Control: retitle -1 tpu: isc-dhcp/4.2.2.dfsg.1-5+deb7u1 Control: user release.debian.org@packages.debian.org Control: usertags -1 = tpu Le 19/08/2012 12:23, Cyril Brulebois a écrit : > I don't see any reasons why the version currently sitting in testing > would not be the version in wheezy. I've prepared a tpu for isc-dhcp, addressing three grave security issues. Thanks in advance for considering it. Regards David
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/changelog isc-dhcp-4.2.2.dfsg.1/debian/changelog
--- isc-dhcp-4.2.2.dfsg.1/debian/changelog 2012-04-28 16:03:12.000000000 -0400
+++ isc-dhcp-4.2.2.dfsg.1/debian/changelog 2012-09-09 18:30:42.000000000 -0400
@@ -1,3 +1,14 @@
+isc-dhcp (4.2.2.dfsg.1-5+deb7u1) wheezy; urgency=low
+
+ * Non-maintainer upload.
+ * Backport upstream changes for the following security issues:
+ - CVE-2012-3954: memory leaks in dhcpv6 mode
+ - CVE-2012-3570: DoS via crafted client identifier parameter
+ - CVE-2012-3571: DoS via malformed client ids
+ (closes: #686174)
+
+ -- David Prévot <taffit@debian.org> Sun, 09 Sep 2012 18:30:02 -0400
+
isc-dhcp (4.2.2.dfsg.1-5) unstable; urgency=medium
[ Andrew Pollock ]
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 1969-12-31 20:00:00.000000000 -0400
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-3570_CVE-2012-3571_CVE-2012-3954 2012-09-09 18:26:22.000000000 -0400
@@ -0,0 +1,157 @@
+Description: Backport upstream changes for CVE-2012-3954, CVE-2012-3570 and CVE-2012-3571
+ - CVE-2012-3954: memory leaks in dhcpv6 mode
+ - CVE-2012-3570: DoS via crafted client identifier parameter
+ - CVE-2012-3571: DoS via malformed client ids
+
+Bug-Debian: http://bugs.debian.org/686174
+Origin: upstream
+Forwarded: not-needed
+Reviewed-By: David Prévot <taffit@debian.org>
+Last-Update: 2012-09-09
+
+--- a/common/options.c
++++ b/common/options.c
+@@ -2359,6 +2359,8 @@
+
+ /* And let go of our references. */
+ cleanup:
++ if (lbp != NULL)
++ buffer_dereference(&lbp, MDL);
+ option_dereference(&option, MDL);
+
+ return 1;
+@@ -3754,11 +3756,13 @@
+ data_string_forget (&dp, MDL);
+ }
+ }
+-
+- if (decoded_packet -> packet_type)
+- dhcp (decoded_packet);
+- else
+- bootp (decoded_packet);
++
++ if (validate_packet(decoded_packet) != 0) {
++ if (decoded_packet->packet_type)
++ dhcp(decoded_packet);
++ else
++ bootp(decoded_packet);
++ }
+
+ /* If the caller kept the packet, they'll have upped the refcnt. */
+ packet_dereference (&decoded_packet, MDL);
+@@ -4076,4 +4080,47 @@
+ return 1;
+ }
+
++/**
++ * Checks if received BOOTP/DHCPv4 packet is sane
++ *
++ * @param packet received, decoded packet
++ *
++ * @return 1 if packet is sane, 0 if it is not
++ */
++int validate_packet(struct packet *packet)
++{
++ struct option_cache *oc = NULL;
++
++ oc = lookup_option (&dhcp_universe, packet->options,
++ DHO_DHCP_CLIENT_IDENTIFIER);
++ if (oc) {
++ /* Let's check if client-identifier is sane */
++ if (oc->data.len == 0) {
++ log_debug("Dropped DHCPv4 packet with zero-length client-id");
++ return (0);
+
++ } else if (oc->data.len == 1) {
++ /*
++ * RFC2132, section 9.14 states that minimum length of client-id
++ * is 2. We will allow single-character client-ids for now (for
++ * backwards compatibility), but warn the user that support for
++ * this is against the standard.
++ */
++ log_debug("Accepted DHCPv4 packet with one-character client-id - "
++ "a future version of ISC DHCP will reject this");
++ }
++ } else {
++ /*
++ * If hlen is 0 we don't have any identifier, we warn the user
++ * but continue processing the packet as we can.
++ */
++ if (packet->raw->hlen == 0) {
++ log_debug("Received DHCPv4 packet without client-id"
++ " option and empty hlen field.");
++ }
++ }
++
++ /* @todo: Add checks for other received options */
++
++ return (1);
++}
+--- a/includes/dhcpd.h
++++ b/includes/dhcpd.h
+@@ -432,11 +432,17 @@
+ isc_boolean_t unicast;
+ };
+
+-/* A network interface's MAC address. */
++/*
++ * A network interface's MAC address.
++ * 20 bytes for the hardware address
++ * and 1 byte for the type tag
++ */
++
++#define HARDWARE_ADDR_LEN 20
+
+ struct hardware {
+ u_int8_t hlen;
+- u_int8_t hbuf [17];
++ u_int8_t hbuf[HARDWARE_ADDR_LEN + 1];
+ };
+
+ #if defined(LDAP_CONFIGURATION)
+@@ -1851,6 +1857,8 @@
+ int, int, const struct iaddr *, isc_boolean_t);
+ int packet6_len_okay(const char *, int);
+
++int validate_packet(struct packet *);
++
+ int add_option(struct option_state *options,
+ unsigned int option_num,
+ void *data,
+--- a/server/dhcpv6.c
++++ b/server/dhcpv6.c
+@@ -1241,6 +1241,8 @@
+ struct data_string packet_oro;
+ isc_boolean_t no_resources_avail;
+
++ memset(&packet_oro, 0, sizeof(packet_oro));
++
+ /* Locate the client. */
+ if (shared_network_from_packet6(&reply.shared,
+ packet) != ISC_R_SUCCESS)
+@@ -1263,7 +1265,6 @@
+ * Get the ORO from the packet, if any.
+ */
+ oc = lookup_option(&dhcpv6_universe, packet->options, D6O_ORO);
+- memset(&packet_oro, 0, sizeof(packet_oro));
+ if (oc != NULL) {
+ if (!evaluate_option_cache(&packet_oro, packet,
+ NULL, NULL,
+@@ -1524,6 +1525,8 @@
+ packet_dereference(&reply.packet, MDL);
+ if (reply.client_id.data != NULL)
+ data_string_forget(&reply.client_id, MDL);
++ if (packet_oro.buffer != NULL)
++ data_string_forget(&packet_oro, MDL);
+ reply.renew = reply.rebind = reply.prefer = reply.valid = 0;
+ reply.cursor = 0;
+ }
+@@ -6029,7 +6032,7 @@
+ break;
+ }
+
+- if (hlen == 0)
++ if ((hlen == 0) || (hlen > HARDWARE_ADDR_LEN))
+ return 0;
+
+ /*
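Review bot: The guard `if ((hlen == 0) || (hlen > HARDWARE_ADDR_LEN))` in the last server/dhcpv6.c hunk has no comment tying it to the buffer it protects, and the copy it guards lies outside the hunk, so a reader cannot tell from here whether `hlen` counts the type byte. I would add `/* hbuf is 1 type byte + at most HARDWARE_ADDR_LEN address bytes; reject anything that would not fit */` above it, and move the new dhcpd.h comment directly onto `struct hardware` so it also states whether `hlen` includes the tag. Because `hbuf` grows from 17 to `HARDWARE_ADDR_LEN + 1` bytes, any other code that fills or compares it using a literal size is worth checking before upload; none is visible in this patch. Separately, `validate_packet()` reports a dropped zero-length client-id only through `log_debug`, which may not reach operators' logs depending on syslog configuration.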
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/series isc-dhcp-4.2.2.dfsg.1/debian/patches/series
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/series 2012-04-28 15:52:10.000000000 -0400
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/series 2012-09-09 18:24:57.000000000 -0400
@@ -4,3 +4,4 @@
bind-autoconf
cve-2011-4539.patch
cve-2011-4868.patch
+CVE-2012-3570_CVE-2012-3571_CVE-2012-3954