Security fix for CVE-2018-5732 CVE-2018-5733

2018-03-01 10:25:39 +01:00 · 2018-03-01 10:25:39 +01:00 · 6b39f020c6
commit 6b39f020c6
parent c6bcdf99e5
3 changed files with 64 additions and 2 deletions
--- a/dhcp-4.3.6-options_overflow.patch
+++ b/dhcp-4.3.6-options_overflow.patch
@ -0,0 +1,41 @@
 diff --git a/common/options.c b/common/options.c
 index 83e0384..8a1deca 100644
 --- a/common/options.c
 +++ b/common/options.c
@@ -1672,7 +1672,8 @@ format_min_length(format, oc)
 /* Format the specified option so that a human can easily read it. */
 -
 +/* Maximum pretty printed size */
 +#define MAX_OUTPUT_SIZE 32*1024
 const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 	struct option *option;
 	const unsigned char *data;
@@ -1680,8 +1681,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 	int emit_commas;
 	int emit_quotes;
 {
 -	static char optbuf [32768]; /* XXX */
 -	static char *endbuf = &optbuf[sizeof(optbuf)];
 +	/* We add 128 byte pad so we don't have to add checks everywhere. */
 +	static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
 +	static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
 	int hunksize = 0;
 	int opthunk = 0;
 	int hunkinc = 0;
@@ -2132,7 +2134,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 				log_error ("Unexpected format code %c",
 					   fmtbuf [j]);
 			}
 +
 			op += strlen (op);
 +			if (op >= endbuf) {
 +				log_error ("Option data exceeds"
 +					   " maximum size %d", MAX_OUTPUT_SIZE);
 +					   return ("<error>");
 +			}
 +
 			if (dp == data + len)
 				break;
 			if (j + 1 < numelem && comma != ':')
--- a/dhcp-4.3.6-reference_count_overflow.patch
+++ b/dhcp-4.3.6-reference_count_overflow.patch
@ -0,0 +1,13 @@
 diff --git a/common/options.c b/common/options.c
 index 83e0384..a58c5fc 100644
 --- a/common/options.c
 +++ b/common/options.c
@@ -189,6 +189,8 @@ int parse_option_buffer (options, buffer, length, universe)
 		/* If the length is outrageous, the options are bad. */
 		if (offset + len > length) {
 +			/* Avoid reference count overflow */
 +			option_dereference(&option, MDL);
 			reason = "option length exceeds option buffer length";
 		      bogus:
 			log_error("parse_option_buffer: malformed option "
--- a/dhcp.spec
+++ b/dhcp.spec
@ -16,7 +16,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.3.6
-Release:  16%{?dist}
+Release:  17%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@ -75,7 +75,8 @@ Patch38:  dhcp-dhclient-preinit6s.patch
 Patch39:  dhcp-handle_ctx_signals.patch
 Patch40:  dhcp-4.3.6-omapi-leak.patch
 Patch41:  dhcp-4.3.6-isc-util.patch
-
+Patch42:  dhcp-4.3.6-options_overflow.patch
 Patch43:  dhcp-4.3.6-reference_count_overflow.patch
 BuildRequires: autoconf
 BuildRequires: automake
@ -344,6 +345,10 @@ rm bind/bind.tar.gz
 # include isc/util.h explicitly, is it no longer contained in used headers
 %patch41 -p1 -b .isc-util
 ## https://bugzilla.redhat.com/show_bug.cgi?id=1550246
 %patch42 -p1 
 %patch43 -p1
 # DHCLIENT_DEFAULT_PREFIX_LEN  64 -> 128
 # https://bugzilla.gnome.org/show_bug.cgi?id=656610
 sed -i -e 's|DHCLIENT_DEFAULT_PREFIX_LEN 64|DHCLIENT_DEFAULT_PREFIX_LEN 128|g' includes/site.h
@ -666,6 +671,9 @@ done
 %endif
 %changelog
 * Thu Mar  1 2018 Pavel Zhukov <pzhukov@redhat.com> - 12:4.3.6-17
 - Fix CVE-2018-5732 CVE-2018-5733 (#1550246)
 * Thu Feb 22 2018 Petr Menšík <pemensik@redhat.com> - 12:4.3.6-16
 - Compile with recent bind includes, that does not include isc/util.h