# $NetBSD: CHANGES-3.0.2,v 1.1.2.36 2006/10/28 13:31:32 ghen Exp $

A complete list of changes from the NetBSD 3.0.1 release to the NetBSD 3.0.2
release:

File				Revision(s)
----				--------

gnu/usr.bin/groff/tmac/mdoc.local		patch
sys/sys/param.h					patch

	Welcome to 3.0.1_STABLE

sys/arch/sparc/sparc/machdep.c			patch

	Avoid panic in memory management on some SPARC systems with QFE cards.
	This fixes PR port-sparc/33340 and PR port-sparc/33894.
	[fair, ticket #1401]

sys/nfs/nfs_vnops.c				1.239-1.240 via patch
sys/nfs/nfs_var.h				1.62 via patch

	Fix race condition in NFS renaming that could cause the renamed file
	to be deleted.
	[jld, ticket #1424]

lib/libm/arch/i387/s_scalbn.S			1.8
lib/libm/arch/i387/s_scalbnf.S			1.7

	Fix the ldexp() bug reported on the port-amd64 mailing list.
	[drochner, ticket #1236]

sys/uvm/uvm_bio.c				patch

	Avoid a panic in page fault handling that can occur under low-memory
	conditions.
	[jld, ticket #1323]

xsrc/xfree/xc/programs/Xserver/hw/xfree86/drivers/nv/nv_driver.c	1.8
xsrc/xfree/xc/programs/Xserver/hw/xfree86/drivers/nv/riva_driver.c	1.3

	Fix unresolved symbol in the "nv" driver.
	[jmmv, ticket #1439]

lib/libc/arch/i386/sys/__sigtramp2.S		1.2

	Fix PR port-i386/34112 where a program could mysteriously exit on
	return from a signal handler.
	[jld, ticket #1447]

usr.bin/column/column.c				1.13-1.14

	- PR bin/32322: Division by zero in column(1) with certain column
	  widths.
	- Plug memory leak.
	[daniel, ticket #1449]

usr.bin/whereis/whereis.c			1.18

	PR bin/34114: which(1) doesn't handle commands given as absolute
	pathnames.
	[cube, ticket #1456]

sys/dev/usb/ehci.c				1.96
sys/dev/usb/ohci.c				1.159
sys/dev/usb/uhci.c				1.188
sys/dev/usb/usbdivar.h				1.74

	Fix a race condition in xfer abort. Derived from a FreeBSD patch.
	Fixes occasional crashes while printing. PR#33250
	[abs, ticket #1459]

distrib/utils/sysinst/label.c			1.48

	pointer signedness comparison fixes (needed for following pullup).
	[dsl, ticket #1462]

distrib/utils/sysinst/defs.h			1.130
distrib/utils/sysinst/label.c			1.49
distrib/utils/sysinst/mbr.c			1.75

	When we read 'last mounted' from an FFSv2 superblock set the flag to
	default the partition to FFSv2 (instead of FFSv1). This makes update
	installs add the correct bootstrap code.
	Fixes PR/33682 and PR/32636 (and 33228 which has already been closed
	as a duplicate of 32636).
	[dsl, ticket #1463]

sys/net/if_spppsubr.c				1.96

	Avoid buffer overflow in the in-kernel PPP code shared by ISDN PPP
	interfaces ippp(4) and pppoe(4). This fixes SA2006-019 (CVE-2006-4304).
	[adrianp, ticket #1476]

sys/kern/uipc_syscalls.c			1.102

	Don't leave a dangling socket (no associated struct file) if user
	supplied a bad name or anamelen parameter to accept(2). If bad
	parameters were supplied and a copyout() failed, the struct file was
	cleaned up but not the associated socket. This could leave sockets in
	CLOSE_WAIT that could never be closed.
	[seanb, ticket #1472]

lib/libpthread/pthread_mutex.c			1.22

	Close a window in which we cannot notice a recently-slept-on-our-mutex
	thread, thus leaving a thread sleeping on an unlocked mutex.
	Reviewed by myself and Christos. Problem reported by Arne H. Juul,
	arnej at pvv dot ntnu dot no, in PR 26208. This fix represents
	option 1 presented in the PR.
	[wrstuden, ticket #1474]

sys/arch/cobalt/conf/GENERIC			1.102
sys/arch/cobalt/conf/INSTALL			1.24

	Add option SOSEND_NO_LOAN to fix a panic on cobalt.
	[tsutsui, ticket #1478]

xsrc/xfree/xc/lib/font/bitmap/pcfread.c		1.2

	Fix for CVE-2006-3467 via the X.Org foundation.
	"Integer overflow in FreeType before 2.2 allows remote attackers to
	cause a denial of service (crash) and possibly execute arbitrary code
	via unknown vectors."
	[adrianp, ticket #1486]

usr.sbin/bind/Makefile.inc			1.24

	Avoid named(8) crash on sparc and sparc64 by disabling threading
	support on those platforms.
	[jdc, ticket #1489]

gnu/dist/sendmail/sendmail/main.c		patch

	Fixes potential DoS attack with sendmail(8).
	[adrianp, ticket #1495]

dist/bind/bin/named/query.c			1.3
dist/bind/lib/dns/resolver.c			1.2

	Fixes for CVE-2006-4095 and CVE-2006-4096 from bind-9.3.2-P1.
	[adrianp, ticket #1498]

sys/kern/vfs_subr.c				1.269

	Fix the output of the ddb(4) "show mount" command.
	[jld, ticket #1493]

crypto/dist/openssl/crypto/rsa/rsa_sign.c	1.2-1.3

	Fix for CVE-2006-4339 (RSA signature forgery) from openssl-0.9.7k.
	[adrianp, ticket #1504]

sys/arch/xen/xen/clock.c			1.26 via patch

	Avoid hanging in the timer event handler when a glitch in Xen's
	timekeeping occurs.
	[jld, ticket #1506]

xfree/xc/lib/font/Type1/afm.c			1.2
xfree/xc/lib/font/Type1/scanfont.c		1.2
xfree/xc/lib/font/Type1/util.c			1.2

	Fix vulnerability in Adobe Type 1 font handling.
	[adrianp, ticket #1516]

crypto/dist/openssl/crypto/asn1/tasn_dec.c	patch
crypto/dist/openssl/crypto/dh/dh.h		patch
crypto/dist/openssl/crypto/dh/dh_err.c		patch
crypto/dist/openssl/crypto/dh/dh_key.c		patch
crypto/dist/openssl/crypto/dsa/dsa.h		patch
crypto/dist/openssl/crypto/dsa/dsa_err.c	patch
crypto/dist/openssl/crypto/dsa/dsa_ossl.c	patch
crypto/dist/openssl/crypto/rsa/rsa.h		patch
crypto/dist/openssl/crypto/rsa/rsa_eay.c	patch
crypto/dist/openssl/crypto/rsa/rsa_err.c	patch
crypto/dist/openssl/ssl/s2_clnt.c		patch
crypto/dist/openssl/ssl/s3_srvr.c		patch
crypto/dist/openssl/ssl/ssl_lib.c		patch

	Fix security issues reported in CVE-2006-2937, CVE-2006-2940,
	CVE-2006-3738 and CVE-2006-4343.
	[ghen, ticket #1537]

gnu/dist/binutils/ChangeLog			patch
gnu/dist/binutils/bfd/coff-alpha.c		patch
gnu/dist/binutils/bfd/elf32-iq2000.c		patch
gnu/dist/binutils/bfd/pdp11.c			patch
gnu/dist/binutils/gas/as.h			patch
gnu/dist/binutils/gas/itbl-lex.h		patch
gnu/dist/binutils/gas/itbl-lex.l		patch
gnu/dist/binutils/gas/itbl-parse.y		patch
gnu/dist/binutils/gas/subsegs.h			patch
gnu/dist/binutils/gas/tc.h			patch
gnu/dist/binutils/gas/config/obj-coff.c		patch
gnu/dist/binutils/gas/config/obj-ecoff.h	patch
gnu/dist/binutils/gas/config/tc-arc.c		patch
gnu/dist/binutils/gas/config/tc-arm.c		patch
gnu/dist/binutils/gas/config/tc-cris.h		patch
gnu/dist/binutils/gas/config/tc-frv.c		patch
gnu/dist/binutils/gas/config/tc-mcore.c		patch
gnu/dist/binutils/gas/config/tc-mips.c		patch
gnu/dist/binutils/gas/config/tc-mmix.c		patch
gnu/dist/binutils/gas/config/tc-s390.c		patch
gnu/dist/binutils/gas/config/tc-sh.c		patch
gnu/dist/binutils/gas/config/tc-sparc.c		patch
gnu/dist/binutils/gas/config/tc-tic4x.c		patch
gnu/dist/binutils/gas/config/tc-tic4x.h		patch
gnu/dist/binutils/gas/config/tc-vax.c		patch
gnu/dist/binutils/gas/config/tc-xstormy16.c	patch
gnu/dist/binutils/opcodes/fr30-desc.h		patch
gnu/dist/binutils/opcodes/frv-desc.h		patch
gnu/dist/binutils/opcodes/ip2k-desc.h		patch
gnu/dist/binutils/opcodes/iq2000-asm.c		patch
gnu/dist/gcc/gcc/cp/decl.c			patch
gnu/dist/gcc/include/obstack.h			patch
gnu/dist/gdb/include/obstack.h			patch
gnu/dist/groff/src/preproc/eqn/box.h		patch
gnu/dist/groff/src/roff/troff/div.h		patch
gnu/dist/groff/src/roff/troff/env.h		patch
gnu/dist/groff/src/roff/troff/input.cpp		patch
usr.bin/mkesdb/ldef.h				patch
usr.sbin/makefs/ffs/ffs_alloc.c			patch
usr.sbin/makefs/ffs/ufs_inode.h			patch

	Fix cross-building NetBSD 3.x binutils with GCC 4.x.
	[skrll, ticket #1529]

sys/kern/kern_systrace.c			1.59
sys/sys/systrace.h				1.21

	Fix an exploitable integer overflow found by Chris Evans of Google
	Security: the systrace replace policy struct fields that were supplied
	by the user were not checked properly and could access memory that was
	not intended, for example they could be negative or much larger than
	allowed.
	[christos, ticket #1544]

distrib/notes/mac68k/prep			1.15
distrib/utils/sysinst/arch/mac68k/md.c		1.49

	Fix sysinst on mac68k: make it newfs and mount the target filesystem.
	[pavel, ticket #1548]

sys/arch/amd64/amd64/trap.c			1.22

	Use panic() instead of cpu_reboot() for unhandled kernel traps, to
	make sure that NetBSD/amd64 actually reboots after certain panics
	instead of halting and waiting for someone to press a key.
	[tron, ticket #1550]

usr.sbin/user/user.c				1.112

	In userinfo, initialize buf (the buffer which will hold group names)
	to be a null-terminated string. Otherwise, if the user is not a member
	of any secondary groups, buf is completely uninitialized and userinfo
	adds garbage to the list of groups printed.
	[pavel, ticket #1554]

crypto/dist/ssh/sshd_config			1.25

	Change the default sshd configuration file so that only protocol
	version 2 is enabled by default. Users can manually add back support
	for protocol version 1 in their sshd_config if they have a specific
	need for it.
	[adrianp, ticket #1555]

sys/net/bpf_filter.c				1.32

	Be more robust in setting and detecting error values in bpf_filter()
	and the MINDEX macro. src/regress/sys/net/bpf/out-of-bounds now passes
	the regression test.
	[oster, ticket #1539]

sys/arch/acorn26/acorn26/except.c		1.17

	Remove a route by which a user can trivially panic NetBSD/acorn26.
	Pass regress/sys/arch/arm/abort-fixup.
	[bjh21, ticket #1552]

lib/libc/rpc/svc_vc.c				1.20

	Only retry if we were able to clean up some descriptors, this prevents
	RPC services like NIS and NFS from getting stuck in an infinite loop.
	[tron, ticket #1558]

usr.sbin/bind/include/config.h			1.5

	If we're not using pthreads, claim also that we don't have sigwait.
	This works around the problems observed on sparc and sparc64 (where
	we've disabled use of pthreads) where the BIND applications end up
	being killed with SIGTERM instead of exiting gracefully.
	[he, ticket #1565]

sys/compat/darwin/darwin_iohidsystem.c		1.35 via patch
sys/compat/darwin/darwin_ktrace.c		1.6 via patch
sys/compat/freebsd/freebsd_misc.c		1.26 via patch
sys/kern/kern_ktrace.c				1.110 via patch
sys/sys/ktrace.h				1.45 via patch

	Make ktruser enforce the maximum buffer length, and return an error.
	[adrianp, ticket #1564]

sys/kern/uipc_syscalls.c			1.104

	Fix local denial of service (kernel panic through sendmsg()).
	[elad, ticket #1566]

sys/miscfs/procfs/procfs_linux.c		1.28

	Fix a kernel panic when trying to access /emul/linux/proc/0/stat.
	[elad, ticket #1567]

sys/kern/sys_process.c				1.111 via patch

	Don't allow ptrace to copyout arbitrary sized data.
	[christos, ticket #1556]

crypto/dist/ssh/auth.h				patch
crypto/dist/ssh/deattack.c			patch
crypto/dist/ssh/deattack.h			patch
crypto/dist/ssh/log.c				patch
crypto/dist/ssh/log.h				patch
crypto/dist/ssh/packet.c			patch
crypto/dist/ssh/session.c			patch
crypto/dist/ssh/sshd.c				patch
crypto/dist/ssh/version.h			patch

	OpenSSH: fix CVE-2006-4924 and CVE-2006-5051 (patches backported from
	OpenSSH 4.4).
	[adrianp, ticket #1569]

sys/netinet/tcp_input.c				1.250

	Don't accept TCP connections to broadcast addresses.
	[rpaulo, ticket #1547]

sys/net/if.c					1.172,1.173,1.175

	Fix a memory disclosure in interface name buffer.
	[christos, tickets #1563 and #1572]

gnu/usr.bin/groff/tmac/mdoc.local		patch
sys/sys/param.h					patch

	Welcome to NetBSD 3.0.2.
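The systrace (ticket #1544), ktruser (ticket #1564) and ptrace (ticket #1556) entries above all close the same class of bug: a length or offset read from a user-supplied structure and used before it is checked for sign, for the policy maximum, and for overflow against the buffer it indexes. The C below is an added illustration written for this page and is not NetBSD's code or any of the fixes listed; the struct user_replace type, its field names, MAX_REPLACE_LEN, the function names and the buffer contents are all hypothetical and constructed for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request a caller hands to the kernel: where to write inside a
 * buffer we own, and how many bytes. The fields are signed, as in many older
 * syscall ABIs, so a caller can pass negative values. Not a NetBSD structure. */
struct user_replace {
	int off;	/* caller-supplied offset into our buffer */
	int len;	/* caller-supplied byte count */
};

/* Policy maximum for one replacement; an assumed constant for this example. */
#define MAX_REPLACE_LEN 256

/*
 * Validate caller-supplied fields before they reach any pointer arithmetic.
 * Returns 0 when (off, len) describes a range inside buflen bytes, else EINVAL.
 * Comparisons are done on non-negative size_t values, and the bound check is
 * written as a subtraction so that off + len can never wrap around.
 */
int replace_args_check(size_t buflen, const struct user_replace *r)
{
	if (r->off < 0 || r->len < 0)
		return EINVAL;			/* negative: would index before buf */
	if ((size_t)r->len > MAX_REPLACE_LEN)
		return EINVAL;			/* larger than the policy allows */
	if ((size_t)r->off > buflen)
		return EINVAL;			/* offset past the end of buf */
	if ((size_t)r->len > buflen - (size_t)r->off)
		return EINVAL;			/* len would run past the end */
	return 0;
}

/*
 * Apply the replacement only after the check has passed. The unchecked form,
 * memcpy(buf + r->off, src, r->len) with no validation at all, is the pattern
 * the entries above describe: a negative or oversized field reaches memory
 * that was never meant to be touched.
 */
int replace_checked(char *buf, size_t buflen, const struct user_replace *r,
    const char *src)
{
	int error = replace_args_check(buflen, r);

	if (error != 0)
		return error;
	memcpy(buf + r->off, src, (size_t)r->len);
	return 0;
}

/* Constructed demonstration: overwrite "world" with "there" at offset 6.
 * Returns 1 when the buffer reads "hello there" afterwards, 0 otherwise. */
int demo_replace_hello(void)
{
	char buf[64] = "hello world";
	struct user_replace r = { 6, 5 };

	if (replace_checked(buf, sizeof buf, &r, "there") != 0)
		return 0;
	return strcmp(buf, "hello there") == 0;
}

int main(void)
{
	struct user_replace bad[] = {
		{ -1, 4 },		/* negative offset */
		{ 0, 1000 },		/* len above MAX_REPLACE_LEN */
		{ INT_MAX, 4 },		/* off + len would wrap if added */
		{ 62, 4 },		/* off in range, off + len past end of 64 */
	};
	size_t i;

	for (i = 0; i < sizeof bad / sizeof bad[0]; i++)
		printf("bad[%zu] -> %s\n", i,
		    replace_args_check(64, &bad[i]) == EINVAL ? "EINVAL" : "accepted");
	printf("valid replace -> %s\n",
	    demo_replace_hello() ? "hello there" : "failed");
	return 0;
}
```

The order of the checks matters: the sign test comes first because casting a negative int to size_t produces a huge value that the later comparisons would otherwise have to reason about, and the final test subtracts off from buflen instead of adding off to len so that no intermediate sum can overflow.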