- Update to dhcp-4.3.3-P1 correcting bounds checking when

receiving a packet (bsc#961305,CVE-2015-8605,ISC-Bugs#41267).
- adjusted interval check.
  [*0019-dhcp-4.2.4-P1-interval.patch]
- Fixed improper lease duration checking. Also added fixes for integer
  overflows in the date and time handling code(bsc#936923, bsc#880984).
  [+0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch]
- fixed service files to start dhcpd after slapd (bsc#956159)
- dhclient-script: complain in the log about conflicts, added
  a see log messages to the dhclient log message (bsc#960506)
  [* 0018-client-fail-on-script-pre-init-error-bsc-912098.patch]

OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=163

0018-client-fail-on-script-pre-init-error-bsc-912098.patch

@@ -40,7 +40,7 @@ index b438629..82d6ed5 100644
 +			}
 +		}
 +		if (failed) {
-+			log_fatal("%s: unable to pre-init requested interfaces",
++			log_fatal("%s: unable to pre-init requested interfaces -- see log messages",
 +					path_dhclient_script);
  		}
  	}

0019-dhcp-4.2.4-P1-interval.patch

@@ -4,7 +4,7 @@ Date:   Fri Jul 27 10:00:49 2012 +0200
 
     isc_time_nowplusinterval() is not safe with 64-bit time_t (#662254, #789601)
 
-References: bsc#947780
+References: bsc#947780, bsc#880984
 Index: dhcp-4.2.4-P2/common/dispatch.c
 ===================================================================
 --- dhcp-4.2.4-P2.orig/common/dispatch.c
@@ -31,3 +31,20 @@ Index: dhcp-4.2.4-P2/common/dispatch.c
  	status = isc_time_nowplusinterval(&expires, &interval);
  	if (status != ISC_R_SUCCESS) {
  		/*
+From: Nirmoy Das <ndas@suse.de>
+Date: Tue, 26 Jan 2016 13:36:28 +0100
+Subject: [PATCH] adjusted interval check
+
+Index: dhcp-4.3.3/common/dispatch.c
+===================================================================
+--- dhcp-4.3.3.orig/common/dispatch.c
++++ dhcp-4.3.3/common/dispatch.c
+@@ -349,7 +349,7 @@ void add_timeout (when, where, what, ref
+ 	 * gone by since the last call to gettimeofday() and the one in
+ 	 * isc_time_nowplusinterval().
+ 	 */
+-	if (sec > TIME_MAX)
++	if (sec > TIME_MAX - 9)
+ 		sec = TIME_MAX - 9;
+ 
+ 	isc_interval_set(&interval, sec, usec * 1000);

0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch

@@ -0,0 +1,71 @@
+From: Marius Tomaschewski <mt@suse.de> 
+Date: Tue, 12 Jan 2016 15:42:22 +0100    
+Subject: [PATCH] fixed improper lease duration checking. 
+References: bsc#936923, bsc#880984
+
+year 2038 is EOT only for 32 bit machine. This patch checks 
+wordsize and do a proper EOT checking on lease duration. It  
+also fixes integer overflows in the date and time handling code.
+
+diff --git a/common/parse.c b/common/parse.c
+index 22e7d58..e9e53a4 100644
+--- a/common/parse.c
++++ b/common/parse.c
+@@ -939,7 +939,7 @@ TIME
+ parse_date_core(cfile)
+ 	struct parse *cfile;
+ {
+-	int guess;
++	long guess;
+ 	int tzoff, year, mon, mday, hour, min, sec;
+ 	const char *val;
+ 	enum dhcp_token token;
+@@ -966,7 +966,7 @@ parse_date_core(cfile)
+ 		}
+ 
+ 		skip_token(&val, NULL, cfile); /* consume number */
+-		guess = atoi(val);
++		guess = atol(val);
+ 
+ 		return((TIME)guess);
+ 	}
+@@ -1113,11 +1113,22 @@ parse_date_core(cfile)
+ 	 * overflow issues.  We could try and be more precise but there
+ 	 * doesn't seem to be a good reason to worry about it and waste
+ 	 * the cpu looking at the rest of the date. */
+-	if (year >= 138)
+-		return(MAX_TIME);
+-
++	if (sizeof(time_t) == 8) {
++		/* 2038 is not an issue on 64bit. time calculations
++		 * start to fail at almost INT_MAX (- some guard) */
++		if (year > 0x7fff0000)
++			return(MAX_TIME);
++	} else {
++		/* assume 32bit with end in 2038 */
++		if (year >= 138)
++			return(MAX_TIME);
++	}
++	/* I don't think we need to care about lease starts before 1900 */
++	if (year < 0)
++		return((TIME)0);
++ 
+ 	/* Guess the time value... */
+-	guess = ((((((365 * (year - 70) +	/* Days in years since '70 */
++	guess = ((((((365 * ((long)year - 70) +	/* Days in years since '70 */
+ 		      (year - 69) / 4 +		/* Leap days since '70 */
+ 		      (mon			/* Days in months this year */
+ 		       ? months [mon - 1]
+diff --git a/includes/dhcpd.h b/includes/dhcpd.h
+index 4270edc..1af4c5b 100644
+--- a/includes/dhcpd.h
++++ b/includes/dhcpd.h
+@@ -1561,7 +1561,7 @@ typedef unsigned char option_mask [16];
+ #define DHCPD_LOG_FACILITY	LOG_DAEMON
+ #endif
+ 
+-#define MAX_TIME 0x7fffffff
++#define MAX_TIME LONG_MAX
+ #define MIN_TIME 0
+ 
+ #ifdef USE_LOG_PID

dhclient-script

@@ -73,14 +73,26 @@ network_service_conflicts()
 {
 	local _id=`/usr/bin/systemctl --no-pager -p Id show network.service 2>/dev/null`
 	case "${_id#Id=}" in
-	# wicked is using an another dhcp client
-	wicked.service)                 return 1 ;;
+	# wicked is using an another dhcp client - dhclient
+	# is not supported with enabled wicked and disabled.
+	wicked.service)
+		logger -t "${0##*/}" -p daemon.error -- \
+			"dhclient conflicts with enabled ${_id#Id=} and disabled"
+		return 1
+	;;
 
-	# NetworkManager is using another script
-	#NetworkManager.service)	return 1 ;;
+	# NetworkManager is using an another script
+	# [disarmed except maintainer requests it]
+	#NetworkManager.service)
+	#	logger -t "${0##*/}" -p daemon.error -- \
+	#		"dhclient-script conflicts with enabled ${_id#Id=} script and disabled"
+	#	return 1
+	#;;
 
-	# sysconfig network were using it, other?
-	network.service|*)              return 0 ;;
+	# sysconfig network [gone] were using it, other?
+	network.service|*)
+		return 0
+	;;
 	esac
 }
 

dhcp-4.3.3-P1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c11e896dffa1bfbc49462965d3f6dec45534e34068603546d9a236f2aa669921
+size 9204043

dhcp-4.3.3-P1.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQEcBAABAgAGBQJWdAE2AAoJEG+m68mRGkwCuAoIAIJDWxX1ENjTOcSP3SLaloIB
+0ZMlWF5HvWFDQNoARDAB0k35gYm7Qk3xuqBpboRm8N6z0kVZIj59b9mdK5YeuFBD
+qhmXE5AQyGPytyPMmK4x2IDqxksGoz5tUMCXFTX1OA8De8ejTn5XkcIh/wlr7A93
+f3nnFKxKvKeNhyfLyonraZbEhKZ4nGogGEqT5ewQ3BSegrECnFvMTjCwUq58nYM6
+RT8AeATU/MHjLeZcQLByvda9F5VhqUdGnqhEjMJhuI2NCFfMVILXgIZ2Ietl0S2a
+I0s0y1wu9I3gPvhlD6VwQsWZWN3v1oV1uGeJS+1HGxrqJUB4QhztiNY0tElL1Y8=
+=QT0D
+-----END PGP SIGNATURE-----

dhcp-4.3.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:553c4945b09b1c1b904c4780f34f72aaefa2fc8c6556715de0bc9d4e3d255ede
-size 9205539

dhcp-4.3.3.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQEcBAABAgAGBQJV5YwhAAoJEG+m68mRGkwC0yYH/2qvlrVxE9odY8mooEWL3Mw4
-h7KycYZC5js2rY+u2DT7UHE3UnD671NzZQyGVYZaHYfFo3daW0OIt+CXV+H14jOt
-Ai2OXU+6HiKNhT3WhCeoA4YFU1wflnxVeT0Cx7J40AUDewjkuAthZrF1jXrh8djQ
-1VJ1Dq6HtkX5P1X+L84ugsMosXRoqMWmnUITE6GdzKqK29VQ8Y3jnCF1PJE1BwFJ
-kYC3iwPjLKfPElEPROuK7bFUej1mr8agTM8lBcipMCtYx6R4DJoyviZ81tI+TzOm
-PvPySKcM59o89XOqdgJ9xM2onlWCZHFLuw8ngY7MnyGFWLD92wFktAK6K6H2gWQ=
-=Ezci
------END PGP SIGNATURE-----

dhcp.changes

@@ -1,4 +1,18 @@
 -------------------------------------------------------------------
+Tue Jan 26 17:16:45 CET 2016 - ndas@suse.de
+
+- Update to dhcp-4.3.3-P1 correcting bounds checking when 
+  receiving a packet (bsc#961305,CVE-2015-8605,ISC-Bugs#41267).
+- adjusted interval check.
+  [*0019-dhcp-4.2.4-P1-interval.patch]
+- Fixed improper lease duration checking. Also added fixes for integer
+  overflows in the date and time handling code(bsc#936923, bsc#880984).
+  [+0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch]
+- fixed service files to start dhcpd after slapd (bsc#956159)
+- dhclient-script: complain in the log about conflicts, added
+  a see log messages to the dhclient log message (bsc#960506)
+  [* 0018-client-fail-on-script-pre-init-error-bsc-912098.patch]
+-------------------------------------------------------------------
 Tue Oct 13 12:59:00 UTC 2015 - mt@suse.de
 
 - Applied a patch by Jiri Popelka catching dhcp server aborts with

dhcp.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package dhcp
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,7 +16,7 @@
 #
 
 
-%define isc_version   4.3.3
+%define isc_version   4.3.3-P1
 %define susefw2dir    %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
 %define omc_prefix    /usr/share/omc
 %define omc_svcdir    %{omc_prefix}/svcinfo.d
@@ -41,7 +41,7 @@ BuildRequires:  openldap2-devel
 %endif
 BuildRequires:  dos2unix
 BuildRequires:  libtool
-Version:        4.3.3
+Version:        4.3.3.P1
 Release:        0
 Summary:        Common Files Used by ISC DHCP Software
 License:        BSD-3-Clause
@@ -118,6 +118,7 @@ Patch17:        0017-server-no-success-report-before-send.919959.patch
 Patch18:        0018-client-fail-on-script-pre-init-error-bsc-912098.patch
 # PATCH-FIX-SLE dhcp-4.2.4-P1-interval bsc#947780
 Patch19:        0019-dhcp-4.2.4-P1-interval.patch
+Patch20:        0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch
 ##
 PreReq:         /bin/touch /sbin/chkconfig sysconfig
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -249,6 +250,7 @@ Authors:
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1
 ##
 find . -type f -name \*.cat\* -exec rm -f {} \;
 dos2unix contrib/ms2isc/*

dhcpd.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=ISC DHCPv4 Server
 Before=multi-user.target
-After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+After=remote-fs.target network.target nss-lookup.target time-sync.target slapd.service sssd.service  ndsd.service
 
 [Service]
 Type=forking

dhcpd6.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=ISC DHCPv6 Server
 Before=multi-user.target
-After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+After=remote-fs.target network.target nss-lookup.target time-sync.target slapd.service sssd.service ndsd.service
 
 [Service]
 Type=forking