diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/CVE-2022-2928.patch b/SOURCES/CVE-2022-2928.patch
new file mode 100644
index 0000000..4ad31c4
--- /dev/null
+++ b/SOURCES/CVE-2022-2928.patch
@@ -0,0 +1,32 @@
+diff --git a/common/options.c b/common/options.c
+index a53484e..40238f7 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -4499,6 +4499,8 @@ add_option(struct option_state *options,
+ if (!option_cache_allocate(&oc, MDL)) {
+ log_error("No memory for option cache adding %s (option %d).",
+ option->name, option_num);
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
+ return 0;
+ }
+
+@@ -4510,6 +4512,8 @@ add_option(struct option_state *options,
+ MDL)) {
+ log_error("No memory for constant data adding %s (option %d).",
+ option->name, option_num);
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
+ option_cache_dereference(&oc, MDL);
+ return 0;
+ }
+
+@@ -4518,6 +4522,9 @@ add_option(struct option_state *options,
+ save_option(&dhcp_universe, options, oc);
+ option_cache_dereference(&oc, MDL);
+
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
++
+ return 1;
+ }
+
diff --git a/SOURCES/CVE-2022-2929.patch b/SOURCES/CVE-2022-2929.patch
new file mode 100644
index 0000000..938a275
--- /dev/null
+++ b/SOURCES/CVE-2022-2929.patch
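Review bot: The same two-line cleanup, `/* Get rid of reference created during hash lookup. */` followed by `option_dereference(&option, MDL);`, is now copied onto all three exits of add_option, and a cleanup that has to be remembered on every return path is exactly how this reference leak arose in the first place; a single `out:` label that drops the reference and returns a status keeps the fix in one place, with the two failure branches doing `rc = 0; goto out;` (the second after its existing `option_cache_dereference(&oc, MDL);`) and the success path setting `rc = 1`, given an `int rc` declared at the top of the function. The lookup that takes the reference is not in the hunk (presumably the option_code_hash_lookup call earlier in the function), so the hunk alone cannot show that every exit after that point is covered; that is worth checking in the full function. add_option begins before the first hunk.
```c
/* … unchanged: hash lookup that takes the reference on option … */
	if (!option_cache_allocate(&oc, MDL)) {
		log_error("No memory for option cache adding %s (option %d).",
			  option->name, option_num);
		rc = 0;
		goto out;
	}
/* … unchanged: make_const_data() failure path, ending in option_cache_dereference(&oc, MDL); rc = 0; goto out; … */
	save_option(&dhcp_universe, options, oc);
	option_cache_dereference(&oc, MDL);
	rc = 1;
out:
	/* Release the reference taken by the hash lookup on every exit. */
	option_dereference(&option, MDL);
	return rc;
```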
@@ -0,0 +1,25 @@
+diff --git a/common/options.c b/common/options.c
+index 40238f7..11b1961 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+ while (s < &bp -> data[0] + length + 2) {
+ len = *s;
+ if (len > 63) {
+- log_info ("fancy bits in fqdn option");
+- return 0;
++ log_info ("label length exceeds 63 in fqdn option");
++ goto bad;
+ }
+ if (len == 0) {
+ terminated = 1;
+ break;
+ }
+ if (s + len > &bp -> data [0] + length + 3) {
+- log_info ("fqdn tag longer than buffer");
+- return 0;
++ log_info ("fqdn label longer than buffer");
++ goto bad;
+ }
+
+ if (first_len == 0) {
diff --git a/SOURCES/dhcp.sysusers b/SOURCES/dhcp.sysusers
new file mode 100644
index 0000000..4841cdd
--- /dev/null
+++ b/SOURCES/dhcp.sysusers
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+g dhcpd 177
+u dhcpd 177 "DHCP server" / /sbin/nologin
diff --git a/SPECS/dhcp.spec b/SPECS/dhcp.spec
index c436fc1..ce39e57 100644
--- a/SPECS/dhcp.spec
+++ b/SPECS/dhcp.spec
@@ -15,7 +15,7 @@ Summary: Dynamic host configuration protocol software
 Name: dhcp
 Version: 4.4.2
-Release: 17.b1%{?dist}
+Release: 18.b1%{?dist}
 # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
@@ -32,6 +32,7 @@ Source5: 56dhclient
 Source6: dhcpd.service
 Source7: dhcpd6.service
 Source8: dhcrelay.service
+Source9: dhcp.sysusers
 Patch1: 0001-change-bug-url.patch
 Patch2: 0002-additional-dhclient-options.patch
@@ -64,6 +65,8 @@ Patch28: 0028-Fix-for-CVE-2021-25217.patch
 Patch29: 0029-Use-system-getaddrinfo-for-dhcp.patch
 Patch30: CVE-2021-25220.patch
 Patch31: omshell-hmac-sha512-support.patch
+Patch32: CVE-2022-2928.patch
+Patch33: CVE-2022-2929.patch
 BuildRequires: autoconf
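Review bot: Both new `goto bad;` jumps depend on a `bad:` label that lies outside this hunk, so the hunk on its own does not show what the rejected-label path now releases; the change only pays off if that label drops `bp` (and anything else allocated before the loop), which is presumably the leak the CVE describes and should be confirmed in the full function. The bounds arithmetic in the two `if` conditions is untouched, so the label-length and buffer checks themselves are not part of this review. A short comment at the first jump would tell later readers why a return was replaced by a jump, e.g. `/* Malformed label: release bp via the shared error path instead of returning. */`. fqdn_universe_decode both starts and ends outside the hunk.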
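Review bot: The file gives no reason for the fixed ID 177, while the `%pre` script it replaces cited `/usr/share/doc/setup/uidgid` for that reservation; an explicit numeric ID in a sysusers entry is exactly the place a future maintainer will wonder whether the number may change, so add `# 177 is the uid/gid reserved for dhcpd in setup's uidgid table` after the header line. The `g` and `u` lines both request 177, which is the expected layout for a dedicated group of the same name. Note that systemd-sysusers, not the packager, now decides what happens when 177 is already taken on the target host; the old script fell back to a dynamically allocated UID in that case, and the macro's behaviour should be checked rather than assumed to match.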
@@ -85,6 +88,7 @@ BuildRequires: doxygen
 BuildRequires: systemtap-sdt-devel
 %global tapsetdir /usr/share/systemtap/tapset
 %endif
+BuildRequires: systemd-rpm-macros
 # In _docdir we ship some perl scripts and module from contrib subdirectory.
 # Because nothing under _docdir is allowed to "require" anything,
@@ -98,11 +102,9 @@ DHCP (Dynamic Host Configuration Protocol)
 %package server
 Summary: Provides the ISC DHCP server
 Requires: %{name}-common = %{epoch}:%{version}-%{release}
-Requires(pre): shadow-utils
 Requires(post): coreutils grep sed
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
+%{?sysusers_requires_compat}
+%{?systemd_requires}
 %description server
 DHCP (Dynamic Host Configuration Protocol) is a protocol which allows
@@ -117,9 +119,7 @@ This package provides the ISC DHCP server.
 Summary: Provides the ISC DHCP relay agent
 Requires: %{name}-common = %{epoch}:%{version}-%{release}
 Requires(post): grep sed
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
+%{?systemd_requires}
 %description relay
 DHCP (Dynamic Host Configuration Protocol) is a protocol which allows
@@ -200,7 +200,7 @@ This package contains doxygen-generated documentation.
 %prep
 %setup -n dhcp-%{DHCPVERSION}
 pushd bind
-tar -xvf bind.tar.gz
+tar -xf bind.tar.gz
 ln -s bind-9* bind
 popd
 %autopatch -p1
@@ -288,6 +288,9 @@ install -m 644 %{SOURCE6} %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE7} %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE8} %{buildroot}%{_unitdir}
+# systemd-sysusers
+install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/dhcp.conf
+
 # Start empty lease databases
 mkdir -p %{buildroot}%{_localstatedir}/lib/dhcpd/
 touch %{buildroot}%{_localstatedir}/lib/dhcpd/dhcpd.leases
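Review bot: `%{?sysusers_requires_compat}` is a conditional expansion that becomes empty when the macro is undefined, so the scriptlet dependency that replaces the deleted `Requires(pre): shadow-utils` now depends silently on the systemd-rpm-macros version in the build root rather than failing the build; the `BuildRequires: systemd-rpm-macros` added in the preceding hunk makes the macro available on a current build root, but nothing catches its absence. If the package is meant to always be built with that macro, the unconditional `%sysusers_requires_compat` makes a missing definition a loud build error instead of a package whose `%pre` lacks its useradd/groupadd dependency. Either way it is worth confirming that, on the targeted release, the macro does expand to a `Requires(pre)` on the tools that `%sysusers_create_compat` invokes, since `%pre server` is now the only place the account is created.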
@@ -364,17 +367,7 @@ install -D -p -m 0644 contrib/ldap/dhcp.schema %{buildroot}%{_sysconfdir}/openld
 find %{buildroot} -type f -name "*.la" -delete -print
 %pre server
-# /usr/share/doc/setup/uidgid
-%global gid_uid 177
-getent group dhcpd >/dev/null || groupadd --force --gid %{gid_uid} --system dhcpd
-if ! getent passwd dhcpd >/dev/null ; then
- if ! getent passwd %{gid_uid} >/dev/null ; then
- useradd --system --uid %{gid_uid} --gid dhcpd --home / --shell /sbin/nologin --comment "DHCP server" dhcpd
- else
- useradd --system --gid dhcpd --home / --shell /sbin/nologin --comment "DHCP server" dhcpd
- fi
-fi
-exit 0
+%sysusers_create_compat %{SOURCE9}
 %post server
 # Initial installation
@@ -458,6 +451,7 @@ done
 %config(noreplace) %{_sysconfdir}/openldap/schema/dhcp.schema
 %attr(0644,root,root) %{_unitdir}/dhcpd.service
 %attr(0644,root,root) %{_unitdir}/dhcpd6.service
+%{_sysusersdir}/dhcp.conf
 %{_sbindir}/dhcpd
 %{_bindir}/omshell
 %attr(0644,root,root) %{_mandir}/man1/omshell.1.gz
@@ -514,8 +508,10 @@ done
 %endif
 %changelog
-* Tue Nov 15 2022 CentOS Sources - 4.4.2-17.b1.el9.centos
-- Apply debranding changes
+* Mon Oct 10 2022 Martin Osvald - 12:4.4.2-18.b1
+- Fix for CVE-2022-2928
+- Fix for CVE-2022-2929
+- Use systemd-sysusers for dhcp user and group (#2095396)
 * Tue May 10 2022 Martin Osvald - 12:4.4.2-17.b1
 - omshell: add support for hmac-sha512 algorithm (#2083553)
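Review bot: The deleted scriptlet made two decisions that `%sysusers_create_compat %{SOURCE9}` now hides inside the macro: it fell back to a dynamically allocated UID when 177 was already taken by another account (`if ! getent passwd %{gid_uid}`), and it ended in `exit 0` so a failing useradd could never abort the package install. Both behaviours should be checked against what the generated `%pre` actually does on a UID/GID collision and on a useradd error, because a hard failure here blocks every upgrade of dhcp-server on an affected host. The provenance comment the old script carried is also gone; keeping it next to the macro call costs nothing: `# dhcpd uid/gid 177 is reserved in /usr/share/doc/setup/uidgid; account now created from the sysusers.d file`.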
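Review bot: The new `%{_sysusersdir}/dhcp.conf` entry is listed without an attribute while the two unit files directly above it pin `%attr(0644,root,root)`, so the ownership and mode of this file are left to whatever `install -m 0644` in `%install` produced; for consistency with its neighbours and to make the intended mode explicit in the manifest, write `%attr(0644,root,root) %{_sysusersdir}/dhcp.conf`.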