# $NetBSD: CHANGES-6.0.4,v 1.1.2.18 2014/01/17 18:19:15 bouyer Exp $ A complete list of changes from the NetBSD 6.0.3 release to the NetBSD 6.0.4 release: doc/README.files patched by hand gnu/usr.bin/groff/tmac/mdoc.local patched by hand sys/sys/param.h patched by hand Welcome to 6.0.3_PATCH. [jdc] xsrc/external/mit/xorg-server/dist/dix/dixfonts.c 1.2 xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c 1.4 Fix CVE-2013-4396 using a patch from Alan Coopersmith: Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c. [spz, ticket #966] sys/arch/x86/pci/pci_machdep.c 1.61 via patch Force PCI mode 1 when running under QEMU, to work around QEMU bug 897771. This should also make it possible to boot NetBSD under versions of KVM that have inherited said QEMU bug. Fixes PR kern/45671. [gson, ticket #963] sys/netinet/tcp_usrreq.c 1.168 PR/48098: Brian Marcotte: Avoid kernel assertion for embryonic sockets that don't have credentials yet. [spz, ticket #967] external/mit/xorg/server/drivers/xf86-video-intel/Makefile 1.11 Add missing i810_dri.c file to SRCS. PR xsrc/48315. [martin, ticket #971] distrib/utils/sysinst/mbr.c 1.92 Add missing braces, which caused the offset of MBR partition 0 to be unintentionally set to 2048 even on small (<=128GB) disks. PR/48304. [tsutsui, ticket #972] sys/arch/xen/xen/xbdback_xenbus.c 1.58 Fix a dom0 panic, or crash with a hypervisor panic, when creating some domUs (domUs where the frontend driver doesn't provide a "protocol" entry in the xenstore). [bouyer, ticket #974] libexec/ld.elf_so/tls.c 1.9 tests/lib/libc/tls/dso/h_tls_dlopen.c 1.5 Only initialise TLS space from the PT_TLS segment, if the size is positive and the offset has been computed. Fixes PR lib/48324. [joerg, ticket #976] usr.sbin/npf/npfctl/npf_ncgen.c patch sys/net/npf/npf_instr.c patch fix the byteorder for port range comparison [rmind, ticket #986] sys/kern/uipc_socket.c 1.220 PR/48098: Brian Marcotte: panic: kernel diagnostic assertion "cred != NULL": Fix from Michael van Elst, tcpdrop crashes kernel on ebryonic connections. [spz, ticket #988] sys/uvm/uvm_km.c 1.125 uvm_km_kmem_alloc: don't hardcode kmem_va_arena. This could lead to freeing to the wrong vmem arena in case of failed page allocations. [para, ticket #989] sys/arch/sparc64/sparc64/locore.s 1.350 Increase an interrupt depth only in the case of hardware interrupts, and remove the ci_idepth trick in softint_fastintr. Fixes the following diagnostic panic reported in port-sparc64. panic: kernel diagnostic assertion "!cpu_intr_p()" failed: file "../../../../kern/subr_xcall.c", line 351 [nakayama, ticket #994] sys/kern/uipc_syscalls.c 1.163 PR/47591: Michael Plass: If the unix socket is closed before accept, unp->unp_conn will be NULL in PRU_ACCEPT, as called from sys_accept->so_accept. This will cause the usrreq to return with no error, leaving the mbuf gotten from m_get() with an uninitialized length, containing junk from a previous call. Initialize m_len to be 0 to handle this case. [spz, ticket #996] sys/netinet6/nd6.c 1.146 usr.sbin/ndp/ndp.c 1.42 Instead of voodo casts use simple byte pointer arithmetic and memcpy to create the "packed" binary format we pass out to userland when querying the router/prefix list. Simplify code to print the router/prefix list: use memcpy and local structs properly aligned on the stack to decode the binary format passed by the kernel - instead of (bogusly) assuming the format will obey all local alignement requirements. [martin, ticket #998] sys/compat/common/compat_util.c 1.45 Free pathbuf in an error path. [martin, ticket #999] sbin/fsck_ffs/inode.c 1.70 Fix cut-and-paste error in the non-ufs2 case which can cause fsck_ffs to exit with an internal error. [bouyer, ticket #991] sys/arch/xen/xen/evtchn.c 1.70 Remove the "evtchn_do_event: handler %p didn't lower ipl %d %d\n" printf as analysis shows it actually isn't a bug in the handler, but related to spin mutexes. Fixes port-xen/46313. [bouyer, ticket #995] distrib/ews4800mips/Makefile 1.3 Add "cdroms" to the SUBDIR list for src/distrib/ews4800mips. Should prevent the iso image from being created in the source tree [apb, ticket #1009] etc/ntp.conf 1.16, 1.17, 1.18 via patch external/bsd/ntp/dist/ntpd/ntp_request.c patch Patch from ntp 4.2.7p404 to prevent an amplifier and DoS attack. Add several "restrict" lines to the default ntp.conf and improve comments [spz, ticket #1010] xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c patch xsrc/xfree/xc/lib/font/bitmap/bdfread.c patch Fix CVE-2013-6462: scanf without field width limits can crash with huge input data. [wiz, ticket #1011] external/gpl3/gcc/dist/gcc/config/sparc/constraints.md 1.2 external/gpl3/gcc/dist/gcc/config/sparc/predicates.md 1.2 external/gpl3/gcc/dist/gcc/config/sparc/sync.md 1.2 Port from newer gcc, fixes compile errors (invalid asm generated by gcc). This fixes the build of gtk+-3.10.6 from pkgsrc on sparc64. [martin, ticket #1006] sys/arch/evbsh3/t_sh7706lan/ssumci.c 1.3 fix CS bit, fixing card detection. [nonaka, ticket #1007] external/bsd/bind/dist/bin/named/query.c 1.13 via patch a fix by ISC for CVE-2014-0591: 3693. [security] memcpy was incorrectly called with overlapping ranges resulting in malformed names being generated on some platforms. This could cause INSIST failures when serving NSEC3 signed zones. [RT #35120] [spz, ticket #1016] distrib/notes/common/main patched by hand doc/LAST_MINUTE patched by hand doc/README.files patched by hand sys/sys/param.h patched by hand Welcome to 6.0.4! [bouyer]