Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi Release Team,

Please unblock package dhcpcd5, which fixes a denial-of-service vulnerability (CVE-2014-6060). The relevant bug in the BTS is #770043. In addition to the patch, I have updated the Maintainer field to Debian QA Group, as the previous maintainer orphaned the package.

The full changelog is as follows:

dhcpcd5 (6.0.5-2) unstable; urgency=medium

  * QA upload.

  [ Pierre Schweitzer ]
  * Fix denial of service (CVE-2014-6060) in dhcpcd5. (Closes: #770043).

  [ Salvatore Bonaccorso ]
  * Refresh CVE-2014-6060.patch (offset)
  * Update patch headers for CVE-2014-6060.patch.
    Wrap long lines in fields and use Description field.
    Add Applied-Upstream value.
  * Set Maintainer to Debian QA Group (cf. #770082)

 -- Salvatore Bonaccorso <car...@debian.org>  Wed, 19 Nov 2014 17:08:30 +0100

Attached is also the full debdiff. Could you thus unblock dhcpcd5/6.0.5-2?

Many thanks in advance!

Regards,
Salvatore
diff -Nru dhcpcd5-6.0.5/debian/changelog dhcpcd5-6.0.5/debian/changelog --- dhcpcd5-6.0.5/debian/changelog 2013-12-04 14:49:45.000000000 +0100 +++ dhcpcd5-6.0.5/debian/changelog 2014-11-19 19:50:28.000000000 +0100 @@ -1,3 +1,19 @@ +dhcpcd5 (6.0.5-2) unstable; urgency=medium + + * QA upload. + + [ Pierre Schweitzer ] + * Fix denial of service (CVE-2014-6060) in dhcpcd5. (Closes: #770043). + + [ Salvatore Bonaccorso ] + * Refresh CVE-2014-6060.patch (offset) + * Update patch headers for CVE-2014-6060.patch. + Wrap long lines in fields and use Description field. + Add Applied-Upstream value. + * Set Maintainer to Debian QA Group (cf. #770082) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 19 Nov 2014 17:08:30 +0100 + dhcpcd5 (6.0.5-1.1) unstable; urgency=low * Non-maintainer upload. diff -Nru dhcpcd5-6.0.5/debian/control dhcpcd5-6.0.5/debian/control --- dhcpcd5-6.0.5/debian/control 2013-06-25 15:47:59.000000000 +0200 +++ dhcpcd5-6.0.5/debian/control 2014-11-19 19:50:28.000000000 +0100 @@ -1,7 +1,7 @@ Source: dhcpcd5 Section: net Priority: optional -Maintainer: Roy Marples <r...@marples.name> +Maintainer: Debian QA Group <packa...@qa.debian.org> Build-Depends: debhelper (>= 9) Standards-Version: 3.9.4.0 Homepage: http://roy.marples.name/projects/dhcpcd diff -Nru dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch --- dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch 1970-01-01 01:00:00.000000000 +0100 +++ dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch 2014-11-19 19:50:28.000000000 +0100 
@@ -0,0 +1,27 @@ +Description: Fix CVE-2014-6060 + Only bits 1 and 2 are used in the DHCP overload option, so when we + encounter the option set the last bit as well to ensure servername and + bootfile are only checked once as their check unsets bits 1 and 2. + Thanks to Tobias Stoeckmann. +Origin: upstream, http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0 +Bug-Debian: https://bugs.debian.org/770043 +From: Roy Marples <r...@marples.name> +Applied-Upstream: 6.4.3 + +--- a/dhcp.c ++++ b/dhcp.c +@@ -343,9 +343,12 @@ get_option(const struct dhcp_message *dh + goto exit; + break; + case DHO_OPTIONSOVERLOADED: +- /* Ensure we only get this option once */ ++ /* Ensure we only get this option once by setting ++ * the last bit as well as the value. ++ * This is valid because only the first two bits ++ * actually mean anything in RFC2132 Section 9.3 */ + if (!overl) +- overl = p[1]; ++ overl = 0x80 | p[1]; + break; + } + l = *p++; diff -Nru dhcpcd5-6.0.5/debian/patches/series dhcpcd5-6.0.5/debian/patches/series --- dhcpcd5-6.0.5/debian/patches/series 2013-12-04 14:52:31.000000000 +0100 +++ dhcpcd5-6.0.5/debian/patches/series 2014-11-19 19:50:28.000000000 +0100 @@ -1 +1,2 @@ kfreebsd.diff +CVE-2014-6060.patch
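Review bot: in the dhcp.c hunk of debian/patches/CVE-2014-6060.patch, `overl = 0x80 | p[1];` reads the option's first data byte, but nothing visible in the hunk checks that option 52 actually carries at least one byte before the DHO_OPTIONSOVERLOADED case runs; please confirm that the get_option() loop validates the length before this switch, otherwise a zero-length option 52 placed at the end of the buffer makes p[1] a read past the option. Since the new comment says only the first two bits mean anything (RFC 2132 section 9.3), the value could also be masked at the same time, e.g. `overl = 0x80 | (p[1] & 0x03);`, so that stray bits from a hostile server never reach the later servername/bootfile checks; the 0x80 marker alone is enough to keep `!overl` false on a second option 52, which is the property the fix relies on. Minor: the DEP-3 Description says "bits 1 and 2" while the code comment says "the first two bits"; both mean 0x01 and 0x02, but one wording would avoid a reader taking "bit 2" as 0x04.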
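A constructed model of the overload-bit mechanism described in the patch header, added here as an example; it is not dhcpcd's parser and the names (struct dhcp_fields, scan_field, count_scans, the two message builders), the field layout, the 100-scan cap standing in for the hang and the sample messages are all assumptions made for illustration. It also assumes that an overload bit is cleared before the corresponding field is scanned, which is the ordering under which a second option 52 inside that field can re-arm the bit when the pre-patch rule `overl = p[1]` is used. With the patched rule `overl = 0x80 | p[1]`, overl never returns to zero after the first option 52, so the second one is ignored and the parser stops.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DHCP option codes used by the model (RFC 2132). */
#define DHO_OPTIONSOVERLOADED 52
#define DHO_END               255

/* RFC 2132 section 9.3: bit 1 = 'file' carries options, bit 2 = 'sname' does. */
#define OVERLOAD_FILE   0x01
#define OVERLOAD_SNAME  0x02

/* Constructed message: only the three option-bearing fields are modelled. */
struct dhcp_fields {
    const uint8_t *options; size_t options_len;
    const uint8_t *file;    size_t file_len;
    const uint8_t *sname;   size_t sname_len;
};

/* Walk one TLV field. The only state it changes is 'overl', using either the
 * pre-patch rule (overl = p[1]) or the patched rule (overl = 0x80 | p[1]). */
static void scan_field(const uint8_t *p, size_t len, uint8_t *overl, bool fixed)
{
    size_t i = 0;
    while (i < len && p[i] != DHO_END) {
        if (i + 1 >= len)
            return;                       /* option code without a length byte */
        uint8_t code = p[i], l = p[i + 1];
        if (i + 2 + l > len)
            return;                       /* option body runs past the field */
        if (code == DHO_OPTIONSOVERLOADED && l >= 1 && !*overl)
            *overl = fixed ? (uint8_t)(0x80 | p[i + 2]) : p[i + 2];
        i += 2 + l;
    }
}

/* Returns how many field scans the parser performs before it stops, or -1 when
 * it reaches 'cap' scans (the model's stand-in for the hang). Assumption: each
 * overload bit is cleared before the matching field is scanned. */
int count_scans(const struct dhcp_fields *m, bool fixed, int cap)
{
    uint8_t overl = 0;
    int scans = 0;

    scan_field(m->options, m->options_len, &overl, fixed);
    scans++;
    while (scans < cap) {
        if (overl & OVERLOAD_FILE) {
            overl &= (uint8_t)~OVERLOAD_FILE;
            scan_field(m->file, m->file_len, &overl, fixed);
        } else if (overl & OVERLOAD_SNAME) {
            overl &= (uint8_t)~OVERLOAD_SNAME;
            scan_field(m->sname, m->sname_len, &overl, fixed);
        } else {
            return scans;
        }
        scans++;
    }
    return -1;
}

/* Constructed hostile message: option 52 in 'options' points at 'file', and
 * 'file' contains another option 52 that points at 'file' again. */
int scans_for_hostile_message(bool fixed)
{
    static const uint8_t options[] = { DHO_OPTIONSOVERLOADED, 1, OVERLOAD_FILE, DHO_END };
    static const uint8_t file[]    = { DHO_OPTIONSOVERLOADED, 1, OVERLOAD_FILE, DHO_END };
    static const uint8_t sname[]   = { DHO_END };
    struct dhcp_fields m = { options, sizeof options, file, sizeof file, sname, sizeof sname };
    return count_scans(&m, fixed, 100);
}

/* Constructed well-formed message: 'file' is overloaded once and carries no
 * further overload option, so both rules finish after two scans. */
int scans_for_benign_message(bool fixed)
{
    static const uint8_t options[] = { DHO_OPTIONSOVERLOADED, 1, OVERLOAD_FILE, DHO_END };
    static const uint8_t file[]    = { DHO_END };
    static const uint8_t sname[]   = { DHO_END };
    struct dhcp_fields m = { options, sizeof options, file, sizeof file, sname, sizeof sname };
    return count_scans(&m, fixed, 100);
}

int main(void)
{
    printf("hostile, pre-patch rule: %d (-1 = hit the scan cap)\n", scans_for_hostile_message(false));
    printf("hostile, patched rule:   %d\n", scans_for_hostile_message(true));
    printf("benign,  pre-patch rule: %d\n", scans_for_benign_message(false));
    printf("benign,  patched rule:   %d\n", scans_for_benign_message(true));
    return 0;
}
```

The benign message gives the same count under both rules, which is the check that the 0x80 marker changes nothing for a server that sends option 52 once; only the re-armed case diverges.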