Hi,
* Nico Golde <[EMAIL PROTECTED]> [2007-10-29 22:30]:
> * Steve Kemp <[EMAIL PROTECTED]> [2007-10-29 21:59]:
> > On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:
> >
> > > During testing of our updated dhcp packages, we have found out that
> > > patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
> > > still possible to crash dhcpd. Your dhcp packages released in DSA
> > > 1388-1 also seem affected. You can find better patch based on dhcp-3.x
> > > code here:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
> > >
> > > Note: [EMAIL PROTECTED] was notified on 2007-10-23.
> > > Updated DSA 1388-3 released on 2007-10-29.
> >
> > Thanks, we have a built package already. I'm not sure who is
> > releasing it - I guess I should since I did the previous one.
> > I'll chase it tomorrow/Wednesday.
>
> I'll reupload the NMU for unstable to fix this.

Attached is the patch for this, I am uploading it now.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u dhcp-2.0pl5dfsg1/debian/changelog dhcp-2.0pl5dfsg1/debian/changelog --- dhcp-2.0pl5dfsg1/debian/changelog +++ dhcp-2.0pl5dfsg1/debian/changelog @@ -1,3 +1,11 @@ +dhcp (2.0pl5dfsg1-20.2) unstable; urgency=high + + * Non-maintainer upload by testing-security team. + * Updated 305_CVE-2007-5365.patch to fix incomplete + upstream patch for CVE-2007-5365 (Closes: #446354). + + -- Nico Golde <[EMAIL PROTECTED]> Mon, 29 Oct 2007 22:40:21 +0100 + dhcp (2.0pl5dfsg1-20.1) unstable; urgency=high * Non-maintainer upload by the testing-security team diff -u dhcp-2.0pl5dfsg1/debian/patches/305_CVE-2007-5365.patch dhcp-2.0pl5dfsg1/debian/patches/305_CVE-2007-5365.patch --- dhcp-2.0pl5dfsg1/debian/patches/305_CVE-2007-5365.patch +++ dhcp-2.0pl5dfsg1/debian/patches/305_CVE-2007-5365.patch 
@@ -1,16 +1,17 @@ ---- options.c.orig 2007-10-12 12:22:41.000000000 +0000 -+++ dhcp-2.0pl5dfsg1/common/options.c 2007-10-12 12:23:42.000000000 +0000 -@@ -188,9 +188,12 @@ - inpacket && - inpacket -> options [DHO_DHCP_MAX_MESSAGE_SIZE].data && - (inpacket -> options [DHO_DHCP_MAX_MESSAGE_SIZE].len >= -- sizeof (u_int16_t))) -+ sizeof (u_int16_t))){ - mms = getUShort (inpacket -> options - [DHO_DHCP_MAX_MESSAGE_SIZE].data); -+ if (mms < 576) -+ mms = 576; /* mms must be >= minimum IP MTU */ -+ } - - /* If the client has provided a maximum DHCP message size, - use that; otherwise, if it's BOOTP, only 64 bytes; otherwise +diff -Nurad dhcp-2.0pl5dfsg1.orig/common/options.c dhcp-2.0pl5dfsg1/common/options.c +--- dhcp-2.0pl5dfsg1.orig/common/options.c 2007-10-29 22:29:34.000000000 +0100 ++++ dhcp-2.0pl5dfsg1/common/options.c 2007-10-29 22:35:22.000000000 +0100 +@@ -197,9 +197,11 @@ + use up to the minimum IP MTU size (576 bytes). */ + /* XXX if a BOOTP client specifies a max message size, we will + honor it. */ +- if (mms) ++ if (mms){ ++ if(mms < 576) ++ mms = 576; /* mms must be >= minimum IP MTU */ + main_buffer_size = mms - DHCP_FIXED_LEN; +- else if (bootpp) ++ } else if (bootpp) + main_buffer_size = 64; + else + main_buffer_size = 576 - DHCP_FIXED_LEN;
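Review bot: the new debian/changelog entry for 2.0pl5dfsg1-20.2 says only that the upstream patch was incomplete; it should state what changed (the 576-byte minimum is now enforced where main_buffer_size is computed instead of where the option is read) so the entry can be understood without opening 305_CVE-2007-5365.patch. The first bullet also reads "by testing-security team" where the 20.1 entry directly below has "by the testing-security team".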
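Review bot: in the rewritten options.c hunk the clamp `if(mms < 576) mms = 576;` now sits inside `if (mms)` right before `main_buffer_size = mms - DHCP_FIXED_LEN;`, and the earlier clamp at the point where mms is read from DHO_DHCP_MAX_MESSAGE_SIZE is dropped, so any use of mms between those two places would see the client's raw value; please confirm there is none, or keep the clamp at the read site as well. The comment "mms must be >= minimum IP MTU" should also say that the value feeds the subtraction on the next line, and the literal 576 appears both in the clamp and in `576 - DHCP_FIXED_LEN` in the final else branch, which a named constant would keep in step. Style: `if (mms){` and `if(mms < 576)` do not follow the spacing used by the surrounding code (`sizeof (u_int16_t)`, `getUShort (inpacket ...`).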