svn commit: r46083 - in head/share: security/advisories security/patches/SA-14:27 security/patches/SA-14:28 security/patches/SA-14:29 xml

Dag-Erling Smørgrav des at FreeBSD.org
Wed Dec 10 16:42:12 UTC 2014


Author: des
Date: Wed Dec 10 16:42:08 2014
New Revision: 46083
URL: https://svnweb.freebsd.org/changeset/doc/46083

Log:
  Add SA-14:2[789]

Added:
  head/share/security/advisories/FreeBSD-SA-14:27.stdio.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:28.file.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:29.bind.asc   (contents, props changed)
  head/share/security/patches/SA-14:27/
  head/share/security/patches/SA-14:27/stdio.patch   (contents, props changed)
  head/share/security/patches/SA-14:27/stdio.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:28/
  head/share/security/patches/SA-14:28/file-12.patch   (contents, props changed)
  head/share/security/patches/SA-14:28/file-12.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:28/file-7.patch   (contents, props changed)
  head/share/security/patches/SA-14:28/file-7.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:28/file-8.patch   (contents, props changed)
  head/share/security/patches/SA-14:28/file-8.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:29/
  head/share/security/patches/SA-14:29/bind983.patch   (contents, props changed)
  head/share/security/patches/SA-14:29/bind983.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:29/bind984.patch   (contents, props changed)
  head/share/security/patches/SA-14:29/bind984.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:29/bind987.patch   (contents, props changed)
  head/share/security/patches/SA-14:29/bind987.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:29/bind995.patch   (contents, props changed)
  head/share/security/patches/SA-14:29/bind995.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-14:27.stdio.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:27.stdio.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:27.stdio                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Buffer overflow in stdio
+
+Category:       core
+Module:         libc
+Announced:      2014-12-10
+Credits:        Adrian Chadd and Alfred Perlstein, Norse Corporation
+Affects:        FreeBSD 10.1
+Corrected:      2014-12-10 08:24:02 UTC (stable/10, 10.1-STABLE)
+                2014-12-10 08:35:55 UTC (releng/10.1, 10.1-RELEASE-p1)
+CVE Name:       CVE-2014-8611
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The standard I/O library provides a simple and efficient buffered stream
+I/O interface.  The library writes buffered data when it is full or when
+the application explicitly request so by calling the fflush(3) function.
+
+II.  Problem Description
+
+A programming error in the standard I/O library's __sflush() function could
+erroneously adjust the buffered stream's internal state even when no write
+actually occurred in the case when write(2) system call returns an error.
+
+III. Impact
+
+The accounting mismatch would accumulate, if the caller does not check for
+stream status and will eventually lead to a heap buffer overflow.
+
+Such overflows may lead to data corruption or the execution of arbitrary
+code at the privilege level of the calling program.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:27/stdio.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:27/stdio.patch.asc
+# gpg --verify stdio.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r275667
+releng/10.1/                                                      r275670
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8611>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:27.stdio.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUiA11AAoJEO1n7NZdz2rnZLMP/ic0j0lykvkZ4x39Th4vUIX7
+SCqROB8zxKj8qA3QlXhusaJA9o9hAPX8HA99ZVbDyugz0m4ST0t6JAYL+w3eVYZm
+RpEszshxi7rwUXaoue99lk0JnP2ssZbNZn5y4Z0XCYvingfP7Um6tOG0XqUs+N45
+Mivhuz+JKaFSYG4WwrSIr2pNpn6XnDeGoihtuXOkinBv8Ga3xHyuTY+30vUnEEH+
+Vr2MftHMm3Wo87OM1XhrTQS5jYzD8u0xgwKjcf0/+6Q+iXzLDkk8MfCE1W9SP7FE
+zas1MHxWeV5AICAX0CUI/9R2Zgymi/xJksw4BNZsDyGnOvIRdcMv+0KOWnCn42mk
+HCm2NTyvUM2Cgjbj5T4yICQBEi5dI6WiTp2yKTKQOiqDsszUW1NyqGQdYPfyjjMS
+kQA5RTdGVxwxp8FMnJGvYdlVRZgx5BAI8znhlxxqKs25uhbOnn+zKm+rA2XnLLMk
+sg2V/E906vldjLw8ddvNKm5oy0UkezBj0J1NOgkpN3atvUB8X2H251h2n51+oAbE
+FSd4qqN70vwHdOmIGNrjWZpOqSJzeGs5JjbaxMpo6MoIWJz2zrK2WLiFVWZGohgh
+9TGU6Ubs/yTLLfu1jTDAMl1dbZd1lChmycKRuqTpe56keOlHghquCMxhogWY0PQE
+nE47N3BP/KCtuQw1uxuK
+=F9uH
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-14:28.file.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:28.file.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,157 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:28.file                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities in file(1) and libmagic(3)
+
+Category:       contrib
+Module:         file
+Announced:      2014-12-10
+Affects:        All supported versions of FreeBSD.
+Credits:        Thomas Jarosch of Intra2net AG
+Corrected:      2014-12-10 08:26:53 UTC (stable/10, 10.1-STABLE)
+                2014-12-10 08:35:55 UTC (releng/10.1, 10.1-RELEASE-p1)
+                2014-12-10 08:36:07 UTC (releng/10.0, 10.0-RELEASE-p13)
+                2014-12-10 08:31:41 UTC (stable/9, 9.3-STABLE)
+                2014-12-10 08:36:40 UTC (releng/9.3, 9.3-RELEASE-p6)
+                2014-12-10 08:36:40 UTC (releng/9.2, 9.2-RELEASE-p16)
+                2014-12-10 08:36:40 UTC (releng/9.1, 9.1-RELEASE-p23)
+                2014-12-10 08:31:41 UTC (stable/8, 8.4-STABLE)
+                2014-12-10 08:36:40 UTC (releng/8.4, 8.4-RELEASE-p20)
+CVE Name:       CVE-2014-3710, CVE-2014-8116, CVE-2014-8117
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The file(1) utility attempts to classify file system objects based on
+filesystem, magic number and language tests.
+
+The libmagic(3) library provides most of the functionality of file(1)
+and may be used by other applications.
+
+II.  Problem Description
+
+There are a number of denial of service issues in the ELF parser used
+by file(1).
+
+III. Impact
+
+An attacker who can cause file(1) or any other applications using the
+libmagic(3) library to be run on a maliciously constructed input can
+cause the application to crash or consume excessive CPU resources,
+resulting in a denial-of-service.
+
+IV.  Workaround
+
+No workaround is available, but systems where file(1) and other
+libmagic(3)-using applications are never run on untrusted input are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.1]
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-12.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-12.patch.asc
+# gpg --verify file-12.patch.asc
+
+[FreeBSD 9.1, 9.2, 9.3 and 10.0]
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-8.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-8.patch.asc
+# gpg --verify file-8.patch.asc
+
+[FreeBSD 8.4]
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-7.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:28/file-7.patch.asc
+# gpg --verify file-7.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r275669
+releng/8.4/                                                       r275672
+stable/9/                                                         r275669
+releng/9.1/                                                       r275672
+releng/9.2/                                                       r275672
+releng/9.3/                                                       r275672
+stable/10/                                                        r275668
+releng/10.0/                                                      r275671
+releng/10.1/                                                      r275670
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:28.file.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUiA11AAoJEO1n7NZdz2rnCBMQAL/22vlzYOuAilNqQu5SZCZ8
+i+VVrq9ZQv9Q32JiSs/eZtiz8d1OrhZK86a6dzx2vd5cV3QjWTOh5oK00gnO6Nq1
+g1tqRDYVSzoPBVNLkpH0gKJjUNcxhzehQy2oge+7mtkcj3RsIX9MrPDpagIwdlOm
+KOHlfHL5w3sVbXvA9hqASH6GkvWKaj/QRm9wyHitVHYI9EbJE6jAyeDfzR1sFP54
+f4FkT3TtsVw712+TYkC/EmgyPA8R6tK08LpYsa0pnwCtuMUkT+/zmDhcjXEyqZ0X
+cimkXyANSyDxzFjNrec0ETno35a5dNeasZvRg8DZXAGko9ainwUKTk5p+AUiKUOh
+MGxCFCkAPK/jbzBfZmQ7WMwpEDpjCxKK/C1qM2hHmpXwodzMtxSONicomcQrHm3O
+f2C1JWIy7V8pLZDVN8Ce25JLjDRt+cZc6JR2sICrfAjUWXRyCbmIsTj/+CjLHH1a
+/8hXs/TI0Z4jvcPsujoo7GhOdXvLz4Z7bY9cdZgEmZaUw+OwPN3DGiUEkK1+VNNt
+ClufF6cHWE9UaUp26fjoZ/qVTFt/ixIy7Qsx9EqA1YrnemI9mOxgxTFB1jqMM6uR
+NGEFUsyUQWLJxpinrEJIvJj5r9lQw11GaqsvyOyZ8IzPLJ31okYUXUFiFUECI+aN
+P0XVV9PyCfdO6tq8ajOi
+=+w7r
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-14:29.bind.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:29.bind.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,158 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:29.bind                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          BIND remote denial of service vulnerability
+
+Category:       contrib
+Module:         bind
+Announced:      2014-12-10
+Credits:        ISC
+Affects:        FreeBSD 8.4, 9.1, 9.2 and 9.3.
+Corrected:      2014-12-10 08:31:41 UTC (stable/9, 9.3-STABLE)
+                2014-12-10 08:36:40 UTC (releng/9.3, 9.3-RELEASE-p6)
+                2014-12-10 08:36:40 UTC (releng/9.2, 9.2-RELEASE-p16)
+                2014-12-10 08:36:40 UTC (releng/9.1, 9.1-RELEASE-p23)
+                2014-12-10 08:31:41 UTC (stable/8, 8.4-STABLE)
+                2014-12-10 08:36:40 UTC (releng/8.4, 8.4-RELEASE-p20)
+CVE Name:       CVE-2014-8500
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II.  Problem Description
+
+By causing queries to be made against a maliciously-constructed zone or
+against a malicious DNS server, an attacker who is able to cause
+specific queries to be sent to a nameserver can cause named(8) to
+crash, leading to a denial of service.
+
+All recursive BIND DNS servers are vulnerable to this.  Authoritative
+servers are only vulnerable if the attacker is able to control a
+delegation traversed by the authoritative server in order to serve
+the zone.
+
+III. Impact
+
+An attacker who can cause specific queries to be sent to a nameserver
+could cause named(8) to crash, resulting in a denial of service.
+
+IV.  Workaround
+
+No workaround is available, but hosts not running named(8) are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.3-RELEASE and 9.3-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind995.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind995.patch.asc
+# gpg --verify bind995.patch.asc
+
+[FreeBSD 9.2-RELEASE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch.asc
+# gpg --verify bind984.patch.asc
+
+[FreeBSD 9.1-RELEASE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind983.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind983.patch.asc
+# gpg --verify bind983.patch.asc
+
+[FreeBSD 8.4-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind987.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind987.patch.asc
+# gpg --verify bind987.patch.asc
+
+[FreeBSD 8.4-RELEASE]
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch.asc
+# gpg --verify bind984.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the applicable daemons, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r275669
+releng/8.4/                                                       r275672
+stable/9/                                                         r275669
+releng/9.1/                                                       r275672
+releng/9.2/                                                       r275672
+releng/9.3/                                                       r275672
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:29.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUiA11AAoJEO1n7NZdz2rn7kgP/RWw0Q9dx8/xS+NSypV3Hfqr
+6D4Zh8LGsrKuWMGD29MYrFle2Ze5gUfjOFfaqonD2P5vyrCfnyVUhGiIRUKcFn/z
+dF6XwWKoZHRRHxNL7d71ZRwG3o4gEJP0SWFbfIVUg0YCDdwpChASyHJkXR5rgrTB
+6MFDdeNGq+NzQzESmJJyLT/hgWZB0p/g5tLnez+XNxxk4oGywJlNACEq9SfD618Q
+86Pl7oFJjaKrAtb7kzI2tYG+UvUHdQriRwo9C87fnSH4TNf2G1VwVoV0Lip45w4I
+MwJ8j4U3Vqr8cepqc6HSZauIA7N3N1Key7qzcnEP56iIfM1yIg+k7FTeaGM7tw45
+lxlrxgLDBpFt+F24cnROagNFZ8o2iWsnaH9ZhEkV6Qabu7eU/XjwKwY9evqqPgeP
+bCFZeFCxl4DSNTgkLmP+GjXoRxXQ2NokboU7o+KnZGPnxduDK9RG4yx0IvQc3uyv
+ad+zW4luYGuuIwVXiHif8y7SnOrp4LiVIX04isavaBVSndWC4VenlajoH8IvYxIW
+P/Bc8J0qxPmEJzZmutzLNQEDEHnxz3o9s/6C7FSASRkMMJ7QXvq0bIdVpkubh0bE
+PqJVu6WN2KD6tKjuZq4P/WVrRedsRG+qDYb819guIok2kGa6A4tgQ/DAvuZur+do
+K3JRKm1SZmozOqV/SVmy
+=uNWP
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:27/stdio.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:27/stdio.patch	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,22 @@
+Index: lib/libc/stdio/fflush.c
+===================================================================
+--- lib/libc/stdio/fflush.c.orig
++++ lib/libc/stdio/fflush.c
+@@ -124,11 +124,13 @@
+ 		t = _swrite(fp, (char *)p, n);
+ 		if (t <= 0) {
+ 			/* Reset _p and _w. */
+-			if (p > fp->_p)	/* Some was written. */
++			if (p > fp->_p) {
++				/* Some was written. */
+ 				memmove(fp->_p, p, n);
+-			fp->_p += n;
+-			if ((fp->_flags & (__SLBF | __SNBF)) == 0)
+-				fp->_w -= n;
++				fp->_p += n;
++				if ((fp->_flags & (__SLBF | __SNBF)) == 0)
++					fp->_w -= n;
++			}
+ 			fp->_flags |= __SERR;
+ 			return (EOF);
+ 		}

Added: head/share/security/patches/SA-14:27/stdio.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:27/stdio.patch.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUiA2QAAoJEO1n7NZdz2rnM3AP/0HoTCXA+hqUYQ3RuFXQJYLr
+2/cbSEiMvfB40rvB9T7WvZYsiWJN+V0R1yMRDu2uF4KJB6Au5GGNzdeG742yU3B4
+W2IVFtCMST0DlsGuUQV/zXeMhQiwXZx0cP5iIoukeyf/vZ7+p8b+WObB81D6+gPf
+tBlRG5cHc3eX+SGXzhbpuUQrG35KtFA0JijLIAy2criCFo+nN6iRBnVa5Uk0X3hx
+p7lRK7G9tY9fQX3Z7BqoOHxBWC1YNJEWrzkLMVWUmowXMOWvcyab6k/kwtfVCrV0
+ZilEOukghDLhzeL9oeRCgQioMHjST4wi34n7ouU6mKb+IzouyPrR42Qfax3u7Lke
+ndDauZU3G1D46+D7/O6lLpQWK8g5AYk9AL/PPDr2ewYQrxYRNchaZUdIHz9gNnud
+HITnxYsRa3/ArooIti9wF2vsqM/iuzIJ7BEGntEFsCtQgLjMUnl0Hx+Gnu+cg3aj
+Liy+bPXqtRhZdbGRVQyoFKeWjjbvwzBx692hBXqjWRhmPIWvggLHSP6o30qpsZmT
+dJNmC2m5TBFaJOpQSaq6fk6ExPKVSMjQX/IrY22IfKZ+FN1tHXsnf2l3PcZEdjd/
+PgdNjNX9EP0Pp5GzND87ooe3Z+kJewzSdWNHTpT0i6ljhH/AaJbq5VYAVlx2B/9K
+ctb+fAKvwGuyGGzZdibE
+=3A4p
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:28/file-12.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-12.patch	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,288 @@
+Index: contrib/file/src/elfclass.h
+===================================================================
+--- contrib/file/src/elfclass.h.orig
++++ contrib/file/src/elfclass.h
+@@ -35,10 +35,12 @@
+ 	switch (type) {
+ #ifdef ELFCORE
+ 	case ET_CORE:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
+ 		flags |= FLAGS_IS_CORE;
+ 		if (dophn_core(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ 		    fsize, &flags) == -1)
+ 			return -1;
+@@ -46,18 +48,24 @@
+ #endif
+ 	case ET_EXEC:
+ 	case ET_DYN:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > MAX_SHNUM)
++			return toomany(ms, "section", shnum);
+ 		if (dophn_exec(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+-		    == -1)
++		    fsize, &flags, shnum) == -1)
+ 			return -1;
+ 		/*FALLTHROUGH*/
+ 	case ET_REL:
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > MAX_SHNUM)
++			return toomany(ms, "section", shnum);
+ 		if (doshn(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_shoff),
+-		    elf_getu16(swap, elfhdr.e_shnum),
++		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
+ 		    fsize, &flags, elf_getu16(swap, elfhdr.e_machine),
+ 		    (int)elf_getu16(swap, elfhdr.e_shstrndx)) == -1)
+Index: contrib/file/src/file.h
+===================================================================
+--- contrib/file/src/file.h.orig
++++ contrib/file/src/file.h
+@@ -482,6 +482,14 @@
+ protected void file_regfree(file_regex_t *);
+ protected void file_regerror(file_regex_t *, int, struct magic_set *);
+ 
++typedef struct {
++	char *buf;
++	uint32_t offset;
++} file_pushbuf_t;
++
++protected file_pushbuf_t *file_push_buffer(struct magic_set *);
++protected char  *file_pop_buffer(struct magic_set *, file_pushbuf_t *);
++
+ #ifndef COMPILE_ONLY
+ extern const char *file_names[];
+ extern const size_t file_nnames;
+Index: contrib/file/src/funcs.c
+===================================================================
+--- contrib/file/src/funcs.c.orig
++++ contrib/file/src/funcs.c
+@@ -491,3 +491,43 @@
+ 	file_magerror(ms, "regex error %d for `%s', (%s)", rc, rx->pat,
+ 	    errmsg);
+ }
++
++protected file_pushbuf_t *
++file_push_buffer(struct magic_set *ms)
++{
++	file_pushbuf_t *pb;
++
++	if (ms->event_flags & EVENT_HAD_ERR)
++		return NULL;
++
++	if ((pb = (CAST(file_pushbuf_t *, malloc(sizeof(*pb))))) == NULL)
++		return NULL;
++
++	pb->buf = ms->o.buf;
++	pb->offset = ms->offset;
++
++	ms->o.buf = NULL;
++	ms->offset = 0;
++
++	return pb;
++}
++
++protected char *
++file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb)
++{
++	char *rbuf;
++
++	if (ms->event_flags & EVENT_HAD_ERR) {
++		free(pb->buf);
++		free(pb);
++		return NULL;
++	}
++
++	rbuf = ms->o.buf;
++
++	ms->o.buf = pb->buf;
++	ms->offset = pb->offset;
++
++	free(pb);
++	return rbuf;
++}
+Index: contrib/file/src/readelf.c
+===================================================================
+--- contrib/file/src/readelf.c.orig
++++ contrib/file/src/readelf.c
+@@ -60,6 +60,18 @@
+ private uint32_t getu32(int, uint32_t);
+ private uint64_t getu64(int, uint64_t);
+ 
++#define MAX_PHNUM	256
++#define	MAX_SHNUM	1024
++
++private int
++toomany(struct magic_set *ms, const char *name, uint16_t num)
++{
++	if (file_printf(ms, ", too many %s header sections (%u)", name, num
++	    ) == -1)
++		return -1;
++	return 0;
++}
++
+ private uint16_t
+ getu16(int swap, uint16_t value)
+ {
+@@ -477,6 +489,13 @@
+ 	uint32_t namesz, descsz;
+ 	unsigned char *nbuf = CAST(unsigned char *, vbuf);
+ 
++	if (xnh_sizeof + offset > size) {
++		/*
++		 * We're out of note headers.
++		 */
++		return xnh_sizeof + offset;
++	}
++
+ 	(void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ 	offset += xnh_sizeof;
+ 
+@@ -492,13 +511,13 @@
+ 	if (namesz & 0x80000000) {
+ 	    (void)file_printf(ms, ", bad note name size 0x%lx",
+ 		(unsigned long)namesz);
+-	    return offset;
++	    return 0;
+ 	}
+ 
+ 	if (descsz & 0x80000000) {
+ 	    (void)file_printf(ms, ", bad note description size 0x%lx",
+ 		(unsigned long)descsz);
+-	    return offset;
++	    return 0;
+ 	}
+ 
+ 
+@@ -900,6 +919,7 @@
+ 	Elf32_Shdr sh32;
+ 	Elf64_Shdr sh64;
+ 	int stripped = 1;
++	size_t nbadcap = 0;
+ 	void *nbuf;
+ 	off_t noff, coff, name_off;
+ 	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
+@@ -988,6 +1008,8 @@
+ 				goto skip;
+ 			}
+ 
++			if (nbadcap > 5)
++				break;
+ 			if (lseek(fd, xsh_offset, SEEK_SET) == (off_t)-1) {
+ 				file_badseek(ms);
+ 				return -1;
+@@ -1053,6 +1075,8 @@
+ 					    (unsigned long long)xcap_tag,
+ 					    (unsigned long long)xcap_val) == -1)
+ 						return -1;
++					if (nbadcap++ > 2)
++						coff = xsh_size;
+ 					break;
+ 				}
+ 			}
+@@ -1233,7 +1257,7 @@
+ 	int flags = 0;
+ 	Elf32_Ehdr elf32hdr;
+ 	Elf64_Ehdr elf64hdr;
+-	uint16_t type;
++	uint16_t type, phnum, shnum;
+ 
+ 	if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
+ 		return 0;
+Index: contrib/file/src/softmagic.c
+===================================================================
+--- contrib/file/src/softmagic.c.orig
++++ contrib/file/src/softmagic.c
+@@ -67,6 +67,9 @@
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
+ #define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
++
++#define MAX_RECURSION_LEVEL	10
++
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
+@@ -1193,14 +1196,15 @@
+     int flip, int recursion_level, int *printed_something,
+     int *need_separator, int *returnval)
+ {
+-	uint32_t soffset, offset = ms->offset;
++	uint32_t offset = ms->offset;
+ 	uint32_t lhs;
++	file_pushbuf_t *pb;
+ 	int rv, oneed_separator, in_type;
+-	char *sbuf, *rbuf;
++	char *rbuf;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 	struct mlist ml;
+ 
+-	if (recursion_level >= 20) {
++	if (recursion_level >= MAX_RECURSION_LEVEL) {
+ 		file_error(ms, 0, "recursion nesting exceeded");
+ 		return -1;
+ 	}
+@@ -1644,19 +1648,23 @@
+ 	case FILE_INDIRECT:
+ 		if (offset == 0)
+ 			return 0;
++
+ 		if (nbytes < offset)
+ 			return 0;
+-		sbuf = ms->o.buf;
+-		soffset = ms->offset;
+-		ms->o.buf = NULL;
+-		ms->offset = 0;
++
++		if ((pb = file_push_buffer(ms)) == NULL)
++			return -1;
++
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
+ 		    recursion_level, BINTEST, text);
++
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
+-		rbuf = ms->o.buf;
+-		ms->o.buf = sbuf;
+-		ms->offset = soffset;
++
++		rbuf = file_pop_buffer(ms, pb);
++		if (rbuf == NULL && ms->event_flags & EVENT_HAD_ERR)
++			return -1;
++
+ 		if (rv == 1) {
+ 			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+ 			    file_printf(ms, F(ms, m, "%u"), offset) == -1) {
+@@ -1674,13 +1682,13 @@
+ 	case FILE_USE:
+ 		if (nbytes < offset)
+ 			return 0;
+-		sbuf = m->value.s;
+-		if (*sbuf == '^') {
+-			sbuf++;
++		rbuf = m->value.s;
++		if (*rbuf == '^') {
++			rbuf++;
+ 			flip = !flip;
+ 		}
+-		if (file_magicfind(ms, sbuf, &ml) == -1) {
+-			file_error(ms, 0, "cannot find entry `%s'", sbuf);
++		if (file_magicfind(ms, rbuf, &ml) == -1) {
++			file_error(ms, 0, "cannot find entry `%s'", rbuf);
+ 			return -1;
+ 		}
+ 

Added: head/share/security/patches/SA-14:28/file-12.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-12.patch.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUiA2QAAoJEO1n7NZdz2rnjzAQANogueUdUbRBgn+EYwcnKUgQ
+8y4P5VDNnAIxKrPCRGpRF9IvGaxAzO62y/GlZ6Fq+H+VFk+1poCIXDY3escUM0uk
+BM/V+k3wuvsaefTiNIfTMEOYiJ81nrcMZ5cDtO4wgN1Pem44Lmh8O3gztAMSGgFm
+IzJBYcDp8XgGYZqCtZN0gAQjLuJHn6vrqdW//dyXNmpsNFMLAlBFI9IJ6R/EuHyF
+gcmw2UDtnTvR5+PfBSo9T/DZUB6sWrh3h2FQi2AFnOm1qbzhsRoZy+ea8zgnnYYD
+kdTkiyXq6opoQYLeCrYcyaIksCNXvQNh6ocQKrEpTXNO9p6/uN4QSrd35HK+/8JK
+4zgMWWOQB35QBhtxevVjR03JtPXa1r61Y/jY00nnGrnzVx01/GKo2vzbo3+iwBJB
+rvkSvQKuJxm6k54oOUtCIOKzkackSiKIcbaPXt7g0dZhLrsV7JwXuCrXfz+aDFqt
+F/gxckIybZjM1NW3/4PNN1W7nvc+cW3dsHaEW2susGXRi2eHlM2VqZjAoMHmqN3v
+9swzo5Cu3Xotx3gSPGH19g6MLZh/xMSXCIylRYw5xxCOP3H3o2lO3Gnet+rFIJVs
+pXUlibCmuTnalxlUT7q5OXancUItUQ4haYkXf7FglqOAeekdLvwboQoANKnBubhr
+c07kINUBCQlbtRDd66Qs
+=9qt7
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:28/file-7.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-7.patch	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,146 @@
+Index: contrib/file/elfclass.h
+===================================================================
+--- contrib/file/elfclass.h.orig
++++ contrib/file/elfclass.h
+@@ -35,9 +35,11 @@
+ 	switch (type) {
+ #ifdef ELFCORE
+ 	case ET_CORE:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
+ 		if (dophn_core(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ 		    fsize, &flags) == -1)
+ 			return -1;
+@@ -45,18 +47,24 @@
+ #endif
+ 	case ET_EXEC:
+ 	case ET_DYN:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > MAX_SHNUM)
++			return toomany(ms, "section", shnum);
+ 		if (dophn_exec(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+-		    fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+-		    == -1)
++		    fsize, &flags, shnum) == -1)
+ 			return -1;
+ 		/*FALLTHROUGH*/
+ 	case ET_REL:
++		shnum = elf_getu16(swap, elfhdr.e_shnum);
++		if (shnum > MAX_SHNUM)
++			return toomany(ms, "section", shnum);
+ 		if (doshn(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_shoff),
+-		    elf_getu16(swap, elfhdr.e_shnum),
++		    (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_shentsize),
+ 		    &flags,
+ 		    elf_getu16(swap, elfhdr.e_machine)) == -1)
+Index: contrib/file/readelf.c
+===================================================================
+--- contrib/file/readelf.c.orig
++++ contrib/file/readelf.c
+@@ -60,6 +60,18 @@
+ private uint32_t getu32(int, uint32_t);
+ private uint64_t getu64(int, uint64_t);
+ 
++#define MAX_PHNUM	256
++#define	MAX_SHNUM	1024
++
++private int
++toomany(struct magic_set *ms, const char *name, uint16_t num)
++{
++	if (file_printf(ms, ", too many %s header sections (%u)", name, num
++	    ) == -1)
++		return -1;
++	return 0;
++}
++
+ private uint16_t
+ getu16(int swap, uint16_t value)
+ {
+@@ -391,13 +403,13 @@
+ 	if (namesz & 0x80000000) {
+ 	    (void)file_printf(ms, ", bad note name size 0x%lx",
+ 		(unsigned long)namesz);
+-	    return offset;
++	    return 0;
+ 	}
+ 
+ 	if (descsz & 0x80000000) {
+ 	    (void)file_printf(ms, ", bad note description size 0x%lx",
+ 		(unsigned long)descsz);
+-	    return offset;
++	    return 0;
+ 	}
+ 
+ 
+@@ -821,6 +833,7 @@
+ 	Elf32_Shdr sh32;
+ 	Elf64_Shdr sh64;
+ 	int stripped = 1;
++	size_t nbadcap = 0;
+ 	void *nbuf;
+ 	off_t noff;
+ 	uint64_t cap_hw1 = 0;	/* SunOS 5.x hardware capabilites */
+@@ -893,6 +906,8 @@
+ 		case SHT_SUNW_cap:
+ 		    {
+ 			off_t coff;
++			if (nbadcap > 5)
++				break;
+ 			if ((off = lseek(fd, (off_t)0, SEEK_CUR)) ==
+ 			    (off_t)-1) {
+ 				file_badread(ms);
+@@ -933,6 +948,8 @@
+ 					    (unsigned long long)xcap_tag,
+ 					    (unsigned long long)xcap_val) == -1)
+ 						return -1;
++					if (nbadcap++ > 2)
++						coff = xsh_size;
+ 					break;
+ 				}
+ 			}
+@@ -1139,7 +1156,7 @@
+ 	int flags = 0;
+ 	Elf32_Ehdr elf32hdr;
+ 	Elf64_Ehdr elf64hdr;
+-	uint16_t type;
++	uint16_t type, phnum, shnum;
+ 
+ 	if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
+ 		return 0;
+Index: contrib/file/softmagic.c
+===================================================================
+--- contrib/file/softmagic.c.orig
++++ contrib/file/softmagic.c
+@@ -61,6 +61,9 @@
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
+ #define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
++
++#define MAX_RECURSION_LEVEL	10
++
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
+@@ -1030,7 +1033,7 @@
+ 	uint32_t count = m->str_range;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 
+-	if (recursion_level >= 20) {
++	if (recursion_level >= MAX_RECURSION_LEVEL) {
+ 		file_error(ms, 0, "recursion nesting exceeded");
+ 		return -1;
+ 	}

Added: head/share/security/patches/SA-14:28/file-7.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-7.patch.asc	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUiA2RAAoJEO1n7NZdz2rnaRIQAOy5fBvNnNRIM2mEoiDVbI2a
+nVoDsiSHWX9roIRdY/3L0d/S4mbvt08Sbd10qF6pR/haJlniDBR8BHxjkUHU5rTF
+C/rkIsVJwasf4Mb6yTIlJntAqZDRVr4vtv3Y4EN9qJqI85q3KhSNJByrllltiBzg
+BfHUxKV8vaBULDNbAICeNa6HJ9dOzup9Fr1zu+N+dup3SCIbvHBiS8I/fHvQvzf4
+to5kkp4XwHUDgemS9cuwLzs9Xs5VJbhJht8n/2flJI80mTrLa+sGlNLARjOMJU3n
+NFW7oZ01spsWfLrdCr9fI/zsf7QowKHHEquZaX305BysmBqdes4FqkjMbRelM8a3
+4kKzV8b1ZLXXzqw6Tj4XXFcC0SAqvYtDou2u+AoIJwfdO7AbFDYBKS6AD5sP5tb6
+3ZwoiWk09Xnb3gVOPrzvh/9nF6BrjhHC5qlSt8Kdp1XWupoXBaxWbSu9Dcfu1Amd
+PhivZ1DrK5lMkzIDCjW/aXrbhIWrZR/a2ilsWbeSgO8Wq899gPlj6zHnf9pxBKVJ
+QKO/hkb0f4fmFd7RDi3fCN6dOXEyT3lo8GcDVLvfbJYjbbWveylPmg6/O2SOKqYY
+KMFrECyoSRSgY9aV3pISw/ioukukkS+R0vDCdthNUHdxbpAM53OnnVaeJrZnoAt5
+xjvvLOy4c+UQZDj4GuON
+=ZtPX
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:28/file-8.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:28/file-8.patch	Wed Dec 10 16:42:08 2014	(r46083)
@@ -0,0 +1,147 @@
+Index: contrib/file/elfclass.h
+===================================================================
+--- contrib/file/elfclass.h.orig
++++ contrib/file/elfclass.h
+@@ -35,10 +35,12 @@
+ 	switch (type) {
+ #ifdef ELFCORE
+ 	case ET_CORE:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)
++			return toomany(ms, "program", phnum);
+ 		flags |= FLAGS_IS_CORE;
+ 		if (dophn_core(ms, clazz, swap, fd,
+-		    (off_t)elf_getu(swap, elfhdr.e_phoff),
+-		    elf_getu16(swap, elfhdr.e_phnum), 
++		    (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ 		    (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ 		    fsize, &flags) == -1)
+ 			return -1;
+@@ -46,18 +48,24 @@
+ #endif
+ 	case ET_EXEC:
+ 	case ET_DYN:
++		phnum = elf_getu16(swap, elfhdr.e_phnum);
++		if (phnum > MAX_PHNUM)

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


More information about the svn-doc-all mailing list