Control: retitle -1 tpu: isc-dhcp/4.2.2.dfsg.1-5+deb7u1 Control: user release.debian....@packages.debian.org Control: usertags -1 = tpu
Le 19/08/2012 12:23, Cyril Brulebois a écrit : > I don't see any reasons why the version currently sitting in testing > would not be the version in wheezy. I've prepared a tpu for isc-dhcp, addressing three grave security issues. Thanks in advance for considering it. Regards David
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/changelog isc-dhcp-4.2.2.dfsg.1/debian/changelog
--- isc-dhcp-4.2.2.dfsg.1/debian/changelog 2012-04-28 16:03:12.000000000 -0400
+++ isc-dhcp-4.2.2.dfsg.1/debian/changelog 2012-09-09 18:30:42.000000000 -0400
@@ -1,3 +1,14 @@
+isc-dhcp (4.2.2.dfsg.1-5+deb7u1) wheezy; urgency=low
+
+ * Non-maintainer upload.
+ * Backport upstream changes for the following security issues:
+ - CVE-2012-3954: memory leaks in dhcpv6 mode
+ - CVE-2012-3570: DoS via crafted client identifier parameter
+ - CVE-2012-3571: DoS via malformed client ids
+ (closes: #686174)
+
+ -- David Prévot <taf...@debian.org> Sun, 09 Sep 2012 18:30:02 -0400
+
 isc-dhcp (4.2.2.dfsg.1-5) unstable; urgency=medium
 
 [ Andrew Pollock ]
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 1969-12-31 20:00:00.000000000 -0400
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 2012-09-09 18:26:22.000000000 -0400
@@ -0,0 +1,157 @@
+Description: Backport upstream changes for CVE-2012-3954, CVE-2012-3570 and CVE-2012-3571
+ - CVE-2012-3954: memory leaks in dhcpv6 mode
+ - CVE-2012-3570: DoS via crafted client identifier parameter
+ - CVE-2012-3571: DoS via malformed client ids
+
+Bug-Debian: http://bugs.debian.org/686174
+Origin: upstream
+Forwarded: not-needed
+Reviewed-By: David Prévot <taf...@debian.org>
+Last-Update: 2012-09-09
+
+--- a/common/options.c
++++ b/common/options.c
+@@ -2359,6 +2359,8 @@
+
+ /* And let go of our references. */
+ cleanup:
++ if (lbp != NULL)
++ buffer_dereference(&lbp, MDL);
+ option_dereference(&option, MDL);
+
+ return 1;
+@@ -3754,11 +3756,13 @@
+ data_string_forget (&dp, MDL);
+ }
+ }
+-
+- if (decoded_packet -> packet_type)
+- dhcp (decoded_packet);
+- else
+- bootp (decoded_packet);
++
++ if (validate_packet(decoded_packet) != 0) {
++ if (decoded_packet->packet_type)
++ dhcp(decoded_packet);
++ else
++ bootp(decoded_packet);
++ }
+
+ /* If the caller kept the packet, they'll have upped the refcnt. */
+ packet_dereference (&decoded_packet, MDL);
+@@ -4076,4 +4080,47 @@
+ return 1;
+ }
+
++/**
++ * Checks if received BOOTP/DHCPv4 packet is sane
++ *
++ * @param packet received, decoded packet
++ *
++ * @return 1 if packet is sane, 0 if it is not
++ */
++int validate_packet(struct packet *packet)
++{
++ struct option_cache *oc = NULL;
++
++ oc = lookup_option (&dhcp_universe, packet->options,
++ DHO_DHCP_CLIENT_IDENTIFIER);
++ if (oc) {
++ /* Let's check if client-identifier is sane */
++ if (oc->data.len == 0) {
++ log_debug("Dropped DHCPv4 packet with zero-length client-id");
++ return (0);
+
++ } else if (oc->data.len == 1) {
++ /*
++ * RFC2132, section 9.14 states that minimum length of client-id
++ * is 2. We will allow single-character client-ids for now (for
++ * backwards compatibility), but warn the user that support for
++ * this is against the standard.
++ */
++ log_debug("Accepted DHCPv4 packet with one-character client-id - "
++ "a future version of ISC DHCP will reject this");
++ }
++ } else {
++ /*
++ * If hlen is 0 we don't have any identifier, we warn the user
++ * but continue processing the packet as we can.
++ */
++ if (packet->raw->hlen == 0) {
++ log_debug("Received DHCPv4 packet without client-id"
++ " option and empty hlen field.");
++ }
++ }
++
++ /* @todo: Add checks for other received options */
++
++ return (1);
++}
+--- a/includes/dhcpd.h
++++ b/includes/dhcpd.h
+@@ -432,11 +432,17 @@
+ isc_boolean_t unicast;
+ };
+
+-/* A network interface's MAC address. */
++/*
++ * A network interface's MAC address.
++ * 20 bytes for the hardware address
++ * and 1 byte for the type tag
++ */
++
++#define HARDWARE_ADDR_LEN 20
+
+ struct hardware {
+ u_int8_t hlen;
+- u_int8_t hbuf [17];
++ u_int8_t hbuf[HARDWARE_ADDR_LEN + 1];
+ };
+
+ #if defined(LDAP_CONFIGURATION)
+@@ -1851,6 +1857,8 @@
+ int, int, const struct iaddr *, isc_boolean_t);
+ int packet6_len_okay(const char *, int);
+
++int validate_packet(struct packet *);
++
+ int add_option(struct option_state *options,
+ unsigned int option_num,
+ void *data,
+--- a/server/dhcpv6.c
++++ b/server/dhcpv6.c
+@@ -1241,6 +1241,8 @@
+ struct data_string packet_oro;
+ isc_boolean_t no_resources_avail;
+
++ memset(&packet_oro, 0, sizeof(packet_oro));
++
+ /* Locate the client. */
+ if (shared_network_from_packet6(&reply.shared,
+ packet) != ISC_R_SUCCESS)
+@@ -1263,7 +1265,6 @@
+ * Get the ORO from the packet, if any.
+ */
+ oc = lookup_option(&dhcpv6_universe, packet->options, D6O_ORO);
+- memset(&packet_oro, 0, sizeof(packet_oro));
+ if (oc != NULL) {
+ if (!evaluate_option_cache(&packet_oro, packet,
+ NULL, NULL,
+@@ -1524,6 +1525,8 @@
+ packet_dereference(&reply.packet, MDL);
+ if (reply.client_id.data != NULL)
+ data_string_forget(&reply.client_id, MDL);
++ if (packet_oro.buffer != NULL)
++ data_string_forget(&packet_oro, MDL);
+ reply.renew = reply.rebind = reply.prefer = reply.valid = 0;
+ reply.cursor = 0;
+ }
+@@ -6029,7 +6032,7 @@
+ break;
+ }
+
+- if (hlen == 0)
++ if ((hlen == 0) || (hlen > HARDWARE_ADDR_LEN))
+ return 0;
+
+ /*
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/series isc-dhcp-4.2.2.dfsg.1/debian/patches/series
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/series 2012-04-28 15:52:10.000000000 -0400
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/series 2012-09-09 18:24:57.000000000 -0400
@@ -4,3 +4,4 @@
 bind-autoconf
 cve-2011-4539.patch
 cve-2011-4868.patch
+CVE-2012-3570_CVE-2012-3571_CVE-2012-3954
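Review bot: In `validate_packet()` (the last common/options.c hunk) a packet with a zero-length client-id is dropped with only a `log_debug` line, so a server that does not record debug-level messages leaves no trace of the rejected traffic; how debug messages are routed is not visible in this patch. I would log the drop at a level operators normally keep, e.g. `log_info("Dropped DHCPv4 packet with zero-length client-id");`, so that a burst of malformed requests shows up in monitoring. The doc comment should also state that a one-byte client-id is still accepted for backwards compatibility, because "sane" in the `@return` line does not say so.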
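Review bot: The cleanup added in the server/dhcpv6.c hunk `@@ -1524,6 +1525,8 @@` reads `packet_oro.buffer`, which is only well defined because the `memset` was moved up in hunk `@@ -1241,6 +1241,8 @@`, presumably ahead of the first early exit; nothing in the code records that dependency. A comment at the relocated `memset`, for example `/* Zero packet_oro before any early exit: the cleanup path inspects it. */`, would keep a later refactor from moving the initialisation back below a jump to the cleanup code. The neighbouring cleanup tests `reply.client_id.data` while the new one tests `.buffer`; it is worth confirming against `data_string_forget()`, whose definition is not in this diff, that `.buffer` is the right field to guard on. The enclosing function starts and ends outside these hunks.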
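Review bot: The new upper bound `hlen > HARDWARE_ADDR_LEN` in the server/dhcpv6.c hunk `@@ -6029,7 +6032,7 @@` is sufficient only if the code that follows stores at most `hlen` address bytes after the type tag in `hbuf`; that copy is outside the hunk, so it cannot be confirmed from here. Since includes/dhcpd.h now declares `hbuf[HARDWARE_ADDR_LEN + 1]`, a comment above the test such as `/* hbuf[0] is the type tag, so at most HARDWARE_ADDR_LEN address bytes fit. */` would tie the check to the buffer layout. The struct comment in dhcpd.h should likewise say whether `hlen` counts the type byte, because every bounds check on `struct hardware` depends on that convention.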