- Fix for CVE-2009-0692

- Fix for CVE-2009-1892 (#511834)

dhcp-4.1.0-CVE-2009-0692.patch

@@ -0,0 +1,21 @@
+diff -up dhcp-4.1.0/client/dhclient.c.CVE-2009-0692 dhcp-4.1.0/client/dhclient.c
+--- dhcp-4.1.0/client/dhclient.c.CVE-2009-0692	2008-06-11 10:17:10.000000000 -1000
++++ dhcp-4.1.0/client/dhclient.c	2009-08-05 11:32:24.000000000 -1000
+@@ -3054,8 +3054,15 @@ void script_write_params (client, prefix
+ 		if (data.len > 3) {
+ 			struct iaddr netmask, subnet, broadcast;
+ 
+-			memcpy (netmask.iabuf, data.data, data.len);
+-			netmask.len = data.len;
++			/*
++			 * No matter the length of the subnet-mask option,
++			 * use only the first four octets.  Note that
++			 * subnet-mask options longer than 4 octets are not
++			 * in conformance with RFC 2132, but servers with this
++			 * flaw do exist.
++			 */
++			memcpy(netmask.iabuf, data.data, 4);
++			netmask.len = 4;
+ 			data_string_forget (&data, MDL);
+ 
+ 			subnet = subnet_number (lease -> address, netmask);

dhcp-4.1.0-CVE-2009-1892.patch

@@ -0,0 +1,12 @@
+diff -up dhcp-4.1.0/server/dhcp.c.CVE-2009-1892 dhcp-4.1.0/server/dhcp.c
+--- dhcp-4.1.0/server/dhcp.c.CVE-2009-1892	2008-11-03 08:13:58.000000000 -1000
++++ dhcp-4.1.0/server/dhcp.c	2009-08-05 11:34:07.000000000 -1000
+@@ -1755,6 +1755,8 @@ void ack_lease (packet, lease, offer, wh
+ 				host_reference (&host, h, MDL);
+ 		}
+ 		if (!host) {
++			if (hp)
++				host_dereference (&hp, MDL);
+ 			find_hosts_by_haddr (&hp,
+ 					     packet -> raw -> htype,
+ 					     packet -> raw -> chaddr,

dhcp.spec

@@ -10,7 +10,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.1.0
-Release:  26%{?dist}
+Release:  27%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -49,6 +49,8 @@ Patch18:  %{name}-4.1.0-missing-ipv6-not-fatal.patch
 Patch19:  %{name}-4.1.0-IFNAMSIZ.patch
 Patch20:  %{name}-4.1.0-add_timeout_when_NULL.patch
 Patch21:  %{name}-4.1.0-64_bit_lease_parse.patch
+Patch22:  %{name}-4.1.0-CVE-2009-0692.patch
+Patch23:  %{name}-4.1.0-CVE-2009-1892.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf
@@ -203,6 +205,14 @@ libdhcpctl and libomapi static libraries are also included in this package.
 # Ensure 64-bit platforms parse lease file dates & times correctly (#448615)
 %patch21 -p1
 
+# Fix for CVE-2009-0692 (patch from Mandriva SRPM)
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0692
+%patch22 -p1
+
+# Fix for CVE-2009-1892 (patch from Mandriva SRPM)
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1892
+%patch23 -p1
+
 # Copy in documentation and example scripts for LDAP patch to dhcpd
 %{__install} -p -m 0755 ldap-for-dhcp-%{ldappatchver}/dhcpd-conf-to-ldap contrib/
 
@@ -457,6 +467,10 @@ fi
 %attr(0644,root,root) %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Wed Aug 05 2009 David Cantrell <dcantrell@redhat.com> - 12:4.1.0-27
+- Fix for CVE-2009-0692
+- Fix for CVE-2009-1892 (#511834)
+
 * Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 12:4.1.0-26
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild