diff options
author | delphij <delphij@FreeBSD.org> | 2015-08-05 22:05:18 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2015-08-05 22:05:18 +0000 |
commit | 436a453ad01ebb78146f9831fe0b344759bd5e79 (patch) | |
tree | 4ad75ec02a682fdb8a5c3b0570f5e362a8edcbb6 | |
parent | dd4b100356a223038ddc1868b315593d91143e21 (diff) | |
download | FreeBSD-src-436a453ad01ebb78146f9831fe0b344759bd5e79.zip FreeBSD-src-436a453ad01ebb78146f9831fe0b344759bd5e79.tar.gz |
Fix patch(1) shell injection vulnerability via ed(1). [SA-15:18]
Fix routed remote denial of service vulnerability. [SA-15:19]
Approved by: so
-rw-r--r-- | UPDATING | 8 | ||||
-rw-r--r-- | sbin/routed/input.c | 6 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
-rw-r--r-- | usr.bin/patch/pathnames.h | 2 | ||||
-rw-r--r-- | usr.bin/patch/pch.c | 18 |
5 files changed, 31 insertions, 5 deletions
@@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150805: p17 FreeBSD-SA-15:18.bsdpatch + FreeBSD-SA-15:19.routed + + Fix patch(1) shell injection vulnerability via ed(1). + [SA-15:18] + + Fix routed remote denial of service vulnerability. [SA-15:19] + 20150728: p16 FreeBSD-SA-15:14.bsdpatch FreeBSD-SA-15:15.tcp FreeBSD-SA-15:16.openssh diff --git a/sbin/routed/input.c b/sbin/routed/input.c index aaef37c..6fc5529 100644 --- a/sbin/routed/input.c +++ b/sbin/routed/input.c @@ -160,6 +160,12 @@ input(struct sockaddr_in *from, /* received from this IP address */ trace_rip("Recv", "from", from, sifp, rip, cc); + if (sifp == 0) { + trace_pkt(" discard a request from an indirect router" + " (possibly an attack)"); + return; + } + if (rip->rip_vers == 0) { msglim(&bad_router, FROM_NADDR, "RIP version 0, cmd %d, packet received from %s", diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 886aac6..cf7a839 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p16" +BRANCH="RELEASE-p17" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/usr.bin/patch/pathnames.h b/usr.bin/patch/pathnames.h index d31300e..79d8fae 100644 --- a/usr.bin/patch/pathnames.h +++ b/usr.bin/patch/pathnames.h @@ -9,4 +9,4 @@ #include <paths.h> -#define _PATH_ED "/bin/ed" +#define _PATH_RED "/bin/red" diff --git a/usr.bin/patch/pch.c b/usr.bin/patch/pch.c index d9c4b3d..ccc913e 100644 --- a/usr.bin/patch/pch.c +++ b/usr.bin/patch/pch.c @@ -1,4 +1,3 @@ - /*- * Copyright 1986, Larry Wall * @@ -1400,13 +1399,14 @@ do_ed_script(void) char *t; long beginning_of_this_line; FILE *pipefp = NULL; + int continuation; if (!skip_rest_of_patch) { if (copy_file(filearg[0], TMPOUTNAME) < 0) { unlink(TMPOUTNAME); fatal("can't create temp file %s", TMPOUTNAME); } - snprintf(buf, buf_size, "%s%s%s", _PATH_ED, + snprintf(buf, buf_size, "%s%s%s", _PATH_RED, verbose ? " " : " -s ", TMPOUTNAME); pipefp = popen(buf, "w"); } @@ -1424,7 +1424,19 @@ do_ed_script(void) *t == 'd' || *t == 'i' || *t == 's')) { if (pipefp != NULL) fputs(buf, pipefp); - if (*t != 'd') { + if (*t == 's') { + for (;;) { + continuation = 0; + t = strchr(buf, '\0') - 1; + while (--t >= buf && *t == '\\') + continuation = !continuation; + if (!continuation || + pgets(true) == 0) + break; + if (pipefp != NULL) + fputs(buf, pipefp); + } + } else if (*t != 'd') { while (pgets(true)) { p_input_line++; if (pipefp != NULL) |