svn commit: r41014 - in head/share: security/advisories security/patches/SA-13:01 security/patches/SA-13:02 xml

Bjoern A. Zeeb bz at FreeBSD.org
Tue Feb 19 13:56:51 UTC 2013


Author: bz (src committer)
Date: Tue Feb 19 13:56:49 2013
New Revision: 41014
URL: http://svnweb.freebsd.org/changeset/doc/41014

Log:
  Add latest security advisories:
  
    Fix Denial of Service vulnerability in named(8) with DNS64. [13:01]
  
    Fix Denial of Service vulnerability in libc's glob(3) functionality.
    [13:02]
  
  Security:	CVE-2012-5688
  Security:	FreeBSD-SA-13:01.bind
  Security:	CVE-2010-2632
  Security:	FreeBSD-SA-13:02.libc

Added:
  head/share/security/advisories/FreeBSD-SA-13:01.bind.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-13:02.libc.asc   (contents, props changed)
  head/share/security/patches/SA-13:01/
  head/share/security/patches/SA-13:01/bind.patch   (contents, props changed)
  head/share/security/patches/SA-13:01/bind.patch.asc   (contents, props changed)
  head/share/security/patches/SA-13:02/
  head/share/security/patches/SA-13:02/libc.patch   (contents, props changed)
  head/share/security/patches/SA-13:02/libc.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-13:01.bind.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-13:01.bind.asc	Tue Feb 19 13:56:49 2013	(r41014)
@@ -0,0 +1,122 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:01.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND remote DoS with deliberately crafted DNS64 query
+
+Category:       contrib
+Module:         bind
+Announced:      2013-02-19
+Affects:        FreeBSD 9.x and later
+Corrected:      2013-01-08 09:05:09 UTC (stable/9, 9.1-STABLE)
+                2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6)
+                2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1)
+CVE Name:       CVE-2012-5688
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+DNS64 is an IPv6 transition mechanism that will return a synthesized
+AAAA response even if there is only an A record available.
+
+II.  Problem Description
+
+Due to a software defect a crafted query can cause named(8) to crash
+with an assertion failure.
+
+III. Impact
+
+If named(8) is configured to use DNS64, an attacker who can send it a
+query can cause named(8) to crash, resulting in a denial of service.
+
+IV.  Workaround
+
+No workaround is available, but systems not configured to use DNS64
+using the "dns64" configuration statement are not vulnerable.  DNS64
+is not enabled in the default configuration on FreeBSD.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Restart the named(8) daemon, or reboot your system.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-13:01/bind.patch
+# fetch http://security.FreeBSD.org/patches/SA-13:01/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the named(8) daemon, or reboot your system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart the named(8) daemon, or reboot your system.
+
+4) Alternatively, install and run BIND from the Ports Collection after
+the correction date.  The following versions and newer versions of
+BIND installed from the Ports Collection are not affected by this
+vulnerability:
+
+        bind98-9.8.4.1
+        bind99-9.9.2.1
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r245163
+releng/9.0/                                                       r246989
+releng/9.1/                                                       r246989
+- -------------------------------------------------------------------------
+
+VII. References
+
+https://kb.isc.org/article/AA-00828
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:01.bind.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (FreeBSD)
+
+iEYEARECAAYFAlEjf8MACgkQFdaIBMps37JUigCeIvjGL59H2froSeFqfPvlzM7L
+XpAAni7nW5GZt4AE3eSDQwE4ivCne6SK
+=Rxq4
+-----END PGP SIGNATURE-----
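Review bot: Section II ("Due to a software defect a crafted query can cause named(8) to crash") gives no hint of where the defect lies; the bind.patch added in this same commit shows the fix is moving `dns_rdataset_init(&rdataset);` ahead of the `goto cleanup` taken when `dns_db_getoriginnode()` fails, so one sentence saying that the assertion fires in the cleanup path on a never-initialized rdataset would make the description concrete without widening the advisory's scope.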

Added: head/share/security/advisories/FreeBSD-SA-13:02.libc.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-13:02.libc.asc	Tue Feb 19 13:56:49 2013	(r41014)
@@ -0,0 +1,114 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:02.libc                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          glob(3) related resource exhaustion
+
+Category:       core
+Module:         libc
+Announced:      2013-02-19
+Affects:        All supported versions of FreeBSD.
+Corrected:      2013-02-05 09:53:32 UTC (stable/7, 7.4-STABLE)
+                2013-02-19 13:27:20 UTC (releng/7.4, 7.4-RELEASE-p12)
+                2013-02-05 09:53:32 UTC (stable/8, 8.3-STABLE)
+                2013-02-19 13:27:20 UTC (releng/8.3, 8.3-RELEASE-p6)
+                2013-02-05 09:53:32 UTC (stable/9, 9.1-STABLE)
+                2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6)
+                2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1)
+CVE Name:       CVE-2010-2632
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The glob(3) function is a pathname generator that implements the rules for
+file name pattern matching used by the shell.
+
+II.  Problem Description
+
+GLOB_LIMIT is supposed to limit the number of paths to prevent against
+memory or CPU attacks.  The implementation however is insufficient.
+
+III. Impact
+
+An attacker that is able to exploit this vulnerability could cause excessive
+memory or CPU usage, resulting in a Denial of Service.  A common target for
+a remote attacker could be ftpd(8).
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch
+# fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch.asc
+# gpg --verify libc.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/7/                                                         r246357
+releng/7.4/                                                       r246989
+stable/8/                                                         r246357
+releng/8.3/                                                       r246989
+stable/9/                                                         r246357
+releng/9.0/                                                       r246989
+releng/9.1/                                                       r246989
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:02.libc.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (FreeBSD)
+
+iEYEARECAAYFAlEjf80ACgkQFdaIBMps37JFUgCfUrw8Ky4U19COja6fna49Calv
+z/YAn1JSGxzHCo8vLj4XhtXqrQt68or4
+=mCPv
+-----END PGP SIGNATURE-----
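Review bot: Section IV says "No workaround is available", but every new check in libc.patch is gated on `(pglob->gl_flags & GLOB_LIMIT)`, so the fix bounds only callers that pass GLOB_LIMIT; the advisory should state that explicitly, since an application calling glob(3) without the flag is as unbounded after the update as before, and the ftpd(8) example in Section III would be clearer if the text said whether ftpd passes GLOB_LIMIT. Separately, option 1) under V. Solution lacks the "Restart all daemons, or reboot the system." line that options 2) and 3) carry and that the companion FreeBSD-SA-13:01.bind advisory includes after its option 1).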

Added: head/share/security/patches/SA-13:01/bind.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-13:01/bind.patch	Tue Feb 19 13:56:49 2013	(r41014)
@@ -0,0 +1,18 @@
+Index: contrib/bind9/bin/named/query.c
+===================================================================
+--- contrib/bind9/bin/named/query.c
++++ contrib/bind9/bin/named/query.c
+@@ -5183,10 +5183,12 @@
+ 	isc_result_t result;
+ 	isc_uint32_t ttl = ISC_UINT32_MAX;
+ 
++	dns_rdataset_init(&rdataset);
++
+ 	result = dns_db_getoriginnode(db, &node);
+ 	if (result != ISC_R_SUCCESS)
+ 		goto cleanup;
+-	dns_rdataset_init(&rdataset);
++
+ 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+ 				     0, 0, &rdataset, NULL);
+ 	if (result != ISC_R_SUCCESS)
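Review bot: Moving `dns_rdataset_init(&rdataset);` above the `dns_db_getoriginnode()` call is the right fix, since the `goto cleanup` on its failure previously reached the cleanup label with `rdataset` uninitialized; a short comment on the moved line stating that it must stay ahead of every `goto cleanup` would keep a later reshuffle from reintroducing the bug. The `---`/`+++` headers also carry no `(revision N)` marker, unlike libc.patch, so the base revision this patch was generated against is not recorded in the patch itself.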

Added: head/share/security/patches/SA-13:01/bind.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-13:01/bind.patch.asc	Tue Feb 19 13:56:49 2013	(r41014)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (FreeBSD)
+
+iEYEABECAAYFAlEjf/cACgkQFdaIBMps37LjHwCfQ0g0m9lvCY/AZmzYq6NfupNU
+cjQAn1ovam14yAE0+WT3FAhOM0lr7INw
+=gwXh
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-13:02/libc.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-13:02/libc.patch	Tue Feb 19 13:56:49 2013	(r41014)
@@ -0,0 +1,215 @@
+Index: lib/libc/gen/glob.c
+===================================================================
+--- lib/libc/gen/glob.c	(revision 246357)
++++ lib/libc/gen/glob.c	(working copy)
+@@ -94,6 +94,25 @@ __FBSDID("$FreeBSD$");
+ 
+ #include "collate.h"
+ 
++/*
++ * glob(3) expansion limits. Stop the expansion if any of these limits
++ * is reached. This caps the runtime in the face of DoS attacks. See
++ * also CVE-2010-2632
++ */
++#define	GLOB_LIMIT_BRACE	128	/* number of brace calls */
++#define	GLOB_LIMIT_PATH		65536	/* number of path elements */
++#define	GLOB_LIMIT_READDIR	16384	/* number of readdirs */
++#define	GLOB_LIMIT_STAT		1024	/* number of stat system calls */
++#define	GLOB_LIMIT_STRING	ARG_MAX	/* maximum total size for paths */
++
++struct glob_limit {
++	size_t	l_brace_cnt;
++	size_t	l_path_lim;
++	size_t	l_readdir_cnt;	
++	size_t	l_stat_cnt;	
++	size_t	l_string_cnt;
++};
++
+ #define	DOLLAR		'$'
+ #define	DOT		'.'
+ #define	EOS		'\0'
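Review bot: `l_readdir_cnt` and `l_stat_cnt` in `struct glob_limit` carry trailing tabs after the semicolon; drop them. The struct comment should also say that `l_path_lim` is a limit (filled from `gl_matchc` in glob()) while the four `_cnt` members are running counters compared against the GLOB_LIMIT_* constants, since the mixed naming otherwise reads as five counters.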
+@@ -153,15 +172,18 @@ static const Char *g_strchr(const Char *, wchar_t)
+ static Char	*g_strcat(Char *, const Char *);
+ #endif
+ static int	 g_stat(Char *, struct stat *, glob_t *);
+-static int	 glob0(const Char *, glob_t *, size_t *);
+-static int	 glob1(Char *, glob_t *, size_t *);
+-static int	 glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *);
+-static int	 glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *);
+-static int	 globextend(const Char *, glob_t *, size_t *);
+-static const Char *	
++static int	 glob0(const Char *, glob_t *, struct glob_limit *);
++static int	 glob1(Char *, glob_t *, struct glob_limit *);
++static int	 glob2(Char *, Char *, Char *, Char *, glob_t *,
++    struct glob_limit *);
++static int	 glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
++    struct glob_limit *);
++static int	 globextend(const Char *, glob_t *, struct glob_limit *);
++static const Char *
+ 		 globtilde(const Char *, Char *, size_t, glob_t *);
+-static int	 globexp1(const Char *, glob_t *, size_t *);
+-static int	 globexp2(const Char *, const Char *, glob_t *, int *, size_t *);
++static int	 globexp1(const Char *, glob_t *, struct glob_limit *);
++static int	 globexp2(const Char *, const Char *, glob_t *, int *,
++    struct glob_limit *);
+ static int	 match(Char *, Char *, Char *);
+ #ifdef DEBUG
+ static void	 qprintf(const char *, Char *);
+@@ -171,8 +193,8 @@ int
+ glob(const char * __restrict pattern, int flags,
+ 	 int (*errfunc)(const char *, int), glob_t * __restrict pglob)
+ {
++	struct glob_limit limit = { 0, 0, 0, 0, 0 };
+ 	const char *patnext;
+-	size_t limit;
+ 	Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
+ 	mbstate_t mbs;
+ 	wchar_t wc;
+@@ -186,11 +208,10 @@ glob(const char * __restrict pattern, int flags,
+ 			pglob->gl_offs = 0;
+ 	}
+ 	if (flags & GLOB_LIMIT) {
+-		limit = pglob->gl_matchc;
+-		if (limit == 0)
+-			limit = ARG_MAX;
+-	} else
+-		limit = 0;
++		limit.l_path_lim = pglob->gl_matchc;
++		if (limit.l_path_lim == 0)
++			limit.l_path_lim = GLOB_LIMIT_PATH;
++	}
+ 	pglob->gl_flags = flags & ~GLOB_MAGCHAR;
+ 	pglob->gl_errfunc = errfunc;
+ 	pglob->gl_matchc = 0;
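Review bot: The fallback when `gl_matchc` is 0 changes from `ARG_MAX` to `GLOB_LIMIT_PATH` (65536), a visible behaviour change for existing GLOB_LIMIT callers, yet the commit touches no manual page; glob(3) should document the new default and the four additional brace, readdir, stat and string limits that GLOB_LIMIT now enables.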
+@@ -243,11 +264,17 @@ glob(const char * __restrict pattern, int flags,
+  * characters
+  */
+ static int
+-globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
++globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ 	const Char* ptr = pattern;
+ 	int rv;
+ 
++	if ((pglob->gl_flags & GLOB_LIMIT) &&
++	    limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
++		errno = 0;
++		return (GLOB_NOSPACE);
++	}
++
+ 	/* Protect a single {}, for find(1), like csh */
+ 	if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
+ 		return glob0(pattern, pglob, limit);
+@@ -266,7 +293,8 @@ static int
+  * If it fails then it tries to glob the rest of the pattern and returns.
+  */
+ static int
+-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit)
++globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
++    struct glob_limit *limit)
+ {
+ 	int     i;
+ 	Char   *lm, *ls;
+@@ -436,7 +464,7 @@ globtilde(const Char *pattern, Char *patbuf, size_
+  * if things went well, nonzero if errors occurred.
+  */
+ static int
+-glob0(const Char *pattern, glob_t *pglob, size_t *limit)
++glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ 	const Char *qpatnext;
+ 	int err;
+@@ -529,7 +557,7 @@ compare(const void *p, const void *q)
+ }
+ 
+ static int
+-glob1(Char *pattern, glob_t *pglob, size_t *limit)
++glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ 	Char pathbuf[MAXPATHLEN];
+ 
+@@ -547,7 +575,7 @@ static int
+  */
+ static int
+ glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
+-      glob_t *pglob, size_t *limit)
++      glob_t *pglob, struct glob_limit *limit)
+ {
+ 	struct stat sb;
+ 	Char *p, *q;
+@@ -563,6 +591,15 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_
+ 			if (g_lstat(pathbuf, &sb, pglob))
+ 				return(0);
+ 
++			if ((pglob->gl_flags & GLOB_LIMIT) &&
++			    limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
++				errno = 0;
++				if (pathend + 1 > pathend_last)
++					return (GLOB_ABORTED);
++				*pathend++ = SEP;
++				*pathend = EOS;
++				return (GLOB_NOSPACE);
++			}
+ 			if (((pglob->gl_flags & GLOB_MARK) &&
+ 			    pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
+ 			    || (S_ISLNK(sb.st_mode) &&
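Review bot: The stat counter is incremented only after `g_lstat()` succeeds, because the check sits below the `if (g_lstat(pathbuf, &sb, pglob)) return(0);` early return, so failed lstat calls are never counted even though the define's comment describes the limit as "number of stat system calls"; moving the check above the `g_lstat()` call would count every call. The `pathend + 1 > pathend_last` branch also returns GLOB_ABORTED while the limit itself returns GLOB_NOSPACE, and the reason for writing SEP and EOS into pathbuf before returning deserves a comment.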
+@@ -606,7 +643,7 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_
+ static int
+ glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
+       Char *pattern, Char *restpattern,
+-      glob_t *pglob, size_t *limit)
++      glob_t *pglob, struct glob_limit *limit)
+ {
+ 	struct dirent *dp;
+ 	DIR *dirp;
+@@ -652,6 +689,19 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_
+ 		size_t clen;
+ 		mbstate_t mbs;
+ 
++		if ((pglob->gl_flags & GLOB_LIMIT) &&
++		    limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
++			errno = 0;
++			if (pathend + 1 > pathend_last)
++				err = GLOB_ABORTED;
++			else {
++				*pathend++ = SEP;
++				*pathend = EOS;
++				err = GLOB_NOSPACE;
++			}
++			break;
++		}
++
+ 		/* Initial DOT must be matched literally. */
+ 		if (dp->d_name[0] == DOT && *pattern != DOT)
+ 			continue;
+@@ -702,14 +752,15 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_
+  *	gl_pathv points to (gl_offs + gl_pathc + 1) items.
+  */
+ static int
+-globextend(const Char *path, glob_t *pglob, size_t *limit)
++globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
+ {
+ 	char **pathv;
+ 	size_t i, newsize, len;
+ 	char *copy;
+ 	const Char *p;
+ 
+-	if (*limit && pglob->gl_pathc > *limit) {
++	if ((pglob->gl_flags & GLOB_LIMIT) &&
++	    pglob->gl_matchc > limit->l_path_lim) {
+ 		errno = 0;
+ 		return (GLOB_NOSPACE);
+ 	}
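Review bot: The comparison moves from `pglob->gl_pathc` to `pglob->gl_matchc`, and since glob() resets `gl_matchc` to 0 on entry (the `pglob->gl_matchc = 0;` context in the earlier hunk), the path cap now applies per glob(3) invocation rather than to the accumulated `gl_pathv` under GLOB_APPEND; if that is intended, say so in the comment block above globextend() and in glob(3), because a caller that relied on the old cumulative cap now sees the limit reset on every appended call.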
+@@ -737,6 +788,12 @@ static int
+ 	for (p = path; *p++;)
+ 		continue;
+ 	len = MB_CUR_MAX * (size_t)(p - path);	/* XXX overallocation */
++	limit->l_string_cnt += len;
++	if ((pglob->gl_flags & GLOB_LIMIT) &&
++	    limit->l_string_cnt >= GLOB_LIMIT_STRING) {
++		errno = 0;
++		return (GLOB_NOSPACE);
++	}
+ 	if ((copy = malloc(len)) != NULL) {
+ 		if (g_Ctoc(path, copy, len)) {
+ 			free(copy);
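Review bot: `limit->l_string_cnt += len;` accumulates the `MB_CUR_MAX * (p - path)` overallocation flagged by the `XXX` comment, not the bytes g_Ctoc() actually produces, so in a multibyte locale the ARG_MAX budget is consumed up to MB_CUR_MAX times faster than the real path length warrants; either charge the converted length or note in the comment that the budget is deliberately conservative. The addition is also performed unconditionally while the comparison is gated on GLOB_LIMIT, which is harmless but inconsistent with the other four checks, and this check uses `>=` where the path check in the previous hunk uses `>`.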

Added: head/share/security/patches/SA-13:02/libc.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-13:02/libc.patch.asc	Tue Feb 19 13:56:49 2013	(r41014)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (FreeBSD)
+
+iEYEABECAAYFAlEjf/0ACgkQFdaIBMps37Kw1ACfX+M73KQtFkdrAhFWVyVm2G44
+DLYAn2SoJT4c98Frj75ttappPsvFDgVk
+=H9Gv
+-----END PGP SIGNATURE-----

Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml	Tue Feb 19 13:27:07 2013	(r41013)
+++ head/share/xml/advisories.xml	Tue Feb 19 13:56:49 2013	(r41014)
@@ -5,6 +5,26 @@
     </cvs:keyword>
 
   <year>
+    <name>2013</name>
+
+    <month>
+      <name>2</name>
+
+      <day>
+	<name>19</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-13:02.libc</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-13:01.bind</name>
+	</advisory>
+      </day>
+    </month>
+  </year>
+
+  <year>
     <name>2012</name>
 
     <month>

