Dear Salvatore, El 06/10/22 a las 22:57, Salvatore Bonaccorso escribió: > Control: tags 1021320 + patch > Control: tags 1021320 + pending > > > Dear maintainer, > > I've prepared an NMU for isc-dhcp (versioned as 4.4.3-2.1) and > uploaded it to DELAYED/2. Please feel free to tell me if I > should delay it longer. > > This follows for updates already done in bullseye, so we have not a > regression. Cf. DSA 5251-1. > > Pushed as well to > > https://salsa.debian.org/debian/isc-dhcp/-/tree/security-2022-10-05 > https://salsa.debian.org/debian/isc-dhcp/-/tags/debian%2F4.4.3-2.1 > > (creating a proper merge request does not seem possible for the > project), but the tag can be merged into master branch once/if the NMU > is accepted in the archive. >
Sorry. It should be fixed now (this project was moved to debian/ from the former maintainers' namespace). > Let me as well know if you would be fine with the NMU and have it > moved faster. > Please, upload as soon as possible. Thanks for your work! -- Santiago > Regards, > Salvatore > diff -Nru isc-dhcp-4.4.3/debian/changelog isc-dhcp-4.4.3/debian/changelog > --- isc-dhcp-4.4.3/debian/changelog 2022-05-26 21:31:55.000000000 +0200 > +++ isc-dhcp-4.4.3/debian/changelog 2022-10-06 22:20:47.000000000 +0200 > @@ -1,3 +1,12 @@ > +isc-dhcp (4.4.3-2.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * An option refcount overflow exists in dhcpd (CVE-2022-2928) > + (Closes: #1021320) > + * DHCP memory leak (CVE-2022-2929) (Closes: #1021320) > + > + -- Salvatore Bonaccorso <car...@debian.org> Thu, 06 Oct 2022 22:20:47 +0200 > + > isc-dhcp (4.4.3-2) unstable; urgency=medium > > * Explicitly link against -latomic to fix FTBFS on mipsel, m68k, powerpc > and > diff -Nru isc-dhcp-4.4.3/debian/patches/CVE-2022-2928.patch > isc-dhcp-4.4.3/debian/patches/CVE-2022-2928.patch > --- isc-dhcp-4.4.3/debian/patches/CVE-2022-2928.patch 1970-01-01 > 01:00:00.000000000 +0100 > +++ isc-dhcp-4.4.3/debian/patches/CVE-2022-2928.patch 2022-10-06 > 22:20:47.000000000 +0200 > @@ -0,0 +1,111 @@ > +Description: An option refcount overflow exists in dhcpd > +Origin: upstream > +Bug-Debian: https://bugs.debian.org/1021320 > +Bug-Debian-Security: > https://security-tracker.debian.org/tracker/CVE-2022-2928 > +Forwarded: not-needed > +Last-Update: 2022-10-04 > + > +diff --git a/common/options.c b/common/options.c > +index 92c8fee6..f0959cb2 100644 > +--- a/common/options.c > ++++ b/common/options.c > +@@ -4452,6 +4452,8 @@ add_option(struct option_state *options, > + if (!option_cache_allocate(&oc, MDL)) { > + log_error("No memory for option cache adding %s (option %d).", > + option->name, option_num); > ++ /* Get rid of reference created during hash lookup. */ > ++ option_dereference(&option, MDL); > + return 0; > + } > + > +@@ -4463,6 +4465,8 @@ add_option(struct option_state *options, > + MDL)) { > + log_error("No memory for constant data adding %s (option %d).", > + option->name, option_num); > ++ /* Get rid of reference created during hash lookup. */ > ++ option_dereference(&option, MDL); > + option_cache_dereference(&oc, MDL); > + return 0; > + } > +@@ -4471,6 +4475,9 @@ add_option(struct option_state *options, > + save_option(&dhcp_universe, options, oc); > + option_cache_dereference(&oc, MDL); > + > ++ /* Get rid of reference created during hash lookup. */ > ++ option_dereference(&option, MDL); > ++ > + return 1; > + } > + > +diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c > +index 600ebe60..963b5663 100644 > +--- a/common/tests/option_unittest.c > ++++ b/common/tests/option_unittest.c > +@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc) > + } > + } > + > ++ATF_TC(add_option_ref_cnt); > ++ > ++ATF_TC_HEAD(add_option_ref_cnt, tc) > ++{ > ++ atf_tc_set_md_var(tc, "descr", > ++ "Verify add_option() does not leak option ref counts."); > ++} > ++ > ++ATF_TC_BODY(add_option_ref_cnt, tc) > ++{ > ++ struct option_state *options = NULL; > ++ struct option *option = NULL; > ++ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER; > ++ char *cid_str = "1234"; > ++ int refcnt_before = 0; > ++ > ++ // Look up the option we're going to add. > ++ initialize_common_option_spaces(); > ++ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, > ++ &cid_code, 0, MDL)) { > ++ atf_tc_fail("cannot find option definition?"); > ++ } > ++ > ++ // Get the option's reference count before we call add_options. > ++ refcnt_before = option->refcnt; > ++ > ++ // Allocate a option_state to which to add an option. > ++ if (!option_state_allocate(&options, MDL)) { > ++ atf_tc_fail("cannot allocat options state"); > ++ } > ++ > ++ // Call add_option() to add the option to the option state. > ++ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) { > ++ atf_tc_fail("add_option returned 0"); > ++ } > ++ > ++ // Verify that calling add_option() only adds 1 to the option ref count. > ++ if (option->refcnt != (refcnt_before + 1)) { > ++ atf_tc_fail("after add_option(), count is wrong, before %d, after: > %d", > ++ refcnt_before, option->refcnt); > ++ } > ++ > ++ // Derefrence the option_state, this should reduce the ref count to > ++ // it's starting value. > ++ option_state_dereference(&options, MDL); > ++ > ++ // Verify that dereferencing option_state restores option ref count. > ++ if (option->refcnt != refcnt_before) { > ++ atf_tc_fail("after state deref, count is wrong, before %d, after: > %d", > ++ refcnt_before, option->refcnt); > ++ } > ++} > ++ > + /* This macro defines main() method that will call specified > + test cases. tp and simple_test_case names can be whatever you want > + as long as it is a valid variable identifier. */ > +@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp) > + ATF_TP_ADD_TC(tp, option_refcnt); > + ATF_TP_ADD_TC(tp, pretty_print_option); > + ATF_TP_ADD_TC(tp, parse_X); > ++ ATF_TP_ADD_TC(tp, add_option_ref_cnt); > + > + return (atf_no_error()); > + } > diff -Nru isc-dhcp-4.4.3/debian/patches/CVE-2022-2929.patch > isc-dhcp-4.4.3/debian/patches/CVE-2022-2929.patch > --- isc-dhcp-4.4.3/debian/patches/CVE-2022-2929.patch 1970-01-01 > 01:00:00.000000000 +0100 > +++ isc-dhcp-4.4.3/debian/patches/CVE-2022-2929.patch 2022-10-06 > 22:20:47.000000000 +0200 > @@ -0,0 +1,32 @@ > +Description: DHCP memory leak > +Origin: upstream > +Bug-Debian: https://bugs.debian.org/1021320 > +Bug-Debian-Security: > https://security-tracker.debian.org/tracker/CVE-2022-2929 > +Forwarded: not-needed > +Last-Update: 2022-10-04 > + > +diff --git a/common/options.c b/common/options.c > +index f0959cb2..25450e1d 100644 > +--- a/common/options.c > ++++ b/common/options.c > +@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options, > + while (s < &bp -> data[0] + length + 2) { > + len = *s; > + if (len > 63) { > +- log_info ("fancy bits in fqdn option"); > +- return 0; > ++ log_info ("label length exceeds 63 in fqdn > option"); > ++ goto bad; > + } > + if (len == 0) { > + terminated = 1; > + break; > + } > + if (s + len > &bp -> data [0] + length + 3) { > +- log_info ("fqdn tag longer than buffer"); > +- return 0; > ++ log_info ("fqdn label longer than buffer"); > ++ goto bad; > + } > + > + if (first_len == 0) { > diff -Nru isc-dhcp-4.4.3/debian/patches/series > isc-dhcp-4.4.3/debian/patches/series > --- isc-dhcp-4.4.3/debian/patches/series 2022-05-06 17:38:40.000000000 > +0200 > +++ isc-dhcp-4.4.3/debian/patches/series 2022-10-06 22:20:47.000000000 > +0200 > @@ -17,3 +17,5 @@ > > configure.patch > > +CVE-2022-2928.patch > +CVE-2022-2929.patch
signature.asc
Description: PGP signature
