Author: simon
Date: Tue Jan 13 21:19:27 2009
New Revision: 187194
URL: http://svn.freebsd.org/changeset/base/187194

Log:
  Correct ntpd(8) cryptographic signature bypass [SA-09:04].
  
  Correct BIND DNSSEC incorrect checks for malformed signatures
  [SA-09:04].
  
  Security:     FreeBSD-SA-09:03.ntpd
  Security:     FreeBSD-SA-09:04.bind
  Obtained from:        ISC [SA-09:04]
  Approved by:  so (simon)

Modified:
  releng/6.3/UPDATING
  releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c
  releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c
  releng/6.3/contrib/ntp/ntpd/ntp_crypto.c
  releng/6.3/sys/conf/newvers.sh
  releng/6.4/UPDATING
  releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c
  releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c
  releng/6.4/contrib/ntp/ntpd/ntp_crypto.c
  releng/6.4/sys/conf/newvers.sh
  releng/7.0/UPDATING
  releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c
  releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c
  releng/7.0/contrib/ntp/ntpd/ntp_crypto.c
  releng/7.0/sys/conf/newvers.sh
  releng/7.1/UPDATING
  releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c
  releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c
  releng/7.1/contrib/ntp/ntpd/ntp_crypto.c
  releng/7.1/sys/conf/newvers.sh

Changes in other areas also in this revision:
Modified:
  head/contrib/ntp/ntpd/ntp_crypto.c
  stable/6/contrib/ntp/ntpd/ntp_crypto.c
  stable/7/contrib/ntp/ntpd/ntp_crypto.c

Modified: releng/6.3/UPDATING
==============================================================================
--- releng/6.3/UPDATING Tue Jan 13 21:19:02 2009        (r187193)
+++ releng/6.3/UPDATING Tue Jan 13 21:19:27 2009        (r187194)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090113:      p9      FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
+       Correct ntpd cryptographic signature bypass. [09:03]
+
+       Correct BIND DNSSEC incorrect checks for malformed
+       signatures. [09:04]
+
 20090107:      p8      FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl
        Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
        long commands into multiple requests. [09:01]

Modified: releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c  Tue Jan 13 21:19:02 
2009        (r187193)
+++ releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c  Tue Jan 13 21:19:27 
2009        (r187194)
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c
 
        status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
        DSA_SIG_free(dsasig);
-       if (status == 0)
+       if (status != 1)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);
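Review bot: The new `status != 1` test is the right acceptance check, but nothing in the hunk records why it must not be written as `== 0`, and a later "simplification" would silently reintroduce the bypass. I would add directly above it: `/* DSA_do_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error (e.g. malformed input); only 1 is acceptance. */`. openssldsa_verify starts outside the hunk, so I cannot see whether the DSA_SIG decoding earlier in the function already rejects malformed input before this point. The identical hunk appears in releng/6.4, releng/7.0 and releng/7.1 and the same comment applies there.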

Modified: releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c  Tue Jan 13 21:19:02 
2009        (r187193)
+++ releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c  Tue Jan 13 21:19:27 
2009        (r187194)
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c
 
        status = RSA_verify(type, digest, digestlen, sig->base,
                            RSA_size(rsa), rsa);
-       if (status == 0)
+       if (status != 1)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);
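Review bot: RSA_verify is passed `RSA_size(rsa)` rather than `sig->length` as the signature length; if the part of opensslrsa_verify before this hunk does not already reject a signature shorter than `RSA_size(rsa)`, a short signature buffer is read past its end, so that check is worth confirming. The `status != 1` comparison itself is correct, but as in the DSA hunk it deserves a one-line comment so it is not reverted: `/* Only a return of exactly 1 means a valid signature; 0 and negative error returns are both failures. */`. opensslrsa_verify starts outside the hunk. The identical hunk appears in releng/6.4, releng/7.0 and releng/7.1.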

Modified: releng/6.3/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/6.3/contrib/ntp/ntpd/ntp_crypto.c    Tue Jan 13 21:19:02 2009        
(r187193)
+++ releng/6.3/contrib/ntp/ntpd/ntp_crypto.c    Tue Jan 13 21:19:27 2009        
(r187194)
@@ -1536,7 +1536,7 @@ crypto_verify(
                EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen +
                    12);
                if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
-                   pkey)) {
+                   pkey) == 1) {
                        if (peer->crypto & CRYPTO_FLAG_VRFY)
                                peer->crypto |= CRYPTO_FLAG_PROV;
                } else {
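Review bot: The return value of EVP_VerifyUpdate at the top of the hunk is not checked; in OpenSSL it returns 0 on failure, after which the EVP_VerifyFinal result that the new `== 1` test inspects is not meaningful. The update call should take the same failure path as a bad signature, e.g. by treating `!EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12)` as a failed verification. The `== 1` comparison itself is the correct acceptance test, since 1 is the only success value and -1 signals an error; a short comment saying so above the `if` would keep it from being rewritten as a truth test again. crypto_verify starts and ends outside the hunk, including the `else` branch that handles the failure; the identical hunk appears in releng/7.0.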

Modified: releng/6.3/sys/conf/newvers.sh
==============================================================================
--- releng/6.3/sys/conf/newvers.sh      Tue Jan 13 21:19:02 2009        
(r187193)
+++ releng/6.3/sys/conf/newvers.sh      Tue Jan 13 21:19:27 2009        
(r187194)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="6.3"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/6.4/UPDATING
==============================================================================
--- releng/6.4/UPDATING Tue Jan 13 21:19:02 2009        (r187193)
+++ releng/6.4/UPDATING Tue Jan 13 21:19:27 2009        (r187194)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090113:      p9      FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
+       Correct ntpd cryptographic signature bypass. [09:03]
+
+       Correct BIND DNSSEC incorrect checks for malformed
+       signatures. [09:04]
+
 20090107:      p2      FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl
        Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
        long commands into multiple requests. [09:01]

Modified: releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c  Tue Jan 13 21:19:02 
2009        (r187193)
+++ releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c  Tue Jan 13 21:19:27 
2009        (r187194)
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c
 
        status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
        DSA_SIG_free(dsasig);
-       if (status == 0)
+       if (status != 1)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);

Modified: releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c  Tue Jan 13 21:19:02 
2009        (r187193)
+++ releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c  Tue Jan 13 21:19:27 
2009        (r187194)
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c
 
        status = RSA_verify(type, digest, digestlen, sig->base,
                            RSA_size(rsa), rsa);
-       if (status == 0)
+       if (status != 1)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);

Modified: releng/6.4/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/6.4/contrib/ntp/ntpd/ntp_crypto.c    Tue Jan 13 21:19:02 2009        
(r187193)
+++ releng/6.4/contrib/ntp/ntpd/ntp_crypto.c    Tue Jan 13 21:19:27 2009        
(r187194)
@@ -1612,7 +1612,7 @@ crypto_verify(
         */
        EVP_VerifyInit(&ctx, peer->digest);
        EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
-       if (!EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey))
+       if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
                return (XEVNT_SIG);
 
        if (peer->crypto & CRYPTO_FLAG_VRFY) {
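Review bot: The return values of EVP_VerifyInit and EVP_VerifyUpdate in the two context lines above the change are ignored, so a failed digest setup still reaches EVP_VerifyFinal; a guard such as `if (!EVP_VerifyInit(&ctx, peer->digest)) return (XEVNT_SIG);` and the same for the update call would close that gap. As a point of style, this branch uses `<= 0` while the releng/6.3 and releng/7.0 variants of the same fix and the BIND hunks in this commit compare against exactly 1; `!= 1` here would make all four consistent and states the contract (only 1 is success) directly. crypto_verify starts and ends outside the hunk; the identical hunk appears in releng/7.1.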

Modified: releng/6.4/sys/conf/newvers.sh
==============================================================================
--- releng/6.4/sys/conf/newvers.sh      Tue Jan 13 21:19:02 2009        
(r187193)
+++ releng/6.4/sys/conf/newvers.sh      Tue Jan 13 21:19:27 2009        
(r187194)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="6.4"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/7.0/UPDATING
==============================================================================
--- releng/7.0/UPDATING Tue Jan 13 21:19:02 2009        (r187193)
+++ releng/7.0/UPDATING Tue Jan 13 21:19:27 2009        (r187194)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090113:      p9      FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
+       Correct ntpd cryptographic signature bypass. [09:03]
+
+       Correct BIND DNSSEC incorrect checks for malformed
+       signatures. [09:04]
+
 20090107:      p8      FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl
        Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
        long commands into multiple requests. [09:01]

Modified: releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c
==============================================================================
--- releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c  Tue Jan 13 21:19:02 
2009        (r187193)
+++ releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c  Tue Jan 13 21:19:27 
2009        (r187194)
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c
 
        status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
        DSA_SIG_free(dsasig);
-       if (status == 0)
+       if (status != 1)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);

Modified: releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c
==============================================================================
--- releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c  Tue Jan 13 21:19:02 
2009        (r187193)
+++ releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c  Tue Jan 13 21:19:27 
2009        (r187194)
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c
 
        status = RSA_verify(type, digest, digestlen, sig->base,
                            RSA_size(rsa), rsa);
-       if (status == 0)
+       if (status != 1)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);

Modified: releng/7.0/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/7.0/contrib/ntp/ntpd/ntp_crypto.c    Tue Jan 13 21:19:02 2009        
(r187193)
+++ releng/7.0/contrib/ntp/ntpd/ntp_crypto.c    Tue Jan 13 21:19:27 2009        
(r187194)
@@ -1536,7 +1536,7 @@ crypto_verify(
                EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen +
                    12);
                if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
-                   pkey)) {
+                   pkey) == 1) {
                        if (peer->crypto & CRYPTO_FLAG_VRFY)
                                peer->crypto |= CRYPTO_FLAG_PROV;
                } else {

Modified: releng/7.0/sys/conf/newvers.sh
==============================================================================
--- releng/7.0/sys/conf/newvers.sh      Tue Jan 13 21:19:02 2009        
(r187193)
+++ releng/7.0/sys/conf/newvers.sh      Tue Jan 13 21:19:27 2009        
(r187194)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.0"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING Tue Jan 13 21:19:02 2009        (r187193)
+++ releng/7.1/UPDATING Tue Jan 13 21:19:27 2009        (r187194)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090113:      p2      FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
+       Correct ntpd cryptographic signature bypass. [09:03]
+
+       Correct BIND DNSSEC incorrect checks for malformed
+       signatures. [09:04]
+
 20090107:      p1      FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl
        Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
        long commands into multiple requests. [09:01]

Modified: releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c
==============================================================================
--- releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c  Tue Jan 13 21:19:02 
2009        (r187193)
+++ releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c  Tue Jan 13 21:19:27 
2009        (r187194)
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c
 
        status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
        DSA_SIG_free(dsasig);
-       if (status == 0)
+       if (status != 1)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);

Modified: releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c
==============================================================================
--- releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c  Tue Jan 13 21:19:02 
2009        (r187193)
+++ releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c  Tue Jan 13 21:19:27 
2009        (r187194)
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c
 
        status = RSA_verify(type, digest, digestlen, sig->base,
                            RSA_size(rsa), rsa);
-       if (status == 0)
+       if (status != 1)
                return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
        return (ISC_R_SUCCESS);

Modified: releng/7.1/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/7.1/contrib/ntp/ntpd/ntp_crypto.c    Tue Jan 13 21:19:02 2009        
(r187193)
+++ releng/7.1/contrib/ntp/ntpd/ntp_crypto.c    Tue Jan 13 21:19:27 2009        
(r187194)
@@ -1612,7 +1612,7 @@ crypto_verify(
         */
        EVP_VerifyInit(&ctx, peer->digest);
        EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
-       if (!EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey))
+       if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
                return (XEVNT_SIG);
 
        if (peer->crypto & CRYPTO_FLAG_VRFY) {

Modified: releng/7.1/sys/conf/newvers.sh
==============================================================================
--- releng/7.1/sys/conf/newvers.sh      Tue Jan 13 21:19:02 2009        
(r187193)
+++ releng/7.1/sys/conf/newvers.sh      Tue Jan 13 21:19:27 2009        
(r187194)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.1"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi