os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add 3 latest advisories and 1 errata:

Browse source 
Fix sendmail improper close-on-exec flag handling. [SA-14:11]

Fix ktrace memory disclosure. [SA-14:12]

Fix incorrect error handling in PAM policy parser. [SA-14:13]

Fix triple-fault when executing from a threaded process. [EN-14:06]
This commit is contained in:
Xin LI 2014-06-03 19:32:04 +00:00
parent e390da51d1
commit e6520ef815
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=45000
28 changed files with 1644 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

163
share/security/advisories/FreeBSD-EN-14:06.exec.asc Normal file
View file

@ -0,0 +1,163 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:06.exec Errata Notice
The FreeBSD Project
Topic: triple-fault when executing from a threaded process
Category: core
Module: kern
Announced: 2014-06-03
Credits: Ivo De Decker and Debian GNU/kFreeBSD porters
Affects: All supported versions of FreeBSD.
Corrected: 2014-05-23 09:29:04 UTC (stable/10, 10.0-STABLE)
2014-06-03 19:02:52 UTC (releng/10.0, 10.0-RELEASE-p4)
2014-05-23 11:56:32 UTC (stable/9, 9.2-STABLE)
2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
2014-06-03 19:03:11 UTC (releng/9.1, 9.1-RELEASE-p14)
2014-05-23 09:48:42 UTC (stable/8, 8.4-STABLE)
2014-06-03 19:03:23 UTC (releng/8.4, 8.4-RELEASE-p11)
CVE Name: CVE-2014-3880
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
The execve and fexecve system calls transforms the calling process into a
new process, constructed from an ordinarty file.
When executing a new process, the FreeBSD virtual memory subsystem tries to
optimize the process by avoiding destroying the old virtual memory address
space when the calling process do not share its address space with another
process (for instance, via rfork(2) with RFMEM) and when the new min/max
address limit stays the same. In the optimized scenario, the virtual memory
subsystem only removes usermode mappings from the existing virtual memory
address space instead of destroying and recreating it.
II. Problem Description
When the virtual memory address space is recreated for the calling process,
the old virtual memory address space as well as its associated mappings are
destroyed before thread_single(9) boundary, where threads were allowed to
run to safely terminate. If such threads were on other CPUs, the old page
table pointer may still be referenced.
III. Impact
The system will crash when this happens due to a triple-fault triggered by
dereferencing an invalid page table pointer.
IV. Workaround
No workaround is available, but systems that do not run binaries that are
of different bit-ness (e.g. 32-bit and 64-bit binaries) are not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.4]
# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-8.4.patch
# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-8.4.patch.asc
# gpg --verify exec-8.4.patch.asc
[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-9.1.patch
# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-9.1.patch.asc
# gpg --verify exec-9.1.patch.asc
[FreeBSD 9.2]
# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-9.2.patch
# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-9.2.patch.asc
# gpg --verify exec-9.2.patch.asc
[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-10.0.patch
# fetch http://security.FreeBSD.org/patches/EN-14:06/exec-10.0.patch.asc
# gpg --verify exec-10.0.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r266583
releng/8.4/ r267019
stable/9/ r266585
releng/9.1/ r267018
releng/9.2/ r267018
stable/10/ r266582
releng/10.0/ r267017
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://bugs.debian.org/743141>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3880>
The latest revision of this Errata Notice is available at
http://security.FreeBSD.org/advisories/FreeBSD-EN-14:06.exec.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTjiDaAAoJEO1n7NZdz2rnNcIQANX2RW/Yeuso43ziviT10iH9
IBd0Ibazfq4HIVANEGfBF9pkL7vQ4VZzzWJBZEA6r/0qDMVO0mMoFA2/SDAB3oCO
Wjc2TF/FLNPlrYamO1Comb1lKG8nmXj3C+AEEOyzlxDBLIH4cEuCX6yBbjZgjeuz
eYTmFWqiMBwjOctZSFzmaZjaG0EtUIig8ELkPePXBP+zGZiBlBRpLuXWTUuRTT1T
I8YbhEhlvw7rZmtK7rq5uRFfFclmFCC1cYRxKb9o+9tXUL9Qq6q0740hAG/I1HJU
s7M3gvQZNhFa6B8fC2XbBwe1g51pfcxRkU8ZZ0kIU4064r9CP9In9InmcFKrfZTo
xNYNiV9/8rY2lHts6cXZgfrJQLfEWzYghlKVBBZpd8syVjt8ozA08YAD4RAzGAsb
s1cwI9ZCpc9ak6kd9xvDV/ZUmJLE3XS8HkogUd/RBYiu0GTn6MsCIc/pnOpAL1Cq
BWLmWS8vDT4rcuC828L2VmdfLjrdWcr9DHreiW7xxCX4O+/ktOT43PrgQtjd/mf+
i0k9OAJRwdoh92ylLkEJqm3kugoDGxOITKHvo2dx+g2ySukIzTv0BCNT9EAJ0kX+
i4G0eyGNTsIycZcokil1rUzk2giNLa5yqKOZNzPZ3EA7U/knuXDN1rdN0OzrqncY
WZlllko53SvpSDli15vp
=A9nK
-----END PGP SIGNATURE-----

137
share/security/advisories/FreeBSD-SA-14:11.sendmail.asc Normal file
View file

@ -0,0 +1,137 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:11.sendmail Security Advisory
The FreeBSD Project
Topic: sendmail improper close-on-exec flag handling
Category: contrib
Module: sendmail
Announced: 2014-06-03
Affects: All supported versions of FreeBSD.
Corrected: 2014-05-26 15:35:11 UTC (stable/10, 10.0-STABLE)
2014-06-03 19:02:52 UTC (releng/10.0, 10.0-RELEASE-p4)
2014-05-26 20:10:00 UTC (stable/9, 9.3-PRERELEASE)
2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
2014-06-03 19:03:11 UTC (releng/9.1, 9.1-RELEASE-p14)
2014-05-26 15:30:27 UTC (stable/8, 8.4-STABLE)
2014-06-03 19:03:23 UTC (releng/8.4, 8.4-RELEASE-p11)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD includes sendmail(8), a general purpose internetwork mail
routing facility, as the default Mail Transfer Agent (MTA).
FreeBSD uses file descriptor as an abstract indicator for accessing a file.
Upon execve(2), file descriptors open in the calling process image remain
open in the new process image, except for those for which the close-on-exec
flag is set.
II. Problem Description
There is a programming error in sendmail(8) that prevented open file
descriptors have close-on-exec properly set. Consequently a subprocess
will be able to access all open files that the parent process have open.
III. Impact
A local user who can execute their own program for mail delivery will be
able to interfere with an open SMTP connection.
IV. Workaround
Do not allow untrusted users to specify programs for mail delivery, for
instance, procmail.
Systems that do not use sendmail(8) MTA are not affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:11/sendmail.patch
# fetch http://security.FreeBSD.org/patches/SA-14:11/sendmail.patch.asc
# gpg --verify sendmail.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r266693
releng/8.4/ r267019
stable/9/ r266711
releng/9.1/ r267018
releng/9.2/ r267018
stable/10/ r266692
releng/10.0/ r267017
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:11.sendmail.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTjiDaAAoJEO1n7NZdz2rnMxgP/0N9dTCKztkx92+Er1riKEns
k0dfQswsTn2BwKzqIwiuzYcC9YFuBbU/ydfhIy3CGHJoZXd98sl0IZkWok7N7gYb
N46aSyMypHh5RtoxtRm7aLhmKSBXiXhygwoeV8HW5fBhgZG544BQ+zs3wDWL/Y4J
sfTEV4C254hm8+loCjtg+WIoFDtaYFWTWCUm1Yhxb1puN5scCNNgbvqvmhmrCLtb
n/AoWUvqQi8B7tu2YafbG+BE8qaLC+tGpqC4mF3NxtNUX++4HMC6ZhbcOaa2PKrk
kepReV/zdc3DaZ0e0KsiwFBiWMe9NW0RjHaZeDe3wzbX9fer2WjoOszLw7xLo/8s
GPZwI+fPRysKGRXeW+0Bp3itbHYAFUhS5PttZQcGqzFKIRNLdVcAIMsj/+j32/LM
vVw3e1NpsIhpxqIorxJEwuBxr4SWzCY26TbJVG+jWqEzhaRgjgpW+TZ2bhW3EDKm
CNnngufJzh54/rEKolWxntyiw442JRpcPvumiUiH9WmRHipkCrMttQGA9TfjUy0u
diQFs/nWNa9YeUkF1jB7eMFoJubg5d/7/gDFPbHMvgjP7kN75k1TmeyzrBVUuplH
ek+XMzxkWYPStw1QHub94VpKhVm7fjvLrq2+2bfdQnM7bRbgwdA66jSwqVQ569Hr
oOFXJjVfz279BMqszAsw
=JUzV
-----END PGP SIGNATURE-----

144
share/security/advisories/FreeBSD-SA-14:12.ktrace.asc Normal file
View file

@ -0,0 +1,144 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:12.ktrace Security Advisory
The FreeBSD Project
Topic: ktrace kernel memory disclosure
Category: core
Module: kern
Announced: 2014-06-03
Credits: Jilles Tjoelker
Affects: FreeBSD 8.4, FreeBSD 9.1 and FreeBSD 9.2
Corrected: 2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1)
2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1-p1)
2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
2014-06-03 19:03:11 UTC (releng/9.1, 9.1-RELEASE-p14)
2014-06-03 19:02:42 UTC (stable/8, 8.4-STABLE)
2014-06-03 19:03:23 UTC (releng/8.4, 8.4-RELEASE-p11)
CVE Name: CVE-2014-3873
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The ktrace utility enables kernel trace logging for the specified processes,
commonly used for diagnostic or debugging purposes. The kernel operations
that are traced include system calls, namei translations, signal processing,
and I/O as well as data associated with these operations.
The utility may be used only with a kernel that has been built with the
``KTRACE'' option in the kernel configuration file, which is enabled by
default.
II. Problem Description
Due to an overlooked merge to -STABLE branches, the size for page fault
kernel trace entries was set incorrectly.
III. Impact
A user who can enable kernel process tracing could end up reading the
contents of kernel memory.
Such memory might contain sensitive information, such as portions of the
file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way; for example, a terminal buffer might include a user-entered
password.
IV. Workaround
The system administrator may set sysctl security.bsd.unprivileged_proc_debug
to 0 to prevent non-privileged users from using all process debugging
facilities provided by the kernel, that includes ktrace functionality.
Please note that this flag have broad effect and may break applications,
as some of them may rely on certain debugging facilities to function.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:12/ktrace.patch
# fetch http://security.FreeBSD.org/patches/SA-14:12/ktrace.patch.asc
# gpg --verify ktrace.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r267016
releng/8.4/ r267019
stable/9/ r267015
releng/9.1/ r267018
releng/9.2/ r267018
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3873>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:12.ktrace.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTjiDaAAoJEO1n7NZdz2rnIfQP/0kHBNvnNUiZ+1OWo5fMDg3N
Oe7UdrvnfyeXlgw5bP4t0qwbTpn0kVYL2dfr3bxhkT1w7oF/xQjbcosx/DbzPZZs
VtlAGQYh0CvOXcUZmh+COuRfcy2wkr1kKFlc2bGQVTq1uzKS+vceqA3619IWMnJO
b6ClzFnn+0hk6BrUd8xdvoiYIF2RG+zcw7CxuoBQrzPYA9iO/S4ACmxzfTIgRcAD
ZLGXfUEw3wlftfg605H1iV9xKm4FDUGr9qoL4W0UmYmmTmU4Z71yXSzX3A53qlRg
Xd1Grw2K+zhaKaV6xL+mqox0nzSKiYuNf/ZguB5+x9ZA14ck7NtCYg6up1fgh7Ms
pznVb8/GCc+IPdWJGXpSz6yFhl/MJc6mTOi+L0gOGvNKp0raNHelCpxlqavGt/tv
9Niv791FK32S8ynlP0yKRvd8Hzq4b185ehWuGWbQO8bEHljqhOyZDhysBYYWdgFi
0KG16lJopCbMPPPBVb4zfsFBvokr31m2w+/xsDD+hmaXa6C9bHIvHpuyJep4q02E
4NOoVr1x8dO5s7yVk7bNZx0WFCDYZ/DLMycLjEftHog7iq4nw29HW/Mt/rPgJWOf
NiO0GEJ1XucJ1ShV/OC0B+69mFx9OsOI8kDNLE4l9oqGu2UqcZ/W0Dsa9PPl+ec+
njyksdL+yqvx9kF8fnJ0
=46Yf
-----END PGP SIGNATURE-----

171
share/security/advisories/FreeBSD-SA-14:13.pam.asc Normal file
View file

@ -0,0 +1,171 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:13.pam Security Advisory
The FreeBSD Project
Topic: Incorrect error handling in PAM policy parser
Category: contrib
Module: pam
Announced: 2014-06-03
Credits: Peter Wemm, Dag-Erling Smørgrav
Affects: FreeBSD 9.2 and later.
Corrected: 2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1)
2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1-p1)
2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
2014-06-03 19:02:18 UTC (stable/10, 10.0-STABLE)
2014-06-03 19:02:52 UTC (releng/10.0, 10.0-RELEASE-p4)
CVE Name: CVE-2014-3879
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown. It is
used not only in the base system, but also by a large number of
third-party applications.
Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies. These policies are defined in
/etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/<policy name>.
The PAM API is a de facto industry standard which has been implemented
by several parties. FreeBSD uses the OpenPAM implementation.
II. Problem Description
The OpenPAM library searches for policy definitions in several
locations. While doing so, the absence of a policy file is a soft
failure (handled by searching in the next location) while the presence
of an invalid file is a hard failure (handled by returning an error to
the caller).
The policy parser returns the same error code (ENOENT) when a
syntactically valid policy references a non-existent module as when
the requested policy file does not exist. The search loop regards
this as a soft failure and looks for the next similarly-named policy,
without discarding the partially-loaded configuration.
A similar issue can arise if a policy contains an include directive
that refers to a non-existent policy.
III. Impact
If a module is removed, or the name of a module is misspelled in the
policy file, the PAM library will proceed with a partially loaded
configuration. Depending on the exact circumstances, this may result
in a fail-open scenario where users are allowed to log in without a
password, or with an incorrect password.
In particular, if a policy references a module installed by a package
or port, and that package or port is being reinstalled or upgraded,
there is a brief window of time during which the module is absent and
policies that use it may fail open. This can be especially damaging
to Internet-facing SSH servers, which are regularly subjected to
brute-force scans.
IV. Workaround
If your system uses customized PAM policies, carefully review your
policies to ensure that all module names are spelled correctly.
If your system uses third-party authentication modules, either refrain
from upgrading those modules until you have patched your system, or
shut down the affected services before upgrading.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.2]
# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd9.patch.asc
# gpg --verify pam-freebsd9.patch.asc
[FreeBSD 9.3 and 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd10.patch.asc
# gpg --verify pam-freebsd10.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r267015
releng/9.2/ r267018
stable/10/ r267014
releng/10.0/ r267017
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3879>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:13.pam.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTjiDaAAoJEO1n7NZdz2rnx90P/je9ArC02N90sK//UauenbXV
BJCNh1WRSVE3hoxgVyPC0R+6Ts6J9At42ANUHXHVxipA2Qpu2UKf+/c3JreSuSGs
6rgAj1TPZEideQInTs9qCJWr6f/M2aPlYCF8iHuuLMJTO35wfVYQENDaFJmebKoI
fKkVvTh8ig2cgJWe7RZxd+Y4tPxKZb5ix5jV+xFjDPrmzVgSCUVpW0GrD7qWOg1W
25Ysx+LLBr03guDnFd9RodObWoNZ+aFxuvkKELmjUKva7xRSEw6PfwPCpLp9/83Q
HDVlkw0jH+0sF1SY7V+GUvQriPNpwyGNEOfDvL47gnlN/Z7HOZ0hYlVuYw4QYGv5
l5PZOL5eFC6xl88fn+ypKQwGDdzpM4i+svBy//2CW17luU31L4F/cde+yCxsEJB5
JXNhVTYe2z+ACfSs+Oxzk5uGI1f9FhvTzIyoO26Coq6e2Nk2633451kRgdPNxoAP
kMimT2Mle/1kqupLirGi44lEyUYV9As2AhnLBFFUXTnESlWVe6q0N0Rb8G6D2jcR
0m5hccsS2HcysUtSIP8ADB6LlSgH+bKP2FUFopdjQUx3J+/KQ5kl6L/UhOOr1Hag
4PdoCPpR15s2CaICmu5HkDtGNkZQV7xdN6TLcksJHXRshISlbzZjlaNyrbu6oJu9
nz3mhzGz1ZH6l7kuNYXD
=qUxk
-----END PGP SIGNATURE-----

66
share/security/patches/EN-14:06/exec-10.0.patch Normal file
View file

@ -0,0 +1,66 @@
Index: sys/kern/kern_exec.c
===================================================================
--- sys/kern/kern_exec.c (revision 266979)
+++ sys/kern/kern_exec.c (working copy)
@@ -283,6 +283,7 @@ kern_execve(td, args, mac_p)
struct mac *mac_p;
{
struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
int error;
AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -299,6 +300,8 @@ kern_execve(td, args, mac_p)
PROC_UNLOCK(p);
}
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
error = do_execve(td, args, mac_p);
if (p->p_flag & P_HADTHREADS) {
@@ -313,6 +316,12 @@ kern_execve(td, args, mac_p)
thread_single_end();
PROC_UNLOCK(p);
}
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
return (error);
}
Index: sys/sys/proc.h
===================================================================
--- sys/sys/proc.h (revision 266979)
+++ sys/sys/proc.h (working copy)
@@ -966,4 +966,5 @@ curthread_pflags_restore(int save)
#endif /* _KERNEL */
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
#endif /* !_SYS_PROC_H_ */
Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c (revision 266979)
+++ sys/vm/vm_map.c (working copy)
@@ -3725,6 +3725,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
struct vmspace *oldvmspace = p->p_vmspace;
struct vmspace *newvmspace;
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
newvmspace = vmspace_alloc(minuser, maxuser, NULL);
if (newvmspace == NULL)
return (ENOMEM);
@@ -3741,7 +3743,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
PROC_VMSPACE_UNLOCK(p);
if (p == curthread->td_proc)
pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
return (0);
}

17
share/security/patches/EN-14:06/exec-10.0.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiErAAoJEO1n7NZdz2rnKXEQAJxIZgrVrGZobVSEztzpE8hT
yFcp2Yd0AZesA0glaqBaReEyDxpyKXvDDX33q3nFc+C5rhOePZXp5zw0e4MLT/DX
hGxBp9/sbji+w7soUdL25y5h6QfY19LK1WwJlI4+6CNQUGVvN/bN/uF0vyaiTk1k
9j5Twmtb31hsbpJNwHL6D7+K2vSd5hrMBxaozTn9TOBDzI0KS19NUp6Xt1CrpkAL
NmM65tD1PZ9flsoXqsUBdENydrIEH8XrCovwPXzYipUnqeEvl6VGS5D7U3t/m/SC
bh8v1mK6Ipt7YLJ0HducqO643XkG7n01pJKY8LIXEX1x0yVLI+hLqvSIfPjEza1j
kNs289QiWX3FG7k0ufucnd8tGbaZ5gyrJuA2OWERZurEDPoGYkHxz4cMPXKoTSw+
ZX4h/mz8zvNGak9Jy6xStWAMGG1FdnrPAWDddNb1aOQJCdx3Ur+fOOTkrYT76JHA
k8iWI44rmBL0BFqkJk/LbcA2NI43pKN/WEVAgufi06yK3poQzV93WyunZ/iBJJVO
boz6F+cCG023r8Obq1jMv7qi+seuUL8pi8PxlYqWeye6xtOKc1Utm6yHJyFmLFN0
4OmVxgOneS5jcn4IV/F0WNuuRLshTEjpcOKxf9qn2Izll219ikZZtiCD4U5FN0hL
910LWVL+ek6GRdVOyRwg
=fRaC
-----END PGP SIGNATURE-----

77
share/security/patches/EN-14:06/exec-10.patch Normal file
View file

@ -0,0 +1,77 @@
Index: sys/sys/proc.h
===================================================================
--- sys/sys/proc.h (revision 266581)
+++ sys/sys/proc.h (revision 266582)
@@ -425,6 +425,7 @@ do { \
#define TDP_NERRNO 0x08000000 /* Last errno is already in td_errno */
#define TDP_UIOHELD 0x10000000 /* Current uio has pages held in td_ma */
#define TDP_DEVMEMIO 0x20000000 /* Accessing memory for /dev/mem */
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
/*
* Reasons that the current thread can not be run yet.
Index: sys/kern/kern_exec.c
===================================================================
--- sys/kern/kern_exec.c (revision 266581)
+++ sys/kern/kern_exec.c (revision 266582)
@@ -283,6 +283,7 @@ kern_execve(td, args, mac_p)
struct mac *mac_p;
{
struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
int error;
AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -299,6 +300,8 @@ kern_execve(td, args, mac_p)
PROC_UNLOCK(p);
}
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
error = do_execve(td, args, mac_p);
if (p->p_flag & P_HADTHREADS) {
@@ -313,6 +316,12 @@ kern_execve(td, args, mac_p)
thread_single_end();
PROC_UNLOCK(p);
}
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
return (error);
}
Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c (revision 266581)
+++ sys/vm/vm_map.c (revision 266582)
@@ -3751,6 +3751,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
struct vmspace *oldvmspace = p->p_vmspace;
struct vmspace *newvmspace;
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
newvmspace = vmspace_alloc(minuser, maxuser, NULL);
if (newvmspace == NULL)
return (ENOMEM);
@@ -3767,7 +3769,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
PROC_VMSPACE_UNLOCK(p);
if (p == curthread->td_proc)
pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
return (0);
}
Index: .
===================================================================
--- . (revision 266581)
+++ . (revision 266582)
Property changes on: .
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head:r266464

17
share/security/patches/EN-14:06/exec-10.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiErAAoJEO1n7NZdz2rnohMQAIzPJ9eBbU4Xdrk5QVHXIFYa
CFeHZM1JOSaNv/XLXXVIvLbZF8m5Egdskj8+PPbn4+cO6c1QhyNRAt/lcc+2Fqpb
w011aG2zTMNCJCTnU26l68cB//MmeWeu6RI2BvSDh6zQlluy9NPrONnSvhb8Y8tM
LZr9c4CVoe0esDTs06X6/0p2f1OStRpIH8hgNI+0OK1DAkL45XcJF5s4PdIkPIgM
0VzSXz93cxTMFAwbWzFNoo+JPM9AFtweUyVQ3vLFCLOSn198IAHrlYCvAoKsoRjI
kv69njIKpzKlRiD98PQxKjVSnMrZ9VcCtSXfEZgDzeBjrNMx7GpBCsVNkL3WHbDa
EgmoBb35mpKDkJ3SMMCDRIYOMTbmESek2Fgj2/u1n3ypNTE54VHevDCeb03+xnag
i3la3eBcRJ49QJcSWRci5S4FjiMX5ujdH6tLYJq1dz2qnqla3GV5jPM8ph6ZY5ZA
Keqf1eieQPaHL+7wfuRBeeDk4KXK7YYtj2/V9DDFuf7PndArHQx72tJjPamcgaEy
CoICjTEFwDHlyN0yJlNe0EWNaC5ItR6zdHEAcs7j9Jsgfn5AAfa+rhg90KuiBVjF
wnXIdWYfiUS65VHVgSO/x/n2/wOoF0Ky9v2CFMoDx5P6/2CCHadY8KcxiVRJs89M
epY+RFb27pmmbTIbV5P+
=Lp2V
-----END PGP SIGNATURE-----

66
share/security/patches/EN-14:06/exec-8.4.patch Normal file
View file

@ -0,0 +1,66 @@
Index: sys/kern/kern_exec.c
===================================================================
--- sys/kern/kern_exec.c (revision 266979)
+++ sys/kern/kern_exec.c (working copy)
@@ -278,6 +278,7 @@ kern_execve(td, args, mac_p)
struct mac *mac_p;
{
struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
int error;
AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -294,6 +295,8 @@ kern_execve(td, args, mac_p)
PROC_UNLOCK(p);
}
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
error = do_execve(td, args, mac_p);
if (p->p_flag & P_HADTHREADS) {
@@ -308,6 +311,12 @@ kern_execve(td, args, mac_p)
thread_single_end();
PROC_UNLOCK(p);
}
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
return (error);
}
Index: sys/sys/proc.h
===================================================================
--- sys/sys/proc.h (revision 266979)
+++ sys/sys/proc.h (working copy)
@@ -938,4 +938,5 @@ curthread_pflags_restore(int save)
#endif /* _KERNEL */
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
#endif /* !_SYS_PROC_H_ */
Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c (revision 266979)
+++ sys/vm/vm_map.c (working copy)
@@ -3521,6 +3521,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
struct vmspace *oldvmspace = p->p_vmspace;
struct vmspace *newvmspace;
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
newvmspace = vmspace_alloc(minuser, maxuser);
if (newvmspace == NULL)
return (ENOMEM);
@@ -3537,7 +3539,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
PROC_VMSPACE_UNLOCK(p);
if (p == curthread->td_proc)
pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
return (0);
}

17
share/security/patches/EN-14:06/exec-8.4.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiErAAoJEO1n7NZdz2rnc3EP/3U2Q1wMCK+35jIdsGJ0g+sy
5Dr3VKBYO7h3Tt+V2bUtzDvIEleh7pqtjJZM1k4bT78VgFW0+y/3qdOdVrSbsEqc
0uDYwklb/VMpdQEFh4Qs5qiRt7xuBQPChKDlyzaOIjPl2YM4vy51aGxrwlyH/J9I
/OIEMIOdANDU7YSkm70+edV9/egR9zGupWSBaEfVtH0WUNm3AubyyU8pbE8DDsuz
dLS+PQF9ISZDDwGJgju07GCDmSyZkL0hBzhPQhaXvooxu3KZw8e1mapN7CCU/ntx
Dc9T5QKmuREkbY5ZmK+H2bhGfHU7+sEVwSKUzK3xhhSaBcTQ381q11+TtF2EaPkc
mLd0A4D1O8nJMX/OoLXy3vipS9kz6U10i9+PuntM4QzQqcNYvEjyLnQDpWOslIim
WabFiJL/bPYQiLF3dwcW43+V+acTJ1mXGIhh6iuCospL328JHj4sbp8KDU+qftSx
D/7+ojrxp8sD9m4Up3W8FZ7/DODJv+Rz2n2vXozpBOAo8gXYU30k313y6s/KAH+4
9AQlohIjJVBMv3LX4Erx1CfPpR/Vs1rrswH2VpmMPGNkCy4HHDuKNda4z6r+huU+
QgFVwOj6ooTod5yRVEnFqsZtkFAWvkWWOEpgkalEKVmVCha2d98ImdU7n6bSjipt
l404I80gEZeyntZHGMO2
=DGKB
-----END PGP SIGNATURE-----

104
share/security/patches/EN-14:06/exec-8.patch Normal file
View file

@ -0,0 +1,104 @@
Index: sys/kern/kern_exec.c
===================================================================
--- sys/kern/kern_exec.c (revision 266582)
+++ sys/kern/kern_exec.c (revision 266583)
@@ -278,6 +278,7 @@ kern_execve(td, args, mac_p)
struct mac *mac_p;
{
struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
int error;
AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -294,6 +295,8 @@ kern_execve(td, args, mac_p)
PROC_UNLOCK(p);
}
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
error = do_execve(td, args, mac_p);
if (p->p_flag & P_HADTHREADS) {
@@ -308,6 +311,12 @@ kern_execve(td, args, mac_p)
thread_single_end();
PROC_UNLOCK(p);
}
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
return (error);
}
Index: sys/kern
===================================================================
--- sys/kern (revision 266582)
+++ sys/kern (revision 266583)
Property changes on: sys/kern
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys/kern:r266464
Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c (revision 266582)
+++ sys/vm/vm_map.c (revision 266583)
@@ -3521,6 +3521,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
struct vmspace *oldvmspace = p->p_vmspace;
struct vmspace *newvmspace;
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
newvmspace = vmspace_alloc(minuser, maxuser);
if (newvmspace == NULL)
return (ENOMEM);
@@ -3537,7 +3539,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
PROC_VMSPACE_UNLOCK(p);
if (p == curthread->td_proc)
pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
return (0);
}
Index: sys/vm
===================================================================
--- sys/vm (revision 266582)
+++ sys/vm (revision 266583)
Property changes on: sys/vm
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys/vm:r266464
Index: sys/sys/proc.h
===================================================================
--- sys/sys/proc.h (revision 266582)
+++ sys/sys/proc.h (revision 266583)
@@ -414,6 +414,7 @@ do { \
#define TDP_AUDITREC 0x01000000 /* Audit record pending on thread */
#define TDP_RESETSPUR 0x04000000 /* Reset spurious page fault history. */
#define TDP_NERRNO 0x08000000 /* Last errno is already in td_errno */
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
/*
* Reasons that the current thread can not be run yet.
Index: sys/sys
===================================================================
--- sys/sys (revision 266582)
+++ sys/sys (revision 266583)
Property changes on: sys/sys
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys/sys:r266464
Index: sys
===================================================================
--- sys (revision 266582)
+++ sys (revision 266583)
Property changes on: sys
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys:r266464

17
share/security/patches/EN-14:06/exec-8.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiEsAAoJEO1n7NZdz2rneiAQAIguAEhoLxM/iWvzf9ANsYeg
z8PfxP1YsFEr8FJDsnIYlr201iz9UnS77lYXTZrCHNeXn2B1IOPeVWj9puupojte
cTaQb78uxQalum3UxvJXGmwyGUohA2Jyn5lxiHpqmwR6KZTjF2v7eTYNnKn02s0/
XUObewuFUcbHCTaIc7ZdkBqmuYzkfLt44Atk7X+x07UM41CTVTKUf7oa8qSNeYpR
HaQGcv7K+e3kRlHQo/Z1Bkt69SaIePmwnHZ3wOyIuxw12btoK5FkmOWDoiV1bE8i
UhL2SVs3bSHIvehLFaN/5vwIpI95oxQXvxQNjNrjxuHLW/ojs3uJnD0nQfbqO5Y0
US+2MQG3pYvuEZYCW9x5NpZTcdcc0iQNbatLr6U756fZShAvsg9xCniC0ApEx5aX
DDsFwLUrDbFD97mOhWzmsFHGVUsWEqlAj7xZjTBP+/2cuTbwVtdLN0rzGDptzeZV
2UIK1YwQzJxHJ32n/BymXtLf9YPHFlgRN4Z6D5oR4dI35Ex4lI38Tp6sNV1GKZEU
YCciI4zaQkGKx4XsowU9gSFrXKzWwr6v+pwXaZMRJ6QfpzFmfp0SxBiDvkcMsAjq
UD3oR5xusNkRBGKaSvpxPW6PYqU5YbGwbaF5xN/lLTbc3F93HDQzI1OnkvCvpqhk
B7TnA+C3qFlYzJ4Sr+LY
=fEfK
-----END PGP SIGNATURE-----

66
share/security/patches/EN-14:06/exec-9.1.patch Normal file
View file

@ -0,0 +1,66 @@
Index: sys/kern/kern_exec.c
===================================================================
--- sys/kern/kern_exec.c (revision 266979)
+++ sys/kern/kern_exec.c (working copy)
@@ -280,6 +280,7 @@ kern_execve(td, args, mac_p)
struct mac *mac_p;
{
struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
int error;
AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -296,6 +297,8 @@ kern_execve(td, args, mac_p)
PROC_UNLOCK(p);
}
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
error = do_execve(td, args, mac_p);
if (p->p_flag & P_HADTHREADS) {
@@ -310,6 +313,12 @@ kern_execve(td, args, mac_p)
thread_single_end();
PROC_UNLOCK(p);
}
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
return (error);
}
Index: sys/sys/proc.h
===================================================================
--- sys/sys/proc.h (revision 266979)
+++ sys/sys/proc.h (working copy)
@@ -968,4 +968,5 @@ curthread_pflags_restore(int save)
#endif /* _KERNEL */
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
#endif /* !_SYS_PROC_H_ */
Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c (revision 266979)
+++ sys/vm/vm_map.c (working copy)
@@ -3631,6 +3631,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
struct vmspace *oldvmspace = p->p_vmspace;
struct vmspace *newvmspace;
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
newvmspace = vmspace_alloc(minuser, maxuser);
if (newvmspace == NULL)
return (ENOMEM);
@@ -3647,7 +3649,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
PROC_VMSPACE_UNLOCK(p);
if (p == curthread->td_proc)
pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
return (0);
}

17
share/security/patches/EN-14:06/exec-9.1.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiEsAAoJEO1n7NZdz2rnAkYP/Au0Jh8a3bjbeMhDOwyxD8BI
EbRlX6D8T6tsTLiYQQGTqhIQcRGng0sUVloesldqc2KU1O7WdQp2AjOxmOCJdB4W
6VfgZQQUSYwihWb4SaMe+W9aC66o8yVklQzCJ6u4MCw3Q2htmJOJiAqNT7vc2CF1
gymMkDjF2hHnMWV/7Qp4keBeMXj0fBWzIkVX8BttFDHHfh6KNlfWSUUnCpH90XM3
w8Do+bB48y3GlUxLlUVC6pxVRQQftdIS7F8ZUQL1HZ2DuXO7iv9a3gcTlf8M9V8l
x2CQyQiIrC7rtfKxn65R3WI83A3vC9SAj6/+F/ovNSoiJWq8no2cUSsjfH2e3xVB
GcraGSL5QdWVAOtwGbgmfd0tiWZ0v2ClTL+y1ss9LlrQRtNqIZVdPgW7V6/zU2ll
IShpSV5cU0x1j1c31Xe0W7FL7up9e2AQCiFLitU6Ep81a1eqI1RDQyNQssPwpPPP
V3bFGXP9maQRbsUSMtrTOt8I058Y39UNm15wrZoyQCCcOVKlWeuoyGukhbSc8Fkh
Ss7/K7ITpKtI72Lk7KVzaSK//DCPRMd3sVVNv1lFZH8V2pEZM9AsbnpPFDGEtFz6
kkJcLlZxBNsuFHEXRgBEUGGnvhEg3jIh8h05zuHFASyzECbFhwRky9czhBdVhZvf
L31wIojUYdK0ygebcao/
=bYrG
-----END PGP SIGNATURE-----

66
share/security/patches/EN-14:06/exec-9.2.patch Normal file
View file

@ -0,0 +1,66 @@
Index: sys/kern/kern_exec.c
===================================================================
--- sys/kern/kern_exec.c (revision 266979)
+++ sys/kern/kern_exec.c (working copy)
@@ -280,6 +280,7 @@ kern_execve(td, args, mac_p)
struct mac *mac_p;
{
struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
int error;
AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -296,6 +297,8 @@ kern_execve(td, args, mac_p)
PROC_UNLOCK(p);
}
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
error = do_execve(td, args, mac_p);
if (p->p_flag & P_HADTHREADS) {
@@ -310,6 +313,12 @@ kern_execve(td, args, mac_p)
thread_single_end();
PROC_UNLOCK(p);
}
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
return (error);
}
Index: sys/sys/proc.h
===================================================================
--- sys/sys/proc.h (revision 266979)
+++ sys/sys/proc.h (working copy)
@@ -977,4 +977,5 @@ curthread_pflags_restore(int save)
#endif /* _KERNEL */
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
#endif /* !_SYS_PROC_H_ */
Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c (revision 266979)
+++ sys/vm/vm_map.c (working copy)
@@ -3669,6 +3669,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
struct vmspace *oldvmspace = p->p_vmspace;
struct vmspace *newvmspace;
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
newvmspace = vmspace_alloc(minuser, maxuser);
if (newvmspace == NULL)
return (ENOMEM);
@@ -3685,7 +3687,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
PROC_VMSPACE_UNLOCK(p);
if (p == curthread->td_proc)
pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
return (0);
}

17
share/security/patches/EN-14:06/exec-9.2.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiErAAoJEO1n7NZdz2rnfdUQAIXkghr9iyfRWzpVblKQkBdJ
eiSvVJCFAWQSC/ZgOcx2exQLyR36tMhVRCpcKdk7admU8/qGVFAf1uCCtHOG4T66
R++kaHIZU21YXw0PtQ/dVIS6VH7pISP5SR+K7plmpc3j6EvY4sT8J1XMPrAesmd9
EZzQSvnAGiJ0ynMXN+VS47kO+3pktKq/R2wv59oEBgvkjSWaumZ81e7PUHn/Y1LZ
Z60ime3pEO8qwX6JrXuCDBWIAZ5XVcBl0AfBMuiXcumEmj6vnwjM8+4S1dTfQmSm
Ug5kysK4L7Tgmlw4Hv/I+/PBZpl8wAs8AIKCQzbqEV2T2FMFmbJd4zL1rVIRxibT
TWK0dY0Bsjvu2Yk88h3SlW+muiGWCh6LE316Cwhnx3Ul8KnU7O6RgeTaNvJRdq2Z
aWUPJ1A9kQwmJvyzZMH9BRQ6UW7tExZNhJ20eWzNcYaj7C94e6+ryd5PMLyAkh0t
Qc2JnlSVwIoqLooZzWE/8SzDpfQqhrEqqdVmF+mTS9HbNsjKC/cfW6QZeBWAJ5Jo
B3sqwB1Kj6m3oOUYDzT/ONdFLzquGSv3rSwzPVI/LQ7CQeHxmpU0dtbdmSTWJ5iE
7gN+lYA1ZDELEmCTn+VVd0BraLNuhdxc3PIm0OJ5JEe/niu47PnPL5hiVMvkfkLy
7i/+f48ZwifKaoXwoj1n
=UYOE
-----END PGP SIGNATURE-----

86
share/security/patches/EN-14:06/exec-9.patch Normal file
View file

@ -0,0 +1,86 @@
Index: sys/kern/kern_exec.c
===================================================================
--- sys/kern/kern_exec.c (revision 266584)
+++ sys/kern/kern_exec.c (revision 266585)
@@ -282,6 +282,7 @@ kern_execve(td, args, mac_p)
struct mac *mac_p;
{
struct proc *p = td->td_proc;
+ struct vmspace *oldvmspace;
int error;
AUDIT_ARG_ARGV(args->begin_argv, args->argc,
@@ -298,6 +299,8 @@ kern_execve(td, args, mac_p)
PROC_UNLOCK(p);
}
+ KASSERT((td->td_pflags & TDP_EXECVMSPC) == 0, ("nested execve"));
+ oldvmspace = td->td_proc->p_vmspace;
error = do_execve(td, args, mac_p);
if (p->p_flag & P_HADTHREADS) {
@@ -312,6 +315,12 @@ kern_execve(td, args, mac_p)
thread_single_end();
PROC_UNLOCK(p);
}
+ if ((td->td_pflags & TDP_EXECVMSPC) != 0) {
+ KASSERT(td->td_proc->p_vmspace != oldvmspace,
+ ("oldvmspace still used"));
+ vmspace_free(oldvmspace);
+ td->td_pflags &= ~TDP_EXECVMSPC;
+ }
return (error);
}
Index: sys/sys/proc.h
===================================================================
--- sys/sys/proc.h (revision 266584)
+++ sys/sys/proc.h (revision 266585)
@@ -426,6 +426,7 @@ do { \
#define TDP_NERRNO 0x08000000 /* Last errno is already in td_errno */
#define TDP_UIOHELD 0x10000000 /* Current uio has pages held in td_ma */
#define TDP_DEVMEMIO 0x20000000 /* Accessing memory for /dev/mem */
+#define TDP_EXECVMSPC 0x40000000 /* Execve destroyed old vmspace */
/*
* Reasons that the current thread can not be run yet.
Index: sys/sys
===================================================================
--- sys/sys (revision 266584)
+++ sys/sys (revision 266585)
Property changes on: sys/sys
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys/sys:r266464
Index: sys/vm/vm_map.c
===================================================================
--- sys/vm/vm_map.c (revision 266584)
+++ sys/vm/vm_map.c (revision 266585)
@@ -3752,6 +3752,8 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
struct vmspace *oldvmspace = p->p_vmspace;
struct vmspace *newvmspace;
+ KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
+ ("vmspace_exec recursed"));
newvmspace = vmspace_alloc(minuser, maxuser);
if (newvmspace == NULL)
return (ENOMEM);
@@ -3768,7 +3770,7 @@ vmspace_exec(struct proc *p, vm_offset_t minuser,
PROC_VMSPACE_UNLOCK(p);
if (p == curthread->td_proc)
pmap_activate(curthread);
- vmspace_free(oldvmspace);
+ curthread->td_pflags |= TDP_EXECVMSPC;
return (0);
}
Index: sys
===================================================================
--- sys (revision 266584)
+++ sys (revision 266585)
Property changes on: sys
___________________________________________________________________
Modified: svn:mergeinfo
Merged /head/sys:r266464

17
share/security/patches/EN-14:06/exec-9.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiEsAAoJEO1n7NZdz2rn6BQQANAuPD+r5ufc5k4DWT+LmdOF
olJVVI6L/VoCT+GD+BJWMl6JNXgiwkiU2+8+EvoyciGaIse2CEfldBp8hX3YGsAa
+3QRsQZpOJHGWDI+S6sHtxPF6/5Mq0oCw5K2vt7ReqNOA+N0SFLRwC4ZDD6Entj5
vTKhvIdmqgdoSndk+Me4OhGdb+H3J4UiTDfooD5jXt7NIn0mzfF0mrsbC0Lk9Ir/
Ac+sy1Q8NVjYmiEPcFuRQBfCqB7y/KJFqveighGcW6J9mbQwWGAmVOm9aWTPn+6C
m0reAvKwJm9fmBCSG/1vyYlKjcCIGpxqhee4CiaRarhuCPIwXxDCPulmUWOwRuMs
5v6HKTVOROoJDkFtix20pmSLmQdjvAANA+YKXNfxmBN0olSI+I9G7kF6l6TY0wE/
rst7aV6RgLhnuXdOiwOVBrytIDBpWV20szJbqrIoeuubSC8X/2WgvzmtlAmUR8Pw
6I4SqU28lntLuZSQzkYSiL36kOwSTwmSnTy1euiZ4csEifYKdc1Bp9yCk5hT5d4U
zO6HmmYALaFUsAjTqr61Dq+hJa8XQ++WLZOSJ1xQx8G0XIsBN6mbIqmLbYmjMWmE
2TU6Dmz3FMN5yy4i+B8bpK3a5Udz+nlxzhJdh9ykUAYe/AxK9tZnUPnCoxP/T64W
CBUZPHcjFt2Ru5eJEqkn
=eiLQ
-----END PGP SIGNATURE-----

15
share/security/patches/SA-14:11/sendmail.patch Normal file
View file

@ -0,0 +1,15 @@
Index: contrib/sendmail/src/conf.c
===================================================================
--- contrib/sendmail/src/conf.c (revision 266538)
+++ contrib/sendmail/src/conf.c (working copy)
@@ -5309,8 +5309,8 @@ closefd_walk(lowest, fd)
*/
void
-sm_close_on_exec(highest, lowest)
- int highest, lowest;
+sm_close_on_exec(lowest, highest)
+ int lowest, highest;
{
#if HASFDWALK
(void) fdwalk(closefd_walk, &lowest);

17
share/security/patches/SA-14:11/sendmail.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiEZAAoJEO1n7NZdz2rnJ64QAOooiS8mt5CGotw63YSGGuay
97K4ATBg6QezWH+H0T9XA11qImM02i6d1ocrJYs6/3qo1Il6j7PjCqZYlh9gAFNg
m+L6Ma1Mo/blmYYbzJiNKhciAe+ja6hRiNRW4+En2blt8hiErJ5MlqQHuuF6JGsm
lSJZ5g3eYC+QId26Q9ZU05BJD8pV4ucYxDvLaruuDYwuk/90pMGUNv4AuVJtctr5
bEThHDRGqajsNta6e0SdFywYhAUbLZtUNUQOEXbMkDHFJ8QKSuj5rRajz0E4NvJZ
/n2Sg7ojopGPcODPVx/rWfQC5DbZCwTvd8nLiMrasgdUyNIMQ/KaxGr5JAajuLvo
j/5Y2W5V1Ea5YRJSWJDVqleyDGbD58WVK4/O18G3u1tnh/MZBHtvZ5pUnYiP2GVk
yKNLsbJXGPU5byCSLcJVgLvH3Sr1uTQHelIRYtx563jv6RkoUB5kb5jAFMR5VI99
eRR9EUBcEhtt11umx9hO3DsDOZw0ZQhhGqLcHc0oFlxlyxNfyPhXQjDuseFrMzD/
UIZ6wfKusebCl6NwI4X55LnPpAu/vecI23gaGWqkBJSYD5z00PRPbfg9Dt16VNxG
5hyjR2hd81HHaFEi2uj77OlDYF99WG3lRVWnpzi5FoeqNxaoblNDHQfM9RWMaRjF
JtXbe9jdu5/j7O3GtdWs
=OSNM
-----END PGP SIGNATURE-----

12
share/security/patches/SA-14:12/ktrace.patch Normal file
View file

@ -0,0 +1,12 @@
Index: sys/kern/kern_ktrace.c
===================================================================
--- sys/kern/kern_ktrace.c (revision 266771)
+++ sys/kern/kern_ktrace.c (working copy)
@@ -119,6 +119,7 @@ static int data_lengths[] = {
0, /* KTR_SYSCTL */
sizeof(struct ktr_proc_ctor), /* KTR_PROCCTOR */
0, /* KTR_PROCDTOR */
+ 0, /* unused */
sizeof(struct ktr_fault), /* KTR_FAULT */
sizeof(struct ktr_faultend), /* KTR_FAULTEND */
};

17
share/security/patches/SA-14:12/ktrace.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiEZAAoJEO1n7NZdz2rn7g4P+gPGfdz3v0IQdpuf+NaLN5uo
ge9DZ3Jv9GNU5ivmzJeOatXDuw8AzlxiuYfpTtTWZx6FrLb6Aj92PaQFzno3Xe1H
cXFzosbcd9X46fpVAazMVmGSMOBJ10jEdnN0kzkme0AiI9Y4zTQKc9IbxECSx7aY
3m5rwXbRGbAu9a6qR3aJKcX64K76fCPPFu+iK9lNY86lSolXgjLnWgVHalwg/btM
lboReoWUFjB88trjY5jDrYWNWH6sMOu6hrT2orKbja2Ov9GRJLFiIHNqpYtT7xBC
mc9cFK2BBdmPJcwsJu+f2D6Z2pjr43Gg42FhAqmqaxFPT77WLkBJqc1m7ey9teHi
IF37f4ThcbJ8p02G5TbuJselPWjCD9KHjUDKwyhWxwsos6kmodmhdTpBlSIJck4W
hRBmTDnu7w7xohWOQBQyQsCc3mPx8+pEIzYlW2K1tsBcnczSp2PSNuD1qRIbCIAk
t1sbepy9zH/nhXV+1RlPLmX42Sa9c1I1ZrXrhuGOVChaKXKoYWqGmvA5xz12Gswx
lJyhBsm6qKUCFhTTZ6ZuScjzEmjUriZm2qkuHQNCC0jLYD8X+bLaE6gAB2dHmx/L
EBS3jgWbvZMMDPvrXnLyeYWSoU9ynVAjDD2SOTu2UwWUBd3WticvkCdBs/G20hT3
sXSWbu0R8p40DFhSUIhM
=Gtab
-----END PGP SIGNATURE-----

126
share/security/patches/SA-14:13/pam-freebsd10.patch Normal file
View file

@ -0,0 +1,126 @@
Index: contrib/openpam/lib/libpam/openpam_configure.c
===================================================================
--- contrib/openpam/lib/libpam/openpam_configure.c.orig
+++ contrib/openpam/lib/libpam/openpam_configure.c
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2012 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2014 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@@ -193,6 +193,7 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid facility",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
if (facility != fclt && facility != PAM_FACILITY_ANY) {
@@ -208,6 +209,7 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid service name",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
if (wordv[i] != NULL) {
@@ -214,12 +216,21 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): garbage at end of line",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
ret = openpam_load_chain(pamh, servicename, fclt);
FREEV(wordc, wordv);
- if (ret < 0)
+ if (ret < 0) {
+ /*
+ * Bogus errno, but this ensures that the
+ * outer loop does not just ignore the
+ * error and keep searching.
+ */
+ if (errno == ENOENT)
+ errno = EINVAL;
goto fail;
+ }
continue;
}
@@ -229,6 +240,7 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid control flag",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
@@ -238,6 +250,7 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid module name",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
@@ -247,8 +260,11 @@
this->flag = ctlf;
/* load module */
- if ((this->module = openpam_load_module(modulename)) == NULL)
+ if ((this->module = openpam_load_module(modulename)) == NULL) {
+ if (errno == ENOENT)
+ errno = ENOEXEC;
goto fail;
+ }
/*
* The remaining items in wordv are the module's
@@ -281,7 +297,11 @@
* The loop ended because openpam_readword() returned NULL, which
* can happen for four different reasons: an I/O error (ferror(f)
* is true), a memory allocation failure (ferror(f) is false,
- * errno is non-zero)
+ * feof(f) is false, errno is non-zero), the file ended with an
+ * unterminated quote or backslash escape (ferror(f) is false,
+ * feof(f) is true, errno is non-zero), or the end of the file was
+ * reached without error (ferror(f) is false, feof(f) is true,
+ * errno is zero).
*/
if (ferror(f) || errno != 0)
goto syserr;
@@ -402,6 +422,9 @@
}
ret = openpam_load_file(pamh, service, facility,
filename, style);
+ /* success */
+ if (ret > 0)
+ RETURNN(ret);
/* the file exists, but an error occurred */
if (ret == -1 && errno != ENOENT)
RETURNN(ret);
@@ -411,7 +434,8 @@
}
/* no hit */
- RETURNN(0);
+ errno = ENOENT;
+ RETURNN(-1);
}
/*
@@ -432,8 +456,10 @@
openpam_log(PAM_LOG_ERROR, "invalid service name");
RETURNC(PAM_SYSTEM_ERR);
}
- if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0)
- goto load_err;
+ if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
+ if (errno != ENOENT)
+ goto load_err;
+ }
for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
if (pamh->chains[fclt] != NULL)
continue;

17
share/security/patches/SA-14:13/pam-freebsd10.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiEZAAoJEO1n7NZdz2rna/wQAN56cyB+7Ol9jPzo33CMsG3X
FA6j8UHsHhPsrWPLhMEQVEvlCPYD9lzOgCer86TlCIXDoNLgcFNZ6KRXQnD0EuTE
XXnQbN7hh5FlER7GrD/ZfzRBJopz9Eg4XoMIhwfPLNAGSHgfXLqZcl/FMoCbjF0D
5DGWFeorBJulYA9LJH3TBMcZNrQ3D7BwQblq1Sw5aG5L38udc0XiTuO312yqe45r
mFInMu44a0YhFkoPPYNtG8CqTZyARg+ahdhSmO+V2URBCzapnt/tpwC1kLOf1hlp
d5HuU+hnfnsE46wdTouwBm2CawieVFFdUpoiHDTKNFveonZ6wTS1uvgc7LfbLVIC
a3CQqORffQR8005Kiq4Be78Mo/kkrBAZUS8Q++os9FngUFhmKJNsiSHPXa0eySaR
8y7uY85sAHmm1a6+y0wMyUa4nJttP1KQdliRuMYko071zFDSag1ougQKKgcF0UFK
47LILIq/yB8JUqb4/teIoWhZvqbgxvK2p7wF3HTs2BCQlaDn6H4+2b/qkR8PLXPC
ocsJQpWDy6wEOd05r4jcwgAIM3RmQdTL6zDTCmNa2Wq0Pq/QGhkleCKXAtuSyxBS
QcdZT3fPT2DhgCPKY3YTuKx84IEzCCRIKOI+HfPbtbQ1vt0/YPaSMYGjb/duNxY0
VFoRrjtLCSF76kLHsgdP
=wW1f
-----END PGP SIGNATURE-----

126
share/security/patches/SA-14:13/pam-freebsd9.patch Normal file
View file

@ -0,0 +1,126 @@
Index: contrib/openpam/lib/openpam_configure.c
===================================================================
--- contrib/openpam/lib/openpam_configure.c.orig
+++ contrib/openpam/lib/openpam_configure.c
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2004-2012 Dag-Erling Smørgrav
+ * Copyright (c) 2004-2014 Dag-Erling Smørgrav
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@@ -194,6 +194,7 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid facility",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
if (facility != fclt && facility != PAM_FACILITY_ANY) {
@@ -209,6 +210,7 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid service name",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
if (wordv[i] != NULL) {
@@ -215,12 +217,21 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): garbage at end of line",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
ret = openpam_load_chain(pamh, servicename, fclt);
FREEV(wordc, wordv);
- if (ret < 0)
+ if (ret < 0) {
+ /*
+ * Bogus errno, but this ensures that the
+ * outer loop does not just ignore the
+ * error and keep searching.
+ */
+ if (errno == ENOENT)
+ errno = EINVAL;
goto fail;
+ }
continue;
}
@@ -230,6 +241,7 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid control flag",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
@@ -239,6 +251,7 @@
openpam_log(PAM_LOG_ERROR,
"%s(%d): missing or invalid module name",
filename, lineno);
+ errno = EINVAL;
goto fail;
}
@@ -248,8 +261,11 @@
this->flag = ctlf;
/* load module */
- if ((this->module = openpam_load_module(modulename)) == NULL)
+ if ((this->module = openpam_load_module(modulename)) == NULL) {
+ if (errno == ENOENT)
+ errno = ENOEXEC;
goto fail;
+ }
/*
* The remaining items in wordv are the module's
@@ -282,7 +298,11 @@
* The loop ended because openpam_readword() returned NULL, which
* can happen for four different reasons: an I/O error (ferror(f)
* is true), a memory allocation failure (ferror(f) is false,
- * errno is non-zero)
+ * feof(f) is false, errno is non-zero), the file ended with an
+ * unterminated quote or backslash escape (ferror(f) is false,
+ * feof(f) is true, errno is non-zero), or the end of the file was
+ * reached without error (ferror(f) is false, feof(f) is true,
+ * errno is zero).
*/
if (ferror(f) || errno != 0)
goto syserr;
@@ -411,6 +431,9 @@
}
ret = openpam_load_file(pamh, service, facility,
filename, style);
+ /* success */
+ if (ret > 0)
+ RETURNN(ret);
/* the file exists, but an error occurred */
if (ret == -1 && errno != ENOENT)
RETURNN(ret);
@@ -420,7 +443,8 @@
}
/* no hit */
- RETURNN(0);
+ errno = ENOENT;
+ RETURNN(-1);
}
/*
@@ -441,8 +465,10 @@
openpam_log(PAM_LOG_ERROR, "invalid service name");
RETURNC(PAM_SYSTEM_ERR);
}
- if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0)
- goto load_err;
+ if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
+ if (errno != ENOENT)
+ goto load_err;
+ }
for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
if (pamh->chains[fclt] != NULL)
continue;

17
share/security/patches/SA-14:13/pam-freebsd9.patch.asc Normal file
View file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAABCgAGBQJTjiEZAAoJEO1n7NZdz2rn4SEQAM7hovg9G8/b5oJPvVAoQnat
+BQ6D3i+thdApdMG/OkctFsJCeHl8ifXjuX1xzaSdfda1MQ+jb99nzKqRs840saU
sx04zTDOOQkl61BKMj4DP4hdT39LSdp3t2JFAp/OVxFMaBZa44LPcrS1TjkitG/0
0YP+Ifn8trKCu8ayAK1jqcKWRoTwIhwez9Ejtk4Gpw8GD8j/WT6SW+VEqGo6r5/h
MgEDLu1sABcK2GCyzWPkCItAN72mp12QeiCno6u7zGs6viqzH/1yZUIos91mVyxd
8UKL1Fa4Ff+vQNoxl18QFIzKv0eRKpxQPE7HhJd+8egFSM+hqfuMcZjatt3yq2sj
VFbgAA/yaydfrXtyN83Ihrs1cMMvFqUYAq9B68ALGrFDjEAEf1LArVr4AyP3Nnvf
kRC3N6xrmrRqHxRDFhNAYu9SH9QjoQS0gQt/nh8sMDKp8ZDG7rbcmF7GIpt2F1R1
eqpwSGTKPYunVRRDKQsfm7WDJM4ONRQpS9xjQaSKAc1gay3iXGbfe4+UQjj9N3P+
RcTdwVPcXSPY1fkDglRlt+4Zsh2mnijrtCoQLPxXJM9nKvcRHWsduj61Y5aO2xb6
5DrMoHbT+2vRz/IYyQ2pP0yTFAr33i11tZ9F0LayOuwP8mryJgHLjIl28nYQEDuZ
pEfmLifUA1TXncGqen7d
=ueo/
-----END PGP SIGNATURE-----

20
share/xml/advisories.xml
View file

@ -7,6 +7,26 @@
<year>
<name>2014</name>
<month>
<name>6</name>
<day>
<name>3</name>
<advisory>
<name>FreeBSD-SA-14:11.sendmail</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:12.ktrace</name>
</advisory>
<advisory>
<name>FreeBSD-SA-14:13.pam</name>
</advisory>
</day>
</month>
<month>
<name>5</name>

12
share/xml/notices.xml
View file

@ -7,6 +7,18 @@
<year>
<name>2014</name>
<month>
<name>5</name>
<day>
<name>3</name>
<notice>
<name>FreeBSD-EN-14:06.exec</name>
</notice>
</day>
</month>
<month>
<name>5</name>