From a85ba17c6a2d73e5205431dc12b1506bc64816ae Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 12 2018 17:29:49 +0000
Subject: import dhcp-4.2.5-58.el7_4.3
---
diff --git a/SOURCES/dhcp-4.2.5-centos-branding.patch b/SOURCES/dhcp-4.2.5-centos-branding.patch
deleted file mode 100644
index f3e7113..0000000
--- a/SOURCES/dhcp-4.2.5-centos-branding.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -uNrp dhcp-4.1.1-P1.orig/omapip/errwarn.c dhcp-4.1.1-P1/omapip/errwarn.c
---- dhcp-4.1.1-P1.orig/omapip/errwarn.c 2012-08-15 14:04:33.149141000 +0000
-+++ dhcp-4.1.1-P1/omapip/errwarn.c 2012-08-15 14:13:05.582416057 +0000
-@@ -81,8 +81,8 @@ void log_fatal (const char * fmt, ... )
- log_error ("have been made to the base software release in order to make");
- log_error ("it work better with this distribution.");
- log_error ("%s", "");
-- log_error ("Please report for this software via the Red Hat Bugzilla site:");
-- log_error (" http://bugzilla.redhat.com");
-+ log_error ("Please report for this software via the CentOS Bugs Database:");
-+ log_error (" http://bugs.centos.org/");
- log_error ("%s", "");
- log_error ("exiting.");
- #endif
diff --git a/SOURCES/dhcp-4.2.5-options_overflow.patch b/SOURCES/dhcp-4.2.5-options_overflow.patch
new file mode 100644
index 0000000..a51c0cc
--- /dev/null
+++ b/SOURCES/dhcp-4.2.5-options_overflow.patch
@@ -0,0 +1,41 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..8a1deca 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -1672,7 +1672,8 @@ format_min_length(format, oc)
+
+
+ /* Format the specified option so that a human can easily read it. */
+-
++/* Maximum pretty printed size */
++#define MAX_OUTPUT_SIZE 32*1024
+ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ struct option *option;
+ const unsigned char *data;
+@@ -1680,8 +1681,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ int emit_commas;
+ int emit_quotes;
+ {
+- static char optbuf [32768]; /* XXX */
+- static char *endbuf = &optbuf[sizeof(optbuf)];
++ /* We add 128 byte pad so we don't have to add checks everywhere. */
++ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
++ static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
+ int hunksize = 0;
+ int opthunk = 0;
+ int hunkinc = 0;
+@@ -2132,7 +2134,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ log_error ("Unexpected format code %c",
+ fmtbuf [j]);
+ }
++
+ op += strlen (op);
++ if (op >= endbuf) {
++ log_error ("Option data exceeds"
++ " maximum size %d", MAX_OUTPUT_SIZE);
++ return ("");
++ }
++
+ if (dp == data + len)
+ break;
+ if (j + 1 < numelem && comma != ':')
diff --git a/SOURCES/dhcp-4.2.5-reference_count_overflow.patch b/SOURCES/dhcp-4.2.5-reference_count_overflow.patch
new file mode 100644
index 0000000..c6c94cd
--- /dev/null
+++ b/SOURCES/dhcp-4.2.5-reference_count_overflow.patch
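Review bot: The new `op >= endbuf` test in the inner hunk at `@@ -2132` runs only after an element has already been written and `op += strlen (op)` has advanced, so memory safety rests on no single format element emitting more than the 128 pad bytes past `endbuf` between checks. None of the writers are visible in these hunks, so that bound needs confirming for every format code and should be stated next to the buffer, e.g. `/* Invariant: one formatted element never writes more than 128 bytes; op is checked against endbuf after each element. */`. The macro should also be parenthesized, `#define MAX_OUTPUT_SIZE (32*1024)`, so it stays correct if it is ever used beside a higher-precedence operator. Returning `""` makes an oversized option indistinguishable from an empty one for callers, which is worth a line in the function comment. pretty_print_option's body begins and ends outside all three inner hunks.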
@@ -0,0 +1,13 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..a58c5fc 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -189,6 +189,8 @@ int parse_option_buffer (options, buffer, length, universe)
+
+ /* If the length is outrageous, the options are bad. */
+ if (offset + len > length) {
++ /* Avoid reference count overflow */
++ option_dereference(&option, MDL);
+ reason = "option length exceeds option buffer length";
+ bogus:
+ log_error("parse_option_buffer: malformed option "
diff --git a/SPECS/dhcp.spec b/SPECS/dhcp.spec
index 1eb0b9d..5214dfa 100644
--- a/SPECS/dhcp.spec
+++ b/SPECS/dhcp.spec
@@ -18,7 +18,7 @@ Summary: Dynamic host configuration protocol software
 Name: dhcp
 Version: 4.2.5
-Release: 58%{?dist}.1
+Release: 58%{?dist}.3
 # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now. It should have never been used, but it was.
@@ -98,7 +98,10 @@ Patch62: dhcp-max-fd-value.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1355827
 Patch63: dhcp-4.2.5-rh1355827.patch
 Patch64: dhcp-4.2.5-reap_orphan_sockets.patch
-Patch65: dhcp-4.2.5-centos-branding.patch
+# CVE-2018-5732
+Patch65: dhcp-4.2.5-options_overflow.patch
+# CVE-2018-5733
+Patch66: dhcp-4.2.5-reference_count_overflow.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -410,7 +413,9 @@ rm -rf includes/isc-dhcp
 %patch63 -p1
 %patch64 -p1 -b .omapi_sd_leak
-%patch65 -p1
+
+%patch65 -p1 -b .options_overflow
+%patch66 -p1 -b .reference_overflow
 # Update paths in all man pages
 for page in client/dhclient.conf.5 client/dhclient.leases.5 \
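Review bot: The added `option_dereference(&option, MDL);` in the new reference_count_overflow.patch sits above the shared `bogus:` label, so only the "option length exceeds option buffer length" path releases the reference. Any other `goto bogus` in parse_option_buffer that is reached while `option` is held would still leak a count; those sites are outside this hunk and need checking. It is also not visible whether `option` can be NULL at this point (for example after a lookup that found nothing); if it can, guard the call as `if (option != NULL) option_dereference(&option, MDL);` unless option_dereference is known to accept a NULL target quietly. The comment could name what is released, e.g. `/* Release the reference held on option before bailing out, so malformed input cannot keep incrementing its refcount. */`.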
@@ -692,8 +697,11 @@ done
 %changelog
-* Thu Jan 25 2018 CentOS Sources - 4.2.5-58.el7.centos.1
-- Roll in CentOS Branding
+* Wed Feb 28 2018 Pavel Zhukov - 12:4.2.5-68
+- Resolves: #1550000 - CVE-2018-5733 Avoid buffer overflow reference counter
+
+* Wed Feb 28 2018 Pavel Zhukov - 12:4.2.5-58.2
+- Resolves: #1549979 - CVE-2018-5732 Avoid buffer overflow in options parser
 * Wed Dec 13 2017 Pavel Zhukov - 12:4.2.5-58.1
 - Resolves: #1523475 - Fix omapi socket descriptors leak