From owner-svn-src-stable-6@FreeBSD.ORG Tue Apr 21 10:51:22 2009 Return-Path: Delivered-To: svn-src-stable-6@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 730441065743; Tue, 21 Apr 2009 10:51:22 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 605A78FC0A; Tue, 21 Apr 2009 10:51:22 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n3LApMJQ080498; Tue, 21 Apr 2009 10:51:22 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n3LApMPv080497; Tue, 21 Apr 2009 10:51:22 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <200904211051.n3LApMPv080497@svn.freebsd.org> From: Colin Percival Date: Tue, 21 Apr 2009 10:51:22 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r191352 - in stable/6/contrib/ntp: . ntpq X-BeenThere: svn-src-stable-6@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 6-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Apr 2009 10:51:23 -0000 Author: cperciva Date: Tue Apr 21 10:51:22 2009 New Revision: 191352 URL: http://svn.freebsd.org/changeset/base/191352 Log: MFH r191302: Fix a buffer overflow. For reasons of stack alignment, it does not appear that this is exploitable on any systems FreeBSD runs on, so this will not be getting a security advisory. Modified: stable/6/contrib/ntp/ (props changed) stable/6/contrib/ntp/ntpq/ntpq.c Modified: stable/6/contrib/ntp/ntpq/ntpq.c ============================================================================== --- stable/6/contrib/ntp/ntpq/ntpq.c Tue Apr 21 10:49:40 2009 (r191351) +++ stable/6/contrib/ntp/ntpq/ntpq.c Tue Apr 21 10:51:22 2009 (r191352) @@ -3185,9 +3185,9 @@ cookedprint( if (!decodeuint(value, &uval)) output_raw = '?'; else { - char b[10]; + char b[12]; - (void) sprintf(b, "%03lo", uval); + (void) snprintf(b, sizeof(b), "%03lo", uval); output(fp, name, b); } break; From owner-svn-src-stable-6@FreeBSD.ORG Wed Apr 22 14:07:16 2009 Return-Path: Delivered-To: svn-src-stable-6@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DDF091065670; Wed, 22 Apr 2009 14:07:16 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id C814E8FC19; Wed, 22 Apr 2009 14:07:16 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n3ME7GI2058332; Wed, 22 Apr 2009 14:07:16 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n3ME7GFV058329; Wed, 22 Apr 2009 14:07:16 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <200904221407.n3ME7GFV058329@svn.freebsd.org> From: Colin Percival Date: Wed, 22 Apr 2009 14:07:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r191381 - head/crypto/openssl/crypto/asn1 releng/6.3 releng/6.3/crypto/openssl/crypto/asn1 releng/6.3/lib/libc/db/btree releng/6.3/lib/libc/db/hash releng/6.3/lib/libc/db/mpool releng/6... X-BeenThere: svn-src-stable-6@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 6-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Apr 2009 14:07:17 -0000 Author: cperciva Date: Wed Apr 22 14:07:14 2009 New Revision: 191381 URL: http://svn.freebsd.org/changeset/base/191381 Log: Don't leak information via uninitialized space in db(3) records. [09:07] Sanity-check string lengths in order to stop OpenSSL crashing when printing corrupt BMPString or UniversalString objects. [09:08] Security: FreeBSD-SA-09:07.libc Security: FreeBSD-SA-09:08.openssl Security: CVE-2009-0590 Approved by: re (kensmith) Approved by: so (cperciva) Modified: stable/6/crypto/openssl/crypto/asn1/asn1.h stable/6/crypto/openssl/crypto/asn1/asn1_err.c stable/6/crypto/openssl/crypto/asn1/tasn_dec.c Changes in other areas also in this revision: Modified: head/crypto/openssl/crypto/asn1/asn1.h head/crypto/openssl/crypto/asn1/asn1_err.c head/crypto/openssl/crypto/asn1/tasn_dec.c releng/6.3/UPDATING releng/6.3/crypto/openssl/crypto/asn1/asn1.h releng/6.3/crypto/openssl/crypto/asn1/asn1_err.c releng/6.3/crypto/openssl/crypto/asn1/tasn_dec.c releng/6.3/lib/libc/db/btree/bt_split.c releng/6.3/lib/libc/db/hash/hash_buf.c releng/6.3/lib/libc/db/mpool/mpool.c releng/6.3/sys/conf/newvers.sh releng/6.4/UPDATING releng/6.4/crypto/openssl/crypto/asn1/asn1.h releng/6.4/crypto/openssl/crypto/asn1/asn1_err.c releng/6.4/crypto/openssl/crypto/asn1/tasn_dec.c releng/6.4/lib/libc/db/btree/bt_split.c releng/6.4/lib/libc/db/hash/hash_buf.c releng/6.4/lib/libc/db/mpool/mpool.c releng/6.4/sys/conf/newvers.sh releng/7.0/UPDATING releng/7.0/crypto/openssl/crypto/asn1/asn1.h releng/7.0/crypto/openssl/crypto/asn1/asn1_err.c releng/7.0/crypto/openssl/crypto/asn1/tasn_dec.c releng/7.0/lib/libc/db/btree/bt_split.c releng/7.0/lib/libc/db/hash/hash_buf.c releng/7.0/lib/libc/db/mpool/mpool.c releng/7.0/sys/conf/newvers.sh releng/7.1/UPDATING releng/7.1/crypto/openssl/crypto/asn1/asn1.h releng/7.1/crypto/openssl/crypto/asn1/asn1_err.c releng/7.1/crypto/openssl/crypto/asn1/tasn_dec.c releng/7.1/lib/libc/db/btree/bt_split.c releng/7.1/lib/libc/db/hash/hash_buf.c releng/7.1/lib/libc/db/mpool/mpool.c releng/7.1/sys/conf/newvers.sh releng/7.2/UPDATING releng/7.2/crypto/openssl/crypto/asn1/asn1.h releng/7.2/crypto/openssl/crypto/asn1/asn1_err.c releng/7.2/crypto/openssl/crypto/asn1/tasn_dec.c stable/7/crypto/openssl/crypto/asn1/asn1.h stable/7/crypto/openssl/crypto/asn1/asn1_err.c stable/7/crypto/openssl/crypto/asn1/tasn_dec.c Modified: stable/6/crypto/openssl/crypto/asn1/asn1.h ============================================================================== --- stable/6/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 13:31:52 2009 (r191380) +++ stable/6/crypto/openssl/crypto/asn1/asn1.h Wed Apr 22 14:07:14 2009 (r191381) @@ -1030,6 +1030,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1088,6 +1089,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 Modified: stable/6/crypto/openssl/crypto/asn1/asn1_err.c ============================================================================== --- stable/6/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 13:31:52 2009 (r191380) +++ stable/6/crypto/openssl/crypto/asn1/asn1_err.c Wed Apr 22 14:07:14 2009 (r191381) @@ -153,6 +153,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ASN1_R_BAD_OBJECT_HEADER ,"bad object header"}, {ASN1_R_BAD_PASSWORD_READ ,"bad password read"}, {ASN1_R_BAD_TAG ,"bad tag"}, +{ASN1_R_BMPSTRING_IS_WRONG_LENGTH ,"bmpstring is wrong length"}, {ASN1_R_BN_LIB ,"bn lib"}, {ASN1_R_BOOLEAN_IS_WRONG_LENGTH ,"boolean is wrong length"}, {ASN1_R_BUFFER_TOO_SMALL ,"buffer too small"}, @@ -211,6 +212,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ASN1_R_UNABLE_TO_DECODE_RSA_KEY ,"unable to decode rsa key"}, {ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"}, {ASN1_R_UNEXPECTED_EOC ,"unexpected eoc"}, +{ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH ,"universalstring is wrong length"}, {ASN1_R_UNKNOWN_FORMAT ,"unknown format"}, {ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"}, {ASN1_R_UNKNOWN_OBJECT_TYPE ,"unknown object type"}, Modified: stable/6/crypto/openssl/crypto/asn1/tasn_dec.c ============================================================================== --- stable/6/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 13:31:52 2009 (r191380) +++ stable/6/crypto/openssl/crypto/asn1/tasn_dec.c Wed Apr 22 14:07:14 2009 (r191381) @@ -768,6 +768,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if(!*pval) { stmp = ASN1_STRING_type_new(utype);