
Bug#928351: unblock dhcpcd5/7.1.0-2



Control: retitle -1 unblock dhcpcd5/7.1.0-2

On 2019-05-02.18:38, Paul Gevers wrote:
> We very much prefer you to try and cherry-pick at this point of the
> release cycle.

Hi Paul,

Please unblock package dhcpcd5.

See attached for the debdiff between the version of dhcpcd5 currently in
testing and unstable (7.1.0-1), and my proposed update (7.1.0-2).

The changes cherry-pick patches from upstream to address four security
issues disclosed in the last week or so.

The changelog entry is:

  dhcpcd5 (7.1.0-2) unstable; urgency=high
  
    * Apply upstream patches to fix potential security vulnerabilities
      (Closes: #928056, #928104, #928105, #928440)
    * Add lintian override for upstream patch spelling
  
   -- Scott Leggett <scott@sl.id.au>  Sun, 05 May 2019 21:55:14 +0800

-- 
Regards,
Scott Leggett.
diff -Nru dhcpcd5-7.1.0/debian/changelog dhcpcd5-7.1.0/debian/changelog
--- dhcpcd5-7.1.0/debian/changelog	2019-02-07 05:54:56.000000000 +0800
+++ dhcpcd5-7.1.0/debian/changelog	2019-05-05 21:55:14.000000000 +0800
@@ -1,3 +1,11 @@
+dhcpcd5 (7.1.0-2) unstable; urgency=high
+
+  * Apply upstream patches to fix potential security vulnerabilities
+    (Closes: #928056, #928104, #928105, #928440)
+  * Add lintian override for upstream patch spelling
+
+ -- Scott Leggett <scott@sl.id.au>  Sun, 05 May 2019 21:55:14 +0800
+
 dhcpcd5 (7.1.0-1) unstable; urgency=low
 
   * Upstream release 7.1.0
diff -Nru dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch
--- dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch	2019-02-07 05:54:56.000000000 +0800
+++ dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch	2019-05-05 21:54:20.000000000 +0800
@@ -7,7 +7,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/dhcpcd.conf.5.in b/src/dhcpcd.conf.5.in
-index c3e01d6..98a038a 100644
+index f792b15..b950fa0 100644
 --- a/src/dhcpcd.conf.5.in
 +++ b/src/dhcpcd.conf.5.in
 @@ -83,7 +83,7 @@ is
diff -Nru dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
--- dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch	1970-01-01 08:00:00.000000000 +0800
+++ dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch	2019-05-05 21:54:20.000000000 +0800
@@ -0,0 +1,33 @@
+From: Roy Marples <roy@marples.name>
+Date: Fri, 19 Apr 2019 09:45:02 +0100
+Subject: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
+
+Only copy upto the size of the address option rather than the
+option length.
+
+Found by Maxime Villard <max@m00nbsd.net>
+
+(cherry picked from commit 8d11b33f6c60e2db257130fa383ba76b6018bcf6)
+---
+ src/dhcp6.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 6fef989..26db219 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2016,12 +2016,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const uint8_t *iaid,
+ 		nd = o + ol;
+ 		l -= (size_t)(nd - d);
+ 		d = nd;
+-		if (ol < 24) {
++		if (ol < sizeof(ia)) {
+ 			errno = EINVAL;
+ 			logerrx("%s: IA Address option truncated", ifp->name);
+ 			continue;
+ 		}
+-		memcpy(&ia, o, ol);
++		memcpy(&ia, o, sizeof(ia));
+ 		ia.pltime = ntohl(ia.pltime);
+ 		ia.vltime = ntohl(ia.vltime);
+ 		/* RFC 3315 22.6 */
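Review bot: The truncation check `if (ol < sizeof(ia))` and the copy `memcpy(&ia, o, sizeof(ia))` are only correct if `sizeof(ia)` equals the 24-octet wire size of the IA Address option (RFC 3315 22.6: a 16-byte address followed by two 32-bit lifetimes) that the replaced literal `24` encoded; the type of `ia` is not visible here, so a padded or wider struct would either reject valid options or copy past the option body into whatever follows it. Pinning that with a comment such as `/* IA Address option body is 24 octets on the wire; ia must match that layout exactly */`, or a compile-time size assertion where the build permits one, would make the dependency explicit. Any sub-options after the address fields are now left in the buffer rather than copied into `ia`, which is the intended effect of the change. dhcp6_findna begins and ends outside the hunk.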
diff -Nru dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
--- dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch	1970-01-01 08:00:00.000000000 +0800
+++ dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch	2019-05-05 21:54:20.000000000 +0800
@@ -0,0 +1,42 @@
+From: Roy Marples <roy@marples.name>
+Date: Fri, 19 Apr 2019 21:00:19 +0100
+Subject: DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
+
+This fix basically moves the option length check up and also
+corrects an off by one error with it.
+
+Thanks to Maxime Villard <max@m00nbsd.net>
+
+(cherry picked from commit 4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8)
+---
+ src/dhcp.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/dhcp.c b/src/dhcp.c
+index 1816034..502c592 100644
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -212,6 +212,12 @@ get_option(struct dhcpcd_ctx *ctx,
+ 		}
+ 		l = *p++;
+ 
++		/* Check we can read the option data, if present */
++		if (p + l > e) {
++			errno = EINVAL;
++			return NULL;
++		}
++
+ 		if (o == DHO_OPTSOVERLOADED) {
+ 			/* Ensure we only get this option once by setting
+ 			 * the last bit as well as the value.
+@@ -246,10 +252,6 @@ get_option(struct dhcpcd_ctx *ctx,
+ 				bp += ol;
+ 			}
+ 			ol = l;
+-			if (p + ol >= e) {
+-				errno = EINVAL;
+-				return NULL;
+-			}
+ 			op = p;
+ 			bl += ol;
+ 		}
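Review bot: The new guard `if (p + l > e)` forms the pointer `p + l` before comparing it, which is undefined behaviour in C whenever that address lies more than one past the end of the message buffer — precisely the oversized-length case the check is meant to catch — so an optimising compiler is entitled to treat the comparison as always false. Comparing remaining length instead never forms the out-of-range pointer: `if (l > (size_t)(e - p)) {`. The types of `p`, `e` and `l` are not visible in the hunk; this assumes `e` is the one-past-end pointer of the same buffer, which is how the removed `p + ol >= e` test used it. The old off-by-one (`>=`) is correctly replaced by `>`. get_option starts before and ends after the hunk.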
diff -Nru dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
--- dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch	1970-01-01 08:00:00.000000000 +0800
+++ dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch	2019-05-05 21:54:20.000000000 +0800
@@ -0,0 +1,113 @@
+From: Roy Marples <roy@marples.name>
+Date: Fri, 19 Apr 2019 21:40:14 +0100
+Subject: auth: Use consttime_memequal(3) to compare hashes
+
+This stops any attacker from trying to infer secrets from latency.
+
+Thanks to Maxime Villard <max@m00nbsd.net>
+
+(cherry picked from commit 7121040790b611ca3fbc400a1bbcd4364ef57233)
+
+compat: Provide consttime_memequal if not in libc
+
+Public domain version by Matthias Drochner <drochner@netbsd.org>
+
+(cherry picked from commit cfde89ab66cb4e5957b1c4b68ad6a9449e2784da)
+
+Really add consttime_memequal
+
+(cherry picked from commit aee631aadeef4283c8a749c1caf77823304acf5e)
+---
+ compat/consttime_memequal.h | 28 ++++++++++++++++++++++++++++
+ configure                   | 22 ++++++++++++++++++++++
+ src/auth.c                  |  2 +-
+ 3 files changed, 51 insertions(+), 1 deletion(-)
+ create mode 100644 compat/consttime_memequal.h
+
+diff --git a/compat/consttime_memequal.h b/compat/consttime_memequal.h
+new file mode 100644
+index 0000000..9830648
+--- /dev/null
++++ b/compat/consttime_memequal.h
+@@ -0,0 +1,28 @@
++/*
++ * Written by Matthias Drochner <drochner@NetBSD.org>.
++ * Public domain.
++ */
++
++#ifndef CONSTTIME_MEMEQUAL_H
++#define CONSTTIME_MEMEQUAL_H
++inline static int
++consttime_memequal(const void *b1, const void *b2, size_t len)
++{
++	const unsigned char *c1 = b1, *c2 = b2;
++	unsigned int res = 0;
++
++	while (len--)
++		res |= *c1++ ^ *c2++;
++
++	/*
++	 * Map 0 to 1 and [1, 256) to 0 using only constant-time
++	 * arithmetic.
++	 *
++	 * This is not simply `!res' because although many CPUs support
++	 * branchless conditional moves and many compilers will take
++	 * advantage of them, certain compilers generate branches on
++	 * certain CPUs for `!res'.
++	 */
++	return (1 & ((res - 1) >> 8));
++}
++#endif /* CONSTTIME_MEMEQUAL_H */
+diff --git a/configure b/configure
+index d0a80ba..0dce3bd 100755
+--- a/configure
++++ b/configure
+@@ -13,6 +13,7 @@ IPV4LL=
+ INET6=
+ ARC4RANDOM=
+ CLOSEFROM=
++CONSTTIME_MEMEQUAL=
+ STRLCPY=
+ UDEV=
+ OS=
+@@ -846,6 +847,27 @@ if [ "$STRTOI" = no ]; then
+ 	echo "#include			\"compat/strtoi.h\"" >>$CONFIG_H
+ fi
+ 
++if [ -z "$CONSTTIME_MEMEQUAL" ]; then
++	printf "Testing for consttime_memequal ... "
++	cat <<EOF >_consttime_memequal.c
++#include <string.h>
++int main(void) {
++	return consttime_memequal("deadbeef", "deadbeef", 8);
++}
++EOF
++	if $XCC _consttime_memequal.c -o _consttime_memequal 2>&3; then
++		CONSTTIME_MEMEQUAL=yes
++	else
++		CONSTTIME_MEMEQUAL=no
++	fi
++	echo "$CONSTTIME_MEMEQUAL"
++	rm -f _consttime_memequal.c _consttime_memequal
++fi
++if [ "$CONSTTIME_MEMEQUAL" = no ]; then
++	echo "#include			\"compat/consttime_memequal.h\"" \
++	    >>$CONFIG_H
++fi
++
+ if [ -z "$DPRINTF" ]; then
+ 	printf "Testing for dprintf ... "
+ 	cat <<EOF >_dprintf.c
+diff --git a/src/auth.c b/src/auth.c
+index 9e24998..ce97051 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -354,7 +354,7 @@ gottoken:
+ 	}
+ 
+ 	free(mm);
+-	if (memcmp(d, &hmac_code, dlen)) {
++	if (!consttime_memequal(d, &hmac_code, dlen)) {
+ 		errno = EPERM;
+ 		return NULL;
+ 	}
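Review bot: The new `compat/consttime_memequal.h` uses `size_t` without including `<stddef.h>` (or `<string.h>`), so it only compiles when the config.h that pulls it in already has that type in scope; adding `#include <stddef.h>` right after the include guard makes the header self-contained. The arithmetic itself is sound: `res` is at most 255, so `(res - 1) >> 8` is 0 for any mismatch and, after unsigned wraparound, has its low bit set only when `res` is 0. In src/auth.c the constant-time comparison still reads `dlen` bytes from `&hmac_code`; the check that `dlen` does not exceed the size of `hmac_code` is outside the hunk, so it should be confirmed there rather than assumed. The configure probe returns `consttime_memequal(...)` from main, giving exit status 1 for equal inputs, which is harmless because only compilation is tested.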
diff -Nru dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
--- dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch	1970-01-01 08:00:00.000000000 +0800
+++ dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch	2019-05-05 21:54:20.000000000 +0800
@@ -0,0 +1,88 @@
+From: Roy Marples <roy@marples.name>
+Date: Fri, 3 May 2019 14:44:06 +0100
+Subject: DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE
+
+dhcpcd only checks that the prefix length of the exclusion
+matches the prefix length of the ia and equals the length of the
+data in the option.
+This could potentially overrun the in6_addr structure.
+
+This is fixed by enforcing RFC 6603 section 4.2 option limits
+more clearly.
+
+Thanks to Maxime Villard <max@m00nbsd.net> for finding this.
+
+(cherry picked from commit c1ebeaafeb324bac997984abdcee2d4e8b61a8a8)
+
+DHCPv6: Fix exclude prefix length check.
+
+(cherry picked from commit 896ef4a54b0578985e5e1360b141593f1d62837b)
+---
+ src/dhcp6.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 26db219..92e6c90 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2153,40 +2153,38 @@ dhcp6_findpd(struct interface *ifp, const uint8_t *iaid,
+ 			state->expire = a->prefix_vltime;
+ 		i++;
+ 
+-		o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
+ 		a->prefix_exclude_len = 0;
+ 		memset(&a->prefix_exclude, 0, sizeof(a->prefix_exclude));
+-#if 0
+-		if (ex == NULL) {
+-			struct dhcp6_option *w;
+-			uint8_t *wp;
+-
+-			w = calloc(1, 128);
+-			w->len = htons(2);
+-			wp = D6_OPTION_DATA(w);
+-			*wp++ = 64;
+-			*wp++ = 0x78;
+-			ex = w;
+-		}
+-#endif
++		o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
+ 		if (o == NULL)
+ 			continue;
+-		if (ol < 2) {
+-			logerrx("%s: truncated PD Exclude", ifp->name);
++
++		/* RFC 6603 4.2 says option length MUST be between 2 and 17.
++		 * This allows 1 octet for prefix length and 16 for the
++		 * subnet ID. */
++		if (ol < 2 || ol > 17) {
++			logerrx("%s: invalid PD Exclude option", ifp->name);
+ 			continue;
+ 		}
+-		a->prefix_exclude_len = *o++;
++
++		/* RFC 6603 4.2 says prefix length MUST be between the
++		 * length of the IAPREFIX prefix length + 1 and 128. */
++		if (*o < a->prefix_len + 1 || *o > 128) {
++			logerrx("%s: invalid PD Exclude length", ifp->name);
++			continue;
++		}
++
+ 		ol--;
+-		if (((a->prefix_exclude_len - a->prefix_len - 1) / NBBY) + 1
+-		    != ol)
+-		{
++		/* Check option length matches prefix length. */
++		if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) {
+ 			logerrx("%s: PD Exclude length mismatch", ifp->name);
+-			a->prefix_exclude_len = 0;
+ 			continue;
+ 		}
+-		nb = a->prefix_len % NBBY;
++		a->prefix_exclude_len = *o++;
++
+ 		memcpy(&a->prefix_exclude, &a->prefix,
+ 		    sizeof(a->prefix_exclude));
++		nb = a->prefix_len % NBBY;
+ 		if (nb)
+ 			ol--;
+ 		pw = a->prefix_exclude.s6_addr +
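Review bot: The mismatch check `if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol)` is only safe because the range check just above it guarantees `*o - a->prefix_len - 1` lies in [0, 127]; nothing on the line says so, and a later reordering would silently reintroduce the negative-division case the old code allowed. A comment on that line such as `/* Range check above keeps *o - prefix_len - 1 within [0, 127], so this division cannot go negative. */` would protect the ordering. Assigning `a->prefix_exclude_len` only after every check passes, instead of resetting it on failure as before, is a cleaner shape and matches the preceding memset of `prefix_exclude`. The enclosing loop in dhcp6_findpd starts and ends outside the hunk.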
diff -Nru dhcpcd5-7.1.0/debian/patches/series dhcpcd5-7.1.0/debian/patches/series
--- dhcpcd5-7.1.0/debian/patches/series	2019-02-07 05:54:56.000000000 +0800
+++ dhcpcd5-7.1.0/debian/patches/series	2019-05-05 21:54:20.000000000 +0800
@@ -1 +1,5 @@
 0001-Fix-typo-in-manpage.patch
+0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
+0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
+0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
+0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
diff -Nru dhcpcd5-7.1.0/debian/source/lintian-overrides dhcpcd5-7.1.0/debian/source/lintian-overrides
--- dhcpcd5-7.1.0/debian/source/lintian-overrides	1970-01-01 08:00:00.000000000 +0800
+++ dhcpcd5-7.1.0/debian/source/lintian-overrides	2019-05-05 21:54:59.000000000 +0800
@@ -0,0 +1,2 @@
+# This commit is cherry-picked directly from upstream - spelling included.
+dhcpcd5 source: spelling-error-in-patch-description debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch upto up to
