From owner-svn-src-all@FreeBSD.ORG Tue Dec 23 22:55:17 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 80C8DD7B; Tue, 23 Dec 2014 22:55:17 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6B5B4647E3; Tue, 23 Dec 2014 22:55:17 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sBNMtHR8097461; Tue, 23 Dec 2014 22:55:17 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sBNMtFld097449; Tue, 23 Dec 2014 22:55:15 GMT (envelope-from des@FreeBSD.org) Message-Id: <201412232255.sBNMtFld097449@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org using -f From: Dag-Erling Smørgrav Date: Tue, 23 Dec 2014 22:55:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r276158 - in releng/10.0: . contrib/ntp/ntpd contrib/ntp/util sys/conf usr.sbin/freebsd-update X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Dec 2014 22:55:17 -0000 Author: des Date: Tue Dec 23 22:55:14 2014 New Revision: 276158 URL: https://svnweb.freebsd.org/changeset/base/276158 Log: [SA-14:31] Fix multiple vulnerabilities in NTP suite. [EN-14:13] Fix directory deletion issue in freebsd-update. Approved by: so Modified: releng/10.0/UPDATING releng/10.0/contrib/ntp/ntpd/ntp_config.c releng/10.0/contrib/ntp/ntpd/ntp_control.c releng/10.0/contrib/ntp/ntpd/ntp_crypto.c releng/10.0/contrib/ntp/ntpd/ntp_proto.c releng/10.0/contrib/ntp/util/ntp-keygen.c releng/10.0/sys/conf/newvers.sh releng/10.0/usr.sbin/freebsd-update/freebsd-update.sh Modified: releng/10.0/UPDATING ============================================================================== --- releng/10.0/UPDATING Tue Dec 23 22:54:25 2014 (r276157) +++ releng/10.0/UPDATING Tue Dec 23 22:55:14 2014 (r276158) @@ -16,6 +16,12 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20141223: p15 FreeBSD-SA-14:31.ntp + FreeBSD-EN-14:13.freebsd-update + + Fix multiple vulnerabilities in NTP suite. [SA-14:31] + Fix directory deletion issue in freebsd-update. [EN-14:13] + 20141217: p14 FreeBSD-SA-14:30.unbound Fix unbound remote denial of service vulnerability. Modified: releng/10.0/contrib/ntp/ntpd/ntp_config.c ============================================================================== --- releng/10.0/contrib/ntp/ntpd/ntp_config.c Tue Dec 23 22:54:25 2014 (r276157) +++ releng/10.0/contrib/ntp/ntpd/ntp_config.c Tue Dec 23 22:55:14 2014 (r276158) @@ -1887,7 +1887,7 @@ getconfig( for (i = 0; i < 8; i++) for (j = 1; j < 100; ++j) { - rankey[i] = (char) (ntp_random() & 0xff); + rankey[i] = (char) (arc4random() & 0xff); if (rankey[i] != 0) break; } rankey[8] = 0; Modified: releng/10.0/contrib/ntp/ntpd/ntp_control.c ============================================================================== --- releng/10.0/contrib/ntp/ntpd/ntp_control.c Tue Dec 23 22:54:25 2014 (r276157) +++ releng/10.0/contrib/ntp/ntpd/ntp_control.c Tue Dec 23 22:55:14 2014 (r276158) @@ -24,6 +24,10 @@ #include #include +#ifndef MIN +#define MIN(a, b) (((a) <= (b)) ? (a) : (b)) +#endif + /* * Structure to hold request procedure information */ @@ -893,6 +897,7 @@ ctl_putdata( ) { int overhead; + unsigned int currentlen; overhead = 0; if (!bin) { @@ -916,12 +921,22 @@ ctl_putdata( /* * Save room for trailing junk */ - if (dlen + overhead + datapt > dataend) { + while (dlen + overhead + datapt > dataend) { /* * Not enough room in this one, flush it out. */ + currentlen = MIN(dlen, dataend - datapt); + + memcpy(datapt, dp, currentlen); + + datapt += currentlen; + dp += currentlen; + dlen -= currentlen; + datalinelen += currentlen; + ctl_flushpkt(CTL_MORE); } + memmove((char *)datapt, dp, (unsigned)dlen); datapt += dlen; datalinelen += dlen; Modified: releng/10.0/contrib/ntp/ntpd/ntp_crypto.c ============================================================================== --- releng/10.0/contrib/ntp/ntpd/ntp_crypto.c Tue Dec 23 22:54:25 2014 (r276157) +++ releng/10.0/contrib/ntp/ntpd/ntp_crypto.c Tue Dec 23 22:55:14 2014 (r276158) @@ -864,12 +864,24 @@ crypto_recv( * errors. */ if (vallen == (u_int) EVP_PKEY_size(host_pkey)) { - RSA_private_decrypt(vallen, + u_int32 *cookiebuf = malloc( + RSA_size(host_pkey->pkey.rsa)); + if (cookiebuf == NULL) { + rval = XEVNT_CKY; + break; + } + if (RSA_private_decrypt(vallen, (u_char *)ep->pkt, - (u_char *)&temp32, + (u_char *)cookiebuf, host_pkey->pkey.rsa, - RSA_PKCS1_OAEP_PADDING); - cookie = ntohl(temp32); + RSA_PKCS1_OAEP_PADDING) != 4) { + rval = XEVNT_CKY; + free(cookiebuf); + break; + } else { + cookie = ntohl(*cookiebuf); + free(cookiebuf); + } } else { rval = XEVNT_CKY; break; @@ -3914,7 +3926,7 @@ crypto_setup(void) rand_file); exit (-1); } - get_systime(&seed); + arc4random_buf(&seed, sizeof(l_fp)); RAND_seed(&seed, sizeof(l_fp)); RAND_write_file(rand_file); OpenSSL_add_all_algorithms(); Modified: releng/10.0/contrib/ntp/ntpd/ntp_proto.c ============================================================================== --- releng/10.0/contrib/ntp/ntpd/ntp_proto.c Tue Dec 23 22:54:25 2014 (r276157) +++ releng/10.0/contrib/ntp/ntpd/ntp_proto.c Tue Dec 23 22:55:14 2014 (r276158) @@ -649,6 +649,7 @@ receive( has_mac)) { is_authentic = AUTH_ERROR; sys_badauth++; + return; } else { is_authentic = AUTH_OK; } Modified: releng/10.0/contrib/ntp/util/ntp-keygen.c ============================================================================== --- releng/10.0/contrib/ntp/util/ntp-keygen.c Tue Dec 23 22:54:25 2014 (r276157) +++ releng/10.0/contrib/ntp/util/ntp-keygen.c Tue Dec 23 22:55:14 2014 (r276158) @@ -642,7 +642,7 @@ gen_md5( for (i = 1; i <= MD5KEYS; i++) { for (j = 0; j < 16; j++) { while (1) { - temp = ntp_random() & 0xff; + temp = arc4random() & 0xff; if (temp == '#') continue; if (temp > 0x20 && temp < 0x7f) @@ -675,7 +675,7 @@ gen_rsa( FILE *str; fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus); - rsa = RSA_generate_key(modulus, 3, cb, "RSA"); + rsa = RSA_generate_key(modulus, 65537, cb, "RSA"); fprintf(stderr, "\n"); if (rsa == NULL) { fprintf(stderr, "RSA generate keys fails\n%s\n", @@ -954,7 +954,7 @@ gen_gqpar( */ fprintf(stderr, "Generating GQ parameters (%d bits)...\n", modulus); - rsa = RSA_generate_key(modulus, 3, cb, "GQ"); + rsa = RSA_generate_key(modulus, 65537, cb, "GQ"); fprintf(stderr, "\n"); if (rsa == NULL) { fprintf(stderr, "RSA generate keys fails\n%s\n", Modified: releng/10.0/sys/conf/newvers.sh ============================================================================== --- releng/10.0/sys/conf/newvers.sh Tue Dec 23 22:54:25 2014 (r276157) +++ releng/10.0/sys/conf/newvers.sh Tue Dec 23 22:55:14 2014 (r276158) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.0" -BRANCH="RELEASE-p14" +BRANCH="RELEASE-p15" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.0/usr.sbin/freebsd-update/freebsd-update.sh ============================================================================== --- releng/10.0/usr.sbin/freebsd-update/freebsd-update.sh Tue Dec 23 22:54:25 2014 (r276157) +++ releng/10.0/usr.sbin/freebsd-update/freebsd-update.sh Tue Dec 23 22:55:14 2014 (r276158) @@ -1387,6 +1387,7 @@ fetch_filter_metadata () { # matter, since we add a leading "/" when we use paths later. cut -f 3- -d '|' $1 | sed -e 's,/|d|,|d|,' | + sed -e 's,/|-|,|-|,' | sort -u > $1.tmp # Figure out which lines to ignore and remove them.