Build date: 1781042403 - Tue Jun 9 22:00:03 UTC 2026 Build cvs date: 1781041608 - Tue Jun 9 21:46:48 UTC 2026 Build id: 2026-06-10.1 Build tags: amd64-regress ports sysupgrade Applied the following diff(s): /home/anton/tmp/robsd/src-sys-em.diff /home/anton/tmp/robsd/src-sys-uhidev-sispm.diff /home/anton/tmp/robsd/src-sysupgrade.diff P gnu/llvm/clang/lib/Driver/ToolChains/Arch/RISCV.cpp P gnu/usr.bin/perl/regcomp_study.c P gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm P gnu/usr.bin/perl/cpan/Archive-Tar/t/04_resolved_issues.t P gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm P gnu/usr.bin/perl/cpan/IO-Compress/bin/zipdetails P gnu/usr.bin/perl/cpan/IO-Compress/lib/File/GlobMapper.pm P gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm P gnu/usr.bin/perl/cpan/IO-Compress/t/globmapper.t P lib/libcrypto/asn1/a_mbstr.c P lib/libcrypto/cms/cms_pwri.c P lib/libcrypto/ec/ec_lib.c P lib/libcrypto/ecdh/ecdh.c P lib/libcrypto/pkcs7/pk7_smime.c P lib/libutil/fmt_scaled.c P regress/lib/libssl/unit/ssl_kex.c P regress/lib/libutil/fmt_scaled/fmt_test.c P sys/arch/powerpc64/conf/RAMDISK P sys/dev/pci/if_mwx.c P sys/dev/pci/if_mwxreg.h P sys/dev/pci/drm/i915/i915_driver.c M sys/dev/usb/uhidev.c P sys/nfs/nfs_serv.c P sys/nfs/nfs_socket.c P sys/nfs/nfs_srvsubs.c P sys/nfs/nfs_subs.c P sys/nfs/nfs_var.h P sys/nfs/nfs_vfsops.c P sys/nfs/nfs_vnops.c P sys/nfs/nfsm_subs.h P usr.bin/tmux/cmd-display-panes.c P usr.bin/tmux/cmd-kill-pane.c P usr.bin/tmux/cmd-kill-session.c P usr.bin/tmux/cmd-kill-window.c P usr.bin/tmux/cmd-server-access.c P usr.bin/tmux/cmd-split-window.c P usr.bin/tmux/menu.c P usr.bin/tmux/popup.c P usr.bin/tmux/screen-redraw.c P usr.bin/tmux/screen-write.c P usr.bin/tmux/server-client.c P usr.bin/tmux/server.c P usr.bin/tmux/tmux.1 P usr.bin/tmux/tmux.h P usr.bin/tmux/tty-draw.c P usr.bin/tmux/tty.c P usr.bin/tmux/utf8-combined.c P usr.bin/tmux/window-copy.c P usr.bin/tmux/window.c M usr.sbin/bgpd/session.c P usr.sbin/lpr/lpd/printjob.c commit 9JX6P56p3V7wbeTD Author: millert Date: 2026/06/09 21:46:48 lpd: require data file path name to be in the spool dir When processing the control file, any file to be printed must be located in the spool directory (e.g. dfA000foobar) either as a regular file or a symbolic link to another file to be printed. This matches the handling of the 'U' (unlink) directive. OK deraadt@ usr.sbin/lpr/lpd/printjob.c commit yEMTnmANAFnOsYpi Author: nicm Date: 2026/06/09 21:31:16 Preserve the original text in the first line for display-panes. usr.bin/tmux/cmd-display-panes.c commit 8RSgeJrzjjsvN2We Author: claudio Date: 2026/06/09 21:27:25 Inline mwx_mcu_init() into mwx_init_hardware() and add mt7925_mcu_set_eeprom() which must be called during hardware init. Tested on 7921 and 7925 (which now fails in mt7921_mac_init). sys/dev/pci/if_mwx.c sys/dev/pci/if_mwxreg.h commit 7FuAeUj09NwDCcxX Author: nicm Date: 2026/06/09 21:22:22 Add a context for cell/palette/hyperlinks when drawing to tty to avoid passing so much in parameters. usr.bin/tmux/cmd-display-panes.c usr.bin/tmux/cmd-kill-pane.c usr.bin/tmux/menu.c usr.bin/tmux/popup.c usr.bin/tmux/screen-redraw.c usr.bin/tmux/screen-write.c usr.bin/tmux/tmux.h usr.bin/tmux/tty-draw.c usr.bin/tmux/tty.c usr.bin/tmux/window-copy.c commit ZGaljMpCVeu2H3yu Author: claudio Date: 2026/06/09 21:19:41 Add various checks in mwx_load_firmware() to ensure that the buffer passed to mwx_mcu_send_firmware() does not move beyond the firmware image. For regions flagged with FW_FEATURE_NON_DL don't forget to increase the offset. sys/dev/pci/if_mwx.c commit dKzvk85HUlwHNAgI Author: claudio Date: 2026/06/09 21:07:15 Kill MWX_IS_CONNAC2 macro and just use sc->sc_hwtype != MWX_HW_MT7925 like everywhere else. Right now only MT7925 is different from MT7920/21/22 so just use one common way to do these checks. sys/dev/pci/if_mwx.c commit oOpuymlZnnWU6PQj Author: kirill Date: 2026/06/09 15:18:26 sys/powerpc64: add em* to RAMDISK OK: deraadt@ sys/arch/powerpc64/conf/RAMDISK commit djS32rMXLvOt4BDU Author: nicm Date: 2026/06/09 12:58:40 Use name as marker for failure not type (which must be set to be in the error). usr.bin/tmux/cmd-server-access.c commit KXN5BP1ajxov1mbg Author: nicm Date: 2026/06/09 12:57:40 Add missing headers. usr.bin/tmux/cmd-kill-session.c usr.bin/tmux/cmd-kill-window.c commit q0s97ObfpFd01dII Author: nicm Date: 2026/06/09 12:51:57 Clarify -a for kill-window, kill-session. usr.bin/tmux/tmux.1 commit co5IIvieK5fgGtER Author: tb Date: 2026/06/09 12:34:08 Avoid freeing a caller-owned buffer in PKCS7_verify() If a PKCS#7 S/MIME message comes with an empty set of digestAlgorithms in the SignedData, PKCS7_verify() would incorrectly free a caller-owned buffer. Fix the freeing logic to avoid this situation. From Igor Ustinov via OpenSSL lib/libcrypto/pkcs7/pk7_smime.c commit iupIsBNyrgLP2eAJ Author: tb Date: 2026/06/09 12:29:47 Add some missing bounds checks to ASN1_mbstring_copy() If the in string is unreasonably long, assigning strlen(in) to an int may overflow, so exclude this situation. Moreover, the code would unconditionally multiply nchar by 2 or 4, which could again overflow an int. Check for this situation and error out to avoid an out of bounds write. More may be needed in here, which will be revisited later. Based on a diff by Viktor Dukhovni via OpenSSL. lib/libcrypto/asn1/a_mbstr.c commit MGTcaxS8uo3rhiAD Author: nicm Date: 2026/06/09 12:24:59 Add -f for filter with -a to kill-pane, kill-window, kill-session. GitHub issue 4782. usr.bin/tmux/cmd-kill-pane.c usr.bin/tmux/cmd-kill-session.c usr.bin/tmux/cmd-kill-window.c usr.bin/tmux/tmux.1 commit mnJsjBTI2AQEBsZY Author: tb Date: 2026/06/09 12:20:34 Avoid out-of-bounds read in CMS password-based decryption The RFC 3211 PWRI integrity check when unwrapping the password-derived key accesses seven bytes from a heap-allocated buffer. If an (invalid) block cipher with short blocks is in use 2 * blocksize may not be sufficient room for 7 bytes. In that silly case, the function performs an OOB read. Add length check to avoid this situation From Igor Ustinov via OpenSSL. lib/libcrypto/cms/cms_pwri.c commit leQ9bA9VQ6t0S6Dc Author: tb Date: 2026/06/09 12:12:34 Avoid NULL dereference in password-based CMS decryption The keyDerivationAlgorithm field is OPTIONAL in the ASN.1 but required for password-based CMS. Check that the field is present before using it to avoid a crash. From Igor Ustinov via OpenSSL lib/libcrypto/cms/cms_pwri.c commit Cxx5Xd28BrXKioPL Author: nicm Date: 2026/06/09 11:49:36 Two fixes for RI codepoints. Firstly, do not combine more than two of them - previously we were ending up with four codepoints in one cell which tmux believed to be width 2, but terminals considered width 4. Secondly, invalidate cursor position before redrawing the cell when the second codepoint is received, terminals vary in how they manage backspace and cursor movement across these characters, so it is better to use absolute rather than relative positioning. GitHub issue 4853. usr.bin/tmux/tty.c usr.bin/tmux/utf8-combined.c commit F7bFj8hS2NZ39FhW Author: jsg Date: 2026/06/09 11:23:02 call rasops_show_screen() in inteldrm_activate() wakeup From Walter Alejandro Iglesias who reports this stops garbage on screen when resuming from hibernate without switching vt, on a unknown machine. Avoids a similar problem on matthieu's Framework Alder Lake, and mvs' Gemini Lake and Alder Lake machines. sys/dev/pci/drm/i915/i915_driver.c commit wk72xJrcEWkPWJ9D Author: nicm Date: 2026/06/09 09:11:05 Add -B to new-pane/split-window to block until the command exits, like run-shell -b. usr.bin/tmux/cmd-split-window.c usr.bin/tmux/server.c usr.bin/tmux/tmux.1 usr.bin/tmux/tmux.h usr.bin/tmux/window.c commit s5k7hTUb8E2mHY3D Author: nicm Date: 2026/06/09 08:11:53 Do not use NULL arguments, bug spotted by Dane Jensen. usr.bin/tmux/window.c commit BepC87NTOVmwcsvg Author: robert Date: 2026/06/09 06:41:08 fix a mismerged patch for defaulting to -mno-relax on OpenBSD; from Brad gnu/llvm/clang/lib/Driver/ToolChains/Arch/RISCV.cpp commit Y2hJrstRU8eXlUq0 Author: tb Date: 2026/06/09 06:01:28 fmt_scaled: add some regress for signed overflow edge cases. looks good to claudio, ok djm regress/lib/libutil/fmt_scaled/fmt_test.c commit xyHQ5MtMDiSFi2pQ Author: tb Date: 2026/06/09 06:00:13 Avoid signed overflow in fmt_scaled Adding the scaled fractional part to whole may result in a signed overflow. Guard against this by adding checks before subtracting or adding. problem pointed out by a friend of claudio's fix looks good to claudio, ok djm lib/libutil/fmt_scaled.c commit 4sJ1QHYL2BkLEd3z Author: tb Date: 2026/06/09 05:58:51 fmt_scaled: make regress compile again with old gcc looks good to claudio ok djm regress/lib/libutil/fmt_scaled/fmt_test.c commit Y882ikxYRTOfFThk Author: tb Date: 2026/06/09 05:24:47 ecdh: add error codes for point at infinity/not on curve The point at infinity would previously raise EC_R_POINT_AT_INFINITY via EC_POINT_get_affine_coordinates(). For consistency, also raise an error for off-curve points. pointed out by/ok kenjiro lib/libcrypto/ecdh/ecdh.c commit vSXAnPsCWqSqevWH Author: tb Date: 2026/06/09 05:23:30 Fix strange error check in EC_POINT_get_affine_coordinates EC_POINT_is_at_infinity() has a Boolean return nowadays, so drop > 0. ok jsing kenjiro lib/libcrypto/ec/ec_lib.c commit 2Aa1jkl9uSjAz3et Author: tb Date: 2026/06/09 05:20:38 ssl_kex: exercise an invalid point as well regress/lib/libssl/unit/ssl_kex.c commit 0ONhKbYRmVeECm8U Author: tb Date: 2026/06/09 05:17:24 ssl_kex: ensure decode_error alert is raised regress/lib/libssl/unit/ssl_kex.c commit EyGXaxxllFi2UGaM Author: jsg Date: 2026/06/09 03:20:01 switch nfs_getreq() to nfsd_adv() from miod@ ok jsg@ This round of commits was prompted by a double-free report from Andrew Griffiths at Calif. server nfs request mbuf pointers were stored in two structs: nmi_mrep in struct nfsm_info nd_mrep in struct nfsrv_descript but only set to NULL after m_freem() in nmi_mrep This problem is avoided by removing the use of struct nfsm_info in the server paths and passing struct nfsrv_descript to new versions of the nfsm functions. sys/nfs/nfs_socket.c commit 1KLkffBHkVQ8amYM Author: jsg Date: 2026/06/09 03:14:22 remove use of struct nfsm_info in nfs_serv.c (the non-trivial part) with and ok miod@ sys/nfs/nfs_serv.c commit gH6cVX8Y4UtbR77K Author: jsg Date: 2026/06/09 03:12:46 remove use of struct nfsm_info in nfs_serv.c with and ok miod@ sys/nfs/nfs_serv.c commit GwV5iLxYlhF8IiGO Author: jsg Date: 2026/06/09 03:11:12 convert nfs_serv.c from nfsm_mtouio() to nfsd_mtouio() with and ok miod@ sys/nfs/nfs_serv.c commit hz7bCzPWiyMaEZTN Author: jsg Date: 2026/06/09 03:09:31 convert nfs_serv.c from nfsm_strsiz() to nfsd_strsiz() with and ok miod@ sys/nfs/nfs_serv.c commit xNU2ytDkqK69XU7c Author: jsg Date: 2026/06/09 03:07:19 convert nfs_socket.c from nfsm_dissect() to nfsd_dissect() with and ok miod@ sys/nfs/nfs_socket.c commit HiyFkhrzMy02zDzx Author: jsg Date: 2026/06/09 03:05:19 convert nfs_serv.c from nfsm_dissect() to nfsd_dissect() with and ok miod@ sys/nfs/nfs_serv.c commit gwWvB9OudpAtTOWb Author: jsg Date: 2026/06/09 03:02:07 remove nfsm_info argument from nfsm_srvmtofh1() with and ok miod@ sys/nfs/nfs_serv.c commit rh8vXnWduWMpRZfJ Author: jsg Date: 2026/06/09 03:00:10 remove nfsm_info argument from nfsm_reply() callers all set info.nmi_mreq = NULL with and ok miod@ sys/nfs/nfs_serv.c commit Vx6ZMtnsu41f9eOA Author: jsg Date: 2026/06/09 02:57:57 make nfsm_srvnamesiz() take an nfsrv_descript argument with and ok miod@ sys/nfs/nfs_serv.c commit zjTN81IXNh5PQKhO Author: jsg Date: 2026/06/09 02:56:44 make nfsm_srvmtofh2() take an nfsrv_descript argument with and ok miod@ sys/nfs/nfs_serv.c commit qesik414GiudTdq4 Author: jsg Date: 2026/06/09 02:55:17 make nfsm_srvsattr() take an nfsrv_descript argument with and ok miod@ sys/nfs/nfs_serv.c sys/nfs/nfs_srvsubs.c sys/nfs/nfs_var.h commit J3wXlR7bkFW7Ko77 Author: jsg Date: 2026/06/09 02:52:26 add nfsrv_descript versions of nfsm functions ok miod@ sys/nfs/nfsm_subs.h commit s9MzmI3mq8ljTQSk Author: jsg Date: 2026/06/09 02:50:21 remove nmi_mb from struct nfsm_info ok miod@ sys/nfs/nfs_serv.c sys/nfs/nfs_vfsops.c sys/nfs/nfs_vnops.c sys/nfs/nfsm_subs.h commit zxJ407dFpuzJcBoY Author: jsg Date: 2026/06/09 02:47:59 make nfsm_srvmtofh1() take an mbuf argument ok miod@ sys/nfs/nfs_serv.c commit KtV1lGmIi2cKSANN Author: jsg Date: 2026/06/09 02:46:02 make nfsm_srvwcc() take an mbuf argument ok miod@ sys/nfs/nfs_serv.c sys/nfs/nfs_srvsubs.c sys/nfs/nfs_var.h commit lmVs4gHnnoDMzO1f Author: jsg Date: 2026/06/09 02:44:06 make nfsm_fhtom() take an mbuf argument ok miod@ sys/nfs/nfs_subs.c sys/nfs/nfs_var.h sys/nfs/nfs_vfsops.c sys/nfs/nfs_vnops.c commit nBdFW73CYaS4rKbM Author: jsg Date: 2026/06/09 02:42:10 make nfsm_srvpostop_fh() take an mbuf argument ok miod@ sys/nfs/nfs_serv.c commit 4T3dS7m4mxphAmU5 Author: jsg Date: 2026/06/09 02:40:16 make nfsm_srvpostop_attr() take an mbuf argument ok miod@ sys/nfs/nfs_serv.c sys/nfs/nfs_srvsubs.c sys/nfs/nfs_var.h commit hAo91y8jir0ode9D Author: jsg Date: 2026/06/09 02:38:24 make nfsm_reply() take an mbuf argument ok miod@ sys/nfs/nfs_serv.c commit qzoT38SUrjCzFtAK Author: jsg Date: 2026/06/09 02:36:29 make nfsm_strtom() take an mbuf argument ok miod@ sys/nfs/nfs_vnops.c sys/nfs/nfsm_subs.h commit b62kI7XYUVGkRggT Author: afresh1 Date: 2026/06/09 01:37:55 Upstream patch for buffer overflow in 32-bit perl * CVE-2026-8376 https://lists.security.metacpan.org/cve-announce/msg/40396161/ Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds gnu/usr.bin/perl/regcomp_study.c commit znydDs5EXdv3TW1j Author: afresh1 Date: 2026/06/09 01:37:30 Upstream patches for IO-Compress perl dist * CVE-2026-48961 https://lists.security.metacpan.org/cve-announce/msg/40434383/ IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID * CVE-2026-48962 https://lists.security.metacpan.org/cve-announce/msg/40434385/ IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob * CVE-2025-15649 https://lists.security.metacpan.org/cve-announce/msg/40434380/ IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date * CVE-2026-48959 https://lists.security.metacpan.org/cve-announce/msg/40434381/ IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward gnu/usr.bin/perl/cpan/IO-Compress/bin/zipdetails gnu/usr.bin/perl/cpan/IO-Compress/lib/File/GlobMapper.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Uncompress/Unzip.pm gnu/usr.bin/perl/cpan/IO-Compress/t/globmapper.t commit xkJUDI2NCcc41e2t Author: afresh1 Date: 2026/06/09 01:36:51 Upstream patch for HTTP-Tiny perl dist * CVE-2026-7010 https://lists.security.metacpan.org/cve-announce/msg/39952806/ HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm commit 5kDjAsghmPcFnYZc Author: afresh1 Date: 2026/06/09 01:36:20 Upstream patches for Archive-Tar perl dist * CVE-2026-42496 https://lists.security.metacpan.org/cve-announce/msg/40396459/ Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory * CVE-2026-42497 https://lists.security.metacpan.org/cve-announce/msg/40396457/ Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory * CVE-2026-9538 https://lists.security.metacpan.org/cve-announce/msg/40396448/ Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar.pm gnu/usr.bin/perl/cpan/Archive-Tar/t/04_resolved_issues.t commit 7RFiFasloQkLblnS Author: nicm Date: 2026/06/08 23:06:21 Fix mouse events on tiled pane status line - when panes share a border, prefer the pane for which the border is the status line. With Dane Jensen. usr.bin/tmux/server-client.c usr.bin/tmux/window.c