Re: klibc 1.5.20 stable/oldstable update
On Thu, 19 May 2011, Adam D. Barratt wrote:
> On Wed, 2011-05-18 at 15:41 +0000, maximilian attems wrote:
> > * [klibc] ipconfig: comment new escape function
> > security fix for CVE-2011-0997 type vulnerability
> > corresponding cve requested but not yet given out.
> > http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
>
> As mentioned on oss-sec, it would be nice if this didn't write to a
> predictable filename. From the stable update point-of-view though, I
> realise that's not a regression relative to the current lenny / squeeze
> versions.
It is not of relevance for current pre-init usage, as you don't have
unprivileged users there, but it will get fixed upstream, by making the
used dir an optional switch.
> > * [klibc] ipconfig: Only peek and discard packets from specified device.
> > This fixes netbooting on boxes with several connected network dev.
> > (the commit is on the largeish size, but got tested together with 1.5.20)
> > http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c
> >
> >
> > concerning oldstable only the first one should be fixed.
> > ipconfig has deeper troubles there.
> >
> > if acked by SRM I'd upload a klibc-1.5.20-2 with just the 2 aboves fixes
> > for stable and a 1.5.12-3 for oldstable with just the first fix?
>
> It's conventional to use e.g. -1+squeeze1, but afaics the above versions
> have not been previously uploaded to Debian so could be used if you
> wish.
ok cool, used the "conventional" numbering.
> I'd appreciate debdiffs for a final check before the uploads, but the
> above sounds good; thanks.
do you mean the output below of debdiff on the dsc files?
below is for stable, oldstable will follow once this is acked.
thank you
--
maks
diff -Nru klibc-1.5.20/debian/changelog klibc-1.5.20/debian/changelog
--- klibc-1.5.20/debian/changelog 2010-08-28 13:07:23.000000000 +0200
+++ klibc-1.5.20/debian/changelog 2011-05-30 17:20:39.000000000 +0200
@@ -1,3 +1,10 @@
+klibc (1.5.20-1+squeeze1) stable; urgency=low
+
+ * ipconfig: handle multiple connected network dev. (closes: #621065)
+ * ipconfig: Escape DHCP options. (CVE-2011-1930)
+
+ -- maximilian attems <maks@debian.org> Mon, 30 May 2011 17:17:18 +0200
+
klibc (1.5.20-1) unstable; urgency=high
* New upstream release
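Review bot: the second changelog entry carries the assigned id (CVE-2011-1930) but no bug reference, while the first closes #621065; for a stable security update it helps tracking to also cite the Debian bug or the oss-sec thread in the entry, so the point-release notes can be generated from the changelog alone.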
diff -Nru klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 klibc-1.5.20/debian/patches/debian-changes-1.5.20-1
--- klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 2010-08-28 13:09:43.000000000 +0200
+++ klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 1970-01-01 01:00:00.000000000 +0100
@@ -1,54 +0,0 @@
-Description: Upstream changes introduced in version 1.5.20-1
- This patch has been created by dpkg-source during the package build.
- Here's the last changelog entry, hopefully it gives details on why
- those changes were made:
- .
- klibc (1.5.20-1) unstable; urgency=high
- .
- * New upstream release
- - ipconfig: fix infinite loop. (closes: #552554)
- - ipconfig: fix multiple dns domains. (closes: #594208)
- * klibc-utils.postinst: Nuke non empty dirs too. (closes: #594651)
- .
- The person named in the Author field signed this changelog entry.
-Author: maximilian attems <maks@debian.org>
-Bug-Debian: http://bugs.debian.org/552554
-Bug-Debian: http://bugs.debian.org/594208
-Bug-Debian: http://bugs.debian.org/594651
-
----
-The information above should follow the Patch Tagging Guidelines, please
-checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
-are templates for supplementary fields that you might want to add:
-
-Origin: <vendor|upstream|other>, <url of original patch>
-Bug: <url in upstream bugtracker>
-Bug-Debian: http://bugs.debian.org/<bugnumber>
-Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
-Forwarded: <no|not-needed|url proving that it has been forwarded>
-Reviewed-By: <name and email of someone who approved the patch>
-Last-Update: <YYYY-MM-DD>
-
---- /dev/null
-+++ klibc-1.5.20/maketar.sh
-@@ -0,0 +1,20 @@
-+#!/bin/bash -xe
-+#
-+# Make a tarball from the current git repository
-+#
-+
-+[ -z "$tmpdir" ] && tmpdir=/var/tmp
-+
-+tmp=$tmpdir/klibc.$$
-+rm -rf $tmp
-+cg-export $tmp
-+cd $tmp
-+make release
-+version=`cat usr/klibc/version`
-+rm -rf $tmpdir/klibc-$version
-+mv $tmp $tmpdir/klibc-$version
-+cd ..
-+rm -f klibc-$version.tar*
-+tar cvvf klibc-$version.tar klibc-$version
-+gzip -9 klibc-$version.tar
-+rm -rf klibc-$version
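Review bot: this hunk only deletes dpkg-source's auto-generated patch for 1.5.20-1, and the identical content (the maketar.sh addition) is regenerated later in this debdiff under the +squeeze1 name, so there is no substantive change here. Because maketar.sh is not part of the upstream tarball, this churn will repeat on every upload; keeping the script out of the unpacked source (or under debian/) would make the auto-patch disappear.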
diff -Nru klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1
--- klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 1970-01-01 01:00:00.000000000 +0100
+++ klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 2011-05-30 17:27:42.000000000 +0200
@@ -0,0 +1,50 @@
+Description: Upstream changes introduced in version 1.5.20-1+squeeze1
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ klibc (1.5.20-1+squeeze1) stable; urgency=low
+ .
+ * ipconfig: handle multiple connected network dev. (closes: #621065)
+ * ipconfig: Escape DHCP options. (CVE-2011-1930)
+ .
+ The person named in the Author field signed this changelog entry.
+Author: maximilian attems <maks@debian.org>
+Bug-Debian: http://bugs.debian.org/621065
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- /dev/null
++++ klibc-1.5.20/maketar.sh
+@@ -0,0 +1,20 @@
++#!/bin/bash -xe
++#
++# Make a tarball from the current git repository
++#
++
++[ -z "$tmpdir" ] && tmpdir=/var/tmp
++
++tmp=$tmpdir/klibc.$$
++rm -rf $tmp
++cg-export $tmp
++cd $tmp
++make release
++version=`cat usr/klibc/version`
++rm -rf $tmpdir/klibc-$version
++mv $tmp $tmpdir/klibc-$version
++cd ..
++rm -f klibc-$version.tar*
++tar cvvf klibc-$version.tar klibc-$version
++gzip -9 klibc-$version.tar
++rm -rf klibc-$version
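Review bot: the DEP-3 template block after "---" (Origin:, Bug:, Forwarded:, Reviewed-By:, Last-Update: with angle-bracket placeholders) is dpkg-source boilerplate that was never filled in; either drop that block or fill in at least Forwarded: and Last-Update: so the header does not ship as an unfinished template.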
diff -Nru klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch
--- klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch 1970-01-01 01:00:00.000000000 +0100
+++ klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch 2011-05-30 17:15:37.000000000 +0200
@@ -0,0 +1,97 @@
+From 46a0f831582629612f0ff9707ad1292887f26bff Mon Sep 17 00:00:00 2001
+From: Ulrich Dangel <uli@spamt.net>
+Date: Fri, 15 Apr 2011 18:22:08 +0200
+Subject: [PATCH] [klibc] ipconfig: Escape DHCP options written to
+ /tmp/net-$DEVCICE.conf
+
+DHCP options like domain-name or hostname are written to
+/tmp/net-$DEVICE.conf which is typically later used by other scripts to
+determine the network configuration. This is done by sourcing the
+/tmp/net-$DEVICE.conf file to get all defined variables.
+
+This patch escapes the DHCP options written to /tmp/net-$DEVICE.conf
+to prevent arbitrary code execution.
+
+Signed-off-by: Ulrich Dangel <uli@spamt.net>
+Reviewed-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: maximilian attems <max@stro.at>
+---
+ usr/kinit/ipconfig/main.c | 55 +++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 16 deletions(-)
+
+diff --git a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c
+index 76708a9..a577b2d 100644
+--- a/usr/kinit/ipconfig/main.c
++++ b/usr/kinit/ipconfig/main.c
+@@ -95,6 +95,25 @@ static void configure_device(struct netdev *dev)
+ dev->hostname, dev->name);
+ }
+
++static void write_option(FILE* f, const char* name, const char* chr)
++{
++
++ fprintf(f, "%s='", name);
++ while (*chr) {
++ switch (*chr) {
++ case '!':
++ case '\'':
++ fprintf(f, "'\\%c'", *chr);
++ break;
++ default:
++ fprintf(f, "%c", *chr);
++ break;
++ }
++ ++chr;
++ }
++ fprintf(f, "'\n");
++}
++
+ static void dump_device_config(struct netdev *dev)
+ {
+ char fn[40];
+@@ -103,22 +122,26 @@ static void dump_device_config(struct netdev *dev)
+ snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name);
+ f = fopen(fn, "w");
+ if (f) {
+- fprintf(f, "DEVICE=%s\n", dev->name);
+- fprintf(f, "IPV4ADDR=%s\n", my_inet_ntoa(dev->ip_addr));
+- fprintf(f, "IPV4BROADCAST=%s\n",
+- my_inet_ntoa(dev->ip_broadcast));
+- fprintf(f, "IPV4NETMASK=%s\n", my_inet_ntoa(dev->ip_netmask));
+- fprintf(f, "IPV4GATEWAY=%s\n", my_inet_ntoa(dev->ip_gateway));
+- fprintf(f, "IPV4DNS0=%s\n",
+- my_inet_ntoa(dev->ip_nameserver[0]));
+- fprintf(f, "IPV4DNS1=%s\n",
+- my_inet_ntoa(dev->ip_nameserver[1]));
+- fprintf(f, "HOSTNAME=%s\n", dev->hostname);
+- fprintf(f, "DNSDOMAIN=\"%s\"\n", dev->dnsdomainname);
+- fprintf(f, "NISDOMAIN=%s\n", dev->nisdomainname);
+- fprintf(f, "ROOTSERVER=%s\n", my_inet_ntoa(dev->ip_server));
+- fprintf(f, "ROOTPATH=%s\n", dev->bootpath);
+- fprintf(f, "filename=\"%s\"\n", dev->filename);
++ write_option(f, "DEVICE", dev->name);
++ write_option(f, "IPV4ADDR",
++ my_inet_ntoa(dev->ip_addr));
++ write_option(f, "IPV4BROADCAST",
++ my_inet_ntoa(dev->ip_broadcast));
++ write_option(f, "IPV4NETMASK",
++ my_inet_ntoa(dev->ip_netmask));
++ write_option(f, "IPV4GATEWAY",
++ my_inet_ntoa(dev->ip_gateway));
++ write_option(f, "IPV4DNS0",
++ my_inet_ntoa(dev->ip_nameserver[0]));
++ write_option(f, "IPV4DNS1",
++ my_inet_ntoa(dev->ip_nameserver[1]));
++ write_option(f, "HOSTNAME", dev->hostname);
++ write_option(f, "DNSDOMAIN", dev->dnsdomainname);
++ write_option(f, "NISDOMAIN", dev->nisdomainname);
++ write_option(f, "ROOTSERVER",
++ my_inet_ntoa(dev->ip_server));
++ write_option(f, "ROOTPATH", dev->bootpath);
++ write_option(f, "filename", dev->filename);
+ fclose(f);
+ }
+ }
+--
+1.7.4.4
+
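Review bot: write_option wraps every value in single quotes and rewrites an embedded ' as '\'' , which is the one character that can terminate a single-quoted POSIX sh string, so this is the correct escaping for a file that other scripts source; treating ! the same way is redundant for sh but harmless. Two things to be aware of: the file is still opened at the fixed path "/tmp/net-%s.conf" with fopen(fn, "w"), the predictable-filename point raised in the thread and deferred as acceptable for pre-init use, and the embedded commit's Subject line has a typo ("$DEVCICE"), which is carried into the patch header verbatim since this is the upstream commit.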
diff -Nru klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch
--- klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch 1970-01-01 01:00:00.000000000 +0100
+++ klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch 2011-05-30 17:16:25.000000000 +0200
@@ -0,0 +1,173 @@
+From 92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c Mon Sep 17 00:00:00 2001
+From: Ulrich Dangel <uli@spamt.net>
+Date: Mon, 28 Mar 2011 18:59:34 +0200
+Subject: [PATCH] [klibc] ipconfig: Only peek and discard packets from
+ specified device.
+
+This patch fixes a bug on systems with multiple connected network devices.
+As packet_peek uses all devices to receive data instead of a specific
+device. As the return value was never reset it was possible that packets
+from other devices were returned by packet_peek. That means that the
+ifindex did not match any ifindex of the specified devices the packet was
+never removed and packets for the correct device were never processed.
+
+This patch enhance packet_peek and packet_discard to only work on packages
+for the specified device instead of all packets.
+
+Signed-off-by: Ulrich Dangel <uli@spamt.net>
+Signed-off-by: maximilian attems <max@stro.at>
+---
+ usr/kinit/ipconfig/bootp_proto.c | 2 +-
+ usr/kinit/ipconfig/dhcp_proto.c | 2 +-
+ usr/kinit/ipconfig/main.c | 16 ++++++----------
+ usr/kinit/ipconfig/packet.c | 16 +++++++++-------
+ usr/kinit/ipconfig/packet.h | 6 +++---
+ 5 files changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/usr/kinit/ipconfig/bootp_proto.c b/usr/kinit/ipconfig/bootp_proto.c
+index baf9d3e..f2cc90c 100644
+--- a/usr/kinit/ipconfig/bootp_proto.c
++++ b/usr/kinit/ipconfig/bootp_proto.c
+@@ -169,7 +169,7 @@ int bootp_recv_reply(struct netdev *dev)
+ };
+ int ret;
+
+- ret = packet_recv(iov, 3);
++ ret = packet_recv(dev, iov, 3);
+ if (ret <= 0)
+ return ret;
+
+diff --git a/usr/kinit/ipconfig/dhcp_proto.c b/usr/kinit/ipconfig/dhcp_proto.c
+index fc0494d..993db52 100644
+--- a/usr/kinit/ipconfig/dhcp_proto.c
++++ b/usr/kinit/ipconfig/dhcp_proto.c
+@@ -147,7 +147,7 @@ static int dhcp_recv(struct netdev *dev)
+ };
+ int ret;
+
+- ret = packet_recv(iov, 3);
++ ret = packet_recv(dev, iov, 3);
+ if (ret <= 0)
+ return ret;
+
+diff --git a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c
+index d501bec..1e48083 100644
+--- a/usr/kinit/ipconfig/main.c
++++ b/usr/kinit/ipconfig/main.c
+@@ -304,23 +304,19 @@ struct netdev *ifaces;
+ */
+ static int do_pkt_recv(int pkt_fd, time_t now)
+ {
+- int ifindex, ret;
++ int ret = 0;
+ struct state *s;
+
+- ret = packet_peek(&ifindex);
+- if (ret == 0)
+- return ret;
+-
+ for (s = slist; s; s = s->next) {
+- if (s->dev->ifindex == ifindex) {
++ ret = packet_peek(s->dev);
++ if (ret) {
+ ret = process_receive_event(s, now);
++ if (ret == 0) {
++ packet_discard(s->dev);
++ }
+ break;
+ }
+ }
+-
+- if (ret == 0)
+- packet_discard();
+-
+ return ret;
+ }
+
+diff --git a/usr/kinit/ipconfig/packet.c b/usr/kinit/ipconfig/packet.c
+index 84267b7..993a2fa 100644
+--- a/usr/kinit/ipconfig/packet.c
++++ b/usr/kinit/ipconfig/packet.c
+@@ -167,17 +167,18 @@ int packet_send(struct netdev *dev, struct iovec *iov, int iov_len)
+ }
+
+ /*
+- * Fetches a bootp packet, but doesn't remove it.
++ * Fetches a bootp packet from specified device, but doesn't remove it.
+ * Returns:
+ * 0 = Error
+ * >0 = A packet of size "ret" is available for interface ifindex
+ */
+-int packet_peek(int *ifindex)
++int packet_peek(struct netdev *dev)
+ {
+ struct sockaddr_ll sll;
+ struct iphdr iph;
+ int ret, sllen = sizeof(struct sockaddr_ll);
+
++ sll.sll_ifindex = dev->ifindex;
+ /*
+ * Peek at the IP header.
+ */
+@@ -192,21 +193,22 @@ int packet_peek(int *ifindex)
+ if (iph.ihl < 5 || iph.version != IPVERSION)
+ goto discard_pkt;
+
+- *ifindex = sll.sll_ifindex;
+
+ return ret;
+
+ discard_pkt:
+- packet_discard();
++ packet_discard(dev);
+ return 0;
+ }
+
+-void packet_discard(void)
++void packet_discard(struct netdev *dev)
+ {
+ struct iphdr iph;
+ struct sockaddr_ll sll;
+ socklen_t sllen = sizeof(sll);
+
++ sll.sll_ifindex = dev->ifindex;
++
+ recvfrom(pkt_fd, &iph, sizeof(iph), 0,
+ (struct sockaddr *)&sll, &sllen);
+ }
+@@ -219,7 +221,7 @@ void packet_discard(void)
+ * 0 = Discarded packet (non-DHCP/BOOTP traffic)
+ * >0 = Size of packet
+ */
+-int packet_recv(struct iovec *iov, int iov_len)
++int packet_recv(struct netdev* dev, struct iovec *iov, int iov_len)
+ {
+ struct iphdr *ip, iph;
+ struct udphdr *udp;
+@@ -293,6 +295,6 @@ free_pkt:
+
+ discard_pkt:
+ dprintf("discarded\n");
+- packet_discard();
++ packet_discard(dev);
+ return 0;
+ }
+diff --git a/usr/kinit/ipconfig/packet.h b/usr/kinit/ipconfig/packet.h
+index 627d282..524f393 100644
+--- a/usr/kinit/ipconfig/packet.h
++++ b/usr/kinit/ipconfig/packet.h
+@@ -6,8 +6,8 @@ struct iovec;
+ int packet_open(void);
+ void packet_close(void);
+ int packet_send(struct netdev *dev, struct iovec *iov, int iov_len);
+-int packet_peek(int *ifindex);
+-void packet_discard(void);
+-int packet_recv(struct iovec *iov, int iov_len);
++int packet_peek(struct netdev *dev);
++void packet_discard(struct netdev *dev);
++int packet_recv(struct netdev *dev, struct iovec *iov, int iov_len);
+
+ #endif /* IPCONFIG_PACKET_H */
+--
+1.7.4.4
+
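Review bot: assigning sll.sll_ifindex = dev->ifindex before recvfrom() in packet_peek and packet_discard does not restrict which packet is returned; the address argument of recvfrom is output-only (filled with the sender's sockaddr_ll), so the MSG_PEEK still returns whatever is at the head of the packet socket's queue regardless of interface, and packet_discard removes it likewise. With the "*ifindex = sll.sll_ifindex" assignment dropped, do_pkt_recv now calls process_receive_event for the first slist entry whenever any packet is queued. Suggested change: after the peeking recvfrom, add `if (sll.sll_ifindex != dev->ifindex) return 0;` without discarding, so the loop in do_pkt_recv advances to the device that owns the packet, and have do_pkt_recv discard the packet when no slist entry matched, otherwise a packet for an unconfigured interface would sit at the head of the queue and block all devices, which is the starvation the commit message describes.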
diff -Nru klibc-1.5.20/debian/patches/series klibc-1.5.20/debian/patches/series
--- klibc-1.5.20/debian/patches/series 2010-08-28 13:09:43.000000000 +0200
+++ klibc-1.5.20/debian/patches/series 2011-05-30 17:27:42.000000000 +0200
@@ -1,4 +1,6 @@
ia64-static
klibc-linux-libc-dev
+ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch
+ipconfig-Only-peek-and-discard-packets-from-sp.patch
insmod
-debian-changes-1.5.20-1
+debian-changes-1.5.20-1+squeeze1