From aa511ca27f0afbea355e89135a998bcbc6f4a527 Mon Sep 17 00:00:00 2001 From: Jiri Popelka Date: Wed, 23 Dec 2015 12:12:27 +0100 Subject: [PATCH 1/2] CVE-2015-8373 --- kea-CVE-2015-8373.patch | 185 ++++++++++++++++++++++++++++++++++++++++ kea.spec | 7 +- 2 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 kea-CVE-2015-8373.patch diff --git a/kea-CVE-2015-8373.patch b/kea-CVE-2015-8373.patch new file mode 100644 index 0000000..0ea3597 --- /dev/null +++ b/kea-CVE-2015-8373.patch 
@@ -0,0 +1,185 @@
+diff --git a/src/bin/dhcp4/dhcp4_messages.mes b/src/bin/dhcp4/dhcp4_messages.mes
+index f8e471b..fc992a0 100644
+--- a/src/bin/dhcp4/dhcp4_messages.mes
++++ b/src/bin/dhcp4/dhcp4_messages.mes
+@@ -429,6 +429,11 @@ This error message is issued when preparing an on-wire format of the packet
+ has failed. The first argument identifies the client and the DHCP transaction.
+ The second argument includes the error string.
+
++% DHCP4_PACKET_PROCESS_EXCEPTION exception occurred during packet processing: %1
++This error message indicates that an exception was raised during packet processing
++that was not caught by other, more specific exception handlers. This packet will
++be dropped and the server will continue operation.
++
+ % DHCP4_PACKET_RECEIVED %1: %2 (type %3) received from %4 to %5 on interface %6
+ A debug message noting that the server has received the specified type of
+ packet on the specified interface. The first argument specifies the
+diff --git a/src/bin/dhcp4/dhcp4_srv.cc b/src/bin/dhcp4/dhcp4_srv.cc
+index 6ade319..1bdfc9a 100644
+--- a/src/bin/dhcp4/dhcp4_srv.cc
++++ b/src/bin/dhcp4/dhcp4_srv.cc
+@@ -358,6 +358,8 @@ Dhcpv4Srv::run() {
+ Pkt4Ptr rsp;
+
+ try {
++
++ try {
+ // The lease database backend may install some timers for which
+ // the handlers need to be executed periodically. Retrieve the
+ // maximum interval at which the handlers must be executed from
+@@ -716,6 +718,20 @@ Dhcpv4Srv::run() {
+ .arg(rsp->getLabel())
+ .arg(e.what());
+ }
++
++ } catch (const std::exception& e) {
++ // General catch-all exception that are not caught by more specific
++ // catches. This one is for exceptions derived from std::exception.
++ LOG_ERROR(packet4_logger, DHCP4_PACKET_PROCESS_EXCEPTION)
++ .arg(e.what());
++ } catch (...) {
++ // General catch-all exception that are not caught by more specific
++ // catches. This one is for other exceptions, not derived from
++ // std::exception.
++ LOG_ERROR(packet4_logger, DHCP4_PACKET_PROCESS_EXCEPTION)
++ .arg("an unknown exception not derived from std::exception");
++ }
++
+ }
+
+ return (true);
+diff --git a/src/bin/dhcp6/dhcp6_messages.mes b/src/bin/dhcp6/dhcp6_messages.mes
+index 5b62bb7..9b84797 100644
+--- a/src/bin/dhcp6/dhcp6_messages.mes
++++ b/src/bin/dhcp6/dhcp6_messages.mes
+@@ -413,6 +413,11 @@ This is a general catch-all message indicating that the processing of the
+ specified packet type from the indicated address failed. The reason is given in the
+ message. The server will not send a response but will instead ignore the packet.
+
++% DHCP6_PACKET_PROCESS_EXCEPTION exception occurred during packet processing: %1
++This error message indicates that an exception was raised during packet processing
++that was not caught by other, more specific exception handlers. This packet will
++be dropped and the server will continue operation.
++
+ % DHCP6_PACKET_RECEIVED %1: %2 (type %3) received from %4 to %5 on interface %6
+ A debug message noting that the server has received the specified type of
+ packet on the specified interface. The first argument specifies the
+diff --git a/src/bin/dhcp6/dhcp6_srv.cc b/src/bin/dhcp6/dhcp6_srv.cc
+index 9f29e9d..33f54a0 100644
+--- a/src/bin/dhcp6/dhcp6_srv.cc
++++ b/src/bin/dhcp6/dhcp6_srv.cc
+@@ -315,6 +315,8 @@ bool Dhcpv6Srv::run() {
+ Pkt6Ptr rsp;
+
+ try {
++
++ try {
+ // The lease database backend may install some timers for which
+ // the handlers need to be executed periodically. Retrieve the
+ // maximum interval at which the handlers must be executed from
+@@ -710,6 +712,13 @@ bool Dhcpv6Srv::run() {
+ .arg(e.what());
+ }
+ }
++
++ } catch (const std::exception& e) {
++ // General catch-all exception that are not caught by more specific
++ // catches.
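Review bot: Both handlers added at the end of the `Dhcpv4Srv::run()` loop log only `e.what()` (or a fixed string), so a `DHCP4_PACKET_PROCESS_EXCEPTION` line does not say which client or transaction the dropped packet belonged to. Every packet that reaches these handlers writes one ERROR line, and an operator looking at a burst of them has nothing to correlate against the sender. If `query` is still in scope at this point (its declaration is outside the hunk), consider adding a second placeholder to the message and passing `query ? query->getLabel() : "(no packet)"`; the pkt4.cc part of this patch hardens `getLabel()` against throwing. The new `try {` is also added without re-indenting the body it wraps, so a short comment on it such as `// outer guard: drop the packet on any exception not handled below` would help the next reader.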
++ LOG_ERROR(packet6_logger, DHCP6_PACKET_PROCESS_EXCEPTION)
++ .arg(e.what());
++ }
+ }
+
+ return (true);
+diff --git a/src/lib/dhcp/pkt4.cc b/src/lib/dhcp/pkt4.cc
+index 44a96ca..2a82969 100644
+--- a/src/lib/dhcp/pkt4.cc
++++ b/src/lib/dhcp/pkt4.cc
+@@ -343,15 +343,31 @@ std::string
+ Pkt4::getLabel() const {
+
+ /// @todo If and when client id is extracted into Pkt4, this method should
+- /// the instance member rather than fetch it every time.
++ /// use the instance member rather than fetch it every time.
++ std::string suffix;
+ ClientIdPtr client_id;
+ OptionPtr client_opt = getOption(DHO_DHCP_CLIENT_IDENTIFIER);
+- if (client_opt ) {
+- client_id = ClientIdPtr(new ClientId(client_opt->getData()));
++ if (client_opt) {
++ try {
++ client_id = ClientIdPtr(new ClientId(client_opt->getData()));
++ } catch (...) {
++ // ClientId may throw if the client-id is too short.
++ suffix = " (malformed client-id)";
++ }
+ }
+
+- return makeLabel(hwaddr_, client_id, transid_);
+-
++ std::ostringstream label;
++ try {
++ label << makeLabel(hwaddr_, client_id, transid_);
++ } catch (...) {
++ // This should not happen with the current code, but we may add extra
++ // sanity checks in the future that would possibly throw if
++ // the hwaddr length is 0.
++ label << " (malformed hw address)";
++ }
++
++ label << suffix;
++ return (label.str());
+ }
+
+ std::string
+diff --git a/src/lib/dhcp/pkt4.h b/src/lib/dhcp/pkt4.h
+index 549be78..12af2cf 100644
+--- a/src/lib/dhcp/pkt4.h
++++ b/src/lib/dhcp/pkt4.h
+@@ -103,6 +103,8 @@ public:
+ /// wrapper around static makeLabel(). See this method for string
+ /// content.
+ ///
++ /// This method is exception safe.
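Review bot: The DHCPv6 loop gets only a `catch (const std::exception& e)` handler, whereas the matching dhcp4_srv.cc hunk in this patch also adds `catch (...)`. An exception not derived from `std::exception` raised during DHCPv6 packet processing would therefore still leave the new try block and, unless a handler outside this hunk covers it, end `Dhcpv6Srv::run()`. For parity, add `} catch (...) { LOG_ERROR(packet6_logger, DHCP6_PACKET_PROCESS_EXCEPTION).arg("an unknown exception not derived from std::exception"); }` after the existing handler. The body of `run()` starts and ends outside the hunk.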
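Review bot: In `Pkt4::getLabel()` the `catch (...)` around `new ClientId(...)` reports every failure as " (malformed client-id)", including ones unrelated to the packet contents. Catching the specific exception type the `ClientId` constructor raises (declared outside this page) would keep the label truthful. In the second handler the label is reduced to " (malformed hw address)" with no transaction id, so the log line can no longer be tied to a packet; appending `transid_` in that branch would preserve it. The pkt4.h wording "This method is exception safe" is broader than what the code guarantees, since the string and stream operations can still throw; something like `/// Malformed client-id or hardware address data is reported in the label text instead of being thrown.` states the actual contract.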
++ /// + /// @return string with text representation + std::string getLabel() const; + +diff --git a/src/lib/dhcp/pkt6.cc b/src/lib/dhcp/pkt6.cc +index 7881672..d0fd5e5 100644 +--- a/src/lib/dhcp/pkt6.cc ++++ b/src/lib/dhcp/pkt6.cc +@@ -544,7 +544,18 @@ Pkt6::toText() const { + DuidPtr + Pkt6::getClientId() const { + OptionPtr opt_duid = getOption(D6O_CLIENTID); +- return (opt_duid ? DuidPtr(new DUID(opt_duid->getData())) : DuidPtr()); ++ try { ++ // This will throw if the DUID length is larger than 128 bytes ++ // or is too short. ++ return (opt_duid ? DuidPtr(new DUID(opt_duid->getData())) : DuidPtr()); ++ } catch (...) { ++ // Do nothing. This method is used only by getLabel(), which is ++ // used for logging purposes. We should not throw, but rather ++ // report no DUID. We should not log anything, as we're in the ++ // process of logging something for this packet. So the only ++ // choice left is to return an empty pointer. ++ } ++ return (DuidPtr()); + } + + isc::dhcp::OptionCollection +diff --git a/src/lib/dhcp/pkt6.h b/src/lib/dhcp/pkt6.h +index febb92d..3228dad 100644 +--- a/src/lib/dhcp/pkt6.h ++++ b/src/lib/dhcp/pkt6.h +@@ -217,6 +217,8 @@ public: + + /// @brief Retrieves the DUID from the Client Identifier option. + /// ++ /// This method is exception safe. ++ /// + /// @return Pointer to the DUID or NULL if the option doesn't exist. + DuidPtr getClientId() const; + + diff --git a/kea.spec b/kea.spec index 81d6a15..01fdd60 100644 --- a/kea.spec +++ b/kea.spec @@ -11,13 +11,14 @@ Summary: DHCPv4, DHCPv6 and DDNS server from ISC Name: kea Version: 0.9.2 -Release: 1%{?dist} +Release: 2%{?dist} License: ISC and Boost URL: http://kea.isc.org Source0: http://ftp.isc.org/isc/kea/%{VERSION}/kea-%{VERSION}.tar.gz # http://kea.isc.org/ticket/3529 Patch0: kea-systemd.patch +Patch1: kea-CVE-2015-8373.patch # autoreconf BuildRequires: autoconf automake libtool 
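Review bot: After this change `Pkt6::getClientId()` returns an empty pointer both when the client-id option is absent and when it holds a malformed DUID, and callers cannot tell the two apart. The new comment says the method is used only by `getLabel()`, but it is a public accessor, so any other caller that treats "no DUID" as a valid state would silently accept a malformed one; that assumption should be verified against the call sites, which are not visible here. The pkt6.h `@return` text still says NULL only "if the option doesn't exist"; update it to `/// @return Pointer to the DUID, or NULL if the option doesn't exist or contains a malformed DUID.` so the header matches the new behaviour.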
@@ -73,6 +74,7 @@ Header files and API documentation. %setup -q -n kea-%{VERSION} %patch0 -p1 -b .systemd +%patch1 -p1 -b .CVE-2015-8373 # install leases db in /var/lib/kea/ not /var/kea/ # http://kea.isc.org/ticket/3523 @@ -229,6 +231,9 @@ EOF %{_libdir}/pkgconfig/dns++.pc %changelog +* Wed Dec 23 2015 Jiri Popelka - 0.9.2-2 +- CVE-2015-8373 + * Tue Jul 28 2015 Jiri Popelka - 0.9.2-1 - 0.9.2 From 1b5362b284b2b4354e68bac767f5bcddf3c1f103 Mon Sep 17 00:00:00 2001 From: Jiri Popelka Date: Wed, 30 Dec 2015 00:23:15 +0100 Subject: [PATCH 2/2] 1.0.0 --- .gitignore | 1 + kea.spec | 39 ++++++++++++++++++++------------------- sources | 2 +- 3 files changed, 22 insertions(+), 20 deletions(-) diff --git a/.gitignore b/.gitignore index dab1a79..1d05233 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /kea-0.9.1.tar.gz /kea-0.9.2-beta.tar.gz /kea-0.9.2.tar.gz +/kea-1.0.0.tar.gz diff --git a/kea.spec b/kea.spec index 4833691..f550db7 100644 --- a/kea.spec +++ b/kea.spec @@ -3,22 +3,20 @@ %global prever beta -#%%global VERSION %{version}-%{patchver} -#%%global VERSION %{version}-%{prever} +#%%global VERSION %%{version}-%%{patchver} +#%%global VERSION %%{version}-%%{prever} %global VERSION %{version} - Summary: DHCPv4, DHCPv6 and DDNS server from ISC Name: kea -Version: 0.9.2 -Release: 4%{?dist} -License: ISC and Boost +Version: 1.0.0 +Release: 1%{?dist} +License: MPLv2.0 and Boost URL: http://kea.isc.org Source0: http://ftp.isc.org/isc/kea/%{VERSION}/kea-%{VERSION}.tar.gz # http://kea.isc.org/ticket/3529 Patch0: kea-systemd.patch -Patch1: kea-CVE-2015-8373.patch # autoreconf BuildRequires: autoconf automake libtool @@ -74,7 +72,6 @@ Header files and API documentation. %setup -q -n kea-%{VERSION} %patch0 -p1 -b .systemd -%patch1 -p1 -b .CVE-2015-8373 # install leases db in /var/lib/kea/ not /var/kea/ # http://kea.isc.org/ticket/3523 
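Review bot: The second patch drops `Patch1: kea-CVE-2015-8373.patch` and its `%patch1` line, but neither the commit subject ("1.0.0") nor the changelog entry it adds says that the 1.0.0 tarball already contains the fix. Someone auditing the package history for CVE-2015-8373 would see the patch disappear with no stated reason. Once that is confirmed against the upstream release notes, record it in the changelog, for example `- drop kea-CVE-2015-8373.patch (fixed upstream in 1.0.0)`.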
@@ -92,6 +89,7 @@ autoreconf --verbose --force --install --enable-systemd \ --with-dhcp-mysql \ --with-dhcp-pgsql \ + --with-gnu-ld \ --with-gtest \ --with-log4cplus \ --with-openssl @@ -113,7 +111,7 @@ mkdir -p %{buildroot}%{_sharedstatedir}/kea/ touch %{buildroot}%{_sharedstatedir}/kea/kea-leases4.csv touch %{buildroot}%{_sharedstatedir}/kea/kea-leases6.csv -install -p -m 644 ext/LICENSE_1_0.txt %{buildroot}%{_defaultdocdir}/kea/ +rm -f %{buildroot}%{_defaultdocdir}/kea/COPYING mkdir -p %{buildroot}/run install -d -m 0755 %{buildroot}/run/kea/ @@ -153,7 +151,7 @@ EOF %{_sbindir}/kea-lfc %{_sbindir}/keactrl %{_sbindir}/perfdhcp -%{_bindir}/message +%{_bindir}/kea-msg-compiler %{_unitdir}/kea-dhcp4.service %{_unitdir}/kea-dhcp6.service %{_unitdir}/kea-dhcp-ddns.service @@ -161,17 +159,12 @@ EOF %config(noreplace) %{_sysconfdir}/kea/kea.conf %config(noreplace) %{_sysconfdir}/kea/keactrl.conf %dir %{_datarootdir}/kea/ -%dir %{_datarootdir}/kea/scripts/ -%dir %{_datarootdir}/kea/scripts/mysql/ -%dir %{_datarootdir}/kea/scripts/pgsql/ +%{_datarootdir}/kea/scripts %dir /run/kea/ %{_tmpfilesdir}/kea.conf %{_datarootdir}/kea/dhcp-ddns.spec %{_datarootdir}/kea/dhcp4.spec %{_datarootdir}/kea/dhcp6.spec -%{_datarootdir}/kea/scripts/admin-utils.sh -%{_datarootdir}/kea/scripts/mysql -%{_datarootdir}/kea/scripts/pgsql %dir %{_sharedstatedir}/kea %config(noreplace) %{_sharedstatedir}/kea/kea-leases4.csv %config(noreplace) %{_sharedstatedir}/kea/kea-leases6.csv @@ -180,6 +173,7 @@ EOF %{_defaultdocdir}/kea/README %{_defaultdocdir}/kea/examples %{_defaultdocdir}/kea/kea-guide.* +%{_defaultdocdir}/kea/kea-logo-100x70.png %{_defaultdocdir}/kea/kea-messages.html %{_mandir}/man8/kea-admin.8.gz %{_mandir}/man8/kea-dhcp-ddns.8.gz 
@@ -190,9 +184,11 @@ EOF %{_mandir}/man8/perfdhcp.8.gz %files libs -%dir %{_defaultdocdir}/kea/ -%{_defaultdocdir}/kea/COPYING -%{_defaultdocdir}/kea/LICENSE_1_0.txt +#%%dir %%{_defaultdocdir}/kea/ +#%%{_defaultdocdir}/kea/COPYING +#%%{_defaultdocdir}/kea/LICENSE_1_0.txt +%license COPYING +%license ext/coroutine/LICENSE_1_0.txt %{_libdir}/libkea-asiodns.so.* %{_libdir}/libkea-asiolink.so.* %{_libdir}/libkea-cc.so.* @@ -202,6 +198,7 @@ EOF %{_libdir}/libkea-dhcp_ddns.so.* %{_libdir}/libkea-dhcpsrv.so.* %{_libdir}/libkea-dns++.so.* +%{_libdir}/libkea-eval.so.* %{_libdir}/libkea-exceptions.so.* %{_libdir}/libkea-hooks.so.* %{_libdir}/libkea-log.so.* @@ -221,6 +218,7 @@ EOF %{_libdir}/libkea-dhcp_ddns.so %{_libdir}/libkea-dhcpsrv.so %{_libdir}/libkea-dns++.so +%{_libdir}/libkea-eval.so %{_libdir}/libkea-exceptions.so %{_libdir}/libkea-hooks.so %{_libdir}/libkea-log.so @@ -231,6 +229,9 @@ EOF %{_libdir}/pkgconfig/dns++.pc %changelog +* Tue Dec 29 2015 Jiri Popelka - 1.0.0-1 +- 1.0.0 + * Wed Dec 23 2015 Jiri Popelka - 0.9.2-4 - CVE-2015-8373 diff --git a/sources b/sources index 613d78d..a68dcf0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -6d5929e284c642a210b4bc8a18f48c54 kea-0.9.2.tar.gz +d53bc47ecbbfb2e25267b63c456519c4 kea-1.0.0.tar.gz