# $NetBSD: CHANGES-5.2.3,v 1.1.2.26 2014/11/15 08:13:01 snj Exp $

A complete list of changes from the NetBSD 5.2.2 release to the NetBSD 5.2.3
release:

doc/README.files					patched by hand
gnu/usr.bin/groff/tmac/mdoc.local			patched by hand
sys/sys/param.h						patched by hand

	Welcome to 5.2.2_PATCH.
	[bouyer]

sys/kern/kern_verifiedexec.c				1.132

	Reorder code to avoid use-after-free on error.
	From Maxime Villard.
	[maxv, ticket #1899]

sys/kern/vfs_syscalls.c					1.478, 1.480 via patch
sys/coda/coda_vfsops.c					1.81
sys/fs/adosfs/advfsops.c				1.70
sys/fs/cd9660/cd9660_vfsops.c				1.84
sys/fs/efs/efs_vfsops.c					1.25
sys/fs/filecorefs/filecore_vfsops.c			1.76
sys/fs/hfs/hfs_vfsops.c					1.31
sys/fs/msdosfs/msdosfs_vfsops.c				1.107
sys/fs/ntfs/ntfs_vfsops.c				1.94
sys/fs/ptyfs/ptyfs_vfsops.c				1.50 via patch
sys/fs/puffs/puffs_vfsops.c				1.110 via patch
sys/fs/smbfs/smbfs_vfsops.c				1.100
sys/fs/sysvbfs/sysvbfs_vfsops.c				1.43
sys/fs/tmpfs/tmpfs_vfsops.c				1.59 via patch
sys/fs/udf/udf_vfsops.c					1.67
sys/fs/union/union_vfsops.c				1.72
sys/fs/unionfs/unionfs_vfsops.c				1.13
sys/kern/vfs_syscalls.c					1.479
sys/miscfs/nullfs/null_vfsops.c				1.88 via patch
sys/miscfs/overlay/overlay_vfsops.c			1.61
sys/miscfs/procfs/procfs_vfsops.c			1.91
sys/miscfs/umapfs/umap_vfsops.c				1.92
sys/nfs/nfs_vfsops.c					1.227
sys/ufs/ext2fs/ext2fs_vfsops.c				1.180
sys/ufs/ffs/ffs_vfsops.c				1.297
sys/ufs/lfs/lfs_vfsops.c				1.321
sys/ufs/mfs/mfs_vfsops.c				1.107

	Due to missing checks in the mount syscall, and a wrong assumption on
	the file systems side, the kernel could allocate an unbounded or
	zero-sized memory buffer, and could dereference a NULL pointer when
	particular arguments are given by a user.
	[maxv, ticket #1901]

src/sys/compat/linux/common/linux_exec_elf32.c		1.91 via patch

	A specially-crafted binary could easily control a kernel array index.
	Add some checks to ensure that nothing will be read outside the
	allocated area. Rewrite the code so that we don't need to allocate
	the whole section.
	Spotted by several developers, patch from chs@/enami@
	[maxv, ticket #1902]

xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c	1.2
xsrc/external/mit/libXfont/dist/src/fc/fserve.c		1.2
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c	1.2
xsrc/xfree/xc/lib/font/fc/fsconvert.c			1.5
xsrc/xfree/xc/lib/font/fc/fserve.c			1.5
xsrc/xfree/xc/lib/font/fontfile/dirfile.c		1.5

	Fix multiple vulnerabilities in libXfont:
	- CVE-2014-0209: integer overflow of allocations in font metadata
	  file parsing
	- CVE-2014-0210: unvalidated length fields when parsing xfs protocol
	  replies
	- CVE-2014-0211: integer overflows calculating memory needs for xfs
	  replies
	[spz, ticket #1905]

sys/fs/cd9660/cd9660_node.c				1.31

	PR kern/48787: inode calculation from ISO9660 block offset might get
	truncated to 32bit - force the whole expression to be evaluated as
	ino_t.
	Patch from Thomas Schmitt, with minor modifications (and reworded
	comment).
	[martin, ticket #1904]

doc/3RDPARTY						patch
share/zoneinfo/africa					patch
share/zoneinfo/antarctica				patch
share/zoneinfo/asia					patch
share/zoneinfo/australasia				patch
share/zoneinfo/backward					patch
share/zoneinfo/etcetera					patch
share/zoneinfo/europe					patch
share/zoneinfo/iso3166.tab				patch
share/zoneinfo/leap-seconds.list			patch
share/zoneinfo/leapseconds				patch
share/zoneinfo/leapseconds.awk				patch
share/zoneinfo/northamerica				patch
share/zoneinfo/southamerica				patch
share/zoneinfo/zone.tab					patch
distrib/sets/lists/base/mi				patch

	Update timezone database from tzdata2013d to tzdata2014c.
	This adds a new timezone, Antarctica/Troll, and updates many other
	timezones. The Asia/Riyadh{87,88,89} zones are retained for backward
	compatibility, although they have been removed from the upstream
	distribution.
	[apb, ticket #1906]

crypto/dist/openssl/crypto/bn/bn.h			patch
crypto/dist/openssl/crypto/bn/bn_lib.c			patch
crypto/dist/openssl/crypto/ec/ec2_mult.c		patch
crypto/dist/openssl/ssl/d1_both.c			patch
crypto/dist/openssl/ssl/s3_clnt.c			patch
crypto/dist/openssl/ssl/s3_pkt.c			patch
crypto/dist/openssl/ssl/s3_srvr.c			patch
crypto/dist/openssl/ssl/ssl3.h				patch

	Fix CVE-2014-0224, CVE-2014-0221, CVE-2014-0195 and CVE-2014-3470.
	[spz, ticket #1908]

sys/compat/freebsd/freebsd_sched.c			1.20-1.21

	Avoid NULL dereference and fix sched param conversion.
	Pointed out by Maxime Villard.
	[maxv, ticket #1909]

libexec/httpd/CHANGES					1.3-1.18
libexec/httpd/Makefile					1.8-1.22 via patch
libexec/httpd/Makefile.boot				1.3-1.6
libexec/httpd/auth-bozo.c				1.5-1.13
libexec/httpd/bozohttpd.8				1.6-1.46
libexec/httpd/bozohttpd.c				1.8,1.12-1.54
libexec/httpd/bozohttpd.h				1.8-1.32
libexec/httpd/cgi-bozo.c				1.11-1.25
libexec/httpd/content-bozo.c				1.4-1.10
libexec/httpd/daemon-bozo.c				1.5-1.16
libexec/httpd/dir-index-bozo.c				1.6-1.19
libexec/httpd/ssl-bozo.c				1.5-1.16
libexec/httpd/tilde-luzah-bozo.c			1.5-1.10
libexec/httpd/lua-bozo.c				1.1-1.9
libexec/httpd/main.c					1.1-1.7
libexec/httpd/netbsd_queue.h				1.1
libexec/httpd/printenv.lua				1.1-1.2
libexec/httpd/debug/Makefile				1.1
libexec/httpd/libbozohttpd/Makefile			1.2
libexec/httpd/libbozohttpd/libbozohttpd.3		1.3
libexec/httpd/libbozohttpd/shlib_version		1.1
libexec/httpd/lua/Makefile				1.1
libexec/httpd/lua/bozo.lua				1.1
libexec/httpd/lua/glue.c				1.1
libexec/httpd/lua/optparse.lua				1.1
libexec/httpd/lua/shlib_version				1.1
libexec/httpd/small/Makefile				1.1-1.2
libexec/httpd/testsuite/Makefile			1.4
libexec/httpd/testsuite/html_cmp			1.4
libexec/httpd/testsuite/t1.in				1.3
libexec/httpd/testsuite/t1.out				1.3
libexec/httpd/testsuite/t10.in				1.1
libexec/httpd/testsuite/t10.out				1.1
libexec/httpd/testsuite/t2.in				1.3
libexec/httpd/testsuite/t2.out				1.3
libexec/httpd/testsuite/t3.in				1.3
libexec/httpd/testsuite/t3.out				1.3
libexec/httpd/testsuite/t4.in				1.3
libexec/httpd/testsuite/t4.out				1.3
libexec/httpd/testsuite/t5.in				1.3
libexec/httpd/testsuite/t5.out				1.3
libexec/httpd/testsuite/t6.in				1.3
libexec/httpd/testsuite/t6.out				1.3
libexec/httpd/testsuite/t7.in				1.3
libexec/httpd/testsuite/t7.out				1.3
libexec/httpd/testsuite/t8.in				1.3
libexec/httpd/testsuite/t8.out				1.3
libexec/httpd/testsuite/t9.in				1.3
libexec/httpd/testsuite/t9.out				1.3
libexec/httpd/testsuite/test-bigfile			1.1
libexec/httpd/testsuite/data/bigfile			1.1
libexec/httpd/testsuite/data/bigfile.partial4000	1.1
libexec/httpd/testsuite/data/bigfile.partial8000	1.1
libexec/httpd/testsuite/data/file			1.3
libexec/httpd/testsuite/data/index.html			1.3

	Update bozohttpd from 20080303+patches to 20140708.
	[mrg, ticket #1913]

sys/kern/sys_module.c					1.15 via patch

	Fix a user-controlled memory allocation.
	[maxv, ticket #1914]

sys/compat/linux/common/linux_socketcall.c		1.44
sys/compat/linux32/common/linux32_socketcall.c		1.9

	If SCARG(uap, what) = 0, copyin() will copy (size_t)-1 bytes, and
	it's not a good idea; but not proven harmful.
	With the help of njoly@.
	[maxv, ticket #1916]

distrib/sets/lists/base/mi				patch
doc/3RDPARTY						patch
share/zoneinfo/Makefile					patch
share/zoneinfo/africa					patch
share/zoneinfo/antarctica				patch
share/zoneinfo/asia					patch
share/zoneinfo/australasia				patch
share/zoneinfo/backward					patch
share/zoneinfo/etcetera					patch
share/zoneinfo/europe					patch
share/zoneinfo/factory					patch
share/zoneinfo/iso3166.tab				patch
share/zoneinfo/leap-seconds.list			patch
share/zoneinfo/northamerica				patch
share/zoneinfo/pacificnew				patch
share/zoneinfo/southamerica				patch
share/zoneinfo/systemv					patch
share/zoneinfo/yearistype.sh				patch
share/zoneinfo/zone.tab					patch
share/zoneinfo/zone1970.tab				patch

	Update timezone database from tzdata2014c to tzdata2014f.
	This adds two new timezones (Asia/Chita and Asia/Srednekolymsk),
	updates many other timezones, and adds two new data files in the
	/usr/share/zoneinfo directory (leapseconds and zone1970.dat).
	[apb, ticket #1917]

etc/namedb/root.cache					patch
doc/3RDPARTY						patch

	Sync root.cache with the latest -current (rev. 1.18).
	[taca, ticket #1912]

sys/miscfs/umapfs/umap_vfsops.c				1.94

	Fix an overflow and a memory corruption bug in umapfs.
	[maxv, ticket #1921]

sys/dev/pci/pci_usrreq.c				1.26 via patch

	Fix to make pci(4) reject unaligned configuration register reads and
	writes before feeding them to a kassert in pci_conf_read/write or to
	a trap in the hardware itself.
	[riastradh, ticket #1922]

crypto/dist/openssl/crypto/asn1/a_object.c		patch
crypto/dist/openssl/crypto/asn1/asn1.h			patch
crypto/dist/openssl/crypto/asn1/asn1_err.c		patch
crypto/dist/openssl/crypto/objects/obj_dat.c		patch
crypto/dist/openssl/ssl/d1_both.c			patch
crypto/dist/openssl/ssl/s23_srvr.c			patch
crypto/dist/openssl/ssl/s3_clnt.c			patch
crypto/dist/openssl/ssl/t1_lib.c			patch

	Patches for the following vulnerabilities:
	- Information leak in pretty printing functions (CVE-2014-3508)
	- Double Free when processing DTLS packets (CVE-2014-3505)
	- DTLS memory exhaustion (CVE-2014-3506)
	- DTLS memory leak from zero-length fragments (CVE-2014-3507)
	- OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
	- Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
	- OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
	Backported from the recent 1.0.1i OpenSSL release.
	[spz, ticket #1918]

sys/netinet6/ip6_output.c				1.158 via patch

	Fix a memory leak in calling setsockopt() on an INET6 socket.
	[maxv, ticket #1920]

crypto/dist/openssl/apps/s_client.c			patch
crypto/dist/openssl/crypto/LPdir_vms.c			patch
crypto/dist/openssl/crypto/LPdir_win.c			patch
crypto/dist/openssl/crypto/Makefile			patch
crypto/dist/openssl/crypto/constant_time_locl.h		patch
crypto/dist/openssl/crypto/constant_time_test.c		patch
crypto/dist/openssl/crypto/bn/bn_exp.c			patch
crypto/dist/openssl/crypto/bn/exptest.c			patch
crypto/dist/openssl/crypto/bn/asm/x86_64-gcc.c		patch
crypto/dist/openssl/crypto/dsa/dsa_ameth.c		patch
crypto/dist/openssl/crypto/ec/ec.h			patch
crypto/dist/openssl/crypto/ec/ec_ameth.c		patch
crypto/dist/openssl/crypto/ec/ec_asn1.c			patch
crypto/dist/openssl/crypto/ec/ec_key.c			patch
crypto/dist/openssl/crypto/ec/ecp_smpl.c		patch
crypto/dist/openssl/crypto/err/openssl.ec		patch
crypto/dist/openssl/crypto/evp/Makefile			patch
crypto/dist/openssl/crypto/evp/evp_enc.c		patch
crypto/dist/openssl/crypto/pkcs7/pkcs7.h		patch
crypto/dist/openssl/crypto/rsa/Makefile			patch
crypto/dist/openssl/crypto/rsa/rsa.h			patch
crypto/dist/openssl/crypto/rsa/rsa_err.c		patch
crypto/dist/openssl/crypto/rsa/rsa_oaep.c		patch
crypto/dist/openssl/crypto/rsa/rsa_pk1.c		patch
crypto/dist/openssl/crypto/rsa/rsa_sign.c		patch
crypto/dist/openssl/doc/apps/s_client.pod		patch
crypto/dist/openssl/doc/crypto/BIO_s_accept.pod		patch
crypto/dist/openssl/doc/crypto/CMS_add1_signer.pod	patch
crypto/dist/openssl/doc/crypto/EVP_DigestInit.pod	patch
crypto/dist/openssl/doc/crypto/EVP_DigestVerifyInit.pod	patch
crypto/dist/openssl/doc/crypto/EVP_EncryptInit.pod	patch
crypto/dist/openssl/doc/crypto/EVP_PKEY_set1_RSA.pod	patch
crypto/dist/openssl/doc/crypto/EVP_PKEY_sign.pod	patch
crypto/dist/openssl/doc/ssl/SSL_CTX_set_mode.pod	patch
crypto/dist/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod	patch
crypto/dist/openssl/ssl/Makefile			patch
crypto/dist/openssl/ssl/s23_clnt.c			patch
crypto/dist/openssl/ssl/s23_srvr.c			patch
crypto/dist/openssl/ssl/s2_lib.c			patch
crypto/dist/openssl/ssl/s3_clnt.c			patch
crypto/dist/openssl/ssl/s3_enc.c			patch
crypto/dist/openssl/ssl/s3_lib.c			patch
crypto/dist/openssl/ssl/s3_pkt.c			patch
crypto/dist/openssl/ssl/s3_srvr.c			patch
crypto/dist/openssl/ssl/ssl-lib.com			patch
crypto/dist/openssl/ssl/ssl.h				patch
crypto/dist/openssl/ssl/ssl3.h				patch
crypto/dist/openssl/ssl/ssl_err.c			patch
crypto/dist/openssl/ssl/ssl_lib.c			patch
crypto/dist/openssl/ssl/t1_enc.c			patch
crypto/dist/openssl/ssl/t1_lib.c			patch
crypto/dist/openssl/ssl/tls1.h				patch
crypto/dist/openssl/test/Makefile			patch
crypto/dist/openssl/test/constant_time_test.c		patch

	OpenSSL security fixes derived from the diff between OpenSSL 1.0.0n
	and 1.0.0o, fixing CVE-2014-3567, CVE-2014-3568, and adding POODLE
	mitigation via support for TLS_FALLBACK_SCSV.
	[spz, ticket #1927]

sys/compat/freebsd/freebsd_sysctl.c			1.17

	Do not access a userland pointer from kernel space directly, use
	copyin() instead, avoiding a crash.
	[maxv, ticket #1926]

usr.bin/ftp/fetch.c					1.206 via patch

	Don't pay attention to special characters if they don't come from
	the command line.
	[jmcneill, ticket #1928]

usr.bin/ftp/version.h					1.85

	Change the version that ftp announces to 20141026.
	It can be a useful method to determine if CVE-2014-8517 is fixed.
	[lukem, ticket #1929]

distrib/common/Makefile.bootcd				1.20 via patch
distrib/notes/arc/prep					1.3 via patch
distrib/notes/cats/prep					1.12 via patch
distrib/notes/common/main				1.512 via patch
distrib/notes/macppc/prep.OPENFIRMWARE			1.16 via patch
share/man/man7/release.7				1.33-1.36 via patch

	Install fully-populated .iso images in ${RELEASEDIR}/images instead
	of ${RELEASEDIR}/iso. Update documentation to reflect this.
	[snj, ticket #1930]

distrib/common/Makefile.bootcd				1.18
distrib/notes/common/main				1.484
distrib/notes/macppc/prep.OPENFIRMWARE			1.15
distrib/notes/sparc/install				1.57
distrib/alpha/cdroms/installcd/Makefile			1.2
distrib/pmax/cdroms/installcd/Makefile			1.2
distrib/prep/cdroms/installcd/Makefile			1.3
distrib/sgimips/cdroms/installcd/Makefile		1.2
distrib/sparc/cdroms/installcd/Makefile			1.2
distrib/sparc64/cdroms/installcd/Makefile		1.14
distrib/sun3/cdroms/installcd/Makefile			1.2
distrib/vax/cdroms/installcd/Makefile			1.2
etc/Makefile						1.394
share/man/man7/release.7				1.32

	Change release ISOs to more meaningful names like
	NetBSD-5.2.3-i386.iso instead of i386cd.iso.
	Fix PR# install/44593.
	[snj, ticket #1931]

distrib/notes/common/main				patched by hand
doc/LAST_MINUTE						patched by hand
sys/sys/param.h						patched by hand

	Welcome to 5.2.3!
	[snj]
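The mount (ticket #1901), sys_module (ticket #1914) and linux_socketcall
(ticket #1916) entries above all share one bug class: a size that userland
controls reaches the allocator or copyin() without being bounded. The block
below is an added illustration written for this page, not NetBSD source and
not the code the tickets patched. Every name in it (userlen_copyin,
copyin_sim, MAX_USER_DATA_LEN, socketcall_table and the rest) is
hypothetical, and the dispatch table is a constructed stand-in whose slot 0
has argsize -1 so that the (size_t)-1 copy described for what == 0 can be
reproduced and then rejected.

```c
/*
 * Added illustration, not NetBSD source: bounding user-supplied sizes before
 * a kernel path allocates or copyin()s. All names here are hypothetical.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on how much a caller may make the kernel allocate. */
#define MAX_USER_DATA_LEN 4096

/* Stand-in for copyin(): "user" memory is just another buffer here. */
static int copyin_sim(const void *uaddr, void *kaddr, size_t len)
{
    if (uaddr == NULL)
        return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/*
 * Hardened allocate-and-copy. Handing data_len straight to the allocator
 * lets a caller request a zero-sized buffer (len 0) or an unbounded one
 * (len huge); both are refused before any allocation happens. On success
 * *out owns exactly data_len bytes and must be free()d by the caller.
 */
int userlen_copyin(const void *udata, size_t data_len, void **out)
{
    void *buf;
    int error;

    *out = NULL;
    if (data_len == 0 || data_len > MAX_USER_DATA_LEN)
        return EINVAL;
    buf = malloc(data_len);
    if (buf == NULL)
        return ENOMEM;
    error = copyin_sim(udata, buf, data_len);
    if (error != 0) {
        free(buf);
        return error;
    }
    *out = buf;
    return 0;
}

/*
 * Constructed socketcall-style multiplexer: the sub-call number selects how
 * many argument bytes to copyin(). Slot 0 is an unused sentinel whose
 * argsize is -1; converting that to size_t yields (size_t)-1, i.e. SIZE_MAX.
 */
struct socketcall_entry {
    int argsize;            /* negative: no such sub-call */
    const char *name;
};

static const struct socketcall_entry socketcall_table[] = {
    { -1,                  NULL      },   /* 0: sentinel, never valid */
    { 3 * (int)sizeof(int), "socket"  },   /* 1 */
    { 3 * (int)sizeof(int), "bind"    },   /* 2 */
    { 3 * (int)sizeof(int), "connect" },   /* 3 */
};
#define N_SOCKETCALL (sizeof(socketcall_table) / sizeof(socketcall_table[0]))

/* Unchecked lookup: a range check alone lets slot 0 through, and its
 * negative argsize silently becomes SIZE_MAX once passed as a size_t. */
size_t socketcall_argsize_unchecked(int what)
{
    return (size_t)socketcall_table[what].argsize;
}

/* Checked lookup: reject out-of-range indices and negative sizes. */
int socketcall_argsize_checked(int what, size_t *lenp)
{
    *lenp = 0;
    if (what < 0 || (size_t)what >= N_SOCKETCALL)
        return EINVAL;
    if (socketcall_table[what].argsize < 0)
        return EINVAL;
    *lenp = (size_t)socketcall_table[what].argsize;
    return 0;
}

int main(void)
{
    size_t len;
    void *p;

    printf("what=0 unchecked would copy %zu bytes\n",
           socketcall_argsize_unchecked(0));
    printf("what=0 checked -> %d\n", socketcall_argsize_checked(0, &len));
    printf("len=0 -> %d, len=%d -> %d\n",
           userlen_copyin("x", 0, &p), MAX_USER_DATA_LEN + 1,
           userlen_copyin("x", MAX_USER_DATA_LEN + 1, &p));
    if (userlen_copyin("hello", 5, &p) == 0)
        free(p);
    return 0;
}
```

The two checks are deliberately separate: the index test guards the table
read, and the sign test guards the size conversion, because a table entry
that is in range can still carry a size that is not.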
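The cd9660 entry (PR kern/48787, ticket #1904) says the inode expression had
to be forced to ino_t because it could be truncated to 32 bits. The block
below is an added example written for this page, not the cd9660 source. It
assumes the inode number is the directory record's block number (plus an
extended-attribute length) shifted by the 2048-byte ISO9660 block shift,
uses uint64_t in place of NetBSD's 64-bit ino_t, and the function names are
hypothetical. It shows the narrow and the widened computation side by side
and the block number at which they start to disagree.

```c
/*
 * Added illustration, not the cd9660 source: 32-bit truncation of an
 * ISO9660 inode number and the widened computation that avoids it.
 * uint64_t stands in for NetBSD's 64-bit ino_t; names are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

#define ISO_BSHIFT 11   /* log2(2048), the ISO9660 logical block size */

/* Before: the shift runs in 32-bit unsigned arithmetic and the result is
 * widened only afterwards, so bits above 2^32 are already gone. */
uint64_t iso_ino_narrow(uint32_t extent, uint32_t ext_attr_len)
{
    uint32_t ino32 = (extent + ext_attr_len) << ISO_BSHIFT;
    return ino32;
}

/* After: widen to the 64-bit inode type before the shift. */
uint64_t iso_ino_wide(uint32_t extent, uint32_t ext_attr_len)
{
    return ((uint64_t)extent + ext_attr_len) << ISO_BSHIFT;
}

/* Smallest block number whose shifted inode no longer fits in 32 bits:
 * 2^(32-11) = 2097152, i.e. 4 GiB into the image. */
uint32_t iso_first_truncating_block(void)
{
    return (uint32_t)1 << (32 - ISO_BSHIFT);
}

/* 1 if the narrow computation disagrees with the widened one. */
int iso_ino_truncates(uint32_t extent, uint32_t ext_attr_len)
{
    return iso_ino_narrow(extent, ext_attr_len) !=
           iso_ino_wide(extent, ext_attr_len);
}

int main(void)
{
    uint32_t blk = iso_first_truncating_block();

    printf("block %u: narrow=%llu wide=%llu\n", blk,
           (unsigned long long)iso_ino_narrow(blk, 0),
           (unsigned long long)iso_ino_wide(blk, 0));
    /* Two distinct entries collapsing onto one inode is the real damage. */
    printf("block %u and block 100 share narrow inode %llu\n", blk + 100,
           (unsigned long long)iso_ino_narrow(blk + 100, 0));
    return 0;
}
```

The security-relevant consequence is the collision, not the wrap itself:
once two directory entries past the 4 GiB mark map to the same inode, the
kernel's inode cache can hand back the wrong file for a lookup.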