CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 21:24:54

Modified files:
    sys/net: if_vlan.c

Log message:
whitespace tweak. no functional change.
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  j...@cvs.openbsd.org  2021/06/08 20:56:45

Modified files:
    sys/dev/pci/drm/amd/amdgpu: amdgpu_ttm.c

Log message:
don't fatally error on failing to map visible VRAM

Mapping VRAM here is an optimisation only attempted on 64 bit archs, there is a fallback path if it fails.

Reported and fix tested by Jerome Kasper on RX 5500 XT (Navi 14) who mentioned the mapping error did not occur with 6.9-stable.
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 17:18:43

Modified files:
    sys/arch/amd64/amd64: vmm.c

Log message:
cleanup printf pattern to remove double 0x when printing pointer

mlarkin: "sure"
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 16:30:27

Modified files:
    regress/usr.bin/ssh: cert-hostkey.sh

Log message:
test that UserKnownHostsFile correctly accepts multiple arguments; would have caught readconf.c r1.356 regression
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 16:06:12

Modified files:
    usr.bin/ssh: readconf.c

Log message:
fix regression in r1.356: for ssh_config options that accepted multiple string arguments, ssh was only recording the first. Reported by Lucas via bugs@
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  t...@cvs.openbsd.org  2021/06/08 13:34:44

Modified files:
    lib/libssl: ssl_tlsext.c

Log message:
Simplify tlsext_ecpf_parse()

The default alert in the tlsext parsing code is a decode_error, so there's no need for an error path that only sets that alert.

suggested by/ok jsing
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  t...@cvs.openbsd.org  2021/06/08 12:13:50

Modified files:
    lib/libssl: tls13_client.c

Log message:
Rewrap a comment to avoid an overlong line
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  t...@cvs.openbsd.org  2021/06/08 12:05:47

Modified files:
    lib/libssl: tls13_record_layer.c

Log message:
Ignore the record version for early alerts

On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI.

Part of an issue reported by danj.

ok jsing
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  t...@cvs.openbsd.org  2021/06/08 11:41:52

Modified files:
    lib/libssl: tls13_server.c

Log message:
TLSv1.3 server: avoid sending alerts in legacy records

As soon as we know that we're dealing with a TLSv1.3 client, set the legacy version in the record layer to 0x0303 so that we send alerts with the correct record version. Previously we would send early alerts with a record version of 0x0300.

ok jsing
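The record-version state that the two record-layer commits above describe (the client ignoring the version of an early alert record until the peer's first flight has been seen; the server switching its outgoing legacy version from 0x0300 to 0x0303 as soon as it knows the client speaks TLSv1.3), as an added example written for this page. It is not LibreSSL's record layer: the struct, the function names and the decision to insist on 0x0303 after TLSv1.3 is known are this example's own assumptions (RFC 8446 deprecates the field, so a real implementation may keep ignoring it); the version values and the protocol_version alert number are the standard ones.

```c
#include <stdint.h>

#define TLS_ALERT_PROTOCOL_VERSION 70
#define TLS1_2_VERSION 0x0303   /* legacy_record_version a TLSv1.3 implementation writes */
#define SSL3_VERSION   0x0300   /* what a pre-TLSv1.2 peer may put on an early alert */

/* Minimal record-layer state for the version handling discussed above (assumed names). */
struct rl_state {
    int first_flight_seen;    /* has the peer's first flight been processed? */
    int tls13;                /* did that flight show the peer speaks TLSv1.3? */
    uint16_t legacy_version;  /* version written into outgoing record headers */
};

static void rl_init(struct rl_state *rl)
{
    rl->first_flight_seen = 0;
    rl->tls13 = 0;
    rl->legacy_version = SSL3_VERSION;   /* pre-negotiation value: the old early-alert version */
}

/* Server side: call as soon as the first flight identifies a TLSv1.3 client. */
static void rl_peer_is_tls13(struct rl_state *rl)
{
    rl->first_flight_seen = 1;
    rl->tls13 = 1;
    rl->legacy_version = TLS1_2_VERSION;  /* alerts sent from now on carry 0x0303 */
}

/* Version to put in the header of an outgoing record, alerts included. */
static uint16_t rl_outgoing_version(const struct rl_state *rl)
{
    return rl->legacy_version;
}

/* Client side: check an incoming record's version. Returns 0 to accept it,
 * otherwise the alert to send. Before the first flight the peer's protocol
 * is unknown, so the field is ignored and a 0x0300 alert gets processed
 * instead of being answered with protocol_version. Afterwards this example
 * requires 0x0303 from a TLSv1.3 peer (an illustration choice, see lead-in). */
static int rl_check_incoming_version(const struct rl_state *rl, uint16_t version)
{
    if (!rl->first_flight_seen)
        return 0;
    if (rl->tls13 && version != TLS1_2_VERSION)
        return TLS_ALERT_PROTOCOL_VERSION;
    return 0;
}

/* An alert record with version 0x0300 arrives in response to our ClientHello. */
static int demo_early_alert(void)
{
    struct rl_state rl;

    rl_init(&rl);
    return rl_check_incoming_version(&rl, SSL3_VERSION);   /* 0: accepted */
}

/* The same record version once TLSv1.3 has been established is rejected. */
static int demo_late_bad_version(void)
{
    struct rl_state rl;

    rl_init(&rl);
    rl_peer_is_tls13(&rl);
    return rl_check_incoming_version(&rl, SSL3_VERSION);   /* 70: protocol_version */
}

/* Record version the server writes into an alert before (0) and after (1)
 * it has learned that it is talking to a TLSv1.3 client. */
static unsigned demo_alert_version(int after_client_hello)
{
    struct rl_state rl;

    rl_init(&rl);
    if (after_client_hello)
        rl_peer_is_tls13(&rl);
    return rl_outgoing_version(&rl);
}
```

The two `demo_` functions map directly onto the two commits: `demo_early_alert()` is the client case from tls13_record_layer.c, `demo_alert_version(1)` the server case from tls13_server.c.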
CVS: cvs.openbsd.org: www
CVSROOT:     /cvs
Module name: www
Changes by:  bl...@cvs.openbsd.org  2021/06/08 11:30:26

Modified files:
    .: errata68.html errata69.html

Log message:
Release vmd errata.
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  t...@cvs.openbsd.org  2021/06/08 11:22:00

Modified files:
    lib/libssl: ssl_tlsext.c

Log message:
Adjust alert for ECPF without uncompressed point format

According to RFC 8422, we must send an illegal_parameter alert on receiving an ECPF extension that doesn't include the uncompressed format, not a decode_error.

Reported via GitHub issue #675.

ok jsing
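The ec_point_formats check the two ssl_tlsext.c commits above describe (decode_error for a malformed extension body, illegal_parameter for a well-formed list that omits the uncompressed format), as an added example written for this page. It is not LibreSSL's tlsext_ecpf_parse(): the function name and the sample extension bodies are constructed here; the ECPointFormat encoding and the alert numbers are the RFC 8422 / RFC 5246 values.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS alert descriptions (RFC 5246 section 7.2). */
#define TLS_ALERT_ILLEGAL_PARAMETER 47
#define TLS_ALERT_DECODE_ERROR      50

/* ECPointFormat value from RFC 8422 section 5.1.2. */
#define TLS_ECPF_UNCOMPRESSED 0

/*
 * Parse the body of an ec_point_formats extension:
 *     ECPointFormat ec_point_format_list<1..2^8-1>;
 * that is, a one-byte length followed by that many one-byte format values.
 * Returns 0 if the extension is acceptable, otherwise the alert description
 * to send: a malformed encoding is a decode_error (the parser's default),
 * while a well-formed list without uncompressed is an illegal_parameter,
 * as RFC 8422 section 5.1.2 requires.
 */
static int ecpf_parse(const uint8_t *body, size_t len)
{
    size_t list_len, i;

    if (len < 1)
        return TLS_ALERT_DECODE_ERROR;          /* no length byte at all */
    list_len = body[0];
    if (list_len == 0 || list_len != len - 1)
        return TLS_ALERT_DECODE_ERROR;          /* empty list, or trailing/missing bytes */
    for (i = 0; i < list_len; i++)
        if (body[1 + i] == TLS_ECPF_UNCOMPRESSED)
            return 0;
    return TLS_ALERT_ILLEGAL_PARAMETER;         /* list never names uncompressed */
}

/* Constructed sample extension bodies (length byte first). */
static const uint8_t ecpf_sample_ok[]              = { 2, 1, 0 };  /* compressed then uncompressed */
static const uint8_t ecpf_sample_only_compressed[] = { 1, 1 };     /* well-formed, no uncompressed */
static const uint8_t ecpf_sample_truncated[]       = { 3, 0 };     /* claims 3 formats, carries 1 */
static const uint8_t ecpf_sample_empty[]           = { 0 };        /* zero-length list */
```

The order of checks matters for the alert that goes out: length and framing are validated first, so a peer only ever sees illegal_parameter for a list it encoded correctly.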
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  bl...@cvs.openbsd.org  2021/06/08 08:42:24

Modified files:
    usr.sbin/vmd: Tag: OPENBSD_6_8 dhcp.c

Log message:
vmd(8): malicious dhcp packets on local ifs can cause stack overflows

A sufficiently large dhcp packet can cause a stack overflow in vmd's internal dhcp server used for providing ip addresses to local guest interfaces. (This does not affect non-local interfaces.)

The primary changes drop larger packets and change the memory copying logic to use a compile-time constant. The dhcp option processing also gets additional prevention for out of bounds reads.

While here, improve construction of the dhcp response's hostname handling to guard against overflowing the response dhcp options.

Vulnerability reported by Maxime Villard.

ok claudio@

from dv@
this is errata/6.8/025_vmd.patch.sig
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  bl...@cvs.openbsd.org  2021/06/08 08:41:14

Modified files:
    usr.sbin/vmd: Tag: OPENBSD_6_9 dhcp.c

Log message:
vmd(8): malicious dhcp packets on local ifs can cause stack overflows

A sufficiently large dhcp packet can cause a stack overflow in vmd's internal dhcp server used for providing ip addresses to local guest interfaces. (This does not affect non-local interfaces.)

The primary changes drop larger packets and change the memory copying logic to use a compile-time constant. The dhcp option processing also gets additional prevention for out of bounds reads.

While here, improve construction of the dhcp response's hostname handling to guard against overflowing the response dhcp options.

Vulnerability reported by Maxime Villard.

ok claudio@

from dv@
this is errata/6.9/008_vmd.patch.sig
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 08:37:48

Modified files:
    usr.sbin/vmd: dhcp.c

Log message:
vmd(8): malicious dhcp packets on local ifs can cause stack overflows

A sufficiently large dhcp packet can cause a stack overflow in vmd's internal dhcp server used for providing ip addresses to local guest interfaces. (This does not affect non-local interfaces.)

The primary changes drop larger packets and change the memory copying logic to use a compile-time constant. The dhcp option processing also gets additional prevention for out of bounds reads.

While here, improve construction of the dhcp response's hostname handling to guard against overflowing the response dhcp options.

Vulnerability reported by Maxime Villard.

ok claudio@
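The kind of hardening the three vmd(8) dhcp.c commits above describe (drop packets larger than the fixed buffer, bound the copy by a compile-time constant, check every option length against the bytes that actually remain, and cap the hostname that is kept), as an added example written for this page. It is not vmd's dhcp.c and does not reproduce its bug: the limits DHCP_MAX_LEN and DHCP_MAX_HOSTNAME, the function names and the constructed sample packet are this example's own assumptions; the BOOTP layout, magic cookie and option codes are the RFC 2131/2132 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DHCP_FIXED_LEN    236   /* BOOTP header up to the options field */
#define DHCP_COOKIE_LEN   4
#define DHCP_MAX_LEN      576   /* assumption: largest packet this example accepts */
#define DHCP_MAX_HOSTNAME 63    /* assumption: longest hostname kept */
#define DHCP_OPT_PAD      0
#define DHCP_OPT_HOSTNAME 12
#define DHCP_OPT_MSGTYPE  53
#define DHCP_OPT_END      255
#define DHCPDISCOVER      1

static const uint8_t dhcp_cookie[DHCP_COOKIE_LEN] = { 99, 130, 83, 99 };
struct dhcp_req { uint8_t msgtype; char hostname[DHCP_MAX_HOSTNAME + 1]; };

/* Parse a client packet into out: 0 on success, -1 if the packet is dropped.
 * The copy into buf is bounded by buf's compile-time size, and each option
 * length is checked against the bytes that remain before it is used. */
static int dhcp_parse(const uint8_t *pkt, size_t len, struct dhcp_req *out)
{
    uint8_t buf[DHCP_MAX_LEN], code, olen;
    size_t off = DHCP_FIXED_LEN + DHCP_COOKIE_LEN, n;

    memset(out, 0, sizeof(*out));
    if (len < off || len > sizeof(buf))   /* too short, or more than we store */
        return -1;
    memcpy(buf, pkt, len);                /* safe: len <= sizeof(buf) */
    if (memcmp(buf + DHCP_FIXED_LEN, dhcp_cookie, DHCP_COOKIE_LEN) != 0)
        return -1;
    while (off < len) {
        code = buf[off++];
        if (code == DHCP_OPT_PAD)
            continue;
        if (code == DHCP_OPT_END)
            return out->msgtype != 0 ? 0 : -1;
        if (off >= len)                   /* code byte without a length byte */
            return -1;
        olen = buf[off++];
        if (olen > len - off)             /* option claims more than remains */
            return -1;
        switch (code) {
        case DHCP_OPT_MSGTYPE:
            if (olen != 1)
                return -1;
            out->msgtype = buf[off];
            break;
        case DHCP_OPT_HOSTNAME:
            /* Copy at most what the destination holds, whatever olen says. */
            n = olen > DHCP_MAX_HOSTNAME ? DHCP_MAX_HOSTNAME : olen;
            memcpy(out->hostname, buf + off, n);
            out->hostname[n] = '\0';
            break;
        default: break;                   /* unknown options are skipped */
        }
        off += olen;
    }
    return -1;                            /* data ran out before an END option */
}

/* Constructed DHCPDISCOVER with a hostname option. hostname_len is written
 * into the option's length byte verbatim, so a caller can build an
 * inconsistent option on purpose. Returns the packet length, or 0. */
static size_t build_sample(uint8_t *pkt, size_t cap, const char *hostname,
    uint8_t hostname_len)
{
    size_t hlen = strlen(hostname), off = DHCP_FIXED_LEN + DHCP_COOKIE_LEN;

    if (cap < off + 3 + 2 + hlen + 1)
        return 0;
    memset(pkt, 0, DHCP_FIXED_LEN);
    pkt[0] = 1; pkt[1] = 1; pkt[2] = 6;   /* BOOTREQUEST, Ethernet, hlen 6 */
    memcpy(pkt + DHCP_FIXED_LEN, dhcp_cookie, DHCP_COOKIE_LEN);
    pkt[off++] = DHCP_OPT_MSGTYPE;  pkt[off++] = 1; pkt[off++] = DHCPDISCOVER;
    pkt[off++] = DHCP_OPT_HOSTNAME; pkt[off++] = hostname_len;
    memcpy(pkt + off, hostname, hlen);
    off += hlen;
    pkt[off++] = DHCP_OPT_END;
    return off;
}

/* Build a sample, optionally followed by `extra` zero bytes that inflate its
 * length, and parse it. Returns the parser's result, -2 if it parsed but the
 * hostname differs from expect_host (NULL skips that), -3 if unbuildable. */
static int parse_sample(const char *hostname, uint8_t hostname_len,
    size_t extra, const char *expect_host)
{
    uint8_t pkt[DHCP_MAX_LEN + 512] = { 0 };
    struct dhcp_req req;
    size_t n = build_sample(pkt, DHCP_MAX_LEN, hostname, hostname_len);
    int r;

    if (n == 0 || n + extra > sizeof(pkt))
        return -3;
    r = dhcp_parse(pkt, n + extra, &req);
    if (r == 0 && expect_host != NULL && strcmp(req.hostname, expect_host) != 0)
        r = -2;
    return r;
}
```

`parse_sample("guest", 5, 0, "guest")` is the well-formed case; a length byte of 200 on the same five-byte hostname is rejected because it exceeds what remains, and 400 bytes of padding push the packet past DHCP_MAX_LEN so it is dropped before anything is copied.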
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  inogu...@cvs.openbsd.org  2021/06/08 05:19:39

Modified files:
    lib/libcrypto: generate_pkgconfig.sh
    lib/libssl: generate_pkgconfig.sh

Log message:
Fix pkg-config .pc files with LibreSSL

In libssl.pc, Libs: should not have '-lcrypto', and Requires.private: should have it as 'libcrypto'. openssl.pc does not need Libs: and Cflags:, but should have Requires:.

OK millert@
CVS: cvs.openbsd.org: www
CVSROOT:     /cvs
Module name: www
Changes by:  bent...@cvs.openbsd.org  2021/06/08 03:46:36

Modified files:
    .: plus69.html
    faq/pf: config.html

Log message:
Typo fixes from Stephane Huc.
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 01:40:12

Modified files:
    regress/usr.bin/ssh/unittests/misc: test_argv.c

Log message:
test argv_split() optional termination on comments
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 01:09:42

Modified files:
    usr.bin/ssh: servconf.c

Log message:
switch sshd_config parsing to argv_split()

similar to the previous commit, this switches sshd_config parsing to the newer tokeniser. Config parsing will be a little stricter wrt quote correctness and directives appearing without arguments.

feedback and ok markus@
tested in snaps for the last five or so days - thanks Theo and those who caught bugs
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 01:07:15

Modified files:
    usr.bin/ssh: readconf.c ssh.c

Log message:
Switch ssh_config parsing to use argv_split()

This fixes a couple of problems with the previous tokeniser, strdelim():

1. strdelim() is permissive wrt accepting '=' characters. This is intended to allow it to tokenise "Option=value" but because it cannot keep state, it will incorrectly split "Opt=val=val2".

2. strdelim() has rudimentary handling of quoted strings, but it is incomplete and inconsistent. E.g. it doesn't handle escaped quotes inside a quoted string.

3. It has no support for stopping on a (unquoted) comment. Because of this readconf.c r1.343 added chopping of lines at '#', but this caused a regression because these characters may legitimately appear inside quoted strings.

The new tokeniser is stricter in a number of cases, including #1 above but previously it was also possible for some directives to appear without arguments. AFAIK these were nonsensical in all cases, and the new tokeniser refuses to accept them.

The new code handles quotes much better, permitting quoted space as well as escaped closing quotes.

Finally, comment handling should be fixed - the tokeniser will terminate only on unquoted # characters.

feedback & ok markus@
tested in snaps for the last five or so days - thanks Theo and those who caught bugs
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  dtuc...@cvs.openbsd.org  2021/06/08 01:05:28

Modified files:
    regress/usr.bin/ssh: sshcfgparse.sh

Log message:
Add testcases from bz#3319 for IPQoS and TunnelDevice being overridden on the command line.
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  dtuc...@cvs.openbsd.org  2021/06/08 01:02:46

Modified files:
    usr.bin/ssh: readconf.c

Log message:
Check if IPQoS or TunnelDevice are already set before overriding. Prevents values in config files from overriding values supplied on the command line. bz#3319, ok markus.
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 00:54:40

Modified files:
    usr.bin/ssh: auth2-pubkey.c misc.c misc.h sshconnect.c

Log message:
Allow argv_split() to optionally terminate tokenisation when it encounters an unquoted comment.

Add some additional utility functions for working with argument vectors, since we'll be switching to using them to parse ssh/sshd_config shortly.

ok markus@ as part of a larger diff; tested in snaps
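A config-line tokeniser with the properties the argv_split() commits above describe (the readconf.c switch listing strdelim()'s three problems, and the misc.c change adding termination on an unquoted comment), as an added example written for this page: quoted space, escaped closing quotes inside a quoted string, termination only on an unquoted '#', and keeping "Opt=val=val2" as a keyword plus one argument so that multi-argument options such as UserKnownHostsFile record every argument. It is not OpenSSH's argv_split(): the names split_args, free_args, count_args and arg_equals, the MAX_ARGS limit, the exact escape set, and the rule that a single '=' directly after the keyword acts as a separator are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 32

/*
 * Tokenise one ssh_config-style line into argv (this example's rules, not
 * OpenSSH's argv_split()):
 *   - tokens are separated by unquoted whitespace;
 *   - a single '=' directly after the keyword also separates it from its
 *     first argument, so "Opt=val=val2" yields "Opt" and "val=val2";
 *   - double quotes group text including spaces; inside quotes \" and \\
 *     are escapes, and a '#' inside quotes is data;
 *   - an unquoted '#' ends the line;
 *   - an unterminated quote is an error.
 * Returns the token count, or -1 on error. Tokens are malloc'd; release
 * them with free_args().
 */
static int split_args(const char *line, char **argv, int max)
{
    const char *p = line;
    int argc = 0, keyword_sep_done = 0;

    for (;;) {
        char *tok;
        size_t tlen = 0;
        int in_quote = 0;

        /* Skip separators: whitespace, or the one '=' allowed after the keyword. */
        while (*p != '\0' && (isspace((unsigned char)*p) ||
            (*p == '=' && argc == 1 && !keyword_sep_done))) {
            if (*p == '=')
                keyword_sep_done = 1;
            p++;
        }
        if (*p == '\0' || *p == '#')        /* end of line or unquoted comment */
            break;
        if (argc >= max || (tok = malloc(strlen(p) + 1)) == NULL)
            goto fail;
        while (*p != '\0') {
            if (in_quote) {
                if (*p == '\\' && (p[1] == '"' || p[1] == '\\')) {
                    tok[tlen++] = p[1];     /* escaped quote or backslash */
                    p += 2;
                } else if (*p == '"') {
                    in_quote = 0;
                    p++;
                } else {
                    tok[tlen++] = *p++;
                }
                continue;
            }
            if (*p == '"') {
                in_quote = 1;
                p++;
                continue;
            }
            if (isspace((unsigned char)*p) || *p == '#')
                break;
            if (*p == '=' && argc == 0 && !keyword_sep_done)
                break;                      /* "Keyword=..." form */
            tok[tlen++] = *p++;
        }
        if (in_quote) {                     /* unterminated quote */
            free(tok);
            goto fail;
        }
        tok[tlen] = '\0';
        argv[argc++] = tok;
    }
    return argc;

fail:
    while (argc > 0)
        free(argv[--argc]);
    return -1;
}

static void free_args(char **argv, int argc)
{
    for (int i = 0; i < argc; i++)
        free(argv[i]);
}

/* Number of tokens on a line, or -1 if the line is malformed. */
static int count_args(const char *line)
{
    char *av[MAX_ARGS];
    int ac = split_args(line, av, MAX_ARGS);

    if (ac > 0)
        free_args(av, ac);
    return ac;
}

/* 1 if token idx of the line equals expect, else 0. */
static int arg_equals(const char *line, int idx, const char *expect)
{
    char *av[MAX_ARGS];
    int ac = split_args(line, av, MAX_ARGS), r;

    if (ac < 0 || idx >= ac)
        return 0;
    r = strcmp(av[idx], expect) == 0;
    free_args(av, ac);
    return r;
}
```

Constructed lines worth feeding through it: `UserKnownHostsFile ~/.ssh/known_hosts "/tmp/with space" # comment` (three tokens, the quoted path kept whole), `Opt=val=val2` (two tokens), `Banner "say \"hi\" # not a comment" # comment` (the quoted '#' survives, the trailing one ends the line), and `Banner "unterminated` (rejected).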
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 00:52:43

Modified files:
    regress/usr.bin/ssh: servcfginclude.sh cfgmatch.sh cfginclude.sh

Log message:
sprinkle some "# comment" at end of configuration lines to test comment handling
CVS: cvs.openbsd.org: src
CVSROOT:     /cvs
Module name: src
Changes by:  d...@cvs.openbsd.org  2021/06/08 00:51:47

Modified files:
    regress/usr.bin/ssh: sshcfgparse.sh

Log message:
more descriptive failure message