Backport libexpat regression fix from version 2.7.1.
Relevant for OpenBSD are bug fixes #980 #989, other changes #986.
errata/7.5/021_expat.patch
Backport libexpat security fix from version 2.7.0.
Relevant for OpenBSD are security fix #893 #973, other change #885,
and bug fix #839 #841. CVE-2024-8176
this is errata/7.5/019_expat.patch.sig
Don't reply to PING in preauth phase or during KEX
Reported by the Qualys Security Advisory team. ok markus@
Fix cases where error codes were not correctly set
Reported by the Qualys Security Advisory team. ok markus@
from djm@
this is errata/7.5/017_ssh.patch.sig
Fix pf fragment hole count.
Fragment reassembly finishes when no holes are left in the fragment
queue. In certain overlap conditions, the hole counter was wrong
and pf(4) created an incomplete IP packet. Before adjusting the
length, remove the overlapping fragment from the queue and insert
it again afterwards. pf_frent_remove() and pf_frent_insert() adjust
the hole counter automatically.
bug reported and fix tested by Lucas Aubard with Johan Mazel, Gilles
Guette and Pierre Chifflier; OK claudio@
this is errata/7.5/016_pffrag.patch
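The invariant the fix above restores, as an added example that is not pf(4)'s code: a minimal fragment queue that tracks byte ranges only (no mbufs, no packet data) and keeps its hole counter incrementally. The counter is touched by exactly two routines, the remove and the link step, so overlap handling (cut the new piece's head against data already queued; remove, shrink and relink later pieces whose head the new one covers) never adjusts it by hand. All names here (struct fragq, frag_add, frag_selftest, ...) are hypothetical, and the self-test replays a constructed overlap sequence, comparing the running count with a recount from scratch after every step.

```c
/* Added example, not pf(4) code: a fragment queue that keeps its hole counter
 * incrementally.  q->holes is the number of gaps between offset 0 and the end
 * of the packet; reassembly is done when it is 0 and the last fragment (the one
 * without MF) has been seen.  Only frag_remove() and frag_link() touch the
 * counter, so overlaps are handled by removing, shrinking and relinking pieces
 * through them.  Names are hypothetical; only byte ranges are tracked. */
#include <stdint.h>
#include <stdlib.h>

struct frag { uint32_t off, len; struct frag *next; };	/* piece [off, off+len) */
struct fragq { struct frag *head; uint32_t total; int have_last, holes; };

/* 1 if the bytes from 'end' to the next piece (or the packet end) are missing */
static int
gap_after(const struct fragq *q, uint32_t end, const struct frag *next)
{
	return next != NULL ? end < next->off : (q->have_last && end < q->total);
}

/* Unlink f, accounting for the hole it leaves behind. */
static void
frag_remove(struct fragq *q, struct frag *f)
{
	struct frag **pp = &q->head, *prev = NULL;
	uint32_t prev_end;

	while (*pp != f) pp = &(prev = *pp)->next;
	prev_end = prev != NULL ? prev->off + prev->len : 0;
	q->holes -= gap_after(q, prev_end, f) + gap_after(q, f->off + f->len, f->next);
	*pp = f->next;
	q->holes += gap_after(q, prev_end, f->next);
}

/* Link f.  Queued data wins over f's head; f wins over the head of later pieces,
 * which are removed, shrunk (or dropped) and relinked, so the counter needs no
 * manual fixup.  Returns -1 and frees f if nothing in it was new. */
static int
frag_link(struct fragq *q, struct frag *f)
{
	struct frag *prev = NULL, *next, *after;
	uint32_t prev_end, f_end, cut;

	for (next = q->head; next != NULL && next->off < f->off; next = next->next)
		prev = next;
	prev_end = prev != NULL ? prev->off + prev->len : 0;
	if (prev_end > f->off) {
		if ((cut = prev_end - f->off) >= f->len) { free(f); return -1; }
		f->off += cut; f->len -= cut;
	}
	f_end = f->off + f->len;
	while ((after = next) != NULL && after->off < f_end) {
		next = after->next;
		cut = f_end - after->off;
		frag_remove(q, after);
		if (cut >= after->len) { free(after); continue; }
		after->off += cut; after->len -= cut;
		frag_link(q, after);
	}
	next = prev != NULL ? prev->next : q->head;	/* successor may have changed */
	q->holes += gap_after(q, prev_end, f) + gap_after(q, f_end, next) -
	    gap_after(q, prev_end, next);
	f->next = next;
	*(prev != NULL ? &prev->next : &q->head) = f;
	return 0;
}

/* Queue fragment [off, off+len); returns 0, or -1 if it is rejected. */
int
frag_add(struct fragq *q, uint32_t off, uint32_t len, int is_last)
{
	struct frag *f, *t;
	uint32_t end = off + len, tail_end = 0;

	if (len == 0 || end < off) return -1;
	for (t = q->head; t != NULL; t = t->next) tail_end = t->off + t->len;
	if (q->have_last ? (is_last ? end != q->total : end > q->total) :
	    (is_last && tail_end > end))
		return -1;
	if (is_last && !q->have_last) {		/* end now known: tail gap is a hole */
		q->have_last = 1;
		q->total = end;
		q->holes += tail_end < end;
	}
	if ((f = malloc(sizeof(*f))) == NULL) return -1;
	f->off = off; f->len = len; f->next = NULL;
	return frag_link(q, f);
}

/* Replays a constructed overlap sequence, cross-checking the running counter
 * against a recount after each step.  Returns 0, or the first step that differs. */
int
frag_selftest(void)
{
	static const struct { uint32_t off, len; int last, holes; } step[4] = {
	    { 100, 100, 0, 1 }, { 300, 100, 1, 2 }, { 0, 150, 0, 1 }, { 150, 200, 0, 0 } };
	struct fragq q = { NULL, 0, 0, 0 };
	struct frag *f;
	uint32_t end;
	int i, n;

	for (i = 0; i < 4; i++) {
		if (frag_add(&q, step[i].off, step[i].len, step[i].last) != 0) return i + 1;
		for (f = q.head, end = 0, n = 0; f != NULL; end = f->off + f->len, f = f->next)
			n += end < f->off;
		if (q.holes != step[i].holes || n + (q.have_last && end < q.total) != q.holes)
			return i + 1;
	}
	while ((f = q.head) != NULL) { q.head = f->next; free(f); }
	return 0;
}
```

frag_selftest() returning 0 means the incremental count agreed with the recount after every step. Its last step is the interesting one: the new fragment swallows one queued piece and cuts into the head of the last one, and the queue only reports completion because the remove/shrink/relink sequence left the counter right; a counter that drifted there is exactly what lets a reassembler hand up a packet with bytes still missing.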
Rewrite mbuf handling in wg(4).
. Use m_align() to ensure that mbufs are packed towards the end so that
additional headers don't require costly m_prepends.
. Stop using m_copyback(), the way it was used there was actually wrong,
instead just use memcpy since this is just a single mbuf.
. Kill all usage of m_calchdrlen(), again this is not needed or can simply
be m->m_pkthdr.len = m->m_len since all this code uses a single buffer.
. In wg_encap() remove the min() with t->t_mtu when calculating plaintext_len
and out_len. The code does not correctly cope with this min() at all with
severe consequences.
Initial diff by dhill@ who found the m_prepend() issue.
Tested by various people.
from claudio@; OK dhill@ mvs@ bluhm@ sthen@
this is errata/7.5/015_wg.patch.sig
OpenBSD/src fA0UNre — lib/libexpat Changes, lib/libexpat/examples element_declarations.c
Backport libexpat security fixes from version 2.6.4.
Relevant for OpenBSD are security fix #915 and other change #914.
No library bump is necessary as existing error code has been reused.
CVE-2024-50602
OK tb@
this is errata/7.5/014_expat.patch.sig
Set AP power state. Fixes the SMC initialization on (at least) the M1
MacBook with the latest system firmware.
from kettenis@; ok patrick@, jsg@
this is errata/7.5/013_aplsmc.patch.sig
OpenBSD/src bb7Rzro — sbin/unwind/libunbound/util/data msgencode.c, usr.sbin/unbound/util/data msgencode.c
Fix unbound CVE-2024-8508, put a limit on resources used for handling
DNS compression. OK florian
from unbound 1.21.1.
apply the CVE-2024-8508 fix from unbound (put a limit on resources used
for handling DNS compression). OK florian
from @sthen
this is errata/7.5/011_unbound.patch.sig
Invalid pintables in ELF binaries can crash the kernel.
from deraadt@; Fix from yufeng.gao at uq.edu.au
this is errata/7.5/010_elf.patch.sig
Ensure that file names passed back by readdir do not include a '/'
character. The '/' char is the path separator and is not allowed in
any filename.
NFS specific report by Apple Security Engineering and Architecture (SEAR).
Input from guenther@ and millert@
from claudio@; OK beck@ miod@
msdos already transforms for Windows long names a '/' char into '?'.
Do the same for the 8.3 case as well.
This is not ideal since now it is possible that two files in the same
directory have the same name but the msdos code already does a lot of
this and so the problem already exists.
from claudio@; OK beck@ miod@
Do a basic sanity check that dirents returned via fuse are kind of sane.
[9 lines not shown]
After calling m_freem() on nmi_mrep (or nmi_mreq) set the pointer to NULL.
Only do this if struct nfsm_info doesn't have local scope.
In some cases the caller would perform another m_freem and double free
the mbuf and Bad Things(TM) would happen.
from claudio@; Reported by Claes M Nyberg on bugs@; with & ok miod@
nfsm_srvnamesiz() may set up an NFSERR_NAMETOL error, which nfsm_reply() would
consider as not tragic enough to abort the operation, in order to batch error
replies.
This would end up invoking nfs_namei() using the length obtained from
the NFS request, and Bad Things(TM) would happen if this value is larger
than MAXPATHLEN.
from miod@; Reported by Claes M Nyberg on bugs@; tweaks & ok claudio@
this is errata/7.5/008_nfs.patch.sig
Backport libexpat security fixes from version 2.6.3.
Relevant for OpenBSD are security fixes #887 #890 #888 #891 #889
#892. No library bump necessary.
CVE-2024-45490 CVE-2024-45491 CVE-2024-45492
OK tb@
errata/7.5/007_expat.patch
Fix CVE-2024-43688, buffer underflow for very large step values
In get_number(), reject values that are so large that they are
interpreted as negative numbers. In set_range(), step values smaller
than one or larger than the "stop" value are ignored. This prevents
bit_nset() from being called with out-of-range values.
from millert@; Bug found by Dave G. of Supernetworks.
this is errata/7.5/006_cron.patch.sig
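The two checks the message describes, as an added example rather than cron(8)'s own code: a small crontab-style field parser in which get_number() rejects values that would wrap to a negative int and set_range() ignores a step below 1 or above the stop value, so the bit set is never indexed out of range. Only the two function names come from the message; field_bits(), the 64-bit set standing in for cron's bitstring, and the sample fields are assumptions.

```c
/* Added example, not cron(8) code: a crontab-style field parser with the two
 * checks the fix describes.  get_number() refuses values that would not fit in
 * an int (the wrap that made them negative); set_range() ignores a step below
 * 1 or above the stop value, so the bit set is never indexed out of range.
 * Names are hypothetical and a 64-bit set stands in for cron's bitstring. */
#include <ctype.h>
#include <limits.h>
#include <stdint.h>

/* Parse a decimal number at *pp within [low, high]; advances *pp on success,
 * returns -1 on no digits, int overflow, or an out-of-range value. */
static int
get_number(const char **pp, int low, int high)
{
	const char *p = *pp;
	int val = 0, d;

	if (!isdigit((unsigned char)*p))
		return -1;
	for (; isdigit((unsigned char)*p); p++) {
		d = *p - '0';
		if (val > (INT_MAX - d) / 10)	/* val * 10 + d would wrap negative */
			return -1;
		val = val * 10 + d;
	}
	if (val < low || val > high)
		return -1;
	*pp = p;
	return val;
}

/* Set bits start, start+step, ... <= stop in a set covering [low, high].
 * A step below 1 or above stop is ignored: nothing is set and -1 returned. */
static int
set_range(uint64_t *bits, int low, int high, int start, int stop, int step)
{
	int i;

	if (start < low || stop > high || start > stop)
		return -1;
	if (step < 1 || step > stop)
		return -1;
	for (i = start; i <= stop; i += step)
		*bits |= (uint64_t)1 << (i - low);
	return 0;
}

/* Parse one field ("*", "n", "a-b", optionally followed by "/step") for a
 * range of at most 64 values.  Returns the bit set, or 0 if the field is invalid. */
uint64_t
field_bits(const char *s, int low, int high)
{
	uint64_t bits = 0;
	int start, stop, step = 1;

	if (high - low >= 64)
		return 0;
	if (*s == '*') {
		start = low;
		stop = high;
		s++;
	} else {
		if ((start = get_number(&s, low, high)) < 0)
			return 0;
		stop = start;
		if (*s == '-') {
			s++;
			if ((stop = get_number(&s, low, high)) < 0)
				return 0;
		}
	}
	if (*s == '/') {
		s++;	/* step is range-checked by set_range(), overflow by get_number() */
		if ((step = get_number(&s, 0, INT_MAX)) < 0)
			return 0;
	}
	if (*s != '\0' || set_range(&bits, low, high, start, stop, step) < 0)
		return 0;
	return bits;
}
```

With a minutes field (low 0, high 59), "*/15" yields bits 0, 15, 30 and 45, while "0-59/99999999999999999999" is refused in get_number() before any bit is touched; without the overflow check that step would have wrapped negative and driven the loop in set_range() outside the set, which is the path the message describes.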
sndiod: Fix insufficient check of input from clients
Fixes possible sndiod(8) crashes caused by a global table overread
triggered by the client.
Found and analysed by Henry Ford <henryfordkjv at gmail.com>, thanks!
from ratchov@; OK bluhm@, help from millert@, mlarkin@
this is errata/7.5/005_sndiod.patch.sig
When filling prefixes with pt_writebuf() keep 2 bytes reserved in the
withdraw case. Those bytes are needed for the attribute length field.
Without this withdraw messages can become overfull and are dropped
without notice.
Problem found and fix tested by denis@
from claudio@; OK denis@ tb@
this is errata/7.5/004_bgpd.patch.sig
A missing bounds check could lead to a crash due to dereferencing a zero-sized
allocation.
this is errata/7.5/003_libcrypto.patch.sig
OpenBSD 7.5 Errata 002:
Install media for alpha architecture was broken due to strip(1) bug.
ok deraadt@
7.5-stable