Bug#611217: marked as done (CVE-2011-0413: crash after DHCPv6 decline message)

Debian Bug Tracking System Sat, 12 Feb 2011 08:21:26 -0800

Your message dated Sat, 12 Feb 2011 16:17:43 +0000
with message-id <e1poiaj-0004b2...@franck.debian.org>
and subject line Bug#611217: fixed in isc-dhcp 4.1.1-P1-16
has caused the Debian Bug report #611217,
regarding CVE-2011-0413: crash after DHCPv6 decline message
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
611217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: isc-dhcp-server
Version: 4.1.1-P1-15
Severity: grave
Tags: security patch

Hi Ari,

Just as a public record, the following advisory (CVE-2011-0413[0]) has been 
published by ISC[1]:

> When the DHCPv6 server code processes a message for an address that was
> previously declined and internally tagged as abandoned it can trigger an
> assert failure resulting in the server crashing. This could be used to
> crash DHCPv6 servers remotely. This issue only affects DHCPv6 servers.
> DHCPv4 servers are unaffected.

I'm attaching the patch that was used for 4.1-ESV, which applies almost 
cleanly in 4.1.1-P1 (3 lines diff between hunks.) I have not tested it, though.


[0]http://security-tracker.debian.org/tracker/CVE-2011-0413
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0413
[1]http://www.isc.org/software/dhcp/advisories/cve-2011-0413

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

--- dhcp-4.1-ESV/server/mdb6.c
+++ dhcp-4.1-ESV-R1/server/mdb6.c
@@ -1009,7 +1009,7 @@ move_lease_to_active(struct ipv6_pool *pool, struct iasubopt *lease) {
  * Renew an lease in the pool.
  *
  * To do this, first set the new hard_lifetime_end_time for the resource,
- * and then invoke renew_lease() on it.
+ * and then invoke renew_lease6() on it.
  *
  * WARNING: lease times must only be extended, never reduced!!!
  */
@@ -1019,12 +1019,24 @@ renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
 	 * If we're already active, then we can just move our expiration
 	 * time down the heap. 
 	 *
+	 * If we're abandoned then we are already on the active list
+	 * but we need to retag the lease and move our expiration
+	 * from infinite to the current value
+	 *
 	 * Otherwise, we have to move from the inactive heap to the 
 	 * active heap.
 	 */
 	if (lease->state == FTS_ACTIVE) {
 		isc_heap_decreased(pool->active_timeouts, lease->heap_index);
 		return ISC_R_SUCCESS;
+	} else if (lease->state == FTS_ABANDONED) {
+		char tmp_addr[INET6_ADDRSTRLEN];
+                lease->state = FTS_ACTIVE;
+                isc_heap_increased(pool->active_timeouts, lease->heap_index);
+		log_info("Reclaiming previously abandoned address %s",
+			 inet_ntop(AF_INET6, &(lease->addr), tmp_addr,
+				   sizeof(tmp_addr)));
+                return ISC_R_SUCCESS;
 	} else {
 		return move_lease_to_active(pool, lease);
 	}
@@ -1112,7 +1124,8 @@ isc_result_t
 decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
 	isc_result_t result;
 
-	if (lease->state != FTS_ACTIVE) {
+	if ((lease->state != FTS_ACTIVE) &&
+	    (lease->state != FTS_ABANDONED)) {
 		result = move_lease_to_active(pool, lease);
 		if (result != ISC_R_SUCCESS) {
 			return result;

signature.asc
Description: This is a digitally signed message part.

--- End Message ---

--- Begin Message ---

Source: isc-dhcp
Source-Version: 4.1.1-P1-16

We believe that the bug you reported is fixed in the latest version of
isc-dhcp, which is due to be installed in the Debian FTP archive:

dhcp3-client_4.1.1-P1-16_all.deb
  to main/i/isc-dhcp/dhcp3-client_4.1.1-P1-16_all.deb
dhcp3-common_4.1.1-P1-16_all.deb
  to main/i/isc-dhcp/dhcp3-common_4.1.1-P1-16_all.deb
dhcp3-dev_4.1.1-P1-16_all.deb
  to main/i/isc-dhcp/dhcp3-dev_4.1.1-P1-16_all.deb
dhcp3-relay_4.1.1-P1-16_all.deb
  to main/i/isc-dhcp/dhcp3-relay_4.1.1-P1-16_all.deb
dhcp3-server_4.1.1-P1-16_all.deb
  to main/i/isc-dhcp/dhcp3-server_4.1.1-P1-16_all.deb
isc-dhcp-client-dbg_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-client-dbg_4.1.1-P1-16_i386.deb
isc-dhcp-client-udeb_4.1.1-P1-16_i386.udeb
  to main/i/isc-dhcp/isc-dhcp-client-udeb_4.1.1-P1-16_i386.udeb
isc-dhcp-client_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-client_4.1.1-P1-16_i386.deb
isc-dhcp-common_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-common_4.1.1-P1-16_i386.deb
isc-dhcp-dev_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-dev_4.1.1-P1-16_i386.deb
isc-dhcp-relay-dbg_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-relay-dbg_4.1.1-P1-16_i386.deb
isc-dhcp-relay_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-relay_4.1.1-P1-16_i386.deb
isc-dhcp-server-dbg_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-server-dbg_4.1.1-P1-16_i386.deb
isc-dhcp-server-ldap_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-server-ldap_4.1.1-P1-16_i386.deb
isc-dhcp-server_4.1.1-P1-16_i386.deb
  to main/i/isc-dhcp/isc-dhcp-server_4.1.1-P1-16_i386.deb
isc-dhcp_4.1.1-P1-16.diff.gz
  to main/i/isc-dhcp/isc-dhcp_4.1.1-P1-16.diff.gz
isc-dhcp_4.1.1-P1-16.dsc
  to main/i/isc-dhcp/isc-dhcp_4.1.1-P1-16.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 611...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Pollock <apoll...@debian.org> (supplier of updated isc-dhcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 03 Feb 2011 22:20:55 -0800
Source: isc-dhcp
Binary: isc-dhcp-server isc-dhcp-server-dbg isc-dhcp-server-ldap 
isc-dhcp-common isc-dhcp-dev isc-dhcp-client isc-dhcp-client-dbg 
isc-dhcp-client-udeb isc-dhcp-relay isc-dhcp-relay-dbg dhcp3-server 
dhcp3-client dhcp3-relay dhcp3-common dhcp3-dev
Architecture: source i386 all
Version: 4.1.1-P1-16
Distribution: unstable
Urgency: high
Maintainer: Debian ISC DHCP maintainers <pkg-dhcp-de...@lists.alioth.debian.org>
Changed-By: Andrew Pollock <apoll...@debian.org>
Description: 
 dhcp3-client - ISC DHCP server (transitional package)
 dhcp3-common - ISC DHCP common files (transitional package)
 dhcp3-dev  - ISC DHCP development files (transitional package)
 dhcp3-relay - ISC DHCP relay (transitional package)
 dhcp3-server - ISC DHCP server (transitional package)
 isc-dhcp-client - ISC DHCP client
 isc-dhcp-client-dbg - ISC DHCP client (debugging symbols)
 isc-dhcp-client-udeb - ISC DHCP Client for debian-installer (udeb)
 isc-dhcp-common - common files used by all the isc-dhcp* packages
 isc-dhcp-dev - API for accessing and modifying the DHCP server and client state
 isc-dhcp-relay - ISC DHCP relay daemon
 isc-dhcp-relay-dbg - DHCP relay daemon (debugging symbols)
 isc-dhcp-server - ISC DHCP server for automatic IP address assignment
 isc-dhcp-server-dbg - ISC DHCP server for automatic IP address assignment 
(debug)
 isc-dhcp-server-ldap - DHCP server able to use LDAP as backend
Closes: 611217
Changes: 
 isc-dhcp (4.1.1-P1-16) unstable; urgency=high
 .
   * Patch by Raphael Geissert from 4.1-ESV for CVE-2011-0413 (closes: #611217)
Checksums-Sha1: 
 9ba46554deeea54f0a4f8d2920db923ea29182b5 2176 isc-dhcp_4.1.1-P1-16.dsc
 c12bc87e24e1f2151da3a395558ebc8253cebcf3 130845 isc-dhcp_4.1.1-P1-16.diff.gz
 a6f789ca6731b99985fb7f28340b860f1eb6db93 377526 
isc-dhcp-server_4.1.1-P1-16_i386.deb
 1a359b6dfe00363d8289b0412975c1fe675b0c6e 797608 
isc-dhcp-server-dbg_4.1.1-P1-16_i386.deb
 f8a516c2bc0d27bb75a6eb41a5cae512b05561e9 338630 
isc-dhcp-server-ldap_4.1.1-P1-16_i386.deb
 60f938732afe334e1e452c992bcbfcf028f8beef 315520 
isc-dhcp-common_4.1.1-P1-16_i386.deb
 648d6edaa805b2087e40e17db07659dbdd18924d 668954 
isc-dhcp-dev_4.1.1-P1-16_i386.deb
 df92d191f1df28da9486e34e297e808b5ac828b3 253796 
isc-dhcp-client_4.1.1-P1-16_i386.deb
 517530b9ceb6a0a41d274fbb4445d3da36db46d2 619518 
isc-dhcp-client-dbg_4.1.1-P1-16_i386.deb
 03ad8598ffb95abb83d2f6055975fe96ae79e9f2 202392 
isc-dhcp-client-udeb_4.1.1-P1-16_i386.udeb
 6f0e1c8501e58879bd365e47cd2982f2cc853271 204314 
isc-dhcp-relay_4.1.1-P1-16_i386.deb
 758a59ef3d40c008ebe8546b2ac9c9fe2d17c894 563582 
isc-dhcp-relay-dbg_4.1.1-P1-16_i386.deb
 feef02515312b1ae6b2890e87122410c89b8c996 25752 dhcp3-server_4.1.1-P1-16_all.deb
 c1c54a6873846f452949902c2f9a2de421b27d3c 25320 dhcp3-client_4.1.1-P1-16_all.deb
 735778060b97f345e77eb2492b9602c8633dd770 25458 dhcp3-relay_4.1.1-P1-16_all.deb
 6599ca45bd4b28d34624d5032e85ebc5593f5884 24876 dhcp3-common_4.1.1-P1-16_all.deb
 ecc704c97ef4cea41e778878b407a7724228d0fc 24924 dhcp3-dev_4.1.1-P1-16_all.deb
Checksums-Sha256: 
 d96647da85c88f74106f8315cab7e556e1300454d9d70940ad5b2e9a4f90c289 2176 
isc-dhcp_4.1.1-P1-16.dsc
 63a7cdb7c70a532137e75c29958232f49f92bd1e294bf24a78024076c6f207a3 130845 
isc-dhcp_4.1.1-P1-16.diff.gz
 3194c563283c4b049420e071306953d34eee027998408d51d0986d662720e94d 377526 
isc-dhcp-server_4.1.1-P1-16_i386.deb
 8ebcaa62bad5a6f92a8d81830c824fa205a16c3cd82a989f176d90eb254d7f41 797608 
isc-dhcp-server-dbg_4.1.1-P1-16_i386.deb
 56118909e59128109f5dde6866bf7d4aee65ba4771ad064102a30fd59811eb34 338630 
isc-dhcp-server-ldap_4.1.1-P1-16_i386.deb
 4281610eb534cd8eff797699cbf0ba1ec2288fa30a8b54cba5a3aca5ba39fc1c 315520 
isc-dhcp-common_4.1.1-P1-16_i386.deb
 21b456e75923edca8113977aee9525bd973bbfbfdebb0b09436d8e9110bb0305 668954 
isc-dhcp-dev_4.1.1-P1-16_i386.deb
 74cba34df48e4976e26491f1c4c37182e2152efe764020b0f9ec1eb95424b8e4 253796 
isc-dhcp-client_4.1.1-P1-16_i386.deb
 4518f986fa33624c5d2040485b1fc356a665db7caf69a66b3dab50934efe44de 619518 
isc-dhcp-client-dbg_4.1.1-P1-16_i386.deb
 14f20771abf3369858b779890e83bcea4668dcf6a24acc107344122c9cdc4563 202392 
isc-dhcp-client-udeb_4.1.1-P1-16_i386.udeb
 dea9639365b2fe2c82b62843c905f5e626b9be39df833a5f1e37152f3699e71c 204314 
isc-dhcp-relay_4.1.1-P1-16_i386.deb
 6b0c7663e81a7a962b0d83ce20ab27a9a452bf13a9069b57048eeee26331c842 563582 
isc-dhcp-relay-dbg_4.1.1-P1-16_i386.deb
 850e08507be0d6eefa348de2c16d673d2b3a418bd22e35902a54267ea8293eed 25752 
dhcp3-server_4.1.1-P1-16_all.deb
 2b604457ede032d8c7f37e1539ec3cee801652e099c9f70b012ea2a16d840c26 25320 
dhcp3-client_4.1.1-P1-16_all.deb
 4fc399aa25c34c5aa8c7db08e0c947371601e1052787a1a7ff06c2b5a0b7c528 25458 
dhcp3-relay_4.1.1-P1-16_all.deb
 78b5c9a8d3e844d266725783ba16bf52c7f54d02a151648c361dfd8174f29260 24876 
dhcp3-common_4.1.1-P1-16_all.deb
 99060504f5b499f4d1c5eae9f956499bfbc25c7244a2d0868ceeb4aaf7e8bb8d 24924 
dhcp3-dev_4.1.1-P1-16_all.deb
Files: 
 18d3669ce6efef79129d1520411a254d 2176 net important isc-dhcp_4.1.1-P1-16.dsc
 b0af1f460051b15d0cedc3156ae46ee5 130845 net important 
isc-dhcp_4.1.1-P1-16.diff.gz
 5dea5f406c5814593726e0eb2101ae64 377526 net optional 
isc-dhcp-server_4.1.1-P1-16_i386.deb
 7e0eb405ae29a05da0694b46ac9d6d71 797608 debug extra 
isc-dhcp-server-dbg_4.1.1-P1-16_i386.deb
 d3a5e4b9c931f19d820b2fb92450b62f 338630 net optional 
isc-dhcp-server-ldap_4.1.1-P1-16_i386.deb
 72af94cf9ae87304341cb5d30ee28118 315520 net important 
isc-dhcp-common_4.1.1-P1-16_i386.deb
 9efe819dfb6ba33b101c8723263d37b1 668954 devel optional 
isc-dhcp-dev_4.1.1-P1-16_i386.deb
 aaf63f669b7e5924f9a85334b82af6f4 253796 net important 
isc-dhcp-client_4.1.1-P1-16_i386.deb
 0239cefa75c3f930f7a9c3de855275d3 619518 debug extra 
isc-dhcp-client-dbg_4.1.1-P1-16_i386.deb
 7e35019c4ce55e024144cc560b06fa1e 202392 debian-installer extra 
isc-dhcp-client-udeb_4.1.1-P1-16_i386.udeb
 7ba8ce8002f65912e542e613a3ae90b6 204314 net optional 
isc-dhcp-relay_4.1.1-P1-16_i386.deb
 96b63509ad0342c51f54c118c8382474 563582 debug extra 
isc-dhcp-relay-dbg_4.1.1-P1-16_i386.deb
 6ddea7d35cf5381a32d4369e902a01bc 25752 oldlibs extra 
dhcp3-server_4.1.1-P1-16_all.deb
 b7521f6b7ef6143199938d46a77c8438 25320 oldlibs extra 
dhcp3-client_4.1.1-P1-16_all.deb
 1dec2303845b54371202b4502a6c56dd 25458 oldlibs extra 
dhcp3-relay_4.1.1-P1-16_all.deb
 8449f5b62a5ec9857efc22b0ba33c9a6 24876 oldlibs extra 
dhcp3-common_4.1.1-P1-16_all.deb
 74d70ca3649effb741ba0bf22106d4b6 24924 oldlibs extra 
dhcp3-dev_4.1.1-P1-16_all.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBAgAGBQJNS52bAAoJEFHf2Ts++3nv1doP/jUghrEKmwOgoDEJNoDoM0en
/w6/OL5GVDDjEXT3Wjqv94yQdOPiNBwf6Cvzr0P4dcf92Z7+h/aqaCF+2TTD6PLn
Vns8U9JM1/1Bal5HFOYUXkX1qVVKS9umKKIhalpvuwjtVTNd9nlQ63dc48lIp5I4
6kjmjYv6HtXO4Y6JQLeHC6gRC0VvkUUdCUIJxY+D+ZKTZMMGZZ1lQaPLe0BP6Ta6
yruqfC51LblJovN9d7qd1imZxjWvZRkEsGJ9C8bbAjWFzvPHY+RbfZszmVgL4yDY
sRIsRo0xo4I89P3tB1CllhmqPhMu5daKNQ9CMzMv+K4Ur72bzmSWQcnPTLG2CkfI
2HEr0HKjsW7JQMPiv4qwvDOr95oY4Hugq6sadmHrSfjxfGuDuK0LgC4cOqWSQhHc
s2MfuTbEZgc/9ljohGIp98MeKj2K1S+E5n3UeKA8PQkG5IqB+wvT7WZR6GjsOPcz
f84YV3Va2MhbE1XI7TK5fwNOIojH/XMF7PuRsK7SRJWbG1ovZa9qWv4+uyJ+QV/p
1yTyivWGfaKhIojc6zvvsUwjYQ1GrgYH10A1WdtufLRDaxOvs59IjCaUxhSYqryM
lWDfQ6LkW2KCP+vsaRYW7Y42X8jLzjjdDOrJZefC8YOa+cg1UinUuAoEhzo4rEfj
haoc6Gks7bm05hkIvohX
=KfbU
-----END PGP SIGNATURE-----

--- End Message ---

Bug#611217: marked as done (CVE-2011-0413: crash after DHCPv6 decline message)

Reply via email to