Fix sendfile(2) write-only file permission bypass. [08:03.sendfile]

Fix IPsec null pointer dereference panic. [SA-08:04.ipsec]

Security:	FreeBSD-SA-08:03.sendfile
Security:	FreeBSD-SA-08:04.ipsec
Approved by:	so (simon)

4 files changed, 8 insertions, 3 deletions

diff --git a/UPDATING b/UPDATING
index 4d5a0a5f582b..429614746800 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,11 @@ Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20080214:	p19	FreeBSD-SA-08:02.sendfile, FreeBSD-SA-08:03.ipsec
+	Fix sendfile(2) write-only file permission bypass. [08:02]
+
+	Fix IPsec null pointer dereference panic. [08:03]
+
 20080114:	p18	FreeBSD-SA-08:01.pty
 	Fix issues which allow snooping on ptys.
 
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 3c3db8af5d5e..5ccb23da8dfc 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="5.5"
-BRANCH="RELEASE-p18"
+BRANCH="RELEASE-p19"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"
 
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 40ddd19df0ed..088443018172 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -2014,7 +2014,7 @@ _fgetvp(struct thread *td, int fd, struct vnode **vpp, int flags)
 	GIANT_REQUIRED;		/* VFS */
 
 	*vpp = NULL;
-	if ((error = _fget(td, fd, &fp, 0, 0)) != 0)
+	if ((error = _fget(td, fd, &fp, flags, 0)) != 0)
 		return (error);
 	if (fp->f_vnode == NULL) {
 		error = EINVAL;
diff --git a/sys/netinet6/ipcomp_input.c b/sys/netinet6/ipcomp_input.c
index 1831648a50de..be97fd1d6678 100644
--- a/sys/netinet6/ipcomp_input.c
+++ b/sys/netinet6/ipcomp_input.c
@@ -258,7 +258,7 @@ ipcomp6_input(mp, offp, proto)
 	off = *offp;
 
 	md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
-	if (!m) {
+	if (!md) {
 		m = NULL;	/* already freed */
 		ipseclog((LOG_DEBUG, "IPv6 IPComp input: assumption failed "
 		    "(pulldown failure)\n"));