Security fix for CVE-2018-5732 CVE-2018-5733

dhcp-4.3.6-options_overflow.patch

@@ -0,0 +1,41 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..8a1deca 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -1672,7 +1672,8 @@ format_min_length(format, oc)
+ 
+ 
+ /* Format the specified option so that a human can easily read it. */
+-
++/* Maximum pretty printed size */
++#define MAX_OUTPUT_SIZE 32*1024
+ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ 	struct option *option;
+ 	const unsigned char *data;
+@@ -1680,8 +1681,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ 	int emit_commas;
+ 	int emit_quotes;
+ {
+-	static char optbuf [32768]; /* XXX */
+-	static char *endbuf = &optbuf[sizeof(optbuf)];
++	/* We add 128 byte pad so we don't have to add checks everywhere. */
++	static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
++	static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
+ 	int hunksize = 0;
+ 	int opthunk = 0;
+ 	int hunkinc = 0;
+@@ -2132,7 +2134,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ 				log_error ("Unexpected format code %c",
+ 					   fmtbuf [j]);
+ 			}
++
+ 			op += strlen (op);
++			if (op >= endbuf) {
++				log_error ("Option data exceeds"
++					   " maximum size %d", MAX_OUTPUT_SIZE);
++					   return ("<error>");
++			}
++
+ 			if (dp == data + len)
+ 				break;
+ 			if (j + 1 < numelem && comma != ':')

dhcp-4.3.6-reference_count_overflow.patch

@@ -0,0 +1,13 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..a58c5fc 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -189,6 +189,8 @@ int parse_option_buffer (options, buffer, length, universe)
+ 
+ 		/* If the length is outrageous, the options are bad. */
+ 		if (offset + len > length) {
++			/* Avoid reference count overflow */
++			option_dereference(&option, MDL);
+ 			reason = "option length exceeds option buffer length";
+ 		      bogus:
+ 			log_error("parse_option_buffer: malformed option "

dhcp.spec

@@ -16,7 +16,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.3.6
-Release:  16%{?dist}
+Release:  17%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -75,7 +75,8 @@ Patch38:  dhcp-dhclient-preinit6s.patch
 Patch39:  dhcp-handle_ctx_signals.patch
 Patch40:  dhcp-4.3.6-omapi-leak.patch
 Patch41:  dhcp-4.3.6-isc-util.patch
-
+Patch42:  dhcp-4.3.6-options_overflow.patch
+Patch43:  dhcp-4.3.6-reference_count_overflow.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -344,6 +345,10 @@ rm bind/bind.tar.gz
 # include isc/util.h explicitly, is it no longer contained in used headers
 %patch41 -p1 -b .isc-util
 
+## https://bugzilla.redhat.com/show_bug.cgi?id=1550246
+%patch42 -p1 
+%patch43 -p1
+
 # DHCLIENT_DEFAULT_PREFIX_LEN  64 -> 128
 # https://bugzilla.gnome.org/show_bug.cgi?id=656610
 sed -i -e 's|DHCLIENT_DEFAULT_PREFIX_LEN 64|DHCLIENT_DEFAULT_PREFIX_LEN 128|g' includes/site.h
@@ -666,6 +671,9 @@ done
 %endif
 
 %changelog
+* Thu Mar  1 2018 Pavel Zhukov <pzhukov@redhat.com> - 12:4.3.6-17
+- Fix CVE-2018-5732 CVE-2018-5733 (#1550246)
+
 * Thu Feb 22 2018 Petr Menšík <pemensik@redhat.com> - 12:4.3.6-16
 - Compile with recent bind includes, that does not include isc/util.h