From 3e8864fa10fd5b8278de4563c253de8ebf243670a570069bd266c1d14391d55c Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Wed, 2 Feb 2011 09:03:02 +0000
Subject: [PATCH] - Applied security fix for unexpected abort caused by a DHCPv6 decline message (CVE-2011-0413, VU#686084, bnc#667655). - Fixed dhclient.conf to request the domain-search option.
OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=53
---
 dhclient.conf | 2 +-
 dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff | 76 ++++++++++++++++++++++
 dhcp.changes | 7 ++
 dhcp.spec | 2 +
 4 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
diff --git a/dhclient.conf b/dhclient.conf
index 2497fa1..c1a4340 100644
--- a/dhclient.conf
+++ b/dhclient.conf
@@ -35,7 +35,7 @@ option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
 # Request several well known/usefull dhcp options.
 request subnet-mask, broadcast-address, routers, rfc3442-classless-static-routes,
- interface-mtu, host-name, domain-name,
+ interface-mtu, host-name, domain-name, domain-search,
 domain-name-servers, nis-domain, nis-servers, nds-context, nds-servers, nds-tree-name, netbios-name-servers, netbios-dd-server,
diff --git a/dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff b/dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
new file mode 100644
index 0000000..f7341d7
--- /dev/null
+++ b/dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
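Review bot: The `request` list now asks for `domain-search` with no comment on where the value ends up. The option's content is chosen by whichever DHCP server answers, and it is presumably handed to the client script to build the resolver search list. A server on an untrusted network can then steer how unqualified host names resolve, so the file should say so next to the statement, e.g. `# domain-search is server-supplied and feeds the resolver search list; drop it on untrusted networks.` The `request` statement continues past the end of the hunk.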
@@ -0,0 +1,76 @@
+From d995f772e6b957c7569a640d024daa3e58c08f56 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski
+Date: Wed, 2 Feb 2011 09:18:39 +0100
+Subject: [PATCH] Unexpected abort caused by a DHCPv6 decline
+
+! When processing a request in the DHCPv6 server code that specifies
+ an address that is tagged as abandoned (meaning we received a
+ decline request for it previously) don't attempt to move it from
+ the inactive to active pool as doing so can result in the server
+ crshing on an assert failure. Also retag the lease as active
+ and reset it's timeout value.
+ [ISC-Bugs #21921] (CVE-2011-0413, VU#686084)
+
+Signed-off-by: Marius Tomaschewski
+---
+ server/mdb6.c | 19 ++++++++++++++++---
+ 1 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/server/mdb6.c b/server/mdb6.c
+index 87bd152..9d410f5 100644
+--- a/server/mdb6.c
++++ b/server/mdb6.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2007-2010 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2007-2011 by Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -1010,7 +1010,7 @@ move_lease_to_active(struct ipv6_pool *pool, struct iasubopt *lease) {
+ * Renew an lease in the pool.
+ *
+ * To do this, first set the new hard_lifetime_end_time for the resource,
+- * and then invoke renew_lease() on it.
++ * and then invoke renew_lease6() on it.
+ *
+ * WARNING: lease times must only be extended, never reduced!!!
+ */
+@@ -1020,12 +1020,24 @@ renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
+ * If we're already active, then we can just move our expiration
+ * time down the heap.
+ *
++ * If we're abandoned then we are already on the active list
++ * but we need to retag the lease and move our expiration
++ * from infinite to the current value
++ *
+ * Otherwise, we have to move from the inactive heap to the
+ * active heap.
+ */
+ if (lease->state == FTS_ACTIVE) {
+ isc_heap_decreased(pool->active_timeouts, lease->heap_index);
+ return ISC_R_SUCCESS;
++ } else if (lease->state == FTS_ABANDONED) {
++ char tmp_addr[INET6_ADDRSTRLEN];
++ lease->state = FTS_ACTIVE;
++ isc_heap_increased(pool->active_timeouts, lease->heap_index);
++ log_info("Reclaiming previously abandoned address %s",
++ inet_ntop(AF_INET6, &(lease->addr), tmp_addr,
++ sizeof(tmp_addr)));
++ return ISC_R_SUCCESS;
+ } else {
+ return move_lease_to_active(pool, lease);
+ }
+@@ -1115,7 +1127,8 @@ isc_result_t
+ decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
+ isc_result_t result;
+
+- if (lease->state != FTS_ACTIVE) {
++ if ((lease->state != FTS_ACTIVE) &&
++ (lease->state != FTS_ABANDONED)) {
+ result = move_lease_to_active(pool, lease);
+ if (result != ISC_R_SUCCESS) {
+ return result;
+--
+1.7.1
+
diff --git a/dhcp.changes b/dhcp.changes
index 689e067..692c7d3 100644
--- a/dhcp.changes
+++ b/dhcp.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 2 09:02:18 UTC 2011 - mt@suse.de
+
+- Applied security fix for unexpected abort caused by a DHCPv6
+ decline message (CVE-2011-0413, VU#686084, bnc#667655).
+- Fixed dhclient.conf to request the domain-search option.
+
 -------------------------------------------------------------------
 Mon Dec 13 08:51:59 UTC 2010 - mt@suse.de
diff --git a/dhcp.spec b/dhcp.spec
index 74f92d7..6549c5e 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -83,6 +83,7 @@ Patch39: dhcp-4.2.0-P1-no-libcrypto.diff
 Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff
 Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff
 Patch42: dhcp-4.1.1-P1-optional-value-infinite-loop.diff
+Patch43: dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
 ## PreReq: /bin/touch /sbin/chkconfig sysconfig
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
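Review bot: The assertion named in the description stays reachable for any caller other than `renew_lease6()` and `decline_lease6()`, because the nested server/mdb6.c patch filters `FTS_ABANDONED` at those two call sites rather than inside `move_lease_to_active()`. That state is set by a client's decline message, so a state check at the top of `move_lease_to_active()` that returns an error instead of aborting would be the more durable guard; its body is outside the hunks shown, so this is inferred from the description. The new `FTS_ABANDONED` branch in `renew_lease6()` also moves the expiry from infinite to a finite value, which the header comment `WARNING: lease times must only be extended, never reduced!!!` still forbids; that comment should name the abandoned case as the exception.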
@@ -208,6 +209,7 @@ Authors:
 %patch40 -p1
 %patch41 -p1
 %patch42 -p1
+%patch43 -p1
 ## find . -type f -name \*.cat\* -exec rm -f {} \;
 dos2unix contrib/ms2isc/*