tags 686174 + patch tags 686174 + pending thanks Dear maintainer,
I've prepared an NMU for isc-dhcp (versioned as 4.2.4-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards. David
diff -Nru isc-dhcp-4.2.4/debian/changelog isc-dhcp-4.2.4/debian/changelog
--- isc-dhcp-4.2.4/debian/changelog 2012-06-30 17:26:39.000000000 -0400
+++ isc-dhcp-4.2.4/debian/changelog 2012-09-09 18:15:55.000000000 -0400
@@ -1,3 +1,14 @@
+isc-dhcp (4.2.4-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Backport upstream changes for the following security issues:
+ - CVE-2012-3954: memory leaks in dhcpv6 mode
+ - CVE-2012-3570: DoS via crafted client identifier parameter
+ - CVE-2012-3571: DoS via malformed client ids
+ (closes: #686174)
+
+ -- David Prévot <taf...@debian.org> Sun, 09 Sep 2012 18:15:53 -0400
+
 isc-dhcp (4.2.4-1) unstable; urgency=low
 
 * New upstream release
diff -Nru isc-dhcp-4.2.4/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 isc-dhcp-4.2.4/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954
--- isc-dhcp-4.2.4/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 1969-12-31 20:00:00.000000000 -0400
+++ isc-dhcp-4.2.4/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 2012-09-09 18:15:13.000000000 -0400
@@ -0,0 +1,157 @@
+Description: Backport upstream changes for CVE-2012-3954, CVE-2012-3570 and CVE-2012-3571
+ - CVE-2012-3954: memory leaks in dhcpv6 mode
+ - CVE-2012-3570: DoS via crafted client identifier parameter
+ - CVE-2012-3571: DoS via malformed client ids
+
+Bug-Debian: http://bugs.debian.org/686174
+Origin: upstream
+Forwarded: not-needed
+Reviewed-By: David Prévot <taf...@debian.org>
+Last-Update: 2012-09-09
+
+--- isc-dhcp-4.2.4.orig/common/options.c
++++ isc-dhcp-4.2.4/common/options.c
+@@ -2359,6 +2359,8 @@ prepare_option_buffer(struct universe *u
+ 
+ /* And let go of our references. */
+ cleanup:
++ if (lbp != NULL)
++ buffer_dereference(&lbp, MDL);
+ option_dereference(&option, MDL);
+ 
+ return status;
+@@ -3754,11 +3756,13 @@ void do_packet (interface, packet, len,
+ data_string_forget (&dp, MDL);
+ }
+ }
+-
+- if (decoded_packet -> packet_type)
+- dhcp (decoded_packet);
+- else
+- bootp (decoded_packet);
++
++ if (validate_packet(decoded_packet) != 0) {
++ if (decoded_packet->packet_type)
++ dhcp(decoded_packet);
++ else
++ bootp(decoded_packet);
++ }
+ 
+ /* If the caller kept the packet, they'll have upped the refcnt. */
+ packet_dereference (&decoded_packet, MDL);
+@@ -4078,4 +4082,47 @@ add_option(struct option_state *options,
+ return 1;
+ }
+ 
++/**
++ * Checks if received BOOTP/DHCPv4 packet is sane
++ *
++ * @param packet received, decoded packet
++ *
++ * @return 1 if packet is sane, 0 if it is not
++ */
++int validate_packet(struct packet *packet)
++{
++ struct option_cache *oc = NULL;
++
++ oc = lookup_option (&dhcp_universe, packet->options,
++ DHO_DHCP_CLIENT_IDENTIFIER);
++ if (oc) {
++ /* Let's check if client-identifier is sane */
++ if (oc->data.len == 0) {
++ log_debug("Dropped DHCPv4 packet with zero-length client-id");
++ return (0);
+ 
++ } else if (oc->data.len == 1) {
++ /*
++ * RFC2132, section 9.14 states that minimum length of client-id
++ * is 2. We will allow single-character client-ids for now (for
++ * backwards compatibility), but warn the user that support for
++ * this is against the standard.
++ */
++ log_debug("Accepted DHCPv4 packet with one-character client-id - "
++ "a future version of ISC DHCP will reject this");
++ }
++ } else {
++ /*
++ * If hlen is 0 we don't have any identifier, we warn the user
++ * but continue processing the packet as we can.
++ */
++ if (packet->raw->hlen == 0) {
++ log_debug("Received DHCPv4 packet without client-id"
++ " option and empty hlen field.");
++ }
++ }
++
++ /* @todo: Add checks for other received options */
++
++ return (1);
++}
+--- isc-dhcp-4.2.4.orig/includes/dhcpd.h
++++ isc-dhcp-4.2.4/includes/dhcpd.h
+@@ -432,11 +432,17 @@
+ isc_boolean_t unicast;
+ };
+ 
+-/* A network interface's MAC address. */
++/*
++ * A network interface's MAC address.
++ * 20 bytes for the hardware address
++ * and 1 byte for the type tag
++ */
++
++#define HARDWARE_ADDR_LEN 20
+ 
+ struct hardware {
+ u_int8_t hlen;
+- u_int8_t hbuf[21];
++ u_int8_t hbuf[HARDWARE_ADDR_LEN + 1];
+ };
+ 
+ #if defined(LDAP_CONFIGURATION)
+@@ -1853,6 +1853,8 @@ void do_packet6(struct interface_info *,
+ int, int, const struct iaddr *, isc_boolean_t);
+ int packet6_len_okay(const char *, int);
+ 
++int validate_packet(struct packet *);
++
+ int add_option(struct option_state *options,
+ unsigned int option_num,
+ void *data,
+--- isc-dhcp-4.2.4.orig/server/dhcpv6.c
++++ isc-dhcp-4.2.4/server/dhcpv6.c
+@@ -1254,6 +1254,8 @@ lease_to_client(struct data_string *repl
+ isc_boolean_t no_resources_avail = ISC_FALSE;
+ #endif
+ 
++ memset(&packet_oro, 0, sizeof(packet_oro));
++
+ /* Locate the client. */
+ if (shared_network_from_packet6(&reply.shared,
+ packet) != ISC_R_SUCCESS)
+@@ -1276,7 +1278,6 @@ lease_to_client(struct data_string *repl
+ * Get the ORO from the packet, if any.
+ */
+ oc = lookup_option(&dhcpv6_universe, packet->options, D6O_ORO);
+- memset(&packet_oro, 0, sizeof(packet_oro));
+ if (oc != NULL) {
+ if (!evaluate_option_cache(&packet_oro, packet,
+ NULL, NULL,
+@@ -1519,6 +1520,8 @@ lease_to_client(struct data_string *repl
+ packet_dereference(&reply.packet, MDL);
+ if (reply.client_id.data != NULL)
+ data_string_forget(&reply.client_id, MDL);
++ if (packet_oro.buffer != NULL)
++ data_string_forget(&packet_oro, MDL);
+ reply.renew = reply.rebind = reply.prefer = reply.valid = 0;
+ reply.cursor = 0;
+ }
+@@ -6037,7 +6040,7 @@
+ break;
+ }
+ 
+- if (hlen == 0)
++ if ((hlen == 0) || (hlen > HARDWARE_ADDR_LEN))
+ return 0;
+ 
+ /*
diff -Nru isc-dhcp-4.2.4/debian/patches/series isc-dhcp-4.2.4/debian/patches/series
--- isc-dhcp-4.2.4/debian/patches/series 2012-06-10 16:36:19.000000000 -0400
+++ isc-dhcp-4.2.4/debian/patches/series 2012-09-09 18:01:08.000000000 -0400
@@ -1,3 +1,4 @@
 dhclient-script-exit-status
 fix_exit_hook_doc_manpage
 no_loopback_checksum
+CVE-2012-3570_CVE-2012-3571_CVE-2012-3954
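Review bot: The two rejections this backport adds are hard to observe in operation: in `validate_packet` (common/options.c) a zero-length client-id is dropped with only `log_debug(...)`, and the new `(hlen == 0) || (hlen > HARDWARE_ADDR_LEN)` test in server/dhcpv6.c returns 0 with no message at all. Unless debug-priority messages are collected, a host sending the kind of malformed identifiers listed in the changelog entry leaves no record on the server. I would raise the drop to `log_info("Dropped DHCPv4 packet with zero-length client-id");` and add a matching message before the `return 0;` in dhcpv6.c, bearing in mind that per-packet messages triggered by an unauthenticated sender may need rate limiting. The function around the dhcpv6.c check starts and ends outside the hunk (its header names no function), so whether `return 0` discards the packet or only skips a lookup, and whether `hlen` counts the type byte of `hbuf[HARDWARE_ADDR_LEN + 1]`, cannot be confirmed from here.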