From 9a8de5a716e799811388cb4abc3f98e5450d6798 Mon Sep 17 00:00:00 2001
From: delphij <delphij@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Fri, 26 Jul 2013 22:40:23 +0000
Subject: [PATCH] Fix Denial of Service vulnerability in named(8). [13:07]

Fix a bug that allows remote client bypass the normal
access checks when when -network or -host restrictions
are used at the same time with -mapall. [13:08]

Security:	CVE-2013-4854
Security:	FreeBSD-SA-13:07.bind
Security:	CVE-2013-4851
Security:	FreeBSD-SA-13:08.nfsserver
Approved by:	so


git-svn-id: svn://svn.freebsd.org/base/releng/9.1@253693 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING                                            | 7 +++++++
 contrib/bind9/lib/dns/rdata/generic/keydata_65533.c | 2 +-
 sys/conf/newvers.sh                                 | 2 +-
 sys/kern/vfs_export.c                               | 2 +-
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/UPDATING b/UPDATING
index 7c45e16b..b7bdd234 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,13 @@ handbook.
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20130726:	p5	FreeBSD-SA-13:07.bind FreeBSD-SA-13:08.nfsserver
+	Fix Denial of Service vulnerability in named(8). [13:07]
+
+	Fix a bug that allows remote client bypass the normal
+	access checks when when -network or -host restrictions are
+	used at the same time with -mapall. [13:08]
+
 20130618:	p4	FreeBSD-SA-13:06.mmap
         Fix a bug that allowed a tracing process (e.g. gdb) to write
         to a memory-mapped file in the traced process's address space
diff --git a/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c b/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
index 2592c30f..317e1a87 100644
--- a/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
+++ b/contrib/bind9/lib/dns/rdata/generic/keydata_65533.c
@@ -176,7 +176,7 @@ fromwire_keydata(ARGS_FROMWIRE) {
 	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sr);
-	if (sr.length < 4)
+	if (sr.length < 16)
 		return (ISC_R_UNEXPECTEDEND);
 
 	isc_buffer_forward(source, sr.length);
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index fa1f0998..350524ae 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.1"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/kern/vfs_export.c b/sys/kern/vfs_export.c
index 4185211e..114c23ed 100644
--- a/sys/kern/vfs_export.c
+++ b/sys/kern/vfs_export.c
@@ -208,7 +208,7 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep,
 	np->netc_anon = crget();
 	np->netc_anon->cr_uid = argp->ex_anon.cr_uid;
 	crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups,
-	    np->netc_anon->cr_groups);
+	    argp->ex_anon.cr_groups);
 	np->netc_anon->cr_prison = &prison0;
 	prison_hold(np->netc_anon->cr_prison);
 	np->netc_numsecflavors = argp->ex_numsecflavors;
-- 
2.42.0