-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-14:13.freebsd-update Errata Notice
The FreeBSD Project
Topic: freebsd-update attempts to remove the root directory
Category: base
Module: freebsd-update
Announced: 2014-12-23
Credits: Colin Percival
Affects: All supported versions of FreeBSD.
Corrected: 2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
2014-12-22 22:11:39 UTC (stable/10, 10.0-STABLE)
2014-12-22 22:11:50 UTC (stable/9, 9.3-STABLE)
2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
2014-12-22 22:11:45 UTC (stable/8, 8.4-STABLE)
2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.freebsd.org/>.
I. Background
The freebsd-update(8) utility is used to apply binary patches to FreeBSD
systems installed from official release images, as an alternative to
rebuilding from source. A freebsd-update(8) build server generates the
signed update packages, consisting of an index of files and directories
with checksums before the update, a set of binary patches, and an
index of files and directories with checksums after the update. The
client downloades the indexes, verifies the signatures and checksums,
then downloads and applies the required patches.
The freebsd-update(8) utility views the system as a set of components:
"world", "kernel" and "src". The "world" component is divided into
four subcomponents: "base", "doc", "lib32" and "games". These
components and subcomponents correspond to six of the seven system
components offered during installation (the seventh being ports, which
is handled by the portsnap utility).
II. Problem Description
1) The default configuration for freebsd-update(8) has all six
components enabled. Components which are not installed should be
disabled in the configuration file. Failing to do so is normally
harmless, as the freebsd-update(8) client will ignore instructions
to patch files that do not exist on the system. However, if an
update adds a file, it will be installed even if it belongs to
a component which was not previously installed.
Due to human error, the world/lib32 component, containing 32-bit
compatibility libraries for 64-bit systems, was left out of the
freebsd-update(8) server's baseline for FreeBSD 10.1-RELEASE. As a
result, the freebsd-update(8) client removed these libraries when
upgrading a system from an earlier release. The 32-bit libraries
were re-added as part of the first set of updates released after
the mistake was discovered.
2) Under certain circumstances, it is possible for the freebsd-update(8)
build server to generate an update package requiring the client to
both remove and create the same directory. The client will normally
detect this situation and ignore the conflicting instructions.
Due to insufficient input normalization, if the directory being
both removed and created is the root directory, the freebsd-update(8)
client will fail to recognize that both instructions refer to the
same directory. It will then attempt and fail to 'rmdir /',
producing an error message.
III. Impact
The first issue will cause freebsd-update(8) to install 32-bit libraries
on 10.1 systems where they were intentionally left out during installation
but /etc/freebsd-update.conf was not edited to reflect this.
The second issue, which is triggered by the addition of lib32, will
result in a harmless but disconcerting error message when installing
updates.
IV. Workaround
The first issue is strictly speaking a configuration error. To
address it, update /etc/freebsd-update.conf to reflect the set of
components that are installed on the system. Specifically, replace
"world" on the Components line with "world/base", and add "world/doc"
and / or "world/games" if those those components were selected during
installation.
The second issue is harmless and can safely be ignored. A workaround
has been put in place on the freebsd-update(8) build server so the error
will not occur while installing the update that corrects it.
Systems which are updated from source rather than using freebsd-update(8)
are not affected.
V. Solution
Perform one of the following:
1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
2) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your present system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-14:13/freebsd-update.patch
# fetch https://security.FreeBSD.org/patches/EN-14:13/freebsd-update.patch.asc
# gpg --verify freebsd-update.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/freebsd-update.patch
c) Rebuild and reinstall the freebsd-update(8) client:
# cd /usr/src/usr.sbin/freebsd-update
# make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r276089
releng/8.4/ r276154
stable/9/ r276090
releng/9.1/ r276155
releng/9.2/ r276156
releng/9.3/ r276157
stable/10/ r276088
releng/10.0/ r276158
releng/10.1/ r276159
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this Errata Notice is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-14:13.freebsd-update.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJUmfVpAAoJEO1n7NZdz2rnbgkP/1XSnED0ly1kjGuK5g+148YW
gHsB0oiJ3E3qGMHl0Z3E8HSl3XA4f+rMkEM6Ez/cADlzLbWsQFo0HXaT/bEandq4
OmmJF5cvWzOpk4Zc9svae5zfoCWqpMCderHoUyfF+GIjxOwES5Ga7Fj8kxiGuSlg
WPWNoSJJnBcDLabNH4XiFo6S3OP21oJS1D9U0jlcIzknf5t+TDXwj4xM+fr1lqh2
sRmkqSkRFNQga7RN323gocX9u7wP/ePsKiAPUFLAj/gYYJVTOtfz2gwgHNg9tC2O
7T1VkbpTNvnbqz3J/bUza2jExyUuFsZpS1uFrbY0eKXRQpKSyMMUYV1sPz9g6fTV
At1kYsnsOdXkSV47zMdXTVbunO/EGsM0JSwHBIFaLfXbq1edT/SNgh/QN6s4Zehz
ZD3YUIjD062wVJW+ZRjIgTpPo9tG1vA70hmG5DKbjawF3dVg0W3ypgGRJYkjJmh2
zwSyz6V5XwtP/f5A8tw0uo6KqbO8GPDL/c2dOww79Up/9jCiqep5uNdMhnsL3w17
DRhuIluQlGMIkU7uizZWGqETW3Ok8/CVAznphJEvgXWknbr/trbAmyACdXdFwKkD
Q+oH9U+H+qA5evbC4jGpwCWN2vYZnN+gqImv/ArYxhAOt+zWQqRedFaUZdJmbzwV
fGqk6qlqwPs2F8V/VGg0
=CMmV
-----END PGP SIGNATURE-----