svn commit: r40128 - in head/share: security/advisories security/patches/SA-12:06 security/patches/SA-12:07 security/patches/SA-12:08 xml
Simon L. Nielsen
simon at FreeBSD.org
Thu Nov 22 23:46:27 UTC 2012
Author: simon
Date: Thu Nov 22 23:46:26 2012
New Revision: 40128
URL: http://svnweb.freebsd.org/changeset/doc/40128
Log:
Add latest advisories.
Added:
head/share/security/advisories/FreeBSD-SA-12:06.bind.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-12:08.linux.asc (contents, props changed)
head/share/security/patches/SA-12:06/
head/share/security/patches/SA-12:06/bind.patch (contents, props changed)
head/share/security/patches/SA-12:06/bind.patch.asc (contents, props changed)
head/share/security/patches/SA-12:07/
head/share/security/patches/SA-12:07/hostapd-8.patch (contents, props changed)
head/share/security/patches/SA-12:07/hostapd-8.patch.asc (contents, props changed)
head/share/security/patches/SA-12:07/hostapd.patch (contents, props changed)
head/share/security/patches/SA-12:07/hostapd.patch.asc (contents, props changed)
head/share/security/patches/SA-12:08/
head/share/security/patches/SA-12:08/linux.patch (contents, props changed)
head/share/security/patches/SA-12:08/linux.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-12:06.bind.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-12:06.bind.asc Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,139 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-12:06.bind Security Advisory
+ The FreeBSD Project
+
+Topic: Multiple Denial of Service vulnerabilities with named(8)
+
+Category: contrib
+Module: bind
+Announced: 2012-11-22
+Affects: All supported versions of FreeBSD before 9.1-RC2.
+Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
+ 2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
+ 2012-10-11 13:25:09 UTC (RELENG_8, 8.3-STABLE)
+ 2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
+ 2012-10-10 19:50:15 UTC (RELENG_9, 9.1-PRERELEASE)
+ 2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
+CVE Name: CVE-2012-4244, CVE-2012-5166
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II. Problem Description
+
+The BIND daemon would crash when a query is made on a resource record
+with RDATA that exceeds 65535 bytes.
+
+The BIND daemon would lock up when a query is made on specific
+combinations of RDATA.
+
+III. Impact
+
+A remote attacker can query a resolving name server to retrieve a record
+whose RDATA is known to be larger than 65535 bytes, thereby causing the
+resolving server to crash via an assertion failure in named.
+
+An attacker who is in a position to add a record with RDATA larger than
+65535 bytes to an authoritative name server can cause that server to
+crash by later querying for that record.
+
+The attacker can also cause the server to lock up with specific
+combinations of RDATA.
+
+IV. Workaround
+
+No workaround is available, but systems not running the BIND name
+server are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
+or to the RELENG_7_4, RELENG_8_3, or RELENG_9_0 security branch dated
+after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to FreeBSD 7.4,
+8.3, and 9.0 systems.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch
+# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, or 9.1-RC1 on
+the i386 or amd64 platforms can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+4) Install and run BIND from the Ports Collection after the correction
+date. The following versions and newer versions of BIND installed from
+the Ports Collection are not affected by this vulnerability:
+
+ bind96-9.6.3.1.ESV.R7.4
+ bind97-9.7.6.4
+ bind98-9.8.3.4
+ bind99-9.9.1.4
+
+VI. Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Subversion:
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/7/ r243418
+releng/7.4/ r243417
+stable/8/ r241443
+releng/8.3/ r243417
+stable/9/ r241415
+releng/9.0/ r243417
+releng/9.1/ r243417
+- -------------------------------------------------------------------------
+
+VII. References
+
+https://kb.isc.org/article/AA-00778
+https://kb.isc.org/article/AA-00801
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.bind.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEARECAAYFAlCutVIACgkQFdaIBMps37JhPQCfcwCHE7CxzBnrMdszdFYODgQs
+1+kAn316Rx2d0Ecig5JHUR3broq5Hpog
+=EklC
+-----END PGP SIGNATURE-----
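Review bot: The "Affects:" line says "before 9.1-RC2", but the "Corrected:" list carries entries for 9.1-RC2-p1 and 9.1-RC3-p1, so RC2 and RC3 evidently needed the fix as well. Section V.3 likewise names only 9.1-RC1 as updatable with freebsd-update, and V.1 omits RELENG_9_1 although releng/9.1 appears under "Correction details". Please make the affected range, the security branch list and the binary-update list agree before the signed text is published.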
Added: head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-12:07.hostapd.asc Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-12:07.hostapd Security Advisory
+ The FreeBSD Project
+
+Topic: Insufficient message length validation for EAP-TLS messages
+
+Category: contrib
+Module: wpa
+Announced: 2012-11-22
+Credits: Timo Warns, Jouni Malinen
+Affects: FreeBSD 8.0 and later.
+Corrected: 2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
+ 2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
+ 2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
+ 2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
+CVE Name: CVE-2012-4445
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+The hostapd utility is an authenticator for IEEE 802.11 networks. It
+provides full support for WPA/IEEE 802.11i and can also act as an IEEE
+802.1X Authenticator with a suitable backend Authentication Server
+(typically FreeRADIUS).
+
+EAP-TLS is the original, standard wireless LAN EAP authentication
+protocol defined in RFC 5216. It uses PKI to secure communication to a
+RADIUS authentication server or another type of authentication server.
+
+II. Problem Description
+
+The internal authentication server of hostapd does not sufficiently
+validate the message length field of EAP-TLS messages.
+
+III. Impact
+
+A remote attacker could cause the hostapd daemon to abort by sending
+specially crafted EAP-TLS messages, resulting in a Denial of Service.
+
+IV. Workaround
+
+No workaround is available, but systems not running hostapd are not
+vulnerable.
+
+Note that for FreeBSD 8.x systems, the EAP-TLS authentication method
+is not enabled by default. Systems running FreeBSD 8.x are only
+affected when hostapd is built with -DEAP_SERVER and as such, binary
+installations from the official release are not affected.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to 8-STABLE or 9-STABLE, or to
+the RELENG_8_3, or RELENG_9_0 security branch dated after the
+correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to FreeBSD 8.3
+and 9.0 systems.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 8.x]
+# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch
+# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch.asc
+
+[FreeBSD 9.x]
+
+# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch
+# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1, 9.1-RC2, or 9.1-RC3
+on the i386 or amd64 platforms can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Subversion:
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r<revision>
+releng/8.3/ r<revision>
+stable/9/ r<revision>
+releng/9.0/ r<revision>
+releng/9.1/ r<revision>
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.hostapd.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEARECAAYFAlCutVYACgkQFdaIBMps37IiwACfb85bpNnyzDRhlDnQiQ4lc6rC
+MFsAoJ0KXKPu6focwcOGgwuQLhHjTpMx
+=wijQ
+-----END PGP SIGNATURE-----
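Review bot: The "latest revision" URL at the end of section VII points at FreeBSD-SA-12:06.hostapd.asc, while this file is FreeBSD-SA-12:07.hostapd.asc, so the link as written names the wrong advisory number. The "Correction details" table also still has the template text "r<revision>" on all five rows instead of revision numbers. Both sit inside the PGP-signed body, so correcting them means re-signing the advisory.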
Added: head/share/security/advisories/FreeBSD-SA-12:08.linux.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-12:08.linux.asc Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,123 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-12:08.linux Security Advisory
+ The FreeBSD Project
+
+Topic: Linux compatibility layer input validation error
+
+Category: core
+Module: kernel
+Announced: 2012-11-22
+Credits: Mateusz Guzik
+Affects: All supported versions of FreeBSD.
+Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
+ 2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
+ 2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
+ 2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
+ 2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
+ 2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
+ 2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
+CVE Name: CVE-2012-4576
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+FreeBSD is binary-compatible with the Linux operating system through a
+loadable kernel module/optional kernel component.
+
+II. Problem Description
+
+A programming error in the handling of some Linux system calls may
+result in memory locations being accessed without proper validation.
+
+III. Impact
+
+It is possible for a local attacker to overwrite portions of kernel
+memory, which may result in a privilege escalation or cause a system
+panic.
+
+IV. Workaround
+
+No workaround is available, but systems not using the Linux binary
+compatibility layer are not vulnerable.
+
+The following command can be used to test if the Linux binary
+compatibility layer is loaded:
+
+ # kldstat -m linuxelf
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
+or to the RELENG_7_4, RELENG_8_3, RELENG_9_0, or RELENG_9_1 security
+branch dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to FreeBSD 7.4,
+8.3, 9.0, and 9.1 systems.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch
+# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch.asc
+
+b) Apply the patch.
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1,
+9.1-RC2, or 9.1-RC3 on the i386 or amd64 platforms can be updated via
+the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI. Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Subversion:
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/7/ r243418
+releng/7.4/ r243417
+stable/8/ r243417
+releng/8.3/ r243417
+stable/9/ r243417
+releng/9.0/ r243417
+releng/9.1/ r243417
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4576
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-12:08.linux.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEARECAAYFAlCutVoACgkQFdaIBMps37JA4QCfZ/wp/ysDIJd1VwF525PzimTt
+BUwAoJdU6pddJeJCsHfZ8812cAsrsLqP
+=KVp4
+-----END PGP SIGNATURE-----
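Review bot: Section IV gives "kldstat -m linuxelf" as the test for the Linux compatibility layer but does not say which result means the layer is present. A sentence describing what the command reports in the loaded and not-loaded cases would let an administrator decide from the advisory alone whether the system is exposed.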
Added: head/share/security/patches/SA-12:06/bind.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-12:06/bind.patch Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,184 @@
+Index: contrib/bind9/bin/named/query.c
+===================================================================
+--- contrib/bind9/bin/named/query.c (revision 241362)
++++ contrib/bind9/bin/named/query.c (working copy)
+@@ -1140,7 +1140,0 @@ query_isduplicate(ns_client_t *client, dns_name_t
+- /*
+- * If the dns_name_t we're looking up is already in the message,
+- * we don't want to trigger the caller's name replacement logic.
+- */
+- if (name == mname)
+- mname = NULL;
+-
+@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_t *name, d
+ if (dns_rdataset_isassociated(rdataset) &&
+ !query_isduplicate(client, fname, type, &mname)) {
+ if (mname != NULL) {
++ INSIST(mname != fname);
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_t *name, d
+ mname = NULL;
+ if (!query_isduplicate(client, fname,
+ dns_rdatatype_a, &mname)) {
++ if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
++ }
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+ added_something = ISC_TRUE;
+ if (sigrdataset != NULL &&
+@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_t *name, d
+ mname = NULL;
+ if (!query_isduplicate(client, fname,
+ dns_rdatatype_aaaa, &mname)) {
++ if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
++ }
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+ added_something = ISC_TRUE;
+ if (sigrdataset != NULL &&
+@@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name_t *name,
+ crdataset->type == dns_rdatatype_aaaa) {
+ if (!query_isduplicate(client, fname, crdataset->type,
+ &mname)) {
++ if (mname != fname) {
+ if (mname != NULL) {
+ /*
+ * A different type of this name is
+@@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name_t *name,
+ mname0 = mname;
+ } else
+ need_addname = ISC_TRUE;
++ }
+ ISC_LIST_UNLINK(cfname.list, crdataset, link);
+ ISC_LIST_APPEND(fname->list, crdataset, link);
+ added_something = ISC_TRUE;
+Index: contrib/bind9/lib/dns/include/dns/rdata.h
+===================================================================
+--- contrib/bind9/lib/dns/include/dns/rdata.h (revision 241362)
++++ contrib/bind9/lib/dns/include/dns/rdata.h (working copy)
+@@ -147,6 +147,17 @@ struct dns_rdata {
+ (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+
+ /*
++ * The maximum length of a RDATA that can be sent on the wire.
++ * Max packet size (65535) less header (12), less name (1), type (2),
++ * class (2), ttl(4), length (2).
++ *
++ * None of the defined types that support name compression can exceed
++ * this and all new types are to be sent uncompressed.
++ */
++
++#define DNS_RDATA_MAXLENGTH 65512U
++
++/*
+ * Flags affecting rdata formatting style. Flags 0xFFFF0000
+ * are used by masterfile-level formatting and defined elsewhere.
+ * See additional comments at dns_rdata_tofmttext().
+Index: contrib/bind9/lib/dns/master.c
+===================================================================
+--- contrib/bind9/lib/dns/master.c (revision 241362)
++++ contrib/bind9/lib/dns/master.c (working copy)
+@@ -75,7 +75,7 @@
+ /*%
+ * max message size - header - root - type - class - ttl - rdlen
+ */
+-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
++#define MINTSIZ DNS_RDATA_MAXLENGTH
+ /*%
+ * Size for tokens in the presentation format,
+ * The largest tokens are the base64 blocks in KEY and CERT records,
+Index: contrib/bind9/lib/dns/rdata.c
+===================================================================
+--- contrib/bind9/lib/dns/rdata.c (revision 241362)
++++ contrib/bind9/lib/dns/rdata.c (working copy)
+@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
+ isc_buffer_t st;
+ isc_boolean_t use_default = ISC_FALSE;
+ isc_uint32_t activelength;
++ size_t length;
+
+ REQUIRE(dctx != NULL);
+ if (rdata != NULL) {
+@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
+ }
+
+ /*
++ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
++ * as we cannot transmit it.
++ */
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = DNS_R_FORMERR;
++
++ /*
+ * We should have consumed all of our buffer.
+ */
+ if (result == ISC_R_SUCCESS && !buffer_empty(source))
+@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdatacl
+
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+ dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+ }
+
+@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdatacl
+ unsigned long line;
+ void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
+ isc_result_t tresult;
++ size_t length;
+
+ REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
+ if (rdata != NULL) {
+@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdatacl
+ }
+ } while (1);
+
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = ISC_R_NOSPACE;
++
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+ dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+ }
+ if (result != ISC_R_SUCCESS) {
+@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdata
+ isc_buffer_t st;
+ isc_region_t region;
+ isc_boolean_t use_default = ISC_FALSE;
++ size_t length;
+
+ REQUIRE(source != NULL);
+ if (rdata != NULL) {
+@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdata
+ if (use_default)
+ (void)NULL;
+
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = ISC_R_NOSPACE;
++
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+ dns_rdata_fromregion(rdata, rdclass, type, ®ion);
+ }
+ if (result != ISC_R_SUCCESS)
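Review bot: In query.c the first query_addadditional site adds "INSIST(mname != fname);" while the A, AAAA and query_addadditional2 sites guard the same condition with "if (mname != fname) {". With the "if (name == mname) mname = NULL;" reset removed from query_isduplicate, mname can now come back equal to the name passed in, and an INSIST that fires aborts named, which is the failure mode this advisory is about. Please add a comment explaining why equality cannot occur at that first site, or use the same guard there. The bodies wrapped by the new "if (mname != fname) {" are also left at their old indentation, which makes the nesting hard to read.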
Added: head/share/security/patches/SA-12:06/bind.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-12:06/bind.patch.asc Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEABECAAYFAlCutW0ACgkQFdaIBMps37Jv4ACfQSkD3485eTAzkfovm8D93DvE
+qXEAn3IiThUYmh8j//lwUN1iKcf61Wp/
+=TTmP
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-12:07/hostapd-8.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-12:07/hostapd-8.patch Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,18 @@
+Index: contrib/wpa/src/eap_server/eap_tls_common.c
+===================================================================
+--- contrib/wpa/src/eap_server/eap_tls_common.c (revision 240976)
++++ contrib/wpa/src/eap_server/eap_tls_common.c (working copy)
+@@ -220,6 +220,13 @@ static int eap_server_tls_process_fragment(struct
+ " over 64 kB)");
+ return -1;
+ }
++ if (len > message_length) {
++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++ "first fragment of frame (TLS Message "
++ "Length %d bytes)",
++ (int) len, (int) message_length);
++ return -1;
++ }
+
+ data->in_buf = wpabuf_alloc(message_length);
+ if (data->in_buf == NULL) {
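Review bot: The new "if (len > message_length)" test has no comment saying what it protects. The wpabuf_alloc(message_length) that follows sizes the reassembly buffer from the TLS Message Length field, so a short comment stating that the first fragment must fit within that declared length would make the invariant explicit and keep the check from being dropped in a later cleanup.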
Added: head/share/security/patches/SA-12:07/hostapd-8.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-12:07/hostapd-8.patch.asc Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEABECAAYFAlCutWkACgkQFdaIBMps37ID9wCghACRhZoqwo7c2lb2yS4CeT+r
+mLcAn03eMFp1mpjDmq6ZU95v4ocwmSfP
+=qF0E
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-12:07/hostapd.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-12:07/hostapd.patch Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,19 @@
+Index: contrib/wpa/src/eap_server/eap_server_tls_common.c
+===================================================================
+--- contrib/wpa/src/eap_server/eap_server_tls_common.c (revision 240924)
++++ contrib/wpa/src/eap_server/eap_server_tls_common.c (working copy)
+@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct
+ return -1;
+ }
+
++ if (len > message_length) {
++ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
++ "first fragment of frame (TLS Message "
++ "Length %d bytes)",
++ (int) len, (int) message_length);
++ return -1;
++ }
++
+ data->tls_in = wpabuf_alloc(message_length);
+ if (data->tls_in == NULL) {
+ wpa_printf(MSG_DEBUG, "SSL: No memory for message");
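Review bot: In the added wpa_printf call, len and message_length are cast to int and printed with %d, so a large len would show up as a negative number in the log; an unsigned conversion with a matching cast would report the value accurately. The message is also logged at MSG_INFO, whereas the neighbouring "No memory for message" path uses MSG_DEBUG. Since this condition is triggered by the content of a received message, it is worth confirming that the higher level is intended.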
Added: head/share/security/patches/SA-12:07/hostapd.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-12:07/hostapd.patch.asc Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEABECAAYFAlCutWYACgkQFdaIBMps37J+fACfXVjO/+y2+MwRSzNqKGg8aqJ+
+rpMAn0YUlFyhwIlMISyDUAQl+NZ75QLI
+=Yl8o
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-12:08/linux.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-12:08/linux.patch Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,16 @@
+Index: sys/compat/linux/linux_ioctl.c
+===================================================================
+--- sys/compat/linux/linux_ioctl.c (revision 242578)
++++ sys/compat/linux/linux_ioctl.c (working copy)
+@@ -2260,8 +2260,9 @@ again:
+
+ ifc.ifc_len = valid_len;
+ sbuf_finish(sb);
+- memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
+- error = copyout(&ifc, uifc, sizeof(ifc));
++ error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
++ if (error == 0)
++ error = copyout(&ifc, uifc, sizeof(ifc));
+ sbuf_delete(sb);
+ CURVNET_RESTORE();
+
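Review bot: The first copyout() writes ifc.ifc_len bytes from sbuf_data(sb), with ifc.ifc_len taken from valid_len just above, and nothing in these lines shows that the sbuf actually holds that many bytes. The return value of sbuf_finish(sb) is not checked either. Consider asserting that the sbuf length matches valid_len (or copying sbuf_len(sb) bytes) and bailing out if sbuf_finish() fails, so the copy length is tied to the buffer that was built.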
Added: head/share/security/patches/SA-12:08/linux.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-12:08/linux.patch.asc Thu Nov 22 23:46:26 2012 (r40128)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9
+
+iEYEABECAAYFAlCutWMACgkQFdaIBMps37JOZQCdE0l9Djh4BQUR7EmtU4GLVfGl
+4RcAnjbbX3c7i759WOQmSWrItD8NyI/g
+=nWGE
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Thu Nov 22 13:44:34 2012 (r40127)
+++ head/share/xml/advisories.xml Thu Nov 22 23:46:26 2012 (r40128)
@@ -8,6 +8,26 @@
<name>2012</name>
<month>
+ <name>11</name>
+
+ <day>
+ <name>22</name>
+
+ <advisory>
+ <name>FreeBSD-SA-12:08.bind</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-12:07.hostapd</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-12:06.bind</name>
+ </advisory>
+ </day>
+ </month>
+
+ <month>
<name>8</name>
<day>
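Review bot: The first new advisory entry is named "FreeBSD-SA-12:08.bind", but the file added in this commit is FreeBSD-SA-12:08.linux.asc and 12:06 is the bind advisory. The name should read "FreeBSD-SA-12:08.linux"; as committed, the index entry will not resolve to the advisory file.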