diff --git a/dhcp-4.1.0-CVE-2009-0692.patch b/dhcp-4.1.0-CVE-2009-0692.patch
new file mode 100644
index 0000000..88afc11
--- /dev/null
+++ b/dhcp-4.1.0-CVE-2009-0692.patch
@@ -0,0 +1,21 @@
+diff -up dhcp-4.1.0/client/dhclient.c.CVE-2009-0692 dhcp-4.1.0/client/dhclient.c
+--- dhcp-4.1.0/client/dhclient.c.CVE-2009-0692 2008-06-11 10:17:10.000000000 -1000
++++ dhcp-4.1.0/client/dhclient.c 2009-08-05 11:32:24.000000000 -1000
+@@ -3054,8 +3054,15 @@ void script_write_params (client, prefix
+ if (data.len > 3) {
+ struct iaddr netmask, subnet, broadcast;
+ 
+- memcpy (netmask.iabuf, data.data, data.len);
+- netmask.len = data.len;
++ /*
++ * No matter the length of the subnet-mask option,
++ * use only the first four octets. Note that
++ * subnet-mask options longer than 4 octets are not
++ * in conformance with RFC 2132, but servers with this
++ * flaw do exist.
++ */
++ memcpy(netmask.iabuf, data.data, 4);
++ netmask.len = 4;
+ data_string_forget (&data, MDL);
+ 
+ subnet = subnet_number (lease -> address, netmask);
diff --git a/dhcp-4.1.0-CVE-2009-1892.patch b/dhcp-4.1.0-CVE-2009-1892.patch
new file mode 100644
index 0000000..c174ecc
--- /dev/null
+++ b/dhcp-4.1.0-CVE-2009-1892.patch
@@ -0,0 +1,12 @@
+diff -up dhcp-4.1.0/server/dhcp.c.CVE-2009-1892 dhcp-4.1.0/server/dhcp.c
+--- dhcp-4.1.0/server/dhcp.c.CVE-2009-1892 2008-11-03 08:13:58.000000000 -1000
++++ dhcp-4.1.0/server/dhcp.c 2009-08-05 11:34:07.000000000 -1000
+@@ -1755,6 +1755,8 @@ void ack_lease (packet, lease, offer, wh
+ host_reference (&host, h, MDL);
+ }
+ if (!host) {
++ if (hp)
++ host_dereference (&hp, MDL);
+ find_hosts_by_haddr (&hp,
+ packet -> raw -> htype,
+ packet -> raw -> chaddr,
diff --git a/dhcp.spec b/dhcp.spec
index 17783d3..b871142 100644
--- a/dhcp.spec
+++ b/dhcp.spec
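Review bot: The new `memcpy(netmask.iabuf, data.data, 4)` is bounded by the `data.len > 3` guard on the hunk's first context line, which is correct, but an over-long subnet-mask option is now truncated silently, so a non-conforming (or hostile) server that this patch guards against leaves no trace in the client's logs. Consider reporting the truncation once, e.g. `if (data.len > 4) log_error ("subnet-mask option is %u octets, using the first 4", data.len);` with the format matching data.len's actual type and the logging helper this file already uses, so operators can spot such servers. The added comment block explains the format point (RFC 2132) but not the policy; a phrase such as `/* truncate rather than reject so leases from such servers stay usable */` would record why truncation was chosen. script_write_params continues outside the hunk, so any other option copied into a fixed-size `iabuf` there presumably needs the same kind of bound; worth checking the rest of the function.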
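Review bot: The added `if (hp) host_dereference (&hp, MDL);` releases a reference that `hp` presumably still holds from an earlier lookup before `find_hosts_by_haddr` is handed `&hp` again, but nothing in the code says so, and a later maintainer could remove the guard as redundant; a one-line comment such as `/* hp may still reference the host found by the earlier lookup; drop it before find_hosts_by_haddr reuses it as an output parameter */` would pin the intent. ack_lease continues both above and below the hunk, and the lookup that first populates `hp` is not visible here, so any other call further down that passes `&hp` as an output parameter likely needs the same release first; that should be verified against the full function rather than assumed fixed by this hunk.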
@@ -10,7 +10,7 @@
 Summary: Dynamic host configuration protocol software
 Name: dhcp
 Version: 4.1.0
-Release: 26%{?dist}
+Release: 27%{?dist}
 # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now. It should have never been used, but it was.
@@ -49,6 +49,8 @@ Patch18: %{name}-4.1.0-missing-ipv6-not-fatal.patch
 Patch19: %{name}-4.1.0-IFNAMSIZ.patch
 Patch20: %{name}-4.1.0-add_timeout_when_NULL.patch
 Patch21: %{name}-4.1.0-64_bit_lease_parse.patch
+Patch22: %{name}-4.1.0-CVE-2009-0692.patch
+Patch23: %{name}-4.1.0-CVE-2009-1892.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires: autoconf
@@ -203,6 +205,14 @@ libdhcpctl and libomapi static libraries are also included in this package.
 # Ensure 64-bit platforms parse lease file dates & times correctly (#448615)
 %patch21 -p1
 
+# Fix for CVE-2009-0692 (patch from Mandriva SRPM)
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
+%patch22 -p1
+
+# Fix for CVE-2009-1892 (patch from Mandriva SRPM)
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892
+%patch23 -p1
+
 # Copy in documentation and example scripts for LDAP patch to dhcpd
 %{__install} -p -m 0755 ldap-for-dhcp-%{ldappatchver}/dhcpd-conf-to-ldap contrib/
 
@@ -457,6 +467,10 @@ fi
 %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Wed Aug 05 2009 David Cantrell - 12:4.1.0-27
+- Fix for CVE-2009-0692
+- Fix for CVE-2009-1892 (#511834)
+
 * Fri Jul 24 2009 Fedora Release Engineering - 12:4.1.0-26
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild