rpm/dhcp
SHA256
1
0
Fork 0
forked from pool/dhcp
Code Pull Requests Activity

Accepting request 100295 from network:dhcp

Browse Source 
Bug 741239 - VUL-1: CVE-2011-4868: dhcp DDNS DoS, update to 4.2.3-P2

OBS-URL: https://build.opensuse.org/request/show/100295
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dhcp?expand=0&rev=67
This commit is contained in:
Stephan Kulow 2012-01-17 10:32:42 +00:00 committed by Git OBS Bridge
commit 0696eb6d13
8 changed files with 171 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
dhcp-4.2.2-close-on-exec.diff
View File

@ -24,21 +24,6 @@ diff --git a/client/dhclient.c b/client/dhclient.c
index 82c26bb..a1cab01 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -131,11 +131,11 @@ main(int argc, char **argv) {
/* Make sure that file descriptors 0 (stdin), 1, (stdout), and
2 (stderr) are open. To do this, we assume that when we
open a file the lowest available file descriptor is used. */
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 0)
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 1)
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 2)
log_perror = 0; /* No sense logging to /dev/null. */
else if (fd != -1)
@@ -423,7 +423,7 @@ main(int argc, char **argv) {
int e;
@ -84,19 +69,6 @@ index 82c26bb..a1cab01 100644
if (leaseFile == NULL) {
log_error ("can't create %s: %m", path_dhclient_db);
return 0;
@@ -3472,9 +3472,9 @@ void go_daemon ()
close(2);
/* Reopen them on /dev/null. */
- open("/dev/null", O_RDWR);
- open("/dev/null", O_RDWR);
- open("/dev/null", O_RDWR);
+ open("/dev/null", O_RDWR | O_CLOEXEC);
+ open("/dev/null", O_RDWR | O_CLOEXEC);
+ open("/dev/null", O_RDWR | O_CLOEXEC);
write_client_pid_file ();
diff --git a/common/bpf.c b/common/bpf.c
index 8bd5727..7b8f1d4 100644
--- a/common/bpf.c
@ -276,21 +248,6 @@ diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
index f21f16f..d2aa90e 100644
--- a/relay/dhcrelay.c
+++ b/relay/dhcrelay.c
@@ -183,11 +183,11 @@ main(int argc, char **argv) {
/* Make sure that file descriptors 0(stdin), 1,(stdout), and
2(stderr) are open. To do this, we assume that when we
open a file the lowest available file descriptor is used. */
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 0)
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 1)
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 2)
log_perror = 0; /* No sense logging to /dev/null. */
else if (fd != -1)
@@ -540,13 +540,14 @@ main(int argc, char **argv) {
if (no_pid_file == ISC_FALSE) {
@ -356,21 +313,6 @@ diff --git a/server/dhcpd.c b/server/dhcpd.c
index 27e04e4..9233d26 100644
--- a/server/dhcpd.c
+++ b/server/dhcpd.c
@@ -274,11 +274,11 @@ main(int argc, char **argv) {
/* Make sure that file descriptors 0 (stdin), 1, (stdout), and
2 (stderr) are open. To do this, we assume that when we
open a file the lowest available file descriptor is used. */
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 0)
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 1)
- fd = open("/dev/null", O_RDWR);
+ fd = open("/dev/null", O_RDWR | O_CLOEXEC);
if (fd == 2)
log_perror = 0; /* No sense logging to /dev/null. */
else if (fd != -1)
@@ -809,7 +809,7 @@ main(int argc, char **argv) {
*/
if (no_pid_file == ISC_FALSE) {
@ -389,19 +331,6 @@ index 27e04e4..9233d26 100644
if (i >= 0) {
sprintf(pbuf, "%d\n", (int) getpid());
IGNORE_RET (write(i, pbuf, strlen(pbuf)));
@@ -856,9 +856,9 @@ main(int argc, char **argv) {
close(2);
/* Reopen them on /dev/null. */
- open("/dev/null", O_RDWR);
- open("/dev/null", O_RDWR);
- open("/dev/null", O_RDWR);
+ open("/dev/null", O_RDWR | O_CLOEXEC);
+ open("/dev/null", O_RDWR | O_CLOEXEC);
+ open("/dev/null", O_RDWR | O_CLOEXEC);
log_perror = 0; /* No sense logging to /dev/null. */
IGNORE_RET (chdir("/"));
diff --git a/server/ldap.c b/server/ldap.c
index 68acbbb..77efe26 100644
--- a/server/ldap.c

29
dhcp-4.2.3-P1-dhclient-log-pid.diff Normal file
View File

@ -0,0 +1,29 @@
From 1f30e4707e13cb09315cbda2cf36bae099285a79 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.de>
Date: Thu, 5 Jan 2012 16:25:18 +0100
Subject: [PATCH] Use pid number in dhclient log messages
Troubleshooting help to make it visible which client is reporting
as there may be more than one running (v4 + v6 multiple interfaces).
Signed-off-by: Marius Tomaschewski <mt@suse.de>
---
client/dhclient.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/client/dhclient.c b/client/dhclient.c
index ff5ede5..bee8e1d 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -141,7 +141,7 @@ main(int argc, char **argv) {
else if (fd != -1)
close(fd);
- openlog("dhclient", LOG_NDELAY, LOG_DAEMON);
+ openlog("dhclient", LOG_NDELAY | LOG_PID, LOG_DAEMON);
#if !(defined(DEBUG) || defined(__CYGWIN32__))
setlogmask(LOG_UPTO(LOG_INFO));
--
1.7.7

41
dhcp-4.2.3-P1-dhclient-option_param-a.diff Normal file
View File

@ -0,0 +1,41 @@
From 3e3874a4e322536a683d2c22602c6c1a3f39df8e Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.de>
Date: Thu, 5 Jan 2012 16:20:42 +0100
Subject: [PATCH] dhclient: parse_option_param: Bad format a
When the server provides options using the "a" array type, such as:
option rfc3442-classless-routes code 121 = array of unsigned integer 8;
the option is stored into the lease file, but when the client reads the
lease file next time, it complains about, because "a" array type aren't
recognized in the parsing loop and the option (lease?) discarded.
Signed-off-by: Marius Tomaschewski <mt@suse.de>
---
common/parse.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/parse.c b/common/parse.c
index 61488c1..0fca63c 100644
--- a/common/parse.c
+++ b/common/parse.c
@@ -5518,7 +5518,7 @@ int parse_option_decl (oc, cfile)
/* Parse the option data... */
do {
for (fmt = option -> format; *fmt; fmt++) {
- if (*fmt == 'A')
+ if (*fmt == 'A' || *fmt == 'a')
break;
if (*fmt == 'o' && fmt != option -> format)
continue;
@@ -5732,7 +5732,7 @@ int parse_option_decl (oc, cfile)
}
}
token = next_token (&val, (unsigned *)0, cfile);
- } while (*fmt == 'A' && token == COMMA);
+ } while ((*fmt == 'A' || *fmt == 'a') && token == COMMA);
if (token != SEMI) {
parse_warn (cfile, "semicolon expected.");
--
1.7.7

65
dhcp-4.2.3-P1-dhclient-zero-length-options.patch Normal file
View File

@ -0,0 +1,65 @@
From 70330e5cb91616dd235b63e54b9fe0dc15f3d61b Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.de>
Date: Thu, 5 Jan 2012 16:28:50 +0100
Subject: [PATCH] zero-length option lease parse error in dhclient6
common/parse.c:
Use peek_token only or the next_token call behind the while loop
will cause two warnings / errors in the log:
lease line XX: semicolon expected.
lease line XX: Unexpected end of file.
[there is a } behind the semicolon as the next token in my case]
and the option (lease?) gets discarded.
To reproduce, use "send dhcp6.rapid-commit;" to /etc/dhclient6.conf,
remove the lease file and start the client. When the lease is bound,
kill the client and start it again.
client/dhclient.c:
More of cosmetic nature - do not print zero-length options like there
would be a value missed, e.g. " option dhcp6.rapid-commit ;".
Signed-off-by: Marius Tomaschewski <mt@suse.de>
---
client/dhclient.c | 11 ++++++++---
common/parse.c | 2 +-
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/client/dhclient.c b/client/dhclient.c
index bee8e1d..ee87aa6 100644
--- a/client/dhclient.c
+++ b/client/dhclient.c
@@ -2769,10 +2769,15 @@ void write_lease_option (struct option_cache *oc,
}
if (evaluate_option_cache (&ds, packet, lease, client_state,
in_options, cfg_options, scope, oc, MDL)) {
- fprintf(leaseFile, "%soption %s%s%s %s;\n", preamble,
- name, dot, oc->option->name,
- pretty_print_option(oc->option, ds.data, ds.len,
+ if(oc->option->format && oc->option->format[0] == 'Z' && ds.len == 0) {
+ fprintf(leaseFile, "%soption %s%s%s;\n", preamble,
+ name, dot, oc->option->name);
+ } else {
+ fprintf(leaseFile, "%soption %s%s%s %s;\n", preamble,
+ name, dot, oc->option->name,
+ pretty_print_option(oc->option, ds.data, ds.len,
1, 1));
+ }
data_string_forget (&ds, MDL);
}
}
diff --git a/common/parse.c b/common/parse.c
index 0fca63c..fe661d5 100644
--- a/common/parse.c
+++ b/common/parse.c
@@ -5715,7 +5715,7 @@ int parse_option_decl (oc, cfile)
goto alloc;
case 'Z': /* Zero-length option */
- token = next_token(&val, (unsigned *)0, cfile);
+ token = peek_token(&val, (unsigned *)0, cfile);
if (token != SEMI) {
parse_warn(cfile,
"semicolon expected.");
--
1.7.7

3
dhcp-4.2.3-P1.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b3b924fef93e7cdb72e84dce81f0121a43964e43995f40e12c17b933c38148bf
size 9367106

3
dhcp-4.2.3-P2.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ba303393c9e986c51265c6ffded0d8bab1abeb3fe37103d4385802345a2b1109
size 9369048

23
dhcp.changes
View File

@ -1,3 +1,26 @@
-------------------------------------------------------------------
Fri Jan 13 15:26:43 UTC 2012 - mt@suse.com
- Updated to ISC dhcp-4.2.3-P2 release, providing a DDNS security fix:
Modify the DDNS handling code. In a previous patch we added logging
code to the DDNS handling. This code included a bug that caused it
to attempt to dereference a NULL pointer and eventually segfault.
While reviewing the code as we addressed this problem, we determined
that some of the updates to the lease structures would not work as
planned since the structures being updated were in the process of
being freed: these updates were removed. In addition we removed an
incorrect call to the DDNS removal function that could cause a failure
during the removal of DDNS information from the DNS server.
Thanks to Jasper Jongmans for reporting this issue.
([ISC-Bugs #27078], CVE: CVE-2011-4868, bnc#741239)
- Fixed close-on-exec patch to not set it on stderr (bnc#732910)
- Fixed incorrect "a" array type option parsing causing to discard
e.g. classless static routes from lease file [reported as ISC-Bug
27289] and zero-length option parsing such as dhcp6.rapid-commit
in dhclient6 [reported as ISC-Bug 27314] (bnc#739696).
- Fixed dhclient to include its pid number in syslog messages.
- Fixed to use P2 in the spec version, not in the release tag.
-------------------------------------------------------------------
Fri Dec 9 13:40:53 UTC 2011 - mt@suse.com

14
dhcp.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package dhcp
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
# norootforbuild
%define isc_version 4.2.3-P1
%define isc_version 4.2.3-P2
%define susefw2dir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
%define omc_prefix /usr/share/omc
%define omc_svcdir %{omc_prefix}/svcinfo.d
@ -40,8 +40,8 @@ BuildRequires: libtool
License: BSD-3-Clause
Group: Productivity/Networking/Boot/Servers
AutoReqProv: on
Version: 4.2.3
Release: P1.0.<RELEASE0>
Version: 4.2.3.P2
Release: 0.<RELEASE0>
Summary: Common Files Used by ISC DHCP Software
Url: http://www.isc.org/software/dhcp
Source0: dhcp-%{isc_version}.tar.bz2
@ -88,6 +88,9 @@ Patch44: dhcp-4.2.2-xen-checksum.diff
Patch45: dhcp-4.2.2-dhclient-option-checks.bnc675052.diff
Patch46: dhcp-4.2.2-close-on-exec.diff
Patch47: dhcp-4.2.2-quiet-dhclient.bnc711420.diff
Patch48: dhcp-4.2.3-P1-dhclient-option_param-a.diff
Patch49: dhcp-4.2.3-P1-dhclient-log-pid.diff
Patch50: dhcp-4.2.3-P1-dhclient-zero-length-options.patch
##
PreReq: /bin/touch /sbin/chkconfig sysconfig
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -216,6 +219,9 @@ Authors:
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
##
find . -type f -name \*.cat\* -exec rm -f {} \;
dos2unix contrib/ms2isc/*