[dhcp/f14] CVE-2011-2748, CVE-2011-2749, #729850
Jiří Popelka
jpopelka at fedoraproject.org
Thu Aug 11 08:13:25 UTC 2011
commit 6bbdf5c91a8e71e2f898303e16acbe3a2ec88db9
Author: Jiri Popelka <jpopelka at redhat.com>
Date: Thu Aug 11 09:31:12 2011 +0200
CVE-2011-2748, CVE-2011-2749, #729850
dhcp-4.2.0-P2-CVE-2011-2748-2749.patch | 59 ++++++++++++++++++++++++++++++++
dhcp.spec | 13 ++++++-
2 files changed, 70 insertions(+), 2 deletions(-)
---
diff --git a/dhcp-4.2.0-P2-CVE-2011-2748-2749.patch b/dhcp-4.2.0-P2-CVE-2011-2748-2749.patch
new file mode 100644
index 0000000..1a52233
--- /dev/null
+++ b/dhcp-4.2.0-P2-CVE-2011-2748-2749.patch
@@ -0,0 +1,59 @@
+diff -up dhcp-4.2.1-P1/common/discover.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/common/discover.c
+--- dhcp-4.2.1-P1/common/discover.c.CVE-2011-2748-2749 2011-08-11 09:31:41.105937401 +0200
++++ dhcp-4.2.1-P1/common/discover.c 2011-08-11 09:31:41.217936038 +0200
+@@ -1389,12 +1389,16 @@ isc_result_t got_one (h)
+ if (result == 0)
+ return ISC_R_UNEXPECTED;
+
+- /* If we didn't at least get the fixed portion of the BOOTP
+- packet, drop the packet. We're allowing packets with no
+- sname or filename, because we're aware of at least one
+- client that sends such packets, but this definitely falls
+- into the category of being forgiving. */
+- if (result < DHCP_FIXED_NON_UDP - DHCP_SNAME_LEN - DHCP_FILE_LEN)
++ /*
++ * If we didn't at least get the fixed portion of the BOOTP
++ * packet, drop the packet.
++ * Previously we allowed packets with no sname or filename
++ * as we were aware of at least one client that did. But
++ * a bug caused short packets to not work and nobody has
++ * complained, it seems rational to tighten up that
++ * restriction.
++ */
++ if (result < DHCP_FIXED_NON_UDP)
+ return ISC_R_UNEXPECTED;
+
+ if (bootp_packet_handler) {
+diff -up dhcp-4.2.1-P1/common/options.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/common/options.c
+--- dhcp-4.2.1-P1/common/options.c.CVE-2011-2748-2749 2011-08-11 09:31:41.160936728 +0200
++++ dhcp-4.2.1-P1/common/options.c 2011-08-11 09:31:41.218936026 +0200
+@@ -592,8 +592,8 @@ cons_options(struct packet *inpacket, st
+ } else if (bootpp) {
+ mb_size = 64;
+ if (inpacket != NULL &&
+- (inpacket->packet_length - DHCP_FIXED_LEN >= 64))
+- mb_size = inpacket->packet_length - DHCP_FIXED_LEN;
++ (inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP))
++ mb_size = inpacket->packet_length - DHCP_FIXED_NON_UDP;
+ } else
+ mb_size = DHCP_MIN_OPTION_LEN;
+
+diff -up dhcp-4.2.1-P1/server/dhcp.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/server/dhcp.c
+--- dhcp-4.2.1-P1/server/dhcp.c.CVE-2011-2748-2749 2011-08-11 09:31:41.034938265 +0200
++++ dhcp-4.2.1-P1/server/dhcp.c 2011-08-11 09:31:41.220936002 +0200
+@@ -2336,6 +2336,7 @@ void ack_lease (packet, lease, offer, wh
+ * giaddr.
+ */
+ if (!packet->agent_options_stashed &&
++ (packet->options != NULL) &&
+ packet->options->universe_count > agent_universe.index &&
+ packet->options->universes[agent_universe.index] != NULL) {
+ oc = lookup_option (&server_universe, state -> options,
+@@ -4448,6 +4449,7 @@ maybe_return_agent_options(struct packet
+ * by the user into the new state, not just give up.
+ */
+ if (!packet->agent_options_stashed &&
++ (packet->options != NULL) &&
+ packet->options->universe_count > agent_universe.index &&
+ packet->options->universes[agent_universe.index] != NULL &&
+ (options->universe_count <= agent_universe.index ||
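Review bot: The discover.c hunk changes what input the server accepts beyond fixing the crash: packets shorter than DHCP_FIXED_NON_UDP that omit sname/filename were previously tolerated by got_one() and are now rejected with ISC_R_UNEXPECTED, yet neither the patch file nor the spec's comment above `%patch37` records this behaviour change, and the changelog entry only says the server halted on certain packets. A header line in the patch such as `# Also tightens got_one()'s minimum BOOTP length check, so truncated client packets that used to be tolerated are now discarded` would tell the next packager why dropped-packet reports after this update are expected rather than a regression. The patch's own `diff -up` headers reference a dhcp-4.2.1-P1 tree while the spec builds 4.2.0-P2 and applies it with `-p1`, which works because the leading directory is stripped, but the origin of the backport is left undocumented; naming it in the same header would help. The cons_options() change replaces an unsigned subtraction that could underflow with an addition on the comparison side, which is the right shape, though the switch from DHCP_FIXED_LEN to DHCP_FIXED_NON_UDP relies on packet_length excluding the UDP/IP overhead, which the hunk does not show. got_one(), cons_options(), ack_lease() and maybe_return_agent_options() all begin and end outside the hunks shown.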
diff --git a/dhcp.spec b/dhcp.spec
index 1b74b72..54b2042 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -12,7 +12,7 @@
Summary: Dynamic host configuration protocol software
Name: dhcp
Version: 4.2.0
-Release: 22.%{patchver}%{?dist}
+Release: 23.%{patchver}%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and
# that's why it is at 12 now. It should have never been used, but it was.
@@ -67,6 +67,7 @@ Patch33: dhcp-4.2.0-P2-omapi.patch
Patch34: dhcp-4.2.0-P2-ldap-configuration.patch
Patch35: dhcp-4.2.0-P2-CVE-2011-0413.patch
Patch36: dhcp-4.2.0-P2-CVE-2011-0997.patch
+Patch37: dhcp-4.2.0-P2-CVE-2011-2748-2749.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf
@@ -278,6 +279,10 @@ libdhcpctl and libomapi static libraries are also included in this package.
# dhclient: insufficient sanitization of certain DHCP response values (#694005)
%patch36 -p1 -b .CVE-2011-0997
+# A pair of defects cause the server to halt upon processing certain packets
+# CVE-2011-2748, CVE-2011-2749, #729850
+%patch37 -p1 -b .CVE-2011-2748-2749
+
# Copy in the Fedora/RHEL dhclient script
%{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
%{__install} -p -m 0644 %{SOURCE5} .
@@ -559,7 +564,11 @@ fi
%attr(0644,root,root) %{_mandir}/man3/omapi.3.gz
%changelog
-* Mon May 09 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-22.P1
+* Thu Aug 11 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-23.P2
+- A pair of defects cause the server to halt upon processing certain packets
+ (CVE-2011-2748, CVE-2011-2749, #729850)
+
+* Mon May 09 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-22.P2
- Fix 11-dhclient to export variables (#702735)
* Wed Apr 06 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.0-21.P2