Control: tags 887413 + patch Control: tags 887413 + pending Control: tags 891785 + patch Control: tags 891785 + pending Control: tags 891786 + patch Control: tags 891786 + pending
Dear maintainer, I've prepared an NMU for isc-dhcp (versioned as 4.3.5-3.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. You will note that the diff also includes the parts of the upstream changes that concern the unit tests. I was unable to get a setup working in which I could run them, so the fixes have not been verified specifically against the added unit tests. I opted to keep them anyway, for the benefit of anyone who fetches the source and is able to run the unit tests. Regards, Salvatore
diff -Nru isc-dhcp-4.3.5/debian/changelog isc-dhcp-4.3.5/debian/changelog
--- isc-dhcp-4.3.5/debian/changelog 2017-01-09 05:55:32.000000000 +0100
+++ isc-dhcp-4.3.5/debian/changelog 2018-03-04 21:35:31.000000000 +0100
@@ -1,3 +1,13 @@
+isc-dhcp (4.3.5-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Plugs a socket descriptor leak in OMAPI (CVE-2017-3144) (Closes: #887413)
+ * Corrected refcnt loss in option parsing (CVE-2018-5733) (Closes: #891785)
+ * Correct buffer overrun in pretty_print_option (CVE-2018-5732)
+ (Closes: #891786)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 04 Mar 2018 21:35:31 +0100
+
 isc-dhcp (4.3.5-3) unstable; urgency=medium
 * Add support for read-only /etc (closes: #642544).
diff -Nru isc-dhcp-4.3.5/debian/patches/CVE-2017-3144.patch isc-dhcp-4.3.5/debian/patches/CVE-2017-3144.patch
--- isc-dhcp-4.3.5/debian/patches/CVE-2017-3144.patch 1970-01-01 01:00:00.000000000 +0100
+++ isc-dhcp-4.3.5/debian/patches/CVE-2017-3144.patch 2018-03-04 21:35:31.000000000 +0100
@@ -0,0 +1,47 @@
+From: Thomas Markwalder <tm...@isc.org>
+Date: Thu, 7 Dec 2017 11:23:36 -0500
+Subject: [master] Plugs a socket descriptor leak in OMAPI
+Origin: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894
+Bug: https://bugs.isc.org/Public/Bug/Display.html?id=46767
+Bug-Debian: https://bugs.debian.org/887413
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-3144
+
+ Merges in rt46767.
+---
+
+diff --git a/omapip/buffer.c b/omapip/buffer.c
+index 6e0621b5..a21f0a80 100644
+--- a/omapip/buffer.c
++++ b/omapip/buffer.c
+@@ -565,6 +565,15 @@ isc_result_t omapi_connection_writer (omapi_object_t *h)
+ omapi_buffer_dereference (&buffer, MDL);
+ }
+ }
++
++ /* If we had data left to write when we're told to disconnect,
++ * we need recall disconnect, now that we're done writing.
++ * See rt46767. */
++ if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) {
++ omapi_disconnect (h, 1);
++ return ISC_R_SHUTTINGDOWN;
++ }
++
+ return ISC_R_SUCCESS;
+ }
+
+diff --git a/omapip/message.c b/omapip/message.c
+index ee15d821..37abbd25 100644
+--- a/omapip/message.c
++++ b/omapip/message.c
+@@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (omapi_object_t *mo)
+ }
+
+ #ifdef DEBUG_PROTOCOL
+-static const char *omapi_message_op_name(int op) {
++const char *omapi_message_op_name(int op) {
+ switch (op) {
+ case OMAPI_OP_OPEN: return "OMAPI_OP_OPEN";
+ case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH";
+--
+2.16.2
+
diff -Nru isc-dhcp-4.3.5/debian/patches/CVE-2018-5732.patch isc-dhcp-4.3.5/debian/patches/CVE-2018-5732.patch
--- isc-dhcp-4.3.5/debian/patches/CVE-2018-5732.patch 1970-01-01 01:00:00.000000000 +0100
+++ isc-dhcp-4.3.5/debian/patches/CVE-2018-5732.patch 2018-03-04 21:35:31.000000000 +0100
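Review bot: The result of `omapi_disconnect (h, 1)` is discarded in the omapip/buffer.c hunk, and omapi_connection_writer can now return `ISC_R_SHUTTINGDOWN`, so every caller has to treat that status as a closed connection and stop using the connection object afterwards. Those call sites, and the start of the function, are outside the hunk, so this should be confirmed against the tree the patch is applied to. The new comment would read more clearly as `/* If data was still queued when disconnect was requested, call disconnect again now that the write has drained. See rt46767. */`.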
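Review bot: Dropping `static` in the omapip/message.c hunk gives `omapi_message_op_name` external linkage, but the patch adds no prototype and the definition exists only under `#ifdef DEBUG_PROTOCOL`. If another file is meant to call it, a declaration such as `const char *omapi_message_op_name(int op);` belongs in a shared OMAPI header under the same `#ifdef`; if nothing in this tree calls it from outside message.c, keeping `static` avoids exporting a debug-only symbol. The switch body continues past the end of the hunk.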
@@ -0,0 +1,144 @@
+From: Thomas Markwalder <tm...@isc.org>
+Date: Sat, 10 Feb 2018 12:15:27 -0500
+Subject: [master] Correct buffer overrun in pretty_print_option
+Origin: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=c5931725b48b121d232df4ba9e45bc41e0ba114d
+Bug: https://bugs.isc.org/Public/Bug/Display.html?id=47139
+Bug-Debian: https://bugs.debian.org/891786
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5732
+
+ Merges in rt47139.
+---
+
+diff --git a/common/options.c b/common/options.c
+index 6f23bc15..fc0e0889 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -1776,7 +1776,8 @@ format_min_length(format, oc)
+
+
+ /* Format the specified option so that a human can easily read it. */
+-
++/* Maximum pretty printed size */
++#define MAX_OUTPUT_SIZE 32*1024
+ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ struct option *option;
+ const unsigned char *data;
+@@ -1784,8 +1785,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ int emit_commas;
+ int emit_quotes;
+ {
+- static char optbuf [32768]; /* XXX */
+- static char *endbuf = &optbuf[sizeof(optbuf)];
++ /* We add 128 byte pad so we don't have to add checks everywhere.
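Review bot: `#define MAX_OUTPUT_SIZE 32*1024` in the @@ -1776 hunk is an unparenthesized expression macro; the uses in this patch (`MAX_OUTPUT_SIZE + 128`, `optbuf + MAX_OUTPUT_SIZE`) expand correctly only because `*` binds tighter than `+`. Writing it as `#define MAX_OUTPUT_SIZE (32*1024)` keeps the bound intact if it is later used in a division, a cast or a subtraction. The macro and its comment are also inserted between the "Format the specified option…" comment and the function that comment describes; placing them above that comment keeps the description attached to pretty_print_option.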
*/
++ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
++ static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
+ int hunksize = 0;
+ int opthunk = 0;
+ int hunkinc = 0;
+@@ -2211,7 +2213,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ log_error ("Unexpected format code %c",
+ fmtbuf [j]);
+ }
++
+ op += strlen (op);
++ if (op >= endbuf) {
++ log_error ("Option data exceeds"
++ " maximum size %d", MAX_OUTPUT_SIZE);
++ return ("<error>");
++ }
++
+ if (dp == data + len)
+ break;
+ if (j + 1 < numelem && comma != ':')
+diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
+index 36236b84..cd52cfb4 100644
+--- a/common/tests/option_unittest.c
++++ b/common/tests/option_unittest.c
+@@ -43,7 +43,7 @@ ATF_TC_BODY(option_refcnt, tc)
+ if (!option_state_allocate(&options, MDL)) {
+ atf_tc_fail("can't allocate option state");
+ }
+-
++
+ option = NULL;
+ code = 15; /* domain-name */
+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
+@@ -68,12 +68,75 @@ ATF_TC_BODY(option_refcnt, tc)
+ }
+ }
+
++ATF_TC(pretty_print_option);
++
++ATF_TC_HEAD(pretty_print_option, tc)
++{
++ atf_tc_set_md_var(tc, "descr",
++ "Verify pretty_print_option does not overrun its buffer.");
++}
++
++
++/*
++ * This test verifies that pretty_print_option() will not overrun its
++ * internal, static buffer when given large 'x/X' format options.
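Review bot: The 128-byte pad in `optbuf [MAX_OUTPUT_SIZE + 128]` (@@ -1784 hunk) is the only thing keeping a write in bounds, because the new `op >= endbuf` test in the @@ -2211 hunk runs after the element has already been formatted into the buffer. That holds only if no single format code can emit more than 128 bytes between two checks; the code that writes through `op` is outside both hunks, so this needs confirming, for the text and string cases in particular. I would give the pad a name, e.g. `#define OUTPUT_PAD 128`, and state the invariant where the buffer is declared: `/* Each pass of the element loop must write fewer than OUTPUT_PAD bytes; the bound is checked after the write. */`. Callers also now receive the literal `"<error>"` in place of option text, which looks like an ordinary value unless they compare against it.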
++ *
++ */
++ATF_TC_BODY(pretty_print_option, tc)
++{
++ struct option *option;
++ unsigned code;
++ unsigned char bad_data[32*1024];
++ unsigned char good_data[] = { 1,2,3,4,5,6 };
++ int emit_commas = 1;
++ int emit_quotes = 1;
++ const char *output_buf;
++
++ /* Initialize whole thing to non-printable chars */
++ memset(bad_data, 0x1f, sizeof(bad_data));
++
++ initialize_common_option_spaces();
++
++ /* We'll use dhcp_client_identitifer because it happens to be format X */
++ code = 61;
++ option = NULL;
++ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
++ &code, 0, MDL)) {
++ atf_tc_fail("can't find option %d", code);
++ }
++
++ if (option == NULL) {
++ atf_tc_fail("option is NULL");
++ }
++
++ /* First we will try a good value we know should fit. */
++ output_buf = pretty_print_option (option, good_data, sizeof(good_data),
++ emit_commas, emit_quotes);
++
++ /* Make sure we get what we expect */
++ if (!output_buf || strcmp(output_buf, "1:2:3:4:5:6")) {
++ atf_tc_fail("pretty_print_option did not return \"<error>\"");
++ }
++
++
++ /* Now we'll try a data value that's too large */
++ output_buf = pretty_print_option (option, bad_data, sizeof(bad_data),
++ emit_commas, emit_quotes);
++
++ /* Make sure we safely get an error */
++ if (!output_buf || strcmp(output_buf, "<error>")) {
++ atf_tc_fail("pretty_print_option did not return \"<error>\"");
++ }
++}
++
++
+ /* This macro defines main() method that will call specified
+ test cases. tp and simple_test_case names can be whatever you want
+ as long as it is a valid variable identifier.
*/
+ ATF_TP_ADD_TCS(tp)
+ {
+ ATF_TP_ADD_TC(tp, option_refcnt);
++ ATF_TP_ADD_TC(tp, pretty_print_option);
+
+ return (atf_no_error());
+ }
+--
+2.16.2
+
diff -Nru isc-dhcp-4.3.5/debian/patches/CVE-2018-5733.patch isc-dhcp-4.3.5/debian/patches/CVE-2018-5733.patch
--- isc-dhcp-4.3.5/debian/patches/CVE-2018-5733.patch 1970-01-01 01:00:00.000000000 +0100
+++ isc-dhcp-4.3.5/debian/patches/CVE-2018-5733.patch 2018-03-04 21:35:31.000000000 +0100
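Review bot: The failure message for the good-data case in the new pretty_print_option test is a copy of the overrun case: the check compares against `"1:2:3:4:5:6"` but reports `did not return "<error>"`, so a regression in normal formatting would be reported as a missing error. It should read `atf_tc_fail("pretty_print_option did not return \"1:2:3:4:5:6\"");`. `code` is declared `unsigned`, so `"can't find option %d"` should use `%u`, and the comment's `dhcp_client_identitifer` is a misspelling of the option name.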
@@ -0,0 +1,131 @@
+From: Thomas Markwalder <tm...@isc.org>
+Date: Fri, 9 Feb 2018 14:46:08 -0500
+Subject: [master] Corrected refcnt loss in option parsing
+Origin: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=197b26f25309f947b97a83b8fdfc414b767798f8
+Bug: https://bugs.isc.org/Public/Bug/Display.html?id=47140
+Bug-Debian: https://bugs.debian.org/891785
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5733
+
+ Merges in 47140.
+---
+
+--- a/common/options.c
++++ b/common/options.c
+@@ -177,6 +177,8 @@ int parse_option_buffer (options, buffer
+
+ /* If the length is outrageous, the options are bad. */
+ if (offset + len > length) {
++ /* Avoid reference count overflow */
++ option_dereference(&option, MDL);
+ reason = "option length exceeds option buffer length";
+ bogus:
+ log_error("parse_option_buffer: malformed option "
+--- a/common/tests/Makefile.am
++++ b/common/tests/Makefile.am
+@@ -10,7 +10,8 @@ ATF_TESTS =
+
+ if HAVE_ATF
+
+-ATF_TESTS += alloc_unittest dns_unittest misc_unittest ns_name_unittest
++ATF_TESTS += alloc_unittest dns_unittest misc_unittest ns_name_unittest \
++ option_unittest
+
+ alloc_unittest_SOURCES = test_alloc.c $(top_srcdir)/tests/t_api_dhcp.c
+ alloc_unittest_LDADD = $(ATF_LDFLAGS)
+@@ -36,6 +37,14 @@ ns_name_unittest_LDADD += ../libdhcp.a
+ ../../omapip/libomapi.a $(BINDLIBDIR)/libirs.a \
+ $(BINDLIBDIR)/libdns.a $(BINDLIBDIR)/libisccfg.a $(BINDLIBDIR)/libisc.a
+
++option_unittest_SOURCES = option_unittest.c $(top_srcdir)/tests/t_api_dhcp.c
++option_unittest_LDADD = $(ATF_LDFLAGS)
++option_unittest_LDADD += ../libdhcp.@A@ ../../omapip/libomapi.@A@ \
++ @BINDLIBIRSDIR@/libirs.@A@ \
++ @BINDLIBDNSDIR@/libdns.@A@ \
++ @BINDLIBISCCFGDIR@/libisccfg.@A@ \
++ @BINDLIBISCDIR@/libisc.@A@
++
+ check: $(ATF_TESTS)
+ @if test $(top_srcdir) != ${top_builddir}; then \
+ cp $(top_srcdir)/common/tests/Atffile Atffile; \
+--- /dev/null
++++ b/common/tests/option_unittest.c
+@@ -0,0 +1,79 @@
++/*
++ *
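Review bot: The added `option_dereference(&option, MDL)` in the common/options.c hunk releases the reference only on the "option length exceeds option buffer length" path; `bogus:` is a label, so any other `goto bogus` reached after the option has been looked up would still leave the count raised. Those jumps are outside the hunk and should be checked, as should whether anything after `bogus:` still reads `option` once the call has cleared it. The comment `/* Avoid reference count overflow */` names the symptom only; `/* Drop the reference held on option before bailing out; otherwise each malformed packet leaks one until refcnt overflows. */` tells the next reader why the call is here, assuming the reference is taken by the lookup earlier in parse_option_buffer.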
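Review bot: The new `option_unittest_LDADD` lines in the common/tests/Makefile.am @@ -36 hunk use `@A@` and `@BINDLIB…DIR@` substitutions, while the neighbouring `ns_name_unittest_LDADD` context lines link `../libdhcp.a` and `$(BINDLIBDIR)/lib*.a`. If configure in this 4.3.5 tree does not define those substitutions they stay unexpanded and option_unittest will not link. Following the neighbouring entries would give `option_unittest_LDADD += ../libdhcp.a ../../omapip/libomapi.a $(BINDLIBDIR)/libirs.a \` followed by `$(BINDLIBDIR)/libdns.a $(BINDLIBDIR)/libisccfg.a $(BINDLIBDIR)/libisc.a`.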
Copyright (C) 2018 Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#include <config.h>
++#include <atf-c.h>
++#include "dhcpd.h"
++
++ATF_TC(option_refcnt);
++
++ATF_TC_HEAD(option_refcnt, tc)
++{
++ atf_tc_set_md_var(tc, "descr",
++ "Verify option reference count does not overflow.");
++}
++
++/* This test does a simple check to see if option reference count is
++ * decremented even an error path exiting parse_option_buffer()
++ */
++ATF_TC_BODY(option_refcnt, tc)
++{
++ struct option_state *options;
++ struct option *option;
++ unsigned code;
++ int refcnt;
++ unsigned char buffer[3] = { 15, 255, 0 };
++
++ initialize_common_option_spaces();
++
++ options = NULL;
++ if (!option_state_allocate(&options, MDL)) {
++ atf_tc_fail("can't allocate option state");
++ }
++
++ option = NULL;
++ code = 15; /* domain-name */
++ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
++ &code, 0, MDL)) {
++ atf_tc_fail("can't find option 15");
++ }
++ if (option == NULL) {
++ atf_tc_fail("option is NULL");
++ }
++ refcnt = option->refcnt;
++
++ buffer[0] = 15;
++ buffer[1] = 255; /* invalid */
++ buffer[2] = 0;
++
++ if (parse_option_buffer(options, buffer, 3, &dhcp_universe)) {
++ atf_tc_fail("parse_option_buffer is expected to fail");
++ }
++
++ if
(refcnt != option->refcnt) {
++ atf_tc_fail("refcnt changed from %d to %d", refcnt, option->refcnt);
++ }
++}
++
++/* This macro defines main() method that will call specified
++ test cases. tp and simple_test_case names can be whatever you want
++ as long as it is a valid variable identifier. */
++ATF_TP_ADD_TCS(tp)
++{
++ ATF_TP_ADD_TC(tp, option_refcnt);
++
++ return (atf_no_error());
++}
diff -Nru isc-dhcp-4.3.5/debian/patches/series isc-dhcp-4.3.5/debian/patches/series
--- isc-dhcp-4.3.5/debian/patches/series 2017-01-09 05:55:32.000000000 +0100
+++ isc-dhcp-4.3.5/debian/patches/series 2018-03-04 21:35:31.000000000 +0100
@@ -19,3 +19,7 @@
 disable-nsupdate.patch
 system-bind.patch
+
+CVE-2017-3144.patch
+CVE-2018-5733.patch
+CVE-2018-5732.patch