[dhcp/f15] DoS due to processing certain regular expressions (CVE-2011-4539, #765681)
Jiří Popelka
jpopelka at fedoraproject.org
Fri Dec 9 13:25:17 UTC 2011
commit ae0776633767b34f38aa5d1a0ef1533d4cd8e78c
Author: Jiri Popelka <jpopelka at redhat.com>
Date: Fri Dec 9 14:25:10 2011 +0100
DoS due to processing certain regular expressions (CVE-2011-4539, #765681)
dhcp-4.2.1-P1-CVE-2011-4539.patch | 25 +++++++++++++++++++++++++
dhcp.spec | 9 ++++++++-
2 files changed, 33 insertions(+), 1 deletions(-)
---
diff --git a/dhcp-4.2.1-P1-CVE-2011-4539.patch b/dhcp-4.2.1-P1-CVE-2011-4539.patch
new file mode 100644
index 0000000..b6d826b
--- /dev/null
+++ b/dhcp-4.2.1-P1-CVE-2011-4539.patch
@@ -0,0 +1,25 @@
+diff -up dhcp-4.2.1-P1/common/dhcp-eval.5.CVE-2011-4539 dhcp-4.2.1-P1/common/dhcp-eval.5
+--- dhcp-4.2.1-P1/common/dhcp-eval.5.CVE-2011-4539 2010-07-06 21:03:11.000000000 +0200
++++ dhcp-4.2.1-P1/common/dhcp-eval.5 2011-12-09 13:58:44.000000000 +0100
+@@ -133,8 +133,8 @@ extended regex(7) matching of the values
+ true if \fIdata-expression-1\fR matches against the regular expression
+ evaluated by \fIdata-expression-2\fR, or false if it does not match or
+ encounters some error. If either the left-hand side or the right-hand side
+-are null, the result is also false. The \fB~~\fR operator differs from the
+-\fB~=\fR operator in that it is case-insensitive.
++are null or empty strings, the result is also false. The \fB~~\fR operator
++differs from the \fB~=\fR operator in that it is case-insensitive.
+ .RE
+ .PP
+ .I boolean-expression-1 \fBand\fR \fIboolean-expression-2\fR
+diff -up dhcp-4.2.1-P1/common/tree.c.CVE-2011-4539 dhcp-4.2.1-P1/common/tree.c
+--- dhcp-4.2.1-P1/common/tree.c.CVE-2011-4539 2009-11-20 02:49:01.000000000 +0100
++++ dhcp-4.2.1-P1/common/tree.c 2011-12-09 13:58:44.000000000 +0100
+@@ -1120,6 +1120,7 @@ int evaluate_boolean_expression (result,
+ *result = 0;
+ memset(&re, 0, sizeof(re));
+ if (bleft && bright &&
++ (left.data != NULL) && (right.data != NULL) &&
+ (regcomp(&re, (char *)right.data, regflags) == 0) &&
+ (regexec(&re, (char *)left.data, (size_t)0, NULL, 0) == 0))
+ *result = 1;
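Review bot: In the tree.c hunk, the added guard `(left.data != NULL) && (right.data != NULL)` tests only the pointers, while the dhcp-eval.5 hunk in the same patch now promises false for "null or empty strings". If an empty value is always represented by a NULL data pointer, a one-line comment above the condition saying so would tie the code to the documented behaviour. If an empty value can arrive with a non-NULL pointer, the guard does not cover the case the man page describes and should test for emptiness as well. Both operands are also handed to regcomp() and regexec() through a `(char *)` cast, so they are read as NUL-terminated C strings. Nothing in the visible context shows that termination is guaranteed, so it is worth confirming or noting in that comment.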
diff --git a/dhcp.spec b/dhcp.spec
index 5ac506f..b5d38db 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -16,7 +16,7 @@
Summary: Dynamic host configuration protocol software
Name: dhcp
Version: 4.2.1
-Release: 13.%{patchver}%{?dist}
+Release: 14.%{patchver}%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and
# that's why it is at 12 now. It should have never been used, but it was.
@@ -70,6 +70,7 @@ Patch30: dhcp420-sharedlib.patch
Patch31: dhcp-4.2.0-PPP.patch
Patch32: dhcp-4.2.1-P1-CVE-2011-0997.patch
Patch33: dhcp-4.2.1-P1-CVE-2011-2748-2749.patch
+Patch34: dhcp-4.2.1-P1-CVE-2011-4539.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -319,6 +320,9 @@ rm bind/bind.tar.gz
# CVE-2011-2748, CVE-2011-2749, #729850
%patch33 -p1 -b .CVE-2011-2748-2749
+# DoS due to processing certain regular expressions (CVE-2011-4539, #765681)
+%patch34 -p1 -b .CVE-2011-4539
+
# Copy in the Fedora/RHEL dhclient script
%{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
%{__install} -p -m 0644 %{SOURCE5} .
@@ -655,6 +659,9 @@ fi
%{_initddir}/dhcrelay
%changelog
+* Fri Dec 09 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.1-14.P1
+- DoS due to processing certain regular expressions (CVE-2011-4539, #765681)
+
* Fri Sep 30 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.1-13.P1
- 56dhclient: ifcfg file was not sourced (#742482)