authorSimon L. B. Nielsen <simon@FreeBSD.org>2005-06-08 21:29:15 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2005-06-08 21:29:15 +0000
commite12769c3cfc68ecb5358040b7f0929c3f0221fce (patch)
tree16c3747ac6daced4494c519c78faaaa446c4ca13
parent0661094c6f13ad2d0765b2310577d52c20588805 (diff)
downloadsrc-test2-e12769c3cfc68ecb5358040b7f0929c3f0221fce.tar.gz
src-test2-e12769c3cfc68ecb5358040b7f0929c3f0221fce.zip
Notes
-rw-r--r--UPDATING8
-rw-r--r--contrib/bind9/lib/dns/validator.c4
-rw-r--r--contrib/tcpdump/print-bgp.c7
-rw-r--r--contrib/tcpdump/print-isoclns.c5
-rw-r--r--contrib/tcpdump/print-ldp.c3
-rw-r--r--contrib/tcpdump/print-rsvp.c11
-rw-r--r--gnu/usr.bin/gzip/gzip.c18
-rw-r--r--sys/conf/newvers.sh2
8 files changed, 43 insertions, 15 deletions
diff --git a/UPDATING b/UPDATING
index c3d47ef852f4..057b6d41a25b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,14 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade. Important recent entries: 20040724 (default X changes).
+20050608: p16 FreeBSD-SA-05:10.tcpdump, FreeBSD-SA-05:11.gzip,
+ FreeBSD-SA-05:12.bind9
+ Correct several denial-of-service vulnerabilities in tcpdump.
+
+ Correct directory traversal and race condition vulnerabilities in gzip.
+
+ Correct BIND 9 DNSSEC remote denial of service vulnerability.
+
20050513: p15 FreeBSD-SA-05:09.htt
Add a knob for disabling/enabling HTT. Default off due to information
disclosure on multi-user systems.
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
index c55c893911fb..3650175510aa 100644
--- a/contrib/bind9/lib/dns/validator.c
+++ b/contrib/bind9/lib/dns/validator.c
@@ -497,6 +497,8 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
REQUIRE(exists != NULL);
REQUIRE(data != NULL);
+ REQUIRE(nsecset != NULL &&
+ nsecset->type == dns_rdatatype_nsec);
result = dns_rdataset_first(nsecset);
if (result != ISC_R_SUCCESS) {
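Review bot: The added `REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec)` turns a wrong-typed rdataset into an assertion failure, so it is only safe if every caller of nsecnoexistnodata() filters on the rdataset type first. The next hunk adds that filter in authvalidated(), but any other callers are outside this diff and should be checked the same way, since a failed REQUIRE stops the process and would itself be a denial of service if response data can reach it. I would record the contract above the check with a comment such as `/* Callers must pass an NSEC rdataset; validate the type before calling. */`. The function body continues outside the hunk.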
@@ -661,7 +663,7 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
if (rdataset->trust == dns_trust_secure)
val->seensig = ISC_TRUE;
- if (val->nsecset != NULL &&
+ if (rdataset->type == dns_rdatatype_nsec &&
rdataset->trust == dns_trust_secure &&
((val->attributes & VALATTR_NEEDNODATA) != 0 ||
(val->attributes & VALATTR_NEEDNOQNAME) != 0) &&
diff --git a/contrib/tcpdump/print-bgp.c b/contrib/tcpdump/print-bgp.c
index bfa472a83fa7..16de89a4bb39 100644
--- a/contrib/tcpdump/print-bgp.c
+++ b/contrib/tcpdump/print-bgp.c
@@ -1216,6 +1216,8 @@ bgp_attr_print(const struct bgp_attr *attr, const u_char *pptr, int len)
tptr = pptr + len;
break;
}
+ if (advance < 0) /* infinite loop protection */
+ break;
tptr += advance;
}
break;
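Review bot: The guard `if (advance < 0)` stops the loop only when a decoder reports an error, but an `advance` of zero would leave `tptr` where it is and spin just the same. Whether any decoder feeding this loop can return 0 is not visible in the hunk; if it can, `if (advance <= 0) /* no forward progress */` covers both cases. The break is also silent, so a reader of the output cannot tell that the attribute was cut short. Printing a short marker before leaving would help anyone using the decode for traffic analysis. The loop and the enclosing case start outside the hunk.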
@@ -1646,9 +1648,10 @@ bgp_update_print(const u_char *dat, int length)
while (dat + length > p) {
char buf[MAXHOSTNAMELEN + 100];
i = decode_prefix4(p, buf, sizeof(buf));
- if (i == -1)
+ if (i == -1) {
printf("\n\t (illegal prefix length)");
- else if (i == -2)
+ break;
+ } else if (i == -2)
goto trunc;
else {
printf("\n\t %s", buf);
diff --git a/contrib/tcpdump/print-isoclns.c b/contrib/tcpdump/print-isoclns.c
index 5dc660f1eee3..ebc1528d4eb8 100644
--- a/contrib/tcpdump/print-isoclns.c
+++ b/contrib/tcpdump/print-isoclns.c
@@ -1508,6 +1508,9 @@ static int isis_print (const u_int8_t *p, u_int length)
tlv_type,
tlv_len);
+ if (tlv_len == 0) /* something is malformed */
+ break;
+
/* now check if we have a decoder otherwise do a hexdump at the end*/
switch (tlv_type) {
case TLV_AREA_ADDR:
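Review bot: The `tlv_len == 0` check abandons the rest of the PDU without printing anything, so every TLV after a zero-length one disappears from the output with no sign that decoding stopped. If some TLV types may legitimately carry a zero length (not determinable from the hunk), this also hides well-formed data that follows. I would at least emit a marker before the break, for example `printf("\n\t      zero-length TLV, decoding stopped");`, so a packet that stops the decoder is visible to the analyst. The enclosing loop in isis_print() starts and ends outside the hunk.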
@@ -1538,7 +1541,7 @@ static int isis_print (const u_int8_t *p, u_int length)
break;
case TLV_ISNEIGH_VARLEN:
- if (!TTEST2(*tptr, 1))
+ if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */
goto trunctlv;
lan_alen = *tptr++; /* LAN adress length */
tmp --;
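Review bot: `lan_alen` is read from the packet right after the new `tmp < 3` check and is not validated in the visible lines. If the code after the hunk walks the neighbour list in steps of `lan_alen`, a value of zero would give the same non-terminating loop this commit fixes elsewhere; a guard such as `if (lan_alen == 0) goto trunctlv;` directly after the read would close that. The literal `3` would also be easier to verify with a comment naming what the three bytes are, since "min. TLV length" does not say which fields are counted. The case body continues outside the hunk.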
diff --git a/contrib/tcpdump/print-ldp.c b/contrib/tcpdump/print-ldp.c
index 1162ac39afd0..40a3d66b1fb6 100644
--- a/contrib/tcpdump/print-ldp.c
+++ b/contrib/tcpdump/print-ldp.c
@@ -326,6 +326,9 @@ ldp_print(register const u_char *pptr, register u_int len) {
EXTRACT_32BITS(&ldp_msg_header->id),
LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore");
+ if (msg_len == 0) /* infinite loop protection */
+ break;
+
msg_tptr=tptr+sizeof(struct ldp_msg_header);
msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */
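Review bot: The new check rejects only `msg_len == 0`, but the last line of the hunk computes `msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4`, which goes out of range for any non-zero `msg_len` smaller than the header size minus the four Type and Length bytes. The declared types of `msg_len` and `msg_tlen` are outside the hunk; if they are unsigned, the result wraps to a very large length. Comparing against the minimum instead of zero covers both cases: `if (msg_len < sizeof(struct ldp_msg_header)-4) break;`. As with the other decoders in this commit, a printed marker before the break would show that the message was rejected.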
diff --git a/contrib/tcpdump/print-rsvp.c b/contrib/tcpdump/print-rsvp.c
index 534878ed2a8a..5d825fd41feb 100644
--- a/contrib/tcpdump/print-rsvp.c
+++ b/contrib/tcpdump/print-rsvp.c
@@ -875,10 +875,17 @@ rsvp_print(register const u_char *pptr, register u_int len) {
switch(rsvp_obj_ctype) {
case RSVP_CTYPE_IPV4:
while(obj_tlen >= 4 ) {
- printf("\n\t Subobject Type: %s",
+ printf("\n\t Subobject Type: %s, length %u",
tok2str(rsvp_obj_xro_values,
"Unknown %u",
- RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)));
+ RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)),
+ *(obj_tptr+1));
+
+ if (*(obj_tptr+1) == 0) { /* prevent infinite loops */
+ printf("\n\t ERROR: zero length ERO subtype");
+ break;
+ }
+
switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) {
case RSVP_OBJ_XRO_IPV4:
printf(", %s, %s/%u, Flags: [%s]",
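Review bot: The added test stops only on a zero subobject length; a non-zero `*(obj_tptr+1)` that exceeds the remaining `obj_tlen`, or is shorter than the fields the `RSVP_OBJ_XRO_IPV4` case prints, is not bounded in the visible lines. The code that advances `obj_tptr` and decrements `obj_tlen` is outside the hunk, so this is inferred, but if it uses the same byte an oversized value would make `obj_tlen` wrap. Extending the condition to `if (*(obj_tptr+1) == 0 || *(obj_tptr+1) > obj_tlen) {` would reject both. The length byte is now dereferenced three times; reading it once into a local would make the check and the later advance visibly use the same value. The error text says "subtype" where the value tested is the subobject length.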
diff --git a/gnu/usr.bin/gzip/gzip.c b/gnu/usr.bin/gzip/gzip.c
index 06b0a32077f2..a9af12c1b0fc 100644
--- a/gnu/usr.bin/gzip/gzip.c
+++ b/gnu/usr.bin/gzip/gzip.c
@@ -830,8 +830,11 @@ local void treat_file(iname)
}
close(ifd);
- if (!to_stdout && close(ofd)) {
- write_error();
+ if (!to_stdout) {
+ /* Copy modes, times, ownership, and remove the input file */
+ copy_stat(&istat);
+ if (close(ofd))
+ write_error();
}
if (method == -1) {
if (!to_stdout) unlink (ofname);
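Review bot: Moving `copy_stat(&istat)` ahead of `close(ofd)` and the `method == -1` cleanup changes the failure paths. The comment carried with the call says it also removes the input file, and the last hunk of this file shows copy_stat() reaching "It's now safe to remove the input file". If that removal still happens inside copy_stat(), a failed (de)compression would delete the input here and then `unlink (ofname)` would delete the output, and a write error reported by `close(ofd)` would arrive after the input is already gone. I would keep the descriptor-based attribute copy before the close but skip it on the error path, for example `if (method != -1) copy_stat(&istat);`, and preferably split the input removal into a step that runs only after `close(ofd)` succeeds. treat_file() begins and ends outside the hunk.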
@@ -851,10 +854,6 @@ local void treat_file(iname)
}
fprintf(stderr, "\n");
}
- /* Copy modes, times, ownership, and remove the input file */
- if (!to_stdout) {
- copy_stat(&istat);
- }
}
/* ========================================================================
@@ -1258,6 +1257,7 @@ local int get_method(in)
/* Copy the base name. Keep a directory prefix intact. */
char *p = basename(ofname);
char *base = p;
+ char *base2;
for (;;) {
*p = (char)get_char();
if (*p++ == '\0') break;
@@ -1265,6 +1265,8 @@ local int get_method(in)
error("corrupted input -- file name too large");
}
}
+ base2 = basename (base);
+ strcpy(base, base2);
/* If necessary, adapt the name to local OS conventions: */
if (!list) {
MAKE_LEGAL_NAME(base);
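Review bot: `strcpy(base, base2)` copies between overlapping regions, which is undefined behaviour. `base2` is the result of `basename (base)`, and the declaration hunk above uses `basename(ofname)` as a pointer into `ofname`, so `base2` appears to point inside the string that starts at `base`. Use `memmove(base, base2, strlen(base2) + 1);` and skip the copy when `base2 == base`. A comment stating the intent, such as `/* drop any directory components taken from the archive's stored name */`, would also make the purpose of these two lines clear to later readers. get_method() continues outside the hunk.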
@@ -1637,12 +1639,12 @@ local void copy_stat(ifstat)
reset_times(ofname, ifstat);
#endif
/* Copy the protection modes */
- if (chmod(ofname, ifstat->st_mode & 07777)) {
+ if (fchmod(ofd, ifstat->st_mode & 07777)) {
WARN((stderr, "%s: ", progname));
if (!quiet) perror(ofname);
}
#ifndef NO_CHOWN
- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
+ (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
#endif
remove_ofname = 0;
/* It's now safe to remove the input file: */
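Review bot: `reset_times(ofname, ifstat)` on the context line above the changed calls still addresses the output file by path, while `fchmod(ofd, ...)` and `fchown(ofd, ...)` now act on the open descriptor. The body of reset_times() is not visible here, but if it resolves `ofname` again the timestamp update remains open to the path being replaced between creation and attribute copy. Where the platform offers a descriptor-based call such as `futimes(ofd, ...)`, using it would make all three attribute copies act on the same open file. The `(void)` cast on `fchown` deserves a brief comment that failure is deliberately ignored, e.g. `/* best effort: unprivileged users usually cannot change ownership */`. copy_stat() begins and ends outside the hunk.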
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index a78ebf787034..30d5125faaf7 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="5.3"
-BRANCH="RELEASE-p15"
+BRANCH="RELEASE-p16"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"