
|
||||
typedef struct { \
|
||||
_citrus_prop_##_func_##_cb_func_t func; \
|
||||
} _citrus_prop_##_func_##_cb_t;
|
||||
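Review bot: The callback typedef in _CITRUS_PROP_CB0_T changes meaning without any documentation: the first argument used to be a pointer to the context pointer and is now the context object itself. Add a comment above this macro and the matching _CITRUS_PROP_CB1_T saying what the callee is expected to cast the argument to, since every module's callback has to agree with it and the void * type no longer enforces that.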
@@ -52,7 +52,7 @@ _CITRUS_PROP_CB0_T(str, const char *)
|
||||
|
||||
#define _CITRUS_PROP_CB1_T(_func_, _type_) \
|
||||
typedef int (*_citrus_prop_##_func_##_cb_func_t) \
|
||||
- (void ** __restrict, const char *, _type_, _type_); \
|
||||
+ (void * __restrict, const char *, _type_, _type_); \
|
||||
typedef struct { \
|
||||
_citrus_prop_##_func_##_cb_func_t func; \
|
||||
} _citrus_prop_##_func_##_cb_t;
|
||||
Index: lib/libiconv_modules/BIG5/citrus_big5.c
|
||||
===================================================================
|
||||
--- lib/libiconv_modules/BIG5/citrus_big5.c (revision 267591)
|
||||
+++ lib/libiconv_modules/BIG5/citrus_big5.c (working copy)
|
||||
@@ -170,7 +170,7 @@ _citrus_BIG5_check_excludes(_BIG5EncodingInfo *ei,
|
||||
}
|
||||
|
||||
static int
|
||||
-_citrus_BIG5_fill_rowcol(void ** __restrict ctx, const char * __restrict s,
|
||||
+_citrus_BIG5_fill_rowcol(void * __restrict ctx, const char * __restrict s,
|
||||
uint64_t start, uint64_t end)
|
||||
{
|
||||
_BIG5EncodingInfo *ei;
|
||||
@@ -189,7 +189,7 @@ static int
|
||||
|
||||
static int
|
||||
/*ARGSUSED*/
|
||||
-_citrus_BIG5_fill_excludes(void ** __restrict ctx,
|
||||
+_citrus_BIG5_fill_excludes(void * __restrict ctx,
|
||||
const char * __restrict s __unused, uint64_t start, uint64_t end)
|
||||
{
|
||||
_BIG5EncodingInfo *ei;
|
||||
@@ -235,7 +235,6 @@ static int
|
||||
_citrus_BIG5_encoding_module_init(_BIG5EncodingInfo * __restrict ei,
|
||||
const void * __restrict var, size_t lenvar)
|
||||
{
|
||||
- void *ctx = (void *)ei;
|
||||
const char *s;
|
||||
int err;
|
||||
|
||||
@@ -257,9 +256,9 @@ _citrus_BIG5_encoding_module_init(_BIG5EncodingInf
|
||||
}
|
||||
|
||||
/* fallback Big5-1984, for backward compatibility. */
|
||||
- _citrus_BIG5_fill_rowcol((void **)&ctx, "row", 0xA1, 0xFE);
|
||||
- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0x40, 0x7E);
|
||||
- _citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0xA1, 0xFE);
|
||||
+ _citrus_BIG5_fill_rowcol(ei, "row", 0xA1, 0xFE);
|
||||
+ _citrus_BIG5_fill_rowcol(ei, "col", 0x40, 0x7E);
|
||||
+ _citrus_BIG5_fill_rowcol(ei, "col", 0xA1, 0xFE);
|
||||
|
||||
return (0);
|
||||
}
|
||||
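Review bot: the three fallback calls to _citrus_BIG5_fill_rowcol still discard its return value, although the function is declared `static int`. Now that `ei` is passed directly, either check each call and return the error from _citrus_BIG5_encoding_module_init, or cast to `(void)` with a comment saying why these fixed ranges cannot fail.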
Index: lib/libiconv_modules/HZ/citrus_hz.c
|
||||
===================================================================
|
||||
--- lib/libiconv_modules/HZ/citrus_hz.c (revision 267591)
|
||||
+++ lib/libiconv_modules/HZ/citrus_hz.c (working copy)
|
||||
@@ -65,8 +65,8 @@ typedef enum {
|
||||
} charset_t;
|
||||
|
||||
typedef struct {
|
||||
+ int start;
|
||||
int end;
|
||||
- int start;
|
||||
int width;
|
||||
} range_t;
|
||||
|
||||
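Review bot: swapping `start` and `end` in range_t has no visible effect unless something fills or reads the struct by position, and nothing in this hunk says what that is. Add a comment on the struct naming the code that depends on the field order, so a later cleanup does not reorder it back.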
@@ -503,12 +503,12 @@ _citrus_HZ_encoding_module_uninit(_HZEncodingInfo
|
||||
}
|
||||
|
||||
static int
|
||||
-_citrus_HZ_parse_char(void **context, const char *name __unused, const char *s)
|
||||
+_citrus_HZ_parse_char(void *context, const char *name __unused, const char *s)
|
||||
{
|
||||
escape_t *escape;
|
||||
void **p;
|
||||
|
||||
- p = (void **)*context;
|
||||
+ p = (void **)context;
|
||||
escape = (escape_t *)p[0];
|
||||
if (escape->ch != '\0')
|
||||
return (EINVAL);
|
||||
@@ -520,7 +520,7 @@ static int
|
||||
}
|
||||
|
||||
static int
|
||||
-_citrus_HZ_parse_graphic(void **context, const char *name, const char *s)
|
||||
+_citrus_HZ_parse_graphic(void *context, const char *name, const char *s)
|
||||
{
|
||||
_HZEncodingInfo *ei;
|
||||
escape_t *escape;
|
||||
@@ -527,7 +527,7 @@ static int
|
||||
graphic_t *graphic;
|
||||
void **p;
|
||||
|
||||
- p = (void **)*context;
|
||||
+ p = (void **)context;
|
||||
escape = (escape_t *)p[0];
|
||||
ei = (_HZEncodingInfo *)p[1];
|
||||
graphic = malloc(sizeof(*graphic));
|
||||
@@ -589,13 +589,13 @@ _CITRUS_PROP_HINT_END
|
||||
};
|
||||
|
||||
static int
|
||||
-_citrus_HZ_parse_escape(void **context, const char *name, const char *s)
|
||||
+_citrus_HZ_parse_escape(void *context, const char *name, const char *s)
|
||||
{
|
||||
_HZEncodingInfo *ei;
|
||||
escape_t *escape;
|
||||
void *p[2];
|
||||
|
||||
- ei = (_HZEncodingInfo *)*context;
|
||||
+ ei = (_HZEncodingInfo *)context;
|
||||
escape = malloc(sizeof(*escape));
|
||||
if (escape == NULL)
|
||||
return (EINVAL);
|
||||
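Review bot: in _citrus_HZ_parse_escape the allocation failure path, `if (escape == NULL) return (EINVAL);`, reports a bad argument rather than an out-of-memory condition; ENOMEM would be the accurate error. Separately, the context handed on to the nested callbacks is an untyped `void *p[2]` that _citrus_HZ_parse_char and _citrus_HZ_parse_graphic index as p[0] and p[1]; a small named struct would make the `(void **)context` casts in those two functions unnecessary and would let the compiler check the layout.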
Index: lib/libiconv_modules/VIQR/citrus_viqr.c
|
||||
===================================================================
|
||||
--- lib/libiconv_modules/VIQR/citrus_viqr.c (revision 267591)
|
||||
+++ lib/libiconv_modules/VIQR/citrus_viqr.c (working copy)
|
||||
@@ -431,7 +431,6 @@ static int
|
||||
_citrus_VIQR_encoding_module_init(_VIQREncodingInfo * __restrict ei,
|
||||
const void * __restrict var __unused, size_t lenvar __unused)
|
||||
{
|
||||
- const mnemonic_def_t *p;
|
||||
const char *s;
|
||||
size_t i, n;
|
||||
int errnum;
|
||||
@@ -455,7 +454,10 @@ _citrus_VIQR_encoding_module_init(_VIQREncodingInf
|
||||
return (errnum);
|
||||
}
|
||||
}
|
||||
- for (i = 0;; ++i) {
|
||||
+ /* a + 1 < b + 1 here to silence gcc warning about unsigned < 0. */
|
||||
+ for (i = 0; i + 1 < mnemonic_ext_size + 1; ++i) {
|
||||
+ const mnemonic_def_t *p;
|
||||
+
|
||||
p = &mnemonic_ext[i];
|
||||
n = strlen(p->name);
|
||||
if (ei->mb_cur_max < n)
|
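Review bot: the new comment on the `for` line explains the unusual `i + 1 < mnemonic_ext_size + 1` form but not the substantive change, which is that the loop previously had no condition at all (`for (i = 0;; ++i)`) and is now bounded by mnemonic_ext_size. Say that in the comment too. Moving the declaration of `p` into the loop body is an unrelated style change and could be left out of a security patch.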
17
share/security/patches/SA-14:15/iconv.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
-----END PGP SIGNATURE-----
|
1891
share/security/patches/SA-14:16/file-8.4.patch
Normal file
File diff suppressed because it is too large
17
share/security/patches/SA-14:16/file-8.4.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
-----END PGP SIGNATURE-----
|
276
share/security/patches/SA-14:16/file.patch
Normal file
|
@ -0,0 +1,276 @@
|
|||
Index: contrib/file/Magdir/commands
|
||||
===================================================================
|
||||
--- contrib/file/Magdir/commands (revision 267806)
|
||||
+++ contrib/file/Magdir/commands (working copy)
|
||||
@@ -49,7 +49,8 @@
|
||||
!:mime text/x-awk
|
||||
0 string/wt #!\ /usr/bin/awk awk script text executable
|
||||
!:mime text/x-awk
|
||||
-0 regex =^\\s*BEGIN\\s*[{] awk script text
|
||||
+0 regex =^\\s{0,100}BEGIN\\s{0,100}[{] awk script text
|
||||
+!:strength - 12
|
||||
|
||||
# AT&T Bell Labs' Plan 9 shell
|
||||
0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable
|
||||
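Review bot: the awk rule gains two magic numbers, the `{0,100}` repetition bound and `!:strength - 12`, with no comment for either. A `#` line above the rule should say why the whitespace runs are capped at 100 and why the rule's strength is lowered by 12, so the values are not tuned or reverted later without knowing what they protect.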
Index: contrib/file/ascmagic.c
|
||||
===================================================================
|
||||
--- contrib/file/ascmagic.c (revision 267806)
|
||||
+++ contrib/file/ascmagic.c (working copy)
|
||||
@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms,
|
||||
== NULL)
|
||||
goto done;
|
||||
if ((rv = file_softmagic(ms, utf8_buf,
|
||||
- (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
|
||||
+ (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
|
||||
rv = -1;
|
||||
}
|
||||
|
||||
Index: contrib/file/file.h
|
||||
===================================================================
|
||||
--- contrib/file/file.h (revision 267806)
|
||||
+++ contrib/file/file.h (working copy)
|
||||
@@ -414,7 +414,7 @@ protected int file_encoding(struct magic_set *, co
|
||||
unichar **, size_t *, const char **, const char **, const char **);
|
||||
protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
|
||||
protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
|
||||
- int, int);
|
||||
+ size_t, int, int);
|
||||
protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
|
||||
protected uint64_t file_signextend(struct magic_set *, struct magic *,
|
||||
uint64_t);
|
||||
Index: contrib/file/funcs.c
|
||||
===================================================================
|
||||
--- contrib/file/funcs.c (revision 267806)
|
||||
+++ contrib/file/funcs.c (working copy)
|
||||
@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const ch
|
||||
|
||||
/* try soft magic tests */
|
||||
if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
|
||||
- if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
|
||||
+ if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
|
||||
looks_text)) != 0) {
|
||||
if ((ms->flags & MAGIC_DEBUG) != 0)
|
||||
(void)fprintf(stderr, "softmagic %d\n", m);
|
||||
Index: contrib/file/softmagic.c
|
||||
===================================================================
|
||||
--- contrib/file/softmagic.c (revision 267806)
|
||||
+++ contrib/file/softmagic.c (working copy)
|
||||
@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11
|
||||
|
||||
|
||||
private int match(struct magic_set *, struct magic *, uint32_t,
|
||||
- const unsigned char *, size_t, int, int);
|
||||
+ const unsigned char *, size_t, int, int, int);
|
||||
private int mget(struct magic_set *, const unsigned char *,
|
||||
- struct magic *, size_t, unsigned int, int);
|
||||
+ struct magic *, size_t, unsigned int, int, int);
|
||||
private int magiccheck(struct magic_set *, struct magic *);
|
||||
private int32_t mprint(struct magic_set *, struct magic *);
|
||||
private int32_t moffset(struct magic_set *, struct magic *);
|
||||
@@ -60,6 +60,7 @@ private void cvt_16(union VALUETYPE *, const struc
|
||||
private void cvt_32(union VALUETYPE *, const struct magic *);
|
||||
private void cvt_64(union VALUETYPE *, const struct magic *);
|
||||
|
||||
+#define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
|
||||
/*
|
||||
* softmagic - lookup one file in parsed, in-memory copy of database
|
||||
* Passed the name and FILE * of one file to be typed.
|
||||
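Review bot: OFFSET_OOB is added without a comment, and it is the core of the bounds fix. State above the macro that it is written as `(i) > ((n) - (o))` after first testing `(n) < (o)` so that no addition is performed; the checks it replaces, such as `nbytes < (offset + 2)`, add to a `uint32_t offset` and can wrap. Also note that `n` and `o` are each evaluated twice, so callers must not pass expressions with side effects.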
@@ -67,13 +68,13 @@ private void cvt_64(union VALUETYPE *, const struc
|
||||
/*ARGSUSED1*/ /* nbytes passed for regularity, maybe need later */
|
||||
protected int
|
||||
file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
|
||||
- int mode, int text)
|
||||
+ size_t level, int mode, int text)
|
||||
{
|
||||
struct mlist *ml;
|
||||
int rv;
|
||||
for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
|
||||
if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
|
||||
- text)) != 0)
|
||||
+ text, level)) != 0)
|
||||
return rv;
|
||||
|
||||
return 0;
|
||||
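Review bot: the new depth argument is typed and placed inconsistently. file_softmagic takes it as `size_t level` before `mode` and `text`, while match (and mget, later in the patch) takes it as `int recursion_level` after them, so the value is converted size_t to int here and int back to size_t at the FILE_INDIRECT call. Pick one type and one name and keep the same position in all three signatures; with three adjacent integer parameters a transposed call would compile silently.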
@@ -108,7 +109,8 @@ file_softmagic(struct magic_set *ms, const unsigne
|
||||
*/
|
||||
private int
|
||||
match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
|
||||
- const unsigned char *s, size_t nbytes, int mode, int text)
|
||||
+ const unsigned char *s, size_t nbytes, int mode, int text,
|
||||
+ int recursion_level)
|
||||
{
|
||||
uint32_t magindex = 0;
|
||||
unsigned int cont_level = 0;
|
||||
@@ -140,7 +142,7 @@ match(struct magic_set *ms, struct magic *magic, u
|
||||
ms->line = m->lineno;
|
||||
|
||||
/* if main entry matches, print it... */
|
||||
- switch (mget(ms, s, m, nbytes, cont_level, text)) {
|
||||
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
|
||||
case -1:
|
||||
return -1;
|
||||
case 0:
|
||||
@@ -223,7 +225,7 @@ match(struct magic_set *ms, struct magic *magic, u
|
||||
continue;
|
||||
}
|
||||
#endif
|
||||
- switch (mget(ms, s, m, nbytes, cont_level, text)) {
|
||||
+ switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
|
||||
case -1:
|
||||
return -1;
|
||||
case 0:
|
||||
@@ -1018,12 +1020,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, in
|
||||
|
||||
private int
|
||||
mget(struct magic_set *ms, const unsigned char *s,
|
||||
- struct magic *m, size_t nbytes, unsigned int cont_level, int text)
|
||||
+ struct magic *m, size_t nbytes, unsigned int cont_level, int text,
|
||||
+ int recursion_level)
|
||||
{
|
||||
uint32_t offset = ms->offset;
|
||||
uint32_t count = m->str_range;
|
||||
union VALUETYPE *p = &ms->ms_value;
|
||||
|
||||
+ if (recursion_level >= 20) {
|
||||
+ file_error(ms, 0, "recursion nesting exceeded");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
|
||||
return -1;
|
||||
|
||||
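Review bot: the limit in `if (recursion_level >= 20)` is a bare literal. Give it a named constant next to OFFSET_OOB with a comment on what is being counted. As written, match passes `recursion_level + 1` into mget and mget hands its own value back to file_softmagic, so the count starts at 1 for a top-level entry and the error fires on the 20th level; the constant's comment should make that explicit.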
@@ -1073,7 +1081,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
}
|
||||
switch (m->in_type) {
|
||||
case FILE_BYTE:
|
||||
- if (nbytes < (offset + 1))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 1))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@@ -1108,7 +1116,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_BESHORT:
|
||||
- if (nbytes < (offset + 2))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 2))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@@ -1160,7 +1168,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_LESHORT:
|
||||
- if (nbytes < (offset + 2))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 2))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@@ -1212,7 +1220,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_SHORT:
|
||||
- if (nbytes < (offset + 2))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 2))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@@ -1249,7 +1257,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
break;
|
||||
case FILE_BELONG:
|
||||
case FILE_BEID3:
|
||||
- if (nbytes < (offset + 4))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@@ -1320,7 +1328,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
break;
|
||||
case FILE_LELONG:
|
||||
case FILE_LEID3:
|
||||
- if (nbytes < (offset + 4))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@@ -1390,7 +1398,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_MELONG:
|
||||
- if (nbytes < (offset + 4))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@@ -1460,7 +1468,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
offset = ~offset;
|
||||
break;
|
||||
case FILE_LONG:
|
||||
- if (nbytes < (offset + 4))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
if (off) {
|
||||
switch (m->in_op & FILE_OPS_MASK) {
|
||||
@@ -1527,7 +1535,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
/* Verify we have enough data to match magic type */
|
||||
switch (m->type) {
|
||||
case FILE_BYTE:
|
||||
- if (nbytes < (offset + 1)) /* should alway be true */
|
||||
+ if (OFFSET_OOB(nbytes, offset, 1))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
@@ -1534,7 +1542,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
case FILE_SHORT:
|
||||
case FILE_BESHORT:
|
||||
case FILE_LESHORT:
|
||||
- if (nbytes < (offset + 2))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 2))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
@@ -1553,7 +1561,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
case FILE_FLOAT:
|
||||
case FILE_BEFLOAT:
|
||||
case FILE_LEFLOAT:
|
||||
- if (nbytes < (offset + 4))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 4))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
@@ -1560,7 +1568,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
case FILE_DOUBLE:
|
||||
case FILE_BEDOUBLE:
|
||||
case FILE_LEDOUBLE:
|
||||
- if (nbytes < (offset + 8))
|
||||
+ if (OFFSET_OOB(nbytes, offset, 8))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
@@ -1567,7 +1575,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
case FILE_STRING:
|
||||
case FILE_PSTRING:
|
||||
case FILE_SEARCH:
|
||||
- if (nbytes < (offset + m->vallen))
|
||||
+ if (OFFSET_OOB(nbytes, offset, m->vallen))
|
||||
return 0;
|
||||
break;
|
||||
|
||||
@@ -1577,6 +1585,8 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
break;
|
||||
|
||||
case FILE_INDIRECT:
|
||||
+ if (offset == 0)
|
||||
+ return 0;
|
||||
if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
|
||||
file_printf(ms, "%s", m->desc) == -1)
|
||||
return -1;
|
||||
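Review bot: the new `if (offset == 0) return 0;` under FILE_INDIRECT has no comment. The recursive call that follows is `file_softmagic(ms, s + offset, nbytes - offset, ...)`, so an offset of zero would rescan the same buffer against the same magic list; say that in a one-line comment. The existing `nbytes < offset` test below still allows offset == nbytes, which passes a zero-length buffer into the recursion; confirm that is intended or tighten it to `<=`.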
@@ -1583,7 +1593,7 @@ mget(struct magic_set *ms, const unsigned char *s,
|
||||
if (nbytes < offset)
|
||||
return 0;
|
||||
return file_softmagic(ms, s + offset, nbytes - offset,
|
||||
- BINTEST, text);
|
||||
+ recursion_level, BINTEST, text);
|
||||
|
||||
case FILE_DEFAULT: /* nothing to check */
|
||||
default:
|
17
share/security/patches/SA-14:16/file.patch.asc
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
-----END PGP SIGNATURE-----
|
|
@ -10,6 +10,18 @@
|
|||
<month>
|
||||
<name>6</name>
|
||||
|
||||
<day>
|
||||
<name>24</name>
|
||||
|
||||
<advisory>
|
||||
<name>FreeBSD-SA-14:16.file</name>
|
||||
</advisory>
|
||||
|
||||
<advisory>
|
||||
<name>FreeBSD-SA-14:15.iconv</name>
|
||||
</advisory>
|
||||
</day>
|
||||
|
||||
<day>
|
||||
<name>5</name>
|
||||
|
||||
|
|
|
@ -10,6 +10,18 @@
|
|||
<month>
|
||||
<name>6</name>
|
||||
|
||||
<day>
|
||||
<name>24</name>
|
||||
|
||||
<notice>
|
||||
<name>FreeBSD-EN-14:08.heimdal</name>
|
||||
</notice>
|
||||
|
||||
<notice>
|
||||
<name>FreeBSD-EN-14:07.pmap</name>
|
||||
</notice>
|
||||
</day>
|
||||
|
||||
<day>
|
||||
<name>3</name>
|
||||
|
||||
|
@ -26,7 +38,7 @@
|
|||
<name>13</name>
|
||||
|
||||
<notice>
|
||||
<name>FreeBSD-EN-14:03.pkg</name>
|
||||
<name>FreeBSD-EN-14:05.ciss</name>
|
||||
</notice>
|
||||
|
||||
<notice>
|
||||
|
@ -34,7 +46,7 @@
|
|||
</notice>
|
||||
|
||||
<notice>
|
||||
<name>FreeBSD-EN-14:05.ciss</name>
|
||||
<name>FreeBSD-EN-14:03.pkg</name>
|
||||
</notice>
|
||||
</day>
|
||||
</month>
|
||||
|
|
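Review bot: the last two hunks of this XML file (at -26 and -34) exchange FreeBSD-EN-14:03.pkg and FreeBSD-EN-14:05.ciss under day 13, a reordering of existing entries that the commit message, which only lists the four new advisories and notices, does not mention. Either note the reorder in the message or commit it separately so the history of the index stays readable.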