Author: des
Date: Tue Dec 23 22:55:14 2014
New Revision: 276158
URL: https://svnweb.freebsd.org/changeset/base/276158

Log:
  [SA-14:31] Fix multiple vulnerabilities in NTP suite.
  [EN-14:13] Fix directory deletion issue in freebsd-update.
  
  Approved by:  so

Modified:
  releng/10.0/UPDATING
  releng/10.0/contrib/ntp/ntpd/ntp_config.c
  releng/10.0/contrib/ntp/ntpd/ntp_control.c
  releng/10.0/contrib/ntp/ntpd/ntp_crypto.c
  releng/10.0/contrib/ntp/ntpd/ntp_proto.c
  releng/10.0/contrib/ntp/util/ntp-keygen.c
  releng/10.0/sys/conf/newvers.sh
  releng/10.0/usr.sbin/freebsd-update/freebsd-update.sh

Modified: releng/10.0/UPDATING
==============================================================================
--- releng/10.0/UPDATING        Tue Dec 23 22:54:25 2014        (r276157)
+++ releng/10.0/UPDATING        Tue Dec 23 22:55:14 2014        (r276158)
@@ -16,6 +16,12 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20141223:      p15     FreeBSD-SA-14:31.ntp
+                       FreeBSD-EN-14:13.freebsd-update
+
+       Fix multiple vulnerabilities in NTP suite.  [SA-14:31]
+       Fix directory deletion issue in freebsd-update.  [EN-14:13]
+
 20141217:      p14     FreeBSD-SA-14:30.unbound
        Fix unbound remote denial of service vulnerability.
 

Modified: releng/10.0/contrib/ntp/ntpd/ntp_config.c
==============================================================================
--- releng/10.0/contrib/ntp/ntpd/ntp_config.c   Tue Dec 23 22:54:25 2014        
(r276157)
+++ releng/10.0/contrib/ntp/ntpd/ntp_config.c   Tue Dec 23 22:55:14 2014        
(r276158)
@@ -1887,7 +1887,7 @@ getconfig(
 
                for (i = 0; i < 8; i++)
                        for (j = 1; j < 100; ++j) {
-                               rankey[i] = (char) (ntp_random() & 0xff);
+                               rankey[i] = (char) (arc4random() & 0xff);
                                if (rankey[i] != 0) break;
                        }
                rankey[8] = 0;

Modified: releng/10.0/contrib/ntp/ntpd/ntp_control.c
==============================================================================
--- releng/10.0/contrib/ntp/ntpd/ntp_control.c  Tue Dec 23 22:54:25 2014        
(r276157)
+++ releng/10.0/contrib/ntp/ntpd/ntp_control.c  Tue Dec 23 22:55:14 2014        
(r276158)
@@ -24,6 +24,10 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
+#ifndef MIN
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
+#endif
+
 /*
  * Structure to hold request procedure information
  */
@@ -893,6 +897,7 @@ ctl_putdata(
        )
 {
        int overhead;
+       unsigned int currentlen;
 
        overhead = 0;
        if (!bin) {
@@ -916,12 +921,22 @@ ctl_putdata(
        /*
         * Save room for trailing junk
         */
-       if (dlen + overhead + datapt > dataend) {
+       while (dlen + overhead + datapt > dataend) {
                /*
                 * Not enough room in this one, flush it out.
                 */
+               currentlen = MIN(dlen, dataend - datapt);
+
+               memcpy(datapt, dp, currentlen);
+
+               datapt += currentlen;
+               dp += currentlen;
+               dlen -= currentlen;
+               datalinelen += currentlen;
+
                ctl_flushpkt(CTL_MORE);
        }
+
        memmove((char *)datapt, dp, (unsigned)dlen);
        datapt += dlen;
        datalinelen += dlen;

Modified: releng/10.0/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/10.0/contrib/ntp/ntpd/ntp_crypto.c   Tue Dec 23 22:54:25 2014        
(r276157)
+++ releng/10.0/contrib/ntp/ntpd/ntp_crypto.c   Tue Dec 23 22:55:14 2014        
(r276158)
@@ -864,12 +864,24 @@ crypto_recv(
                         * errors.
                         */
                        if (vallen == (u_int) EVP_PKEY_size(host_pkey)) {
-                               RSA_private_decrypt(vallen,
+                               u_int32 *cookiebuf = malloc(
+                                       RSA_size(host_pkey->pkey.rsa));
+                               if (cookiebuf == NULL) {
+                                       rval = XEVNT_CKY;
+                                       break;
+                               }
+                               if (RSA_private_decrypt(vallen,
                                    (u_char *)ep->pkt,
-                                   (u_char *)&temp32,
+                                   (u_char *)cookiebuf,
                                    host_pkey->pkey.rsa,
-                                   RSA_PKCS1_OAEP_PADDING);
-                               cookie = ntohl(temp32);
+                                   RSA_PKCS1_OAEP_PADDING) != 4) {
+                                       rval = XEVNT_CKY;
+                                       free(cookiebuf);
+                                       break;
+                               } else {
+                                       cookie = ntohl(*cookiebuf);
+                                       free(cookiebuf);
+                               }
                        } else {
                                rval = XEVNT_CKY;
                                break;
@@ -3914,7 +3926,7 @@ crypto_setup(void)
                    rand_file);
                exit (-1);
        }
-       get_systime(&seed);
+       arc4random_buf(&seed, sizeof(l_fp));
        RAND_seed(&seed, sizeof(l_fp));
        RAND_write_file(rand_file);
        OpenSSL_add_all_algorithms();

Modified: releng/10.0/contrib/ntp/ntpd/ntp_proto.c
==============================================================================
--- releng/10.0/contrib/ntp/ntpd/ntp_proto.c    Tue Dec 23 22:54:25 2014        
(r276157)
+++ releng/10.0/contrib/ntp/ntpd/ntp_proto.c    Tue Dec 23 22:55:14 2014        
(r276158)
@@ -649,6 +649,7 @@ receive(
                    has_mac)) {
                        is_authentic = AUTH_ERROR;
                        sys_badauth++;
+                       return;
                } else {
                        is_authentic = AUTH_OK;
                }

Modified: releng/10.0/contrib/ntp/util/ntp-keygen.c
==============================================================================
--- releng/10.0/contrib/ntp/util/ntp-keygen.c   Tue Dec 23 22:54:25 2014        
(r276157)
+++ releng/10.0/contrib/ntp/util/ntp-keygen.c   Tue Dec 23 22:55:14 2014        
(r276158)
@@ -642,7 +642,7 @@ gen_md5(
        for (i = 1; i <= MD5KEYS; i++) {
                for (j = 0; j < 16; j++) {
                        while (1) {
-                               temp = ntp_random() & 0xff;
+                               temp = arc4random() & 0xff;
                                if (temp == '#')
                                        continue;
                                if (temp > 0x20 && temp < 0x7f)
@@ -675,7 +675,7 @@ gen_rsa(
        FILE    *str;
 
        fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
-       rsa = RSA_generate_key(modulus, 3, cb, "RSA");
+       rsa = RSA_generate_key(modulus, 65537, cb, "RSA");
        fprintf(stderr, "\n");
        if (rsa == NULL) {
                fprintf(stderr, "RSA generate keys fails\n%s\n",
@@ -954,7 +954,7 @@ gen_gqpar(
         */
        fprintf(stderr,
            "Generating GQ parameters (%d bits)...\n", modulus);
-       rsa = RSA_generate_key(modulus, 3, cb, "GQ");
+       rsa = RSA_generate_key(modulus, 65537, cb, "GQ");
        fprintf(stderr, "\n");
        if (rsa == NULL) {
                fprintf(stderr, "RSA generate keys fails\n%s\n",

Modified: releng/10.0/sys/conf/newvers.sh
==============================================================================
--- releng/10.0/sys/conf/newvers.sh     Tue Dec 23 22:54:25 2014        
(r276157)
+++ releng/10.0/sys/conf/newvers.sh     Tue Dec 23 22:55:14 2014        
(r276158)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.0"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/10.0/usr.sbin/freebsd-update/freebsd-update.sh
==============================================================================
--- releng/10.0/usr.sbin/freebsd-update/freebsd-update.sh       Tue Dec 23 
22:54:25 2014        (r276157)
+++ releng/10.0/usr.sbin/freebsd-update/freebsd-update.sh       Tue Dec 23 
22:55:14 2014        (r276158)
@@ -1387,6 +1387,7 @@ fetch_filter_metadata () {
        # matter, since we add a leading "/" when we use paths later.
        cut -f 3- -d '|' $1 |
            sed -e 's,/|d|,|d|,' |
+           sed -e 's,/|-|,|-|,' |
            sort -u > $1.tmp
 
        # Figure out which lines to ignore and remove them.
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to