diff --git a/dhcp-4.1.0-CVE-2009-0692.patch b/dhcp-4.1.0-CVE-2009-0692.patch
new file mode 100644
index 0000000..88afc11
--- /dev/null
+++ b/dhcp-4.1.0-CVE-2009-0692.patch
@@ -0,0 +1,21 @@
+diff -up dhcp-4.1.0/client/dhclient.c.CVE-2009-0692 dhcp-4.1.0/client/dhclient.c
+--- dhcp-4.1.0/client/dhclient.c.CVE-2009-0692 2008-06-11 10:17:10.000000000 -1000
++++ dhcp-4.1.0/client/dhclient.c 2009-08-05 11:32:24.000000000 -1000
+@@ -3054,8 +3054,15 @@ void script_write_params (client, prefix
+ if (data.len > 3) {
+ struct iaddr netmask, subnet, broadcast;
+ 
+- memcpy (netmask.iabuf, data.data, data.len);
+- netmask.len = data.len;
++ /*
++ * No matter the length of the subnet-mask option,
++ * use only the first four octets. Note that
++ * subnet-mask options longer than 4 octets are not
++ * in conformance with RFC 2132, but servers with this
++ * flaw do exist.
++ */
++ memcpy(netmask.iabuf, data.data, 4);
++ netmask.len = 4;
+ data_string_forget (&data, MDL);
+ 
+ subnet = subnet_number (lease -> address, netmask);
diff --git a/dhcp-4.1.0-CVE-2009-1892.patch b/dhcp-4.1.0-CVE-2009-1892.patch
new file mode 100644
index 0000000..c174ecc
--- /dev/null
+++ b/dhcp-4.1.0-CVE-2009-1892.patch
@@ -0,0 +1,12 @@
+diff -up dhcp-4.1.0/server/dhcp.c.CVE-2009-1892 dhcp-4.1.0/server/dhcp.c
+--- dhcp-4.1.0/server/dhcp.c.CVE-2009-1892 2008-11-03 08:13:58.000000000 -1000
++++ dhcp-4.1.0/server/dhcp.c 2009-08-05 11:34:07.000000000 -1000
+@@ -1755,6 +1755,8 @@ void ack_lease (packet, lease, offer, wh
+ host_reference (&host, h, MDL);
+ }
+ if (!host) {
++ if (hp)
++ host_dereference (&hp, MDL);
+ find_hosts_by_haddr (&hp,
+ packet -> raw -> htype,
+ packet -> raw -> chaddr,
diff --git a/dhcp-4.1.0-lease-file-semicolons.patch b/dhcp-4.1.0-lease-file-semicolons.patch
deleted file mode 100644
index 87962c3..0000000
--- a/dhcp-4.1.0-lease-file-semicolons.patch
+++ /dev/null
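Review bot: The new `memcpy(netmask.iabuf, data.data, 4)` is bounded only by the context-line guard `if (data.len > 3)` above it, and nothing at the copy site records that dependency, so a later edit of the guard could silently reintroduce the overflow this patch removes. Suggest a one-line comment beside the copy, `/* guard above guarantees data.len >= 4; iabuf must never receive more than 4 octets here */`, or tying the guard to the literal by writing it as `if (data.len >= 4)`. If script_write_params copies other option payloads into an iaddr using data.len they would presumably need the same bound, but that cannot be seen from this hunk. script_write_params starts and ends outside the hunk.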
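Review bot: The added `if (hp) host_dereference (&hp, MDL);` is only correct if `hp` is initialised to NULL where it is declared (outside this hunk) and every earlier path that set it left a live reference; otherwise the test reads an indeterminate pointer or releases a stale one, so that declaration should be confirmed. The intent also deserves a comment, since on its own the release looks unrelated to the lookup that follows, e.g. `/* release any host still referenced by hp so find_hosts_by_haddr() stores into a NULL pointer */`. Braces on the two-line if would match the bracing of the surrounding code. ack_lease continues outside the hunk.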
@@ -1,55 +0,0 @@
-diff -up dhcp-4.1.0/client/dhclient.c.semicolons dhcp-4.1.0/client/dhclient.c
---- dhcp-4.1.0/client/dhclient.c.semicolons 2008-06-11 10:17:10.000000000 -1000
-+++ dhcp-4.1.0/client/dhclient.c 2009-08-04 17:46:38.000000000 -1000
-@@ -2780,7 +2780,7 @@ write_client6_lease(struct client_state
- if (addr->options != NULL)
- write_options(client, addr->options, " ");
- 
-- stat = fprintf(leaseFile, " }\n");
-+ stat = fprintf(leaseFile, " };\n");
- if (stat <= 0)
- return ISC_R_IOERROR;
- }
-@@ -2788,7 +2788,7 @@ write_client6_lease(struct client_state
- if (ia->options != NULL)
- write_options(client, ia->options, " ");
- 
-- stat = fprintf(leaseFile, " }\n");
-+ stat = fprintf(leaseFile, " };\n");
- if (stat <= 0)
- return ISC_R_IOERROR;
- }
-@@ -2802,7 +2802,7 @@ write_client6_lease(struct client_state
- if (lease->options != NULL)
- write_options(client, lease->options, " ");
- 
-- stat = fprintf(leaseFile, "}\n");
-+ stat = fprintf(leaseFile, "};\n");
- if (stat <= 0)
- return ISC_R_IOERROR;
- 
-@@ -2926,20 +2926,20 @@ int write_client_lease (client, lease, r
- 
- tval = print_time(lease->renewal);
- if (tval == NULL ||
-- fprintf(leaseFile, " renew %s\n", tval) < 0)
-+ fprintf(leaseFile, " renew %s;\n", tval) < 0)
- errors++;
- 
- tval = print_time(lease->rebind);
- if (tval == NULL ||
-- fprintf(leaseFile, " rebind %s\n", tval) < 0)
-+ fprintf(leaseFile, " rebind %s;\n", tval) < 0)
- errors++;
- 
- tval = print_time(lease->expiry);
- if (tval == NULL ||
-- fprintf(leaseFile, " expire %s\n", tval) < 0)
-+ fprintf(leaseFile, " expire %s;\n", tval) < 0)
- errors++;
- 
-- if (fprintf(leaseFile, "}\n") < 0)
-+ if (fprintf(leaseFile, "};\n") < 0)
- errors++;
- 
- if (fflush(leaseFile) != 0)
diff --git a/dhcp.spec b/dhcp.spec
index 4f4ef14..a8986dc 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -10,7 +10,7 @@ Summary: Dynamic host configuration protocol software Name: dhcp Version: 4.1.0 -Release: 24%{?dist} +Release: 25%{?dist} # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # dcantrell maintaining the package) made incorrect use of the epoch and # that's why it is at 12 now. It should have never been used, but it was. @@ -47,7 +47,8 @@ Patch17: %{name}-4.1.0-invalid-dhclient-conf.patch Patch18: %{name}-4.1.0-missing-ipv6-not-fatal.patch Patch19: %{name}-4.1.0-IFNAMSIZ.patch Patch20: %{name}-4.1.0-add_timeout_when_NULL.patch -Patch21: %{name}-4.1.0-lease-file-semicolons.patch +Patch21: %{name}-4.1.0-CVE-2009-0692.patch +Patch22: %{name}-4.1.0-CVE-2009-1892.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf @@ -200,9 +201,14 @@ libdhcpctl and libomapi static libraries are also included in this package. # (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #19867]) %patch20 -p1 -# Add missing semicolons to lines in the client lease file (#514828) +# Fix for CVE-2009-0692 (patch from Mandriva SRPM) +# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692 %patch21 -p1 +# Fix for CVE-2009-1892 (patch from Mandriva SRPM) +# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892 +%patch22 -p1 + # Copy in documentation and example scripts for LDAP patch to dhcpd %{__install} -p -m 0755 ldap-for-dhcp-%{ldappatchver}/dhcpd-conf-to-ldap contrib/ @@ -448,6 +454,11 @@ fi %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz %changelog +* Wed Aug 05 2009 David Cantrell - 12:4.1.0-25 +- Fix for CVE-2009-0692 +- Fix for CVE-2009-1892 (#511834) +- Disable patch for #514828 since that fix is still in updates-testing + * Tue Aug 04 2009 David Cantrell - 12:4.1.0-24 - Correct lease file format written by dhclient (#514828)
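Review bot: The changelog entry `- Disable patch for #514828 since that fix is still in updates-testing` does not match what the diff does: dhcp-4.1.0-lease-file-semicolons.patch is deleted from the tree rather than left in place unapplied, and its `Patch21:` slot is reassigned to the CVE-2009-0692 patch. If the #514828 fix is meant to return later, keeping the file and commenting out its `%patch` line would make the re-enable a one-line change; otherwise the entry should read `- Drop patch for #514828 since that fix is still in updates-testing`. Reusing a patch number for a different file also makes `git log -p` on the spec harder to follow, so a fresh `Patch23:` number would be the safer style.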