6 files changed, 28 insertions, 5 deletions

diff --git a/UPDATING b/UPDATING
index a2a59f221574..b326a7112120 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20100526:	p3	FreeBSD-SA-10:04.jail, FreeBSD-SA-10:05.opie,
+			FreeBSD-SA-10:06.nfsclient
+	Change the current working directory to be inside the jail created by
+	the jail(8) command. [10:04]
+
+	Fix a one-NUL-byte buffer overflow in libopie. [10:05]
+
+	Correctly sanity-check a buffer length in nfs mount. [10:06]
+
 20100106:	p2	FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd,
 			FreeBSD-SA-10:03.zfs, FreeBSD-EN-10:01.freebsd
 	Fix BIND named(8) cache poisoning with DNSSEC validation.
diff --git a/contrib/opie/libopie/readrec.c b/contrib/opie/libopie/readrec.c
index f56af7ffb73d..4f204b927eeb 100644
--- a/contrib/opie/libopie/readrec.c
+++ b/contrib/opie/libopie/readrec.c
@@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struct opie *opie)
     
     if (c = strchr(opie->opie_principal, ':'))
       *c = 0;
-    if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
-      (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
     
-    strcpy(principal, opie->opie_principal);
+    strlcpy(principal, opie->opie_principal, sizeof(principal));
     
     do {
       if ((opie->opie_recstart = ftell(f)) < 0)
diff --git a/lib/libc/sys/mount.2 b/lib/libc/sys/mount.2
index 6ce2d4d2fa74..3d48f4110fce 100644
--- a/lib/libc/sys/mount.2
+++ b/lib/libc/sys/mount.2
@@ -107,7 +107,7 @@ This restriction can be removed by setting the
 .Va vfs.usermount
 .Xr sysctl 8
 variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
 .Pp
 The following
 .Fa flags
@@ -370,3 +370,10 @@ functions appeared in
 .At v6 .
 .Sh BUGS
 Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index de53cd7f4f8e..e71b051674f6 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.0"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/nfsclient/nfs_vfsops.c b/sys/nfsclient/nfs_vfsops.c
index 17dc5d4b5dee..c4366eb15b9b 100644
--- a/sys/nfsclient/nfs_vfsops.c
+++ b/sys/nfsclient/nfs_vfsops.c
@@ -1054,6 +1054,11 @@ nfs_mount(struct mount *mp)
 		error = EINVAL;
 		goto out;
 	}
+	if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+		vfs_mount_error(mp, "Bad file handle");
+		error = EINVAL;
+		goto out;
+	}
 
 	if (mp->mnt_flag & MNT_UPDATE) {
 		struct nfsmount *nmp = VFSTONFS(mp);
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
index ca87796d3364..0722bfd22397 100644
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@@ -511,6 +511,10 @@ set_param(const char *name, char *value)
 			*value++ = '\0';
 	}
 
+	/* jail_set won't chdir along with its chroot, so do it here. */
+	if (!strcmp(name, "path") && chdir(value) < 0)
+		err(1, "chdir: %s", value);
+
 	/* Check for repeat parameters */
 	for (i = 0; i < nparams; i++)
 		if (!strcmp(name, params[i].jp_name)) {