author | Colin Percival <cperciva@FreeBSD.org> | 2006-12-06 09:18:02 +0000 |
---|---|---|
committer | Colin Percival <cperciva@FreeBSD.org> | 2006-12-06 09:18:02 +0000 |
commit | bd1be22e3c9cf62f60c784c402390b821441a344 (patch) | |
tree | a4cc7838e72842fea0c62cb11241506f9ba3b43f | |
parent | c86ddc159169e05b81ff2b0c5b81e698a4ecf6c8 (diff) | |
Correct a signedness bug which allowed members of the operator
group to read kernel memory. [1]
Disable handling of GNUTYPE_NAMES tar file entries by default,
since they can be used to extract files outside of the cwd. [2]
Security: FreeBSD-SA-06:25.kmem [1]
Security: FreeBSD-SA-06:26.gtar [2]
Approved by: so (cperciva)
Notes
Notes:
svn path=/releng/4.11/; revision=164944
-rw-r--r-- | UPDATING | 7 | ||||
-rw-r--r-- | contrib/tar/src/common.h | 3 | ||||
-rw-r--r-- | contrib/tar/src/extract.c | 8 | ||||
-rw-r--r-- | contrib/tar/src/tar.c | 8 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
-rw-r--r-- | sys/dev/firewire/fwdev.c | 2 |
6 files changed, 27 insertions, 3 deletions
@@ -17,6 +17,13 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section. +20061206: p26 FreeBSD-SA-06:25.kmem, FreeBSD-SA-06.26.gtar + Correct a signedness bug which allowed members of the operator + group to read kernel memory. [06:25] + + Disable handling of GNUTYPE_NAMES tar file entries by default, + since they can be used to extract files outside of the cwd. [06:26] + 20060930: p25 FreeBSD-SA-06:22.openssh Correct multiple vulnerabilities in sshd(8). diff --git a/contrib/tar/src/common.h b/contrib/tar/src/common.h index 40e0ab61d78f..ee2548e7d37e 100644 --- a/contrib/tar/src/common.h +++ b/contrib/tar/src/common.h @@ -124,6 +124,9 @@ GLOBAL size_t record_size; /* Boolean value. */ GLOBAL int absolute_names_option; +/* Allow GNUTYPE_NAMES type? */ +GLOBAL bool allow_name_mangling_option; + /* This variable tells how to interpret newer_mtime_option, below. If zero, files get archived if their mtime is not less than newer_mtime_option. If nonzero, files get archived if *either* their ctime or mtime is not less diff --git a/contrib/tar/src/extract.c b/contrib/tar/src/extract.c index 3032da06ceb3..81010a79c1c7 100644 --- a/contrib/tar/src/extract.c +++ b/contrib/tar/src/extract.c @@ -1219,7 +1219,13 @@ extract_archive (void) break; case GNUTYPE_NAMES: - extract_mangle (); + if (allow_name_mangling_option) + extract_mangle (); + else { + ERROR ((0, 0, _("GNUTYPE_NAMES mangling ignored"))); + if (backup_option) + undo_last_backup (); + } break; case GNUTYPE_MULTIVOL: diff --git a/contrib/tar/src/tar.c b/contrib/tar/src/tar.c index 7d872faf11a3..27ac28e35609 100644 --- a/contrib/tar/src/tar.c +++ b/contrib/tar/src/tar.c @@ -129,6 +129,7 @@ confirm (const char *message_action, const char *message_name) enum { ANCHORED_OPTION = CHAR_MAX + 1, + ALLOW_NAME_MANGLING_OPTION, BACKUP_OPTION, DELETE_OPTION, EXCLUDE_OPTION, 
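Review bot: The comment on the new flag in contrib/tar/src/common.h, `/* Allow GNUTYPE_NAMES type? */`, records neither the default nor the reason the switch exists, and both matter for a security opt-in. Something like `/* If true, honour GNUTYPE_NAMES entries on extract. Off by default: they can place files outside the cwd. */` would carry the commit message's rationale into the source. The neighbouring option is declared `int` with a "Boolean value." comment while this one is `bool`. That is harmless, but worth a glance for consistency with the rest of the header.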
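Review bot: The refusal path added under `case GNUTYPE_NAMES:` in contrib/tar/src/extract.c reports the error and undoes the backup, but nothing visible in the hunk consumes the entry's data blocks. If `extract_mangle ()` is the routine that normally reads them (its body is outside this hunk, so this is inferred), the reader stays positioned on the name records and the next header read would interpret archive-controlled bytes as a header. The else branch should skip the member's data before `break`, using whatever skip routine the extractor already uses for entries it declines to extract. As a style point, `else {` after an unbraced `if` departs from the GNU brace layout in the surrounding context lines.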
@@ -178,6 +179,7 @@ static struct option long_options[] = {"absolute-names", no_argument, 0, 'P'}, {"absolute-paths", no_argument, 0, OBSOLETE_ABSOLUTE_NAMES}, {"after-date", required_argument, 0, 'N'}, + {"allow-name-mangling", no_argument, 0, ALLOW_NAME_MANGLING_OPTION}, {"anchored", no_argument, 0, ANCHORED_OPTION}, {"append", no_argument, 0, 'r'}, {"atime-preserve", no_argument, &atime_preserve_option, 1}, @@ -392,6 +394,8 @@ Archive format selection:\n\ PATTERN at list/extract time, a globbing PATTERN\n\ -o, --old-archive, --portability write a V7 format archive\n\ --posix write a POSIX format archive\n\ + --allow-name-mangling allow GNUTYPE_NAMES mangling --\n\ + considered dangerous\n\ -j, -y, --bzip, --bzip2, --bunzip2 filter the archive through bzip2\n\ -z, --gzip, --ungzip filter the archive through gzip\n\ -Z, --compress, --uncompress filter the archive through compress\n\ @@ -901,6 +905,10 @@ decode_options (int argc, char **argv) set_use_compress_program_option ("compress"); break; + case ALLOW_NAME_MANGLING_OPTION: + allow_name_mangling_option = true; + break; + case OBSOLETE_VERSION_CONTROL: WARN ((0, 0, _("Obsolete option name replaced by --backup"))); /* Fall through. */ diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 3be26cc90acf..95cdb9c9a868 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -36,7 +36,7 @@ TYPE="FreeBSD" REVISION="4.11" -BRANCH="RELEASE-p25" +BRANCH="RELEASE-p26" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" diff --git a/sys/dev/firewire/fwdev.c b/sys/dev/firewire/fwdev.c index ae736c2969ba..f8789ec6f60f 100644 --- a/sys/dev/firewire/fwdev.c +++ b/sys/dev/firewire/fwdev.c @@ -704,7 +704,7 @@ out: else len = fwdev->rommax - CSRROMOFF + 4; } - if (crom_buf->len < len) + if (crom_buf->len < len && crom_buf->len >= 0) len = crom_buf->len; else crom_buf->len = len; |
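Review bot: The usage text added for `--allow-name-mangling` in contrib/tar/src/tar.c says only "considered dangerous", which does not tell the user what they are opting into. Per the commit message the risk is that such entries can extract files outside the cwd, so a wording such as `allow GNUTYPE_NAMES mangling -- may write outside cwd` would be more useful at the point of decision. The entry is also listed under "Archive format selection" although the flag only changes extraction behaviour. The `case ALLOW_NAME_MANGLING_OPTION:` hunk in decode_options depends on the flag starting out false, which presumably comes from zero-initialisation of the `GLOBAL` and is worth a short comment.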
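Review bot: In sys/dev/firewire/fwdev.c the new guard `crom_buf->len >= 0` keeps a negative caller-supplied length from becoming `len`, but the request then falls into the `else` arm and is silently served as a full-length read with `crom_buf->len` overwritten. Rejecting a negative length with an error before this point would surface the malformed request instead of normalising it. Changing the field to an unsigned type would remove this class of bug, if the ioctl ABI allows it. The declarations of `len` and `crom_buf->len` are outside the hunk, so their types are inferred here. Either way the line deserves a why-comment, for example `/* crom_buf->len is signed and user-controlled; never let a negative value become the copy length */`.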