From 2a7b119d1b9a67e34fa0ea9404ab5ecaceaccbf7 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 12 2018 17:30:10 +0000
Subject: import dhcp-4.2.5-58.el7_4.3


---

diff --git a/SOURCES/dhcp-4.2.5-centos-branding.patch b/SOURCES/dhcp-4.2.5-centos-branding.patch
deleted file mode 100644
index f3e7113..0000000
--- a/SOURCES/dhcp-4.2.5-centos-branding.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -uNrp dhcp-4.1.1-P1.orig/omapip/errwarn.c dhcp-4.1.1-P1/omapip/errwarn.c
---- dhcp-4.1.1-P1.orig/omapip/errwarn.c 2012-08-15 14:04:33.149141000 +0000
-+++ dhcp-4.1.1-P1/omapip/errwarn.c      2012-08-15 14:13:05.582416057 +0000
-@@ -81,8 +81,8 @@ void log_fatal (const char * fmt, ... )
-   log_error ("have been made to the base software release in order to make");
-   log_error ("it work better with this distribution.");
-   log_error ("%s", "");
--  log_error ("Please report for this software via the Red Hat Bugzilla site:");
--  log_error ("    http://bugzilla.redhat.com");
-+  log_error ("Please report for this software via the CentOS Bugs Database:");
-+  log_error ("    http://bugs.centos.org/");
-   log_error ("%s", "");
-   log_error ("exiting.");
- #endif
diff --git a/SOURCES/dhcp-4.2.5-options_overflow.patch b/SOURCES/dhcp-4.2.5-options_overflow.patch
new file mode 100644
index 0000000..a51c0cc
--- /dev/null
+++ b/SOURCES/dhcp-4.2.5-options_overflow.patch
@@ -0,0 +1,41 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..8a1deca 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -1672,7 +1672,8 @@ format_min_length(format, oc)
+ 
+ 
+ /* Format the specified option so that a human can easily read it. */
+-
++/* Maximum pretty printed size */
++#define MAX_OUTPUT_SIZE 32*1024
+ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ 	struct option *option;
+ 	const unsigned char *data;
+@@ -1680,8 +1681,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ 	int emit_commas;
+ 	int emit_quotes;
+ {
+-	static char optbuf [32768]; /* XXX */
+-	static char *endbuf = &optbuf[sizeof(optbuf)];
++	/* We add 128 byte pad so we don't have to add checks everywhere. */
++	static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
++	static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
+ 	int hunksize = 0;
+ 	int opthunk = 0;
+ 	int hunkinc = 0;
+@@ -2132,7 +2134,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
+ 				log_error ("Unexpected format code %c",
+ 					   fmtbuf [j]);
+ 			}
++
+ 			op += strlen (op);
++			if (op >= endbuf) {
++				log_error ("Option data exceeds"
++					   " maximum size %d", MAX_OUTPUT_SIZE);
++					   return ("<error>");
++			}
++
+ 			if (dp == data + len)
+ 				break;
+ 			if (j + 1 < numelem && comma != ':')
diff --git a/SOURCES/dhcp-4.2.5-reference_count_overflow.patch b/SOURCES/dhcp-4.2.5-reference_count_overflow.patch
new file mode 100644
index 0000000..c6c94cd
--- /dev/null
+++ b/SOURCES/dhcp-4.2.5-reference_count_overflow.patch
@@ -0,0 +1,13 @@
+diff --git a/common/options.c b/common/options.c
+index 83e0384..a58c5fc 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -189,6 +189,8 @@ int parse_option_buffer (options, buffer, length, universe)
+ 
+ 		/* If the length is outrageous, the options are bad. */
+ 		if (offset + len > length) {
++			/* Avoid reference count overflow */
++			option_dereference(&option, MDL);
+ 			reason = "option length exceeds option buffer length";
+ 		      bogus:
+ 			log_error("parse_option_buffer: malformed option "
diff --git a/SPECS/dhcp.spec b/SPECS/dhcp.spec
index 1eb0b9d..5214dfa 100644
--- a/SPECS/dhcp.spec
+++ b/SPECS/dhcp.spec
@@ -18,7 +18,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.2.5
-Release:  58%{?dist}.1
+Release:  58%{?dist}.3
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -98,7 +98,10 @@ Patch62:  dhcp-max-fd-value.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1355827
 Patch63:  dhcp-4.2.5-rh1355827.patch
 Patch64:  dhcp-4.2.5-reap_orphan_sockets.patch
-Patch65:  dhcp-4.2.5-centos-branding.patch
+# CVE-2018-5732
+Patch65:  dhcp-4.2.5-options_overflow.patch
+# CVE-2018-5733
+Patch66:  dhcp-4.2.5-reference_count_overflow.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -410,7 +413,9 @@ rm -rf includes/isc-dhcp
 %patch63 -p1
 
 %patch64 -p1 -b .omapi_sd_leak
-%patch65 -p1
+
+%patch65 -p1 -b .options_overflow
+%patch66 -p1 -b .reference_overflow
 
 # Update paths in all man pages
 for page in client/dhclient.conf.5 client/dhclient.leases.5 \
@@ -692,8 +697,11 @@ done
 
 
 %changelog
-* Thu Jan 25 2018 CentOS Sources <bugs@centos.org> - 4.2.5-58.el7.centos.1
-- Roll in CentOS Branding
+* Wed Feb 28 2018 Pavel Zhukov <pzhukov@redhat.com> - 12:4.2.5-68
+- Resolves: #1550000 - CVE-2018-5733  Avoid buffer overflow reference counter
+
+* Wed Feb 28 2018 Pavel Zhukov <pzhukov@redhat.com> - 12:4.2.5-58.2
+- Resolves: #1549979 - CVE-2018-5732  Avoid buffer overflow in options parser
 
 * Wed Dec 13 2017 Pavel Zhukov <pzhukov@redhat.com> - 12:4.2.5-58.1
 - Resolves: #1523475 - Fix omapi socket descriptors leak