
Bug#770463: marked as done (unblock: dhcpcd5/6.0.5-2)



Your message dated Fri, 21 Nov 2014 20:30:37 +0100
with message-id <546F92DD.4000704@thykier.net>
and subject line Re: Bug#770463: unblock: dhcpcd5/6.0.5-2
has caused the Debian Bug report #770463,
regarding unblock: dhcpcd5/6.0.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
770463: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770463
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package dhcpcd5, which fixes a denial-of-service vulnerability
(CVE-2014-6060). The relevant bug in the BTS is #770043.  In addition to the patch
I have updated the maintainer field to the Debian QA Group, as the previous maintainer
orphaned the package. The full changelog is as follows:

dhcpcd5 (6.0.5-2) unstable; urgency=medium

  * QA upload.

  [ Pierre Schweitzer ]
  * Fix denial of service (CVE-2014-6060) in dhcpcd5. (Closes: #770043).

  [ Salvatore Bonaccorso ]
  * Refresh CVE-2014-6060.patch (offset)
  * Update patch headers for CVE-2014-6060.patch.
    Wrap long lines in fields and use Description field.
    Add Applied-Upstream value.
  * Set Maintainer to Debian QA Group (cf. #770082)

 -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 19 Nov 2014 17:08:30 +0100

Attached is also the full debdiff.

Could you thus

unblock dhcpcd5/6.0.5-2

Many thanks in advance!

Regards,
Salvatore
diff -Nru dhcpcd5-6.0.5/debian/changelog dhcpcd5-6.0.5/debian/changelog
--- dhcpcd5-6.0.5/debian/changelog	2013-12-04 14:49:45.000000000 +0100
+++ dhcpcd5-6.0.5/debian/changelog	2014-11-19 19:50:28.000000000 +0100
@@ -1,3 +1,19 @@
+dhcpcd5 (6.0.5-2) unstable; urgency=medium
+
+  * QA upload.
+
+  [ Pierre Schweitzer ]
+  * Fix denial of service (CVE-2014-6060) in dhcpcd5. (Closes: #770043).
+
+  [ Salvatore Bonaccorso ]
+  * Refresh CVE-2014-6060.patch (offset)
+  * Update patch headers for CVE-2014-6060.patch.
+    Wrap long lines in fields and use Description field.
+    Add Applied-Upstream value.
+  * Set Maintainer to Debian QA Group (cf. #770082)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 19 Nov 2014 17:08:30 +0100
+
 dhcpcd5 (6.0.5-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru dhcpcd5-6.0.5/debian/control dhcpcd5-6.0.5/debian/control
--- dhcpcd5-6.0.5/debian/control	2013-06-25 15:47:59.000000000 +0200
+++ dhcpcd5-6.0.5/debian/control	2014-11-19 19:50:28.000000000 +0100
@@ -1,7 +1,7 @@
 Source: dhcpcd5
 Section: net
 Priority: optional
-Maintainer: Roy Marples <roy@marples.name>
+Maintainer: Debian QA Group <packages@qa.debian.org>
 Build-Depends: debhelper (>= 9)
 Standards-Version: 3.9.4.0
 Homepage: http://roy.marples.name/projects/dhcpcd
diff -Nru dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch
--- dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch	1970-01-01 01:00:00.000000000 +0100
+++ dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch	2014-11-19 19:50:28.000000000 +0100
@@ -0,0 +1,27 @@
+Description: Fix CVE-2014-6060
+ Only bits 1 and 2 are used in the DHCP overload option, so when we
+ encounter the option set the last bit as well to ensure servername and
+ bootfile are only checked once as their check unsets bits 1 and 2.
+ Thanks to Tobias Stoeckmann.
+Origin: upstream, http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
+Bug-Debian: https://bugs.debian.org/770043
+From: Roy Marples <roy@marples.name>
+Applied-Upstream: 6.4.3
+
+--- a/dhcp.c
++++ b/dhcp.c
+@@ -343,9 +343,12 @@ get_option(const struct dhcp_message *dh
+ 				goto exit;
+ 			break;
+ 		case DHO_OPTIONSOVERLOADED:
+-			/* Ensure we only get this option once */
++			/* Ensure we only get this option once by setting
++			 * the last bit as well as the value.
++			 * This is valid because only the first two bits
++			 * actually mean anything in RFC2132 Section 9.3 */
+ 			if (!overl)
+-				overl = p[1];
++				overl = 0x80 | p[1];
+ 			break;
+ 		}
+ 		l = *p++;
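Review bot: the correctness of this fix hinges on an invariant that is only stated in prose, not enforced in code: the `if (!overl)` guard treats any non-zero value as "already seen", and the Description says the servername/bootfile handling unsets only bits 1 and 2, so OR-ing in 0x80 is what keeps `overl` non-zero once both areas have been consumed and stops a second DHO_OPTIONSOVERLOADED found there from re-arming the parser. A dedicated flag (for example a separate `overl_seen` boolean set at this point and never cleared) would make that intent explicit and not depend on RFC 2132 Section 9.3 leaving the high bits unused; if the sentinel is kept, a comment at the bit-clearing site saying that 0x80 must never be cleared there would protect the fix from a future refactor. Minor wording point for the Description and comment: "bits 1 and 2" / "first two bits" refer to the values 1 and 2 (the two lowest bit positions), which is worth saying outright so nobody reads "bit 2" as value 4.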
diff -Nru dhcpcd5-6.0.5/debian/patches/series dhcpcd5-6.0.5/debian/patches/series
--- dhcpcd5-6.0.5/debian/patches/series	2013-12-04 14:52:31.000000000 +0100
+++ dhcpcd5-6.0.5/debian/patches/series	2014-11-19 19:50:28.000000000 +0100
@@ -1 +1,2 @@
 kfreebsd.diff
+CVE-2014-6060.patch

--- End Message ---
--- Begin Message ---
On 2014-11-21 14:56, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi Release Team,
> 
> Please unblock package dhcpcd5, which fixes a denial-of-service vulnerability
> (CVE-2014-6060). The relevant bug in the BTS is #770043.  In addition to the patch
> I have updated the maintainer field to the Debian QA Group, as the previous maintainer
> orphaned the package. The full changelog is as follows:
> 
> [...]
> 
> unblock dhcpcd5/6.0.5-2
> 
> Many thanks in advance!
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels

--- End Message ---