From: Gordon Tetlow
Date: Tue, 27 Nov 2018 20:00:28 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r52522 - in head/share: security/advisories security/patches/EN-18:13 security/patches/EN-18:14 security/patches/EN-18:15 security/patches/SA-18:13 xml

Author: gordon (src,ports committer)
Date: Tue Nov 27 20:00:28 2018
New Revision: 52522
URL: https://svnweb.freebsd.org/changeset/doc/52522

Log:
  Add SA-18:13 and EN-18:13 through EN-18:15.

  Approved by: so

Added:
  head/share/security/advisories/FreeBSD-EN-18:13.icmp.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-18:14.tzdata.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-EN-18:15.loader.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-18:13.nfs.asc (contents, props changed)
  head/share/security/patches/EN-18:13/
  head/share/security/patches/EN-18:13/icmp.patch (contents, props changed)
  head/share/security/patches/EN-18:13/icmp.patch.asc (contents, props changed)
  head/share/security/patches/EN-18:14/
  head/share/security/patches/EN-18:14/tzdata-2018g.patch (contents, props changed)
  head/share/security/patches/EN-18:14/tzdata-2018g.patch.asc (contents, props changed)
  head/share/security/patches/EN-18:15/
  head/share/security/patches/EN-18:15/loader.patch (contents, props changed)
  head/share/security/patches/EN-18:15/loader.patch.asc (contents, props changed)
  head/share/security/patches/SA-18:13/
  head/share/security/patches/SA-18:13/nfs.patch (contents, props changed)
  head/share/security/patches/SA-18:13/nfs.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-18:13.icmp.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:13.icmp.asc Tue Nov 27 20:00:28 2018 (r52522) 
@@ -0,0 +1,135 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:13.icmp Errata Notice + The FreeBSD Project + +Topic: ICMP buffer underwrite + +Category: core +Module: kernel +Announced: 2018-11-27 +Affects: All supported versions of FreeBSD. +Corrected: 2018-11-08 21:58:51 UTC (stable/11, 11.2-STABLE) + 2018-11-27 19:43:16 UTC (releng/11.2, 11.2-RELEASE-p5) +CVE Name: CVE-2018-17156 + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +ICMP messages are control messages used to send error messages and +operational information. + +II. Problem Description + +The icmp_error routine allocates either an mbuf or a cluster depending on the +size of the data to be quoted in the ICMP reply, but the calculation failed +to account for additional padding on 64-bit platforms when using a +non-default sysctl value for net.inet.icmp.quotelen. + +III. Impact + +For systems that set net.inet.icmp.quotelen to a non-default value, a buffer +underwrite condition occurs. + +IV. Workaround + +Reset net.inet.icmp.quotelen to default value of 8 using sysctl(8): + +# sysctl net.inet.icmp.quotelen=8 + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterwards, reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterwards, reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/EN-18:13/icmp.patch +# fetch https://security.FreeBSD.org/patches/EN-18:13/icmp.patch.asc +# gpg --verify icmp.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r340268 +releng/11.2/ r341089 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+FfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKLuRAAqkua0loRn3k5N5OjGl1MFMiCX3Yg7pu7oQ0N/ZifqDOt8B8slp4+qjSO +VyH07EFrk5FTz2WKXShqWcdZAL8+dBUHQaMATBI++ORiPBE+lBjYCZ1/+wrw7ie4 +bOjJ4F0d/4ijs+qkt/T0hFBPGMVbF8Xafbm29P6H0mjYPNSID64g+TQacVVUQfhN +aLXCfkXFXusbOzFT0DRY8vy+SdsV2anqo3979W4G//+ytGvvwxqy6g+8N8CphUSM +3vxCSvNxkd5o0C5EY53QbwueZ3A4nCnQQwGB2AFQnN9fDT1genIPzGjo0fQ8iY36 +lQiSeEg9VVSMLRiey8ix7JlLShVCUADt3dNamSMJiNz4Vo4dAjD4tKNPDGFfKhoQ +edUEDTSBbqtN8BbW2e/hiHZSu6vQmXwgI6tKtuEcKPHZbnW/wr+XzyrwcwYBXsNA +xK1aGokHr7W0T2FTOZ9b9i4mfZLL8gfr70FBi7/INEbmQYPDylT2VCsoQO7Wox8o +uhbXRxtlwZ1ix3POlhzTotjJSou8ny2PZnBVzu/64fGbIFWS4bCk35HmRIlN4lt6 +ViAGBFJprJpcitFhOX51SBEgh689LKOuVUmucO2rpXAg53XzUR1xCvC3O2uY78AU +fHp/0Gro0HeA45NY8zqQgv0VjbjTXw9mBOi2WCI9EKo+G3cYjOg= +=kqz6 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-18:14.tzdata.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:14.tzdata.asc Tue Nov 27 20:00:28 2018 (r52522) 
@@ -0,0 +1,143 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:14.tzdata Errata Notice + The FreeBSD Project + +Topic: Timezone database information update + +Category: contrib +Module: zoneinfo +Announced: 2018-11-27 +Credits: Philip Paeps +Affects: All supported versions of FreeBSD. +Corrected: 2018-10-31 02:01:28 UTC (stable/11, 11.2-STABLE) + 2018-11-27 19:44:39 UTC (releng/11.2, 11.2-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The tzsetup(8) program allows the user to specify the default local timezone. +Based on the selected timezone, tzsetup(8) copies one of the files from +/usr/share/zoneinfo to /etc/localtime. This file actually controls the +conversion. + +II. Problem Description + +Several changes in Daylight Savings Time happened after previous FreeBSD +releases were released that would affect many people who live in different +countries. Because of these changes, the data in the zoneinfo files need to +be updated, and if the local timezone on the running system is affected, +tzsetup(8) needs to be run so the /etc/localtime is updated. + +III. Impact + +An incorrect time will be displayed on a system configured to use one of the +affected timezones if the /usr/share/zoneinfo and /etc/localtime files are +not updated, and all applications on the system that rely on the system time, +such as cron(8) and syslog(8), will be affected. + +IV. Workaround + +The system administrator can install an updated timezone database from the +misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected. + +Applications that store and display times in Coordinated Universal Time (UTC) +are not affected. + +V. 
Solution + +Please note that some third party software, for instance PHP, Ruby, Java and +Perl, may be using different zoneinfo data source, in such cases this +software must be updated separately. For software packages that is installed +via binary packages, they can be upgraded by executing `pkg upgrade'. + +Following the instructions in this Errata Notice will update all of the +zoneinfo files to be the same as what was released with FreeBSD release. + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. Restart all the affected +applications and daemons, or reboot the system. + +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Restart all the affected applications and daemons, or reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-18:14/tzdata-2018g.patch +# fetch https://security.FreeBSD.org/patches/EN-18:14/tzdata-2018g.patch.asc +# gpg --verify tzdata-2018g.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in . + +Restart all the affected applications and daemons, or reboot the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r339938 +releng/11.2/ r341091 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+ZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKLTA//f+IoMMK1aLX9Dj1JxdapNpqDjAhL1G+K13uUaLFI8r5+2/WGkZXWvwfh +8z9+KQA76gidGia4zac7DcXXogsqU2ld/JWOMKNgt5RxS43U4LvBAzyMnD1VxWUs +1Z+aMre+h4FW0sB+Hx7/Uo2Mcd70mNEmGMFCilEO6P+XaYY98AGyLIkX7t5XW4cF +6chmLy/gJAXKAsPv1sDHvlvvkLf8rdZuZ/Z5JID6nQsZU7RHKhr0IQqZ6SIURhEo +9TZSnUy+F9CCBPQNz8Sv6S9i/7ggCjyAeaiXQUO4gEvsGUJiovt6MOdeeCQbTnOK +0Gk7gCZ4SGF3nLXSKX4/AFLJn5Kro0v+88Lwoi/hJWhkEGQKgsE4BMMFXxI3Ukah +AQ1snXG1/H9dgY1Os1XEjXx4Oxq2Qbeu+Hqppc+YY00Q9b3k8OAEVBDZlgtHlBGc +oyOeffWw2nB/Vn8vOl3r+r2wUoTsjU8nVNXZLFMROQadRH2WPEpfSeHM/5PyBCW8 +0LPru9Nrt/GbR8wqXSY8Zr7KWIAEC5nLxT0HO8sfbYv6gbEHjUNPezalaTWRn4TZ +0m2OHu2x2Tir5rcUgxsDvz0/LrB6RM8B0TPAqF77fIxvB+Hor6W3PCJbLuNnPiyK +ELx2PeumYDKoSxpcQXFPku24SqMYY5du9x80aoFv1tGxZOAJfMw= +=2jLJ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-EN-18:15.loader.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-EN-18:15.loader.asc Tue Nov 27 20:00:28 2018 (r52522) 
@@ -0,0 +1,132 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-18:15.loader Errata Notice + The FreeBSD Project + +Topic: Deferred kernel loading breaks loader password + +Category: core +Module: loader +Announced: 2018-11-27 +Credits: Devin Teske +Affects: All supported versions of FreeBSD. +Corrected: 2018-10-24 23:17:17 UTC (stable/11, 11.2-STABLE) + 2018-11-27 19:45:25 UTC (releng/11.2, 11.2-RELEASE-p5) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +. + +I. Background + +The loader is a FreeBSD component which is part of the boot sequence for a +machine. The loader is most commonly visible with the "beastie" boot menu, +allowing specification of different boot time parameters. + +II. Problem Description + +A change in the loader to allow deferred loading of the kernel introduced a +bug when using a loader password. After this change and when the loader +password is enabled, the menu is not loaded and instead the machine goes into +the autoboot routine. The autoboot routine then fails when the kernel has +not yet been loaded, yielding a loader prompt where the user has full control +of the boot process. + +III. Impact + +Setting the loader password with the intention of preventing the user from +bypassing the boot process instead causes the boot to fail and gives the user +full control of the boot process. + +IV. Workaround + +No workaround is available, but systems that do not use a loader password are +not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Afterward, reboot the system. 
+ +2) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/EN-18:15/loader.patch +# fetch https://security.FreeBSD.org/patches/EN-18:15/loader.patch.asc +# gpg --verify loader.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in and reboot +the system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r339697 +releng/11.2/ r341093 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+tfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJRKQ//cJzGNBcKnH3cAltXRM2eWqv6L2UAPYfOs5QEArIB5x4IR+wqc53AbyG4 +AlpWAUf1KCwOFV+ceflihmYiWPPUqSV6nn+0My+uEFQebu8j00D5Mer/x9g6SikB +x65zXS//rHidaf5KWOKMajEW+jtC9JS42ffdyk+KgEYM4UCNY60iKhJ74rtwRjun +RwYKBXdtOcbS9Tp/SIIB3tQm1orhK5xe4w+kG4nM9Cz5OYk4j/GmcudWICjzjNzG +QxGENiDePEjLoCZTHn2Rgntwp0AjNY5FxdR8CgN5GtYHIepJIscE7BlYA6kZDoG9 +e+01e3d7oAz92Dx8h59AkOGZPNI2lL4ZnBAcrpsZa+YkV67kxMHOIGp6faRYdWsf ++Ew8fh7AbVVhBO4yKWyoHkbREof07Iq3hXX7pi/Imb+nsYYPC6x0vax+qv823P4/ +jnqIryC3MWezOIkTD6B752yED3prP3TDFi+/Lo2ke2K4rPkVRsMfRojcKaKVnWLl +HpgyffSiVv/dwv005Mdx0kCBnKtZthO9D0GHZSkRIXw2r5C5QQ8F7/EABfWFq1iN +sM+J682zjJhbFgFzJGceAQGrgVlN91AIl3Ipp2ggi33qQTEOreItRJdN7WBgSI3s +fTqA6OqgbknpWmCvusu/gi+SMjbO3Hk2hR6noB4bDVNPhPPCIZE= +=om/y +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-18:13.nfs.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-18:13.nfs.asc Tue Nov 27 20:00:28 2018 (r52522) 
@@ -0,0 +1,139 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-18:13.nfs Security Advisory + The FreeBSD Project + +Topic: Multiple vulnerabilities in NFS server code + +Category: core +Module: nfs +Announced: 2018-11-27 +Credits: Jakub Jirasek, Secunia Research at Flexera +Affects: All supported versions of FreeBSD. +Corrected: 2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE) + 2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5) +CVE Name: CVE-2018-17157, CVE-2018-17158, CVE-2018-17159 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit . + +I. Background + +The Network File System (NFS) allows a host to export some or all of its file +systems so that other hosts can access them over the network and mount them +as if they were local. FreeBSD includes both server and client +implementations of NFS. + +II. Problem Description + +Insufficient and improper checking in the NFS server code could cause a +denial of service or possibly remote code execution via a specially crafted +network packet. + +III. Impact + +A remote attacker could cause the NFS server to crash, resulting in a denial +of service, or possibly execute arbitrary code on the server. + +IV. Workaround + +No workaround is available, but systems that do not provide NFS services are +not vulnerable. + +Additionally, it is highly recommended the NFS service port (default port +number 2049) is protected via a host or network based firewall to prevent +arbitrary, untrusted clients from being able to connect. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +Afterward, reboot the system. 
+ +2) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterward, reboot the system. + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 11.2] +# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch +# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc +# gpg --verify nfs.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in + and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/11/ r340854 +releng/11.2/ r341088 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + + + +VII. 
References + + + + + + + +The latest revision of this advisory is available at + +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n85fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cKJEg//Umbe1QOUgV0Z6EsdlQffNMo9MHbAz75vCqeaibI36Ng9vmkLKGlS6nCA +5mKFS+BvM5CkekBaiQ6BR8t0xWsrFwX6JCUayQ2FsCSo4rwCZms3AIbvt68vjQAm +xWuQIMJzYku5+kALtcXXvVkLhMCaioVDpZmuPCO+rY79OVM4xP1MsnTfqEZSNo+n +Cz2urH4eO60YsM8w05coQ3hnOsUjTCk8yCh3+R/uYK1VouLDgD8q96T1eG2ozny6 +vwEMK3AjmcpvFkTIF3/2I6TTA5K+Zd+nqzhzPM5HjbLZmdQV02NHcoGaZrK1wsQw +D+3wf8icBMfLt9rTUbEqVdvg5FRDkTo8/dH1wY85gWZ2wsSgCqI2wRuqBH4bp3bb +Gcf2+D4vgX6YY5cZ/wFDcYWpghhrmXUbgnH7PnyVfYB0Ufta9utgMOQKMS0mUWwM +DlHP+fL/A8lhPvXIhl1DtSa/TQAiAdMG1JwktzThKrUzjL8bntmjoqtr1Xcp2txJ +hgALulqz9nzkHaHcEolgk5xFTvx4gCzhjII7XEU3/rLNPPlJK3Pfo0UvPLAUkdLj +McnKqOyQ6uSl8/lNuVsd3JCZ3dlsES7VmdEu0YJ4goc/6/AB8KXnSqzheT7Cjn1p +lGzbFYmXosUj9NEQl/SOg6O8LnRrJIw4Tbm9vfkDss1G+sjUdaA= +=m/Lh +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:13/icmp.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:13/icmp.patch Tue Nov 27 20:00:28 2018 (r52522) 
@@ -0,0 +1,21 @@ +--- sys/netinet/ip_icmp.c.orig ++++ sys/netinet/ip_icmp.c +@@ -310,7 +310,8 @@ + #endif + icmplen = min(icmplen, M_TRAILINGSPACE(m) - + sizeof(struct ip) - ICMP_MINLEN); +- m_align(m, ICMP_MINLEN + icmplen); ++ m_align(m, sizeof(struct ip) + ICMP_MINLEN + icmplen); ++ m->m_data += sizeof(struct ip); + m->m_len = ICMP_MINLEN + icmplen; + + /* XXX MRT make the outgoing packet use the same FIB +@@ -352,6 +353,8 @@ + * reply should bypass as well. + */ + m->m_flags |= n->m_flags & M_SKIP_FIREWALL; ++ KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ip), ++ ("insufficient space for ip header")); + m->m_data -= sizeof(struct ip); + m->m_len += sizeof(struct ip); + m->m_pkthdr.len = m->m_len; Added: head/share/security/patches/EN-18:13/icmp.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:13/icmp.patch.asc Tue Nov 27 20:00:28 2018 (r52522) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9oBpfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJHYA//TFweS8EPSWTo+0jzir7aI3zg8rJUrle6cH0iGI36mNFFY3/+hlij2pNe +XJ4K9O2m/v95sg0WbgVwCwP5jlMPYu7rEnyvzCEhHbmOrAXrQCnrbEan35QCXzEy +ihceI//li414WxEd0W2RpTUS3fkWroxA7xf3TL0eKG51GYrBNdrTZUMTbleL8Zvp +v24V0lB8gx1mZMI8+bOFgK/dW9Kay5tCAo75oOkafbba9ddtVgZrnYdCj6ikedWm +CNAkFPW55c+G5yHXvtTxFTaw9mtz8rY6vy1ZA4DB7SI62AvCSbepOVB28Czo0+w3 +Rvs3UL2ia55se6jG4OlAWkASC4H8b3BaTDOoETh7Fm0VsA0drN+VarEdi0Tf6SVq +yDveVsDJR2/qU6Np0eWUTto0J/9PElte6kiNsWBgPgI7L3aawJ9Czuxu5BIP3U5j +7Mvnp2AsC75uku66UnejBQ67q5+jqWjqdXhis5Fs63s69GIFYWMpZa/+djLO2ZlG +CLSHmzRwdgKhi6VKXO6q3OwWfOEncUTZJXdYIwKzSyr18LQHfxT1lkWsrV2Pq49S +zcuSRZZxRFx0ADWGHg/90pgDAiyNFehmsn7sj0wFD104P/KU/avaFsTYb8at4osa +IXLlJuYFG/dzIxk6FRkgUKG1Pt3in+CFJ0TAwZydx20EmWgqtmM= +=PTdi +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-18:14/tzdata-2018g.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-18:14/tzdata-2018g.patch Tue Nov 27 20:00:28 2018 (r52522) 
@@ -0,0 +1,3617 @@ +--- contrib/tzdata/CONTRIBUTING.orig ++++ contrib/tzdata/CONTRIBUTING +@@ -17,11 +17,14 @@ + 'diff -u old/europe new/europe >myfix.patch', and attach + myfix.patch to the email. + +-For more-elaborate changes, please read the theory.html file and browse +-the mailing list archives for +-examples of patches that tend to work well. Additions to +-data should contain commentary citing reliable sources as +-justification. Citations should use https: URLs if available. ++For more-elaborate or possibly-controversial changes, ++such as renaming, adding or removing zones, please read ++ or the file ++theory.html. It is also good to browse the mailing list archives ++ for examples of patches that tend ++to work well. Additions to data should contain commentary citing ++reliable sources as justification. Citations should use https: URLs ++if available. + + Please submit changes against either the latest release in + or the master branch of the development +--- contrib/tzdata/Makefile.orig ++++ contrib/tzdata/Makefile +@@ -1,3 +1,5 @@ ++# Make and install tzdb code and data. ++ + # This file is in the public domain, so clarified as of + # 2009-05-17 by Arthur David Olson. + +@@ -19,9 +21,9 @@ + # DATAFORM= rearguard + DATAFORM= main + +-# Change the line below for your time zone (after finding the zone you want in +-# the time zone files, or adding it to a time zone file). +-# Alternatively, if you discover you've got the wrong time zone, you can just ++# Change the line below for your timezone (after finding the one you want in ++# one of the $(TDATA) source files, or adding it to a source file). ++# Alternatively, if you discover you've got the wrong timezone, you can just + # zic -l rightzone + # to correct things. 
+ # Use the command +@@ -31,14 +33,14 @@ + LOCALTIME= GMT + + # If you want something other than Eastern United States time as a template +-# for handling POSIX-style time zone environment variables, +-# change the line below (after finding the zone you want in the +-# time zone files, or adding it to a time zone file). ++# for handling POSIX-style timezone environment variables, ++# change the line below (after finding the timezone you want in the ++# one of the $(TDATA) source files, or adding it to a source file). + # When a POSIX-style environment variable is handled, the rules in the + # template file are used to determine "spring forward" and "fall back" days and + # times; the environment variable itself specifies UT offsets of standard and + # daylight saving time. +-# Alternatively, if you discover you've got the wrong time zone, you can just ++# Alternatively, if you discover you've got the wrong timezone, you can just + # zic -p rightzone + # to correct things. + # Use the command +@@ -75,7 +77,7 @@ + # TOPDIR should be empty or an absolute name unless you're just testing. + TOPDIR = + +-# The default local time zone is taken from the file TZDEFAULT. ++# The default local timezone is taken from the file TZDEFAULT. + TZDEFAULT = $(TOPDIR)/etc/localtime + + # The subdirectory containing installed program and data files, and +@@ -84,7 +86,7 @@ + USRDIR = usr + USRSHAREDIR = $(USRDIR)/share + +-# "Compiled" time zone information is placed in the "TZDIR" directory ++# "Compiled" timezone information is placed in the "TZDIR" directory + # (and subdirectories). + # TZDIR_BASENAME should not contain "/" and should not be ".", ".." or empty. + TZDIR_BASENAME= zoneinfo +@@ -106,9 +108,13 @@ + LIBDIR = $(TOPDIR)/$(USRDIR)/lib + + +-# Types to try, as an alternative to time_t. int64_t should be first. +-TIME_T_ALTERNATIVES = int64_t int32_t uint32_t uint64_t ++# Types to try, as an alternative to time_t. 
++TIME_T_ALTERNATIVES = $(TIME_T_ALTERNATIVES_HEAD) $(TIME_T_ALTERNATIVES_TAIL) ++TIME_T_ALTERNATIVES_HEAD = int64_t ++TIME_T_ALTERNATIVES_TAIL = int32_t uint32_t uint64_t + ++# What kind of TZif data files to generate. ++# (TZif is the binary time zone data format that zic generates.) + # If you want only POSIX time, with time values interpreted as + # seconds since the epoch (not counting leap seconds), use + # REDO= posix_only +@@ -129,7 +135,7 @@ + + REDO= posix_right + +-# To install data in text form that has all the information of the binary data, ++# To install data in text form that has all the information of the TZif data, + # (optionally incorporating leap second information), use + # TZDATA_TEXT= tzdata.zi leapseconds + # To install text data without leap second information (e.g., because +@@ -171,7 +177,6 @@ + + # Add the following to the end of the "CFLAGS=" line as needed to override + # defaults specified in the source code. "-DFOO" is equivalent to "-DFOO=1". +-# -DBIG_BANG=-9999999LL if the Big Bang occurred at time -9999999 (see zic.c) + # -DDEPRECATE_TWO_DIGIT_YEARS for optional runtime warnings about strftime + # formats that generate only the last two digits of year numbers + # -DEPOCH_LOCAL if the 'time' function returns local time not UT +@@ -295,7 +300,7 @@ + # "tzsetwall", "offtime", "timelocal", "timegm", "timeoff", + # "posix2time", and "time2posix" to be added to the time conversion library. + # "tzsetwall" is like "tzset" except that it arranges for local wall clock +-# time (rather than the time specified in the TZ environment variable) ++# time (rather than the timezone specified in the TZ environment variable) + # to be used. + # "offtime" is like "gmtime" except that it accepts a second (long) argument + # that gives an offset to add to the time_t when converting it. +@@ -318,7 +323,7 @@ + # "posix2time_z" and "time2posix_z" are added as well. 
+ # The functions ending in "_z" (or "_rz") are like their unsuffixed + # (or suffixed-by-"_r") counterparts, except with an extra first +-# argument of opaque type timezone_t that specifies the time zone. ++# argument of opaque type timezone_t that specifies the timezone. + # "tzalloc" allocates a timezone_t value, and "tzfree" frees it. + # + # If you want to allocate state structures in localtime, add +@@ -357,11 +362,14 @@ + + ZFLAGS= + +-# How to use zic to install tz binary files. ++# How to use zic to install TZif files. + + ZIC_INSTALL= $(ZIC) -d '$(DESTDIR)$(TZDIR)' $(LEAPSECONDS) + + # The name of a Posix-compliant 'awk' on your system. ++# Older 'mawk' versions, such as the 'mawk' in Ubuntu 16.04, might dump core; ++# on Ubuntu you can work around this with ++# AWK= gawk + AWK= awk + + # The full path name of a Posix-compliant shell, preferably one that supports +@@ -410,10 +418,16 @@ + SAFE_CHARSET= $(SAFE_CHARSET1)$(SAFE_CHARSET2)$(SAFE_CHARSET3) + SAFE_CHAR= '[]'$(SAFE_CHARSET)'-]' + ++# These characters are Latin-1, and so are likely to be displayable ++# even in editors with limited character sets. ++UNUSUAL_OK_LATIN_1 = «°±»½¾× ++# This IPA symbol is represented in Unicode as the composition of ++# U+0075 and U+032F, and U+032F is not considered alphabetic by some ++# grep implementations that do not grok composition. ++UNUSUAL_OK_IPA = u̯ + # Non-ASCII non-letters that OK_CHAR allows, as these characters are +-# useful in commentary. XEmacs 21.5.34 displays them correctly, +-# presumably because they are Latin-1. +-UNUSUAL_OK_CHARSET= °±½¾× ++# useful in commentary. ++UNUSUAL_OK_CHARSET= $(UNUSUAL_OK_LATIN_1)$(UNUSUAL_OK_IPA) + + # OK_CHAR matches any character allowed in the distributed files. 
+ # This is the same as SAFE_CHAR, except that UNUSUAL_OK_CHARSET and +@@ -492,11 +506,14 @@ + ziguard.awk zishrink.awk + MISC= $(AWK_SCRIPTS) zoneinfo2tdf.pl + TZS_YEAR= 2050 ++TZS_CUTOFF_FLAG= -c $(TZS_YEAR) + TZS= to$(TZS_YEAR).tzs + TZS_NEW= to$(TZS_YEAR)new.tzs + TZS_DEPS= $(PRIMARY_YDATA) asctime.c localtime.c \ + private.h tzfile.h zdump.c zic.c +-ENCHILADA= $(COMMON) $(DOCS) $(SOURCES) $(DATA) $(MISC) $(TZS) tzdata.zi ++# EIGHT_YARDS is just a yard short of the whole ENCHILADA. ++EIGHT_YARDS = $(COMMON) $(DOCS) $(SOURCES) $(DATA) $(MISC) tzdata.zi ++ENCHILADA = $(EIGHT_YARDS) $(TZS) + + # Consult these files when deciding whether to rebuild the 'version' file. + # This list is not the same as the output of 'git ls-files', since +@@ -560,14 +577,21 @@ + printf '%s\n' "$$V" >$@.out + mv $@.out $@ + +-# These files can be tailored by setting BACKWARD, PACKRATDATA, etc. ++# These files can be tailored by setting BACKWARD and PACKRATDATA. + vanguard.zi main.zi rearguard.zi: $(DSTDATA_ZI_DEPS) + $(AWK) -v DATAFORM=`expr $@ : '\(.*\).zi'` -f ziguard.awk \ + $(TDATA) $(PACKRATDATA) >$@.out + mv $@.out $@ +-tzdata.zi: $(DATAFORM).zi version ++# This file has a version comment that attempts to capture any tailoring ++# via BACKWARD, DATAFORM, PACKRATDATA, and REDO. ++tzdata.zi: $(DATAFORM).zi version zishrink.awk + version=`sed 1q version` && \ +- LC_ALL=C $(AWK) -v version="$$version" -f zishrink.awk \ ++ LC_ALL=C $(AWK) \ ++ -v dataform='$(DATAFORM)' \ ++ -v deps='$(DSTDATA_ZI_DEPS) zishrink.awk' \ ++ -v redo='$(REDO)' \ ++ -v version="$$version" \ ++ -f zishrink.awk \ + $(DATAFORM).zi >$@.out + mv $@.out $@ + +@@ -605,14 +629,16 @@ + YEARISTYPE='$(YEARISTYPE)' \ + ZIC='$(ZIC)' + +-# 'make install_data' installs one set of tz binary files. +-install_data: zic leapseconds yearistype tzdata.zi ++INSTALL_DATA_DEPS = zic leapseconds yearistype tzdata.zi ++ ++# 'make install_data' installs one set of TZif files. 
++install_data: $(INSTALL_DATA_DEPS) + $(ZIC_INSTALL) tzdata.zi + +-posix_only: ++posix_only: $(INSTALL_DATA_DEPS) + $(MAKE) $(INSTALLARGS) LEAPSECONDS= install_data + +-right_only: ++right_only: $(INSTALL_DATA_DEPS) + $(MAKE) $(INSTALLARGS) LEAPSECONDS='-L leapseconds' \ + install_data + +@@ -639,7 +665,7 @@ + + # This obsolescent rule is present for backwards compatibility with + # tz releases 2014g through 2015g. It should go away eventually. +-posix_packrat: ++posix_packrat: $(INSTALL_DATA_DEPS) + $(MAKE) $(INSTALLARGS) PACKRATDATA=backzone posix_only + + zones: $(REDO) +@@ -650,29 +676,33 @@ + # Rule used only by submakes invoked by the $(TZS_NEW) rule. + # It is separate so that GNU 'make -j' can run instances in parallel. + $(ZDS): zdump +- ./zdump -i -c $(TZS_YEAR) '$(wd)/'$$(expr $@ : '\(.*\).zd') >$@ ++ ./zdump -i $(TZS_CUTOFF_FLAG) '$(wd)/'$$(expr $@ : '\(.*\).zd') \ ++ >$@ + +-$(TZS_NEW): tzdata.zi zdump zic +- rm -fr tzs.dir +- mkdir tzs.dir +- $(zic) -d tzs.dir tzdata.zi ++TZS_NEW_DEPS = tzdata.zi zdump zic ++$(TZS_NEW): $(TZS_NEW_DEPS) ++ rm -fr tzs$(TZS_YEAR).dir ++ mkdir tzs$(TZS_YEAR).dir ++ $(zic) -d tzs$(TZS_YEAR).dir tzdata.zi + $(AWK) '/^L/{print "Link\t" $$2 "\t" $$3}' \ + tzdata.zi | LC_ALL=C sort >$@.out + wd=`pwd` && \ +- set x `$(AWK) '/^Z/{print "tzs.dir/" $$2 ".zd"}' tzdata.zi \ ++ x=`$(AWK) '/^Z/{print "tzs$(TZS_YEAR).dir/" $$2 ".zd"}' \ ++ tzdata.zi \ + | LC_ALL=C sort -t . -k 2,2` && \ ++ set x $$x && \ + shift && \ + ZDS=$$* && \ +- $(MAKE) wd="$$wd" TZS_YEAR=$(TZS_YEAR) ZDS="$$ZDS" $$ZDS && \ +- sed 's,^TZ=".*tzs\.dir/,TZ=",' $$ZDS >>$@.out +- rm -fr tzs.dir ++ $(MAKE) wd="$$wd" TZS_CUTOFF_FLAG="$(TZS_CUTOFF_FLAG)" \ ++ ZDS="$$ZDS" $$ZDS && \ ++ sed 's,^TZ=".*\.dir/,TZ=",' $$ZDS >>$@.out ++ rm -fr tzs$(TZS_YEAR).dir + mv $@.out $@ + +-# If $(TZS) does not already exist (e.g., old-format tarballs), create it. 
+-# If it exists but 'make check_tzs' fails, a maintainer should inspect the ++# If $(TZS) exists but 'make check_tzs' fails, a maintainer should inspect the + # failed output and fix the inconsistency, perhaps by running 'make force_tzs'. + $(TZS): +- $(MAKE) force_tzs ++ touch $@ + + force_tzs: $(TZS_NEW) + cp $(TZS_NEW) $(TZS) +@@ -711,18 +741,21 @@ + $(MISC) $(SOURCES) $(WEB_PAGES) \ + CONTRIBUTING LICENSE README \ + version tzdata.zi && \ +- ! grep -Env $(SAFE_LINE)'|^UNUSUAL_OK_CHARSET='$(OK_CHAR)'*$$' \ ++ ! grep -Env $(SAFE_LINE)'|^UNUSUAL_OK_'$(OK_CHAR)'*$$' \ + Makefile && \ + ! grep -Env $(SAFE_SHARP_LINE) $(TDATA_TO_CHECK) backzone \ + leapseconds yearistype.sh zone.tab && \ + ! grep -Env $(OK_LINE) $(ENCHILADA); \ + } ++ touch $@ + + check_white_space: $(ENCHILADA) + patfmt=' \t|[\f\r\v]' && pat=`printf "$$patfmt\\n"` && \ +- ! grep -En "$$pat" $(ENCHILADA) ++ ! grep -En "$$pat" \ ++ $$(ls $(ENCHILADA) | grep -Fvx leap-seconds.list) + ! grep -n '[[:space:]]$$' \ + $$(ls $(ENCHILADA) | grep -Fvx leap-seconds.list) ++ touch $@ + + PRECEDES_FILE_NAME = ^(Zone|Link[[:space:]]+[^[:space:]]+)[[:space:]]+ + FILE_NAME_COMPONENT_TOO_LONG = \ +@@ -731,6 +764,7 @@ + check_name_lengths: $(TDATA_TO_CHECK) backzone + ! 
grep -En '$(FILE_NAME_COMPONENT_TOO_LONG)' \ + $(TDATA_TO_CHECK) backzone ++ touch $@ + + CHECK_CC_LIST = { n = split($$1,a,/,/); for (i=2; i<=n; i++) print a[1], a[i]; } + +@@ -743,10 +777,12 @@ + LC_ALL=C sort -c + $(AWK) '/^[^#]/ $(CHECK_CC_LIST)' zone1970.tab | \ + LC_ALL=C sort -cu ++ touch $@ + + check_links: checklinks.awk $(TDATA_TO_CHECK) tzdata.zi + $(AWK) -f checklinks.awk $(TDATA_TO_CHECK) + $(AWK) -f checklinks.awk tzdata.zi ++ touch $@ + + check_tables: checktab.awk $(PRIMARY_YDATA) $(ZONETABLES) + for tab in $(ZONETABLES); do \ +@@ -753,42 +789,49 @@ + $(AWK) -f checktab.awk -v zone_table=$$tab $(PRIMARY_YDATA) \ + || exit; \ + done ++ touch $@ + + check_tzs: $(TZS) $(TZS_NEW) +- diff -u $(TZS) $(TZS_NEW) ++ if test -s $(TZS); then \ ++ diff -u $(TZS) $(TZS_NEW); \ ++ else \ ++ cp $(TZS_NEW) $(TZS); \ ++ fi ++ touch $@ + + # This checks only the HTML 4.01 strict page. + # To check the the other pages, use . + check_web: tz-how-to.html + $(VALIDATE_ENV) $(VALIDATE) $(VALIDATE_FLAGS) tz-how-to.html ++ touch $@ + + # Check that zishrink.awk does not alter the data, and that ziguard.awk + # preserves main-format data. 
+-check_zishrink: zic leapseconds $(PACKRATDATA) $(TDATA) \ +- $(DATAFORM).zi tzdata.zi +- for type in posix right; do \ +- mkdir -p time_t.dir/$$type time_t.dir/$$type-t \ +- time_t.dir/$$type-shrunk && \ +- case $$type in \ +- right) leap='-L leapseconds';; \ +- *) leap=;; \ +- esac && \ +- $(ZIC) $$leap -d time_t.dir/$$type $(DATAFORM).zi && \ ++check_zishrink: check_zishrink_posix check_zishrink_right ++check_zishrink_posix check_zishrink_right: \ ++ zic leapseconds $(PACKRATDATA) $(TDATA) $(DATAFORM).zi tzdata.zi ++ rm -fr $@.dir $@-t.dir $@-shrunk.dir ++ mkdir $@.dir $@-t.dir $@-shrunk.dir ++ case $@ in \ ++ *_right) leap='-L leapseconds';; \ ++ *) leap=;; \ ++ esac && \ ++ $(ZIC) $$leap -d $@.dir $(DATAFORM).zi && \ ++ $(ZIC) $$leap -d $@-shrunk.dir tzdata.zi && \ + case $(DATAFORM) in \ + main) \ +- $(ZIC) $$leap -d time_t.dir/$$type-t $(TDATA) && \ ++ $(ZIC) $$leap -d $@-t.dir $(TDATA) && \ + $(AWK) '/^Rule/' $(TDATA) | \ +- $(ZIC) $$leap -d time_t.dir/$$type-t - \ +- $(PACKRATDATA) && \ +- diff -r time_t.dir/$$type time_t.dir/$$type-t;; \ +- esac && \ +- $(ZIC) $$leap -d time_t.dir/$$type-shrunk tzdata.zi && \ +- diff -r time_t.dir/$$type time_t.dir/$$type-shrunk || exit; \ +- done +- rm -fr time_t.dir ++ $(ZIC) $$leap -d $@-t.dir - $(PACKRATDATA) && \ ++ diff -r $@.dir $@-t.dir;; \ ++ esac ++ diff -r $@.dir $@-shrunk.dir ++ rm -fr $@.dir $@-t.dir $@-shrunk.dir *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
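Review bot: The comment above TIME_T_ALTERNATIVES (hunk @@ -106,9 +108,13 @@) drops "int64_t should be first." and nothing replaces it, so the new TIME_T_ALTERNATIVES_HEAD and TIME_T_ALTERNATIVES_TAIL variables encode an ordering without saying why the list is split. A one-line comment on the two new variables stating what HEAD is reserved for would keep a later editor from merging or reordering them.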
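Review bot: posix_only and right_only (hunk @@ -605,14 +629,16 @@) now list $(INSTALL_DATA_DEPS) as prerequisites and then run a sub-make of install_data, which carries the same prerequisites, with no comment explaining why they are stated twice. If the intent is to have zic, leapseconds, yearistype and tzdata.zi built once in the parent before any sub-make starts, a sentence next to the INSTALL_DATA_DEPS definition should say so; the same applies to posix_packrat in the following hunk.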
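Review bot: In the $(TZS_NEW) rule (hunk @@ -650,29 +676,33 @@) the sed expression is loosened from 's,^TZ=".*tzs\.dir/,TZ=",' to 's,^TZ=".*\.dir/,TZ=",', and because .* is greedy it now strips through the last ".dir/" anywhere in the quoted name, not only the scratch directory this rule created. $(TZS_YEAR) is in scope in this recipe, so matching tzs$(TZS_YEAR)\.dir/ explicitly would keep the substitution as tight as the old one. The split of "set x `...`" into an assignment followed by "set x $$x" is worth keeping as is, since the exit status of the command substitution now takes part in the && chain instead of being discarded by set.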
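Review bot: The "touch $@" lines added at the end of check_character_set and check_white_space (hunk @@ -711,18 +741,21 @@, and repeated in the check_ rules of the hunks that follow) turn these targets into stamp files written next to the sources, and the visible lines do not show them being removed by a clean rule or kept out of the distributed file set. Please confirm both, and confirm that none of these targets is still declared phony, since a phony target would rerun regardless of the stamp. It is also worth checking that each rule's prerequisite list covers every file its recipe greps, because a stamp that is newer than the listed prerequisites now skips the check entirely.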
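Review bot: In check_tzs (hunk @@ -753,42 +789,49 @@), when $(TZS) is empty the else branch runs "cp $(TZS_NEW) $(TZS)" and the target succeeds without comparing anything, and because the $(TZS) rule in the earlier hunk is now only "touch $@", a missing reference file always takes this path. A reference file that was truncated by accident would be silently overwritten rather than reported; printing a message in the else branch, or failing there unless force_tzs was requested, would make that case visible. Separately, in the visible lines check_zishrink_posix and check_zishrink_right do not end with "touch $@" as the other check_ rules in this hunk do; if that is deliberate, a comment saying so would help.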