Re: ftp mput recursiv upload diff for testing

[Alexander Bluhm]

On Sat, Jul 28, 2012 at 10:02:05PM +0200, Jan Klemkow wrote:
> + if (stat(*cpp, &filestat) != 0) {
> + warn(NULL);
warn("local: %s", *cpp);
So the user can see which file causes trouble.
> + continue;
> + }

> + if (chdir("..") != 0) {
> + mflag = 0;
warn("local: %s", *cpp);
You have a warning in all other cases, put one here too.
> + goto out;
> + }

bluhm

Re: Another nsd vulnerability fix

[Stuart Henderson]

On 2012/07/28 12:21, Loganaden Velvindron wrote:
> It can be triggered if nsd was compiled with --enable-zone-stats.
> 
> http://www.nlnetlabs.nl/downloads/CVE-2012-2979.txt

nsd isn't built with this option in OpenBSD so I don't see any big
reason to take this as a separate patch, we will of course pick it up
when we sync with 3.2.13.

use time_uptime for various pf expirations

[Florian Obser]

Benno and me were looking into why pflow is sending flows with
starttime after endtime. We believe this was introduced with this
commit:


CVSROOT:/cvs
Module name:src
Changes by: d...@cvs.openbsd.org 2011/11/25 05:52:10

Modified files:
sys/net: if_pflow.c if_pfsync.c pf.c pf_ioctl.c
 pf_norm.c

Log message:
use time_uptime to set state creation values as time_second can be
skewed at runtime by things like date(1) and ntpd. time_uptime is
monotonic and therefore more useful to compare against.

ok deraadt@ mikeb@


So the startime comes from time_uptime while the expiration time
depends on time_second:
in pf_purge_expired_states(u_int32_t maxcheck):
} else if (pf_state_expires(cur) <= time_second) {

The following patch changes the state timeouts to time_uptime. There
are two additional patches for fragmentation and src track timeouts.

I believe the remaining usages of time_second are for display purpose
(in pf_ioctl.c, pf_table.c, pf_if.c and one in pf.c)

Index: sys/net/if_pfsync.c
===
RCS file: /opt/OpenBSD-CVS/src/sys/net/if_pfsync.c,v
retrieving revision 1.189
diff -u -p -r1.189 if_pfsync.c
--- sys/net/if_pfsync.c 26 Jul 2012 12:25:31 -  1.189
+++ sys/net/if_pfsync.c 28 Jul 2012 17:16:08 -
@@ -574,7 +574,7 @@ pfsync_state_import(struct pfsync_state 
/* copy to state */
bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr));
st->creation = time_uptime - ntohl(sp->creation);
-   st->expire = time_second;
+   st->expire = time_uptime;
if (sp->expire) {
u_int32_t timeout;
 
@@ -948,7 +948,7 @@ pfsync_in_upd(caddr_t buf, int len, int 
if (sync < 2) {
pfsync_alloc_scrub_memory(&sp->dst, &st->dst);
pf_state_peer_ntoh(&sp->dst, &st->dst);
-   st->expire = time_second;
+   st->expire = time_uptime;
st->timeout = sp->timeout;
}
st->pfsync_time = time_uptime;
@@ -1022,7 +1022,7 @@ pfsync_in_upd_c(caddr_t buf, int len, in
if (sync < 2) {
pfsync_alloc_scrub_memory(&up->dst, &st->dst);
pf_state_peer_ntoh(&up->dst, &st->dst);
-   st->expire = time_second;
+   st->expire = time_uptime;
st->timeout = up->timeout;
}
st->pfsync_time = time_uptime;
Index: sys/net/pf.c
===
RCS file: /opt/OpenBSD-CVS/src/sys/net/pf.c,v
retrieving revision 1.809
diff -u -p -r1.809 pf.c
--- sys/net/pf.c26 Jul 2012 12:25:31 -  1.809
+++ sys/net/pf.c28 Jul 2012 17:16:08 -
@@ -1105,10 +1105,10 @@ pf_state_export(struct pfsync_state *sp,
bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
sp->creation = htonl(time_uptime - st->creation);
sp->expire = pf_state_expires(st);
-   if (sp->expire <= time_second)
+   if (sp->expire <= time_uptime)
sp->expire = htonl(0);
else
-   sp->expire = htonl(sp->expire - time_second);
+   sp->expire = htonl(sp->expire - time_uptime);
 
sp->direction = st->direction;
sp->log = st->log;
@@ -1179,7 +1179,7 @@ pf_state_expires(const struct pf_state *
 
/* handle all PFTM_* > PFTM_MAX here */
if (state->timeout == PFTM_PURGE)
-   return (time_second);
+   return (time_uptime);
KASSERT(state->timeout != PFTM_UNLINKED);
KASSERT(state->timeout < PFTM_MAX);
timeout = state->rule.ptr->timeout[state->timeout];
@@ -1199,7 +1199,7 @@ pf_state_expires(const struct pf_state *
return (state->expire + timeout * (end - states) /
(end - start));
else
-   return (time_second);
+   return (time_uptime);
}
return (state->expire + timeout);
 }
@@ -1343,7 +1343,7 @@ pf_purge_expired_states(u_int32_t maxche
locked = 1;
}
pf_free_state(cur);
-   } else if (pf_state_expires(cur) <= time_second) {
+   } else if (pf_state_expires(cur) <= time_uptime) {
/* unlink and free expired state */
pf_unlink_state(cur);
if (! locked) {
@@ -3761,7 +3761,7 @@ pf_create_state(struct pf_pdesc *pd, str
}
 
s->creation = time_uptime;
-   s->expire = time_second;
+   s->expire = time_uptime;
 
if (pd->proto == IPPROTO_TCP

Re: ftp mput recursiv upload diff for testing

[Jan Klemkow]

I fixed a few things from the mails bevor...

Index: cmds.c
===
RCS file: /cvs/src/usr.bin/ftp/cmds.c,v
retrieving revision 1.70
diff -u -p -r1.70 cmds.c
--- cmds.c  5 May 2009 19:35:30 -   1.70
+++ cmds.c  28 Jul 2012 19:48:56 -
@@ -231,15 +231,32 @@ mput(int argc, char *argv[])
extern int optind, optreset;
int ch, i, restartit = 0;
sig_t oldintr;
-   char *cmd, *tp;
+   char *cmd, *tp, *xargv[] = { argv[0], NULL, NULL };
+   const char *errstr;
+   static int depth = 0, max_depth = 0;
 
optind = optreset = 1;
 
-   while ((ch = getopt(argc, argv, "c")) != -1) {
+   if (depth)
+   depth++;
+
+   while ((ch = getopt(argc, argv, "cd:r")) != -1) {
switch(ch) {
case 'c':
restartit = 1;
break;
+   case 'd':
+   max_depth = strtonum(optarg, 0, INT_MAX, &errstr);
+   if (errstr != NULL) {
+   fprintf(ttyout, "bad depth value, %s: %s\n",
+   errstr, optarg);
+   code = -1;
+   return;
+   }
+   break;
+   case 'r':
+   depth = 1;
+   break;
default:
goto usage;
}
@@ -247,7 +264,8 @@ mput(int argc, char *argv[])
 
if (argc - optind < 1 && !another(&argc, &argv, "local-files")) {
 usage:
-   fprintf(ttyout, "usage: %s [-c] local-files\n", argv[0]);
+   fprintf(ttyout, "usage: %s [-cr] [-d depth] local-files\n",
+   argv[0]);
code = -1;
return;
}
@@ -318,11 +336,13 @@ usage:
mflag = 0;
return;
}
+
for (i = 1; i < argc; i++) {
char **cpp;
glob_t gl;
int flags;
 
+   /* Copy files without word expansion */
if (!doglob) {
if (mflag && confirm(argv[0], argv[i])) {
tp = (ntflag) ? dotrans(argv[i]) : argv[i];
@@ -348,6 +368,7 @@ usage:
continue;
}
 
+   /* expanding file names */
memset(&gl, 0, sizeof(gl));
flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
if (glob(argv[i], flags, NULL, &gl) || gl.gl_pathc == 0) {
@@ -355,33 +376,88 @@ usage:
globfree(&gl);
continue;
}
+
+   /* traverse all expanded file names */
for (cpp = gl.gl_pathv; cpp && *cpp != NULL; cpp++) {
-   if (mflag && confirm(argv[0], *cpp)) {
-   tp = (ntflag) ? dotrans(*cpp) : *cpp;
-   tp = (mapflag) ? domap(tp) : tp;
-   if (restartit == 1) {
-   off_t ret;
+   struct stat filestat;
 
-   if (curtype != type)
-   changetype(type, 0);
-   ret = remotesize(tp, 0);
-   restart_point = (ret < 0) ? 0 : ret;
-   }
-   cmd = restartit ? "APPE" : ((sunique) ?
-   "STOU" : "STOR");
-   sendrequest(cmd, *cpp, tp,
-   *cpp != tp || !interactive);
-   restart_point = 0;
-   if (!mflag && fromatty) {
-   if (confirm(argv[0], NULL))
-   mflag = 1;
+   if (!mflag)
+   continue;
+   if (stat(*cpp, &filestat) != 0) {
+   warn(NULL);
+   continue;
+   }
+   if (S_ISDIR(filestat.st_mode) && depth == max_depth)
+   continue;
+   if (!confirm(argv[0], *cpp))
+   continue;
+
+   /*
+* If file is a directory then create a new one
+* at the remote machine.
+*/
+   if (S_ISDIR(filestat.st_mode)) {
+   xargv[1] = *cpp;
+   makedir(2, xargv);
+   cd(2, xargv);
+   if (dirchange != 1) {
+   warnx("remote: %s"

Another nsd vulnerability fix

[Loganaden Velvindron]

It can be triggered if nsd was compiled with --enable-zone-stats.

http://www.nlnetlabs.nl/downloads/CVE-2012-2979.txt

OpenBSD patch:

Index: query.c
===
RCS file: /cvs/src/usr.sbin/nsd/query.c,v
retrieving revision 1.6
diff -u -p -r1.6 query.c
--- query.c 19 Jul 2012 17:46:11 -  1.6
+++ query.c 28 Jul 2012 16:02:54 -
@@ -1209,9 +1209,11 @@ answer_query(struct nsd *nsd, struct que
answer_lookup_zone(nsd, q, &answer, 0, exact, closest_match,
closest_encloser, q->qname);
 
-   ZTATUP2(q->zone, opcode, q->opcode);
-   ZTATUP2(q->zone, qtype, q->qtype);
-   ZTATUP2(q->zone, opcode, q->qclass);
+if (q->zone) {
+   ZTATUP2(q->zone, opcode, q->opcode);
+   ZTATUP2(q->zone, qtype, q->qtype);
+   ZTATUP2(q->zone, opcode, q->qclass);
+   }
 
offset = 
dname_label_offsets(q->qname)[domain_dname(closest_encloser)->label_count - 1] 
+ QHEADERSZ;
query_add_compression_domain(q, closest_encloser, offset);
@@ -1403,7 +1405,9 @@ query_add_optional(query_type *q, nsd_ty
}
ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
STATUP(nsd, edns);
-   ZTATUP(q->zone, edns);
+   if (q->zone) {
+   ZTATUP(q->zone, edns);
+   }
break;
case EDNS_ERROR:
if (q->edns.dnssec_ok)  edns->error[7] = 0x80;
@@ -1412,7 +1416,9 @@ query_add_optional(query_type *q, nsd_ty
buffer_write(q->packet, edns->rdata_none, OPT_RDATA);
ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
STATUP(nsd, ednserr);
-   ZTATUP(q->zone, ednserr);
+   if (q->zone) {
+   ZTATUP(q->zone, ednserr);
+   }
break;
}
 
Index: server.c
===
RCS file: /cvs/src/usr.sbin/nsd/server.c,v
retrieving revision 1.5
diff -u -p -r1.5 server.c
--- server.c9 Jul 2012 21:56:41 -   1.5
+++ server.c28 Jul 2012 16:02:55 -
@@ -1417,15 +1417,20 @@ handle_udp(netio_type *ATTR_UNUSED(netio
 #ifdef BIND8_STATS
if (RCODE(q->packet) == RCODE_OK && !AA(q->packet)) {
STATUP(data->nsd, nona);
-   ZTATUP(q->zone, nona);
+# ifdef USE_ZONE_STATS
+   if (q->zone)
+   ZTATUP(q->zone, nona);
+# endif
}
 
 # ifdef USE_ZONE_STATS
+   if (q->zone) {
if (data->socket->addr->ai_family == AF_INET) {
ZTATUP(q->zone, qudp);
} else if (data->socket->addr->ai_family == AF_INET6) {
ZTATUP(q->zone, qudp6);
}
+   }
 # endif
 #endif
 
@@ -1443,17 +1448,27 @@ handle_udp(netio_type *ATTR_UNUSED(netio
if (sent == -1) {
log_msg(LOG_ERR, "sendto failed: %s", 
strerror(errno));
STATUP(data->nsd, txerr);
-   ZTATUP(q->zone, txerr);
+
+#ifdef USE_ZONE_STATS
+   if (q->zone)
+   ZTATUP(q->zone, txerr);
+#endif
} else if ((size_t) sent != 
buffer_remaining(q->packet)) {
log_msg(LOG_ERR, "sent %d in place of %d 
bytes", sent, (int) buffer_remaining(q->packet));
 #ifdef BIND8_STATS
} else {
/* Account the rcode & TC... */
STATUP2(data->nsd, rcode, RCODE(q->packet));
-   ZTATUP2(q->zone, rcode, RCODE(q->packet));
+# ifdef USE_ZONE_STATS
+   if (q->zone)
+   ZTATUP2(q->zone, rcode, 
RCODE(q->packet));
+# endif
if (TC(q->packet)) {
STATUP(data->nsd, truncated);
-   ZTATUP(q->zone, truncated);
+# ifdef USE_ZONE_STATS
+   if (q->zone)
+   ZTATUP(q->zone, truncated);
+# endif
}
 #endif /* BIND8_STATS */
}
@@ -1665,12 +1680,16 @@ handle_tcp_reading(netio_type *netio,
&& !AA(data->query->packet))
{
STATUP(data->nsd, nona);
-   ZTATUP(data->query->zone, nona);
+# ifdef USE_ZONE_STATS
+   if (data->query->zone)
+   ZTATUP(data->query->zone, nona);
+# endif
}
 
 # ifdef USE_ZONE_STATS
+   if (data->query->zone) {
 #  ifndef INET6
-   ZTAT

Re: Diff pflog.4 - sync struct pfloghdr with current

[Johan Ryberg]

Has this been noticed?

// Johan

2012/7/26 Johan Ryberg :
> Index: share/man/man4/pflog.4
> ===
> RCS file: /cvs/src/share/man/man4/pflog.4,v
> retrieving revision 1.10
> diff -u -r1.10 pflog.4
> --- share/man/man4/pflog.4  31 May 2007 19:19:51 -  1.10
> +++ share/man/man4/pflog.4  26 Jul 2012 17:39:56 -
> @@ -68,7 +68,7 @@
> u_int8_taction;
> u_int8_treason;
> charifname[IFNAMSIZ];
> -   charruleset[PF_RULESET_NAME_SIZE];
> +   charruleset[PFLOG_RULESET_NAME_SIZE];
> u_int32_t   rulenr;
> u_int32_t   subrulenr;
> uid_t   uid;
> @@ -76,7 +76,13 @@
> uid_t   rule_uid;
> pid_t   rule_pid;
> u_int8_tdir;
> -   u_int8_tpad[3];
> +   u_int8_trewritten;
> +   sa_family_t naf;
> +   u_int8_tpad[1];
> +   struct pf_addr  saddr;
> +   struct pf_addr  daddr;
> +   u_int16_t   sport;
> +   u_int16_t   dport;
>  };
>  .Ed
>  .Sh EXAMPLES

Re: rm -P

[Ryan McBride]

I'm a bit late to the party, I know. But I just wanted to point out that
NIST now requires only the regular 'secure erase' ATA command to
sanitize a drive for anything that wouldn't require the drive to be
pitched into a metal shredder, pulverised, ground into powder, and then
melted into slag.

In other words, on modern hard drives, a single write with zeros is
probably enough. And if it isn't, the data shouldn't have been
unencrypted on the drive in the first place.

I'm opposed to adding more complication to this utility. I'd prefer that
it does it quickly and correctly, so that I will use it. The people who
want 35 overwrites won't trust the tool we provide anyways.


P.S.  An advantage of writing with zeros is that it's easy to verify
that the overwrite was done correctly. arc4random()... not so much.


On Wed, Jul 25, 2012 at 10:01:13AM -0500, Todd T. Fries wrote:
> Penned by Christian Weisgerber on 20120725  9:37.07, we have:
> | Ted Unangst  wrote:
> | 
> | > So I'm wiping a file from a fairly slow USB stick and it's taking
> | > forever.  I don't really give a shit about some guy with a quantum
> | > tachyon microscope taking it apart,
> | 
> | But if you do, overwriting with a constant pattern is stupid.  You
> | want to overwrite the old data with random bytes, effectively running
> | a stream cipher on any remnant signal.
> | 
> | (And forget about this with flash media, where you each write to
> | the same logical block may end up in different physical blocks.)
> | 
> | > I just want the files to be gone
> | > enough that a simple undelete tool won't bring them back.  The three
> | > wipes is the charm approach of rm -P is a little heavy handed.
> | > 
> | > What I propose is making -P wipe the file once each time it's
> | > provided.  I get the simple whack the data for good option I want, the
> | > paranoid weirdos get the rm `jot -b -P 4096` scrubber they want.
> | 
> | Replace the memset() in pass() with arc4random_buf() and I'm starting
> | to like it.
> 
> There is a paper entitled "Secure Deletion of Data from Magnetic and 
> Solid-State Memory"
> from the Sixth (6th) Annual USENiX Security Symposium that talks about this.
> 
> For the extreme bit twiddling bunch, the recommendation is to use 35 rounds.
> 1-4 using /dev/arandom
> 5-31 using Guttman's deterministic patterns
> 32-35 using /dev/arandom again
> 
> I've seen diffs proposed to do this in 'rm' before introduce another flag.
> 
> I could easily see how we could do parts of the above until 35 -P's are given.
> 
> Also, consider the ramdisks, and make -P become something that is not compiled
> `#ifdef SMALL'.
> 
> One could, alternately, provide a 'secrm' alias to call some other tool to do
> the bit wiping and finally call rm.
> 
> I won't complain what happens either way, but I would be rather pleased if 
> something
> of the Guttman's recommondations could be incorporated for high counts of -P.

Esto Es Para Vos -tech- No Te Lo Pierdas

[Descarga Inmediata 1800 Contratos]

tech, si no podes visualizar este correo, podes hacerlo clickeando en
este enlace.
1800 Modelos De Contratos | Documentos Legales Pre-Diseñados

1800 Modelos De Contratos Pre Diseñados Listos Para
Usar

UNICA OPORTUNIDAD A PRECIO PROMOCIONAL
Para visitar la web y ver mas detalles haga CLIC ACA

Este email tiene como unico destinatario tech

Para ser eliminado de nuestras listas envienos un email y en asunto
aclarar REMOVER

sxmkjsaprfmyngsoxrpy

Sesiones Anticelulitis | Masajes Relajantes | Uñas Esculpidas | Tratamiento Capilar femenino | Maquillaje y Peinado | Permanente de Pestañas

[Bonus Cupon Especial Mujer!]

Si no podes visualizar este mail, ingresa a:
http://news1.bonuscupon.com.ar/r.html?uid=1.29.295h.12t.yz5oief06h