From ecacd62ef039c625fe5684f0ed091da9fa03ef77 Mon Sep 17 00:00:00 2001
From: delphij <delphij@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Mon, 25 Jul 2016 15:04:17 +0000
Subject: [PATCH] Fix bspatch heap overflow vulnerability. [SA-16:25]

Fix freebsd-update(8) support of FreeBSD 11.0 release
distribution. [EN-16:09]

Approved by:	so


git-svn-id: svn://svn.freebsd.org/base/releng/10.3@303304 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING                                  | 8 ++++++++
 sys/conf/newvers.sh                       | 2 +-
 usr.bin/bsdiff/bspatch/bspatch.c          | 4 ++++
 usr.sbin/freebsd-update/freebsd-update.sh | 2 +-
 4 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/UPDATING b/UPDATING
index 3febf9f79..a033fd013 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,14 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160725	p6	FreeBSD-SA-16:25.bspatch
+			FreeBSD-EN-16:09.freebsd-update
+
+	Fix bspatch heap overflow vulnerability. [SA-16:25]
+
+	Fix freebsd-update(8) support of FreeBSD 11.0 release
+	distribution. [EN-16:09]
+
 20160604	p5	FreeBSD-SA-16:24.ntp
 
 	Fix multiple vulnerabilities of ntp.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index b0022a6d0..ed9a2faf3 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.3"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/usr.bin/bsdiff/bspatch/bspatch.c b/usr.bin/bsdiff/bspatch/bspatch.c
index d2af3ca86..92bc75b63 100644
--- a/usr.bin/bsdiff/bspatch/bspatch.c
+++ b/usr.bin/bsdiff/bspatch/bspatch.c
@@ -154,6 +154,10 @@ int main(int argc,char * argv[])
 			ctrl[i]=offtin(buf);
 		};
 
+		/* Sanity-check */
+		if ((ctrl[0] < 0) || (ctrl[1] < 0))
+			errx(1,"Corrupt patch\n");
+
 		/* Sanity-check */
 		if(newpos+ctrl[0]>newsize)
 			errx(1,"Corrupt patch\n");
diff --git a/usr.sbin/freebsd-update/freebsd-update.sh b/usr.sbin/freebsd-update/freebsd-update.sh
index 9fcc01214..cac709198 100644
--- a/usr.sbin/freebsd-update/freebsd-update.sh
+++ b/usr.sbin/freebsd-update/freebsd-update.sh
@@ -1250,7 +1250,7 @@ fetch_metadata_sanity () {
 
 	# Check that the first four fields make sense.
 	if gunzip -c < files/$1.gz |
-	    grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then
+	    grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then
 		fetch_metadata_bogus ""
 		return 1
 	fi
-- 
2.42.0