svn commit: r45928 - in head/share: security/advisories security/patches/EN-14:12 security/patches/SA-14:24 security/patches/SA-14:25 security/patches/SA-14:26 xml

Dag-Erling Smørgrav des at FreeBSD.org
Wed Nov 5 00:28:50 UTC 2014


Author: des
Date: Wed Nov  5 00:28:45 2014
New Revision: 45928
URL: https://svnweb.freebsd.org/changeset/doc/45928

Log:
  Add EN-14:12, SA-14:24, SA-14:25 and SA-14:26.

Added:
  head/share/security/advisories/FreeBSD-EN-14:12.zfs.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:24.sshd.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:25.setlogin.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-14:26.ftp.asc   (contents, props changed)
  head/share/security/patches/EN-14:12/zfs.patch   (contents, props changed)
  head/share/security/patches/EN-14:12/zfs.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:24/sshd.patch   (contents, props changed)
  head/share/security/patches/SA-14:24/sshd.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:25/setlogin-91.patch   (contents, props changed)
  head/share/security/patches/SA-14:25/setlogin-91.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:25/setlogin.patch   (contents, props changed)
  head/share/security/patches/SA-14:25/setlogin.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:26/ftp-8.patch   (contents, props changed)
  head/share/security/patches/SA-14:26/ftp-8.patch.asc   (contents, props changed)
  head/share/security/patches/SA-14:26/ftp.patch   (contents, props changed)
  head/share/security/patches/SA-14:26/ftp.patch.asc   (contents, props changed)
Directory Properties:
  head/share/security/patches/EN-14:12/   (props changed)
  head/share/security/patches/SA-14:24/   (props changed)
  head/share/security/patches/SA-14:25/   (props changed)
  head/share/security/patches/SA-14:26/   (props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-14:12.zfs.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-14:12.zfs.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:12.zfs                                            Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          NFSv4 and ZFS cache consistency issue
+
+Category:       contrib
+Module:         zfs
+Announced:      2011-11-04
+Credits:        Bart Hsiao, Marcelo Araujo, Kevin Buhr
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-10-07 06:00:09 UTC (stable/10, 10.0-STABLE)
+                2014-10-15 06:31:08 UTC (releng/10.1, 10.1-RC2)
+                2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
+                2014-10-07 06:00:32 UTC (stable/9, 9.3-STABLE)
+                2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
+                2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
+                2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
+                2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
+                2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+The Network File System (NFS) allows a host to export some or all of
+its file systems that can be any kind of file systems such like UFS, ZFS
+etcetera, so that other hosts can access them over the network and mount
+them as if they were on local disks.
+
+II.  Problem Description
+
+In a configuration where two or more clients mount a ZFS file system over
+NFSv4 from a FreeBSD server, if client1 caches a directory listing and a
+file in the directory is renamed on client2, then client1 can end up in
+a state where the cached but incorrect directory contents persists indefinitely
+and is never updated.
+
+III. Impact
+
+When client2 renames a file or directory, client1 does not receive the
+changed attributes and never does a READDIR to get the updated contents.
+This could result in a client that has incorrect information about the
+actual content of the mounted file system.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/EN-14:12/zfs.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:12/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/zfs.patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r274108
+releng/8.4/                                                       r274111
+stable/9/                                                         r272677
+releng/9.1/                                                       r274112
+releng/9.2/                                                       r274113
+releng/9.3/                                                       r274114
+stable/10/                                                        r272676
+releng/10.0/                                                      r274110
+releng/10.1/                                                      r273122
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:12.zfs.asc
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUWWUOAAoJEO1n7NZdz2rn9KsQAIw7xhRYGUQ+SwIl6E8Tzodd
+bx/VkTLOgcDrGSNqREzkgNeTtWXOXRwibZpBVXl8sglf+WPtZsnGcCALze9CiS14
+boesjajpl7znqJ8zDpIU3qMdFsEOB5Ky3KDTQgCMEygAJrOxASGv6TCOT/3e1hRr
+Ez0+32dnqooxNRJjHA0t+t+gBszFFLV1PbstpaCOOAsZpmNMtJGbhsydF/aKcK17
+dcNaOKjMPB4SDGMx+dcZqS8bToEXfe0lwOGiEDAavVCyMx5zyie2bGfUWEI2bpu5
+1VcOtnMxpKlgJdEOIbFI0RXdj4CujLbfwNBnDGLELcCZsPtoWJQZHDmDXK5pkEof
+6aOHqqmZrFsI9V81ymVbQYYSHF67ZeRZB3CotC8trQn+tnxK1l0s6KF0FzSHQigU
+y1Q1vErOKuzPEcrD7sp7xTS3VAQ1a7/uGY6KcTSrJu7xwrJe8KRNvufokgnzU3D4
+X/O/L7TxvjTmTu1T2882mMIrtpALf/tjGwW32ksUnXo6RiwByvaalO9ObEBPYzGQ
+C9xG3ggfqhyHDlw21VhCjZF5hQ7xUnBKHjT60LbGMB5llaN1DUN6HRT9rCbeN4gP
+5eJalL2x1NLT1XVCBYlq1IhE6vTcnTdVVcGRBJQbPnfqivrDzBfIFzhy/4tc1J7K
+IkJAwk+aThuF3j3xnt+z
+=lQAP
+-----END PGP SIGNATURE-----
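Review bot: The Announced field in the header reads 2011-11-04, while every Corrected timestamp in the same header is from 2014 and the three security advisories added in this commit are announced 2014-11-04; this looks like a typo for 2014-11-04. Because the field sits inside the PGP-signed message, fixing it means re-signing the notice. A smaller wording point in section I: "any kind of file systems such like UFS, ZFS etcetera" would read better as "any kind of file system, such as UFS or ZFS". The self-reference in section VII is also the only advisory URL in this commit not wrapped in <URL:...>.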

Added: head/share/security/advisories/FreeBSD-SA-14:24.sshd.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:24.sshd.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,160 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:24.sshd                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Denial of service attack against sshd(8)
+
+Category:       contrib
+Module:         openssh
+Announced:      2014-11-04
+Credits:        
+Affects:        FreeBSD 9.1, 9.2 and 10.0.
+Corrected:      2014-05-04 07:28:26 UTC (stable/10, 10.0-STABLE)
+                2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
+                2014-05-04 07:57:20 UTC (stable/9, 9.2-STABLE)
+                2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
+                2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
+CVE Name:       CVE-2014-8475
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+OpenSSH is an implementation of the SSH protocol suite, providing an
+encrypted and authenticated transport for a variety of services,
+including remote shell access.  The sshd(8) daemon is the server side
+of OpenSSH.
+
+Heimdal is an implementation of Kerberos 5, which provides
+authentication and single sign-on capability for many network
+services, including OpenSSH.
+
+II.  Problem Description
+
+Although OpenSSH is not multithreaded, when OpenSSH is compiled with
+Kerberos support, the Heimdal libraries bring in the POSIX thread
+library as a dependency.  Due to incorrect library ordering while
+linking sshd(8), symbols in the C library which are shadowed by the
+POSIX thread library may not be resolved correctly at run time.
+
+Note that this problem is specific to the FreeBSD build system and
+does not affect other operating systems or the version of OpenSSH
+available from the FreeBSD ports tree.
+
+III. Impact
+
+An incorrectly linked sshd(8) child process may deadlock while
+handling an incoming connection.  The connection may then time out or
+be interrupted by the client, leaving the deadlocked sshd(8) child
+process behind.  Eventually, the sshd(8) parent process stops
+accepting new connections.
+
+An attacker may take advantage of this by repeatedly connecting and
+then dropping the connection after having begun, but not completed,
+the authentication process.
+
+IV.  Workaround
+
+Possible workarounds include rebuilding sshd with Kerberos support
+disabled or installing the security/openssh-portable package from the
+FreeBSD ports tree or an official package repository.
+
+Systems that do not run an OpenSSH server are not affected.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch.asc
+# gpg --verify sshd.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/sshd.patch
+
+c) Recompile sshd.  Execute the following commands as root:
+
+# cd /usr/src/secure/usr.sbin/sshd
+# make && make install
+
+4) Restart the affected service
+
+To restart the affected service after updating the system, either
+reboot the system or execute the following command as root:
+
+# service sshd restart
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/9/                                                         r265314
+releng/9.1/                                                       r274112
+releng/9.2/                                                       r274113
+stable/10/                                                        r265313
+releng/10.0/                                                      r274110
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<other info on vulnerability>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8475>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:24.sshd.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUWWlZAAoJEO1n7NZdz2rn4UEP/0VdM6uSHWyQSOzO+kuDxRfT
+wru9+yjCB4NJtFzvBLe8eeiUDiTqJaTfrAGbbr9l5qkRXvTaUzWyaHyraLN4nK51
+/ouxKzxxrqf0YDpYQPIUwCVmkoLn/+0T3U7sB78bx5WH4W1XoKKWIkChCyZpVvBI
+vw6A5Ep4+U6mTGXE2D04WQISkKXYqzCuW0rJBnm0xDj9xUprgZJ7tTSx/ewAiA/L
+FV37riqb8OII8lThV7g0s0F0JWDUf+AznG/S7amior0jMMSExdafifcvHEUZNs72
+4cYh66p/GxeImU2Tm3VDRlfoAv86kUFwIevwD4oj5wXa7aBMdUwPITyQJ0We68gj
+3kMBpJaZAJ7DpwYuCu7/RF7K4Irt3mSJJipS3IvI2LteHCakZBIUlbrPJrcfMl4P
+VJQU3v4HLH5XZskuR5UEJ755DT+7ZMd7tFl0iWFVsutwjf/bn2u0rtfdcpOerAub
+0gYGzPcC9dzBM5OHZdo1wwmZu56jRpddmQ/nc94Wsmm7Nw2ibd9YZpU88LCqR7xa
+jsW+F/+napKvsBXqAHTlmJ87oJUSruYS+K/dKbGvCDIjBTjsNu3HqMNS5g4vG+GR
+MazlN8Vrg6zVx11ESzFiIJBAgLLNfRgXNFNSPY3NMuMYiS7q0QwGkQlWBb5bmiB8
+FlP/B/8bn/171n5RfarG
+=mry5
+-----END PGP SIGNATURE-----
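Review bot: Section VII still contains the template placeholder "<other info on vulnerability>", and the Credits field in the header is empty; both look like unfilled template fields that were signed and published as-is. Drop the placeholder line and either fill in Credits or remove the field, then re-sign, since both lines are inside the PGP-signed message.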

Added: head/share/security/advisories/FreeBSD-SA-14:25.setlogin.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:25.setlogin.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,153 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:25.setlogin                                   Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Kernel stack disclosure in setlogin(2) / getlogin(2)
+
+Category:       core
+Module:         kernel
+Announced:      2014-11-04
+Credits:        Mateusz Guzik
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE)
+                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1)
+                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1)
+                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3)
+                2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
+                2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE)
+                2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
+                2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
+                2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
+                2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
+                2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19)
+CVE Name:       CVE-2014-8476
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The setlogin(2) system call sets the login name of the user associated
+with the current session.  The getlogin(2) routine returns the login name
+of the user associated with the current session, as previously set by
+setlogin(2).
+
+II.  Problem Description
+
+When setlogin(2) is called while setting up a new login session, the
+login name is copied into an uninitialized stack buffer, which is then
+copied into a buffer of the same size in the session structure.  The
+getlogin(2) system call returns the entire buffer rather than just the
+portion occupied by the login name associated with the session.
+
+III. Impact
+
+An unprivileged user can access this memory by calling getlogin(2) and
+reading beyond the terminating NUL character of the resulting string.
+Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory
+may be leaked in this manner for each invocation of setlogin(2).
+
+This memory may contain sensitive information, such as portions of the
+file cache or terminal buffers, which an attacker might leverage to
+obtain elevated privileges.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.1]
+# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch.asc
+# gpg --verify setlogin-91.patch.asc
+
+[All other versions]
+# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin.patch.asc
+# gpg --verify setlogin.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r274108
+releng/8.4/                                                       r274111
+stable/9/                                                         r274109
+releng/9.1/                                                       r274112
+releng/9.2/                                                       r274113
+releng/9.3/                                                       r274114
+stable/10/                                                        r274107
+releng/10.0/                                                      r274110
+releng/10.1/                                                      r274115
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8476>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:25.setlogin.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnI0IP/RlwFhOJgr9CHdKg5SYsruSQ
+LG6z0ufgUETIkeXP1KGm6oYz0X8hpU2Q+MIE5urrPbGYL4Ouo/1oCiwGkBPh4xM/
+L2Z/qIBxmfG/NaRK8PnGSXzlCc02XGnqf9Y6CJN1sIkwrptop02y9sgaLsqLy7K6
+s/YvQ1fe5FT6TV9Nr9l6OwKkVAYa1Ba+JUnklVBWA2eZkLa6YOUlY25w9alqTMVQ
+Z4oaLHCnGradKdaKKk0NOOYv0ZGHjkp/Lwd9ja8wyW0K+R1aef9Z5tWloVWQBeJ8
+gzxeA/JpfRtb0lYj2GIpny6znP/lzkEve42No6xDdmUr4Wp0b5hN2qGgwwgEFSIo
+2kFVwMkRlK1JsD0U+VK8AxP4neJFECw3t0zWTUr3BMnxoOEG6O1nIU0T6Ru8/K0b
+aIc/G8TiOxOaXHuiWJhR1p9cblGlz7HnFSAmM6vN0O4DBcX7xwr/ndDl/6npvkmt
+biB+hXZK0Ega8X9LsZ5injDo0FZ4XNIyEOy4/QOeJW4kJQv0Oh14cYSU6cM/yfaU
+tJ7M6WYnFS8G+0e03auM1XVeu2oxyR0ry1IC7xS4O9N4m+8nE7DlRU8okhQRXiFB
+iCmzO1XmOTK0zygtS34bDaOuey3U0yFG4O5wMKrAkMeQ9jPogyt99ZzIk3L3UPqZ
+xcWRhKahyz9umrzsssOL
+=xiWR
+-----END PGP SIGNATURE-----

Added: head/share/security/advisories/FreeBSD-SA-14:26.ftp.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-14:26.ftp.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,151 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:26.ftp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Remote command execution in ftp(1)
+
+Category:       core
+Module:         ftp
+Announced:      2014-11-04
+Credits:        Jared McNeill, Alistair Crooks
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE)
+                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1)
+                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1)
+                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3)
+                2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
+                2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE)
+                2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
+                2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
+                2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
+                2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
+                2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19)
+CVE Name:       CVE-2014-8517
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The ftp(1) userland utility is an interactive FTP client.  It can also
+be used non-interactively, by providing a URL on the command line.  In
+this mode, it supports HTTP in addition to FTP.
+
+II.  Problem Description
+
+A malicious HTTP server could cause ftp(1) to execute arbitrary
+commands.
+
+III. Impact
+
+When operating on HTTP URIs, the ftp(1) client follows HTTP redirects,
+and uses the part of the path after the last '/' from the last
+resource it accesses as the output filename if '-o' is not specified.
+
+If the output file name provided by the server begins with a pipe
+('|'), the output is passed to popen(3), which might be used to
+execute arbitrary commands on the ftp(1) client machine.
+
+IV.  Workaround
+
+No workaround is available.  Users are encouraged to replace ftp(1) in
+non-interactive use by either fetch(1) or a third-party client such as
+curl or wget.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 8]
+# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch.asc
+# gpg --verify ftp-8.patch.asc
+
+[All other versions]
+# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch.asc
+# gpg --verify ftp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile ftp.  Execute the following commands as root:
+
+# cd /usr/src/usr.bin/ftp
+# make && make install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r274108
+releng/8.4/                                                       r274111
+stable/9/                                                         r274109
+releng/9.1/                                                       r274112
+releng/9.2/                                                       r274113
+releng/9.3/                                                       r274114
+stable/10/                                                        r274107
+releng/10.0/                                                      r274110
+releng/10.1/                                                      r274115
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8517>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:26.ftpd.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnhUwP+wQKrgKs6lRk6Yl4UtRyEwyG
+BHGkA62oaQbehuccahjQgIcLTk3Vp3AalXtSQpdyWJktHiYrFwBnheW/IrhJ6bMS
+dpJv3yqqQtSED9sADf+GAvxV6TG9bknq/RDxXKpsQ/MocYbiVxz/3nDOMz9CB7ep
+saDttvGHW7RUmNoKL70pgItGapiVuBzMF01PCZ2SmFiJHYi7BoiJwm72Y1NLU8YE
+TkiX2ZAoTVMN5/R3DW38HyVCyeY2tMTHSdQXRSYjwzJ0gEbBPWMPQyB1SAa8dtk5
+j54KFNOBoaXMjd3USqFgo0fduU3rGZp5PwITTx5Rx5Ixtz2vHddyOISV0RcjA0cq
+TWDwBGlKET7qZ1j7nHTgy4U4wMTWFbkjjqEY+RHYywaAmy8ACDmEUci8d3fWKWVY
+d4y8RCvBrlnFVjmNiNcBc5XFXxY0Ra3BQ8C/VE0k0ZFuzmFUCi+DJZDR2Gtl0R9Q
+1hAdj+yOJo46ylHPiSyoBZmsRZccV1a81phOPe0mPR84BvzNvBsdI+EFIJWi+5bw
+bjuSM8YCOHrlGkqh9h9+BizvLfJFpjUSglwzPmOfRpTv59XJpc6D1Hia+uICTEfd
+lSiJgDZ6enozY7QVoiO7G/ycyQCVe7Ehwywx/dpWXVpva85tn4Xl2khBCiPNbBBo
+xnPjqxmwGK+4uegsO6CY
+=QT3h
+-----END PGP SIGNATURE-----
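Review bot: The self-referencing URL at the end of section VII points to FreeBSD-SA-14:26.ftpd.asc, but the file added by this commit and the advisory title are FreeBSD-SA-14:26.ftp, so the link as written names a different file. Change it to FreeBSD-SA-14:26.ftp.asc and re-sign. Separately, section II says only that a malicious HTTP server could cause command execution, while the mechanism (a redirect-supplied file name beginning with '|' being passed to popen(3)) is described under III. Impact; moving that explanation into the Problem Description would match the layout of the other advisories in this commit.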

Added: head/share/security/patches/EN-14:12/zfs.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:12/zfs.patch	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,12 @@
+Index: sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
+===================================================================
+--- sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c.orig
++++ sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
+@@ -2827,6 +2827,7 @@ zfs_getattr(vnode_t *vp, vattr_t *vap, int flags,
+ #endif
+ 	vap->va_seq = zp->z_seq;
+ 	vap->va_flags = 0;	/* FreeBSD: Reset chflags(2) flags. */
++	vap->va_filerev = zp->z_seq;
+ 
+ 	/*
+ 	 * Add in any requested optional attributes and the create time.
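Review bot: The added assignment vap->va_filerev = zp->z_seq carries no comment, and two lines above it va_seq is already set from the same zp->z_seq, so a reader cannot tell from the code why both fields are needed. A one-line comment naming what consumes va_filerev (per EN-14:12, NFSv4 clients not seeing changed attributes after a rename) would keep the line from being removed as redundant later.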

Added: head/share/security/patches/EN-14:12/zfs.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/EN-14:12/zfs.patch.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUWU5xAAoJEO1n7NZdz2rnvzEQAOhDEi1MDJ5kuXjUFdMJZKiR
+xsslfTMBk3xUXiGldU3pFEYAe0xKvQKk2yHgjy1TYTo30UINqTcCkxVIgW06RMLm
+61/3Jt0BCboMz4Jg4TNuBZCS/gRI/bZyHP1abXCtTx3PnZUqKvezYX4+dir+CWLW
+km9fN4f9ieH8B7GjBTDv1d19jCK8/Vhjw3GtAlVmqor5wCmvmQLv6DLgfVp16Wrf
+lmLS9X/fSwTykVlhCQckaDnPt22klv0vUvg3P7BocTYCv44Be50nGPRhme0W7LNw
+r2jQPIzGmNsV3KhbilYvaEwm6iLqcgP6Hqrd7924MAM2fkr2qzSFAZYn12Ty3DSl
+K47+7DOBfQ7E/REoRMkXLdppUhcvrf/ooS5o98kTx8EEitmo0+ogndaP3WkPK5iR
+pyxyhTwRChlqM4DdYrrZ7TCu8XkxxShhoKtYH1IKn/ZIZw9UTMlOES6DqcNz9jIZ
+4yaW9TgffZ7S6c4/lVU5PyIbaZao/fT8HtWd+JubFpEc+J/0QkXA0MJuOxm+WgWY
+NUVOukFR4fKAIXfdnnN8bZqAfNidPQUaTwdmwy6Zsg2xJxe9L+IaViE8uCkJENic
+2T0Y1isfxPMf1MYBsdwRv8KfGtpudc24eRZEXbgdATjClj/CyQHeCQuHTOJDz649
+mEI6MBnMqzSdhf9pR7DX
+=S5Fz
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:24/sshd.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:24/sshd.patch	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,21 @@
+Index: secure/usr.sbin/sshd/Makefile
+===================================================================
+--- secure/usr.sbin/sshd/Makefile.orig
++++ secure/usr.sbin/sshd/Makefile
+@@ -57,6 +57,16 @@
+ DPADD+= ${LIBCRYPT} ${LIBCRYPTO} ${LIBZ}
+ LDADD+= -lcrypt -lcrypto -lz
+ 
++# Fix the order of NEEDED entries for libthr and libc. The libthr
++# needs to interpose libc symbols, leaving the libthr loading as
++# dependency of krb causes reversed order and broken interposing. Put
++# the threading library last on the linker command line, just before
++# the -lc added by a compiler driver.
++.if ${MK_KERBEROS_SUPPORT} != "no"
++DPADD+= ${LIBPTHREAD}
++LDADD+= -lpthread
++.endif
++
+ .if defined(LOCALBASE)
+ CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
+ .endif
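Review bot: The fix depends on -lpthread being the last LDADD entry, but the block is added in the middle of the Makefile and nothing in the visible context stops a later LDADD+= from ending up after -lpthread and reintroducing the ordering problem. Consider placing the block after all other library additions, or extend the comment to say it must stay last. The comment itself is hard to parse ("leaving the libthr loading as dependency of krb causes reversed order"); something like "when libthr is pulled in only as a dependency of the Kerberos libraries, it is ordered after libc and cannot interpose libc symbols" would be clearer.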

Added: head/share/security/patches/SA-14:24/sshd.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:24/sshd.patch.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUWU5yAAoJEO1n7NZdz2rncK8P/1ErftXKGU76gZEkjXW+xm0A
+daRQM+jwRLlplCA32Si++jj0LHGEL1wEFWT/Q3042vV2YjYT5mhi9EOvPVFouC7Z
+3f5PyXaC0gBqdu5lq8heahnEiwkU5z0WcyUOHDdYNVY0uSrRd2dT/yQ2RLMYw9S9
+B9ubILTmwZi2uASS43fuhRk4Hc4gXhlgV3WUtauXTRYSfDme+exmXMMjVxp/YpuH
+6QXH/hEOVN3L4aZ6yaVA/EvEgERpJlXLfSKREOOmVzeJ6VCQ3M7aqk6UMGQpUWDB
+bd929pvvgg5EsAGEAQI8QPs/zALL9fqLr7MEvjuDRMn4gBzf2ykngfN3s3+0VvuF
+Bd93Mf7/GZxjdB0QkRWPpGu1ngQr4645ZTPsrWafFDm+Q51fS/bZhoZZrfBcxZz/
+hgC9SKB7LfXHwf+QZkUQGEp31kjO/pmYnNVbFFM2rhCu7gzh//B2P1+ycF+nCIis
+fPZIfUXbdDhQ8fVV6H6WwdLHAgxz0CDSDdtSJBMWdwzzA5RykRamcvDbWCOCGASq
+BkrPsUgWJntJa+TNCQxpt0I85m/NxtpSOAua2/KHY9ZHJaQkl/58gaji0hoKauyU
+ZRfQP/yVoZ9GZMlUzdiv3xj7xOImYP4naQOLLy7v/aOkQ824QXD6vesPy76hp9lT
+xYacjZi9fbvmEFX6llHO
+=TFaU
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:25/setlogin-91.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:25/setlogin-91.patch	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,63 @@
+Index: sys/kern/kern_prot.c
+===================================================================
+--- sys/kern/kern_prot.c.orig
++++ sys/kern/kern_prot.c
+@@ -2073,19 +2073,20 @@
+ int
+ sys_getlogin(struct thread *td, struct getlogin_args *uap)
+ {
+-	int error;
+ 	char login[MAXLOGNAME];
+ 	struct proc *p = td->td_proc;
++	size_t len;
+ 
+ 	if (uap->namelen > MAXLOGNAME)
+ 		uap->namelen = MAXLOGNAME;
+ 	PROC_LOCK(p);
+ 	SESS_LOCK(p->p_session);
+-	bcopy(p->p_session->s_login, login, uap->namelen);
++	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
+ 	SESS_UNLOCK(p->p_session);
+ 	PROC_UNLOCK(p);
+-	error = copyout(login, uap->namebuf, uap->namelen);
+-	return(error);
++	if (len > uap->namelen)
++		return (ERANGE);
++	return (copyout(login, uap->namebuf, len));
+ }
+ 
+ /*
+@@ -2104,21 +2105,23 @@
+ 	int error;
+ 	char logintmp[MAXLOGNAME];
+ 
++	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
++
+ 	error = priv_check(td, PRIV_PROC_SETLOGIN);
+ 	if (error)
+ 		return (error);
+ 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
+-	if (error == ENAMETOOLONG)
+-		error = EINVAL;
+-	else if (!error) {
+-		PROC_LOCK(p);
+-		SESS_LOCK(p->p_session);
+-		(void) memcpy(p->p_session->s_login, logintmp,
+-		    sizeof(logintmp));
+-		SESS_UNLOCK(p->p_session);
+-		PROC_UNLOCK(p);
++	if (error != 0) {
++		if (error == ENAMETOOLONG)
++			error = EINVAL;
++		return (error);
+ 	}
+-	return (error);
++	PROC_LOCK(p);
++	SESS_LOCK(p->p_session);
++	strcpy(p->p_session->s_login, logintmp);
++	SESS_UNLOCK(p->p_session);
++	PROC_UNLOCK(p);
++	return (0);
+ }
+ 
+ void
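Review bot: In the sys_setlogin hunk, `strcpy(p->p_session->s_login, logintmp);` has no bound at the call site; it is safe only because copyinstr() succeeded into `logintmp` and because of the CTASSERT added at the top of the function. Using `strlcpy(p->p_session->s_login, logintmp, sizeof(p->p_session->s_login));` would keep the bound visible where the copy happens and would survive someone moving or dropping the assertion. Separately, a copy that stops at the terminator leaves whatever a previous, longer login name put in the rest of `s_login`; that is fine as long as every reader stops at the NUL the way the patched sys_getlogin does, and a one-line comment stating that expectation would be worth adding.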

Added: head/share/security/patches/SA-14:25/setlogin-91.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:25/setlogin-91.patch.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rnXBIP/jT00G4/lEHn8ZqvXylqkAcd
+Cq6X0C1TxNBvB2T2bdss63NwjSu91BxQJoVu+LNoKBOd3SHgfbAFuLHThTRQ5s4G
+OF7/woXnP5DyyTdXrPHPMMnc3bi1pLy9j3cTg+QJy5PQEM/lYqZB52E9hsgd62to
+tbp6wBe6tSGbrlOZG5E4yT4yEqRLhdz8IAhfzCNraRFxMEFGbTVl5cPK62h1tHZZ
+4mAKLXSiq1S2lFtbvNrwsnV/ohJlzOmyT0wy3cWJ4YIoufaImjnPsZzzGKvmDDib
+X90WNrM65fGRPZq6OaDSv3BuxSO8rD4+v9g/l2YyfMZrLq+JS+C/rwij79HiRUOT
+EnKyywoi0oC0/wHQ43Lx/RDV7dyvB+0VhDjBKH3YXmyDf+lWPbW8iqZQpIkilDD1
+2mFhHSr0ub44o37WIRe4p4WjG0WOxOFL4iNmiw6d704Hkgq1N5/LHrv7pNZwAn29
+vgHnKJtjq/MyH5QWoNLXopbrAjF+4YXOhUqhlWf95kdFRedOexv5GqHAi9Synnri
+MVYdOGXD1bs0b1tyjtXS1+vPq1teDBEA8Fr20IrnvPbcNRmZEhHW7va/TbPQTF5R
+p7tBycaki1V9WBBE5jE2oZRmpenegbPuzstYtcpm1pnm2dNL5MoeTefB3WNnmPWZ
+cdHvpwCQQURRaUyYnlxw
+=o8um
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:25/setlogin.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:25/setlogin.patch	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,64 @@
+Index: sys/kern/kern_prot.c
+===================================================================
+--- sys/kern/kern_prot.c.orig
++++ sys/kern/kern_prot.c
+@@ -2066,21 +2066,20 @@
+ int
+ sys_getlogin(struct thread *td, struct getlogin_args *uap)
+ {
+-	int error;
+ 	char login[MAXLOGNAME];
+ 	struct proc *p = td->td_proc;
++	size_t len;
+ 
+ 	if (uap->namelen > MAXLOGNAME)
+ 		uap->namelen = MAXLOGNAME;
+ 	PROC_LOCK(p);
+ 	SESS_LOCK(p->p_session);
+-	bcopy(p->p_session->s_login, login, uap->namelen);
++	len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
+ 	SESS_UNLOCK(p->p_session);
+ 	PROC_UNLOCK(p);
+-	if (strlen(login) + 1 > uap->namelen)
++	if (len > uap->namelen)
+ 		return (ERANGE);
+-	error = copyout(login, uap->namebuf, uap->namelen);
+-	return (error);
++	return (copyout(login, uap->namebuf, len));
+ }
+ 
+ /*
+@@ -2099,21 +2098,23 @@
+ 	int error;
+ 	char logintmp[MAXLOGNAME];
+ 
++	CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
++
+ 	error = priv_check(td, PRIV_PROC_SETLOGIN);
+ 	if (error)
+ 		return (error);
+ 	error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
+-	if (error == ENAMETOOLONG)
+-		error = EINVAL;
+-	else if (!error) {
+-		PROC_LOCK(p);
+-		SESS_LOCK(p->p_session);
+-		(void) memcpy(p->p_session->s_login, logintmp,
+-		    sizeof(logintmp));
+-		SESS_UNLOCK(p->p_session);
+-		PROC_UNLOCK(p);
++	if (error != 0) {
++		if (error == ENAMETOOLONG)
++			error = EINVAL;
++		return (error);
+ 	}
+-	return (error);
++	PROC_LOCK(p);
++	SESS_LOCK(p->p_session);
++	strcpy(p->p_session->s_login, logintmp);
++	SESS_UNLOCK(p->p_session);
++	PROC_UNLOCK(p);
++	return (0);
+ }
+ 
+ void
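Review bot: In the sys_getlogin hunk, the change from `copyout(login, uap->namebuf, uap->namelen)` to `copyout(login, uap->namebuf, len)` is the part that matters for security, and nothing in the code says why. `login` is an uninitialized stack array and strlcpy() writes only up to and including the terminator, so copying `namelen` bytes would hand the caller whatever followed it. Suggest a short comment above the copyout stating that bytes past the terminator must never be copied out, and noting that `len` is the strlcpy() return value plus one for the NUL, so a later cleanup does not restore the namelen-sized copy.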

Added: head/share/security/patches/SA-14:25/setlogin.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:25/setlogin.patch.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rn7IkQAOFzWal/xCl4moNG5SGXkJaR
+3I1a6Dhmti0gHEEUJrvGVW7wpqiVAyy2Qz2m3k2mSz0yr54PVCwGSQnUYBNI5GdG
+xC6Zv3e1PMDhKc5ZMq2f/3x/1yS+NzK9JsRcth3yTqA+LazcNZm2B4quGkfKfL/L
+Zz43Z+d67ZW5CRkfYGQlp6c70sryCltmyQXTlLTWhVEWpSrkN5zDjnKvAdnXo1gK
+Eb7sAimL8vbUyiphv7uAg7M4OrJ5LRWyLRSiWHVi1LTcVXS6OuWeIsxS3wFrqsZD
+EyhNyq95pyy9lE5csoUbsbNjvkjT/+M4WdSk+38QitYcJhIltLENYTViW3SFZ70T
+FThZdYwq1i5NyMeWWe5FF3IeU7obcXrtdNsNYgY1GDTfShwHYs5ViEKaVa9tw5qk
+6Me1HcBs1JoyZklNUrFyXyf1fMp5mtDrRrsgOOfu4r5tqJFHqW8GBFWLlJsJVJzq
+65jnNToSlKPGN4aO4iCMA2S1EZOOE0hi5b3/u+FlAg/QmZAQCTwXAQzrgumetklX
+DPyffhEx0NacaRuRSjE77GkQ8GIR9XxJW+or3a5WaVoHfIwER1SZdJjbOZ8hzog3
+I2TIqmvbzGx89Ref84kjio3S786cvPQvFbDeDJbaatn+V0SedG23+TM8txUtwUOt
+dll5L1WYjpDnPqSj3R7V
+=c72I
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:26/ftp-8.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:26/ftp-8.patch	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,69 @@
+Index: contrib/lukemftp/src/fetch.c
+===================================================================
+--- contrib/lukemftp/src/fetch.c.orig
++++ contrib/lukemftp/src/fetch.c
+@@ -540,7 +540,7 @@
+ 	url_decode(decodedpath);
+ 
+ 	if (outfile)
+-		savefile = xstrdup(outfile);
++		savefile = outfile;
+ 	else {
+ 		cp = strrchr(decodedpath, '/');		/* find savefile */
+ 		if (cp != NULL)
+@@ -566,8 +566,7 @@
+ 	rangestart = rangeend = entitylen = -1;
+ 	mtime = -1;
+ 	if (restartautofetch) {
+-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
+-		    stat(savefile, &sb) == 0)
++		if (stat(savefile, &sb) == 0)
+ 			restart_point = sb.st_size;
+ 	}
+ 	if (urltype == FILE_URL_T) {		/* file:// URLs */
+@@ -1085,17 +1084,25 @@
+ 	}		/* end of ftp:// or http:// specific setup */
+ 
+ 			/* Open the output file. */
+-	if (strcmp(savefile, "-") == 0) {
+-		fout = stdout;
+-	} else if (*savefile == '|') {
+-		oldintp = xsignal(SIGPIPE, SIG_IGN);
+-		fout = popen(savefile + 1, "w");
+-		if (fout == NULL) {
+-			warn("Can't run `%s'", savefile + 1);
+-			goto cleanup_fetch_url;
++
++	/*
++	 * Only trust filenames with special meaning if they came from
++	 * the command line
++	 */
++	if (outfile == savefile) {
++		if (strcmp(savefile, "-") == 0) {
++			fout = stdout;
++		} else if (*savefile == '|') {
++			oldintp = xsignal(SIGPIPE, SIG_IGN);
++			fout = popen(savefile + 1, "w");
++			if (fout == NULL) {
++				warn("Can't execute `%s'", savefile + 1);
++				goto cleanup_fetch_url;
++			}
++			closefunc = pclose;
+ 		}
+-		closefunc = pclose;
+-	} else {
++	}
++	if (fout == NULL) {
+ 		if ((rangeend != -1 && rangeend <= restart_point) ||
+ 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
+ 			/* already done */
+@@ -1278,7 +1285,8 @@
+ 		(*closefunc)(fout);
+ 	if (res0)
+ 		freeaddrinfo(res0);
+-	FREEPTR(savefile);
++	if (savefile != outfile)
++		FREEPTR(savefile);
+ 	FREEPTR(user);
+ 	FREEPTR(pass);
+ 	FREEPTR(host);
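Review bot: In the second hunk, dropping the `strcmp(savefile, "-") != 0 && *savefile != '|'` guard means `stat(savefile, &sb)` now also runs when the user passed `-` or `|command` as the output on the command line. If a file with that literal name exists in the working directory, `restart_point` is set from its size even though the output goes to stdout or a pipe. Suggest keeping the exclusion for the trusted case, for example by skipping the stat when `outfile == savefile` and the name is `-` or starts with `|`, which matches the test the third hunk uses before honouring those names. Minor: the `Can't run` to `Can't execute` message change is unrelated to the fix and would be easier to audit as a separate commit.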

Added: head/share/security/patches/SA-14:26/ftp-8.patch.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:26/ftp-8.patch.asc	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJUWU5zAAoJEO1n7NZdz2rnL8oP/RHdyCs8fERJMVysB5JvlZNi
+ONzdlUforbspVVcftM5eATZFYxzSPxiGnkBV/K3iudglaHHOnhIB3B8vDi4RXQhI
+aSTEPJ8WvjhhBdld3he+EsihDEmx0e64EG8RlViv8Uec35FqzmGH36fQIu7pVp0M
+0NfPma0h2WjK4mifBunEyg4KEv8pmsWzzPUZUALTXO2Q4INLhSKu6yiAxiab2RXn
+cE09UX6MPHT5lkISSBAN1YjJDjg2sL86d01Ar+1G5iH/Rf3IIoV30bPvfYO2c5Co
+cZacymlTiakc/JWTxyZAd9jWJTfp6I2Htt8YSygsiRZnJ0WYMaoFb/tzel8U+jXf
+UkZTeJtm08xeMS2jVax2j7ceJkWxsFcD0P5LDzIDw3Y+atdONJlknIjEyUq5+9uZ
+IywGZGyQFwh3Xz0YVEdKI+81kEW5amRypdRFKijpLkwKwo9FIIQmtBNQZR7xMdgo
+JcPvtnzy/3AARVVjv3KLFnj+VTAwnGVOuEb3164ISfhaeU+ny9CKeR/6XRstNaW2
+c0oKO+LsX+6xXC3QIUqBo0grNsNk0SBQpBQCApwPWE0SP/fQ4IcCjx6HsSTnnOKJ
+Z1ssejQUPex7Dz8I+wdl92qbUGckdqH/dIl+oI+fxMHRpsNPOEBN6i46zVideojt
+NhBAdZGUtj80bGfm+2g1
+=KPRE
+-----END PGP SIGNATURE-----

Added: head/share/security/patches/SA-14:26/ftp.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/patches/SA-14:26/ftp.patch	Wed Nov  5 00:28:45 2014	(r45928)
@@ -0,0 +1,69 @@
+Index: contrib/tnftp/src/fetch.c
+===================================================================
+--- contrib/tnftp/src/fetch.c.orig
++++ contrib/tnftp/src/fetch.c
+@@ -547,7 +547,7 @@
+ 	url_decode(decodedpath);
+ 
+ 	if (outfile)
+-		savefile = ftp_strdup(outfile);
++		savefile = outfile;
+ 	else {
+ 		cp = strrchr(decodedpath, '/');		/* find savefile */
+ 		if (cp != NULL)
+@@ -571,8 +571,7 @@
+ 	rangestart = rangeend = entitylen = -1;
+ 	mtime = -1;
+ 	if (restartautofetch) {
+-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
+-		    stat(savefile, &sb) == 0)
++		if (stat(savefile, &sb) == 0)
+ 			restart_point = sb.st_size;
+ 	}
+ 	if (urltype == FILE_URL_T) {		/* file:// URLs */
+@@ -1098,17 +1097,25 @@
+ 	}		/* end of ftp:// or http:// specific setup */
+ 
+ 			/* Open the output file. */
+-	if (strcmp(savefile, "-") == 0) {
+-		fout = stdout;
+-	} else if (*savefile == '|') {
+-		oldintp = xsignal(SIGPIPE, SIG_IGN);
+-		fout = popen(savefile + 1, "w");
+-		if (fout == NULL) {
+-			warn("Can't execute `%s'", savefile + 1);
+-			goto cleanup_fetch_url;
++
++	/*
++	 * Only trust filenames with special meaning if they came from
++	 * the command line
++	 */
++	if (outfile == savefile) {
++		if (strcmp(savefile, "-") == 0) {
++			fout = stdout;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

