Message-Id: <201304210335.r3L3Zwo6062533@red.freebsd.org>
Date: Sun, 21 Apr 2013 03:35:58 GMT
From: Adam Nowacki <nowak@tepeserwery.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: nfsserver readdir panic, missing vnode type check
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         178016
>Category:       kern
>Synopsis:       [nfs] [patch] nfsserver readdir panic, missing vnode type check
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 21 03:40:00 UTC 2013
>Closed-Date:    Mon May 06 12:35:02 UTC 2013
>Last-Modified:  Mon May 06 12:35:02 UTC 2013
>Originator:     Adam Nowacki
>Release:        9.1-RELEASE
>Organization:
>Environment:
FreeBSD storage 9.1-RELEASE FreeBSD 9.1-RELEASE #0: Sat Feb 23 15:51:26 UTC 2013     root@storage:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
The new NFS server will process READDIR on non-directories. A kernel panic is almost certain if readdir is executed on a regular file.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: sys/fs/nfsserver/nfs_nfsdport.c
===================================================================
--- sys/fs/nfsserver/nfs_nfsdport.c	(revision 249437)
+++ sys/fs/nfsserver/nfs_nfsdport.c	(working copy)
@@ -1575,6 +1575,8 @@
 			nd->nd_repstat = NFSERR_BAD_COOKIE;
 #endif
 	}
+	if (!nd->nd_repstat && vp->v_type != VDIR)
+		nd->nd_repstat = NFSERR_NOTDIR;
 	if (nd->nd_repstat == 0 && cnt == 0) {
 		if (nd->nd_flag & ND_NFSV2)
 			/* NFSv2 does not have NFSERR_TOOSMALL */
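
Review bot: the added test `if (!nd->nd_repstat && vp->v_type != VDIR)` is written differently from the status test on the very next line, `if (nd->nd_repstat == 0 && cnt == 0)`; using `nd->nd_repstat == 0` in both keeps the checks in this block uniform. A one-line comment stating that READDIR must be refused for non-directory vnodes would also help, since nothing in the surrounding context explains why the check sits here. The How-To-Repeat field of the report is empty, so a short reproduction or regression test submitted with the patch would let the fix be verified.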


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Apr 21 19:26:18 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=178016 
Responsible-Changed-From-To: freebsd-fs->secteam 
Responsible-Changed-By: des 
Responsible-Changed-When: Tue Apr 23 08:42:36 UTC 2013 
Responsible-Changed-Why:  



From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 20:16:43 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 20:16:25 2013
 New Revision: 250062
 URL: http://svnweb.freebsd.org/changeset/base/250062
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	re
 
 Modified:
   releng/8.4/sys/fs/nfsserver/nfs_nfsdport.c
 
 Modified: releng/8.4/sys/fs/nfsserver/nfs_nfsdport.c
 ==============================================================================
 --- releng/8.4/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:16:00 2013	(r250061)
 +++ releng/8.4/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:16:25 2013	(r250062)
 @@ -1569,6 +1569,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd
  			nd->nd_repstat = NFSERR_BAD_COOKIE;
  #endif
  	}
 +	if (!nd->nd_repstat && vp->v_type != VDIR)
 +		nd->nd_repstat = NFSERR_NOTDIR;
  	if (nd->nd_repstat == 0 && cnt == 0) {
  		if (nd->nd_flag & ND_NFSV2)
  			/* NFSv2 does not have NFSERR_TOOSMALL */
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 20:09:57 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 20:09:44 2013
 New Revision: 250055
 URL: http://svnweb.freebsd.org/changeset/base/250055
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
 
 Modified:
   head/sys/fs/nfsserver/nfs_nfsdport.c
 
 Modified: head/sys/fs/nfsserver/nfs_nfsdport.c
 ==============================================================================
 --- head/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 19:30:35 2013	(r250054)
 +++ head/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:09:44 2013	(r250055)
 @@ -1574,6 +1574,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd
  			nd->nd_repstat = NFSERR_BAD_COOKIE;
  #endif
  	}
 +	if (!nd->nd_repstat && vp->v_type != VDIR)
 +		nd->nd_repstat = NFSERR_NOTDIR;
  	if (nd->nd_repstat == 0 && cnt == 0) {
  		if (nd->nd_flag & ND_NFSV2)
  			/* NFSv2 does not have NFSERR_TOOSMALL */
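
Review bot: the vnode type check sits after the block that can set NFSERR_BAD_COOKIE and is skipped whenever nd_repstat is already non-zero, so a READDIR on a non-directory that also trips the cookie check is answered with NFSERR_BAD_COOKIE rather than NFSERR_NOTDIR. The request is still rejected, but consider moving `vp->v_type != VDIR` ahead of the cookie handling so the vnode type is validated as early as possible. This hunk covers only nfsrvd_readdir; it is worth confirming in the same review that every other handler in this file that passes vp to a directory read carries the same guard.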
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 20:16:17 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 20:15:55 2013
 New Revision: 250060
 URL: http://svnweb.freebsd.org/changeset/base/250060
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Modified:
   stable/9/sys/fs/nfsserver/nfs_nfsdport.c
 
 Modified: stable/9/sys/fs/nfsserver/nfs_nfsdport.c
 ==============================================================================
 --- stable/9/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:15:47 2013	(r250059)
 +++ stable/9/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:15:55 2013	(r250060)
 @@ -1575,6 +1575,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd
  			nd->nd_repstat = NFSERR_BAD_COOKIE;
  #endif
  	}
 +	if (!nd->nd_repstat && vp->v_type != VDIR)
 +		nd->nd_repstat = NFSERR_NOTDIR;
  	if (nd->nd_repstat == 0 && cnt == 0) {
  		if (nd->nd_flag & ND_NFSV2)
  			/* NFSv2 does not have NFSERR_TOOSMALL */
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 20:16:07 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 20:15:47 2013
 New Revision: 250059
 URL: http://svnweb.freebsd.org/changeset/base/250059
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Modified:
   releng/8.3/sys/fs/nfsserver/nfs_nfsdport.c
 
 Modified: releng/8.3/sys/fs/nfsserver/nfs_nfsdport.c
 ==============================================================================
 --- releng/8.3/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:15:43 2013	(r250058)
 +++ releng/8.3/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:15:47 2013	(r250059)
 @@ -1568,6 +1568,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd
  			nd->nd_repstat = NFSERR_BAD_COOKIE;
  #endif
  	}
 +	if (!nd->nd_repstat && vp->v_type != VDIR)
 +		nd->nd_repstat = NFSERR_NOTDIR;
  	if (nd->nd_repstat == 0 && cnt == 0) {
  		if (nd->nd_flag & ND_NFSV2)
  			/* NFSv2 does not have NFSERR_TOOSMALL */
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 20:16:02 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 20:15:43 2013
 New Revision: 250058
 URL: http://svnweb.freebsd.org/changeset/base/250058
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Modified:
   stable/8/sys/fs/nfsserver/nfs_nfsdport.c
 
 Modified: stable/8/sys/fs/nfsserver/nfs_nfsdport.c
 ==============================================================================
 --- stable/8/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:14:11 2013	(r250057)
 +++ stable/8/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:15:43 2013	(r250058)
 @@ -1569,6 +1569,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd
  			nd->nd_repstat = NFSERR_BAD_COOKIE;
  #endif
  	}
 +	if (!nd->nd_repstat && vp->v_type != VDIR)
 +		nd->nd_repstat = NFSERR_NOTDIR;
  	if (nd->nd_repstat == 0 && cnt == 0) {
  		if (nd->nd_flag & ND_NFSV2)
  			/* NFSv2 does not have NFSERR_TOOSMALL */
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 20:16:34 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 20:16:00 2013
 New Revision: 250061
 URL: http://svnweb.freebsd.org/changeset/base/250061
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Modified:
   releng/9.1/sys/fs/nfsserver/nfs_nfsdport.c
 
 Modified: releng/9.1/sys/fs/nfsserver/nfs_nfsdport.c
 ==============================================================================
 --- releng/9.1/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:15:55 2013	(r250060)
 +++ releng/9.1/sys/fs/nfsserver/nfs_nfsdport.c	Mon Apr 29 20:16:00 2013	(r250061)
 @@ -1574,6 +1574,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd
  			nd->nd_repstat = NFSERR_BAD_COOKIE;
  #endif
  	}
 +	if (!nd->nd_repstat && vp->v_type != VDIR)
 +		nd->nd_repstat = NFSERR_NOTDIR;
  	if (nd->nd_repstat == 0 && cnt == 0) {
  		if (nd->nd_flag & ND_NFSV2)
  			/* NFSv2 does not have NFSERR_TOOSMALL */
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 20:54:12 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 20:53:58 2013
 New Revision: 41519
 URL: http://svnweb.freebsd.org/changeset/doc/41519
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Added:
   head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc   (contents, props changed)
   head/share/security/patches/SA-13:05/
   head/share/security/patches/SA-13:05/nfsserver.patch   (contents, props changed)
   head/share/security/patches/SA-13:05/nfsserver.patch.asc   (contents, props changed)
 Modified:
   head/share/xml/advisories.xml
 
 Added: head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc	Mon Apr 29 20:53:58 2013	(r41519)
 @@ -0,0 +1,139 @@
 +-----BEGIN PGP SIGNED MESSAGE-----
 +Hash: SHA1
 +
 +=============================================================================
 +FreeBSD-SA-13:05.nfsserver                                  Security Advisory
 +                                                          The FreeBSD Project
 +
 +Topic:          Insufficient input validation in the NFS server
 +
 +Category:       core
 +Module:         nfsserver
 +Announced:      2013-04-29
 +Credits:        Adam Nowacki
 +Affects:        All supported versions of FreeBSD.
 +Corrected:      2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
 +                2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
 +                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
 +                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
 +                2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
 +                2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
 +CVE Name:       CVE-2013-3266
 +
 +For general information regarding FreeBSD Security Advisories,
 +including descriptions of the fields above, security branches, and the
 +following sections, please visit <URL:http://security.FreeBSD.org/>.
 +
 +I.   Background
 +
 +The Network File System (NFS) allows a host to export some or all of its
 +file systems so that other hosts can access them over the network and mount
 +them as if they were on local disks.  FreeBSD includes server and client
 +implementations of NFS.
 +
 +FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
 +NFSv2 and NFSv3 implementation and a new implementation which also
 +supports NFSv4.
 +
 +FreeBSD 9.0 and onward uses the new NFS implementation by default.
 +
 +II.  Problem Description
 +
 +When processing READDIR requests, the NFS server does not check that
 +it is in fact operating on a directory node.  An attacker can use a
 +specially modified NFS client to submit a READDIR request on a file,
 +causing the underlying filesystem to interpret that file as a
 +directory.
 +
 +III. Impact
 +
 +The exact consequences of an attack depend on the amount of input
 +validation in the underlying filesystem:
 +
 + - If the file resides on a UFS filesystem on a little-endian server,
 +   an attacker can cause random heap corruption with completely
 +   unpredictable consequences.
 +
 + - If the file resides on a ZFS filesystem, an attacker can write
 +   arbitrary data on the stack.  It is believed, but has not been
 +   confirmed, that this can be exploited to run arbitrary code in
 +   kernel context.
 +
 +Other filesystems may also be vulnerable.
 +
 +IV.  Workaround
 +
 +Systems that do not provide NFS service are not vulnerable.  Neither
 +are systems that do but use the old NFS implementation, which is the
 +default in FreeBSD 8.x.
 +
 +To determine which implementation an NFS server is running, run the
 +following command:
 +
 +# kldstat -v | grep -cw nfsd
 +
 +This will print 1 if the system is running the new NFS implementation,
 +and 0 otherwise.
 +
 +V.   Solution
 +
 +Perform one of the following:
 +
 +1) Upgrade your vulnerable system to a supported FreeBSD stable or
 +release / security branch (releng) dated after the correction date.
 +
 +2) To update your vulnerable system via a source code patch:
 +
 +The following patches have been verified to apply to the applicable
 +FreeBSD release branches.
 +
 +a) Download the relevant patch from the location below, and verify the
 +detached PGP signature using your PGP utility.
 +
 +# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
 +# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
 +# gpg --verify nfsserver.patch.asc
 +
 +b) Apply the patch.
 +
 +# cd /usr/src
 +# patch < /path/to/patch
 +
 +c) Recompile your kernel as described in
 +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
 +system.
 +
 +3) To update your vulnerable system via a binary patch:
 +
 +Systems running a RELEASE version of FreeBSD on the i386 or amd64
 +platforms can be updated via the freebsd-update(8) utility:
 +
 +# freebsd-update fetch
 +# freebsd-update install
 +
 +VI.  Correction details
 +
 +The following list contains the revision numbers of each file that was
 +corrected in FreeBSD.
 +
 +Branch/path                                                      Revision
 +- -------------------------------------------------------------------------
 +stable/8/                                                         r250058
 +releng/8.3/                                                       r250059
 +releng/8.4/                                                       r250062
 +stable/9/                                                         r250060
 +releng/9.1/                                                       r250061
 +- -------------------------------------------------------------------------
 +
 +VII. References
 +
 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266
 +
 +The latest revision of this advisory is available at
 +http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc
 +-----BEGIN PGP SIGNATURE-----
 +
 +iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q
 +9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ
 +=polM
 +-----END PGP SIGNATURE-----
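
Review bot: the two fetch commands in section V, step 2a, point at `http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch` and its `.asc`, but this commit adds the patch under `head/share/security/patches/SA-13:05/`; the directory in both URLs should read SA-13:05, otherwise the documented download step does not retrieve this patch. Because the advisory text is clearsigned, correcting the URLs means re-signing the file and committing the new signature block with it.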
 
 Added: head/share/security/patches/SA-13:05/nfsserver.patch
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/share/security/patches/SA-13:05/nfsserver.patch	Mon Apr 29 20:53:58 2013	(r41519)
 @@ -0,0 +1,13 @@
 +Index: sys/fs/nfsserver/nfs_nfsdport.c
 +===================================================================
 +--- sys/fs/nfsserver/nfs_nfsdport.c	(revision 249651)
 ++++ sys/fs/nfsserver/nfs_nfsdport.c	(working copy)
 +@@ -1568,6 +1568,8 @@ nfsrvd_readdir(struct nfsrv_descript *nd, int isdg
 + 			nd->nd_repstat = NFSERR_BAD_COOKIE;
 + #endif
 + 	}
 ++	if (!nd->nd_repstat && vp->v_type != VDIR)
 ++		nd->nd_repstat = NFSERR_NOTDIR;
 + 	if (nd->nd_repstat == 0 && cnt == 0) {
 + 		if (nd->nd_flag & ND_NFSV2)
 + 			/* NFSv2 does not have NFSERR_TOOSMALL */
 
 Added: head/share/security/patches/SA-13:05/nfsserver.patch.asc
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/share/security/patches/SA-13:05/nfsserver.patch.asc	Mon Apr 29 20:53:58 2013	(r41519)
 @@ -0,0 +1,6 @@
 +-----BEGIN PGP SIGNATURE-----
 +
 +iEYEABECAAYFAlF+1+sACgkQFdaIBMps37J22ACeM6TTZjh94AhbnwqTaCfcMjnO
 +F74AnAiX1rUC1Zvo3XU42efklaBo6F1g
 +=yQwz
 +-----END PGP SIGNATURE-----
 
 Modified: head/share/xml/advisories.xml
 ==============================================================================
 --- head/share/xml/advisories.xml	Mon Apr 29 16:02:00 2013	(r41518)
 +++ head/share/xml/advisories.xml	Mon Apr 29 20:53:58 2013	(r41519)
 @@ -14,6 +14,14 @@
  	<name>2</name>
  
  	<advisory>
 +	  <name>FreeBSD-SA-13:05.bind</name>
 +	</advisory>
 +
 +	<advisory>
 +	  <name>FreeBSD-SA-13:04.bind</name>
 +	</advisory>
 +
 +	<advisory>
  	  <name>FreeBSD-SA-13:04.bind</name>
  	</advisory>
  
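
Review bot: the two added entries are `FreeBSD-SA-13:05.bind` and a second `FreeBSD-SA-13:04.bind`, the latter duplicating the existing entry kept as context directly below; neither names the advisory this commit adds, FreeBSD-SA-13:05.nfsserver.asc. Replace both additions with a single `<advisory>` element whose `<name>` is FreeBSD-SA-13:05.nfsserver.
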
 _______________________________________________
 svn-doc-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-doc-all
 To unsubscribe, send any mail to "svn-doc-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 21:10:57 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 21:10:49 2013
 New Revision: 250068
 URL: http://svnweb.freebsd.org/changeset/base/250068
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   (files missing from previous commit)
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Modified:
   stable/8/UPDATING
 
 Modified: stable/8/UPDATING
 ==============================================================================
 --- stable/8/UPDATING	Mon Apr 29 21:05:12 2013	(r250067)
 +++ stable/8/UPDATING	Mon Apr 29 21:10:49 2013	(r250068)
 @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
  	debugging tools present in HEAD were left in place because
  	sun4v support still needs work to become production ready.
  
 +20130429:
 +	Fix a bug that allows NFS clients to issue READDIR on files.
 +
  20130225:
  	A new compression method (lz4) has been merged.  Please refer to
  	zpool-features(7) for more information.
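
Review bot: the new 20130429 entry gives no advisory name, whereas the releng/8.3 and releng/9.1 UPDATING entries for the same fix are tagged FreeBSD-SA-13:05.nfsserver. Adding the advisory name (and CVE-2013-3266 from the commit log) to this entry would let administrators tracking stable/8 tie the change to the advisory.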
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 21:11:12 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 21:10:53 2013
 New Revision: 250069
 URL: http://svnweb.freebsd.org/changeset/base/250069
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   (files missing from previous commit)
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Modified:
   releng/8.3/UPDATING
   releng/8.3/sys/conf/newvers.sh
 
 Modified: releng/8.3/UPDATING
 ==============================================================================
 --- releng/8.3/UPDATING	Mon Apr 29 21:10:49 2013	(r250068)
 +++ releng/8.3/UPDATING	Mon Apr 29 21:10:53 2013	(r250069)
 @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
  	debugging tools present in HEAD were left in place because
  	sun4v support still needs work to become production ready.
  
 +20130429:	p8	FreeBSD-SA-13:05.nfsserver
 +	Fix a bug that allows NFS clients to issue READDIR on files.
 +
  20130402:	p7	FreeBSD-SA-13:03.openssl
  	Fix multiple vulnerabilities in OpenSSL.
  
 
 Modified: releng/8.3/sys/conf/newvers.sh
 ==============================================================================
 --- releng/8.3/sys/conf/newvers.sh	Mon Apr 29 21:10:49 2013	(r250068)
 +++ releng/8.3/sys/conf/newvers.sh	Mon Apr 29 21:10:53 2013	(r250069)
 @@ -32,7 +32,7 @@
  
  TYPE="FreeBSD"
  REVISION="8.3"
 -BRANCH="RELEASE-p7"
 +BRANCH="RELEASE-p8"
  if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
  	BRANCH=${BRANCH_OVERRIDE}
  fi
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 21:11:41 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 21:11:05 2013
 New Revision: 250071
 URL: http://svnweb.freebsd.org/changeset/base/250071
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   (files missing from previous commit)
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Modified:
   releng/9.1/UPDATING
   releng/9.1/sys/conf/newvers.sh
 
 Modified: releng/9.1/UPDATING
 ==============================================================================
 --- releng/9.1/UPDATING	Mon Apr 29 21:11:01 2013	(r250070)
 +++ releng/9.1/UPDATING	Mon Apr 29 21:11:05 2013	(r250071)
 @@ -9,6 +9,9 @@ handbook.
  Items affecting the ports and packages system can be found in
  /usr/ports/UPDATING.  Please read that file before running portupgrade.
  
 +20130429:	p3	FreeBSD-SA-13:05.nfsserver
 +	Fix a bug that allows NFS clients to issue READDIR on files.
 +
  20130402:	p2	FreeBSD-SA-13:03.openssl FreeBSD-SA-13:04.bind
  	Fix multiple vulnerabilities in OpenSSL.
  
 
 Modified: releng/9.1/sys/conf/newvers.sh
 ==============================================================================
 --- releng/9.1/sys/conf/newvers.sh	Mon Apr 29 21:11:01 2013	(r250070)
 +++ releng/9.1/sys/conf/newvers.sh	Mon Apr 29 21:11:05 2013	(r250071)
 @@ -32,7 +32,7 @@
  
  TYPE="FreeBSD"
  REVISION="9.1"
 -BRANCH="RELEASE-p2"
 +BRANCH="RELEASE-p3"
  if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
  	BRANCH=${BRANCH_OVERRIDE}
  fi
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 21:12:04 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 21:11:31 2013
 New Revision: 250073
 URL: http://svnweb.freebsd.org/changeset/base/250073
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   (files missing from previous commit)
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	re
 
 Modified:
   releng/8.4/UPDATING
 
 Modified: releng/8.4/UPDATING
 ==============================================================================
 --- releng/8.4/UPDATING	Mon Apr 29 21:11:21 2013	(r250072)
 +++ releng/8.4/UPDATING	Mon Apr 29 21:11:31 2013	(r250073)
 @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
  	debugging tools present in HEAD were left in place because
  	sun4v support still needs work to become production ready.
  
 +20130429:
 +	Fix a bug that allows NFS clients to issue READDIR on files.
 +
  20130225:
  	A new compression method (lz4) has been merged.  Please refer to
  	zpool-features(7) for more information.
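
Review bot: the 20130429 entry has no patch-level tag, and this commit modifies only UPDATING, not sys/conf/newvers.sh, although the advisory lists the corrected releng/8.4 builds as 8.4-RC1-p1 and 8.4-RC2-p1. If BRANCH is meant to change on this branch as it does in the releng/8.3 and releng/9.1 commits, the bump is missing here; if it is not, the entry should at least carry the advisory name so that patched systems can be identified.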
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/178016: commit references a PR
Date: Mon, 29 Apr 2013 21:11:33 +0000 (UTC)

 Author: des
 Date: Mon Apr 29 21:11:01 2013
 New Revision: 250070
 URL: http://svnweb.freebsd.org/changeset/base/250070
 
 Log:
   Fix a bug that allows NFS clients to issue READDIR on files.
   
   (files missing from previous commit)
   
   PR:		kern/178016
   Security:	CVE-2013-3266
   Security:	FreeBSD-SA-13:05.nfsserver
   Approved by:	so
 
 Modified:
   stable/9/UPDATING
 
 Modified: stable/9/UPDATING
 ==============================================================================
 --- stable/9/UPDATING	Mon Apr 29 21:10:53 2013	(r250069)
 +++ stable/9/UPDATING	Mon Apr 29 21:11:01 2013	(r250070)
 @@ -11,6 +11,9 @@ handbook:
  Items affecting the ports and packages system can be found in
  /usr/ports/UPDATING.  Please read that file before running portupgrade.
  
 +20130429:
 +	Fix a bug that allows NFS clients to issue READDIR on files.
 +
  20130315:
  	The install(1) option -M has changed meaning and now takes an
  	argument that is a file or path to append logs to.  In the
 
State-Changed-From-To: open->closed 
State-Changed-By: gavin 
State-Changed-When: Mon May 6 12:33:57 UTC 2013 
State-Changed-Why:  
This PR can be closed; it has been released as security advisory 
FreeBSD-SA-13:05.nfsserver (CVE-2013-3266).

>Unformatted:
