4.2.0-P2: fix for CVE-2010-3616 (#662326)

- Use upstream fix for #628258
- Provide versioned symbols for rpmlint
This commit is contained in:
Jiri Popelka 2010-12-13 11:36:02 +01:00
parent 77e77eaef7
commit 7b41fdb208
10 changed files with 247 additions and 170 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
/dhcp-4.2.0-P1.tar.gz /dhcp-4.2.0-P2.tar.gz

0
11-dhclient Executable file → Normal file
View File

0
12-dhcpd Executable file → Normal file
View File

0
56dhclient Executable file → Normal file
View File

0
dhclient-script Executable file → Normal file
View File

View File

@ -1,151 +0,0 @@
diff -up dhcp-4.2.0/common/dispatch.c.64-bit_lease_parse dhcp-4.2.0/common/dispatch.c
--- dhcp-4.2.0/common/dispatch.c.64-bit_lease_parse 2010-09-02 18:21:00.000000000 +0200
+++ dhcp-4.2.0/common/dispatch.c 2010-09-02 18:29:50.000000000 +0200
@@ -185,7 +185,7 @@ void add_timeout (when, where, what, ref
struct timeout *t, *q;
int usereset = 0;
isc_result_t status;
- int sec, usec;
+ struct timeval relative_time;
isc_interval_t interval;
isc_time_t expires;
@@ -297,24 +297,24 @@ void add_timeout (when, where, what, ref
* about the usec value, if it's zero we assume the caller didn't care.
*/
- sec = when->tv_sec - cur_tv.tv_sec;
- usec = when->tv_usec - cur_tv.tv_usec;
+ relative_time.tv_sec = when->tv_sec - cur_tv.tv_sec;
+ relative_time.tv_usec = when->tv_usec - cur_tv.tv_usec;
- if ((when->tv_usec != 0) && (usec < 0)) {
- sec--;
- usec += USEC_MAX;
+ if ((when->tv_usec != 0) && (relative_time.tv_usec < 0)) {
+ relative_time.tv_sec--;
+ relative_time.tv_usec += USEC_MAX;
}
- if (sec < 0) {
- sec = 0;
- usec = 0;
- } else if (usec < 0) {
- usec = 0;
- } else if (usec >= USEC_MAX) {
- usec = USEC_MAX - 1;
+ if (relative_time.tv_sec < 0) {
+ relative_time.tv_sec = 0;
+ relative_time.tv_usec = 0;
+ } else if (relative_time.tv_usec < 0) {
+ relative_time.tv_usec = 0;
+ } else if (relative_time.tv_usec >= USEC_MAX) {
+ relative_time.tv_usec = USEC_MAX - 1;
}
- isc_interval_set(&interval, sec, usec * 1000);
+ isc_interval_set(&interval, relative_time.tv_sec, relative_time.tv_usec * 1000);
status = isc_time_nowplusinterval(&expires, &interval);
if (status != ISC_R_SUCCESS) {
/*
diff -up dhcp-4.2.0/common/parse.c.64-bit_lease_parse dhcp-4.2.0/common/parse.c
--- dhcp-4.2.0/common/parse.c.64-bit_lease_parse 2009-10-28 05:12:29.000000000 +0100
+++ dhcp-4.2.0/common/parse.c 2010-09-02 18:21:00.000000000 +0200
@@ -905,8 +905,8 @@ TIME
parse_date_core(cfile)
struct parse *cfile;
{
- int guess;
- int tzoff, wday, year, mon, mday, hour, min, sec;
+ TIME guess;
+ long int tzoff, wday, year, mon, mday, hour, min, sec;
const char *val;
enum dhcp_token token;
static int months [11] = { 31, 59, 90, 120, 151, 181,
@@ -931,7 +931,7 @@ parse_date_core(cfile)
return (TIME)0;
}
- guess = atoi(val);
+ guess = atol(val);
if (!parse_semi(cfile))
return (TIME)0;
@@ -945,7 +945,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- wday = atoi (val);
+ wday = atol (val);
/* Year... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -960,7 +960,7 @@ parse_date_core(cfile)
somebody invents a time machine, I think we can safely disregard
it. This actually works around a stupid Y2K bug that was present
in a very early beta release of dhcpd. */
- year = atoi (val);
+ year = atol (val);
if (year > 1900)
year -= 1900;
@@ -982,7 +982,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- mon = atoi (val) - 1;
+ mon = atol (val) - 1;
/* Slash separating month from day... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -1002,7 +1002,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- mday = atoi (val);
+ mday = atol (val);
/* Hour... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -1012,7 +1012,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- hour = atoi (val);
+ hour = atol (val);
/* Colon separating hour from minute... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -1032,7 +1032,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- min = atoi (val);
+ min = atol (val);
/* Colon separating minute from second... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -1052,12 +1052,12 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- sec = atoi (val);
+ sec = atol (val);
token = peek_token (&val, (unsigned *)0, cfile);
if (token == NUMBER) {
token = next_token (&val, (unsigned *)0, cfile);
- tzoff = atoi (val);
+ tzoff = atol (val);
} else
tzoff = 0;
@@ -1090,7 +1090,7 @@ TIME
parse_date(cfile)
struct parse *cfile;
{
- int guess;
+ TIME guess;
guess = parse_date_core(cfile);
/* Make sure the date ends in a semicolon... */

View File

@ -0,0 +1,215 @@
diff -up dhcp-4.2.0-P1/common/dispatch.c.64-bit_lease_parse dhcp-4.2.0-P1/common/dispatch.c
--- dhcp-4.2.0-P1/common/dispatch.c.64-bit_lease_parse 2010-12-13 11:06:36.000000000 +0100
+++ dhcp-4.2.0-P1/common/dispatch.c 2010-12-13 10:56:59.000000000 +0100
@@ -174,6 +174,7 @@ isclib_timer_callback(isc_task_t *taskp
/* maximum value for usec */
#define USEC_MAX 1000000
+#define DHCP_SEC_MAX 0xFFFFFFFF
void add_timeout (when, where, what, ref, unref)
struct timeval *when;
@@ -185,7 +186,8 @@ void add_timeout (when, where, what, ref
struct timeout *t, *q;
int usereset = 0;
isc_result_t status;
- int sec, usec;
+ int64_t sec;
+ int usec;
isc_interval_t interval;
isc_time_t expires;
@@ -231,9 +233,49 @@ void add_timeout (when, where, what, ref
q->what = what;
}
- /* We don't really need this, but keep it for now */
- q->when.tv_sec = when->tv_sec;
- q->when.tv_usec = when->tv_usec;
+ /*
+ * The value passed in is a time from an epoch but we need a relative
+ * time so we need to do some math to try and recover the period.
+ * This is complicated by the fact that not all of the calls cared
+ * about the usec value, if it's zero we assume the caller didn't care.
+ *
+ * The ISC timer library doesn't seem to like negative values
+ * and can't accept any values above 4G-1 seconds so we limit
+ * the values to 0 <= value < 4G-1. We do it before
+ * checking the trace option so that both the trace code and
+ * the working code use the same values.
+ */
+
+ sec = when->tv_sec - cur_tv.tv_sec;
+ usec = when->tv_usec - cur_tv.tv_usec;
+
+ if ((when->tv_usec != 0) && (usec < 0)) {
+ sec--;
+ usec += USEC_MAX;
+ }
+
+ if (sec < 0) {
+ sec = 0;
+ usec = 0;
+ } else if (sec > DHCP_SEC_MAX) {
+ log_error("Timeout requested too large %lld "
+ "reducing to 2^^32-1", sec);
+ sec = DHCP_SEC_MAX;
+ usec = 0;
+ }
+ else if (usec < 0) {
+ usec = 0;
+ } else if (usec >= USEC_MAX) {
+ usec = USEC_MAX - 1;
+ }
+
+ /*
+ * This is necessary for the tracing code but we put it
+ * here in case we want to compare timing information
+ * for some reason, like debugging.
+ */
+ q->when.tv_sec = cur_tv.tv_sec + (sec & DHCP_SEC_MAX);
+ q->when.tv_usec = usec;
#if defined (TRACING)
if (trace_playback()) {
@@ -283,38 +325,7 @@ void add_timeout (when, where, what, ref
q->next = timeouts;
timeouts = q;
- /*
- * Set up the interval values - The previous timers allowed
- * negative values to be set, the ISC timer library doesn't like
- * that so we make any negative values 0 which sould amount to
- * the same thing.
- */
-
- /*
- * The value passed in is a time from an epoch but we need a relative
- * time so we need to do some math to try and recover the period.
- * This is complicated by the fact that not all of the calls cared
- * about the usec value, if it's zero we assume the caller didn't care.
- */
-
- sec = when->tv_sec - cur_tv.tv_sec;
- usec = when->tv_usec - cur_tv.tv_usec;
-
- if ((when->tv_usec != 0) && (usec < 0)) {
- sec--;
- usec += USEC_MAX;
- }
-
- if (sec < 0) {
- sec = 0;
- usec = 0;
- } else if (usec < 0) {
- usec = 0;
- } else if (usec >= USEC_MAX) {
- usec = USEC_MAX - 1;
- }
-
- isc_interval_set(&interval, sec, usec * 1000);
+ isc_interval_set(&interval, sec & 0xFFFFFFFF, usec * 1000);
status = isc_time_nowplusinterval(&expires, &interval);
if (status != ISC_R_SUCCESS) {
/*
diff -up dhcp-4.2.0-P1/common/parse.c.64-bit_lease_parse dhcp-4.2.0-P1/common/parse.c
--- dhcp-4.2.0-P1/common/parse.c.64-bit_lease_parse 2009-10-28 05:12:29.000000000 +0100
+++ dhcp-4.2.0-P1/common/parse.c 2010-12-13 11:06:36.000000000 +0100
@@ -905,8 +905,8 @@ TIME
parse_date_core(cfile)
struct parse *cfile;
{
- int guess;
- int tzoff, wday, year, mon, mday, hour, min, sec;
+ TIME guess;
+ long int tzoff, wday, year, mon, mday, hour, min, sec;
const char *val;
enum dhcp_token token;
static int months [11] = { 31, 59, 90, 120, 151, 181,
@@ -931,7 +931,7 @@ parse_date_core(cfile)
return (TIME)0;
}
- guess = atoi(val);
+ guess = atol(val);
if (!parse_semi(cfile))
return (TIME)0;
@@ -945,7 +945,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- wday = atoi (val);
+ wday = atol (val);
/* Year... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -960,7 +960,7 @@ parse_date_core(cfile)
somebody invents a time machine, I think we can safely disregard
it. This actually works around a stupid Y2K bug that was present
in a very early beta release of dhcpd. */
- year = atoi (val);
+ year = atol (val);
if (year > 1900)
year -= 1900;
@@ -982,7 +982,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- mon = atoi (val) - 1;
+ mon = atol (val) - 1;
/* Slash separating month from day... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -1002,7 +1002,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- mday = atoi (val);
+ mday = atol (val);
/* Hour... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -1012,7 +1012,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- hour = atoi (val);
+ hour = atol (val);
/* Colon separating hour from minute... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -1032,7 +1032,7 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- min = atoi (val);
+ min = atol (val);
/* Colon separating minute from second... */
token = next_token (&val, (unsigned *)0, cfile);
@@ -1052,12 +1052,12 @@ parse_date_core(cfile)
skip_to_semi (cfile);
return (TIME)0;
}
- sec = atoi (val);
+ sec = atol (val);
token = peek_token (&val, (unsigned *)0, cfile);
if (token == NUMBER) {
token = next_token (&val, (unsigned *)0, cfile);
- tzoff = atoi (val);
+ tzoff = atol (val);
} else
tzoff = 0;
@@ -1090,7 +1090,7 @@ TIME
parse_date(cfile)
struct parse *cfile;
{
- int guess;
+ TIME guess;
guess = parse_date_core(cfile);
/* Make sure the date ends in a semicolon... */

View File

@ -70,7 +70,7 @@ diff -up dhcp-4.2.0/common/dhcp-options.5.rfc3442 dhcp-4.2.0/common/dhcp-options
.PP .PP
.nf .nf
+.B option \fBclassless-static-routes\fR \fIdestination-descriptor ip-address\fR +.B option \fBclassless-static-routes\fR \fIdestination-descriptor ip-address\fR
+ [\fB,\fR \fIdestination-descriptor ip-address\fR...]\fB;\fR + [\fB,\fR \fIdestination-descriptor ip-address\fR...]\fB;\fR
+.fi +.fi
+.RS 0.25i +.RS 0.25i
+.PP +.PP

View File

@ -5,14 +5,14 @@
%global dhcpconfdir %{_sysconfdir}/dhcp %global dhcpconfdir %{_sysconfdir}/dhcp
# Patch version # Patch version
%global patchver P1 %global patchver P2
%global VERSION %{version}-%{patchver} %global VERSION %{version}-%{patchver}
Summary: Dynamic host configuration protocol software Summary: Dynamic host configuration protocol software
Name: dhcp Name: dhcp
Version: 4.2.0 Version: 4.2.0
Release: 21.%{patchver}%{?dist} Release: 22.%{patchver}%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and # dcantrell maintaining the package) made incorrect use of the epoch and
# that's why it is at 12 now. It should have never been used, but it was. # that's why it is at 12 now. It should have never been used, but it was.
@ -53,7 +53,7 @@ Patch15: dhcp-4.2.0-invalid-dhclient-conf.patch
Patch16: dhcp-4.2.0-missing-ipv6-not-fatal.patch Patch16: dhcp-4.2.0-missing-ipv6-not-fatal.patch
Patch17: dhcp-4.2.0-IFNAMSIZ.patch Patch17: dhcp-4.2.0-IFNAMSIZ.patch
Patch18: dhcp-4.2.0-add_timeout_when_NULL.patch Patch18: dhcp-4.2.0-add_timeout_when_NULL.patch
Patch19: dhcp-4.2.0-64_bit_lease_parse.patch Patch19: dhcp-4.2.0-P1-64_bit_lease_parse.patch
Patch20: dhcp-4.2.0-capability.patch Patch20: dhcp-4.2.0-capability.patch
Patch21: dhcp-4.2.0-logpid.patch Patch21: dhcp-4.2.0-logpid.patch
Patch22: dhcp-4.2.0-UseMulticast.patch Patch22: dhcp-4.2.0-UseMulticast.patch
@ -87,7 +87,8 @@ Requires(preun): systemd-units
Requires(postun): initscripts Requires(postun): initscripts
Requires(postun): systemd-units Requires(postun): systemd-units
Obsoletes: dhcpv6 Obsoletes: dhcpv6 <= 2.0.0alpha4-1
Provides: dhcpv6 = 2.0.0alpha4-2
%description %description
DHCP (Dynamic Host Configuration Protocol) is a protocol which allows DHCP (Dynamic Host Configuration Protocol) is a protocol which allows
@ -108,10 +109,13 @@ Requires: initscripts
Requires(post): coreutils Requires(post): coreutils
Requires(post): grep Requires(post): grep
Obsoletes: dhcpcd <= 1.3.22pl1-7 Obsoletes: dhcpcd <= 1.3.22pl1-7
Obsoletes: libdhcp4client Provides: dhcpcd = 1.3.22pl1-8
Obsoletes: libdhcp Obsoletes: libdhcp4client <= 12:4.0.0-34
Obsoletes: dhcpv6-client Provides: libdhcp4client = 12:4.0.0-35
Provides: dhcpcd = 1.3.22pl1-8 Obsoletes: libdhcp <= 1.99.8-1
Provides: libdhcp = 1.99.8-2
Obsoletes: dhcpv6-client <= 2.0.0alpha4-1
Provides: dhcpv6-client = 2.0.0alpha4-2
%description -n dhclient %description -n dhclient
DHCP (Dynamic Host Configuration Protocol) is a protocol which allows DHCP (Dynamic Host Configuration Protocol) is a protocol which allows
@ -135,8 +139,10 @@ This package contains shared libraries used by ISC dhcp client and server
%package devel %package devel
Summary: Development headers and libraries for interfacing to the DHCP server Summary: Development headers and libraries for interfacing to the DHCP server
Group: Development/Libraries Group: Development/Libraries
Obsoletes: libdhcp4client-devel Obsoletes: libdhcp4client-devel <= 12:4.0.0-34
Obsoletes: libdhcp-devel Provides: libdhcp4client-devel = 12:4.0.0-35
Obsoletes: libdhcp-devel <= 1.99.8-1
Provides: libdhcp-devel = 1.99.8-2
Requires: %{name}-libs = %{epoch}:%{version}-%{release} Requires: %{name}-libs = %{epoch}:%{version}-%{release}
%description devel %description devel
@ -217,7 +223,7 @@ rm bind/bind.tar.gz
# (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #19867]) # (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #19867])
%patch18 -p1 -b .dracut %patch18 -p1 -b .dracut
# Ensure 64-bit platforms parse lease file dates & times correctly (#448615) # Ensure 64-bit platforms parse lease file dates & times correctly (#448615, #628258)
# (Partly submitted to dhcp-bugs@isc.org - [ISC-Bugs #22033]) # (Partly submitted to dhcp-bugs@isc.org - [ISC-Bugs #22033])
%patch19 -p1 -b .64-bit_lease_parse %patch19 -p1 -b .64-bit_lease_parse
@ -264,16 +270,18 @@ rm bind/bind.tar.gz
# check whether there is any unexpired address in previous lease # check whether there is any unexpired address in previous lease
# prior to confirming (INIT-REBOOT) the lease (#585418) # prior to confirming (INIT-REBOOT) the lease (#585418)
# (Submitted to dhcp-suggest@isc.org - [ISC-Bugs #22675])
%patch30 -p1 -b .honor-expired %patch30 -p1 -b .honor-expired
# 1) When server has empty pool of addresses/prefixes it must send Advertise with # 1) When server has empty pool of addresses/prefixes it must send Advertise with
# NoAddrsAvail/NoPrefixAvail status in response to clients Solicit. # NoAddrsAvail/NoPrefixAvail status in response to clients Solicit.
# Without this patch server having empty pool of addresses/prefixes ignored # Without this patch server having empty pool of addresses/prefixes was ignoring
# client's' Solicit when client was also sending address in IA_NA or prefix in IA_PD as a preference. # client's' Solicit when client was also sending address in IA_NA or prefix in IA_PD as a preference.
# 2) When client sends prefix in IA_NA as a preference and server doesn't have # 2) When client sends prefix in IA_PD as a preference and server doesn't have
# this prefix in any pool the server should offer other free prefix. # this prefix in any pool the server should offer other free prefix.
# Without this patch server ignored client's Solicit in which the client was sending # Without this patch server ignored client's Solicit in which the client was sending
# prefix in IA_PD (as a preference) and this prefix was not in any of server's pools. # prefix in IA_PD (as a preference) and this prefix was not in any of server's pools.
# (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #22676])
%patch31 -p1 -b .noprefixavail %patch31 -p1 -b .noprefixavail
%patch32 -p1 -b .rh637017 %patch32 -p1 -b .rh637017
@ -561,9 +569,9 @@ fi
%{_initddir}/dhcpd %{_initddir}/dhcpd
%{_initddir}/dhcpd6 %{_initddir}/dhcpd6
%{_initddir}/dhcrelay %{_initddir}/dhcrelay
%attr(0644,root,root) /lib/systemd/system/dhcpd.service %attr(0644,root,root) /lib/systemd/system/dhcpd.service
%attr(0644,root,root) /lib/systemd/system/dhcpd6.service %attr(0644,root,root) /lib/systemd/system/dhcpd6.service
%attr(0644,root,root) /lib/systemd/system/dhcrelay.service %attr(0644,root,root) /lib/systemd/system/dhcrelay.service
%{_bindir}/omshell %{_bindir}/omshell
%{_sbindir}/dhcpd %{_sbindir}/dhcpd
%{_sbindir}/dhcrelay %{_sbindir}/dhcrelay
@ -611,6 +619,11 @@ fi
%attr(0644,root,root) %{_mandir}/man3/omapi.3.gz %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz
%changelog %changelog
* Mon Dec 13 2010 Jiri Popelka <jpopelka@redhat.com> - 12:4.2.0-22.P2
- 4.2.0-P2: fix for CVE-2010-3616 (#662326)
- Use upstream fix for #628258
- Provide versioned symbols for rpmlint
* Tue Dec 07 2010 Jiri Popelka <jpopelka@redhat.com> - 12:4.2.0-21.P1 * Tue Dec 07 2010 Jiri Popelka <jpopelka@redhat.com> - 12:4.2.0-21.P1
- Porting dhcpd/dhcpd6/dhcrelay services from SysV to Systemd - Porting dhcpd/dhcpd6/dhcrelay services from SysV to Systemd

View File

@ -1 +1 @@
1c268a2368b2565252b5f9d7255d3c72 dhcp-4.2.0-P1.tar.gz a98f4ce3ca651e7e28a5a1ae6398689e dhcp-4.2.0-P2.tar.gz