OpenBSD 2.4 Errata

Patches for the OpenBSD base system are distributed as unified diffs. Each patch contains usage instructions. All the following patches are also available in one tar.gz file for convenience.

Patches for supported releases are also incorporated into the -stable branch.

• 001: RELIABILITY FIX   All architectures
  A local user can crash the system by reading a file larger than 64meg from an ext2fs partition.
  A source code patch exists which remedies this problem.

• 002: RELIABILITY FIX   All architectures
  A local user can crash the system because of a bug in the vfs layer.
  A source code patch exists which remedies this problem.

• 003: SECURITY FIX   All architectures
  A machine crash is possible when playing with poll(2).
  A source code patch exists which remedies this problem.

• 004: SECURITY FIX   All architectures
  A machine crash is possible when playing with link(2) on FFS.
  A source code patch exists which remedies this problem. This is version four of the patch.

• 005: SECURITY FIX   All architectures
  A buffer overflow existed in ping(8), which may have a security issue.
  A source code patch exists which remedies this problem.

• 006: SECURITY FIX   All architectures
  A race condition in IP ipq handling could permit a remote crash.
  A source code patch exists which remedies this problem.
  It must be installed after the maxqueue patch. and the tcp decoding patch.

• 007: SECURITY FIX   All architectures
  A race condition existed between accept(2) and select(2) which could permit an attacker to hang sockets from remote.
  A source code patch exists which remedies this problem.

• 008: SECURITY FIX   All architectures
  IP fragment assembly can bog the machine excessively and cause problems.
  A source code patch exists which remedies this problem.

• 009: FUNCTIONALITY FIX   All architectures
  The readv(2) and writev(2) system calls would not accept a struct iovec with an iov_len of 0. This causes a db test in perl to fail.
  A source code patch exists which remedies this problem.

• 010: SECURITY FIX   All architectures
  TCP/IP RST handling was too sloppy.
  A source code patch exists which remedies this problem.

• 011: FUNCTIONALITY FIX   All architectures
  During bootup, kvm_mkdb may exit with the error "kvm_mkdb: cannot allocate memory".
  A source code patch exists which remedies this problem.

• 012: FUNCTIONALITY FIX   All architectures
  A problem with writing to NFS version 3 mounted filesystems from Solaris 7 hosts exists. Attempts to create files will result in an error such as "Inappropriate file type or format".
  A source code patch exists which remedies this problem.

• 013: FUNCTIONALITY FIX   All architectures
  A problem with NFS version 3 mounts on big endian machines (m68k, sparc and powerpc) exists when mounting filesystems larger than 2gig. You can see evidence of the bug by running df(1) and checking for negative partition sizes.
  A source code patch exists which remedies this problem.

• 014: SECURITY FIX   All architectures
  A security problem exists in the curses and ocurses libraries that affect setuid programs linked with -lcurses or -locurses.
  A source code patch exists which remedies this problem.
  Precompiled versions of libcurses and libocurses exist for the
  i386 platform. Unpack it in /usr/lib.

• 015: FUNCTIONALITY FIX   All architectures
  A workaround for an xterm problem that causes vi to not restore the correct cursor position on exit.
  A source code patch exists which remedies this problem.
  Alternately, you can also download a pre-compiled terminfo file to be installed as /usr/share/misc/terminfo.db. For i386, alpha and mips, use the little endian version. For sparc, m68k and powerpc, use the big endian version.

• 016: FUNCTIONALITY FIX   All architectures
  userdir support was accidentally left out of httpd(8).
  A source code patch exists which remedies this problem.

• 017: SECURITY FIX   All architectures
  A remotely exploitable problem exists in bootpd(8). bootpd is disabled by default, but some people may actually be using it.
  A source code patch exists which remedies this problem. This is the second version of the patch.

• 018: SECURITY FIX   All architectures
  A remote machine lockup problem exists in the TCP decoding code.
  A source code patch exists which remedies this problem.

• 019: SECURITY FIX
  This is another fix for a kernel crash caused by the crashme program.
  A source code patch exists which remedies this problem.

• 020: FUNCTIONALITY FIX
  The kernel was using a fixed and hard-coded location for the arguments vector passed from the /boot loader. This prevented /boot from placing the boot arguments vector at any other location, causing a kernel crash early in the autoconfiguration stage. In 2.5, the bootblocks will be modified to use a new location. Hence, if you wish old kernels to boot on a new bootblock, those kernels will only work if they were linked with this patch.
  A source code patch exists which remedies this problem.

• 021: SECURITY FIX
  i386 trace-trap handling when DDB was configured could cause a system crash.
  A source code patch exists which remedies this problem.

• 022: FUNCTIONALITY FIX
  i386 installboot had a sign extension bug which prevented proper bootblock initialization when the root filesystem was placed beyond 4GB.
  A source code patch exists which remedies this problem. Unfortunately, updated 2.4 install floppies are not available. Just ensure that your root filesystem is below 4GB, for now.

• 023: DRIVER FIX
  The sparc hme(4) and be(4) drivers work poorly on some types of SS-20 machines. This is because those machines lie, saying they support 64-bit DMA bursting. No sun4m machines support that.
  A source code patch exists which remedies this problem.

• 024: DRIVER FIX
  The sparc le(4) driver does media changes incorrectly on one type of sbus le(4) card.
  A source code patch exists which remedies this problem.

• 025: FUNCTIONALITY FIX
  The Xhp as shipped does not have the execute permissions set. The fix is 'chmod 755 /usr/X11R6/bin/Xhp' if you have installed X.