[dhcp/f14] CVE-2011-2748, CVE-2011-2749, #729850

Jiří Popelka jpopelka at fedoraproject.org
Thu Aug 11 08:13:25 UTC 2011


commit 6bbdf5c91a8e71e2f898303e16acbe3a2ec88db9
Author: Jiri Popelka <jpopelka at redhat.com>
Date:   Thu Aug 11 09:31:12 2011 +0200

    CVE-2011-2748, CVE-2011-2749, #729850

 dhcp-4.2.0-P2-CVE-2011-2748-2749.patch |   59 ++++++++++++++++++++++++++++++++
 dhcp.spec                              |   13 ++++++-
 2 files changed, 70 insertions(+), 2 deletions(-)
---
diff --git a/dhcp-4.2.0-P2-CVE-2011-2748-2749.patch b/dhcp-4.2.0-P2-CVE-2011-2748-2749.patch
new file mode 100644
index 0000000..1a52233
--- /dev/null
+++ b/dhcp-4.2.0-P2-CVE-2011-2748-2749.patch
@@ -0,0 +1,59 @@
+diff -up dhcp-4.2.1-P1/common/discover.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/common/discover.c
+--- dhcp-4.2.1-P1/common/discover.c.CVE-2011-2748-2749	2011-08-11 09:31:41.105937401 +0200
++++ dhcp-4.2.1-P1/common/discover.c	2011-08-11 09:31:41.217936038 +0200
+@@ -1389,12 +1389,16 @@ isc_result_t got_one (h)
+ 	if (result == 0)
+ 		return ISC_R_UNEXPECTED;
+ 
+-	/* If we didn't at least get the fixed portion of the BOOTP
+-	   packet, drop the packet.  We're allowing packets with no
+-	   sname or filename, because we're aware of at least one
+-	   client that sends such packets, but this definitely falls
+-	   into the category of being forgiving. */
+-	if (result < DHCP_FIXED_NON_UDP - DHCP_SNAME_LEN - DHCP_FILE_LEN)
++	/*
++	 * If we didn't at least get the fixed portion of the BOOTP
++	 * packet, drop the packet.
++	 * Previously we allowed packets with no sname or filename
++	 * as we were aware of at least one client that did.  But
++	 * a bug caused short packets to not work and nobody has
++	 * complained, it seems rational to tighten up that
++	 * restriction.
++	 */
++	if (result < DHCP_FIXED_NON_UDP)
+ 		return ISC_R_UNEXPECTED;
+ 
+ 	if (bootp_packet_handler) {
+diff -up dhcp-4.2.1-P1/common/options.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/common/options.c
+--- dhcp-4.2.1-P1/common/options.c.CVE-2011-2748-2749	2011-08-11 09:31:41.160936728 +0200
++++ dhcp-4.2.1-P1/common/options.c	2011-08-11 09:31:41.218936026 +0200
+@@ -592,8 +592,8 @@ cons_options(struct packet *inpacket, st
+ 	} else if (bootpp) {
+ 		mb_size = 64;
+ 		if (inpacket != NULL &&
+-		    (inpacket->packet_length - DHCP_FIXED_LEN >= 64))
+-			mb_size = inpacket->packet_length - DHCP_FIXED_LEN;
++		    (inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP))
++			mb_size = inpacket->packet_length - DHCP_FIXED_NON_UDP;
+ 	} else
+ 		mb_size = DHCP_MIN_OPTION_LEN;
+ 
+diff -up dhcp-4.2.1-P1/server/dhcp.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/server/dhcp.c
+--- dhcp-4.2.1-P1/server/dhcp.c.CVE-2011-2748-2749	2011-08-11 09:31:41.034938265 +0200
++++ dhcp-4.2.1-P1/server/dhcp.c	2011-08-11 09:31:41.220936002 +0200
+@@ -2336,6 +2336,7 @@ void ack_lease (packet, lease, offer, wh
+ 	 * giaddr.
+ 	 */
+ 	if (!packet->agent_options_stashed &&
++	    (packet->options != NULL) &&
+ 	    packet->options->universe_count > agent_universe.index &&
+ 	    packet->options->universes[agent_universe.index] != NULL) {
+ 	    oc = lookup_option (&server_universe, state -> options,
+@@ -4448,6 +4449,7 @@ maybe_return_agent_options(struct packet
+ 	 * by the user into the new state, not just give up.
+ 	 */
+ 	if (!packet->agent_options_stashed &&
++	    (packet->options != NULL) &&
+ 	    packet->options->universe_count > agent_universe.index &&
+ 	    packet->options->universes[agent_universe.index] != NULL &&
+ 	    (options->universe_count <= agent_universe.index ||
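Review bot: The reordered bound in cons_options, `inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP`, deserves a comment, because the reason it replaces `packet_length - DHCP_FIXED_LEN >= 64` is not visible at the call site: if packet_length is an unsigned type, the old subtraction wraps for a packet shorter than DHCP_FIXED_LEN and the comparison then passes with an oversized mb_size. A one-line `/* Compare before subtracting so a short packet_length cannot wrap. */` above the condition would keep the next maintainer from "simplifying" it back. The same minimum length now drives the drop check in got_one (discover.c), so the two should be kept in step if DHCP_FIXED_NON_UDP ever changes; both enclosing functions start and end outside the hunk. The embedded headers reference dhcp-4.2.1-P1 paths while the file is named for 4.2.0-P2; with `-p1` the prefix is stripped so it applies, but the tree the patch was generated against is worth recording in its header.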
diff --git a/dhcp.spec b/dhcp.spec
index 1b74b72..54b2042 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -12,7 +12,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.2.0
-Release:  22.%{patchver}%{?dist}
+Release:  23.%{patchver}%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -67,6 +67,7 @@ Patch33:  dhcp-4.2.0-P2-omapi.patch
 Patch34:  dhcp-4.2.0-P2-ldap-configuration.patch
 Patch35:  dhcp-4.2.0-P2-CVE-2011-0413.patch
 Patch36:  dhcp-4.2.0-P2-CVE-2011-0997.patch
+Patch37:  dhcp-4.2.0-P2-CVE-2011-2748-2749.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf
@@ -278,6 +279,10 @@ libdhcpctl and libomapi static libraries are also included in this package.
 # dhclient: insufficient sanitization of certain DHCP response values (#694005)
 %patch36 -p1 -b .CVE-2011-0997
 
+# A pair of defects cause the server to halt upon processing certain packets
+# CVE-2011-2748, CVE-2011-2749, #729850
+%patch37 -p1 -b .CVE-2011-2748-2749
+
 # Copy in the Fedora/RHEL dhclient script
 %{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
 %{__install} -p -m 0644 %{SOURCE5} .
@@ -559,7 +564,11 @@ fi
 %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz
 
 %changelog
-* Mon May 09 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-22.P1
+* Thu Aug 11 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-23.P2
+- A pair of defects cause the server to halt upon processing certain packets
+  (CVE-2011-2748, CVE-2011-2749, #729850)
+
+* Mon May 09 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-22.P2
 - Fix 11-dhclient to export variables (#702735)
 
 * Wed Apr 06 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-21.P2

