svn commit: r41014 - in head/share: security/advisories security/patches/SA-13:01 security/patches/SA-13:02 xml
Bjoern A. Zeeb
bz at FreeBSD.org
Tue Feb 19 13:56:51 UTC 2013
Author: bz (src committer)
Date: Tue Feb 19 13:56:49 2013
New Revision: 41014
URL: http://svnweb.freebsd.org/changeset/doc/41014
Log:
Add latest security advisories:
Fix Denial of Service vulnerability in named(8) with DNS64. [13:01]
Fix Denial of Service vulnerability in libc's glob(3) functionality.
[13:02]
Security: CVE-2012-5688
Security: FreeBSD-SA-13:01.bind
Security: CVE-2010-2632
Security: FreeBSD-SA-13:02.libc
Added:
head/share/security/advisories/FreeBSD-SA-13:01.bind.asc (contents, props changed)
head/share/security/advisories/FreeBSD-SA-13:02.libc.asc (contents, props changed)
head/share/security/patches/SA-13:01/
head/share/security/patches/SA-13:01/bind.patch (contents, props changed)
head/share/security/patches/SA-13:01/bind.patch.asc (contents, props changed)
head/share/security/patches/SA-13:02/
head/share/security/patches/SA-13:02/libc.patch (contents, props changed)
head/share/security/patches/SA-13:02/libc.patch.asc (contents, props changed)
Modified:
head/share/xml/advisories.xml
Added: head/share/security/advisories/FreeBSD-SA-13:01.bind.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-13:01.bind.asc Tue Feb 19 13:56:49 2013 (r41014)
@@ -0,0 +1,122 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:01.bind Security Advisory
+ The FreeBSD Project
+
+Topic: BIND remote DoS with deliberately crafted DNS64 query
+
+Category: contrib
+Module: bind
+Announced: 2013-02-19
+Affects: FreeBSD 9.x and later
+Corrected: 2013-01-08 09:05:09 UTC (stable/9, 9.1-STABLE)
+ 2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6)
+ 2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1)
+CVE Name: CVE-2012-5688
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+DNS64 is an IPv6 transition mechanism that will return a synthesized
+AAAA response even if there is only an A record available.
+
+II. Problem Description
+
+Due to a software defect a crafted query can cause named(8) to crash
+with an assertion failure.
+
+III. Impact
+
+If named(8) is configured to use DNS64, an attacker who can send it a
+query can cause named(8) to crash, resulting in a denial of service.
+
+IV. Workaround
+
+No workaround is available, but systems not configured to use DNS64
+using the "dns64" configuration statement are not vulnerable. DNS64
+is not enabled in the default configuration on FreeBSD.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Restart the named(8) daemon, or reboot your system.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-13:01/bind.patch
+# fetch http://security.FreeBSD.org/patches/SA-13:01/bind.patch.asc
+# gpg --verify bind.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart the named(8) daemon, or reboot your system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart the named(8) daemon, or reboot your system.
+
+4) Alternatively, install and run BIND from the Ports Collection after
+the correction date. The following versions and newer versions of
+BIND installed from the Ports Collection are not affected by this
+vulnerability:
+
+ bind98-9.8.4.1
+ bind99-9.9.2.1
+
+VI. Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/9/ r245163
+releng/9.0/ r246989
+releng/9.1/ r246989
+- -------------------------------------------------------------------------
+
+VII. References
+
+https://kb.isc.org/article/AA-00828
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:01.bind.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (FreeBSD)
+
+iEYEARECAAYFAlEjf8MACgkQFdaIBMps37JUigCeIvjGL59H2froSeFqfPvlzM7L
+XpAAni7nW5GZt4AE3eSDQwE4ivCne6SK
+=Rxq4
+-----END PGP SIGNATURE-----
Added: head/share/security/advisories/FreeBSD-SA-13:02.libc.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-SA-13:02.libc.asc Tue Feb 19 13:56:49 2013 (r41014)
@@ -0,0 +1,114 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+=============================================================================
+FreeBSD-SA-13:02.libc Security Advisory
+ The FreeBSD Project
+
+Topic: glob(3) related resource exhaustion
+
+Category: core
+Module: libc
+Announced: 2013-02-19
+Affects: All supported versions of FreeBSD.
+Corrected: 2013-02-05 09:53:32 UTC (stable/7, 7.4-STABLE)
+ 2013-02-19 13:27:20 UTC (releng/7.4, 7.4-RELEASE-p12)
+ 2013-02-05 09:53:32 UTC (stable/8, 8.3-STABLE)
+ 2013-02-19 13:27:20 UTC (releng/8.3, 8.3-RELEASE-p6)
+ 2013-02-05 09:53:32 UTC (stable/9, 9.1-STABLE)
+ 2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6)
+ 2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1)
+CVE Name: CVE-2010-2632
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+The glob(3) function is a pathname generator that implements the rules for
+file name pattern matching used by the shell.
+
+II. Problem Description
+
+GLOB_LIMIT is supposed to limit the number of paths to prevent against
+memory or CPU attacks. The implementation however is insufficient.
+
+III. Impact
+
+An attacker that is able to exploit this vulnerability could cause excessive
+memory or CPU usage, resulting in a Denial of Service. A common target for
+a remote attacker could be ftpd(8).
+
+IV. Workaround
+
+No workaround is available.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch
+# fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch.asc
+# gpg --verify libc.patch.asc
+
+b) Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all daemons, or reboot the system.
+
+VI. Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/7/ r246357
+releng/7.4/ r246989
+stable/8/ r246357
+releng/8.3/ r246989
+stable/9/ r246357
+releng/9.0/ r246989
+releng/9.1/ r246989
+- -------------------------------------------------------------------------
+
+VII. References
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632
+
+The latest revision of this advisory is available at
+http://security.FreeBSD.org/advisories/FreeBSD-SA-13:02.libc.asc
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (FreeBSD)
+
+iEYEARECAAYFAlEjf80ACgkQFdaIBMps37JFUgCfUrw8Ky4U19COja6fna49Calv
+z/YAn1JSGxzHCo8vLj4XhtXqrQt68or4
+=mCPv
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-13:01/bind.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-13:01/bind.patch Tue Feb 19 13:56:49 2013 (r41014)
@@ -0,0 +1,18 @@
+Index: contrib/bind9/bin/named/query.c
+===================================================================
+--- contrib/bind9/bin/named/query.c
++++ contrib/bind9/bin/named/query.c
+@@ -5183,10 +5183,12 @@
+ isc_result_t result;
+ isc_uint32_t ttl = ISC_UINT32_MAX;
+
++ dns_rdataset_init(&rdataset);
++
+ result = dns_db_getoriginnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+- dns_rdataset_init(&rdataset);
++
+ result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+ 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
Added: head/share/security/patches/SA-13:01/bind.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-13:01/bind.patch.asc Tue Feb 19 13:56:49 2013 (r41014)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (FreeBSD)
+
+iEYEABECAAYFAlEjf/cACgkQFdaIBMps37LjHwCfQ0g0m9lvCY/AZmzYq6NfupNU
+cjQAn1ovam14yAE0+WT3FAhOM0lr7INw
+=gwXh
+-----END PGP SIGNATURE-----
Added: head/share/security/patches/SA-13:02/libc.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-13:02/libc.patch Tue Feb 19 13:56:49 2013 (r41014)
@@ -0,0 +1,215 @@
+Index: lib/libc/gen/glob.c
+===================================================================
+--- lib/libc/gen/glob.c (revision 246357)
++++ lib/libc/gen/glob.c (working copy)
+@@ -94,6 +94,25 @@ __FBSDID("$FreeBSD$");
+
+ #include "collate.h"
+
++/*
++ * glob(3) expansion limits. Stop the expansion if any of these limits
++ * is reached. This caps the runtime in the face of DoS attacks. See
++ * also CVE-2010-2632
++ */
++#define GLOB_LIMIT_BRACE 128 /* number of brace calls */
++#define GLOB_LIMIT_PATH 65536 /* number of path elements */
++#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */
++#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */
++#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */
++
++struct glob_limit {
++ size_t l_brace_cnt;
++ size_t l_path_lim;
++ size_t l_readdir_cnt;
++ size_t l_stat_cnt;
++ size_t l_string_cnt;
++};
++
+ #define DOLLAR '$'
+ #define DOT '.'
+ #define EOS '\0'
+@@ -153,15 +172,18 @@ static const Char *g_strchr(const Char *, wchar_t)
+ static Char *g_strcat(Char *, const Char *);
+ #endif
+ static int g_stat(Char *, struct stat *, glob_t *);
+-static int glob0(const Char *, glob_t *, size_t *);
+-static int glob1(Char *, glob_t *, size_t *);
+-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *);
+-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *);
+-static int globextend(const Char *, glob_t *, size_t *);
+-static const Char *
++static int glob0(const Char *, glob_t *, struct glob_limit *);
++static int glob1(Char *, glob_t *, struct glob_limit *);
++static int glob2(Char *, Char *, Char *, Char *, glob_t *,
++ struct glob_limit *);
++static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
++ struct glob_limit *);
++static int globextend(const Char *, glob_t *, struct glob_limit *);
++static const Char *
+ globtilde(const Char *, Char *, size_t, glob_t *);
+-static int globexp1(const Char *, glob_t *, size_t *);
+-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *);
++static int globexp1(const Char *, glob_t *, struct glob_limit *);
++static int globexp2(const Char *, const Char *, glob_t *, int *,
++ struct glob_limit *);
+ static int match(Char *, Char *, Char *);
+ #ifdef DEBUG
+ static void qprintf(const char *, Char *);
+@@ -171,8 +193,8 @@ int
+ glob(const char * __restrict pattern, int flags,
+ int (*errfunc)(const char *, int), glob_t * __restrict pglob)
+ {
++ struct glob_limit limit = { 0, 0, 0, 0, 0 };
+ const char *patnext;
+- size_t limit;
+ Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
+ mbstate_t mbs;
+ wchar_t wc;
+@@ -186,11 +208,10 @@ glob(const char * __restrict pattern, int flags,
+ pglob->gl_offs = 0;
+ }
+ if (flags & GLOB_LIMIT) {
+- limit = pglob->gl_matchc;
+- if (limit == 0)
+- limit = ARG_MAX;
+- } else
+- limit = 0;
++ limit.l_path_lim = pglob->gl_matchc;
++ if (limit.l_path_lim == 0)
++ limit.l_path_lim = GLOB_LIMIT_PATH;
++ }
+ pglob->gl_flags = flags & ~GLOB_MAGCHAR;
+ pglob->gl_errfunc = errfunc;
+ pglob->gl_matchc = 0;
+@@ -243,11 +264,17 @@ glob(const char * __restrict pattern, int flags,
+ * characters
+ */
+ static int
+-globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
++globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ const Char* ptr = pattern;
+ int rv;
+
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
++ errno = 0;
++ return (GLOB_NOSPACE);
++ }
++
+ /* Protect a single {}, for find(1), like csh */
+ if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
+ return glob0(pattern, pglob, limit);
+@@ -266,7 +293,8 @@ static int
+ * If it fails then it tries to glob the rest of the pattern and returns.
+ */
+ static int
+-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit)
++globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
++ struct glob_limit *limit)
+ {
+ int i;
+ Char *lm, *ls;
+@@ -436,7 +464,7 @@ globtilde(const Char *pattern, Char *patbuf, size_
+ * if things went well, nonzero if errors occurred.
+ */
+ static int
+-glob0(const Char *pattern, glob_t *pglob, size_t *limit)
++glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ const Char *qpatnext;
+ int err;
+@@ -529,7 +557,7 @@ compare(const void *p, const void *q)
+ }
+
+ static int
+-glob1(Char *pattern, glob_t *pglob, size_t *limit)
++glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ Char pathbuf[MAXPATHLEN];
+
+@@ -547,7 +575,7 @@ static int
+ */
+ static int
+ glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
+- glob_t *pglob, size_t *limit)
++ glob_t *pglob, struct glob_limit *limit)
+ {
+ struct stat sb;
+ Char *p, *q;
+@@ -563,6 +591,15 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_
+ if (g_lstat(pathbuf, &sb, pglob))
+ return(0);
+
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
++ errno = 0;
++ if (pathend + 1 > pathend_last)
++ return (GLOB_ABORTED);
++ *pathend++ = SEP;
++ *pathend = EOS;
++ return (GLOB_NOSPACE);
++ }
+ if (((pglob->gl_flags & GLOB_MARK) &&
+ pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
+ || (S_ISLNK(sb.st_mode) &&
+@@ -606,7 +643,7 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_
+ static int
+ glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
+ Char *pattern, Char *restpattern,
+- glob_t *pglob, size_t *limit)
++ glob_t *pglob, struct glob_limit *limit)
+ {
+ struct dirent *dp;
+ DIR *dirp;
+@@ -652,6 +689,19 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_
+ size_t clen;
+ mbstate_t mbs;
+
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
++ errno = 0;
++ if (pathend + 1 > pathend_last)
++ err = GLOB_ABORTED;
++ else {
++ *pathend++ = SEP;
++ *pathend = EOS;
++ err = GLOB_NOSPACE;
++ }
++ break;
++ }
++
+ /* Initial DOT must be matched literally. */
+ if (dp->d_name[0] == DOT && *pattern != DOT)
+ continue;
+@@ -702,14 +752,15 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_
+ * gl_pathv points to (gl_offs + gl_pathc + 1) items.
+ */
+ static int
+-globextend(const Char *path, glob_t *pglob, size_t *limit)
++globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
+ {
+ char **pathv;
+ size_t i, newsize, len;
+ char *copy;
+ const Char *p;
+
+- if (*limit && pglob->gl_pathc > *limit) {
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ pglob->gl_matchc > limit->l_path_lim) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
+@@ -737,6 +788,12 @@ static int
+ for (p = path; *p++;)
+ continue;
+ len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */
++ limit->l_string_cnt += len;
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ limit->l_string_cnt >= GLOB_LIMIT_STRING) {
++ errno = 0;
++ return (GLOB_NOSPACE);
++ }
+ if ((copy = malloc(len)) != NULL) {
+ if (g_Ctoc(path, copy, len)) {
+ free(copy);
Added: head/share/security/patches/SA-13:02/libc.patch.asc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/share/security/patches/SA-13:02/libc.patch.asc Tue Feb 19 13:56:49 2013 (r41014)
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (FreeBSD)
+
+iEYEABECAAYFAlEjf/0ACgkQFdaIBMps37Kw1ACfX+M73KQtFkdrAhFWVyVm2G44
+DLYAn2SoJT4c98Frj75ttappPsvFDgVk
+=H9Gv
+-----END PGP SIGNATURE-----
Modified: head/share/xml/advisories.xml
==============================================================================
--- head/share/xml/advisories.xml Tue Feb 19 13:27:07 2013 (r41013)
+++ head/share/xml/advisories.xml Tue Feb 19 13:56:49 2013 (r41014)
@@ -5,6 +5,26 @@
</cvs:keyword>
<year>
+ <name>2013</name>
+
+ <month>
+ <name>2</name>
+
+ <day>
+ <name>19</name>
+
+ <advisory>
+ <name>FreeBSD-SA-13:02.libc</name>
+ </advisory>
+
+ <advisory>
+ <name>FreeBSD-SA-13:01.bind</name>
+ </advisory>
+ </day>
+ </month>
+ </year>
+
+ <year>
<name>2012</name>
<month>
More information about the svn-doc-head
mailing list