From a7c8513f1d318de7553b975cbb9089dc4b5ba8b8 Mon Sep 17 00:00:00 2001
From: Pavel Zhukov
Date: Mar 01 2018 09:32:32 +0000
Subject: Security fix for CVE-2018-5732 CVE-2018-5733
---
diff --git a/dhcp-4.3.6-options_overflow.patch b/dhcp-4.3.6-options_overflow.patch
new file mode 100644
index 0000000..a51c0cc
--- /dev/null
+++ b/dhcp-4.3.6-options_overflow.patch
@@ -0,0 +1,41 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..8a1deca 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -1672,7 +1672,8 @@ format_min_length(format, oc)
+
+
+ /* Format the specified option so that a human can easily read it. */
+-
++/* Maximum pretty printed size */
++#define MAX_OUTPUT_SIZE 32*1024
+ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ struct option *option;
+ const unsigned char *data;
+@@ -1680,8 +1681,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ int emit_commas;
+ int emit_quotes;
+ {
+- static char optbuf [32768]; /* XXX */
+- static char *endbuf = &optbuf[sizeof(optbuf)];
++ /* We add 128 byte pad so we don't have to add checks everywhere. */
++ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
++ static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
+ int hunksize = 0;
+ int opthunk = 0;
+ int hunkinc = 0;
+@@ -2132,7 +2134,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ log_error ("Unexpected format code %c",
+ fmtbuf [j]);
+ }
++
+ op += strlen (op);
++ if (op >= endbuf) {
++ log_error ("Option data exceeds"
++ " maximum size %d", MAX_OUTPUT_SIZE);
++ return ("");
++ }
++
+ if (dp == data + len)
+ break;
+ if (j + 1 < numelem && comma != ':')
diff --git a/dhcp-4.3.6-reference_count_overflow.patch b/dhcp-4.3.6-reference_count_overflow.patch
new file mode 100644
index 0000000..c6c94cd
--- /dev/null
+++ b/dhcp-4.3.6-reference_count_overflow.patch
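Review bot: The new `if (op >= endbuf)` test in the third inner hunk of dhcp-4.3.6-options_overflow.patch runs only after the loop iteration has already written through `op`, so it is sound only if no single iteration can emit more than the 128 pad bytes beyond `endbuf`. That invariant is carried by the comment on `optbuf` alone and the writes themselves are outside the hunk, so it cannot be confirmed from here; it should be restated next to the check, e.g. `/* post-write check: relies on one element never emitting more than the 128-byte pad */`. Separately, `#define MAX_OUTPUT_SIZE 32*1024` should be parenthesised as `#define MAX_OUTPUT_SIZE (32*1024)` so that a later use beside `/`, `%` or a cast does not change its value. The body of pretty_print_option starts and ends outside these hunks.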
@@ -0,0 +1,13 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..a58c5fc 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -189,6 +189,8 @@ int parse_option_buffer (options, buffer, length, universe)
+
+ /* If the length is outrageous, the options are bad. */
+ if (offset + len > length) {
++ /* Avoid reference count overflow */
++ option_dereference(&option, MDL);
+ reason = "option length exceeds option buffer length";
+ bogus:
+ log_error("parse_option_buffer: malformed option "
diff --git a/dhcp.spec b/dhcp.spec
index 4503862..eef571b 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -18,7 +18,7 @@
 Summary: Dynamic host configuration protocol software
 Name: dhcp
 Version: 4.3.6
-Release: 8%{?dist}
+Release: 9%{?dist}
 # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now. It should have never been used, but it was.
@@ -75,7 +75,8 @@ Patch36: dhcp-option97-pxe-client-id.patch
 Patch37: dhcp-stateless-DUID-LLT.patch
 Patch38: dhcp-dhclient-preinit6s.patch
 Patch40: dhcp-4.3.6-omapi-leak.patch
-
+Patch42: dhcp-4.3.6-options_overflow.patch
+Patch43: dhcp-4.3.6-reference_count_overflow.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -338,6 +339,10 @@ rm bind/bind.tar.gz
 # https://bugzilla.redhat.com/1523547
 %patch40 -p1 -b .omapi-leak
+## https://bugzilla.redhat.com/show_bug.cgi?id=1550246
+%patch42 -p1
+%patch43 -p1
+
 # DHCLIENT_DEFAULT_PREFIX_LEN 64 -> 128
 # https://bugzilla.gnome.org/show_bug.cgi?id=656610
 sed -i -e 's|DHCLIENT_DEFAULT_PREFIX_LEN 64|DHCLIENT_DEFAULT_PREFIX_LEN 128|g' includes/site.h
@@ -664,6 +669,9 @@ done
 %endif
 %changelog
+* Thu Mar 1 2018 Pavel Zhukov - 12:4.3.6-9
+- Fix CVE-2018-5732 CVE-2018-5733 (#1550246)
+
 * Wed Jan 10 2018 Pavel Zhukov - 12:4.3.6-8
 - Use released version
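Review bot: In the parse_option_buffer hunk of dhcp-4.3.6-reference_count_overflow.patch, the added `option_dereference(&option, MDL);` sits inside the `offset + len > length` branch, while the `bogus:` label directly below it is an error exit that other paths can jump to. Any other `goto bogus` taken while `option` still holds a reference would presumably leak in the same way; those sites are outside the hunk and should be checked against this fix. The comment `/* Avoid reference count overflow */` would be clearer if it named what is released and why, e.g. `/* Drop the reference held on option before bailing out; otherwise each malformed option leaks one and the count can eventually wrap. */`. The function body starts and ends outside the hunk.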