
Re: klibc 1.5.20 stable/oldstable update



On Thu, 19 May 2011, Adam D. Barratt wrote:

> On Wed, 2011-05-18 at 15:41 +0000, maximilian attems wrote:
> > * [klibc] ipconfig: comment new escape function
> >   security fix for CVE-2011-0997 type vulnerability
> >   corresponding cve requested but not yet given out.
> > http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
> 
> As mentioned on oss-sec, it would be nice if this didn't write to a
> predictable filename.  From the stable update point-of-view though, I
> realise that's not a regression relative to the current lenny / squeeze
> versions.

It is not of relevance for current pre-init usage, as you don't have
unprivileged users there, but it will get fixed upstream, by making the
used dir an optional switch.
 
> > * [klibc] ipconfig: Only peek and discard packets from specified device.
> >   This fixes netbooting on boxes with several connected network dev.
> >   (the commit is on the largeish side, but got tested together with 1.5.20)
> > http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c
> > 
> > 
> > concerning oldstable only the first one should be fixed.
> > ipconfig has deeper troubles there.
> > 
> > if acked by SRM I'd upload a klibc-1.5.20-2 with just the 2 above fixes
> > for stable and a 1.5.12-3 for oldstable with just the first fix?
> 
> It's conventional to use e.g. -1+squeeze1, but afaics the above versions
> have not been previously uploaded to Debian so could be used if you
> wish.

ok cool, used the "conventional" numbering.
 
> I'd appreciate debdiffs for a final check before the uploads, but the
> above sounds good; thanks.

do you mean the output of debdiff on the dsc files, as below?
below is for stable; oldstable will follow once this is acked.

thank you

-- 
maks


diff -Nru klibc-1.5.20/debian/changelog klibc-1.5.20/debian/changelog
--- klibc-1.5.20/debian/changelog	2010-08-28 13:07:23.000000000 +0200
+++ klibc-1.5.20/debian/changelog	2011-05-30 17:20:39.000000000 +0200
@@ -1,3 +1,10 @@
+klibc (1.5.20-1+squeeze1) stable; urgency=low
+
+  * ipconfig: handle multiple connected network dev. (closes: #621065)
+  * ipconfig: Escape DHCP options. (CVE-2011-1930)
+
+ -- maximilian attems <maks@debian.org>  Mon, 30 May 2011 17:17:18 +0200
+
 klibc (1.5.20-1) unstable; urgency=high
 
   * New upstream release
diff -Nru klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 klibc-1.5.20/debian/patches/debian-changes-1.5.20-1
--- klibc-1.5.20/debian/patches/debian-changes-1.5.20-1	2010-08-28 13:09:43.000000000 +0200
+++ klibc-1.5.20/debian/patches/debian-changes-1.5.20-1	1970-01-01 01:00:00.000000000 +0100
@@ -1,54 +0,0 @@
-Description: Upstream changes introduced in version 1.5.20-1
- This patch has been created by dpkg-source during the package build.
- Here's the last changelog entry, hopefully it gives details on why
- those changes were made:
- .
- klibc (1.5.20-1) unstable; urgency=high
- .
-   * New upstream release
-     - ipconfig: fix infinite loop. (closes: #552554)
-     - ipconfig: fix multiple dns domains. (closes: #594208)
-   * klibc-utils.postinst: Nuke non empty dirs too. (closes: #594651)
- .
- The person named in the Author field signed this changelog entry.
-Author: maximilian attems <maks@debian.org>
-Bug-Debian: http://bugs.debian.org/552554
-Bug-Debian: http://bugs.debian.org/594208
-Bug-Debian: http://bugs.debian.org/594651
-
----
-The information above should follow the Patch Tagging Guidelines, please
-checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
-are templates for supplementary fields that you might want to add:
-
-Origin: <vendor|upstream|other>, <url of original patch>
-Bug: <url in upstream bugtracker>
-Bug-Debian: http://bugs.debian.org/<bugnumber>
-Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
-Forwarded: <no|not-needed|url proving that it has been forwarded>
-Reviewed-By: <name and email of someone who approved the patch>
-Last-Update: <YYYY-MM-DD>
-
---- /dev/null
-+++ klibc-1.5.20/maketar.sh
-@@ -0,0 +1,20 @@
-+#!/bin/bash -xe
-+#
-+# Make a tarball from the current git repository
-+#
-+
-+[ -z "$tmpdir" ] && tmpdir=/var/tmp
-+
-+tmp=$tmpdir/klibc.$$
-+rm -rf $tmp
-+cg-export $tmp
-+cd $tmp
-+make release
-+version=`cat usr/klibc/version`
-+rm -rf $tmpdir/klibc-$version
-+mv $tmp $tmpdir/klibc-$version
-+cd ..
-+rm -f klibc-$version.tar*
-+tar cvvf klibc-$version.tar klibc-$version
-+gzip -9 klibc-$version.tar
-+rm -rf klibc-$version
diff -Nru klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1
--- klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1	1970-01-01 01:00:00.000000000 +0100
+++ klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1	2011-05-30 17:27:42.000000000 +0200
@@ -0,0 +1,50 @@
+Description: Upstream changes introduced in version 1.5.20-1+squeeze1
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ klibc (1.5.20-1+squeeze1) stable; urgency=low
+ .
+   * ipconfig: handle multiple connected network dev. (closes: #621065)
+   * ipconfig: Escape DHCP options. (CVE-2011-1930)
+ .
+ The person named in the Author field signed this changelog entry.
+Author: maximilian attems <maks@debian.org>
+Bug-Debian: http://bugs.debian.org/621065
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- /dev/null
++++ klibc-1.5.20/maketar.sh
+@@ -0,0 +1,20 @@
++#!/bin/bash -xe
++#
++# Make a tarball from the current git repository
++#
++
++[ -z "$tmpdir" ] && tmpdir=/var/tmp
++
++tmp=$tmpdir/klibc.$$
++rm -rf $tmp
++cg-export $tmp
++cd $tmp
++make release
++version=`cat usr/klibc/version`
++rm -rf $tmpdir/klibc-$version
++mv $tmp $tmpdir/klibc-$version
++cd ..
++rm -f klibc-$version.tar*
++tar cvvf klibc-$version.tar klibc-$version
++gzip -9 klibc-$version.tar
++rm -rf klibc-$version
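Review bot: the regenerated dpkg-source patch now carries only the maketar.sh addition, which neither changelog bullet in its Description covers, so the header's statement that the changelog "gives details on why those changes were made" is not true for this file. Suggest a one-line note in the Description saying maketar.sh is the tarball build helper kept in the Debian source (or dropping it from the source diff if the package build does not need it), and trimming the unfilled DEP-3 template below `---` (`Origin: <vendor|upstream|other>`, `Bug: <url in upstream bugtracker>`, ...) so the header only contains real fields.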
diff -Nru klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch
--- klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch	2011-05-30 17:15:37.000000000 +0200
@@ -0,0 +1,97 @@
+From 46a0f831582629612f0ff9707ad1292887f26bff Mon Sep 17 00:00:00 2001
+From: Ulrich Dangel <uli@spamt.net>
+Date: Fri, 15 Apr 2011 18:22:08 +0200
+Subject: [PATCH] [klibc] ipconfig: Escape DHCP options written to
+ /tmp/net-$DEVCICE.conf
+
+DHCP options like domain-name or hostname are written to
+/tmp/net-$DEVICE.conf which is typically later used by other scripts to
+determine the network configuration. This is done by sourcing the
+/tmp/net-$DEVICE.conf file to get all defined variables.
+
+This patch escapes the DHCP options written to /tmp/net-$DEVICE.conf
+to prevent arbitrary code execution.
+
+Signed-off-by: Ulrich Dangel <uli@spamt.net>
+Reviewed-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: maximilian attems <max@stro.at>
+---
+ usr/kinit/ipconfig/main.c |   55 +++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 16 deletions(-)
+
+diff --git a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c
+index 76708a9..a577b2d 100644
+--- a/usr/kinit/ipconfig/main.c
++++ b/usr/kinit/ipconfig/main.c
+@@ -95,6 +95,25 @@ static void configure_device(struct netdev *dev)
+ 			dev->hostname, dev->name);
+ }
+ 
++static void write_option(FILE* f, const char* name, const char* chr)
++{
++
++	fprintf(f, "%s='", name);
++	while (*chr) {
++		switch (*chr) {
++			case '!':
++			case '\'':
++				fprintf(f, "'\\%c'", *chr);
++				break;
++			default:
++				fprintf(f, "%c", *chr);
++				break;
++		}
++		++chr;
++	}
++	fprintf(f, "'\n");
++}
++
+ static void dump_device_config(struct netdev *dev)
+ {
+ 	char fn[40];
+@@ -103,22 +122,26 @@ static void dump_device_config(struct netdev *dev)
+ 	snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name);
+ 	f = fopen(fn, "w");
+ 	if (f) {
+-		fprintf(f, "DEVICE=%s\n", dev->name);
+-		fprintf(f, "IPV4ADDR=%s\n", my_inet_ntoa(dev->ip_addr));
+-		fprintf(f, "IPV4BROADCAST=%s\n",
+-			my_inet_ntoa(dev->ip_broadcast));
+-		fprintf(f, "IPV4NETMASK=%s\n", my_inet_ntoa(dev->ip_netmask));
+-		fprintf(f, "IPV4GATEWAY=%s\n", my_inet_ntoa(dev->ip_gateway));
+-		fprintf(f, "IPV4DNS0=%s\n",
+-			my_inet_ntoa(dev->ip_nameserver[0]));
+-		fprintf(f, "IPV4DNS1=%s\n",
+-			my_inet_ntoa(dev->ip_nameserver[1]));
+-		fprintf(f, "HOSTNAME=%s\n", dev->hostname);
+-		fprintf(f, "DNSDOMAIN=\"%s\"\n", dev->dnsdomainname);
+-		fprintf(f, "NISDOMAIN=%s\n", dev->nisdomainname);
+-		fprintf(f, "ROOTSERVER=%s\n", my_inet_ntoa(dev->ip_server));
+-		fprintf(f, "ROOTPATH=%s\n", dev->bootpath);
+-		fprintf(f, "filename=\"%s\"\n", dev->filename);
++		write_option(f, "DEVICE", dev->name);
++		write_option(f, "IPV4ADDR",
++				my_inet_ntoa(dev->ip_addr));
++		write_option(f, "IPV4BROADCAST",
++				my_inet_ntoa(dev->ip_broadcast));
++		write_option(f, "IPV4NETMASK",
++				my_inet_ntoa(dev->ip_netmask));
++		write_option(f, "IPV4GATEWAY",
++				my_inet_ntoa(dev->ip_gateway));
++		write_option(f, "IPV4DNS0",
++				my_inet_ntoa(dev->ip_nameserver[0]));
++		write_option(f, "IPV4DNS1",
++				my_inet_ntoa(dev->ip_nameserver[1]));
++		write_option(f, "HOSTNAME",  dev->hostname);
++		write_option(f, "DNSDOMAIN", dev->dnsdomainname);
++		write_option(f, "NISDOMAIN", dev->nisdomainname);
++		write_option(f, "ROOTSERVER",
++				my_inet_ntoa(dev->ip_server));
++		write_option(f, "ROOTPATH", dev->bootpath);
++		write_option(f, "filename", dev->filename);
+ 		fclose(f);
+ 	}
+ }
+-- 
+1.7.4.4
+
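Review bot: the quoting in write_option is sound for a file that is later sourced by a POSIX sh: every value is wrapped in single quotes and an embedded `'` becomes `'\''` (close the quote, backslash-escape the character, reopen), so a DHCP option value can no longer terminate the quoted string and have the remainder executed; `!` gets the same treatment, which is harmless and also guards against bash history expansion if the file is ever sourced interactively. Three smaller points on this hunk: the patch Subject still reads `/tmp/net-$DEVCICE.conf` (typo for `$DEVICE`); `FILE* f, const char* name, const char* chr` departs from the `type *name` pointer style used in the surrounding main.c; and the per-character `fprintf(f, "%c", *chr)` could simply be `fputc(*chr, f)`. The output path `/tmp/net-%s.conf` remains fixed and predictable, as the earlier reply in this thread notes; that is acknowledged as out of scope for the stable update, but the upstream move to a configurable directory should be tracked so that the escaping is not the only safeguard.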
diff -Nru klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch
--- klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch	2011-05-30 17:16:25.000000000 +0200
@@ -0,0 +1,173 @@
+From 92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c Mon Sep 17 00:00:00 2001
+From: Ulrich Dangel <uli@spamt.net>
+Date: Mon, 28 Mar 2011 18:59:34 +0200
+Subject: [PATCH] [klibc] ipconfig: Only peek and discard packets from
+ specified device.
+
+This patch fixes a bug on systems with multiple connected network devices.
+As packet_peek uses all devices to receive data instead of a specific
+device. As the return value was never reset it was possible that packets
+from other devices were returned by packet_peek. That means that the
+ifindex did not match any ifindex of the specified devices the packet was
+never removed and packets for the correct device were never processed.
+
+This patch enhance packet_peek and packet_discard to only work on packages
+for the specified device instead of all packets.
+
+Signed-off-by: Ulrich Dangel <uli@spamt.net>
+Signed-off-by: maximilian attems <max@stro.at>
+---
+ usr/kinit/ipconfig/bootp_proto.c |    2 +-
+ usr/kinit/ipconfig/dhcp_proto.c  |    2 +-
+ usr/kinit/ipconfig/main.c        |   16 ++++++----------
+ usr/kinit/ipconfig/packet.c      |   16 +++++++++-------
+ usr/kinit/ipconfig/packet.h      |    6 +++---
+ 5 files changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/usr/kinit/ipconfig/bootp_proto.c b/usr/kinit/ipconfig/bootp_proto.c
+index baf9d3e..f2cc90c 100644
+--- a/usr/kinit/ipconfig/bootp_proto.c
++++ b/usr/kinit/ipconfig/bootp_proto.c
+@@ -169,7 +169,7 @@ int bootp_recv_reply(struct netdev *dev)
+ 	};
+ 	int ret;
+ 
+-	ret = packet_recv(iov, 3);
++	ret = packet_recv(dev, iov, 3);
+ 	if (ret <= 0)
+ 		return ret;
+ 
+diff --git a/usr/kinit/ipconfig/dhcp_proto.c b/usr/kinit/ipconfig/dhcp_proto.c
+index fc0494d..993db52 100644
+--- a/usr/kinit/ipconfig/dhcp_proto.c
++++ b/usr/kinit/ipconfig/dhcp_proto.c
+@@ -147,7 +147,7 @@ static int dhcp_recv(struct netdev *dev)
+ 	};
+ 	int ret;
+ 
+-	ret = packet_recv(iov, 3);
++	ret = packet_recv(dev, iov, 3);
+ 	if (ret <= 0)
+ 		return ret;
+ 
+diff --git a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c
+index d501bec..1e48083 100644
+--- a/usr/kinit/ipconfig/main.c
++++ b/usr/kinit/ipconfig/main.c
+@@ -304,23 +304,19 @@ struct netdev *ifaces;
+  */
+ static int do_pkt_recv(int pkt_fd, time_t now)
+ {
+-	int ifindex, ret;
++	int ret = 0;
+ 	struct state *s;
+ 
+-	ret = packet_peek(&ifindex);
+-	if (ret == 0)
+-		return ret;
+-
+ 	for (s = slist; s; s = s->next) {
+-		if (s->dev->ifindex == ifindex) {
++		ret = packet_peek(s->dev);
++		if (ret) {
+ 			ret = process_receive_event(s, now);
++			if (ret == 0) {
++				packet_discard(s->dev);
++			}
+ 			break;
+ 		}
+ 	}
+-
+-	if (ret == 0)
+-		packet_discard();
+-
+ 	return ret;
+ }
+ 
+diff --git a/usr/kinit/ipconfig/packet.c b/usr/kinit/ipconfig/packet.c
+index 84267b7..993a2fa 100644
+--- a/usr/kinit/ipconfig/packet.c
++++ b/usr/kinit/ipconfig/packet.c
+@@ -167,17 +167,18 @@ int packet_send(struct netdev *dev, struct iovec *iov, int iov_len)
+ }
+ 
+ /*
+- * Fetches a bootp packet, but doesn't remove it.
++ * Fetches a bootp packet from specified device, but doesn't remove it.
+  * Returns:
+  *  0 = Error
+  * >0 = A packet of size "ret" is available for interface ifindex
+  */
+-int packet_peek(int *ifindex)
++int packet_peek(struct netdev *dev)
+ {
+ 	struct sockaddr_ll sll;
+ 	struct iphdr iph;
+ 	int ret, sllen = sizeof(struct sockaddr_ll);
+ 
++	sll.sll_ifindex = dev->ifindex;
+ 	/*
+ 	 * Peek at the IP header.
+ 	 */
+@@ -192,21 +193,22 @@ int packet_peek(int *ifindex)
+ 	if (iph.ihl < 5 || iph.version != IPVERSION)
+ 		goto discard_pkt;
+ 
+-	*ifindex = sll.sll_ifindex;
+ 
+ 	return ret;
+ 
+ discard_pkt:
+-	packet_discard();
++	packet_discard(dev);
+ 	return 0;
+ }
+ 
+-void packet_discard(void)
++void packet_discard(struct netdev *dev)
+ {
+ 	struct iphdr iph;
+ 	struct sockaddr_ll sll;
+ 	socklen_t sllen = sizeof(sll);
+ 
++	sll.sll_ifindex = dev->ifindex;
++
+ 	recvfrom(pkt_fd, &iph, sizeof(iph), 0,
+ 		 (struct sockaddr *)&sll, &sllen);
+ }
+@@ -219,7 +221,7 @@ void packet_discard(void)
+ *   0 = Discarded packet (non-DHCP/BOOTP traffic)
+  * >0 = Size of packet
+  */
+-int packet_recv(struct iovec *iov, int iov_len)
++int packet_recv(struct netdev* dev, struct iovec *iov, int iov_len)
+ {
+ 	struct iphdr *ip, iph;
+ 	struct udphdr *udp;
+@@ -293,6 +295,6 @@ free_pkt:
+ 
+ discard_pkt:
+ 	dprintf("discarded\n");
+-	packet_discard();
++	packet_discard(dev);
+ 	return 0;
+ }
+diff --git a/usr/kinit/ipconfig/packet.h b/usr/kinit/ipconfig/packet.h
+index 627d282..524f393 100644
+--- a/usr/kinit/ipconfig/packet.h
++++ b/usr/kinit/ipconfig/packet.h
+@@ -6,8 +6,8 @@ struct iovec;
+ int packet_open(void);
+ void packet_close(void);
+ int packet_send(struct netdev *dev, struct iovec *iov, int iov_len);
+-int packet_peek(int *ifindex);
+-void packet_discard(void);
+-int packet_recv(struct iovec *iov, int iov_len);
++int packet_peek(struct netdev *dev);
++void packet_discard(struct netdev *dev);
++int packet_recv(struct netdev *dev, struct iovec *iov, int iov_len);
+ 
+ #endif /* IPCONFIG_PACKET_H */
+-- 
+1.7.4.4
+
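Review bot: the per-device filtering this hunk describes is not enforced by the visible code. In both packet_peek and packet_discard, `sll.sll_ifindex = dev->ifindex;` is assigned before the `recvfrom()` call, but recvfrom treats its address argument purely as an output (it is overwritten with the sender's sockaddr_ll) and never uses it to select which queued packet is returned; at the same time the old `*ifindex = sll.sll_ifindex;` line and the `if (s->dev->ifindex == ifindex)` comparison in do_pkt_recv are removed, so nothing checks the interface the packet actually arrived on. Unless pkt_fd is bound to the interface somewhere not shown here, packet_peek(s->dev) will report the first queued packet for whichever netdev is first in slist and process_receive_event will be called with the wrong device. Suggest comparing the returned `sll.sll_ifindex` against `dev->ifindex` after the peek and, in do_pkt_recv, discarding a packet that matched no device in slist (otherwise it stays at the head of the queue, which is exactly the starvation the commit message describes); the more robust fix is one packet socket bound per interface. Also, the comment `>0 = A packet of size "ret" is available for interface ifindex` still refers to the removed ifindex parameter, and `struct netdev* dev` in the packet_recv definition should be `struct netdev *dev` to match the prototypes in packet.h.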
diff -Nru klibc-1.5.20/debian/patches/series klibc-1.5.20/debian/patches/series
--- klibc-1.5.20/debian/patches/series	2010-08-28 13:09:43.000000000 +0200
+++ klibc-1.5.20/debian/patches/series	2011-05-30 17:27:42.000000000 +0200
@@ -1,4 +1,6 @@
 ia64-static
 klibc-linux-libc-dev
+ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch
+ipconfig-Only-peek-and-discard-packets-from-sp.patch
 insmod
-debian-changes-1.5.20-1
+debian-changes-1.5.20-1+squeeze1
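Review bot: the two ipconfig patches are inserted ahead of `insmod` rather than appended after it. Ordering only matters if `insmod` touches the same files as the ipconfig patches; if it does not, this is cosmetic, but appending new patches at the end of series keeps the file in chronological order and makes later stable updates easier to read.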

