Fix bspatch heap overflow vulnerability. [SA-16:25]

Fix freebsd-update(8) support of FreeBSD 11.0 release distribution. [EN-16:09] Approved by: so (cherry picked from commit 3a6620f8b6)
2026-06-09 08:43:19 -04:00 · 2016-07-25 15:04:17 +00:00 · 2016-07-25 15:04:17 +00:00 · 3797e5699d
commit 3797e5699d
parent 0fe488774c
4 changed files with 14 additions and 2 deletions
--- a/8
+++ b/8
@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.

+20160725	p6	FreeBSD-SA-16:25.bspatch
+			FreeBSD-EN-16:09.freebsd-update
+
+	Fix bspatch heap overflow vulnerability. [SA-16:25]
+
+	Fix freebsd-update(8) support of FreeBSD 11.0 release
+	distribution. [EN-16:09]
+
 20160604	p5	FreeBSD-SA-16:24.ntp

 	Fix multiple vulnerabilities of ntp.
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@ -32,7 +32,7 @@

 TYPE="FreeBSD"
 REVISION="10.3"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
--- a/usr.bin/bsdiff/bspatch/bspatch.c
+++ b/usr.bin/bsdiff/bspatch/bspatch.c
@ -154,6 +154,10 @@ int main(int argc,char * argv[])
 			ctrl[i]=offtin(buf);
 		};

+		/* Sanity-check */
+		if ((ctrl[0] < 0) || (ctrl[1] < 0))
+			errx(1,"Corrupt patch\n");
+
 		/* Sanity-check */
 		if(newpos+ctrl[0]>newsize)
 			errx(1,"Corrupt patch\n");
--- a/usr.sbin/freebsd-update/freebsd-update.sh
+++ b/usr.sbin/freebsd-update/freebsd-update.sh
@ -1250,7 +1250,7 @@ fetch_metadata_sanity () {

 	# Check that the first four fields make sense.
 	if gunzip -c < files/$1.gz |
-	    grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then
+	    grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then
 		fetch_metadata_bogus ""
 		return 1
 	fi