From 1ee8c62763a37ee400876ab0ab091d8e1fbc8bcc Mon Sep 17 00:00:00 2001
From: delphij
Date: Mon, 25 Jul 2016 15:04:17 +0000
Subject: [PATCH] Fix bspatch heap overflow vulnerability. [SA-16:25]
Fix freebsd-update(8) support of FreeBSD 11.0 release distribution. [EN-16:09]
Approved by: so
git-svn-id: svn://svn.freebsd.org/base/releng/9.3@303304 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING | 8 ++++++++
 sys/conf/newvers.sh | 2 +-
 usr.bin/bsdiff/bspatch/bspatch.c | 4 ++++
 usr.sbin/freebsd-update/freebsd-update.sh | 2 +-
 4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/UPDATING b/UPDATING
index 25e7b10ab..218a9cb1a 100644
--- a/UPDATING
+++ b/UPDATING
@@ -11,6 +11,14 @@ handbook:
 Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade.
+20160725 p45 FreeBSD-SA-16:25.bspatch
+ FreeBSD-EN-16:09.freebsd-update
+
+ Fix bspatch heap overflow vulnerability. [SA-16:25]
+
+ Fix freebsd-update(8) support of FreeBSD 11.0 release
+ distribution. [EN-16:09]
+
 20160604 p44 FreeBSD-SA-16:24.ntp
 Fix multiple vulnerabilities of ntp.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index ce264ab68..6010d089a 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p44"
+BRANCH="RELEASE-p45"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/usr.bin/bsdiff/bspatch/bspatch.c b/usr.bin/bsdiff/bspatch/bspatch.c
index d2af3ca86..92bc75b63 100644
--- a/usr.bin/bsdiff/bspatch/bspatch.c
+++ b/usr.bin/bsdiff/bspatch/bspatch.c
@@ -154,6 +154,10 @@ int main(int argc,char * argv[])
 ctrl[i]=offtin(buf);
 };
+ /* Sanity-check */
+ if ((ctrl[0] < 0) || (ctrl[1] < 0))
+ errx(1,"Corrupt patch\n");
+
 /* Sanity-check */
 if(newpos+ctrl[0]>newsize)
 errx(1,"Corrupt patch\n");
diff --git a/usr.sbin/freebsd-update/freebsd-update.sh b/usr.sbin/freebsd-update/freebsd-update.sh
index bacdfa720..46004d465 100644
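Review bot: In the bspatch.c hunk, the unchanged bound check that follows the new guard, `if(newpos+ctrl[0]>newsize)`, still adds before it compares, so the added `ctrl[0] < 0` / `ctrl[1] < 0` test closes the negative-length case but leaves the sum itself unguarded. If these are signed file offsets (the declarations are outside the hunk), a very large positive control value read from the patch file could overflow the addition, which is undefined behaviour and may let the comparison pass. Now that the values are known to be non-negative, and assuming newpos never exceeds newsize at this point, comparing by subtraction avoids the overflow: `if (ctrl[0] > newsize - newpos)`, and likewise for any later `newpos+ctrl[1]` check outside this hunk. The new comment would also say more as `/* Lengths read from the patch must not be negative */` than a second bare `/* Sanity-check */`. main()'s body starts and ends outside the hunk.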
--- a/usr.sbin/freebsd-update/freebsd-update.sh
+++ b/usr.sbin/freebsd-update/freebsd-update.sh
@@ -1229,7 +1229,7 @@ fetch_metadata_sanity () {
 # Check that the first four fields make sense.
 if gunzip -c < files/$1.gz |
- grep -qvE "^[a-z]+\|[0-9a-z]+\|${P}+\|[fdL-]\|"; then
+ grep -qvE "^[a-z]+\|[0-9a-z-]+\|${P}+\|[fdL-]\|"; then
 fetch_metadata_bogus ""
 return 1
 fi
--
2.42.0
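Review bot: The comment above the changed `grep -qvE` line still says only that the first four fields "make sense", so nothing records why `-` is now accepted in the second field. A short comment such as `# Field 2 may contain '-' (needed for FreeBSD 11.0 distribution names, EN-16:09)` would keep a later tightening of this check from reintroducing the failure. Because this pattern validates fetched metadata, it may also be worth requiring an alphanumeric first character, `[0-9a-z][0-9a-z-]*`, if no valid name starts with `-`; how the field is consumed is not visible here, so that needs confirming. fetch_metadata_sanity continues outside the hunk.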