diff --git a/0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch b/0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch
new file mode 100644
index 0000000..8e645e2
--- /dev/null
+++ b/0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch
@@ -0,0 +1,61 @@
+From 1a6b62fe17a42b00fa234d06b6dfde3d03451894 Mon Sep 17 00:00:00 2001
+From: Thomas Markwalder
+Date: Thu, 7 Dec 2017 11:23:36 -0500
+Subject: [PATCH] [master] Plugs a socket descriptor leak in OMAPI
+
+ Merges in rt46767.
+---
+ RELNOTES | 5 +++++
+ omapip/buffer.c | 9 +++++++++
+ omapip/message.c | 2 +-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/RELNOTES b/RELNOTES
+index cf44b3e..d43e7b3 100644
+--- a/RELNOTES
++++ b/RELNOTES
+@@ -919,6 +919,11 @@ by Eric Young (eay@cryptsoft.com).
+ and our website for directions on bug submissions.
+ [ISC-Bugs #24789]
+ 
++- Plugged a socket descriptor leak in OMAPI, that can occur when there is
++ data pending to be written to an OMAPI connection, when the connection
++ is closed by the reader.
++ [ISc-Bugs #46767]
++
+ Changes since 4.2.0 (new features)
+ 
+ - If a client renews before 'dhcp-cache-threshold' percent of its lease
+diff --git a/omapip/buffer.c b/omapip/buffer.c
+index f7fdc32..809034d 100644
+--- a/omapip/buffer.c
++++ b/omapip/buffer.c
+@@ -566,6 +566,15 @@ isc_result_t omapi_connection_writer (omapi_object_t *h)
+ omapi_buffer_dereference (&buffer, MDL);
+ }
+ }
++
++ /* If we had data left to write when we're told to disconnect,
++ * we need recall disconnect, now that we're done writing.
++ * See rt46767. */
++ if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) {
++ omapi_disconnect (h, 1);
++ return ISC_R_SHUTTINGDOWN;
++ }
++
+ return ISC_R_SUCCESS;
+ }
+ 
+diff --git a/omapip/message.c b/omapip/message.c
+index 59ccdc2..21bcfc3 100644
+--- a/omapip/message.c
++++ b/omapip/message.c
+@@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (omapi_object_t *mo)
+ }
+ 
+ #ifdef DEBUG_PROTOCOL
+-static const char *omapi_message_op_name(int op) {
++const char *omapi_message_op_name(int op) {
+ switch (op) {
+ case OMAPI_OP_OPEN: return "OMAPI_OP_OPEN";
+ case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH";
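Review bot: The new tail of `omapi_connection_writer` re-invokes `omapi_disconnect (h, 1)` with the force flag set and then returns ISC_R_SHUTTINGDOWN, so every caller that reaches this path must treat that status as "connection gone" and must not touch `h` or `c` afterwards; the callers are outside the hunk, and nothing here shows that the existing dispatch code handles a non-success return from the writer without re-using the object. If a caller does re-use it, the fix could trade the descriptor leak for a use-after-free on the just-disconnected connection, so this is worth confirming against the writer's call sites. The enclosing function starts outside the hunk. I would record the contract in the new comment: `/* Caller must not touch the connection after ISC_R_SHUTTINGDOWN: omapi_disconnect() may have released it. */`. The `omapi_message_op_name` visibility change in message.c is unrelated to the CVE-2017-3144 fix and is only compiled under DEBUG_PROTOCOL; a security backport would be cleaner without it.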
diff --git a/0022-Optimized-if-and-when-DNS-client-context-and-ports.patch b/0022-Optimized-if-and-when-DNS-client-context-and-ports.patch
new file mode 100644
index 0000000..c4a46a7
--- /dev/null
+++ b/0022-Optimized-if-and-when-DNS-client-context-and-ports.patch
@@ -0,0 +1,306 @@
+From df869de2b9f95f14ce4eca142afaf0f1fef29809 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das
+Date: Thu, 11 Jan 2018 10:20:59 +0100
+Subject: [PATCH] modified for SLES
+
+From ca22af89996483efd820de0084c964fc336ee7c1 Mon Sep 17 00:00:00 2001
+From: Thomas Markwalder
+Date: Mon, 19 Jun 2017 14:44:29 -0400
+Subject: [PATCH] [master] Optimized if and when DNS client context and ports
+ are initted
+
+ Merges in rt45290.
+---
+ RELNOTES | 9 ++++++
+ client/dhclient.8 | 5 +--
+ client/dhclient.c | 4 +--
+ common/dns.c | 15 +++++++--
+ includes/omapip/isclib.h | 9 +++++-
+ omapip/isclib.c | 80 ++++++++++++++++++++++++++++++------------------
+ relay/dhcrelay.c | 3 +-
+ server/dhcpd.8 | 6 ++--
+ server/dhcpd.c | 14 ++++++--
+ 9 files changed, 100 insertions(+), 45 deletions(-)
+---
+ client/dhclient.8 | 5 +--
+ client/dhclient.c | 4 +--
+ common/dns.c | 15 +++++++--
+ includes/omapip/isclib.h | 9 +++++-
+ omapip/isclib.c | 80 ++++++++++++++++++++++++++++++------------------
+ relay/dhcrelay.c | 3 +-
+ server/dhcpd.8 | 4 +--
+ server/dhcpd.c | 14 ++++++--
+ 8 files changed, 90 insertions(+), 44 deletions(-)
+
+diff --git a/client/dhclient.8 b/client/dhclient.8
+index d9a26b7..8991e16 100644
+--- a/client/dhclient.8
++++ b/client/dhclient.8
+@@ -461,8 +461,9 @@ port will be used for the established connection.
+ 
+ When DDNS is enabled at compile time (see includes/site.h)
+ the client will open both a v4 and a v6 UDP socket on
+-random ports. These ports are opened even if DDNS is disabled
+-in the configuration file.
++random ports. These ports are not opened unless/until the
++client first attempts to do an update. If the client is not
++configured to do updates, the ports will never be opened.
+ .PP
+ .SH CONFIGURATION
+ The syntax of the \fBdhclient.conf(5)\fR file is discussed separately.
+diff --git a/client/dhclient.c b/client/dhclient.c
+index 2804ea8..d3fe751 100644
+--- a/client/dhclient.c
++++ b/client/dhclient.c
+@@ -187,8 +187,8 @@ main(int argc, char **argv) {
+ #endif
+ 
+ /* Set up the isc and dns library managers */
+- status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB,
+- NULL, NULL);
++ status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB
++ | DHCP_DNS_CLIENT_LAZY_INIT, NULL, NULL);
+ if (status != ISC_R_SUCCESS)
+ log_fatal("Can't initialize context: %s",
+ isc_result_totext(status));
+diff --git a/common/dns.c b/common/dns.c
+index 0f8be80..2ca4ba8 100644
+--- a/common/dns.c
++++ b/common/dns.c
+@@ -3,8 +3,7 @@
+ Domain Name Service subroutines. */
+ 
+ /*
+- * Copyright (c) 2009-2015 by Internet Systems Consortium, Inc. ("ISC")
+- * Copyright (c) 2004-2007 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2001-2003 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+@@ -2151,6 +2150,12 @@ ddns_modify_fwd(dhcp_ddns_cb_t *ddns_cb, const char *file, int line)
+ 
+ isc_sockaddrlist_t *zlist = NULL;
+ 
++ /* Creates client context if we need to */
++ result = dns_client_init();
++ if (result != ISC_R_SUCCESS) {
++ return result;
++ }
++
+ /* Get a pointer to the clientname to make things easier. */
+ clientname = (unsigned char *)ddns_cb->fwd_name.data;
+ 
+@@ -2359,6 +2364,12 @@ ddns_modify_ptr(dhcp_ddns_cb_t *ddns_cb, const char *file, int line)
+ unsigned char buf[256];
+ int buflen;
+ 
++ /* Creates client context if we need to */
++ result = dns_client_init();
++ if (result != ISC_R_SUCCESS) {
++ return result;
++ }
++
+ /*
+ * Try to lookup the zone in the zone cache. As with the forward
+ * case it's okay if we don't have one, the DNS code will try to
+diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
+index caa388a..e296308 100644
+--- a/includes/omapip/isclib.h
++++ b/includes/omapip/isclib.h
+@@ -3,7 +3,7 @@
+ connections to the isc and dns libraries */
+ 
+ /*
+- * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2009-2017 by Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -98,6 +98,10 @@ typedef struct dhcp_context {
+ isc_timermgr_t *timermgr;
+ #if defined (NSUPDATE)
+ dns_client_t *dnsclient;
++ int use_local4;
++ isc_sockaddr_t local4_sockaddr;
++ int use_local6;
++ isc_sockaddr_t local6_sockaddr;
+ #endif
+ } dhcp_context_t;
+ 
+@@ -125,6 +129,7 @@ isclib_make_dst_key(char *inname,
+ 
+ #define DHCP_CONTEXT_PRE_DB 1
+ #define DHCP_CONTEXT_POST_DB 2
++#define DHCP_DNS_CLIENT_LAZY_INIT 4
+ isc_result_t dhcp_context_create(int flags,
+ struct in_addr *local4,
+ struct in6_addr *local6);
+@@ -133,4 +138,6 @@ void isclib_cleanup(void);
+ void dhcp_signal_handler(int signal);
+ extern int shutdown_signal;
+ 
++isc_result_t dns_client_init();
++
+ #endif /* ISCLIB_H */
+diff --git a/omapip/isclib.c b/omapip/isclib.c
+index 13f0d3e..ce86490 100644
+--- a/omapip/isclib.c
++++ b/omapip/isclib.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright(c) 2009-2010,2013-2014 by Internet Systems Consortium, Inc.("ISC")
++ * Copyright(c) 2009-2017 by Internet Systems Consortium, Inc.("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -221,39 +221,24 @@ dhcp_context_create(int flags,
+ 
+ #if defined (NSUPDATE)
+ if ((flags & DHCP_CONTEXT_POST_DB) != 0) {
+- isc_sockaddr_t localaddr4, *localaddr4_ptr = NULL;
+- isc_sockaddr_t localaddr6, *localaddr6_ptr = NULL;
++ /* Setting addresses only.
++ * All real work will be done later on if needed to avoid
++ * listening on ddns port if client/server was compiled with
++ * ddns support but not using it. */
+ if (local4 != NULL) {
+- isc_sockaddr_fromin(&localaddr4, local4, 0);
+- localaddr4_ptr = &localaddr4;
++ dhcp_gbl_ctx.use_local4 = 1;
++ isc_sockaddr_fromin(&dhcp_gbl_ctx.local4_sockaddr,
++ local4, 0);
+ }
++
+ if (local6 != NULL) {
+- isc_sockaddr_fromin6(&localaddr6, local6, 0);
+- localaddr6_ptr = &localaddr6;
++ dhcp_gbl_ctx.use_local6 = 1;
++ isc_sockaddr_fromin6(&dhcp_gbl_ctx.local6_sockaddr,
++ local6, 0);
+ }
+ 
+- result = dns_client_createx2(dhcp_gbl_ctx.mctx,
+- dhcp_gbl_ctx.actx,
+- dhcp_gbl_ctx.taskmgr,
+- dhcp_gbl_ctx.socketmgr,
+- dhcp_gbl_ctx.timermgr,
+- 0,
+- &dhcp_gbl_ctx.dnsclient,
+- localaddr4_ptr,
+- localaddr6_ptr);
+- if (result != ISC_R_SUCCESS)
+- goto cleanup;
+-
+- /*
+- * If we can't set up the servers we may not be able to
+- * do DDNS but we should continue to try and perform
+- * our basic functions and let the user sort it out.
+- */
+- result = dhcp_dns_client_setservers();
+- if (result != ISC_R_SUCCESS) {
+- log_error("Unable to set resolver from resolv.conf; "
+- "startup continuing but DDNS support "
+- "may be affected");
++ if (!(flags & DHCP_DNS_CLIENT_LAZY_INIT)) {
++ result = dns_client_init();
+ }
+ }
+ #endif
+@@ -360,3 +345,40 @@ void dhcp_signal_handler(int signal) {
+ (void) isc_app_ctxsuspend(ctx);
+ }
+ }
++
++isc_result_t dns_client_init() {
++ isc_result_t result;
++ if (dhcp_gbl_ctx.dnsclient == NULL) {
++ result = dns_client_createx2(dhcp_gbl_ctx.mctx,
++ dhcp_gbl_ctx.actx,
++ dhcp_gbl_ctx.taskmgr,
++ dhcp_gbl_ctx.socketmgr,
++ dhcp_gbl_ctx.timermgr,
++ 0,
++ &dhcp_gbl_ctx.dnsclient,
++ (dhcp_gbl_ctx.use_local4 ?
++ &dhcp_gbl_ctx.local4_sockaddr
++ : NULL),
++ (dhcp_gbl_ctx.use_local6 ?
++ &dhcp_gbl_ctx.local6_sockaddr
++ : NULL));
++
++ if (result != ISC_R_SUCCESS) {
++ log_error("Unable to create DNS client context:"
++ " result: %d", result);
++ return result;
++ }
++
++ /* If we can't set up the servers we may not be able to
++ * do DDNS but we should continue to try and perform
++ * our basic functions and let the user sort it out. */
++ result = dhcp_dns_client_setservers();
++ if (result != ISC_R_SUCCESS) {
++ log_error("Unable to set resolver from resolv.conf; "
++ "startup continuing but DDNS support "
++ "may be affected: result %d", result);
++ }
++ }
++
++ return ISC_R_SUCCESS;
++}
+diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
+index 9d39fae..3abbe1e 100644
+--- a/relay/dhcrelay.c
++++ b/relay/dhcrelay.c
+@@ -204,8 +204,7 @@ main(int argc, char **argv) {
+ #endif
+ 
+ /* Set up the isc and dns library managers */
+- status = dhcp_context_create(DHCP_CONTEXT_PRE_DB | DHCP_CONTEXT_POST_DB,
+- NULL, NULL);
++ status = dhcp_context_create(DHCP_CONTEXT_PRE_DB, NULL, NULL);
+ if (status != ISC_R_SUCCESS)
+ log_fatal("Can't initialize context: %s",
+ isc_result_totext(status));
+diff --git a/server/dhcpd.8 b/server/dhcpd.8
+index bfda639..259b91c 100644
+--- a/server/dhcpd.8
++++ b/server/dhcpd.8
+@@ -358,8 +358,8 @@ port will be used for the established connection.
+ 
+ When DDNS is enabled at compile time (see includes/site.h)
+ the server will open both a v4 and a v6 UDP socket on
+-random ports. These ports are opened even if DDNS is disabled
+-in the configuration file.
++random ports, unless DDNS updates are globally disabled by
++setting ddns-update-style to none in the configuration file.
+ .PP
+ .SH CONFIGURATION
+ The syntax of the dhcpd.conf(5) file is discussed separately. This
+diff --git a/server/dhcpd.c b/server/dhcpd.c
+index 0f5c640..d7c4456 100644
+--- a/server/dhcpd.c
++++ b/server/dhcpd.c
+@@ -1053,10 +1053,16 @@ void postconf_initialization (int quiet)
+ }
+ }
+ 
+- if (dhcp_context_create(DHCP_CONTEXT_POST_DB, local4_ptr, local6_ptr)
+- != ISC_R_SUCCESS)
+- log_fatal("Unable to complete ddns initialization");
+-
++ /* Don't init DNS client if update style is none. This avoids
++ * listening ports that aren't needed. We don't use ddns-udpates
++ * as that has multiple levels of scope. */
++ if (ddns_update_style != DDNS_UPDATE_STYLE_NONE) {
++ if (dhcp_context_create(DHCP_CONTEXT_POST_DB,
++ local4_ptr, local6_ptr)
++ != ISC_R_SUCCESS) {
++ log_fatal("Unable to complete ddns initialization");
++ }
++ }
+ #else
+ /* If we don't have support for updates compiled in tell the user */
+ if (ddns_update_style != DDNS_UPDATE_STYLE_NONE) {
+--
+2.15.0
+
diff --git a/dhcp.changes b/dhcp.changes
index 2531317..be94dec 100644
--- a/dhcp.changes
+++ b/dhcp.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Jan 19 12:16:47 CET 2018 - ndas@suse.de
+
+- Optimized if and when DNS client context and ports
+ are initted (bsc#1073935)
+ [+ 0022-Optimized-if-and-when-DNS-client-context-and-.patch]
+
+-------------------------------------------------------------------
+Tue Jan 16 16:15:45 CET 2018 - ndas@suse.de
+
+- Plugs a socket descriptor leak in OMAPI(bsc#1076119, CVE-2017-3144)
+ [ +0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch]
+
 -------------------------------------------------------------------
 Wed Dec 13 15:52:25 UTC 2017 - mchandras@suse.de
diff --git a/dhcp.spec b/dhcp.spec
index 42c4651..1c946fa 100644
--- a/dhcp.spec
+++ b/dhcp.spec
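Review bot: In the `dhcp_context_create` hunk of omapip/isclib.c, the replaced code jumped to `cleanup` when `dns_client_createx2` failed, but the new `if (!(flags & DHCP_DNS_CLIENT_LAZY_INIT)) { result = dns_client_init(); }` only stores the status, so whether a failed non-lazy init still tears down the already-created managers now depends on what follows `#endif`, which is outside the hunk; I would keep the old behaviour explicit with `if (result != ISC_R_SUCCESS) goto cleanup;` right after the call. Both the header and the definition declare `dns_client_init()` with empty parentheses, which in C is an unprototyped declaration rather than a zero-argument one; both should read `isc_result_t dns_client_init(void)`. `dns_client_init` also returns ISC_R_SUCCESS when `dhcp_dns_client_setservers` fails, which preserves the old log-and-continue behaviour but means a later `ddns_modify_fwd`/`ddns_modify_ptr` call proceeds with no usable resolver. Since the point of the change is to stop dhclient and dhcpd from binding two random UDP ports when DDNS is not in use, the lazy path in `ddns_modify_fwd`/`ddns_modify_ptr` deserves a comment saying so, e.g. `/* First update opens the DDNS sockets; failure is returned to the caller, not fatal at startup. */`.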
@@ -1,7 +1,7 @@
 #
 # spec file for package dhcp
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -113,6 +113,8 @@ Patch18: 0018-client-fail-on-script-pre-init-error-bsc-912098.patch
 # PATCH-FIX-SLE dhcp-4.2.4-P1-interval bsc#947780
 Patch19: 0019-dhcp-4.2.4-P1-interval.patch
 Patch20: 0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch
+Patch21: 0021-master-Plugs-a-socket-descriptor-leak-in-OMAPI.patch
+Patch22: 0022-Optimized-if-and-when-DNS-client-context-and-ports.patch
 ## PreReq: /bin/touch /sbin/chkconfig sysconfig
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -249,6 +251,8 @@ Authors:
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
+%patch22 -p1
 ## find . -type f -name \*.cat\* -exec rm -f {} \;
 dos2unix contrib/ms2isc/*