Date: Wed, 5 Aug 2015 22:05:03 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r286348 - in stable/10: sbin/routed usr.bin/patch Message-ID: <201508052205.t75M53Xo063407@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed Aug 5 22:05:02 2015 New Revision: 286348 URL: https://svnweb.freebsd.org/changeset/base/286348 Log: Fix patch(1) shell injection vulnerability via ed(1). [SA-15:18] Fix routed remote denial of service vulnerability. [SA-15:19] Modified: stable/10/sbin/routed/input.c stable/10/usr.bin/patch/pathnames.h stable/10/usr.bin/patch/pch.c Modified: stable/10/sbin/routed/input.c ============================================================================== --- stable/10/sbin/routed/input.c Wed Aug 5 22:04:56 2015 (r286347) +++ stable/10/sbin/routed/input.c Wed Aug 5 22:05:02 2015 (r286348) @@ -160,6 +160,12 @@ input(struct sockaddr_in *from, /* rece trace_rip("Recv", "from", from, sifp, rip, cc); + if (sifp == 0) { + trace_pkt(" discard a request from an indirect router" + " (possibly an attack)"); + return; + } + if (rip->rip_vers == 0) { msglim(&bad_router, FROM_NADDR, "RIP version 0, cmd %d, packet received from %s", Modified: stable/10/usr.bin/patch/pathnames.h ============================================================================== --- stable/10/usr.bin/patch/pathnames.h Wed Aug 5 22:04:56 2015 (r286347) +++ stable/10/usr.bin/patch/pathnames.h Wed Aug 5 22:05:02 2015 (r286348) @@ -9,4 +9,4 @@ #include <paths.h> -#define _PATH_ED "/bin/ed" +#define _PATH_RED "/bin/red" Modified: stable/10/usr.bin/patch/pch.c ============================================================================== --- stable/10/usr.bin/patch/pch.c Wed Aug 5 22:04:56 2015 (r286347) +++ stable/10/usr.bin/patch/pch.c Wed Aug 5 22:05:02 2015 (r286348) @@ -1,4 +1,3 @@ - /*- * Copyright 1986, Larry Wall * @@ -1409,13 +1408,14 @@ do_ed_script(void) char *t; off_t beginning_of_this_line; FILE *pipefp = NULL; + int continuation; if (!skip_rest_of_patch) { if (copy_file(filearg[0], TMPOUTNAME) < 0) { unlink(TMPOUTNAME); fatal("can't create temp file %s", TMPOUTNAME); } - snprintf(buf, buf_size, "%s%s%s", _PATH_ED, + snprintf(buf, buf_size, "%s%s%s", _PATH_RED, verbose ? " " : " -s ", TMPOUTNAME); pipefp = popen(buf, "w"); } @@ -1433,7 +1433,19 @@ do_ed_script(void) (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) { if (pipefp != NULL) fputs(buf, pipefp); - if (*t != 'd') { + if (*t == 's') { + for (;;) { + continuation = 0; + t = strchr(buf, '\0') - 1; + while (--t >= buf && *t == '\\') + continuation = !continuation; + if (!continuation || + pgets(true) == 0) + break; + if (pipefp != NULL) + fputs(buf, pipefp); + } + } else if (*t != 'd') { while (pgets(true)) { p_input_line++; if (pipefp != NULL)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201508052205.t75M53Xo063407>