author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2005-06-08 21:29:15 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2005-06-08 21:29:15 +0000 |
commit | e12769c3cfc68ecb5358040b7f0929c3f0221fce (patch) | |
tree | 16c3747ac6daced4494c519c78faaaa446c4ca13 | |
parent | 0661094c6f13ad2d0765b2310577d52c20588805 (diff) | |
Notes
-rw-r--r-- | UPDATING | 8 | ||||
-rw-r--r-- | contrib/bind9/lib/dns/validator.c | 4 | ||||
-rw-r--r-- | contrib/tcpdump/print-bgp.c | 7 | ||||
-rw-r--r-- | contrib/tcpdump/print-isoclns.c | 5 | ||||
-rw-r--r-- | contrib/tcpdump/print-ldp.c | 3 | ||||
-rw-r--r-- | contrib/tcpdump/print-rsvp.c | 11 | ||||
-rw-r--r-- | gnu/usr.bin/gzip/gzip.c | 18 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
8 files changed, 43 insertions, 15 deletions
@@ -8,6 +8,14 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. Important recent entries: 20040724 (default X changes). +20050608: p16 FreeBSD-SA-05:10.tcpdump, FreeBSD-SA-05:11.gzip, + FreeBSD-SA-05:12.bind9 + Correct several denial-of-service vulnerabilities in tcpdump. + + Correct directory traversal and race condition vulnerabilities in gzip. + + Correct BIND 9 DNSSEC remote denial of service vulnerability. + 20050513: p15 FreeBSD-SA-05:09.htt Add a knob for disabling/enabling HTT. Default off due to information disclosure on multi-user systems. diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c index c55c893911fb..3650175510aa 100644 --- a/contrib/bind9/lib/dns/validator.c +++ b/contrib/bind9/lib/dns/validator.c @@ -497,6 +497,8 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname, REQUIRE(exists != NULL); REQUIRE(data != NULL); + REQUIRE(nsecset != NULL && + nsecset->type == dns_rdatatype_nsec); result = dns_rdataset_first(nsecset); if (result != ISC_R_SUCCESS) { @@ -661,7 +663,7 @@ authvalidated(isc_task_t *task, isc_event_t *event) { if (rdataset->trust == dns_trust_secure) val->seensig = ISC_TRUE; - if (val->nsecset != NULL && + if (rdataset->type == dns_rdatatype_nsec && rdataset->trust == dns_trust_secure && ((val->attributes & VALATTR_NEEDNODATA) != 0 || (val->attributes & VALATTR_NEEDNOQNAME) != 0) && diff --git a/contrib/tcpdump/print-bgp.c b/contrib/tcpdump/print-bgp.c index bfa472a83fa7..16de89a4bb39 100644 --- a/contrib/tcpdump/print-bgp.c +++ b/contrib/tcpdump/print-bgp.c @@ -1216,6 +1216,8 @@ bgp_attr_print(const struct bgp_attr *attr, const u_char *pptr, int len) tptr = pptr + len; break; } + if (advance < 0) /* infinite loop protection */ + break; tptr += advance; } break; 
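Review bot: The new `REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec)` in nsecnoexistnodata() turns a wrong-typed rdataset into an assertion abort, so every call path has to filter on the type before it gets there; the hunks show such a filter only in authvalidated(). Any other caller that passes a set taken from a response would keep an abort reachable from the network, which is to be confirmed since no other caller is visible here. A comment above the REQUIRE would record the contract, for example `/* Callers must pass an NSEC rdataset; a type mismatch aborts. */`. Both function bodies continue outside the hunks.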
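Review bot: The guard `if (advance < 0)` added before `tptr += advance` in bgp_attr_print() stops only on a negative return, so a zero `advance` from any decoder would leave `tptr` where it was. The visible branch just above sets `tptr = pptr + len` before leaving the switch, so that path ends the loop, but whether every other decoder returns at least 1 cannot be seen from this hunk. Writing the check as `if (advance <= 0) /* no progress: stop */` would cover both cases. The enclosing loop starts outside the hunk.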
@@ -1646,9 +1648,10 @@ bgp_update_print(const u_char *dat, int length) while (dat + length > p) { char buf[MAXHOSTNAMELEN + 100]; i = decode_prefix4(p, buf, sizeof(buf)); - if (i == -1) + if (i == -1) { printf("\n\t (illegal prefix length)"); - else if (i == -2) + break; + } else if (i == -2) goto trunc; else { printf("\n\t %s", buf); diff --git a/contrib/tcpdump/print-isoclns.c b/contrib/tcpdump/print-isoclns.c index 5dc660f1eee3..ebc1528d4eb8 100644 --- a/contrib/tcpdump/print-isoclns.c +++ b/contrib/tcpdump/print-isoclns.c @@ -1508,6 +1508,9 @@ static int isis_print (const u_int8_t *p, u_int length) tlv_type, tlv_len); + if (tlv_len == 0) /* something is malformed */ + break; + /* now check if we have a decoder otherwise do a hexdump at the end*/ switch (tlv_type) { case TLV_AREA_ADDR: @@ -1538,7 +1541,7 @@ static int isis_print (const u_int8_t *p, u_int length) break; case TLV_ISNEIGH_VARLEN: - if (!TTEST2(*tptr, 1)) + if (!TTEST2(*tptr, 1) || tmp < 3) /* min. TLV length */ goto trunctlv; lan_alen = *tptr++; /* LAN adress length */ tmp --; diff --git a/contrib/tcpdump/print-ldp.c b/contrib/tcpdump/print-ldp.c index 1162ac39afd0..40a3d66b1fb6 100644 --- a/contrib/tcpdump/print-ldp.c +++ b/contrib/tcpdump/print-ldp.c @@ -326,6 +326,9 @@ ldp_print(register const u_char *pptr, register u_int len) { EXTRACT_32BITS(&ldp_msg_header->id), LDP_MASK_U_BIT(EXTRACT_16BITS(&ldp_msg_header->type)) ? "continue processing" : "ignore"); + if (msg_len == 0) /* infinite loop protection */ + break; + msg_tptr=tptr+sizeof(struct ldp_msg_header); msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4; /* Type & Length fields not included */ diff --git a/contrib/tcpdump/print-rsvp.c b/contrib/tcpdump/print-rsvp.c index 534878ed2a8a..5d825fd41feb 100644 --- a/contrib/tcpdump/print-rsvp.c +++ b/contrib/tcpdump/print-rsvp.c 
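Review bot: The added `if (tlv_len == 0) break;` in isis_print() stops decoding without printing anything, so a reader of the output cannot tell that the remaining TLVs were skipped because one was malformed. The same holds for the `advance < 0` break in print-bgp.c and the `msg_len == 0` break in print-ldp.c, while the print-rsvp.c hunk does print an error line. For a tool used to inspect suspicious traffic a visible marker matters; a line such as `printf("\n\t      zero-length TLV, decoding stopped");` before the break would do. The loop that the break leaves is outside the hunk.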
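Review bot: In the TLV_ISNEIGH_VARLEN case the new `tmp < 3` test bounds the TLV length, but `lan_alen` is read from the packet on the next line and is not checked itself. The code that consumes it lies after the hunk; if it walks the TLV in steps of `lan_alen`, a value of 0 would make no progress, so a check such as `if (lan_alen == 0) goto trunctlv;` right after the read looks worthwhile. The constant 3 would also be easier to review with a comment naming the three bytes it stands for.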
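Review bot: The check `if (msg_len == 0)` in ldp_print() rejects only zero, but the context line `msg_tlen=msg_len-sizeof(struct ldp_msg_header)+4;` is computed in unsigned arithmetic because of the `sizeof`, and it wraps whenever `msg_len` is smaller than `sizeof(struct ldp_msg_header)-4`. Testing the minimum instead, `if (msg_len < sizeof(struct ldp_msg_header)-4) break;`, covers zero and the short lengths alike. How `msg_tlen` is used afterwards is outside the hunk.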
@@ -875,10 +875,17 @@ rsvp_print(register const u_char *pptr, register u_int len) { switch(rsvp_obj_ctype) { case RSVP_CTYPE_IPV4: while(obj_tlen >= 4 ) { - printf("\n\t Subobject Type: %s", + printf("\n\t Subobject Type: %s, length %u", tok2str(rsvp_obj_xro_values, "Unknown %u", - RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr))); + RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)), + *(obj_tptr+1)); + + if (*(obj_tptr+1) == 0) { /* prevent infinite loops */ + printf("\n\t ERROR: zero length ERO subtype"); + break; + } + switch(RSVP_OBJ_XRO_MASK_SUBOBJ(*obj_tptr)) { case RSVP_OBJ_XRO_IPV4: printf(", %s, %s/%u, Flags: [%s]", diff --git a/gnu/usr.bin/gzip/gzip.c b/gnu/usr.bin/gzip/gzip.c index 06b0a32077f2..a9af12c1b0fc 100644 --- a/gnu/usr.bin/gzip/gzip.c +++ b/gnu/usr.bin/gzip/gzip.c @@ -830,8 +830,11 @@ local void treat_file(iname) } close(ifd); - if (!to_stdout && close(ofd)) { - write_error(); + if (!to_stdout) { + /* Copy modes, times, ownership, and remove the input file */ + copy_stat(&istat); + if (close(ofd)) + write_error(); } if (method == -1) { if (!to_stdout) unlink (ofname); @@ -851,10 +854,6 @@ local void treat_file(iname) } fprintf(stderr, "\n"); } - /* Copy modes, times, ownership, and remove the input file */ - if (!to_stdout) { - copy_stat(&istat); - } } /* ======================================================================== @@ -1258,6 +1257,7 @@ local int get_method(in) /* Copy the base name. Keep a directory prefix intact. */ char *p = basename(ofname); char *base = p; + char *base2; for (;;) { *p = (char)get_char(); if (*p++ == '\0') break; @@ -1265,6 +1265,8 @@ local int get_method(in) error("corrupted input -- file name too large"); } } + base2 = basename (base); + strcpy(base, base2); /* If necessary, adapt the name to local OS conventions: */ if (!list) { MAKE_LEGAL_NAME(base); 
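Review bot: The new guard in the RSVP_CTYPE_IPV4 loop of rsvp_print() rejects a subobject length of zero only; a length byte `*(obj_tptr+1)` larger than the remaining `obj_tlen` is still accepted. If the loop later subtracts that length from an unsigned `obj_tlen` (the end of the loop body is outside the hunk, so this is an assumption), the counter would wrap and `obj_tlen >= 4` would stay true. Comparing the two in the same test, `if (*(obj_tptr+1) == 0 || *(obj_tptr+1) > obj_tlen)`, would close that case.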
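Review bot: Moving `copy_stat(&istat)` ahead of the `if (method == -1)` branch in treat_file() means the input file is removed before the failure path runs: the comment on the call says copy_stat removes the input file, and the branch right after it unlinks `ofname`. If `method == -1` marks a failed run, as the unlink suggests, both the input and the output are gone afterwards. The call should be skipped on that path, `if (method != -1) copy_stat(&istat);`, while `close(ofd)` still runs. A failing `close(ofd)` is also reported only after the input has been removed. treat_file's body starts and ends outside the hunk.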
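Review bot: `strcpy(base, base2)` in get_method() copies between overlapping objects, because `base2` is the result of `basename (base)` and presumably points into the string that starts at `base`; strcpy has undefined behaviour when source and destination overlap. `memmove(base, base2, strlen(base2) + 1);` does the same job with defined behaviour. A one-line comment that this drops any directory prefix stored in the compressed file's header would also help the next reader.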
@@ -1637,12 +1639,12 @@ local void copy_stat(ifstat) reset_times(ofname, ifstat); #endif /* Copy the protection modes */ - if (chmod(ofname, ifstat->st_mode & 07777)) { + if (fchmod(ofd, ifstat->st_mode & 07777)) { WARN((stderr, "%s: ", progname)); if (!quiet) perror(ofname); } #ifndef NO_CHOWN - chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ + (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */ #endif remove_ofname = 0; /* It's now safe to remove the input file: */ diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index a78ebf787034..30d5125faaf7 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="5.3" -BRANCH="RELEASE-p15" +BRANCH="RELEASE-p16" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" |
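Review bot: The switch to `fchmod(ofd, ...)` and `fchown(ofd, ...)` in copy_stat() removes the path lookup for mode and ownership, but the context line `reset_times(ofname, ifstat);` still goes through the name. If reset_times sets the timestamps by path (its body is not in the hunk), the name can still be replaced between creation of the output and that call, so the race is closed for only two of the three attributes. Separately, `fchmod` applies the full `07777` mask before `fchown` runs, so set-id bits are set while the file still has the creating owner; changing ownership first and mode second is the safer order.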