From b4a831ca1e084a420027718ca1b52c0b0def20fd Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 26 2018 15:29:55 +0000
Subject: import NetworkManager-1.12.0-8.el7_6
---
diff --git a/SOURCES/0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch b/SOURCES/0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch
new file mode 100644
index 0000000..8d67575
--- /dev/null
+++ b/SOURCES/0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch
@@ -0,0 +1,506 @@ +From 0d4220fa98fbbd8aa0944a6ed87122b579716ff5 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Mon, 10 Sep 2018 15:22:28 +0200 +Subject: [PATCH 1/9] systemd/dhcp: fix assertion starting DHCP client without + MAC address + +An assertion in dhcp_network_bind_raw_socket() is triggered when +starting an sd_dhcp_client without setting setting a MAC address +first. + + - sd_dhcp_client_start() + - client_start() + - client_start_delayed() + - dhcp_network_bind_raw_socket() + +In that case, the arp-type and MAC address is still unset. Note that +dhcp_network_bind_raw_socket() already checks for a valid arp-type +and MAC address below, so we should just gracefully return -EINVAL. + +Maybe sd_dhcp_client_start() should fail earlier when starting without +MAC address. But the failure here will be correctly propagated and +the start aborted. + +See-also: https://github.com/systemd/systemd/pull/10054 +(cherry picked from commit 34af574d5810ab2b0d6d354cbc28135cde4a55b1) +(cherry picked from commit 0a797bdc2a592385a21e7ed918c08ef54a346d99) +(cherry picked from commit f37ed84ca495ee212b1e82b9c5a5682c4acfebcd) +--- + src/systemd/src/libsystemd-network/dhcp-network.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/systemd/src/libsystemd-network/dhcp-network.c b/src/systemd/src/libsystemd-network/dhcp-network.c +index 90fe29d04..80e9577cd 100644 +--- a/src/systemd/src/libsystemd-network/dhcp-network.c ++++ b/src/systemd/src/libsystemd-network/dhcp-network.c +@@ -128,8 +128,6 @@ int dhcp_network_bind_raw_socket(int ifindex, union sockaddr_union *link, + const uint8_t *bcast_addr = NULL; + uint8_t dhcp_hlen = 0; + +- assert_return(mac_addr_len > 0, -EINVAL); +- + if (arp_type == ARPHRD_ETHER) { + assert_return(mac_addr_len == ETH_ALEN, -EINVAL); + memcpy(ð_mac, mac_addr, ETH_ALEN); +-- +2.17.1 + + +From ee92f8164c0ecee86cec104240f0bbe155901891 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 30 Sep 2018 20:23:58 +0900 +Subject: [PATCH 2/9] 
dhcp6: check option length before reading values + +Fixes oss-fuzz#10746 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10746. + +https://github.com/systemd/systemd/pull/10213 +https://github.com/systemd/systemd/commit/84452783b8bcc44e0dbb7fa6ddc6dad8c064bdfe +(cherry picked from commit 484e92e17f93aa9658944dc886d420ef32bc625e) +(cherry picked from commit 0cec1cb93edd2efa6bee8e2ec1000d94a86ec61e) +(cherry picked from commit 8b8b248679ee17b5c8e68fb8e8e6f6cd3ec32f03) +--- + src/systemd/src/libsystemd-network/dhcp6-internal.h | 2 +- + src/systemd/src/libsystemd-network/dhcp6-option.c | 11 ++++++----- + src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 2 +- + 3 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/systemd/src/libsystemd-network/dhcp6-internal.h b/src/systemd/src/libsystemd-network/dhcp6-internal.h +index f1cbd6a4f..06e2e5324 100644 +--- a/src/systemd/src/libsystemd-network/dhcp6-internal.h ++++ b/src/systemd/src/libsystemd-network/dhcp6-internal.h +@@ -91,7 +91,7 @@ int dhcp6_option_append_pd(uint8_t *buf, size_t len, DHCP6IA *pd); + int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn); + int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, + size_t *optlen, uint8_t **optvalue); +-int dhcp6_option_parse_status(DHCP6Option *option); ++int dhcp6_option_parse_status(DHCP6Option *option, size_t len); + int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia); + int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen, + struct in6_addr **addrs, size_t count, +diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c +index a8a56463a..e462b7083 100644 +--- a/src/systemd/src/libsystemd-network/dhcp6-option.c ++++ b/src/systemd/src/libsystemd-network/dhcp6-option.c +@@ -249,10 +249,11 @@ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, + return 0; + } + +-int dhcp6_option_parse_status(DHCP6Option 
*option) { ++int dhcp6_option_parse_status(DHCP6Option *option, size_t len) { + DHCP6StatusOption *statusopt = (DHCP6StatusOption *)option; + +- if (be16toh(option->len) + sizeof(DHCP6Option) < sizeof(*statusopt)) ++ if (len < sizeof(DHCP6StatusOption) || ++ be16toh(option->len) + sizeof(DHCP6Option) < sizeof(DHCP6StatusOption)) + return -ENOBUFS; + + return be16toh(statusopt->status); +@@ -279,7 +280,7 @@ static int dhcp6_option_parse_address(DHCP6Option *option, DHCP6IA *ia, + } + + if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*addr_option)) { +- r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options); ++ r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*addr_option)); + if (r != 0) + return r < 0 ? r: 0; + } +@@ -319,7 +320,7 @@ static int dhcp6_option_parse_pdprefix(DHCP6Option *option, DHCP6IA *ia, + } + + if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*pdprefix_option)) { +- r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options); ++ r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*pdprefix_option)); + if (r != 0) + return r < 0 ? 
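Review bot: dhcp6_option_parse_status() in dhcp6-option.c (PATCH 2/9) should document what its new `len` parameter counts and what the return value means, because the call sites added in this patch do not agree on the unit. The nested calls in dhcp6_option_parse_address() and dhcp6_option_parse_pdprefix() pass the bytes remaining after the fixed part of the enclosing option, while the two `SD_DHCP6_OPTION_STATUS_CODE` cases pass `optlen`, which PATCH 6/9 later has to correct. Since the first clause compares `len` with `sizeof(DHCP6StatusOption)`, the intended unit appears to be "bytes available from the start of the option header". Suggested comment above the function: `/* len: bytes available starting at the option header (header included); returns <0 on error, otherwise the status code, which callers treat as success when 0 */`.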
r: 0; + } +@@ -464,7 +465,7 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) { + + case SD_DHCP6_OPTION_STATUS_CODE: + +- status = dhcp6_option_parse_status(option); ++ status = dhcp6_option_parse_status(option, optlen); + if (status) { + log_dhcp6_client(client, "IA status %d", + status); +diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c +index ca03f580e..b82e3f45f 100644 +--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c ++++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c +@@ -828,7 +828,7 @@ static int client_parse_message( + break; + + case SD_DHCP6_OPTION_STATUS_CODE: +- status = dhcp6_option_parse_status(option); ++ status = dhcp6_option_parse_status(option, optlen); + if (status) { + log_dhcp6_client(client, "%s Status %s", + dhcp6_message_type_to_string(message->type), +-- +2.17.1 + + +From a944785f244e92094eb4379cf12e76f5205037d3 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Sat, 29 Sep 2018 03:06:10 +0000 +Subject: [PATCH 3/9] dhcp6: fix an off-by-one error in + dhcp6_option_parse_domainname + +==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200055fa9c at pc 0x0000005458f1 bp 0x7ffc78940d90 sp 0x7ffc78940d88 +READ of size 1 at 0x60200055fa9c thread T0 + #0 0x5458f0 in dhcp6_option_parse_domainname /work/build/../../src/systemd/src/libsystemd-network/dhcp6-option.c:555:29 + #1 0x54706e in dhcp6_lease_set_domains /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-lease.c:242:13 + #2 0x53fce0 in client_parse_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:984:29 + #3 0x53f3bc in client_receive_advertise /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1083:13 + #4 0x53d57f in client_receive_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1182:21 + #5 0x7f0f7159deee in source_dispatch 
/work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3042:21 + #6 0x7f0f7159d431 in sd_event_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3455:21 + #7 0x7f0f7159ea8d in sd_event_run /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3512:21 + #8 0x531f2b in fuzz_client /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:44:9 + #9 0x531bc1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:53:9 + #10 0x57bec8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15 + #11 0x579d67 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3 + #12 0x57dc92 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19 + #13 0x580ca6 in fuzzer::Fuzzer::Loop(std::__1::vector, std::__1::allocator >, fuzzer::fuzzer_allocator, std::__1::allocator > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5 + #14 0x55e968 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6 + #15 0x551a1c in main /src/libfuzzer/FuzzerMain.cpp:20:10 + #16 0x7f0f701a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) + #17 0x41e928 in _start (/out/fuzz-dhcp6-client+0x41e928) + +https://github.com/systemd/systemd/pull/10200 +https://github.com/systemd/systemd/commit/b387d3c1327a3ad2a2509bd3d3491e674392ff21 +(cherry picked from commit 7cb7cffc4962245a32e87017bcf264005c043250) +(cherry picked from commit cd3aacefdd0b91741b7b2e7b5ee5baab210addd9) +(cherry picked from commit 5b140a77bc7b01dc002dbf28a7a2507a27a63d7c) +--- + src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c +index e462b7083..ff1cbf13d 100644 +--- 
a/src/systemd/src/libsystemd-network/dhcp6-option.c ++++ b/src/systemd/src/libsystemd-network/dhcp6-option.c +@@ -566,7 +566,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char * + /* Literal label */ + label = (const char *)&optval[pos]; + pos += c; +- if (pos > optlen) ++ if (pos >= optlen) + return -EMSGSIZE; + + if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) { +-- +2.17.1 + + +From fc04015063d44a61b85bdf2c2648d9ac9fb4a446 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 27 Sep 2018 18:04:59 +0900 +Subject: [PATCH 4/9] sd-dhcp-lease: fix memleaks + +(cherry picked from commit e2975f854831d08a25b4f5eb329b6d04102e115f) +(cherry picked from commit 157094abd83f933fad142758a7d177cfa1a347f7) +(cherry picked from commit 3fd9d11619a5e60d375076fbe13851dd1d3a4a63) +--- + src/systemd/src/libsystemd-network/sd-dhcp-lease.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/systemd/src/libsystemd-network/sd-dhcp-lease.c b/src/systemd/src/libsystemd-network/sd-dhcp-lease.c +index 33a0796a8..841d07926 100644 +--- a/src/systemd/src/libsystemd-network/sd-dhcp-lease.c ++++ b/src/systemd/src/libsystemd-network/sd-dhcp-lease.c +@@ -279,6 +279,8 @@ sd_dhcp_lease *sd_dhcp_lease_unref(sd_dhcp_lease *lease) { + free(option); + } + ++ free(lease->root_path); ++ free(lease->timezone); + free(lease->hostname); + free(lease->domainname); + free(lease->dns); +-- +2.17.1 + + +From ae56f71f5bd4233f335ec4c2a5172b59be3d80ca Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 27 Sep 2018 23:48:51 +0900 +Subject: [PATCH 5/9] dhcp6: fix buffer size checking + +(cherry picked from commit cb1bdeaf56852275e6b0dd1fba932bb174767f70) +(cherry picked from commit 91fb1673d5217aaf1461998fd2675630f5c265f9) +(cherry picked from commit 15a3c6c692ee0125d4673df42ef8986e9e3d69c7) +--- + src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git 
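Review bot: The `pos >= optlen` test in dhcp6_option_parse_domainname() (PATCH 3/9) deserves a comment, because the reason equality must be rejected is not visible at this line. A label that ends exactly at `optlen` leaves no byte for the terminating zero-length label, so the loop head `c = optval[pos++]` (outside this hunk, shown in PATCH 7/9) would read one byte past the option, which matches the 1-byte heap read in the ASan report quoted in the commit message. Suggested comment: `/* a label may not end the option: the terminating zero-length label must still fit */`. No test appears to be added in this series for a name that lacks its terminator; one would pin this boundary.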
a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c +index b82e3f45f..b65c31171 100644 +--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c ++++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c +@@ -776,8 +776,8 @@ static int client_parse_message( + uint8_t *optval; + be32_t iaid_lease; + +- if (len < offsetof(DHCP6Option, data) || +- len < offsetof(DHCP6Option, data) + be16toh(option->len)) ++ if (len < pos + offsetof(DHCP6Option, data) || ++ len < pos + offsetof(DHCP6Option, data) + be16toh(option->len)) + return -ENOBUFS; + + optcode = be16toh(option->code); +-- +2.17.1 + + +From 9babde953073b460d8bcda13329c60a0a74cdc3c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 19 Oct 2018 03:44:56 +0900 +Subject: [PATCH 6/9] sd-dhcp6: fix argument and error handling of + dhcp6_option_parse_status() + +(cherry picked from commit 91c43f3978fa7c8341550b9ca279e460ba7e74e6) +(cherry picked from commit 373cbfc8c6e9591b3c8cc12d58c4b31ac35ab24f) +(cherry picked from commit 0e93fd895daa6f0f578ffa8fc4ed3e0ea85c62e8) +(cherry picked from commit 6ea13fc82523bebaa08cf2ab8404e751a654261f) +--- + src/systemd/src/libsystemd-network/dhcp6-option.c | 10 ++++++---- + src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 9 +++++---- + 2 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c +index ff1cbf13d..cfddefcb5 100644 +--- a/src/systemd/src/libsystemd-network/dhcp6-option.c ++++ b/src/systemd/src/libsystemd-network/dhcp6-option.c +@@ -465,13 +465,15 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) { + + case SD_DHCP6_OPTION_STATUS_CODE: + +- status = dhcp6_option_parse_status(option, optlen); +- if (status) { ++ status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option)); ++ if (status < 0) { ++ r = status; ++ goto error; ++ } ++ if (status > 0) { + 
log_dhcp6_client(client, "IA status %d", + status); + +- dhcp6_lease_free_ia(ia); +- + r = -EINVAL; + goto error; + } +diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c +index b65c31171..15c4f445f 100644 +--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c ++++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c +@@ -828,13 +828,14 @@ static int client_parse_message( + break; + + case SD_DHCP6_OPTION_STATUS_CODE: +- status = dhcp6_option_parse_status(option, optlen); +- if (status) { ++ status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option)); ++ if (status < 0) ++ return status; ++ ++ if (status > 0) { + log_dhcp6_client(client, "%s Status %s", + dhcp6_message_type_to_string(message->type), + dhcp6_message_status_to_string(status)); +- dhcp6_lease_free_ia(&lease->ia); +- dhcp6_lease_free_ia(&lease->pd); + + return -EINVAL; + } +-- +2.17.1 + + +From 19b82104da425efdb9ad0207ccabf5a1a091b81a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 19 Oct 2018 03:42:10 +0900 +Subject: [PATCH 7/9] sd-dhcp6: make dhcp6_option_parse_domainname() not store + empty domain + +This improves performance of fuzzer. +C.f. oss-fuzz#11019. 
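Review bot: The removal of `dhcp6_lease_free_ia(ia)` from the status branch of dhcp6_option_parse_ia(), and of `dhcp6_lease_free_ia(&lease->ia)` and `dhcp6_lease_free_ia(&lease->pd)` from client_parse_message() (PATCH 6/9), is not explained by the commit message, which only mentions argument and error handling. After this change a non-zero status returns `-EINVAL` with whatever addresses were parsed before the status option still attached to the IA. Whether the `error:` label or the callers release them is outside these hunks and should be confirmed. If the caller owns that cleanup, a short comment at each return, for example `/* ia is released by the caller on error */`, would record the ownership.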
+ +(cherry picked from commit 3c72b6ed4252e7ff5f7704bfe44557ec197b47fa) +(cherry picked from commit 50403cccee28c7dcd54b138a0d3b3f69ea0204fe) +(cherry picked from commit f11f5abb1a8b96b553d2d156f8b5cf440695c04d) +(cherry picked from commit c836279fca80fb22ca7ef02acaa5b987fee61123) +--- + .../src/libsystemd-network/dhcp6-option.c | 66 ++++++++----------- + 1 file changed, 29 insertions(+), 37 deletions(-) + +diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c +index cfddefcb5..be5c22237 100644 +--- a/src/systemd/src/libsystemd-network/dhcp6-option.c ++++ b/src/systemd/src/libsystemd-network/dhcp6-option.c +@@ -555,6 +555,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char * + bool first = true; + + for (;;) { ++ const char *label; + uint8_t c; + + c = optval[pos++]; +@@ -562,47 +563,41 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char * + if (c == 0) + /* End of name */ + break; +- else if (c <= 63) { +- const char *label; +- +- /* Literal label */ +- label = (const char *)&optval[pos]; +- pos += c; +- if (pos >= optlen) +- return -EMSGSIZE; +- +- if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) { +- r = -ENOMEM; +- goto fail; +- } +- +- if (first) +- first = false; +- else +- ret[n++] = '.'; +- +- r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX); +- if (r < 0) +- goto fail; +- +- n += r; +- continue; +- } else { +- r = -EBADMSG; +- goto fail; +- } +- } ++ if (c > 63) ++ return -EBADMSG; ++ ++ /* Literal label */ ++ label = (const char *)&optval[pos]; ++ pos += c; ++ if (pos >= optlen) ++ return -EMSGSIZE; ++ ++ if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) ++ return -ENOMEM; ++ ++ if (first) ++ first = false; ++ else ++ ret[n++] = '.'; ++ ++ r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX); ++ if (r < 0) ++ return r; + +- if (!GREEDY_REALLOC(ret, allocated, n + 
1)) { +- r = -ENOMEM; +- goto fail; ++ n += r; + } + ++ if (n == 0) ++ continue; ++ ++ if (!GREEDY_REALLOC(ret, allocated, n + 1)) ++ return -ENOMEM; ++ + ret[n] = 0; + + r = strv_extend(&names, ret); + if (r < 0) +- goto fail; ++ return r; + + idx++; + } +@@ -610,7 +605,4 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char * + *str_arr = TAKE_PTR(names); + + return idx; +- +-fail: +- return r; + } +-- +2.17.1 + + +From 7dd0b1ae8cc44a6e3c91dc921a278f939d045f0d Mon Sep 17 00:00:00 2001 +From: Li Song +Date: Fri, 19 Oct 2018 13:41:51 -0400 +Subject: [PATCH 8/9] sd-dhcp: remove unreachable route after rebinding return + NAK + +(cherry picked from commit cc3981b1272b9ce37e7d734a7b2f42e84acac535) +(cherry picked from commit 915c2f675a23b2ae16d292d1ac570706f76b384d) +(cherry picked from commit cb77290a696dce924e2a993690634986ac035490) +(cherry picked from commit f211b140a5861ddedc2424946e3ab07d3b642b5f) +--- + src/systemd/src/libsystemd-network/sd-dhcp-client.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/systemd/src/libsystemd-network/sd-dhcp-client.c b/src/systemd/src/libsystemd-network/sd-dhcp-client.c +index c2f81e1c4..c28025410 100644 +--- a/src/systemd/src/libsystemd-network/sd-dhcp-client.c ++++ b/src/systemd/src/libsystemd-network/sd-dhcp-client.c +@@ -1649,6 +1649,8 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + client->timeout_resend = + sd_event_source_unref(client->timeout_resend); + ++ client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED); ++ + r = client_initialize(client); + if (r < 0) + goto error; +-- +2.17.1 + + +From 5a89e393279e8d0c8c2943b4cce99b91c5ebe903 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 19 Oct 2018 12:12:33 +0200 +Subject: [PATCH 9/9] dhcp6: make sure we have enough space for the DHCP6 + option header + +Fixes a vulnerability originally discovered by Felix Wilhelm from +Google. 
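Review bot: With the new `if (n == 0) continue;` in dhcp6_option_parse_domainname() (PATCH 7/9), an option that contains only zero-length names now returns `idx == 0` and stores into `*str_arr` whatever `names` holds when nothing was appended, which looks like NULL. The function comment, or its callers, should state that a return of 0 means no names were stored and that `*str_arr` may then be NULL; the callers are not part of this hunk. The early `return` statements that replace `goto fail` also depend on `ret` and `names` being released automatically. Their declarations are outside the hunk, and the removed `fail:` label only returned `r`, so this is presumably unchanged, but it is worth a one-line comment such as `/* ret and names are freed by their cleanup attributes on early return */` if that is the case.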
+ +CVE-2018-15688 +LP: #1795921 +https://bugzilla.redhat.com/show_bug.cgi?id=1639067 + +(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892) +(cherry picked from commit 01ca2053bbea09f35b958c8cc7631e15469acb79) +(cherry picked from commit fc230dca139142f409d7bac99dbfabe9b004e2fb) +(cherry picked from commit cc1e5a7f5731f223d1eb8473fa0eecbedfc0ae5f) +--- + src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c +index be5c22237..22970443d 100644 +--- a/src/systemd/src/libsystemd-network/dhcp6-option.c ++++ b/src/systemd/src/libsystemd-network/dhcp6-option.c +@@ -105,7 +105,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) { + return -EINVAL; + } + +- if (*buflen < len) ++ if (*buflen < offsetof(DHCP6Option, data) + len) + return -ENOBUFS; + + ia_hdr = *buf; +-- +2.17.1 + diff --git a/SPECS/NetworkManager.spec b/SPECS/NetworkManager.spec index 701889b..083b184 100644 --- a/SPECS/NetworkManager.spec +++ b/SPECS/NetworkManager.spec @@ -10,7 +10,7 @@ %global epoch_version 1 %global rpm_version 1.12.0 %global real_version 1.12.0 -%global release_version 7 +%global release_version 8 %global snapshot %{nil} %global git_sha %{nil} @@ -124,6 +124,7 @@ Patch5: 0005-ibft-cap-sys-admin-rh1371201.patch Patch6: 0006-support-aes256-private-keys-rh1623798.patch Patch7: 0007-core-fix-wireless-bitrate-property-name-on-D-Bus-rh1626391.patch Patch8: 0008-dns-dnsmsaq-avoid-crash-no-rev-domains-rh1628576.patch +Patch9: 0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch Patch1000: 1000-cli-remove-assertion-in-nmc_device_state_to_color.patch Patch1001: 1001-translations-rh1569438.patch 
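Review bot: The corrected bound in dhcp6_option_append_ia() in dhcp6-option.c (PATCH 9/9, the CVE-2018-15688 fix) carries no comment explaining why the header size is added, and the series adds no regression test for it. Going by the commit subject, `len` holds only the IA payload size chosen above the hunk while the function also writes a DHCP6Option header, so a buffer with exactly `len` bytes left used to pass the old check. Suggested comment on the new line: `/* len is the IA payload only; the option header needs offsetof(DHCP6Option, data) more bytes */`. A unit test that calls the function with `*buflen` equal to the payload size and expects `-ENOBUFS` would keep this check from regressing. The remainder of the function is outside the hunk and should be checked against the same remaining-length accounting.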
@@ -889,6 +890,9 @@ fi %changelog +* Fri Nov 2 2018 Thomas Haller - 1:1.12.0-8 +- dhcp: fix out-of-bounds heap write for DHCPv6 with internal plugin (CVE-2018-15688) + * Mon Oct 22 2018 Beniamino Galvani - 1:1.12.0-7 - manager: accept non-null device for VPN activations (rh #1641174) - drop dependency of NetworkManager-ovs on openvswitch (rh #1633190)