libexec/httpd/testsuite/data/.bzremap up to 1.1
libexec/httpd/testsuite/t12.out up to 1.1
libexec/httpd/testsuite/t12.in up to 1.1
libexec/httpd/testsuite/t13.out up to 1.1
libexec/httpd/testsuite/t13.in up to 1.1
libexec/httpd/testsuite/t14.out up to 1.1
libexec/httpd/testsuite/t14.in up to 1.1
libexec/httpd/testsuite/t15.out up to 1.1
libexec/httpd/testsuite/t15.in up to 1.1
libexec/httpd/CHANGES up to 1.28
libexec/httpd/Makefile up to 1.27
libexec/httpd/auth-bozo.c up to 1.22
libexec/httpd/bozohttpd.8 up to 1.74
libexec/httpd/bozohttpd.c up to 1.96
libexec/httpd/bozohttpd.h up to 1.56
libexec/httpd/cgi-bozo.c up to 1.44
libexec/httpd/content-bozo.c up to 1.16
libexec/httpd/daemon-bozo.c up to 1.19
libexec/httpd/dir-index-bozo.c up to 1.28
libexec/httpd/lua-bozo.c up to 1.15
libexec/httpd/main.c up to 1.21
libexec/httpd/ssl-bozo.c up to 1.25
libexec/httpd/tilde-luzah-bozo.c up to 1.16
libexec/httpd/libbozohttpd/Makefile up to 1.3
libexec/httpd/lua/bozo.lua up to 1.3
libexec/httpd/lua/glue.c up to 1.5
libexec/httpd/lua/optparse.lua up to 1.2
libexec/httpd/testsuite/Makefile up to 1.11
libexec/httpd/testsuite/html_cmp up to 1.6
libexec/httpd/testsuite/t3.out up to 1.4
libexec/httpd/testsuite/t5.out up to 1.4
libexec/httpd/testsuite/t6.out up to 1.4
libexec/httpd/testsuite/test-bigfile up to 1.5
libexec/httpd/testsuite/test-simple up to 1.5
Cosmetic changes to Lua binding in bozohttpd.
- Don't use negative indices to read arguments of Lua functions.
- On error, return nil, "error string".
- Use ssize_t for return values from bozo_read() and bozo_write().
- Prefer lstring especially when it saves you from appending NUL and
doing len + 1, which can potentially wrap around.
- Don't mix C allocations with Lua functions marked with "m" in the Lua
manual. Those functions may throw (longjump) and leak data allocated
by C function. In one case, I use luaL_Buffer, in the other case,
I rearranged calls a bit.
fix ordering of a couple of words. from Edgar Pettijohn in PR#52375.
thanks!
s/u_int/unsigned/.
from Jan Danielsson. increases/fixes portability.
PR bin/52194: bozohttpd fails to exec scripts via the -C mechanism
sometimes with EFAULT due to not NULL terminated environment.
Document script handler issues with httpd(8).
From martin@, addressing PR 52194.
While here, use American spelling consistently and upper-case some
abbreviations.
Bump date.
fix output since protocol agnostic change went in.
XXX: I thought someone hooked this into atf already, please do :)
Add support for remapping requested paths via a .bzredirect file.
Fixes PR 52772. Ok: mrg@
Bump date
Remove trailing whitespace.
use __func__ in debug().
fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.
avoid memory leak in sending multiple auth headers.
mostly mitigated by previous patch to limit total header size,
but still a real problem here.
note the changes present in bozohttpd 20181118:
o add url remap support via .bzremap file, from martin%netbsd.org@localhost
o handle redirections for any protocol, not just http:
o fix a denial of service attack against header contents, which
is now bounded at 16KiB. reported by JP.
from CHANGES:
o reduce default timeouts, and add expand timeouts to handle the
initial line, each header, and the total time spent
o add -T option to expose new timeout settings
o minor RFC fixes related to timeout handling responses
old timeouts:
60 seconds for initial request line, 60 seconds per header line,
and no whole timeout (though the recent total header size changes
do introduce one that would be about 11 hours.)
new timeouts:
30 seconds for initial request line, 10 seconds per header line,
and a total request time of 600 seconds.
the new global timeout is implemented using CLOCK_MONOTONIC, with
a fallback to CLOCK_REALTIME if monotonic time is unavailable.
reject multiple Host: headers. besides being protocol standard,
this closes one additional memory leak found by JP. add a simple
test to check this.
clean up option and usage handling some.
move some #if support into bozohttpd.h.
fix previous: have_debug was reversed.
also fix have_dynamic_content from the previous previous. re-order
the debug and dynamic content to match the same pattern as everything
else so similar problems are less likely in the future.
- move special files defines into bozohttpd.h, so we can ...
- consolidate all the special file checks into
bozo_check_special_files() so that all builds check the same
list of special files, regardless of build options.
- convert "(void)bozo_http_error(...); return -1;" into plain
"return bozo_http_error(...);"
- fix the call to bozo_check_special_files() to be used on all
input types. part of the fixes for failure to reject access
to /.htpasswd as reported by JP on tech-security.
- use warn_unused_result attribute on bozo_check_special_files(),
and fix the failures to return failure. second part of the
htpasswd access fix.
- update testsuite to use a fixed fake hostname.
call this bozohttpd 20181121.
two fixes reported by mouse:
- don't check contents of 'st' if stat(2) failed.
- round up instead of truncate. now 10000 byte files say 10kB not 9kB.
use MAP_SHARED for the bzremap file. avoids netbsd kernel complaining:
WARNING: defaulted mmap() share type to MAP_PRIVATE (pid 15478 command bozohttpd)
many clean ups:
- keep a list of special files and their human names
- remove (void) casts on bozo_http_error()
- fix a few more misuses of bozo_http_error()
- rename check_mapping() to check_remap() and perform some CSE
- switch away from ``%s'' to '%s'
- remove a bunch of #ifdef using new have_feature defines
alpha sort the option switch.
add an assert() check on array bounds.
minor style fixes. simplify bozo_match_content_map().
in ticket #1644:
external/public-domain/tz/dist/CONTRIBUTING up to 1.1.1.6
external/public-domain/tz/dist/Makefile up to 1.1.1.22
external/public-domain/tz/dist/NEWS up to 1.1.1.24
external/public-domain/tz/dist/README up to 1.1.1.7
external/public-domain/tz/dist/TZDATA_VERSION up to 1.14
external/public-domain/tz/dist/africa up to 1.1.1.17
external/public-domain/tz/dist/antarctica up to 1.1.1.11
external/public-domain/tz/dist/asia up to 1.1.1.21
external/public-domain/tz/dist/australasia up to 1.1.1.16
external/public-domain/tz/dist/backward up to 1.1.1.9
external/public-domain/tz/dist/backzone up to 1.1.1.15
external/public-domain/tz/dist/etcetera up to 1.1.1.3
external/public-domain/tz/dist/europe up to 1.1.1.23
external/public-domain/tz/dist/factory up to 1.1.1.3
external/public-domain/tz/dist/leap-seconds.list up to 1.1.1.10
external/public-domain/tz/dist/leapseconds up to 1.1.1.11
external/public-domain/tz/dist/leapseconds.awk up to 1.1.1.7
external/public-domain/tz/dist/northamerica up to 1.1.1.21
external/public-domain/tz/dist/pacificnew up to 1.1.1.2
external/public-domain/tz/dist/southamerica up to 1.1.1.15
external/public-domain/tz/dist/systemv up to 1.1.1.2
external/public-domain/tz/dist/theory.html up to 1.1.1.6
external/public-domain/tz/dist/version up to 1.1.1.11
external/public-domain/tz/dist/yearistype.sh up to 1.1.1.2
external/public-domain/tz/dist/ziguard.awk up to 1.1.1.3
external/public-domain/tz/dist/zishrink.awk up to 1.1.1.5
external/public-domain/tz/dist/zone.tab up to 1.1.1.15
external/public-domain/tz/dist/zone1970.tab up to 1.1.1.17
external/public-domain/tz/dist/zoneinfo2tdf.pl up to 1.1.1.2
doc/3RDPARTY (apply patch)
Import tzdata2018f from ftp://ftp.iana.org/tz/releases/tzdata2018f.tar.gz
Volgograd moves from +03 to +04 on 2018-10-28.
Fiji ends DST 2019-01-13, not 2019-01-20.
Most of Chile changes DST dates, effective 2019-04-06.
Plus corrections to North Korea's 2018-05-05 and China's April 1988
updates (getting the actual time/date of the transition correct)
Corrections for Macau pre 1992, Japan in late 1940's - early 1950's,
and China (Shanghai) 1940's. The Philippines get their timezone
name abbreviations back.
-
Import tzdata2018g from ftp://ftp.iana.org/tz/releases/tzdata2018g.tar.gz
Summary of changes in tzdata2018g (2018-10-26 22:22:45 -0700):
Morocco switches to permanent +01 on 2018-10-27.
usr.bin/printf/printf.c: revision 1.37-1.39
fix some error handling.
From leot@ on tech-userlevel:
Avoid running off into oblivion when a format string,
or arg to a %b conversion ends in an unescaped backslash.
Patch from Leo slightly modified by me.
Avoid printing error messages twice when an invalid
escape sequence (\ sequence) is present in an arg to a %b
conversion.
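The failure mode fixed above, as an added example that is not the printf(1) source: an expander for the backslash escapes of a %b argument that checks for the string terminator before reading the character after a backslash, so an argument ending in a lone backslash stops cleanly instead of scanning past the end. Emitting that trailing backslash literally, and counting each unknown escape once so it is reported once, are this example's choices; the struct and function names are its own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of expanding one %b argument (hypothetical name). */
struct b_result {
    size_t len;      /* bytes written to out, excluding the terminating NUL */
    int    stopped;  /* 1 if "\c" was seen: printf(1) stops all further output */
    int    bad;      /* number of unknown escape sequences, each counted once */
};

/*
 * Expand the escapes of s into out (cap bytes, always NUL-terminated).
 * s[i] is tested for '\0' before any byte following a backslash is read.
 */
struct b_result expand_b_arg(const char *s, char *out, size_t cap)
{
    struct b_result r = { 0, 0, 0 };
    size_t i = 0;

    while (s[i] != '\0' && r.len + 1 < cap) {
        char c = s[i++];
        if (c != '\\') {
            out[r.len++] = c;
            continue;
        }
        char e = s[i];
        if (e == '\0') {             /* trailing unescaped backslash: keep it, stop here */
            out[r.len++] = '\\';
            break;
        }
        i++;
        switch (e) {
        case 'a': out[r.len++] = '\a'; break;
        case 'b': out[r.len++] = '\b'; break;
        case 'f': out[r.len++] = '\f'; break;
        case 'n': out[r.len++] = '\n'; break;
        case 'r': out[r.len++] = '\r'; break;
        case 't': out[r.len++] = '\t'; break;
        case 'v': out[r.len++] = '\v'; break;
        case '\\': out[r.len++] = '\\'; break;
        case 'c':                    /* \c: suppress everything after it */
            r.stopped = 1;
            out[r.len] = '\0';
            return r;
        case '0': {                  /* \0nnn: up to three octal digits */
            int v = 0, n = 0;
            while (n < 3 && s[i] >= '0' && s[i] <= '7') {
                v = v * 8 + (s[i] - '0');
                i++; n++;
            }
            out[r.len++] = (char)v;  /* values above 0377 are truncated to one byte */
            break;
        }
        default:                     /* unknown escape: emit both characters, count once */
            r.bad++;
            out[r.len++] = '\\';
            if (r.len + 1 < cap)
                out[r.len++] = e;
            break;
        }
    }
    out[r.len] = '\0';
    return r;
}

int main(void)
{
    char out[64];
    struct b_result r = expand_b_arg("trailing\\", out, sizeof out);
    printf("%s (len %zu, stopped %d, bad %d)\n", out, r.len, r.stopped, r.bad);
    return 0;
}
```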
share/i18n/esdb/ISO-8859/ISO-8859.alias: revision 1.4
Add more aliases for Hebrew and Arabic ISO-8859-... encodings.
ISO-8859-8 is supposed to be visual order (i.e. legible if displayed ltr)
ISO-8859-8-i is supposed to be implicit logic order
ISO-8859-8-e is supposed to be explicit about order
In practice, ISO-8859-8 implying visual order is rare, and logic
order is used. ISO-8859-8-e is rarely used.
Same for Arabic, which uses ISO-8859-6-...
Mentioned in RFC 1555, RFC 1556.
usr.sbin/makefs/ffs.c: revision 1.70
PR/52828: Mark Johnston: makefs UFS2 lazy inode initialization is buggy
makefs(8) emulates UFS2 in performing lazy initialization of inode
blocks when allocating and writing inodes. However, it only ever
initializes one inode block at a time, which may be insufficient.
If so, a later initialization may clobber an inode, resulting in
an inconsistent filesystem.
I committed a minimal fix for the problem to FreeBSD:
https://svnweb.freebsd.org/changeset/base/326912
sys/netinet/udp_usrreq.c: revision 1.237 (via patch)
Fix three pretty bad mistakes in NAT-T:
* If we got a keepalive packet, we need to call m_freem, not m_free.
Here the next mbufs in the chain are not freed. Seems easy to remotely
DoS the system by sending fragmented keepalives in a loop.
* If !ipsec_used, free the mbuf.
* In udp_input, we need to update 'uh', because udp4_realinput may have
modified the chain. Perhaps we also need to re-enforce alignment, so
add an XXX.
sys/kern/uipc_mbuf.c: revision 1.214
Revert my rev1.190, remove the M_READONLY check. The initial code was
correct: what is read-only is the mbuf storage, not the mbuf itself. The
storage contains the packet payload, and never has anything related to
mbufs. So it is fine to remove M_PKTHDR on mbufs that have a read-only
storage.
In fact it was kind of obvious, since several places already manually
remove M_PKTHDR without taking care of the external storage.
sys/kern/uipc_mbuf.c: revision 1.211 (via patch)
Modify m_defrag, so that it never frees the first mbuf of the chain. While
here use the given 'flags' argument, and not M_DONTWAIT.
We have a problem with several drivers: they poll an mbuf chain from their
queues and call m_defrag on them, but m_defrag could update the mbuf
pointer, so the mbuf in the queue is no longer valid. It is not easy to
fix each driver, because doing pop+push will reorder the queue, and we
don't really want that to happen.
This problem was independently spotted by me, Kengo, Masanobu, and other
people too it seems (perhaps PR/53218).
Now m_defrag leaves the first mbuf in place, and compresses the chain
only starting from the second mbuf in the chain.
It is important not to compress the first mbuf with hacks, because the
storage of this first mbuf may be shared with other mbufs.
sys/net/npf/npf_inet.c: revision 1.45
sys/net/npf/npf_alg_icmp.c: revision 1.27-1.29
Fix use-after-free.
The nbuf can be reallocated as a result of caching 'enpc', so it is
necessary to recache 'npc', otherwise it contains pointers to the freed
mbuf - pointers which are then used in the ruleset machinery.
We recache 'npc' when we are sure we won't use 'enpc' anymore, because
'enpc' can be clobbered as a result of caching 'npc' (in other words,
only one of the two can be cached at the same time).
Also, we recache 'npc' unconditionally, because there is no way to know
whether the nbuf got clobbered relatively to it. We can't use the
NBUF_DATAREF_RESET flag, because it is stored in the nbuf and not in the
cache.
Discussed with rmind@.
Change npf_cache_all so that it ensures the potential ICMP Query Id is in
the nbuf. In such a way that we don't need to ensure that later.
Change npfa_icmp4_inspect and npfa_icmp6_inspect so that they touch neither
the nbuf nor npc. Adapt their callers accordingly.
In the end, if a packet has a Query Id, we set NPC_ICMP_ID in npc and leave
right away, without recaching npc (not needed since we didn't touch the
nbuf).
This fixes the handling of Query Id packets (that I broke in my previous
commit), and also fixes another possible use-after-free.
Ah, fix compilation. I tested my previous change by loading the kernel
module from the filesystem, but the Makefile didn't have DIAGNOSTIC
enabled, and the two KASSERTs I added did not compile properly.
sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)
Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).
Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.
Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.
sys/netipsec/ipsec_mbuf.c: revision 1.23,1.24 (via patch)
Don't assume M_PKTHDR is set only on the first mbuf of the chain. It
should, but it looks like there are several places that can put M_PKTHDR
on secondary mbufs (PR/53189), so drop this assumption right now to
prevent further bugs.
The check is replaced by (m1 != m), which is equivalent to the previous
code: we want to modify m->m_pkthdr.len only when 'm' was not passed in
m_adj().
Fix a pretty bad mistake, that has always been there.
m_adj(m1, -(m1->m_len - roff));
if (m1 != m)
m->m_pkthdr.len -= (m1->m_len - roff);
This is wrong: m_adj will modify m1->m_len, so we're using a wrong value
when manually adjusting m->m_pkthdr.len.
Because of that, it is possible to exploit the attack I described in
uipc_mbuf.c::rev1.182. The exploit is more complicated, but works 100%
reliably.
sys/kern/uipc_mbuf.c: revision 1.190
If the mbuf is shared leave M_PKTHDR in place. Given where this function
is called from that's not supposed to happen, but I'm growing unconfident
about our mbuf code.
bin/ed/ed.1: revision 1.32
bin/ed/main.c: revision 1.29
usr.bin/patch/pch.c: revision 1.29
Pass -S to ed(1) so that patches containing ! commands don't run commands.
Real cause of CVE-2018-0492:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894667
add -S to disable ! commands.
external/gpl3/binutils/dist/bfd/elflink.c: revision 1.14
When trying to decide the status of a weak symbol, resolve any
indirectness first. In the case of various Qt5 libraries, __bss_start
ends up with a Qt5 version, but it has to be resolved first to match the
actual (implicit) definition. This fixes the root cause of pkg/53089.
sys/kern/uipc_mbuf.c: revision 1.182
sys/netinet6/frag6.c: revision 1.67
sys/netinet/ip_reass.c: revision 1.14
sys/sys/mbuf.h: revision 1.179
Remove M_PKTHDR from secondary mbufs when reassembling packets.
This is a real problem, because I found at least one component that relies
on the fact that only the first mbuf has M_PKTHDR: far from here, in
m_splithdr, we don't update m->m_pkthdr.len if M_PKTHDR is found in a
secondary mbuf. (The initial intention there was to avoid updating
m_pkthdr.len twice, the assumption was that if M_PKTHDR is set then we're
dealing with the first mbuf.) Therefore, when handling fragmented IPsec
packets (in particular IPv6, IPv4 is a bit more complicated), we may end
up with an incorrect m_pkthdr.len after authentication or decryption. In
the case of ESP, this can lead to a remote crash on this instruction:
m_copydata(m, m->m_pkthdr.len - 3, 3, lastthree);
m_pkthdr.len is bigger than the actual mbuf chain.
It seems possible to me to trigger this bug even if you don't have the ESP
key, because the fragmentation part is outside of the encrypted ESP
payload.
So if you MITM the target, and intercept an incoming ESP packet (which you
can't decrypt), you should be able to forge a new specially-crafted,
fragmented packet and stuff the ESP payload (still encrypted, as you
intercepted it) into it. The decryption succeeds and the target crashes.
sys/net/npf/npf.h 1.55
Fix a vulnerability in NPF, that allows whatever incoming IPv6 packet to
bypass a certain number of filtering rules.
Basically there is an integer overflow in npf_cache_ip: npc_hlen is an
8-bit unsigned int, and can wrap to zero if the IPv6 packet being processed
has large extensions.
As a result of an overflow, (mbuf + npc_hlen) won't point at the real
protocol header, but instead at some garbage within the packet. That
garbage is what NPF applies its rules on.
If these filtering rules allow the packet to enter, that packet is given
to the main IPv6 entry point. This entry point, however, is not subject to
an integer overflow, so it will actually parse the correct protocol header.
The result is: NPF read a wrong header, allowed the packet to enter, the
kernel read the correct header, and delivered the packet depending on this
correct header. So the offending packet was supposed to be kicked, but
still went through the firewall.
Simple example, a packet with:
packet + 0 = IP6 Header
packet + 40 = IP6 Routing header (ip6r_len = 31)
packet + 48 = Crafted UDP header (uh_dport = 7777)
packet + 296 = IP6 Dest header (ip6e_len = 0)
packet + 304 = Real UDP header (uh_dport = 6666)
Will bypass a rule of the kind "block port 6666". Here NPF reads the
crafted UDP header, sees 7777, lets the packet in; later the kernel reads
the real UDP header, and delivers it on port 6666.
Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
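The overflow described in this entry, as an added example that is not NPF's own code: a bounds-checked walk over IPv6 extension headers that accumulates the header length in a uint32_t (the fix) while also carrying the same sum in a uint8_t to show where the pre-fix npc_hlen ends up. The packet is constructed inline with exactly the layout given above, and the walk rejects any header whose Hdr Ext Len claims more bytes than the packet holds, which is the second problem the entry mentions. Struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 Next Header values used below (same numbers as <netinet/in.h>). */
enum { NH_HOPOPTS = 0, NH_UDP = 17, NH_ROUTING = 43, NH_DSTOPTS = 60 };
#define IP6_HDRLEN 40

/* What the extension-header walk found (hypothetical struct). */
struct ip6_walk {
    uint32_t hlen32;  /* offset of the upper-layer header, summed in uint32_t (the fix) */
    uint8_t  hlen8;   /* the same sum kept in a uint8_t, as npc_hlen was before the fix */
    uint8_t  proto;   /* upper-layer protocol reached */
    int      ok;      /* 0 if a header ran past the end of the packet */
};

/*
 * Walk hop-by-hop, routing and destination-options headers up to the
 * upper-layer header. Every read is checked against len first, so a
 * header whose length field points beyond the packet is rejected.
 */
struct ip6_walk walk_ip6_headers(const uint8_t *pkt, size_t len)
{
    struct ip6_walk w = { 0, 0, 0, 0 };
    if (len < IP6_HDRLEN)
        return w;
    uint8_t nh = pkt[6];                 /* Next Header of the fixed header */
    uint32_t off = IP6_HDRLEN;
    uint8_t off8 = IP6_HDRLEN;

    for (;;) {
        if (nh != NH_HOPOPTS && nh != NH_ROUTING && nh != NH_DSTOPTS) {
            w.hlen32 = off; w.hlen8 = off8; w.proto = nh; w.ok = 1;
            return w;
        }
        /* These headers all start with Next Header and Hdr Ext Len octets. */
        if (off + 8 > len)
            return w;
        uint32_t extlen = ((uint32_t)pkt[off + 1] + 1) * 8;  /* 8..2048 bytes */
        if (off + extlen > len)
            return w;                    /* claims more data than the packet holds */
        nh = pkt[off];
        off += extlen;                   /* cannot wrap: bounded by len */
        off8 = (uint8_t)(off8 + extlen); /* wraps silently once the sum passes 255 */
    }
}

/* Destination port of a UDP header at offset off, or 0 if it does not fit. */
uint16_t udp_dport_at(const uint8_t *pkt, size_t len, uint32_t off)
{
    if (off + 8 > len)
        return 0;
    return (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
}

/* Constructed packet with the layout listed in the commit message: 312 bytes. */
size_t build_sample_packet(uint8_t *buf, size_t cap)
{
    const size_t total = IP6_HDRLEN + 256 + 8 + 8;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                                        /* version 6 */
    buf[4] = (uint8_t)((total - IP6_HDRLEN) >> 8);        /* payload length */
    buf[5] = (uint8_t)((total - IP6_HDRLEN) & 0xff);
    buf[6] = NH_ROUTING;
    buf[40] = NH_DSTOPTS; buf[41] = 31;                   /* routing header: (31+1)*8 = 256 bytes */
    buf[48 + 2] = 7777 >> 8; buf[48 + 3] = 7777 & 0xff;   /* UDP-shaped bytes inside the routing header */
    buf[296] = NH_UDP; buf[297] = 0;                      /* destination options header: 8 bytes */
    buf[304 + 2] = 6666 >> 8; buf[304 + 3] = 6666 & 0xff; /* real UDP header */
    return total;
}

int main(void)
{
    uint8_t pkt[512];
    size_t n = build_sample_packet(pkt, sizeof pkt);
    struct ip6_walk w = walk_ip6_headers(pkt, n);
    printf("uint32_t offset %u -> dport %u\n", w.hlen32, udp_dport_at(pkt, n, w.hlen32));
    printf("uint8_t  offset %u -> dport %u\n", w.hlen8, udp_dport_at(pkt, n, w.hlen8));
    printf("truncated to 300 bytes: ok=%d\n", walk_ip6_headers(pkt, 300).ok);
    return 0;
}
```

With the 32-bit sum the walk lands on offset 304 and sees port 6666, the same header the IPv6 input path will parse; the 8-bit sum lands on 48 and sees 7777, so a filter and the stack it protects disagree about the same packet. The truncated case shows why the length check matters: a destination-options header starting at 296 in a 300-byte packet is refused rather than read off the end.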
sys/netinet6/ip6_forward.c: revision 1.91 (via patch)
Fix two pretty bad mistakes. If ipsec6_check_policy fails m is not freed,
and a 'goto out' is missing after ipsec6_process_packet.
external/public-domain/tz/dist/ziguard.awk up to 1.1.1.1
external/public-domain/tz/dist/CONTRIBUTING up to 1.1.1.5
external/public-domain/tz/dist/Makefile up to 1.1.1.20
external/public-domain/tz/dist/NEWS up to 1.1.1.21
external/public-domain/tz/dist/README up to 1.1.1.6
external/public-domain/tz/dist/TZDATA_VERSION up to 1.11
external/public-domain/tz/dist/africa up to 1.1.1.14
external/public-domain/tz/dist/antarctica up to 1.1.1.10
external/public-domain/tz/dist/asia up to 1.1.1.19
external/public-domain/tz/dist/australasia up to 1.1.1.14
external/public-domain/tz/dist/backzone up to 1.1.1.14
external/public-domain/tz/dist/checktab.awk up to 1.1.1.9
external/public-domain/tz/dist/europe up to 1.1.1.20
external/public-domain/tz/dist/leap-seconds.list up to 1.1.1.9
external/public-domain/tz/dist/leapseconds up to 1.1.1.10
external/public-domain/tz/dist/northamerica up to 1.1.1.19
external/public-domain/tz/dist/southamerica up to 1.1.1.14
external/public-domain/tz/dist/theory.html up to 1.1.1.3
external/public-domain/tz/dist/version up to 1.1.1.8
external/public-domain/tz/dist/zishrink.awk up to 1.1.1.3
external/public-domain/tz/dist/zone.tab up to 1.1.1.14
external/public-domain/tz/dist/zone1970.tab up to 1.1.1.16
Import tzdata2018d from ftp://ftp.iana.org/tz/releases/tzdata2018d.tar.gz
Summary of changes in tzdata2018d (2018-03-22 07:05:46 -0700):
In 2018, Palestine starts DST on March 24 (today!), not March 31
Casey Station in Antarctica changed from +11 to +08 on 2018-03-11
at 04:00.
Various adjustments to some historical conversions (several for
Uruguay (1920 .. 1990), one for Enderbury and Kiritimati (1994/5),
one for Portugal and colonies (1912) and Jamaica and Turks & Caicos
(pre 1913)).
sys/sys/bitops.h: revision 1.12
sys/sys/bitops.h: revision 1.13
sys/sys/bitops.h: revision 1.14
fix sign issues
use 1ul for a left shift that may be greater than int sized.
noticed by martin.
fixes PR#53081.
PR/53081: Fix size of the shift to depend on the type of the bitmap so that
we get the correct width.