From owner-svn-src-stable-10@freebsd.org  Wed Aug  5 22:05:04 2015
Return-Path: <owner-svn-src-stable-10@freebsd.org>
Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 581EA9B47BC;
 Wed,  5 Aug 2015 22:05:04 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 1B64D1998;
 Wed,  5 Aug 2015 22:05:04 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t75M53tW063410;
 Wed, 5 Aug 2015 22:05:03 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by repo.freebsd.org (8.14.9/8.14.9/Submit) id t75M53Xo063407;
 Wed, 5 Aug 2015 22:05:03 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201508052205.t75M53Xo063407@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI <delphij@FreeBSD.org>
Date: Wed, 5 Aug 2015 22:05:03 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r286348 - in stable/10: sbin/routed usr.bin/patch
X-SVN-Group: stable-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable-10@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for only the 10-stable src tree
 <svn-src-stable-10.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable-10>, 
 <mailto:svn-src-stable-10-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-10/>
List-Post: <mailto:svn-src-stable-10@freebsd.org>
List-Help: <mailto:svn-src-stable-10-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10>, 
 <mailto:svn-src-stable-10-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 22:05:04 -0000

Author: delphij
Date: Wed Aug  5 22:05:02 2015
New Revision: 286348
URL: https://svnweb.freebsd.org/changeset/base/286348

Log:
  Fix patch(1) shell injection vulnerability via ed(1). [SA-15:18]
  
  Fix routed remote denial of service vulnerability. [SA-15:19]

Modified:
  stable/10/sbin/routed/input.c
  stable/10/usr.bin/patch/pathnames.h
  stable/10/usr.bin/patch/pch.c

Modified: stable/10/sbin/routed/input.c
==============================================================================
--- stable/10/sbin/routed/input.c	Wed Aug  5 22:04:56 2015	(r286347)
+++ stable/10/sbin/routed/input.c	Wed Aug  5 22:05:02 2015	(r286348)
@@ -160,6 +160,12 @@ input(struct sockaddr_in *from,		/* rece
 
 	trace_rip("Recv", "from", from, sifp, rip, cc);
 
+	if (sifp == 0) {
+		trace_pkt("    discard a request from an indirect router"
+		    " (possibly an attack)");
+		return;
+	}
+
 	if (rip->rip_vers == 0) {
 		msglim(&bad_router, FROM_NADDR,
 		       "RIP version 0, cmd %d, packet received from %s",

Modified: stable/10/usr.bin/patch/pathnames.h
==============================================================================
--- stable/10/usr.bin/patch/pathnames.h	Wed Aug  5 22:04:56 2015	(r286347)
+++ stable/10/usr.bin/patch/pathnames.h	Wed Aug  5 22:05:02 2015	(r286348)
@@ -9,4 +9,4 @@
 
 #include <paths.h>
 
-#define	_PATH_ED		"/bin/ed"
+#define	_PATH_RED		"/bin/red"

Modified: stable/10/usr.bin/patch/pch.c
==============================================================================
--- stable/10/usr.bin/patch/pch.c	Wed Aug  5 22:04:56 2015	(r286347)
+++ stable/10/usr.bin/patch/pch.c	Wed Aug  5 22:05:02 2015	(r286348)
@@ -1,4 +1,3 @@
-
 /*-
  * Copyright 1986, Larry Wall
  * 
@@ -1409,13 +1408,14 @@ do_ed_script(void)
 	char	*t;
 	off_t	beginning_of_this_line;
 	FILE	*pipefp = NULL;
+	int	continuation;
 
 	if (!skip_rest_of_patch) {
 		if (copy_file(filearg[0], TMPOUTNAME) < 0) {
 			unlink(TMPOUTNAME);
 			fatal("can't create temp file %s", TMPOUTNAME);
 		}
-		snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
+		snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
 		    verbose ? " " : " -s ", TMPOUTNAME);
 		pipefp = popen(buf, "w");
 	}
@@ -1433,7 +1433,19 @@ do_ed_script(void)
 		    (*t == 'a' || *t == 'c' || *t == 'd' || *t == 'i' || *t == 's')) {
 			if (pipefp != NULL)
 				fputs(buf, pipefp);
-			if (*t != 'd') {
+			if (*t == 's') {
+				for (;;) {
+					continuation = 0;
+					t = strchr(buf, '\0') - 1;
+					while (--t >= buf && *t == '\\')
+						continuation = !continuation;
+					if (!continuation ||
+					    pgets(true) == 0)
+						break;
+					if (pipefp != NULL)
+						fputs(buf, pipefp);
+				}
+			} else if (*t != 'd') {
 				while (pgets(true)) {
 					p_input_line++;
 					if (pipefp != NULL)