From f4eb8150197404342d331d61ab517ae524f92f96 Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Wed, 25 Jul 2012 16:19:41 +0200
Subject: [PATCH] Dhclient does not correctly parse zero-length options in dhclient6.leases (#633318)
---
...-dhclient6-leases_semicolon_expected.patch | 41 +++++++++++++++++++
dhcp.spec | 10 ++++-
2 files changed, 50 insertions(+), 1 deletion(-)
create mode 100644 dhcp-4.2.4-P1-dhclient6-leases_semicolon_expected.patch
diff --git a/dhcp-4.2.4-P1-dhclient6-leases_semicolon_expected.patch b/dhcp-4.2.4-P1-dhclient6-leases_semicolon_expected.patch
new file mode 100644
index 0000000..c18380d
--- /dev/null
+++ b/dhcp-4.2.4-P1-dhclient6-leases_semicolon_expected.patch
@@ -0,0 +1,41 @@
+diff -up dhcp-4.2.4-P1/client/dhclient.c.dhclient6-leases_semicolon dhcp-4.2.4-P1/client/dhclient.c
+--- dhcp-4.2.4-P1/client/dhclient.c.dhclient6-leases_semicolon 2012-07-25 15:20:22.187164614 +0200
++++ dhcp-4.2.4-P1/client/dhclient.c 2012-07-25 15:20:26.648152028 +0200
+@@ -3236,10 +3236,21 @@ void write_lease_option (struct option_c
+ }
+ if (evaluate_option_cache (&ds, packet, lease, client_state,
+ in_options, cfg_options, scope, oc, MDL)) {
+- fprintf(leaseFile, "%soption %s%s%s %s;\n", preamble,
+- name, dot, oc->option->name,
+- pretty_print_option(oc->option, ds.data, ds.len,
+- 1, 1));
++ /* The option name */
++ fprintf(leaseFile, "%soption %s%s%s", preamble,
++ name, dot, oc->option->name);
++
++ /* The option value if there is one */
++ if ((oc->option->format == NULL) ||
++ (oc->option->format[0] != 'Z')) {
++ fprintf(leaseFile, " %s",
++ pretty_print_option(oc->option, ds.data,
++ ds.len, 1, 1));
++ }
++
++ /* The closing semi-colon and newline */
++ fprintf(leaseFile, ";\n");
++
+ data_string_forget (&ds, MDL);
+ }
+ }
+diff -up dhcp-4.2.4-P1/common/parse.c.dhclient6-leases_semicolon dhcp-4.2.4-P1/common/parse.c
+--- dhcp-4.2.4-P1/common/parse.c.dhclient6-leases_semicolon 2012-07-25 15:10:39.683557386 +0200
++++ dhcp-4.2.4-P1/common/parse.c 2012-07-25 15:16:50.826762985 +0200
+@@ -5772,7 +5772,7 @@ int parse_option_decl (oc, cfile)
+ goto alloc;
+
+ case 'Z': /* Zero-length option */
+- token = next_token(&val, (unsigned *)0, cfile);
++ token = peek_token(&val, (unsigned *)0, cfile);
+ if (token != SEMI) {
+ parse_warn(cfile,
+ "semicolon expected.");
diff --git a/dhcp.spec b/dhcp.spec
index d4aab71..138f60f 100644
--- a/dhcp.spec
+++ b/dhcp.spec
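Review bot: Nothing visible in the parse.c hunk shows where the `;` is consumed now that `case 'Z'` in parse_option_decl only peeks at it. The function continues outside the hunk, so this should be confirmed against the code after the switch and recorded with a comment such as `/* peek only: the terminating ';' is consumed after the switch */`. On the writer side, write_lease_option suppresses the value only when `oc->option->format[0] == 'Z'`, whereas the parser treats `'Z'` as one case among its format characters. The two stay in step only if a zero-length format is always the single character `Z`, an assumption worth stating next to the check. The lease entry is also now emitted by three unchecked `fprintf` calls instead of one, so a failed write could leave an unterminated `option` line in a file that is parsed again at the next start; checking the return values, or formatting the line once and writing it in one call, would keep a partial entry from reaching the parser.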
@@ -18,7 +18,7 @@ Summary: Dynamic host configuration protocol software Name: dhcp Version: 4.2.4 -Release: 7.%{patchver}%{?dist} +Release: 8.%{patchver}%{?dist} # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # dcantrell maintaining the package) made incorrect use of the epoch and # that's why it is at 12 now. It should have never been used, but it was. @@ -74,6 +74,7 @@ Patch39: dhcp-4.2.4-getifaddrs.patch Patch40: dhcp-4.2.4-send_release.patch Patch41: dhcp-4.2.3-P2-rfc5970-dhcpv6-options-for-network-boot.patch Patch42: dhcp-4.2.4-failOverPeer.patch +Patch43: dhcp-4.2.4-P1-dhclient6-leases_semicolon_expected.patch BuildRequires: autoconf BuildRequires: automake @@ -304,6 +305,9 @@ rm bind/bind.tar.gz # Dhcpd does not correctly follow DhcpFailOverPeerDN (#838400) %patch42 -p1 -b .failOverPeer +# Dhclient does not correctly parse zero-length options in dhclient6.leases (#633318) +%patch43 -p1 -b .dhclient6-leases_semicolon + pushd contrib %{__chmod} -x 3.0b1-lease-convert dhclient-tz-exithook.sh ldap/dhcpd-conf-to-ldap %{__chmod} -x sethostname.sh solaris.init @@ -571,6 +575,10 @@ fi %changelog +* Wed Jul 25 2012 Tomas Hozza - 12:4.2.4-8.P1 +- Dhclient does not correctly parse zero-length options in + dhclient6.leases (#633318) + * Wed Jul 25 2012 Tomas Hozza - 12:4.2.4-7.P1 - 4.2.4-P1: fix for CVE-2012-3570 CVE-2012-3571 and CVE-2012-3954 (#842892)