OpenBSD src changes summary for 2015-10-14
==========================================

bin/pax distrib/sets etc/newsyslog.conf games/banner games/bcd games/caesar
games/factor games/morse games/number games/pig games/pom games/ppt games/rain
games/random lib/libc lib/libcrypto lib/libssl libexec/ld.so
libexec/login_passwd libexec/login_reject regress/sbin regress/sys
sbin/fsck_ext2fs sbin/fsck_ffs sbin/fsck_msdos sbin/newfs_ext2fs sbin/ping6
sys/kern sys/net sys/netinet sys/sys usr.bin/make usr.bin/sort usr.sbin/arp
usr.sbin/eigrpctl usr.sbin/httpd usr.sbin/installboot usr.sbin/portmap
usr.sbin/relayd usr.sbin/smtpd usr.sbin/snmpd usr.sbin/tcpdump

== bin =============================================================== 01/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/bin

pax
    ~ ar_io.c
    > Use a strict $PATH of "/usr/bin:/usr/local/bin" to run the (de)compressors
    > (gzip, compress, bzip2) rather than following the user's path.  This
    > seems easier than hardcoding the paths elsewhere and using basename().
    > pax/tar is pledged itself, but it can spawn one of these programs if
    > asked.  The three found at the strict path use pledge "stdio" very early
    > during startup, providing a warm fuzzy pledge->exec->no-pledge->pledge
    > interlock.  For bzip2, this assumes use of the ports/packages version
    > installed to /usr/local/bin, which has been pledged by sthen@.
    > Doing a 'tar tvfz hostile.tgz' becomes a bit safer, since an attacker
    > finding a buffer overflow or use after free has significantly fewer
    > system calls available (only pledge "stdio" in the decompressor).
    > ok millert sthen
    (deraadt@)

== distrib =========================================================== 02/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib

sets
    ~ lists/comp/mi
    > sync
    (deraadt@)
    ~ lists/base/md.landisk
    > sync
    (deraadt@)

== etc =============================================================== 03/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc

newsyslog.conf
    ~ newsyslog.conf
    > Allow group wheel to read the mail log.
    > OK gilles@ sthen@
    (millert@)

== games ============================================================= 04/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/games

banner
    ~ banner.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
bcd
    ~ bcd.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
caesar
    ~ caesar.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
factor
    ~ factor.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
morse
    ~ morse.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
number
    ~ number.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
pig
    ~ pig.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
pom
    ~ pom.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
ppt
    ~ ppt.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)
rain
    ~ rain.c
    > enable pledge(2) in rain(6)
    > it is a libcurses program: at init it needs "stdio rpath getpw tty", and
    > after drop to just "stdio tty". "tty" is needed at end for restoring the tty.
    > initial patch from doug@
    > ok doug@ deraadt@
    (semarie@)
random
    ~ random.c
    > Pledge "stdio" for simple games.
    > ok semarie@
    (doug@)

== lib =============================================================== 05/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib

libc
    ~ sys/pledge.2
    > Document flock request
    (millert@)
libcrypto
    ~ man/Makefile
    + man/EVP_AEAD_CTX_init.3
    > Add EVP_AEAD_CTX_init(3) manpage to document the new(ish) AEAD API.
    > The "authenticated encryption with additional data" API is used for
    > ciphers like AES-GCM or ChaCha20-Poly1305.  The manpage is a beginning
    > and certainly needs more work, especially improvements in the EXAMPLES
    > section.
    > Based on agl's source code comments.
    > Converted from pod to mandoc by schwarze@
    > OK schwarze@ jsing@
    (reyk@)
    ~ man/EVP_AEAD_CTX_init.3
    > tweak previous (two details i apparently missed)
    (schwarze@)
libssl
    ~ src/doc/crypto/evp.pod
    > Add EVP_AEAD_CTX_init(3) manpage to document the new(ish) AEAD API.
    > The "authenticated encryption with additional data" API is used for
    > ciphers like AES-GCM or ChaCha20-Poly1305.  The manpage is a beginning
    > and certainly needs more work, especially improvements in the EXAMPLES
    > section.
    > Based on agl's source code comments.
    > Converted from pod to mandoc by schwarze@
    > OK schwarze@ jsing@
    (reyk@)
    ~ src/crypto/objects/obj_dat.c
    > Ensure we don't write a 0 byte past end of the buffer in the error case.
    > ok bcook@ deraadt@
    (beck@)
    ~ src/crypto/objects/obj_dat.c
    > fix a memory leak reported by Qualys Security.
    > move the bndec variable in tighter since it's not used elsewhere in the
    > loop, then always free it after use.
    > ok bcook miod
    (tedu@)
    ~ src/crypto/objects/obj_dat.c
    > Bail out early if we have no buf_len
    > ok miod@
    (beck@)
    ~ src/crypto/objects/obj_dat.c
    > better fix for overrun reported by Qualys Security.
    > buf is at all times kept nul terminated, so there is no need to enforce
    > this again upon exit. (no need to move buf around after we exhaust space.)
    > ok beck miod
    (tedu@)

== libexec =========================================================== 06/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec

ld.so
    - ldconfig/dl_prebind.c
    ~ dl_prebind.c
    ~ ldconfig/prebind.c
    > Check mmap and read return values.  While at it, remove unused duplicated
    > file.
    > ok millert@
    (tobias@)
login_passwd
    ~ login_passwd.c
    > pledge "stdio rpath" is good enough for these mainline BSD auth login
    > programs.
    > (I am very surprised pledge ended up working for programs like this)
    > ok semarie millert
    (deraadt@)
login_reject
    ~ login_reject.c
    > pledge "stdio rpath" is good enough for these mainline BSD auth login
    > programs.
    > (I am very surprised pledge ended up working for programs like this)
    > ok semarie millert
    (deraadt@)

== regress =========================================================== 07/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/regress

sbin
    ~ newfs/checknewfs
    > unbreak regress/sbin/newfs
    > /dev/prandom is no more since Nov 30, 2008
    > OK otto@
    (semarie@)
sys
    + netinet6/autoport/Makefile
    + netinet6/autoport/autoport.pl
    > add regress tests for automatic port allocation
    (vgross@)
    ~ Makefile
    + netinet/Makefile
    + netinet/autoport/Makefile
    > add regress tests for automatic port allocation.
    > - enable ipv4
    > - leave ipv6 disabled
    (vgross@)
    ~ netinet/autoport/Makefile
    > bugfix: use ${.CURDIR} to cope with obj symlinks
    (vgross@)
    ~ netinet6/autoport/Makefile
    > bugfix: add ${.CURDIR} to deal with obj symlinks
    (vgross@)

== sbin ============================================================== 08/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin

fsck_ext2fs
    ~ fsck_ext2fs.8
    ~ main.c
    > Only accept one filesystem/device as argument for checking.  Few people
    > will be calling these directly, and not for the multiple filesystem case.
    > fsck(8) is generally the parent and will handle things.
    > ok semarie; this change will also help a goal jsing has
    (deraadt@)
    ~ setup.c
    > Since the fsck_* programs now only handle one filesystem, this creates
    > a point where open() and disklabel reading have completed.  After that
    > point, pledge "stdio".
    > As a result, an fsck of a hostile partition (no one ever does that, or
    > do they? :) is done by a program with SUBSTANTIALLY less system call
    > exposure.
    > ok semarie
    (deraadt@)
fsck_ffs
    ~ fsck_ffs.8
    ~ main.c
    > Only accept one filesystem/device as argument for checking.  Few people
    > will be calling these directly, and not for the multiple filesystem case.
    > fsck(8) is generally the parent and will handle things.
    > ok semarie; this change will also help a goal jsing has
    (deraadt@)
    ~ setup.c
    > Since the fsck_* programs now only handle one filesystem, this creates
    > a point where open() and disklabel reading have completed.  After that
    > point, pledge "stdio".
    > As a result, an fsck of a hostile partition (no one ever does that, or
    > do they? :) is done by a program with SUBSTANTIALLY less system call
    > exposure.
    > ok semarie
    (deraadt@)
fsck_msdos
    ~ fsck_msdos.8
    ~ main.c
    > Only accept one filesystem/device as argument for checking.  Few people
    > will be calling these directly, and not for the multiple filesystem case.
    > fsck(8) is generally the parent and will handle things.
    > ok semarie; this change will also help a goal jsing has
    (deraadt@)
    ~ check.c
    > Since the fsck_* programs now only handle one filesystem, this creates
    > a point where open() and disklabel reading have completed.  After that
    > point, pledge "stdio".
    > As a result, an fsck of a hostile partition (no one ever does that, or
    > do they? :) is done by a program with SUBSTANTIALLY less system call
    > exposure.
    > ok semarie
    (deraadt@)
newfs_ext2fs
    ~ newfs_ext2fs.c
    > unfortunately rewritelabel() just before termination does a non-permitted
    > ioctl to rewrite the label, in support of the old-school "frag info in
    > the disklabel" concept.  disklabel folk, please come talk to me...
    (deraadt@)
ping6
    ~ ping6.c
    ~ ping6.8
    > To specify a source address ping uses -I while ping6 uses -S.  Switch
    > ping6 -I to the ping-alike semantics.
    > sthen@ thinks this is OK
    (florian@)

== sys =============================================================== 09/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys

kern
    ~ kern_pledge.c
    > sendmsg() is allowed to pass cmsg's which are not CMSG_RIGHTS - last
    > refactoring inverted the checks; spotted by sthen in ping6.
    (deraadt@)
    ~ kern_pledge.c
    > pledge "tty" can allow ioctl TIOCEXCL on a tty
    (deraadt@)
    ~ kern_pledge.c
    ~ vfs_syscalls.c
    > When pledged with "fattr", allow chown to supplementary groups.  This
    > came out of a discussion regarding "sort foo -o foo".
    > ok semarie
    (deraadt@)
    ~ kern_event.c TAGGED OPENBSD_5_8
    > MFC: Always set the timeout at least one tick in the future for
    > EVFILT_TIMER to avoid looping in softclock()
    (sthen@)
    ~ kern_event.c TAGGED OPENBSD_5_7
    > MFC: Always set the timeout at least one tick in the future for
    > EVFILT_TIMER to avoid looping in softclock()
    (sthen@)
    ~ kern_event.c TAGGED OPENBSD_5_6
    > MFC: Always set the timeout at least one tick in the future for
    > EVFILT_TIMER to avoid looping in softclock()
    (sthen@)
    ~ kern_pledge.c TAGGED OPENBSD_5_6
    > Add a dummy "flock" request that will allow file locking.  It is
    > not currently enforced but we want the kernel to be able to parse
    > it for an upcoming diff in the next few days.
    (millert@)
    ~ kern_pledge.c TAGGED OPENBSD_5_6
    > FALTHROUGH->FALLTHROUGH in comment, ok deraadt a few days ago
    (sthen@)
net
    ~ art.c
    ~ art.h
    ~ route.c
    ~ rtable.c
    > Rewrite the logic around the dynamic array of routing tables to help
    > turning rtable_get(9) MP-safe.
    > Use only one per-AF array, as suggested by claudio@, pointing to an
    > array of pointers to the routing table heads.
    > Routing tables are now allocated/initialized per-AF.  This will let
    > us allocate routing table on-demand instead of always having an
    > AF_INET, AF_MPLS and AF_INET table as soon as a new rtableID is used.
    > This also gets rid of the "void ***" madness.
    > ok dlg@, jmatthew@
    (mpi@)
    ~ route.c
    > Reset the RTF_CONNECTED flag when cloning an entry.
    > While here check for RTF_CLONED instead of RTM_RESOLVE when adding an
    > entry.
    > Found while debugging naddy@'s NFS vs em(4) vs rtisvalid(9) issue.
    (mpi@)
netinet
    ~ ip_carp.c
    > Init a variable in the recently added carp_vhe_match() function clang
    > and mpi believe could be used uninitialised.
    > ok mpi@
    (jsg@)
sys
    ~ pledge.h
    > When pledged with "fattr", allow chown to supplementary groups.  This
    > came out of a discussion regarding "sort foo -o foo".
    > ok semarie
    (deraadt@)

== usr.bin =========================================================== 10/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin

make
    ~ Makefile
    ~ defines.h
    ~ lst.h
    ~ main.c
    ~ lst.lib/lstFindFrom.c
    > make sure we use stdbool.h
    > Mostly diff by Daniel Dickman, who told me to commit in his stead,
    > as he's tied up at work.
    (espie@)
    ~ lst.h
    ~ lst.lib/lst.h
    ~ lst.lib/lstForEachFrom.c
    > gc lst_ForEachNodeWhile, which isn't actually in use anywhere
    (espie@)
sort
    ~ sort.c
    > Copy permissions AND ownership when -o will override an input file.
    > with input by and ok deraadt@, millert@, tim@
    (tobias@)

== usr.sbin ========================================================== 11/11 ==
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin

arp
    ~ arp.c
    > I messed up reading the call graph.  -d delete does use search, so a
    > late pledge is not possible in this way.
    (deraadt@)
eigrpctl
    ~ parser.c
    > Don't use the NONE enum value where NULL was intended.  Found with clang.
    > ok renato@
    (jsg@)
httpd
    ~ httpd.c
    > Two more char -> unsigned char in ctype functions.
    (reyk@)
installboot
    ~ installboot.c
    ~ installboot.h
    ~ util.c
    > Backout last.  Breaks sparc64, among other dubiousness.
    > requested by deraadt@
    (krw@)
    ~ i386_installboot.c
    ~ installboot.h
    > add includes for crc32() and uuid_dec_be() missed in rev 1.11
    > ok krw@
    (jsg@)
    ~ stubs.c
    > worse, need even more includes...
    (deraadt@)
portmap
    ~ portmap.c
    > include err.h for the err() calls added in rev 1.46
    (jsg@)
relayd
    ~ relayd.c
    > More (unsigned char) casts for ctype functions.
    > Pointed out by Michael McConville
    (reyk@)
smtpd
    ~ smtpd.c
    > Convert fgetln to getline.
    > Ok millert@ eric@ gilles@
    (sunil@)
    ~ lka.c
    ~ pony.c
    > pledge() pony and lookup
    > ok deraadt@
    (gilles@)
    ~ smtpd.c
    > pledge() privileged process
    > ok deraadt@
    (gilles@)
    ~ config.c
    > whitespace
    (gilles@)
    ~ enqueue.c
    > whitespace
    (gilles@)
    ~ envelope.c
    > we dump esc_code if we have an esc_class, code may be (and actually was)
    > confused as a pasto, so add a comment to make it clear that this is not
    > an error
    (gilles@)
    ~ esc.c
    ~ smtpd-api.h
    > fix define and enhanced status code reason for 5.5.0
    (gilles@)
    ~ forward.c
    > whitespace
    (gilles@)
    ~ ca.c
    > remove a handful of log_warn that we should handle at a different place to
    > make them really useful
    (gilles@)
    ~ mproc.c
    > whitespace + only log TRACE_MPROC if not IMSG_STAT_{IN,DE}CREMENT
    (gilles@)
    ~ mproc.c
    > imsg_read() may return EAGAIN, handle it in mproc_dispatch()
    (gilles@)
    ~ queue_api.c
    > SMTPD_MAXPATHLEN -> PATH_MAX, this was unnoticed as file is not linked
    (gilles@)
    ~ to.c
    ~ queue.c
    ~ mta_session.c
    ~ mta.c
    ~ lka.c
    ~ ioev.c
    ~ filter_api.c
    ~ enqueue.c
    ~ delivery_lmtp.c
    > whitespaces
    (gilles@)
    ~ smtpd.h
    > smtpd in tree is neither 5.4.4 nor 5.4.5 any longer, bump SMTPD_VERSION
    (gilles@)
snmpd
    ~ proc.c
    > sync with httpd - no functional change, just C99 types
    (reyk@)
tcpdump
    ~ Makefile
    ~ setsignal.c
    ~ setsignal.h
    ~ tcpdump.c
    > Remove conditional compilation and #defines around signal handling
    > Don't catch signals that were ignored on entry
    > Suppress SIGCHLD if our kid is stopped: we don't care and it's not an error
    > ok millert@
    (guenther@)

===============================================================================
_______________________________________________
odc mailing list
[email protected]
http://www.squish.net/mailman/listinfo/odc
