From a66d02d4db61c31113015846ecffc79a4448c587d4af5bb39f3fb259079a5e41 Mon Sep 17 00:00:00 2001 
From: Marius Tomaschewski Date: Mon, 16 Jan 2012 17:05:05 +0000 Subject: [PATCH] - Updated to ISC dhcp-4.2.3-P2 release, providing a DDNS security fix: Modify the DDNS handling code. In a previous patch we added logging code to the DDNS handling. This code included a bug that caused it to attempt to dereference a NULL pointer and eventually segfault. While reviewing the code as we addressed this problem, we determined that some of the updates to the lease structures would not work as planned since the structures being updated were in the process of being freed: these updates were removed. In addition we removed an incorrect call to the DDNS removal function that could cause a failure during the removal of DDNS information from the DNS server. Thanks to Jasper Jongmans for reporting this issue. ([ISC-Bugs #27078], CVE: CVE-2011-4868, bnc#741239) - Fixed close-on-exec patch to not set it on stderr (bnc#732910) - Fixed incorrect "a" array type option parsing causing to discard e.g. classless static routes from lease file [reported as ISC-Bug 27289] and zero-length option parsing such as dhcp6.rapid-commit in dhclient6 [reported as ISC-Bug 27314] (bnc#739696). - Fixed dhclient to include its pid number in syslog messages. - Fixed to use P2 in the spec version, not in the release tag. 
OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=85 --- dhcp-4.2.2-close-on-exec.diff | 71 ------------------- dhcp-4.2.3-P1-dhclient-log-pid.diff | 29 ++++++++ dhcp-4.2.3-P1-dhclient-option_param-a.diff | 41 +++++++++++ ....2.3-P1-dhclient-zero-length-options.patch | 65 +++++++++++++++++ dhcp-4.2.3-P1.tar.bz2 | 3 - dhcp-4.2.3-P2.tar.bz2 | 3 + dhcp.changes | 23 ++++++ dhcp.spec | 14 ++-- 8 files changed, 171 insertions(+), 78 deletions(-) create mode 100644 dhcp-4.2.3-P1-dhclient-log-pid.diff create mode 100644 dhcp-4.2.3-P1-dhclient-option_param-a.diff create mode 100644 dhcp-4.2.3-P1-dhclient-zero-length-options.patch delete mode 100644 dhcp-4.2.3-P1.tar.bz2 create mode 100644 dhcp-4.2.3-P2.tar.bz2 diff --git a/dhcp-4.2.2-close-on-exec.diff b/dhcp-4.2.2-close-on-exec.diff index a633a05..ccd31b6 100644 --- a/dhcp-4.2.2-close-on-exec.diff +++ b/dhcp-4.2.2-close-on-exec.diff @@ -24,21 +24,6 @@ diff --git a/client/dhclient.c b/client/dhclient.c index 82c26bb..a1cab01 100644 --- a/client/dhclient.c +++ b/client/dhclient.c -@@ -131,11 +131,11 @@ main(int argc, char **argv) { - /* Make sure that file descriptors 0 (stdin), 1, (stdout), and - 2 (stderr) are open. To do this, we assume that when we - open a file the lowest available file descriptor is used. */ -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 0) -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 1) -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 2) - log_perror = 0; /* No sense logging to /dev/null. */ - else if (fd != -1) @@ -423,7 +423,7 @@ main(int argc, char **argv) { int e; 
@@ -84,19 +69,6 @@ index 82c26bb..a1cab01 100644 if (leaseFile == NULL) { log_error ("can't create %s: %m", path_dhclient_db); return 0; -@@ -3472,9 +3472,9 @@ void go_daemon () - close(2); - - /* Reopen them on /dev/null. */ -- open("/dev/null", O_RDWR); -- open("/dev/null", O_RDWR); -- open("/dev/null", O_RDWR); -+ open("/dev/null", O_RDWR | O_CLOEXEC); -+ open("/dev/null", O_RDWR | O_CLOEXEC); -+ open("/dev/null", O_RDWR | O_CLOEXEC); - - write_client_pid_file (); - diff --git a/common/bpf.c b/common/bpf.c index 8bd5727..7b8f1d4 100644 --- a/common/bpf.c @@ -276,21 +248,6 @@ diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c index f21f16f..d2aa90e 100644 --- a/relay/dhcrelay.c +++ b/relay/dhcrelay.c -@@ -183,11 +183,11 @@ main(int argc, char **argv) { - /* Make sure that file descriptors 0(stdin), 1,(stdout), and - 2(stderr) are open. To do this, we assume that when we - open a file the lowest available file descriptor is used. */ -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 0) -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 1) -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 2) - log_perror = 0; /* No sense logging to /dev/null. */ - else if (fd != -1) @@ -540,13 +540,14 @@ main(int argc, char **argv) { if (no_pid_file == ISC_FALSE) { @@ -356,21 +313,6 @@ diff --git a/server/dhcpd.c b/server/dhcpd.c index 27e04e4..9233d26 100644 --- a/server/dhcpd.c 
+++ b/server/dhcpd.c -@@ -274,11 +274,11 @@ main(int argc, char **argv) { - /* Make sure that file descriptors 0 (stdin), 1, (stdout), and - 2 (stderr) are open. To do this, we assume that when we - open a file the lowest available file descriptor is used. */ -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 0) -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 1) -- fd = open("/dev/null", O_RDWR); -+ fd = open("/dev/null", O_RDWR | O_CLOEXEC); - if (fd == 2) - log_perror = 0; /* No sense logging to /dev/null. */ - else if (fd != -1) @@ -809,7 +809,7 @@ main(int argc, char **argv) { */ if (no_pid_file == ISC_FALSE) { @@ -389,19 +331,6 @@ index 27e04e4..9233d26 100644 if (i >= 0) { sprintf(pbuf, "%d\n", (int) getpid()); IGNORE_RET (write(i, pbuf, strlen(pbuf))); -@@ -856,9 +856,9 @@ main(int argc, char **argv) { - close(2); - - /* Reopen them on /dev/null. */ -- open("/dev/null", O_RDWR); -- open("/dev/null", O_RDWR); -- open("/dev/null", O_RDWR); -+ open("/dev/null", O_RDWR | O_CLOEXEC); -+ open("/dev/null", O_RDWR | O_CLOEXEC); -+ open("/dev/null", O_RDWR | O_CLOEXEC); - log_perror = 0; /* No sense logging to /dev/null. */ - - IGNORE_RET (chdir("/")); diff --git a/server/ldap.c b/server/ldap.c index 68acbbb..77efe26 100644 --- a/server/ldap.c diff --git a/dhcp-4.2.3-P1-dhclient-log-pid.diff b/dhcp-4.2.3-P1-dhclient-log-pid.diff new file mode 100644 index 0000000..7df647d --- /dev/null +++ b/dhcp-4.2.3-P1-dhclient-log-pid.diff 
@@ -0,0 +1,29 @@
+From 1f30e4707e13cb09315cbda2cf36bae099285a79 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski
+Date: Thu, 5 Jan 2012 16:25:18 +0100
+Subject: [PATCH] Use pid number in dhclient log messages
+
+Troubleshooting help to make it visible which client is reporting
+as there may be more than one running (v4 + v6 multiple interfaces).
+
+Signed-off-by: Marius Tomaschewski
+---
+ client/dhclient.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/client/dhclient.c b/client/dhclient.c
+index ff5ede5..bee8e1d 100644
+--- a/client/dhclient.c
++++ b/client/dhclient.c
+@@ -141,7 +141,7 @@ main(int argc, char **argv) {
+ else if (fd != -1)
+ close(fd);
+
+- openlog("dhclient", LOG_NDELAY, LOG_DAEMON);
++ openlog("dhclient", LOG_NDELAY | LOG_PID, LOG_DAEMON);
+
+ #if !(defined(DEBUG) || defined(__CYGWIN32__))
+ setlogmask(LOG_UPTO(LOG_INFO));
+--
+1.7.7
+
diff --git a/dhcp-4.2.3-P1-dhclient-option_param-a.diff b/dhcp-4.2.3-P1-dhclient-option_param-a.diff
new file mode 100644
index 0000000..db11c28
--- /dev/null
+++ b/dhcp-4.2.3-P1-dhclient-option_param-a.diff
@@ -0,0 +1,41 @@
+From 3e3874a4e322536a683d2c22602c6c1a3f39df8e Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski
+Date: Thu, 5 Jan 2012 16:20:42 +0100
+Subject: [PATCH] dhclient: parse_option_param: Bad format a
+
+When the server provides options using the "a" array type, such as:
+option rfc3442-classless-routes code 121 = array of unsigned integer 8;
+the option is stored into the lease file, but when the client reads the
+lease file next time, it complains about, because "a" array type aren't
+recognized in the parsing loop and the option (lease?) discarded.
+
+Signed-off-by: Marius Tomaschewski
+---
+ common/parse.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/parse.c b/common/parse.c
+index 61488c1..0fca63c 100644
+--- a/common/parse.c
++++ b/common/parse.c
+@@ -5518,7 +5518,7 @@ int parse_option_decl (oc, cfile)
+ /* Parse the option data... */
+ do {
+ for (fmt = option -> format; *fmt; fmt++) {
+- if (*fmt == 'A')
++ if (*fmt == 'A' || *fmt == 'a')
+ break;
+ if (*fmt == 'o' && fmt != option -> format)
+ continue;
+@@ -5732,7 +5732,7 @@ int parse_option_decl (oc, cfile)
+ }
+ }
+ token = next_token (&val, (unsigned *)0, cfile);
+- } while (*fmt == 'A' && token == COMMA);
++ } while ((*fmt == 'A' || *fmt == 'a') && token == COMMA);
+
+ if (token != SEMI) {
+ parse_warn (cfile, "semicolon expected.");
+--
+1.7.7
+
diff --git a/dhcp-4.2.3-P1-dhclient-zero-length-options.patch b/dhcp-4.2.3-P1-dhclient-zero-length-options.patch
new file mode 100644
index 0000000..9127c45
--- /dev/null
+++ b/dhcp-4.2.3-P1-dhclient-zero-length-options.patch
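Review bot: Treating `'a'` exactly like `'A'` in parse_option_decl looks correct only for single-field formats: after the `break` in the first inner hunk, the `while ((*fmt == 'A' || *fmt == 'a') && token == COMMA)` in the second re-enters `for (fmt = option -> format; ...)`, so every comma-separated element is parsed as a complete record from the first format character. If `'a'` is meant to repeat only the preceding field rather than the whole record (my recollection of the format-code table, to be confirmed), a format with more than one field before the `a` would still be mis-parsed when the lease file is read back. Consider stepping back one format character on `'a'` instead of restarting, and add a comment such as `/* 'A' repeats the whole record, 'a' only the last field */`. parse_option_decl starts and ends outside both inner hunks, so how `fmt` is used between them is not visible here.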
@@ -0,0 +1,65 @@
+From 70330e5cb91616dd235b63e54b9fe0dc15f3d61b Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski
+Date: Thu, 5 Jan 2012 16:28:50 +0100
+Subject: [PATCH] zero-length option lease parse error in dhclient6
+
+common/parse.c:
+Use peek_token only or the next_token call behind the while loop
+will cause two warnings / errors in the log:
+ lease line XX: semicolon expected.
+ lease line XX: Unexpected end of file.
+ [there is a } behind the semicolon as the next token in my case]
+and the option (lease?) gets discarded.
+To reproduce, use "send dhcp6.rapid-commit;" to /etc/dhclient6.conf,
+remove the lease file and start the client. When the lease is bound,
+kill the client and start it again.
+
+client/dhclient.c:
+More of cosmetic nature - do not print zero-length options like there
+would be a value missed, e.g. " option dhcp6.rapid-commit ;".
+
+Signed-off-by: Marius Tomaschewski
+---
+ client/dhclient.c | 11 ++++++++---
+ common/parse.c | 2 +-
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/client/dhclient.c b/client/dhclient.c
+index bee8e1d..ee87aa6 100644
+--- a/client/dhclient.c
++++ b/client/dhclient.c
+@@ -2769,10 +2769,15 @@ void write_lease_option (struct option_cache *oc,
+ }
+ if (evaluate_option_cache (&ds, packet, lease, client_state,
+ in_options, cfg_options, scope, oc, MDL)) {
+- fprintf(leaseFile, "%soption %s%s%s %s;\n", preamble,
+- name, dot, oc->option->name,
+- pretty_print_option(oc->option, ds.data, ds.len,
++ if(oc->option->format && oc->option->format[0] == 'Z' && ds.len == 0) {
++ fprintf(leaseFile, "%soption %s%s%s;\n", preamble,
++ name, dot, oc->option->name);
++ } else {
++ fprintf(leaseFile, "%soption %s%s%s %s;\n", preamble,
++ name, dot, oc->option->name,
++ pretty_print_option(oc->option, ds.data, ds.len,
+ 1, 1));
++ }
+ data_string_forget (&ds, MDL);
+ }
+ }
+diff --git a/common/parse.c b/common/parse.c
+index 0fca63c..fe661d5 100644
+--- a/common/parse.c
++++ b/common/parse.c
+@@ -5715,7
+5715,7 @@ int parse_option_decl (oc, cfile)
+ goto alloc;
+
+ case 'Z': /* Zero-length option */
+- token = next_token(&val, (unsigned *)0, cfile);
++ token = peek_token(&val, (unsigned *)0, cfile);
+ if (token != SEMI) {
+ parse_warn(cfile,
+ "semicolon expected.");
+--
+1.7.7
+
diff --git a/dhcp-4.2.3-P1.tar.bz2 b/dhcp-4.2.3-P1.tar.bz2
deleted file mode 100644
index 5f98d05..0000000
--- a/dhcp-4.2.3-P1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b3b924fef93e7cdb72e84dce81f0121a43964e43995f40e12c17b933c38148bf
-size 9367106
diff --git a/dhcp-4.2.3-P2.tar.bz2 b/dhcp-4.2.3-P2.tar.bz2
new file mode 100644
index 0000000..4eb0ee6
--- /dev/null
+++ b/dhcp-4.2.3-P2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ba303393c9e986c51265c6ffded0d8bab1abeb3fe37103d4385802345a2b1109
+size 9369048
diff --git a/dhcp.changes b/dhcp.changes
index 5a618be..14db6d1 100644
--- a/dhcp.changes
+++ b/dhcp.changes
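Review bot: The switch from `next_token` to `peek_token` in the `case 'Z'` branch of parse_option_decl depends on code the hunk does not show: per the patch description, the `next_token` call after the format loop is what consumes the `;`. A short comment on the new line would keep that coupling from being undone later, e.g. `/* peek only: the next_token() after the format loop consumes the ';' */`. In write_lease_option the added `if(oc->option->format && ...` also omits the space after `if` that the neighbouring `if (evaluate_option_cache (` uses. Both functions start and end outside their inner hunks.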
@@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Fri Jan 13 15:26:43 UTC 2012 - mt@suse.com + +- Updated to ISC dhcp-4.2.3-P2 release, providing a DDNS security fix: + Modify the DDNS handling code. In a previous patch we added logging + code to the DDNS handling. This code included a bug that caused it + to attempt to dereference a NULL pointer and eventually segfault. + While reviewing the code as we addressed this problem, we determined + that some of the updates to the lease structures would not work as + planned since the structures being updated were in the process of + being freed: these updates were removed. In addition we removed an + incorrect call to the DDNS removal function that could cause a failure + during the removal of DDNS information from the DNS server. + Thanks to Jasper Jongmans for reporting this issue. + ([ISC-Bugs #27078], CVE: CVE-2011-4868, bnc#741239) +- Fixed close-on-exec patch to not set it on stderr (bnc#732910) +- Fixed incorrect "a" array type option parsing causing to discard + e.g. classless static routes from lease file [reported as ISC-Bug + 27289] and zero-length option parsing such as dhcp6.rapid-commit + in dhclient6 [reported as ISC-Bug 27314] (bnc#739696). +- Fixed dhclient to include its pid number in syslog messages. +- Fixed to use P2 in the spec version, not in the release tag. + ------------------------------------------------------------------- Fri Dec 9 13:40:53 UTC 2011 - mt@suse.com diff --git a/dhcp.spec b/dhcp.spec index 6d8d1ac..2a1b05c 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -1,7 +1,7 @@ # # spec file for package dhcp # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,7 +17,7 @@ # norootforbuild -%define isc_version 4.2.3-P1 +%define isc_version 4.2.3-P2 %define susefw2dir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %define omc_prefix /usr/share/omc %define omc_svcdir %{omc_prefix}/svcinfo.d @@ -40,8 +40,8 @@ BuildRequires: libtool License: BSD-3-Clause Group: Productivity/Networking/Boot/Servers AutoReqProv: on -Version: 4.2.3 -Release: P1.0. +Version: 4.2.3.P2 +Release: 0. Summary: Common Files Used by ISC DHCP Software Url: http://www.isc.org/software/dhcp Source0: dhcp-%{isc_version}.tar.bz2 @@ -88,6 +88,9 @@ Patch44: dhcp-4.2.2-xen-checksum.diff Patch45: dhcp-4.2.2-dhclient-option-checks.bnc675052.diff Patch46: dhcp-4.2.2-close-on-exec.diff Patch47: dhcp-4.2.2-quiet-dhclient.bnc711420.diff +Patch48: dhcp-4.2.3-P1-dhclient-option_param-a.diff +Patch49: dhcp-4.2.3-P1-dhclient-log-pid.diff +Patch50: dhcp-4.2.3-P1-dhclient-zero-length-options.patch ## PreReq: /bin/touch /sbin/chkconfig sysconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -216,6 +219,9 @@ Authors: %patch45 -p1 %patch46 -p1 %patch47 -p1 +%patch48 -p1 +%patch49 -p1 +%patch50 -p1 ## find . -type f -name \*.cat\* -exec rm -f {} \; dos2unix contrib/ms2isc/*