diff --git a/dhcp-4.3.6-options_overflow.patch b/dhcp-4.3.6-options_overflow.patch
new file mode 100644
index 0000000..a51c0cc
--- /dev/null
+++ b/dhcp-4.3.6-options_overflow.patch
@@ -0,0 +1,41 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..8a1deca 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -1672,7 +1672,8 @@ format_min_length(format, oc)
+
+
+ /* Format the specified option so that a human can easily read it. */
+-
++/* Maximum pretty printed size */
++#define MAX_OUTPUT_SIZE 32*1024
+ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ struct option *option;
+ const unsigned char *data;
+@@ -1680,8 +1681,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ int emit_commas;
+ int emit_quotes;
+ {
+- static char optbuf [32768]; /* XXX */
+- static char *endbuf = &optbuf[sizeof(optbuf)];
++ /* We add 128 byte pad so we don't have to add checks everywhere. */
++ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
++ static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
+ int hunksize = 0;
+ int opthunk = 0;
+ int hunkinc = 0;
+@@ -2132,7 +2134,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ log_error ("Unexpected format code %c",
+ fmtbuf [j]);
+ }
++
+ op += strlen (op);
++ if (op >= endbuf) {
++ log_error ("Option data exceeds"
++ " maximum size %d", MAX_OUTPUT_SIZE);
++ return ("");
++ }
++
+ if (dp == data + len)
+ break;
+ if (j + 1 < numelem && comma != ':')
diff --git a/dhcp-4.3.6-reference_count_overflow.patch b/dhcp-4.3.6-reference_count_overflow.patch
new file mode 100644
index 0000000..c6c94cd
--- /dev/null
+++ b/dhcp-4.3.6-reference_count_overflow.patch
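Review bot: The new `op >= endbuf` test in the third inner hunk runs after `op += strlen (op)`, so it reports an overrun that has already been written; the only thing keeping that write inside `optbuf` is the 128-byte pad. That is safe only if no single format element can emit more than 128 bytes in one pass, which the hunk does not show (the per-format branches of pretty_print_option are outside it), so the pad comment should state the invariant, e.g. `/* Pad must be >= the longest output any one format element can write before the op >= endbuf check. */`. Separately, `#define MAX_OUTPUT_SIZE 32*1024` should be parenthesized as `#define MAX_OUTPUT_SIZE (32*1024)` so that a later use inside a larger expression cannot regroup.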
@@ -0,0 +1,13 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..a58c5fc 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -189,6 +189,8 @@ int parse_option_buffer (options, buffer, length, universe)
+
+ /* If the length is outrageous, the options are bad. */
+ if (offset + len > length) {
++ /* Avoid reference count overflow */
++ option_dereference(&option, MDL);
+ reason = "option length exceeds option buffer length";
+ bogus:
+ log_error("parse_option_buffer: malformed option "
diff --git a/dhcp.spec b/dhcp.spec
index be0fede..93bc4cd 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -16,7 +16,7 @@ Summary: Dynamic host configuration protocol software Name: dhcp Version: 4.3.6 -Release: 16%{?dist} +Release: 17%{?dist} # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # dcantrell maintaining the package) made incorrect use of the epoch and # that's why it is at 12 now. It should have never been used, but it was.
@@ -75,7 +75,8 @@ Patch38: dhcp-dhclient-preinit6s.patch Patch39: dhcp-handle_ctx_signals.patch Patch40: dhcp-4.3.6-omapi-leak.patch Patch41: dhcp-4.3.6-isc-util.patch - +Patch42: dhcp-4.3.6-options_overflow.patch +Patch43: dhcp-4.3.6-reference_count_overflow.patch BuildRequires: autoconf BuildRequires: automake
@@ -344,6 +345,10 @@ rm bind/bind.tar.gz # include isc/util.h explicitly, is it no longer contained in used headers %patch41 -p1 -b .isc-util +## https://bugzilla.redhat.com/show_bug.cgi?id=1550246 +%patch42 -p1 +%patch43 -p1 + # DHCLIENT_DEFAULT_PREFIX_LEN 64 -> 128 # https://bugzilla.gnome.org/show_bug.cgi?id=656610 sed -i -e 's|DHCLIENT_DEFAULT_PREFIX_LEN 64|DHCLIENT_DEFAULT_PREFIX_LEN 128|g' includes/site.h
@@ -666,6 +671,9 @@ done %endif %changelog +* Thu Mar 1 2018 Pavel Zhukov - 12:4.3.6-17 +- Fix CVE-2018-5732 CVE-2018-5733 (#1550246) + * Thu Feb 22 2018 Petr Menšík - 12:4.3.6-16 - Compile with recent bind includes, that does not include isc/util.h
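Review bot: The added `option_dereference(&option, MDL);` sits inside the `offset + len > length` branch, above the `bogus:` label, so any other `goto bogus` path skips it; if one of those paths is reached after the option reference has been taken, it would still leak one reference per malformed packet. Those jumps are outside the hunk, so this needs checking against the full parse_option_buffer body. The comment would also be clearer if it named the cause, e.g. `/* Drop the reference held for this option; the error return below would otherwise leak it on every malformed packet. */`, assuming the reference is acquired by a lookup earlier in the loop, which is not visible here.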