Fix patch(1) shell injection vulnerability via ed(1). [SA-15:18]

Fix routed remote denial of service vulnerability. [SA-15:19] Approved by: so
2026-06-09 08:43:19 -04:00 · 2015-08-05 22:05:18 +00:00 · 2015-08-05 22:05:18 +00:00 · 401f5ab320
commit 401f5ab320
parent 17909a47b2
5 changed files with 31 additions and 5 deletions
--- a/8
+++ b/8
@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.

+20150805:	p17	FreeBSD-SA-15:18.bsdpatch
+			FreeBSD-SA-15:19.routed
+
+	Fix patch(1) shell injection vulnerability via ed(1).
+	[SA-15:18]
+
+	Fix routed remote denial of service vulnerability. [SA-15:19]
+
 20150728:	p16	FreeBSD-SA-15:14.bsdpatch
 			FreeBSD-SA-15:15.tcp
 			FreeBSD-SA-15:16.openssh
--- a/sbin/routed/input.c
+++ b/sbin/routed/input.c
@ -160,6 +160,12 @@ input(struct sockaddr_in *from,		/* received from this IP address */

 	trace_rip("Recv", "from", from, sifp, rip, cc);

+	if (sifp == 0) {
+		trace_pkt("    discard a request from an indirect router"
+		    " (possibly an attack)");
+		return;
+	}
+
 	if (rip->rip_vers == 0) {
 		msglim(&bad_router, FROM_NADDR,
 		       "RIP version 0, cmd %d, packet received from %s",
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@ -32,7 +32,7 @@

 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p16"
+BRANCH="RELEASE-p17"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
--- a/usr.bin/patch/pathnames.h
+++ b/usr.bin/patch/pathnames.h
@ -9,4 +9,4 @@

 #include <paths.h>

-#define	_PATH_ED		"/bin/ed"
+#define	_PATH_RED		"/bin/red"
--- a/usr.bin/patch/pch.c
+++ b/usr.bin/patch/pch.c
@ -1,4 +1,3 @@
-
 /*-
 * Copyright 1986, Larry Wall
 * 
@ -1400,13 +1399,14 @@ do_ed_script(void)
 	char	*t;
 	long	beginning_of_this_line;
 	FILE	*pipefp = NULL;
+	int	continuation;

 	if (!skip_rest_of_patch) {
 		if (copy_file(filearg[0], TMPOUTNAME) < 0) {
 			unlink(TMPOUTNAME);
 			fatal("can't create temp file %s", TMPOUTNAME);
 		}
-		snprintf(buf, buf_size, "%s%s%s", _PATH_ED,
+		snprintf(buf, buf_size, "%s%s%s", _PATH_RED,
 		    verbose ? " " : " -s ", TMPOUTNAME);
 		pipefp = popen(buf, "w");
 	}
@ -1424,7 +1424,19 @@ do_ed_script(void)
 		    *t == 'd' || *t == 'i' || *t == 's')) {
 			if (pipefp != NULL)
 				fputs(buf, pipefp);
-			if (*t != 'd') {
+			if (*t == 's') {
+				for (;;) {
+					continuation = 0;
+					t = strchr(buf, '\0') - 1;
+					while (--t >= buf && *t == '\\')
+						continuation = !continuation;
+					if (!continuation ||
+					    pgets(true) == 0)
+						break;
+					if (pipefp != NULL)
+						fputs(buf, pipefp);
+				}
+			} else if (*t != 'd') {
 				while (pgets(true)) {
 					p_input_line++;
 					if (pipefp != NULL)