| author | Colin Percival <cperciva@FreeBSD.org> | 2008-01-14 22:56:43 +0000 |
|---|---|---|
| committer | Colin Percival <cperciva@FreeBSD.org> | 2008-01-14 22:56:43 +0000 |
| commit | d25707270f36c2e2097b671ae1700d29c2a68251 (patch) | |
| tree | d9bcba6bb811d9c94cf3d3f861f932492f53413c | |
| parent | 1441f4fb5cbfb854370110a0a6eb9527f6512f68 (diff) | |
Notes
| -rw-r--r-- | UPDATING | 4 | ||||
| -rw-r--r-- | lib/libc/inet/inet_network.c | 4 | ||||
| -rw-r--r-- | lib/libc/stdlib/grantpt.c | 44 | ||||
| -rw-r--r-- | lib/libutil/pty.c | 3 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 |
5 files changed, 31 insertions, 26 deletions
@@ -8,6 +8,10 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20080118: p10 FreeBSD-SA-08:01.pty, FreeBSD-SA-08:02.libc + Fix issues which allow snooping on ptys. [08:01] + Fix an off-by-one error in inet_network(3). [08:02] + 20071129: p9 FreeBSD-SA-07:09.random Correct a random value disclosure in random(4). diff --git a/lib/libc/inet/inet_network.c b/lib/libc/inet/inet_network.c index 9d417ac2db91..bd3c6fcb348e 100644 --- a/lib/libc/inet/inet_network.c +++ b/lib/libc/inet/inet_network.c @@ -86,9 +86,9 @@ again: } if (!digit) return (INADDR_NONE); + if (pp >= parts + 4 || val > 0xffU) + return (INADDR_NONE); if (*cp == '.') { - if (pp >= parts + 4 || val > 0xffU) - return (INADDR_NONE); *pp++ = val, cp++; goto again; } diff --git a/lib/libc/stdlib/grantpt.c b/lib/libc/stdlib/grantpt.c index a466cba0766a..5256236b4803 100644 --- a/lib/libc/stdlib/grantpt.c +++ b/lib/libc/stdlib/grantpt.c 
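Review bot: The hoisted guard `if (pp >= parts + 4 || val > 0xffU)` has no comment saying why it must sit ahead of the `*cp == '.'` branch, so a later cleanup could move it back inside and reopen the off-by-one that UPDATING describes. I would add `/* Bounds-check before any store into parts[]; the final component is stored after this branch as well. */` above it. That second store is outside the hunk, so check the wording against the rest of the function. The guard now also rejects a final component above 0xff, which appears to be a caller-visible change worth a line in inet_network(3). The function starts and ends outside the hunk.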
@@ -214,24 +214,30 @@ char * ptsname(int fildes) { static char slave[] = _PATH_DEV PTS_PREFIX "XY"; - char *retval; + const char *master; struct stat sbuf; - retval = NULL; + /* All master pty's must be char devices. */ + if (_fstat(fildes, &sbuf) == -1) + goto invalid; + if (!S_ISCHR(sbuf.st_mode)) + goto invalid; - if (_fstat(fildes, &sbuf) == 0) { - if (!ISPTM(sbuf)) - errno = EINVAL; - else { - (void)snprintf(slave, sizeof(slave), - _PATH_DEV PTS_PREFIX "%s", - devname(sbuf.st_rdev, S_IFCHR) + - strlen(PTM_PREFIX)); - retval = slave; - } - } + /* Check to see if this device is a pty(4) master. */ + master = devname(sbuf.st_rdev, S_IFCHR); + if (strlen(master) != strlen(PTM_PREFIX "XY")) + goto invalid; + if (strncmp(master, PTM_PREFIX, strlen(PTM_PREFIX)) != 0) + goto invalid; - return (retval); + /* It is, so generate the corresponding pty(4) slave name. */ + (void)snprintf(slave, sizeof(slave), _PATH_DEV PTS_PREFIX "%s", + master + strlen(PTM_PREFIX)); + return (slave); + +invalid: + errno = EINVAL; + return (NULL); } /* @@ -240,18 +246,14 @@ ptsname(int fildes) int unlockpt(int fildes) { - int retval; - struct stat sbuf; /* * Unlocking a master/slave pseudo-terminal pair has no meaning in a * non-streams PTY environment. However, we do ensure fildes is a * valid master pseudo-terminal device. */ - if ((retval = _fstat(fildes, &sbuf)) == 0 && !ISPTM(sbuf)) { - errno = EINVAL; - retval = -1; - } + if (ptsname(fildes) == NULL) + return (-1); - return (retval); + return (0); } diff --git a/lib/libutil/pty.c b/lib/libutil/pty.c index b230edb113af..005a52fe38c7 100644 --- a/lib/libutil/pty.c +++ b/lib/libutil/pty.c 
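Review bot: The `goto invalid` taken when `_fstat()` fails replaces the errno that call set (EBADF for a closed descriptor, for instance) with EINVAL, so callers can no longer tell a bad descriptor from one that is simply not a pty master. Returning directly on that path keeps the original error: `if (_fstat(fildes, &sbuf) == -1) return (NULL);`. `unlockpt()` in the next hunk now delegates to `ptsname()`, so it inherits the same errno, whereas the removed code passed the `_fstat()` result through with errno untouched.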
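Review bot: Calling `ptsname(fildes)` in `unlockpt()` purely as a validity test rewrites the function-static `slave` buffer declared in the previous hunk, so a pointer obtained from an earlier `ptsname()` on a different master changes under the caller when `unlockpt()` runs. If that side effect is acceptable, state it in the block comment, e.g. `Note: this overwrites the buffer returned by ptsname().`. Otherwise, moving the `_fstat()`/`devname()` checks into a static helper that both functions call would give `unlockpt()` the stricter master test without touching `slave`.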
@@ -76,8 +76,7 @@ openpty(int *amaster, int *aslave, char *name, struct termios *termp, struct win break; /* try the next pty group */ } else { line[5] = 't'; - (void) chown(line, getuid(), ttygid); - (void) chmod(line, S_IRUSR|S_IWUSR|S_IWGRP); + (void) grantpt(master); (void) revoke(line); if ((slave = open(line, O_RDWR, 0)) != -1) { *amaster = master; diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 707c4b42f391..a935f9a2d3eb 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.2" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi |
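Review bot: `(void) grantpt(master);` discards the result, so when grantpt() fails the slave node keeps whatever owner and mode it already had, and the code still goes on to `revoke(line)` and `open(line, O_RDWR, 0)`. Since this commit addresses pty snooping, a failed grantpt() should make openpty() abandon this master rather than hand back a slave whose permissions were never reset, along the lines of `if (grantpt(master) == -1) { /* close master, try the next pty */ }`. The removed `chown`/`chmod` calls ignored errors as well, so this is not a regression, but the switch is a good moment to tighten it. The loop this sits in starts and ends outside the hunk, so the recovery path needs checking against the full function.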
