Commit Graph

231231 Commits

Author SHA1 Message Date
sborrill f76d427f5b Ticket #1731 2020-05-07 12:03:47 +00:00
sborrill b3a976d7f3 Pull up the following revision(s) (requested by aymeric in ticket #1731):
bin/rcp/rcp.c:	revision 1.50

In sink(), upon error, avoid multiple replies to the source as this
would lead to a desynchronization of the protocol and further files or
directories to be ignored or corrupted.
2020-05-07 12:02:24 +00:00
martin bab719467b Pull up following revision(s) (requested by nia in ticket #1729):
	games/fortune/strfile/strfile.c: revision 1.39
	games/fortune/unstr/unstr.c: revision 1.15

strfile: Check that input/output filenames don't exceed the buffer size
unstr: Check that the input filename fits in the buffer.
2020-04-30 21:24:25 +00:00
martin fc34270b3e Ticket #1729 2020-04-30 16:25:15 +00:00
martin ad790b0775 Ticket #1727 2020-04-15 14:59:54 +00:00
martin 6559e02534 Pull up following revision(s) (requested by kim in ticket #1727):
sys/netinet6/nd6_rtr.c: revision 1.148 (via patch)

Fix default route selection

The primary issue was that in revision 1.79 a check was added in the
nd6_defrouter_select() search loop to ignore the entry if RA processing
is enabled on its interface.  In practice this results in all entries
being ignored.

This fix reverses the condition, so that an entry is ignored when RA
processing is NOT enabled on its interface.  Further, the entry is
only ignored for being selected as the default router.  The currently
installed router must be identified regardless of the (current) status
of its interface, so that we can delete the route before installing a
new one.

I also added error logging when adding or deleting a route fails. This
should help the administrator (or kernel developer) in noticing possible
problems.

Finally, if deleting a route fails, the corresponding default route
entry no longer has its "installed" flag cleared, so that deletion will
be retried.  At a minimum, this will cause repeated messages about the
failed deletion as opposed to only getting repeated messages about the
installation of a new default route failing.

Fixes PR kern/55091 and also PR bin/54997 as far as the behaviour
observed with ndp(8).
2020-04-15 14:59:33 +00:00
martin 4bd01aac0f Ticket #1722 2020-02-12 20:24:07 +00:00
martin b655189130 Pull up following revision(s) (requested by christos in ticket #1722):
external/bsd/ppp/dist/pppd/eap.c: revision 1.5

pppd: Fix bounds check in EAP code

Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname).  This fixes the check so we
actually avoid overflowing the rhostname array.

Reported-by: Ilja Van Sprundel <ivansprundel%ioactive.com@localhost>

Signed-off-by: Paul Mackerras <paulus%ozlabs.org@localhost>

From:
8d7970b8f3
2020-02-12 20:23:39 +00:00
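As an added illustration of the dead bounds check the commit message describes (this is constructed example code, not pppd's eap.c): the names `vallen`, `len` and `rhostname` follow the message, while the buffer size and the field layout assumed here, a `vallen`-byte value followed by a peer name occupying the remaining `len - vallen` bytes, are assumptions of this example rather than something the commit states. The point it shows is that a condition comparing `vallen` against `len + sizeof(rhostname)` can never fire once `vallen <= len` has been established, so the copy that follows runs unbounded; a check must compare the number of bytes actually copied against the buffer size.

```c
/* Added illustration of the dead bounds check described above. Constructed
 * example code, not pppd's eap.c; the names vallen, len and rhostname follow
 * the commit message, and the field layout assumed here (a vallen-byte value
 * followed by a peer name filling the remaining len - vallen bytes) is an
 * assumption of this example, not something the commit states. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define RHOSTNAME_SIZE 256   /* assumed size of the fixed rhostname buffer */

/* The original condition. The caller has already rejected vallen > len, so
 * vallen <= len < len + RHOSTNAME_SIZE holds for every reachable input and
 * this never returns true: the "trim" path is dead and the copy that
 * follows it is never bounded. */
bool dead_trim_check(size_t vallen, size_t len)
{
    return vallen >= len + RHOSTNAME_SIZE;
}

/* A condition that is actually about the buffer: the bytes copied into
 * rhostname are the name bytes, len - vallen of them, so that count is what
 * must be compared against the buffer size. Requires vallen <= len. */
bool fixed_trim_check(size_t vallen, size_t len)
{
    return len - vallen >= RHOSTNAME_SIZE;
}

/* Copy the peer name that follows the value into a fixed buffer, trimming
 * it when it is too long. Returns the stored length (excluding the NUL), or
 * -1 when the value itself extends past the data present in the packet. */
int copy_peer_name(char *rhostname, size_t bufsize,
                   const unsigned char *inp, size_t vallen, size_t len)
{
    if (vallen > len)              /* value claims more bytes than are present */
        return -1;
    size_t namelen = len - vallen; /* bytes of name actually available */
    if (namelen >= bufsize)        /* leave room for the terminating NUL */
        namelen = bufsize - 1;
    memcpy(rhostname, inp + vallen, namelen);
    rhostname[namelen] = '\0';
    return (int)namelen;
}

/* Constructed packet: a 16-byte value followed by a 484-byte name, longer
 * than the 256-byte buffer. Returns the length actually stored (255). */
int demo_overlong_name(void)
{
    unsigned char packet[500];
    char rhostname[RHOSTNAME_SIZE];
    memset(packet, 0x41, sizeof packet);   /* 'A' filler, constructed sample data */
    return copy_peer_name(rhostname, sizeof rhostname, packet, 16, sizeof packet);
}
```

With the constructed 500-byte packet, `dead_trim_check(16, 500)` is false even though 484 name bytes are about to be written into a 256-byte buffer, while `fixed_trim_check(16, 500)` is true and `copy_peer_name` stores 255 bytes plus the NUL.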
martin 4f02b3c5e5 Ticket #1719 2020-01-02 09:58:20 +00:00
martin 8736ea2285 Pull up following revision(s) (requested by mlelstv in ticket #1719):
sys/conf/copyright: revision 1.18

Welcome to 2020.
2020-01-02 09:57:59 +00:00
martin 490b4b36de Ticket #1718 2019-12-17 16:35:52 +00:00
martin 10fc56956e Pull up following revision(s) (requested by christos in ticket #1718):
sys/dev/ic/ath.c: revision 1.129

Protect network ioctls from non-authorized users. (Ilja Van Sprundel)
2019-12-17 16:35:28 +00:00
martin 900e20b4cc Ticket #1717 2019-12-08 10:27:54 +00:00
martin c9d680aa55 Pull up following revision(s) (requested by riastradh in ticket #1717):
	sys/dev/cons.c: revision 1.76
	sys/dev/cons.c: revision 1.77

Fix reference count leak in cons(4).
Don't forget to vrele after you're done, folks!
Restore historical $Hdr$ tag after git cvsexportcommit nixed it.
2019-12-08 10:27:32 +00:00
bouyer f33d108712 ticket 1715 2019-12-05 16:23:51 +00:00
bouyer 766a8ff08c Pull up following revision(s) (requested by riastradh in ticket #1715):
	share/man/man4/rnd.4: revision 1.26
	share/man/man4/rnd.4: revision 1.27
	share/man/man4/rnd.4: revision 1.28
	share/man/man4/rnd.4: revision 1.25
Update man page to reflect switch from CTR_DRBG to Hash_DRBG.
Replace slightly wrong rant by shorter and slightly less long rant.
(If X and Y in Z/2Z are independent, then so are X and X+Y.  What was
I thinking.)
Update NIST SP800-90A reference.
New sentence, new line. Use \(em.
2019-12-05 16:23:22 +00:00
martin a984eb520a Ticket #1714 2019-11-25 15:49:05 +00:00
martin ca11f2a278 Pull up following revision(s) (requested by riastradh in ticket #1714):
sys/kern/subr_cprng.c: revision 1.33

Use cprng_strong, not cprng_fast, for sysctl kern.arnd.
2019-11-25 15:48:40 +00:00
martin d7283bcf23 Fix set lists for ticket #1710 2019-10-31 01:55:22 +00:00
martin c43e1971d8 Ticket #1710 2019-10-28 18:06:42 +00:00
martin 5fc37e8fa4 Pull up following revision(s) (requested by maya in ticket #1710):
	distrib/sets/lists/modules/mi: revision 1.127
	sys/modules/Makefile: revision 1.230
	sys/modules/filemon/Makefile: revision 1.4 (manually adjusted)
	sys/modules/Makefile: revision 1.229

Disable filemon.

It isn't suited for general use (that is, it poses security risks),
but the existence of the module means it is auto-loaded when /dev/filemon
is opened, which can be done by any user.

Thanks Ilja van Sprundel for the heads up.

 -

Continue to build the filemon module, but don't install it.  Hopefully
this will help us detect any additional bit-rot that might occur.

XXX It might be a good idea to modify the file permissions on /dev/filemon
XXX to prevent auto-loading of the driver module by non-privileged users.
2019-10-28 18:06:13 +00:00
martin 947dd4e902 Ticket #1709 2019-09-28 07:52:18 +00:00
martin 0391018946 Pull up following revision(s) (requested by plunky in ticket #1709):
	sys/netbt/hci_event.c: revision 1.26
	sys/netbt/hci.h: revision 1.46

When encrypted connections are configured, verify that the encryption
key length has a minimum size when the adaptor supports that.

This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506
https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/
2019-09-28 07:51:57 +00:00
martin 17fa25f880 Ticket #1708 2019-09-17 18:10:00 +00:00
martin 64cb2ccf0c Pull up following revision(s) (requested by bouyer in ticket #1708):
	sys/netinet6/ip6_input.c: revision 1.209 via patch
	sys/netinet/ip_input.c: revision 1.390 via patch

Packet filters can return an mbuf chain with fragmented headers, so
m_pullup() it if needed and remove the KASSERT()s.
2019-09-17 18:09:37 +00:00
martin 4f2be8cf00 Ticket #1706 2019-09-17 17:36:58 +00:00
martin c711eb25ef Pull up following revision(s) (requested by maya in ticket #1706):
lib/libc/nameser/ns_name.c: revision 1.12

Since we advance cp after the bounds check, we need to test for bounds
again before using it. Discovered via fuzzing, reported by enh at google, via:

    https://android-review.googlesource.com/c/platform/bionic/+/1093130
2019-09-06 13:53:31 +00:00
martin ce1da42858 Ticket #1705 2019-09-03 12:31:11 +00:00
martin e400c05caf Pull up following revision(s) (requested by riastradh in ticket #1705):
	sys/crypto/nist_hash_drbg/nist_hash_drbg.c: revision 1.1
	sys/crypto/nist_hash_drbg/nist_hash_drbg.h: revision 1.1
	sys/rump/kern/lib/libcrypto/Makefile: revision 1.5
	sys/crypto/nist_hash_drbg/files.nist_hash_drbg: revision 1.1
	sys/rump/librump/rumpkern/Makefile.rumpkern: revision 1.176
	sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes256.h: file removal
	sys/crypto/nist_ctr_drbg/nist_ctr_drbg_config.h: file removal
	sys/conf/files: revision 1.1238
	sys/dev/rndpseudo.c: revision 1.38
	sys/crypto/nist_ctr_drbg/nist_ctr_drbg.c: file removal
	sys/sys/cprng.h: revision 1.13 - 1.15
	sys/crypto/nist_ctr_drbg/nist_ctr_drbg.h: file removal
	sys/crypto/nist_ctr_drbg/nist_ctr_aes_rijndael.h: file removal
	sys/crypto/nist_ctr_drbg/files.nist_ctr_drbg: file removal
	sys/kern/subr_cprng.c: revision 1.31
	sys/crypto/nist_ctr_drbg/nist_ctr_drbg_aes128.h: file removal

cprng.h: use static __inline for consistency with other include
headers and remove an unused function.

 -

Switch from NIST CTR_DRBG with AES to NIST Hash_DRBG with SHA-256.

Benefits:
- larger seeds -- a 128-bit key alone is not enough for `128-bit security'
- better resistance to timing side channels than AES
- a better-understood security story (https://eprint.iacr.org/2018/349)
- no loss in compliance with US government standards that nobody ever
  got fired for choosing, at least in the US-dominated western world
- no dirty endianness tricks
- self-tests

Drawbacks:
- performance hit: throughput is reduced to about 1/3 in naive measurements
  => possible to mitigate by using hardware SHA-256 instructions
  => all you really need is 32 bytes to seed a userland PRNG anyway
  => if we just used ChaCha this would go away...
2019-09-03 12:30:45 +00:00
martin 3a75f83072 Ticket #1703 2019-08-29 16:17:08 +00:00
martin e1189770c8 Pull up following revision(s) (requested by hannken in ticket #1703):
	sys/miscfs/kernfs/kernfs_vnops.c: revision 1.161
	sys/miscfs/procfs/procfs_vnops.c: revision 1.207

Add missing operation VOP_GETPAGES() returning EFAULT.

Without this operation posix_fadvise(..., POSIX_FADV_WILLNEED)
would leave the v_interlock held.

Observed by maxv@
2019-08-29 16:15:35 +00:00
martin 7abbd20046 Fix typo in last entry 2019-06-15 15:59:33 +00:00
martin 73609125d4 Ticket #1699 2019-06-15 15:58:02 +00:00
martin 1e93bbba46 Pull up the following revisions (via patch) requested by mrg in ticket #1699:
	libexec/httpd/CHANGES			1.31-1.40
	libexec/httpd/Makefile			1.28
	libexec/httpd/auth-bozo.c		1.23-1.24
	libexec/httpd/bozohttpd.8		1.75-1.79
	libexec/httpd/bozohttpd.c		1.100-1.113
	libexec/httpd/bozohttpd.h		1.58-1.60
	libexec/httpd/cgi-bozo.c		1.46-1.48
	libexec/httpd/daemon-bozo.c		1.20-1.21
	libexec/httpd/dir-index-bozo.c		1.29-1.32
	libexec/httpd/ssl-bozo.c		1.26
	libexec/httpd/testsuite/Makefile	1.12-1.13
	libexec/httpd/testsuite/t11.out 	1.2
	libexec/httpd/testsuite/test-bigfile	1.6
	libexec/httpd/testsuite/test-simple	1.6

Don't display special files in the directory index.  They aren't
served, but links to them are generated.
---
All from "Rajeev V. Pillai" <rajeev_v_pillai@yahoo.com>:
- use html tables for directory index.
- don't include "index.html" in html headers
- additional escaping of names
- re-add top/bottom borders
- adds an aquamarine table header
- Zebra-stripes table rows using CSS instead of code
- fix CGI '+' param and error handling.
- remove unused parameter to daemon_poll_err().
- avoid sign extension in % handling
fix a few problems pointed out by clang static analyzer:
- bozostrnsep() may return with "in = NULL", so check for it.
- nul terminating in bozo_escape_rfc3986() can be simpler
- don't use uninit variables in check_remap()
- don't use re-used freed data in check_virtual().
- fix bozoprefs->size setting when increasing the size (new total was
  being added to the prior total.)
  however, bozostrdup() may reference request->hr_file.
---
Add ssl specific timeout value (30s).  If SSL_accept() doesn't
work within this timeout value, ssl setup now fails.
---
Fix handling of bozo_set_timeout() timeouts (and `-T' option parsing)
---
Avoid .htpasswd exposure to authenticated users when .htpasswd is
in the slashdir too.
---
Avoid possible NULL dereference when sending a big request that times out.
---
Use strings.h for strcasecmp (on linux)
---
Account for cgihandler being set when counting the number of CGI environment
headers we are about to set. Avoids an assertion failure (and overrunning
the array) later.
2019-06-15 15:57:32 +00:00
martin a7c819d518 Ticket #1698 2019-05-31 08:15:50 +00:00
martin 03fbcc0b86 Pull up following revision(s) (requested by mlelstv in ticket #1698):
sys/dev/scsipi/scsipi_ioctl.c: revision 1.72 (via patch)

use correct size when copying outgoing sense data.
2019-05-31 08:15:24 +00:00
martin 3c3d4cea6e Ticket #1697 2019-05-29 15:55:41 +00:00
martin 784cecf3c2 Pull up following revision(s) (requested by kardel in ticket #1697):
sys/ufs/ffs/ffs_alloc.c: revision 1.164

PR/53990, PR/52380, PR/52102: UFS2 cylinder group inode allocation botch

Fix rare allocation botch in ffs_nodealloccg().

Conditions:
    a) less than
         #_of_initialized_inodes(cg->cg_initediblk)
         - inodes_per_filesystem_block
       are allocated in the cylinder group
    b) cg->cg_irotor points to an uninterrupted run of
       allocated inodes in the inode bitmap up to the
       end of dynamically initialized inodes
       (cg->cg_initediblk)

In this case the next inode after this run was returned
without initializing the respective inode block. As the
block is not initialized these inodes could trigger panics
on inode consistency due to old (uninitialized) disk data.

In very rare cases data loss could occur when
the uninitialized inode block is initialized via the
normal mechanism.

Further conditions to occur after the above:
    c) no panic
    d) no (forced) fsck
    e) and more than cg->cg_initediblk - inodes_per_filesystem_block
       allocated inodes.

Fix:

Always ensure allocation is in the initialized inode range,
extending the initialized inode range as needed.

Add KASSERTMSG() safeguards.

ok hannken@
2019-05-29 15:55:18 +00:00
martin 5864656c76 Ticket #1696 2019-05-07 18:56:53 +00:00
martin 1f61f7cad7 Pull up following revision(s) (requested by christos in ticket #1696):
sys/netsmb/smb_conn.c: revision 1.30

Prevent a NULL pointer dereference when the local endpoint is not defined.

From Andy Nguyen, many thanks.
2019-05-07 18:55:48 +00:00
martin a68fd07827 Tickets #1693 and #1694 2019-05-05 09:12:01 +00:00
martin 66c07839b2 Apply patch, requested by roy in ticket #1695:
external/bsd/dhcpcd/dist/src/dhcp6.c

DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE
2019-05-05 09:09:50 +00:00
martin 4b98583e72 Pull up following revision(s) (requested by maxv in ticket #1693):
	sys/arch/amd64/amd64/copy.S: revision 1.33
	sys/arch/i386/i386/copy.S: revision 1.31

Hum. Fix a potentially catastrophic bug: kcopy() sets DF=1 if the areas
overlap, but doesn't clear it if the copy faults. If this happens, we
return to the caller with DF=1, and each future memory copy will be
backwards.

I wonder if there really are places where kcopy() is called with
overlapping areas.
2019-05-05 08:49:18 +00:00
martin ca3e0be4b0 Ticket #1690 2019-05-01 09:43:37 +00:00
martin 401d06e37e Apply patch, requested by roy in ticket #1690:
	external/bsd/dhcpcd/dist/configure
	external/bsd/dhcpcd/dist/src/auth.c
	external/bsd/dhcpcd/dist/src/dhcp.c
	external/bsd/dhcpcd/dist/src/dhcp6.c
	external/bsd/dhcpcd/dist/compat/consttime_memequal.h

Security fixes for dhcpcd:
Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED.
Use consttime_memequal(3) to compare hashes.
2019-05-01 09:26:23 +00:00
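As an added illustration of the consttime_memequal(3) change in this ticket (constructed example code, not dhcpcd's or NetBSD libc's implementation): the comparison below is a constructed equivalent of what a constant-time equality function provides, `early_exit_bytes_examined` makes visible why a memcmp-style compare of a hash is a problem, and `verify_auth_tag` shows the shape of a check that rejects on length first and then compares in constant time. The 16-byte tags are constructed sample data.

```c
/* Added illustration for the consttime_memequal(3) change above. The
 * comparison below is a constructed equivalent of what such a function
 * provides (not NetBSD libc's code), and the tags are constructed data. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant-time equality: examine every byte, accumulate any difference
 * with OR, and only decide at the end. Returns 1 if equal, 0 otherwise.
 * The amount of work does not depend on where the first mismatch is. */
int ct_memequal(const void *b1, const void *b2, size_t len)
{
    const unsigned char *p1 = b1, *p2 = b2;
    unsigned int acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (unsigned int)(p1[i] ^ p2[i]);
    return acc == 0;
}

/* How many bytes an early-exit comparison (memcmp style) reads before it
 * decides. The count depends on the position of the first mismatch, which
 * is the data-dependent timing a constant-time compare avoids. */
size_t early_exit_bytes_examined(const unsigned char *a,
                                 const unsigned char *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i])
            return i + 1;
    return len;
}

/* Verify a received authentication tag against the locally computed one.
 * The length check comes first (the expected length is not secret); the
 * bytes are then compared in constant time. Returns 1 if accepted. */
int verify_auth_tag(const uint8_t *received, size_t rlen,
                    const uint8_t *expected, size_t elen)
{
    if (rlen != elen)
        return 0;
    return ct_memequal(received, expected, elen);
}

#define TAG_LEN 16
/* Constructed sample tags: the expected value and two wrong ones. */
static const uint8_t k_expected[TAG_LEN] = {
    0x3a, 0x7f, 0x11, 0x09, 0xde, 0xad, 0xbe, 0xef,
    0x42, 0x42, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
static const uint8_t k_wrong_first[TAG_LEN] = {   /* differs in byte 0 */
    0x00, 0x7f, 0x11, 0x09, 0xde, 0xad, 0xbe, 0xef,
    0x42, 0x42, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
static const uint8_t k_wrong_last[TAG_LEN] = {    /* differs in byte 15 */
    0x3a, 0x7f, 0x11, 0x09, 0xde, 0xad, 0xbe, 0xef,
    0x42, 0x42, 0x01, 0x02, 0x03, 0x04, 0x05, 0x07 };

int demo_accepts_correct(void)
{
    return verify_auth_tag(k_expected, TAG_LEN, k_expected, TAG_LEN);
}

int demo_rejects_wrong_last(void)
{
    return verify_auth_tag(k_wrong_last, TAG_LEN, k_expected, TAG_LEN);
}

int demo_rejects_short(void)
{
    /* A truncated tag is rejected by the length check before any compare. */
    return verify_auth_tag(k_expected, TAG_LEN - 1, k_expected, TAG_LEN);
}
```

With the sample tags, the early-exit compare examines 1 byte for `k_wrong_first` and all 16 for `k_wrong_last`; `ct_memequal` reads all 16 in both cases and returns 0 for each.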
martin df6c34b8e8 Ticket #1689 2019-04-19 16:05:05 +00:00
martin 035df2662d Pull up following revision(s) via patch (requested by christos in ticket #1689):
	sys/compat/linux/common/linux_socket.c: revision 1.145
	sys/net/if.c: revision 1.449
	sys/compat/linux32/common/linux32_socket.c: revision 1.30
	sys/compat/common/uipc_syscalls_40.c: revision 1.19

Zero out the ifreq struct for SIOCGIFCONF to avoid up to 127 bytes of stack
disclosure. From Andy Nguyen, many thanks!

 -

Zero out the ifreq struct for SIOCGIFCONF to avoid up to 127 bytes of stack
disclosure. From Andy Nguyen, many thanks! This is the compat code part
pointed out by ozaki-r@
2019-04-19 16:03:08 +00:00
msaitoh 6478bcae00 Ticket #1688. 2019-04-16 03:57:12 +00:00
msaitoh 53a5f0a942 Pull up following revision(s) (requested by martin in ticket #1688):
sys/kern/sys_mqueue.c: revision 1.44
mq_send1: fix argument validation and reject too large lengths early.
Discovered by Andy Nguyen.
2019-04-16 03:53:25 +00:00
msaitoh 35d91e0505 Ticket #1684. 2019-03-13 12:36:14 +00:00