svn commit: r287147 - in releng/9.3: . crypto/openssh sys/amd64/amd64 sys/conf usr.sbin/pkg
Xin LI
delphij at FreeBSD.org
Tue Aug 25 20:49:09 UTC 2015
Author: delphij
Date: Tue Aug 25 20:49:05 2015
New Revision: 287147
URL: https://svnweb.freebsd.org/changeset/base/287147
Log:
Fix local privilege escalation in IRET handler. [SA-15:21]
Fix OpenSSH multiple vulnerabilities. [SA-15:22]
Fix insufficient check of unsupported pkg(7) signature methods.
[EN-15:15]
Approved by: so
Modified:
releng/9.3/UPDATING
releng/9.3/crypto/openssh/monitor.c
releng/9.3/crypto/openssh/monitor_wrap.c
releng/9.3/crypto/openssh/mux.c
releng/9.3/sys/amd64/amd64/exception.S
releng/9.3/sys/amd64/amd64/machdep.c
releng/9.3/sys/amd64/amd64/trap.c
releng/9.3/sys/conf/newvers.sh
releng/9.3/usr.sbin/pkg/pkg.c
Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/UPDATING Tue Aug 25 20:49:05 2015 (r287147)
@@ -11,6 +11,17 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20150825: p24 FreeBSD-SA-15:21.amd64
+ FreeBSD-SA-15:22.openssh
+ FreeBSD-EN-15:15.pkg
+
+ Fix local privilege escalation in IRET handler. [SA-15:21]
+
+ Fix OpenSSH multiple vulnerabilities. [SA-15:22]
+
+ Fix insufficient check of unsupported pkg(7) signature methods.
+ [EN-15:15]
+
20150818: p23 FreeBSD-SA-15:20.expat
Fix multiple integer overflows in expat (libbsdxml) XML parser.
Modified: releng/9.3/crypto/openssh/monitor.c
==============================================================================
--- releng/9.3/crypto/openssh/monitor.c Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/crypto/openssh/monitor.c Tue Aug 25 20:49:05 2015 (r287147)
@@ -1027,9 +1027,7 @@ extern KbdintDevice sshpam_device;
int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{
-
debug3("%s", __func__);
- authctxt->user = buffer_get_string(m, NULL);
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
@@ -1111,14 +1109,16 @@ mm_answer_pam_respond(int sock, Buffer *
int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
debug3("%s", __func__);
(sshpam_device.free_ctx)(sshpam_ctxt);
+ sshpam_ctxt = sshpam_authok = NULL;
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive";
auth_submethod = "pam";
- return (sshpam_authok == sshpam_ctxt);
+ return r;
}
#endif
Modified: releng/9.3/crypto/openssh/monitor_wrap.c
==============================================================================
--- releng/9.3/crypto/openssh/monitor_wrap.c Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/crypto/openssh/monitor_wrap.c Tue Aug 25 20:49:05 2015 (r287147)
@@ -820,7 +820,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
debug3("%s", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, authctxt->user);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
Modified: releng/9.3/crypto/openssh/mux.c
==============================================================================
--- releng/9.3/crypto/openssh/mux.c Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/crypto/openssh/mux.c Tue Aug 25 20:49:05 2015 (r287147)
@@ -635,7 +635,8 @@ process_mux_open_fwd(u_int rid, Channel
u_int lport, cport;
int i, ret = 0, freefwd = 1;
- fwd.listen_host = fwd.connect_host = NULL;
+ memset(&fwd, 0, sizeof(fwd));
+
if (buffer_get_int_ret(&ftype, m) != 0 ||
(fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&lport, m) != 0 ||
@@ -785,7 +786,8 @@ process_mux_close_fwd(u_int rid, Channel
int i, listen_port, ret = 0;
u_int lport, cport;
- fwd.listen_host = fwd.connect_host = NULL;
+ memset(&fwd, 0, sizeof(fwd));
+
if (buffer_get_int_ret(&ftype, m) != 0 ||
(fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
buffer_get_int_ret(&lport, m) != 0 ||
Modified: releng/9.3/sys/amd64/amd64/exception.S
==============================================================================
--- releng/9.3/sys/amd64/amd64/exception.S Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/sys/amd64/amd64/exception.S Tue Aug 25 20:49:05 2015 (r287147)
@@ -154,9 +154,13 @@ IDTVEC(xmm)
IDTVEC(tss)
TRAP_ERR(T_TSSFLT)
IDTVEC(missing)
- TRAP_ERR(T_SEGNPFLT)
+ subq $TF_ERR,%rsp
+ movl $T_SEGNPFLT,TF_TRAPNO(%rsp)
+ jmp prot_addrf
IDTVEC(stk)
- TRAP_ERR(T_STKFLT)
+ subq $TF_ERR,%rsp
+ movl $T_STKFLT,TF_TRAPNO(%rsp)
+ jmp prot_addrf
IDTVEC(align)
TRAP_ERR(T_ALIGNFLT)
@@ -319,6 +323,7 @@ IDTVEC(page)
IDTVEC(prot)
subq $TF_ERR,%rsp
movl $T_PROTFLT,TF_TRAPNO(%rsp)
+prot_addrf:
movq $0,TF_ADDR(%rsp)
movq %rdi,TF_RDI(%rsp) /* free up a GP register */
leaq doreti_iret(%rip),%rdi
Modified: releng/9.3/sys/amd64/amd64/machdep.c
==============================================================================
--- releng/9.3/sys/amd64/amd64/machdep.c Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/sys/amd64/amd64/machdep.c Tue Aug 25 20:49:05 2015 (r287147)
@@ -428,6 +428,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi,
regs->tf_rflags &= ~(PSL_T | PSL_D);
regs->tf_cs = _ucodesel;
regs->tf_ds = _udatasel;
+ regs->tf_ss = _udatasel;
regs->tf_es = _udatasel;
regs->tf_fs = _ufssel;
regs->tf_gs = _ugssel;
Modified: releng/9.3/sys/amd64/amd64/trap.c
==============================================================================
--- releng/9.3/sys/amd64/amd64/trap.c Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/sys/amd64/amd64/trap.c Tue Aug 25 20:49:05 2015 (r287147)
@@ -473,8 +473,6 @@ trap(struct trapframe *frame)
goto out;
case T_STKFLT: /* stack fault */
- break;
-
case T_PROTFLT: /* general protection fault */
case T_SEGNPFLT: /* segment not present fault */
if (td->td_intr_nesting_level != 0)
Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/sys/conf/newvers.sh Tue Aug 25 20:49:05 2015 (r287147)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.3"
-BRANCH="RELEASE-p23"
+BRANCH="RELEASE-p24"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.3/usr.sbin/pkg/pkg.c
==============================================================================
--- releng/9.3/usr.sbin/pkg/pkg.c Tue Aug 25 20:48:58 2015 (r287146)
+++ releng/9.3/usr.sbin/pkg/pkg.c Tue Aug 25 20:49:05 2015 (r287147)
@@ -749,7 +749,13 @@ bootstrap_pkg(bool force)
goto fetchfail;
if (signature_type != NULL &&
- strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+ strcasecmp(signature_type, "NONE") != 0) {
+ if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+ warnx("Signature type %s is not supported for "
+ "bootstrapping.", signature_type);
+ goto cleanup;
+ }
+
snprintf(tmpsig, MAXPATHLEN, "%s/pkg.txz.sig.XXXXXX",
getenv("TMPDIR") ? getenv("TMPDIR") : _PATH_TMP);
snprintf(url, MAXPATHLEN, "%s/Latest/pkg.txz.sig",
@@ -834,7 +840,13 @@ bootstrap_pkg_local(const char *pkgpath,
return (-1);
}
if (signature_type != NULL &&
- strcasecmp(signature_type, "FINGERPRINTS") == 0) {
+ strcasecmp(signature_type, "NONE") != 0) {
+ if (strcasecmp(signature_type, "FINGERPRINTS") != 0) {
+ warnx("Signature type %s is not supported for "
+ "bootstrapping.", signature_type);
+ goto cleanup;
+ }
+
snprintf(path, sizeof(path), "%s.sig", pkgpath);
if ((fd_sig = open(path, O_RDONLY)) == -1) {
More information about the svn-src-all
mailing list