svn commit: r286351 - in releng/10.1: . sbin/routed sys/conf usr.bin/patch
Xin LI
delphij at FreeBSD.org
Wed Aug 5 22:05:21 UTC 2015
Author: delphij
Date: Wed Aug 5 22:05:18 2015
New Revision: 286351
URL: https://svnweb.freebsd.org/changeset/base/286351
Log:
Fix patch(1) shell injection vulnerability via ed(1). [SA-15:18]
Fix routed remote denial of service vulnerability. [SA-15:19]
Approved by: so
Modified:
releng/10.1/UPDATING
releng/10.1/sbin/routed/input.c
releng/10.1/sys/conf/newvers.sh
releng/10.1/usr.bin/patch/pathnames.h
releng/10.1/usr.bin/patch/pch.c
Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING Wed Aug 5 22:05:12 2015 (r286350)
+++ releng/10.1/UPDATING Wed Aug 5 22:05:18 2015 (r286351)
@@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
+20150805: p17 FreeBSD-SA-15:18.bsdpatch
+ FreeBSD-SA-15:19.routed
+
+ Fix patch(1) shell injection vulnerability via ed(1).
+ [SA-15:18]
+
+ Fix routed remote denial of service vulnerability. [SA-15:19]
+
20150728: p16 FreeBSD-SA-15:14.bsdpatch
FreeBSD-SA-15:15.tcp
FreeBSD-SA-15:16.openssh
Modified: releng/10.1/sbin/routed/input.c
==============================================================================
--- releng/10.1/sbin/routed/input.c Wed Aug 5 22:05:12 2015 (r286350)
+++ releng/10.1/sbin/routed/input.c Wed Aug 5 22:05:18 2015 (r286351)
@@ -160,6 +160,12 @@ input(struct sockaddr_in *from, /* rece
trace_rip("Recv", "from", from, sifp, rip, cc);
+ if (sifp == 0) {
+ trace_pkt(" discard a request from an indirect router"
+ " (possibly an attack)");
+ return;
+ }
+
if (rip->rip_vers == 0) {
msglim(&bad_router, FROM_NADDR,
"RIP version 0, cmd %d, packet received from %s",
Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh Wed Aug 5 22:05:12 2015 (r286350)
+++ releng/10.1/sys/conf/newvers.sh Wed Aug 5 22:05:18 2015 (r286351)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.1"
-BRANCH="RELEASE-p16"
+BRANCH="RELEASE-p17"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/10.1/usr.bin/patch/pathnames.h
==============================================================================
--- releng/10.1/usr.bin/patch/pathnames.h Wed Aug 5 22:05:12 2015 (r286350)
+++ releng/10.1/usr.bin/patch/pathnames.h Wed Aug 5 22:05:18 2015 (r286351)
@@ -9,4 +9,4 @@
#include <paths.h>
-#define _PATH_ED "/bin/ed"
+#define _PATH_RED "/bin/red"
Modified: releng/10.1/usr.bin/patch/pch.c
==============================================================================
--- releng/10.1/usr.bin/patch/pch.c Wed Aug 5 22:05:12 2015 (r286350)
+++ releng/10.1/usr.bin/patch/pch.c Wed Aug 5 22:05:18 2015 (r286351)
@@ -1,4 +1,3 @@
-
/*-
* Copyright 1986, Larry Wall
*
@@ -1400,13 +1399,14 @@ do_ed_script(void)
char *t;
long beginning_of_this_line;
FILE *pipefp = NULL;
+ int continuation;
if (!skip_rest_of_patch) {
if (copy_file(filearg[0], TMPOUTNAME) < 0) {
unlink(TMPOUTNAME);
fatal("can't create temp file %s", TMPOUTNAME);
}
- snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
+ snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
verbose ? " " : " -s ", TMPOUTNAME);
pipefp = popen(buf, "w");
}
@@ -1424,7 +1424,19 @@ do_ed_script(void)
*t == 'd' || *t == 'i' || *t == 's')) {
if (pipefp != NULL)
fputs(buf, pipefp);
- if (*t != 'd') {
+ if (*t == 's') {
+ for (;;) {
+ continuation = 0;
+ t = strchr(buf, '\0') - 1;
+ while (--t >= buf && *t == '\\')
+ continuation = !continuation;
+ if (!continuation ||
+ pgets(true) == 0)
+ break;
+ if (pipefp != NULL)
+ fputs(buf, pipefp);
+ }
+ } else if (*t != 'd') {
while (pgets(true)) {
p_input_line++;
if (pipefp != NULL)
More information about the svn-src-all
mailing list