From 1f57393408ee780f23f7c92c6e96cdb6a5762c5750ca60cd0a05df992860ccb0 Mon Sep 17 00:00:00 2001
From: OBS User buildservice-autocommit
Date: Mon, 21 Feb 2011 16:47:36 +0000
Subject: [PATCH 1/4] Updating link to change in openSUSE:Factory/dhcp revision 50.0
OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=b3e5156cc3bf59825ee92d06343b571b
---
 dhcp.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dhcp.spec b/dhcp.spec
index 7e388dc..04a8282 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -36,7 +36,7 @@ License: BSD3c(or similar)
 Group: Productivity/Networking/Boot/Servers
 AutoReqProv: on
 Version: 4.2.0.P2
-Release: 2
+Release: 8
 Summary: Common Files Used by ISC DHCP Software
 Url: http://www.isc.org/software/dhcp
 Source0: dhcp-%{isc_version}.tar.bz2
From b2f0f653123e574cf4a54626c12e59f094e2110e599bc703476d2d6bbd6c9810 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Wed, 30 Mar 2011 15:58:00 +0000
Subject: [PATCH 2/4] - first test to update to 4.2.1
OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=60
---
 ...4.1.1-P1-optional-value-infinite-loop.diff | 46 -----------
 dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2 | 3 -
 dhcp-4.2.0-P1-no-libcrypto.diff | 17 ----
 dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff | 78 -------------------
 dhcp-4.2.0-P2.tar.bz2 | 3 -
 ...dhcp-4.2.1-dhclient-send-hostname-rml.diff | 36 ++++-----
 dhcp-4.2.1-ldap-patch-mt01.diff.bz2 | 3 +
 dhcp-4.2.1.tar.bz2 | 3 +
 dhcp.changes | 5 ++
 dhcp.spec | 16 ++--
 10 files changed, 34 insertions(+), 176 deletions(-)
 delete mode 100644 dhcp-4.1.1-P1-optional-value-infinite-loop.diff
 delete mode 100644 dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2
 delete mode 100644 dhcp-4.2.0-P1-no-libcrypto.diff
 delete mode 100644 dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
 delete mode 100644 dhcp-4.2.0-P2.tar.bz2
 rename dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff => dhcp-4.2.1-dhclient-send-hostname-rml.diff (75%)
 create mode 100644 dhcp-4.2.1-ldap-patch-mt01.diff.bz2
 create mode 100644 dhcp-4.2.1.tar.bz2
diff --git a/dhcp-4.1.1-P1-optional-value-infinite-loop.diff b/dhcp-4.1.1-P1-optional-value-infinite-loop.diff
deleted file mode 100644
index cfe480d..0000000
--- a/dhcp-4.1.1-P1-optional-value-infinite-loop.diff
+++ /dev/null
@@ -1,46 +0,0 @@
-From 912eb17103f764ef4486b30a4801af64321a23ed Mon Sep 17 00:00:00 2001
-From: Marius Tomaschewski
-Date: Fri, 29 Oct 2010 18:51:02 +0200
-Subject: [PATCH] dhcp-4.1.1-P1-optional-value-infinite-loop
-
-Fixed dhcp server infinite loop while parsing options with optional
-parts in the value such as in slp-service-scope option (bnc#643845,
-[ISC-Bugs #22410]).
-
-Signed-off-by: Marius Tomaschewski
----
- common/parse.c | 17 ++++++++++++++++-
- 1 files changed, 16 insertions(+), 1 deletions(-)
-
-diff --git a/common/parse.c b/common/parse.c
-index 34b909a..081dcc9 100644
---- a/common/parse.c
-+++ b/common/parse.c
-@@ -4931,8 +4931,23 @@ struct option *option;
- do {
- if ((*fmt == 'A') || (*fmt == 'a'))
- break;
-- if (*fmt == 'o')
-+ if (*fmt == 'o') {
-+ /* previous value were optional */
-+ fmt++;
- continue;
-+ }
-+ if (fmt[1] == 'o') {
-+ /*
-+ * value for current format code is optional
-+ * check if the next token is a semicolon;
-+ * it is expected to be read by our caller.
-+ */
-+ token = peek_token (&val, (unsigned *)0, cfile);
-+ if (token == SEMI) {
-+ fmt++;
-+ continue;
-+ }
-+ }
-
- tmp = *expr;
- *expr = NULL;
---
-1.7.1
-
diff --git a/dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2 b/dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2
deleted file mode 100644
index d5d9410..0000000
--- a/dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1e58b92113ba2502a7f3957065dac709d8d7e8fe3e23bc3e2543cec0a2c11450
-size 9915
diff --git a/dhcp-4.2.0-P1-no-libcrypto.diff b/dhcp-4.2.0-P1-no-libcrypto.diff
deleted file mode 100644
index 2ee2481..0000000
--- a/dhcp-4.2.0-P1-no-libcrypto.diff
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index b880616..3e0d11b 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -420,8 +420,12 @@ AC_TRY_LINK(
- AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h)
-
- # find an MD5 library
-+saved_LIBS="$LIBS"
-+LIBS=""
- AC_SEARCH_LIBS(MD5_Init, [crypto])
- AC_SEARCH_LIBS(MD5Init, [crypto])
-+CRYPTO_LIBS="$LIBS"
-+LIBS="$saved_LIBS"
-
- # Solaris needs some libraries for functions
- AC_SEARCH_LIBS(socket, [socket])
diff --git a/dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff b/dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
deleted file mode 100644
index 5941b03..0000000
--- a/dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
+++ /dev/null
@@ -1,78 +0,0 @@
-From ef8d97cd543d87135b3aae2d778a6f91cb800498 Mon Sep 17 00:00:00 2001
-From: Marius Tomaschewski
-Date: Wed, 2 Feb 2011 09:18:39 +0100
-Subject: [PATCH] Unexpected abort caused by a DHCPv6 decline
-
-Security fix (CVE-2011-0413, VU#686084, bnc#667655) extracted from
-dhcp-4.2.1b1 sources; description from dhcp-4.2.1b1/RELNOTES:
-! When processing a request in the DHCPv6 server code that specifies
- an address that is tagged as abandoned (meaning we received a
- decline request for it previously) don't attempt to move it from
- the inactive to active pool as doing so can result in the server
- crshing on an assert failure. Also retag the lease as active
- and reset it's timeout value.
- [ISC-Bugs #21921]
-
-Signed-off-by: Marius Tomaschewski
----
- server/mdb6.c | 19 ++++++++++++++++---
- 1 files changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/server/mdb6.c b/server/mdb6.c
-index 87bd152..9d410f5 100644
---- a/server/mdb6.c
-+++ b/server/mdb6.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2007-2010 by Internet Systems Consortium, Inc. ("ISC")
-+ * Copyright (C) 2007-2011 by Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -1010,7 +1010,7 @@ move_lease_to_active(struct ipv6_pool *pool, struct iasubopt *lease) {
- * Renew an lease in the pool.
- *
- * To do this, first set the new hard_lifetime_end_time for the resource,
-- * and then invoke renew_lease() on it.
-+ * and then invoke renew_lease6() on it.
- *
- * WARNING: lease times must only be extended, never reduced!!!
- */
-@@ -1020,12 +1020,24 @@ renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
- * If we're already active, then we can just move our expiration
- * time down the heap.
- * -+ * If we're abandoned then we are already on the active list -+ * but we need to retag the lease and move our expiration -+ * from infinite to the current value -+ * - * Otherwise, we have to move from the inactive heap to the - * active heap. - */ - if (lease->state == FTS_ACTIVE) { - isc_heap_decreased(pool->active_timeouts, lease->heap_index); - return ISC_R_SUCCESS; -+ } else if (lease->state == FTS_ABANDONED) { -+ char tmp_addr[INET6_ADDRSTRLEN]; -+ lease->state = FTS_ACTIVE; -+ isc_heap_increased(pool->active_timeouts, lease->heap_index); -+ log_info("Reclaiming previously abandoned address %s", -+ inet_ntop(AF_INET6, &(lease->addr), tmp_addr, -+ sizeof(tmp_addr))); -+ return ISC_R_SUCCESS; - } else { - return move_lease_to_active(pool, lease); - } -@@ -1115,7 +1127,8 @@ isc_result_t - decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease) { - isc_result_t result; - -- if (lease->state != FTS_ACTIVE) { -+ if ((lease->state != FTS_ACTIVE) && -+ (lease->state != FTS_ABANDONED)) { - result = move_lease_to_active(pool, lease); - if (result != ISC_R_SUCCESS) { - return result; --- -1.7.1 - diff --git a/dhcp-4.2.0-P2.tar.bz2 b/dhcp-4.2.0-P2.tar.bz2 deleted file mode 100644 index 3815edd..0000000 --- a/dhcp-4.2.0-P2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1fb1e8f4f4bef848bc7c5cbac510c2d4091cf4a10ca831ab892512f48274983e -size 8432072 diff --git a/dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff b/dhcp-4.2.1-dhclient-send-hostname-rml.diff similarity index 75% rename from dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff rename to dhcp-4.2.1-dhclient-send-hostname-rml.diff index 6aca931..89be585 100644 --- a/dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff +++ b/dhcp-4.2.1-dhclient-send-hostname-rml.diff @@ -1,34 +1,34 @@ diff --git a/client/dhclient.8 b/client/dhclient.8 -index b805528..d31fa8d 100644 +index 7a3c154..e284210 100644 --- a/client/dhclient.8 
+++ b/client/dhclient.8 -@@ -60,6 +60,9 @@ dhclient - Dynamic Host Configuration Protocol Client +@@ -64,6 +64,10 @@ dhclient - Dynamic Host Configuration Protocol Client .I port ] [ -+.B -H hostname ++.B -H ++.I hostname +] +[ .B -d ] [ -@@ -227,6 +230,11 @@ If a different port is specified for the client to listen on and - transmit on, the client will also use a different destination port - +@@ -305,6 +309,10 @@ If a different port is specified on which the client should listen and + transmit, the client will also use a different destination port - one less than the specified port. - .PP -+The -+.B -H -+flag may be used to specify a client hostname that should be sent to + .TP ++.BI \-H \ hostname ++This flag may be used to specify a client hostname that should be sent to +the DHCP server. Note, that this option is a SUSE/Novell extension. -+.PP - The DHCP client normally transmits any protocol messages it sends - before acquiring an IP address to, 255.255.255.255, the IP limited - broadcast address. For debugging purposes, it may be useful to have ++.TP + .BI \-s \ server + Specify the server IP address or fully qualified domain name to use as + a destination for DHCP protocol messages before diff --git a/client/dhclient.c b/client/dhclient.c -index 15c31a5..65e9c23 100644 +index dc19e8b..bd02cc9 100644 --- a/client/dhclient.c +++ b/client/dhclient.c -@@ -108,6 +108,7 @@ main(int argc, char **argv) { +@@ -110,6 +110,7 @@ main(int argc, char **argv) { int no_dhclient_db = 0; int no_dhclient_pid = 0; int no_dhclient_script = 0; @@ -36,7 +36,7 @@ index 15c31a5..65e9c23 100644 #ifdef DHCPv6 int local_family_set = 0; #endif /* DHCPv6 */ -@@ -212,6 +213,16 @@ main(int argc, char **argv) { +@@ -220,6 +221,16 @@ main(int argc, char **argv) { if (++i == argc) usage(); mockup_relay = argv[i]; 
@@ -53,7 +53,7 @@ index 15c31a5..65e9c23 100644 } else if (!strcmp(argv[i], "-nw")) { nowait = 1; } else if (!strcmp(argv[i], "-n")) { -@@ -445,6 +456,32 @@ main(int argc, char **argv) { +@@ -468,6 +479,32 @@ main(int argc, char **argv) { /* Parse the dhclient.conf file. */ read_client_conf(); @@ -86,7 +86,7 @@ index 15c31a5..65e9c23 100644 /* Parse the lease database. */ read_client_leases(); -@@ -674,12 +711,12 @@ static void usage() +@@ -676,12 +713,12 @@ static void usage() log_error("Usage: dhclient %s %s", #ifdef DHCPv6 diff --git a/dhcp-4.2.1-ldap-patch-mt01.diff.bz2 b/dhcp-4.2.1-ldap-patch-mt01.diff.bz2 new file mode 100644 index 0000000..87aa665 --- /dev/null +++ b/dhcp-4.2.1-ldap-patch-mt01.diff.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8c2229228431fa1b71761a76a45952fb8ec6e7a7cc7e84d7f49f953f96c303ad +size 10004 diff --git a/dhcp-4.2.1.tar.bz2 b/dhcp-4.2.1.tar.bz2 new file mode 100644 index 0000000..09becf6 --- /dev/null +++ b/dhcp-4.2.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:172851e0eedbbb009142b143a5f1ed9d6d370d909475a356ac9a753c15c354e9 +size 8656089 diff --git a/dhcp.changes b/dhcp.changes index 97542ec..3267ba4 100644 --- a/dhcp.changes +++ b/dhcp.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Mar 30 15:56:14 UTC 2011 - mt@suse.de + +- first test to update to 4.2.1 + ------------------------------------------------------------------- Mon Feb 21 14:51:43 UTC 2011 - mt@suse.de diff --git a/dhcp.spec b/dhcp.spec index 04a8282..82230d1 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -17,7 +17,7 @@ # norootforbuild -%define isc_version 4.2.0-P2 +%define isc_version 4.2.1 %define susefw2dir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %define omc_prefix /usr/share/omc %define omc_svcdir %{omc_prefix}/svcinfo.d 
@@ -35,8 +35,8 @@ BuildRequires: dos2unix
 License: BSD3c(or similar)
 Group: Productivity/Networking/Boot/Servers
 AutoReqProv: on
-Version: 4.2.0.P2
-Release: 8
+Version: 4.2.1
+Release: 0
 Summary: Common Files Used by ISC DHCP Software
 Url: http://www.isc.org/software/dhcp
 Source0: dhcp-%{isc_version}.tar.bz2
@@ -76,14 +76,11 @@ Patch13: dhcp-4.1.1-tmpfile.diff
 Patch14: dhcp-4.1.1-in6_pktinfo-prototype.diff
 Patch15: contrib-lease-path.diff
 Patch20: dhcp-4.1.1-dhclient-exec-filedes.diff
-Patch21: dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff
+Patch21: dhcp-4.2.1-dhclient-send-hostname-rml.diff
 ## patch lives here: http://www.suse.de/~mt/git/dhcp-ldap.git/
-Patch30: dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2
-Patch39: dhcp-4.2.0-P1-no-libcrypto.diff
+Patch30: dhcp-4.2.1-ldap-patch-mt01.diff.bz2
 Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff
 Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff
-Patch42: dhcp-4.1.1-P1-optional-value-infinite-loop.diff
-Patch43: dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff
 Patch44: dhcp-4.2.0-xen-checksum.patch
 ##
 PreReq: /bin/touch /sbin/chkconfig sysconfig
@@ -206,11 +203,8 @@ Authors:
 %if 0%{?with_ldap}
 %patch30 -p1
 %endif
-%patch39 -p1
 %patch40 -p1
 %patch41 -p1
-%patch42 -p1
-%patch43 -p1
 %patch44 -p1
 ##
 find . -type f -name \*.cat\* -exec rm -f {} \;
From c3435bba351f165f4d8ccb4495e802cc205f8afc7780a03837f5890ad4c1d0f4 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Thu, 31 Mar 2011 09:28:41 +0000
Subject: [PATCH 3/4] Fixed ldap patch merge Added changelog to changes file
OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=61
---
 dhcp-4.2.1-ldap-patch-mt01.diff.bz2 | 4 ++--
 dhcp.changes | 22 ++++++++++++++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/dhcp-4.2.1-ldap-patch-mt01.diff.bz2 b/dhcp-4.2.1-ldap-patch-mt01.diff.bz2
index 87aa665..c4e4828 100644
--- a/dhcp-4.2.1-ldap-patch-mt01.diff.bz2
+++ b/dhcp-4.2.1-ldap-patch-mt01.diff.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8c2229228431fa1b71761a76a45952fb8ec6e7a7cc7e84d7f49f953f96c303ad
-size 10004
+oid sha256:5d5a0f6d8570eda14268c48207f6df9c0360ddf2e91de50676e6e6d9a8df3d82
+size 10234
diff --git a/dhcp.changes b/dhcp.changes
index 3267ba4..c161f3c 100644
--- a/dhcp.changes
+++ b/dhcp.changes
@@ -1,7 +1,25 @@
 -------------------------------------------------------------------
-Wed Mar 30 15:56:14 UTC 2011 - mt@suse.de
+Thu Mar 31 09:00:19 UTC 2011 - mt@suse.de
-- first test to update to 4.2.1
+- Updated to ISC DHCP 4.2.1 release (bnc#680298), that provides
+ following fixes (digest):
+ * Several fixes to OMAPI, cleanup of dereferenced pointers in
+ the omapi handle, handling of pipe failures and status code
+ in omapi signal handler that may cause connect failure and
+ 100% CPU use.
+ * Handle some DDNS corner cases better
+ * Several fixes to lease input and output
+ * Corrected side effect of printing all data strings as hex.
+ * Host record references leaks causing applying config to all
+ innocent clients.
+ * Memory leak when parsing a domain name
+ * Fixes to configuration parsing including infinite loop.
+ * Fixed for unexpected abort caused by a DHCPv6 decline.
+ For the complete list see the RELNOTES file, that is available
+ also online at http://ftp.isc.org/isc/dhcp/dhcp-4.2.1-RELNOTES.
+- Removed obsolete optional-value-infinite-loop, no-libcrypto
+ and CVE-2011-0413.bnc667655 patches.
+- Merged the dhclient-send-hostname and ldap patches.
 -------------------------------------------------------------------
 Mon Feb 21 14:51:43 UTC 2011 - mt@suse.de
From 43cf8a56655f0cc4bcf61d74e76735e8af69004d309820b6804e9a6a7b7bc6c0 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Wed, 6 Apr 2011 09:08:11 +0000
Subject: [PATCH 4/4] - Discard string options such as host and domain names containing disallowed characters or beeing too long. This proctive patch limits root-path to a-zA-Z0-9, #%+-_:.,@~/\[]= and a space (bnc#675052, CVE-2011-0997).
OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=62
---
 dhclient-script | 25 +-
 ....2.1-dhclient-option-checks.bnc675052.diff | 248 ++++++++++++++++++
 dhcp.changes | 8 +
 dhcp.spec | 2 +
 4 files changed, 274 insertions(+), 9 deletions(-)
 create mode 100644 dhcp-4.2.1-dhclient-option-checks.bnc675052.diff
diff --git a/dhclient-script b/dhclient-script
index 74abf8f..02afc92 100644
--- a/dhclient-script
+++ b/dhclient-script
@@ -236,21 +236,26 @@ set_ipv6_routes()
 }
 set_hostname()
 {
+ rx_host='^[[:alnum:]][[:alnum:]_-]{0,62}$'
 if [ "$DHCLIENT_SET_HOSTNAME" = yes ] ; then
+ new_host_name="${new_host_name%%.*}"
+ [[ ${new_host_name} =~ ${rx_host} ]] || unset new_host_name
 current_hostname=`hostname`
- if [ "x${current_hostname%%.*}" = "x" ] || \
- [ "x${current_hostname%%.*}" = "x(none)" ] || \
- [ "x${current_hostname%%.*}" = "xlocalhost" ] || \
- [ "x${current_hostname%%.*}" != "x${new_host_name%%.*}" ]; then
+ current_hostname="${current_hostname%%.*}"
+ [[ ${current_hostname} =~ ${rx_host} ]] || unset current_hostname
- if [ "x${new_host_name%%.*}" != "x" ]; then
- hostname "${new_host_name%%.*}"
+ if [ "x${current_hostname}" = "x" ] || \
+ [ "x${current_hostname}" = "xlocalhost" ] || \
+ [ "x${current_hostname}" != "x${new_host_name}" ]; then
+ if [ "x${new_host_name}" != "x" ]; then
+ hostname "${new_host_name}"
 else
 if [ -x /usr/bin/host ] ; then
 if out=`host -W 2 "$new_ip_address" 2>/dev/null` ; then
- _hostname="`echo "$out" | sed 's:^.* ::; s:\..*::'`"
+ _hostname="`echo "$out" | sed 's:^.* ::; s:\..*::; s:.*[)]::'`"
+ [[ ${_hostname} =~ ${rx_host} ]] || unset _hostname
 if [ "x${_hostname}" != "x" -a \
- "x${_hostname}" != "x${current_hostname%%.*}" ]; then
+ "x${_hostname}" != "x${current_hostname}" ]; then
 hostname "${_hostname}"
 fi
 fi
@@ -264,7 +269,9 @@ set_hostname()
 # it changed, we've to handle it anyway...
 local OLD_HOSTNAME=`read_cached_config_data hostname $interface`
 local CUR_HOSTNAME=`hostname 2>/dev/null`
- if test "x$OLD_HOSTNAME" != "x$CUR_HOSTNAME" ; then
+ CUR_HOSTNAME="${CUR_HOSTNAME%%.*}"
+ if [[ ${CUR_HOSTNAME} =~ ${rx_host} ]] && \
+ [ "x$OLD_HOSTNAME" != "x$CUR_HOSTNAME" ] ; then
 write_cached_config_data hostname "$CUR_HOSTNAME" $interface
 commit_cached_config_data $interface
diff --git a/dhcp-4.2.1-dhclient-option-checks.bnc675052.diff b/dhcp-4.2.1-dhclient-option-checks.bnc675052.diff
new file mode 100644
index 0000000..99d948b
--- /dev/null
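Review bot: `rx_host` in the first hunk accepts a name that ends in `-` or `_`, while the C-side `check_domain_name` added in this same patch rejects those characters at the end of a label, so the two validators disagree on what a clean host name is. Anchoring the last character would align them: `rx_host='^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$'`. The `[[ … =~ … ]]` tests require bash and the interpreter line is outside the hunk, so that should be confirmed; `rx_host` could also be declared `local`, as `OLD_HOSTNAME` and `CUR_HOSTNAME` are in the second hunk. The body of `set_hostname` begins in the first hunk and appears to end outside the second.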
+++ b/dhcp-4.2.1-dhclient-option-checks.bnc675052.diff 
@@ -0,0 +1,248 @@
+From 632c8ceeff26a7663f939895f77aecb8377773f2 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski
+Date: Sun, 27 Mar 2011 13:15:58 +0200
+Subject: [PATCH] dhclient: discard incorrect string options
+
+Discard string options such as host and domain names
+containing disallowed characters or beeing too long.
+This proctive patch limits root-path to the a-zA-Z0-9,
+space and the #%+-_:.,@~/\[]= characters.
+
+Signed-off-by: Marius Tomaschewski
+---
+ client/dhclient.c | 186 +++++++++++++++++++++++++++++++++++++++++++++++++----
+ common/options.c | 3 +-
+ 2 files changed, 175 insertions(+), 14 deletions(-)
+
+diff --git a/client/dhclient.c b/client/dhclient.c
+index dc19e8b..5d96c72 100644
+--- a/client/dhclient.c
++++ b/client/dhclient.c
+@@ -91,6 +91,11 @@ static void usage(void);
+
+ static isc_result_t write_duid(struct data_string *duid);
+
++static int check_domain_name(const char *ptr, size_t len, int dots);
++static int check_domain_name_list(const char *ptr, size_t len, int dots);
++static int check_option_values(struct universe *universe, unsigned int opt,
++ const char *ptr, size_t len);
++
+ int
+ main(int argc, char **argv) {
+ int fd;
+@@ -3034,13 +3039,23 @@ void client_option_envadd (struct option_cache *oc,
+ if (data.len) {
+ char name [256];
+ if (dhcp_option_ev_name (name, sizeof name,
+- oc -> option)) {
+- client_envadd (es -> client, es -> prefix,
+- name, "%s",
+- (pretty_print_option
+- (oc -> option,
+- data.data, data.len,
+- 0, 0)));
++ oc->option)) {
++ const char *value;
++ value = pretty_print_option(oc->option,
++ data.data,
++ data.len, 0, 0);
++ size_t length = strlen(value);
++
++ if (check_option_values(oc->option->universe,
++ oc->option->code,
++ value, length) == 0) {
++ client_envadd(es->client, es->prefix,
++ name, "%s", value);
++ } else {
++ log_error("suspect value in %s "
++ "option - discarded",
++ name);
++ }
+ data_string_forget (&data, MDL);
+ }
+ }
+@@ -3118,12 +3133,32 @@ void script_write_params
(client, prefix, lease)
+ data_string_forget (&data, MDL);
+ }
+
+- if (lease -> filename)
+- client_envadd (client,
+- prefix, "filename", "%s", lease -> filename);
+- if (lease -> server_name)
+- client_envadd (client, prefix, "server_name",
+- "%s", lease -> server_name);
++ if (lease->filename) {
++ if (check_option_values(NULL, DHO_ROOT_PATH,
++ lease->filename,
++ strlen(lease->filename)) == 0) {
++ client_envadd(client, prefix, "filename",
++ "%s", lease->filename);
++ } else {
++ log_error("suspect value in %s "
++ "option - discarded",
++ "filename");
++ }
++ }
++
++ if (lease->server_name) {
++ if (check_option_values(NULL, DHO_HOST_NAME,
++ lease->server_name,
++ strlen(lease->server_name)) == 0 ) {
++ client_envadd (client, prefix, "server_name",
++ "%s", lease->server_name);
++ } else {
++ log_error("suspect value in %s "
++ "option - discarded",
++ "server_name");
++ }
++ }
++
+
+ for (i = 0; i < lease -> options -> universe_count; i++) {
+ option_space_foreach ((struct packet *)0, (struct lease *)0,
+@@ -4026,3 +4061,128 @@ dhcpv4_client_assignments(void)
+ } else
+ remote_port = htons (ntohs (local_port) - 1); /* XXX */
+ }
++
++/*
++ * The following routines are used to check that certain
++ * strings are reasonable before we pass them to the scripts.
++ * This avoids some problems with scripts treating the strings
++ * as commands - see ticket 23722
++ * The domain checking code should be done as part of assembling
++ * the string but we are doing it here for now due to time
++ * constraints.
++ */
++
++static int check_domain_name(const char *ptr, size_t len, int dots)
++{
++ const char *p;
++
++ /* not empty or complete length not over 255 characters */
++ if ((len == 0) || (len >= 256))
++ return(-1);
++
++ /* consists of [[:alnum:]-]+ labels separated by [.] */
++ /* a [_] is against RFC but seems to be "widely used"...
*/
++ for (p=ptr; (*p != 0) && (len-- > 0); p++) {
++ if ((*p == '-') || (*p == '_')) {
++ /* not allowed at begin or end of a label */
++ if (((p - ptr) == 0) || (len == 0) || (p[1] == '.'))
++ return(-1);
++ } else if (*p == '.') {
++ /* each label has to be 1-63 characters;
++ we allow [.] at the end ('foo.bar.') */
++ size_t d = p - ptr;
++ if ((d <= 0) || (d >= 64))
++ return(-1);
++ ptr = p + 1; /* jump to the next label */
++ if ((dots > 0) && (len > 0))
++ dots--;
++ } else if (isalnum((unsigned char)*p) == 0) {
++ /* also numbers at the begin are fine */
++ return(-1);
++ }
++ }
++ return(dots ? -1 : 0);
++}
++
++static int check_domain_name_list(const char *ptr, size_t len, int dots)
++{
++ const char *p;
++ int ret = -1; /* at least one needed */
++
++ if ((ptr == NULL) || (len == 0))
++ return(-1);
++
++ for (p=ptr; (*p != 0) && (len > 0); p++, len--) {
++ if (*p != ' ')
++ continue;
++ if (p > ptr) {
++ if (check_domain_name(ptr, p - ptr, dots) != 0)
++ return(-1);
++ ret = 0;
++ }
++ ptr = p + 1;
++ }
++ if (p > ptr)
++ return(check_domain_name(ptr, p - ptr, dots));
++ else
++ return(ret);
++}
++
++static int check_option_values(struct universe *universe,
++ unsigned int opt,
++ const char *ptr,
++ size_t len)
++{
++ if (ptr == NULL)
++ return(-1);
++
++ /* just reject options we want to protect, will be escaped anyway */
++ if ((universe == NULL) || (universe == &dhcp_universe)) {
++ switch(opt) {
++ case DHO_HOST_NAME:
++ case DHO_DOMAIN_NAME:
++ case DHO_NIS_DOMAIN:
++ case DHO_NETBIOS_SCOPE:
++ return check_domain_name(ptr, len, 0);
++ break;
++ case DHO_DOMAIN_SEARCH:
++ return check_domain_name_list(ptr, len, 0);
++ break;
++ case DHO_ROOT_PATH:
++ if (len == 0)
++ return(-1);
++ for (; (*ptr != 0) && (len-- > 0); ptr++) {
++ if(!(isalnum((unsigned char)*ptr) ||
++ *ptr == '#' || *ptr == '%' ||
++ *ptr == '+' || *ptr == '-' ||
++ *ptr == '_' || *ptr == ':' ||
++ *ptr == '.'
|| *ptr == ',' ||
++ *ptr == '@' || *ptr == '~' ||
++ *ptr == '\\' || *ptr == '/' ||
++ *ptr == '[' || *ptr == ']' ||
++ *ptr == '=' || *ptr == ' '))
++ return(-1);
++ }
++ return(0);
++ break;
++ }
++ }
++
++#ifdef DHCPv6
++ if (universe == &dhcpv6_universe) {
++ switch(opt) {
++ case D6O_SIP_SERVERS_DNS:
++ case D6O_DOMAIN_SEARCH:
++ case D6O_NIS_DOMAIN_NAME:
++ case D6O_NISP_DOMAIN_NAME:
++ return check_domain_name_list(ptr, len, 0);
++ break;
++ }
++ }
++#endif
++
++ return(0);
++}
++
++
++
+diff --git a/common/options.c b/common/options.c
+index 28c36e6..3a6cb33 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -3915,7 +3915,8 @@ pretty_escape(char **dst, char *dend, const unsigned char **src,
+ count += 4;
+ }
+ } else if (**src == '"' || **src == '\'' || **src == '$' ||
+- **src == '`' || **src == '\\') {
++ **src == '`' || **src == '\\' || **src == '|' ||
++ **src == '&' || **src == ';') {
+ if (*dst + 2 > dend)
+ return -1;
+
+--
+1.7.3.4
+
diff --git a/dhcp.changes b/dhcp.changes
index c161f3c..0423d76 100644
--- a/dhcp.changes
+++ b/dhcp.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Mar 31 09:56:02 UTC 2011 - mt@suse.de
+
+- Discard string options such as host and domain names containing
+ disallowed characters or beeing too long. This proctive patch
+ limits root-path to a-zA-Z0-9, #%+-_:.,@~/\[]= and a space
+ (bnc#675052, CVE-2011-0997).
+
 -------------------------------------------------------------------
 Thu Mar 31 09:00:19 UTC 2011 - mt@suse.de
diff --git a/dhcp.spec b/dhcp.spec
index 82230d1..b0339ac 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -82,6 +82,7 @@ Patch30: dhcp-4.2.1-ldap-patch-mt01.diff.bz2
 Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff
 Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff
 Patch44: dhcp-4.2.0-xen-checksum.patch
+Patch45: dhcp-4.2.1-dhclient-option-checks.bnc675052.diff
 ##
 PreReq: /bin/touch /sbin/chkconfig sysconfig
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
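Review bot: The 1-63 character label limit in `check_domain_name` is enforced only inside the `*p == '.'` branch, so the final label of a name, and therefore any dot-free host or domain name, is bounded only by the 255-character total. A check after the loop and before `return(dots ? -1 : 0);` would close this: `if ((size_t)(p - ptr) >= 64) return(-1);` (a trailing dot leaves `p == ptr`, so `'foo.bar.'` still passes). Options not named in either `switch` of `check_option_values` return 0 and rely on `pretty_escape` alone, which the comment `/* just reject options we want to protect, will be escaped anyway */` could state more explicitly. Since `d` is a `size_t`, `d <= 0` can be written `d == 0`.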
@@ -206,6 +207,7 @@ Authors:
 %patch40 -p1
 %patch41 -p1
 %patch44 -p1
+%patch45 -p1
 ##
 find . -type f -name \*.cat\* -exec rm -f {} \;
 dos2unix contrib/ms2isc/*