Hello community, here is the log from the commit of package dhcp for openSUSE:Factory checked in at Wed Apr 6 12:54:19 CEST 2011.
-------- --- dhcp/dhcp.changes 2011-02-21 15:52:15.000000000 +0100 +++ /mounts/work_src_done/STABLE/dhcp/dhcp.changes 2011-04-05 20:58:14.000000000 +0200 @@ -1,0 +2,31 @@ +Thu Mar 31 09:56:02 UTC 2011 - [email protected] + +- Discard string options such as host and domain names containing + disallowed characters or beeing too long. This proctive patch + limits root-path to a-zA-Z0-9, #%+-_:.,@~/\[]= and a space + (bnc#675052, CVE-2011-0997). + +------------------------------------------------------------------- +Thu Mar 31 09:00:19 UTC 2011 - [email protected] + +- Updated to ISC DHCP 4.2.1 release (bnc#680298), that provides + following fixes (digest): + * Several fixes to OMAPI, cleanup of dereferenced pointers in + the omapi handle, handling of pipe failures and status code + in omapi signal handler that may cause connect failure and + 100% CPU use. + * Handle some DDNS corner cases better + * Several fixes to lease input and output + * Corrected side effect of printing all data strings as hex. + * Host record references leaks causing applying config to all + innocent clients. + * Memory leak when parsing a domain name + * Fixes to configuration parsing including infinite loop. + * Fixed for unexpected abort caused by a DHCPv6 decline. + For the complete list see the RELNOTES file, that is available + also online at http://ftp.isc.org/isc/dhcp/dhcp-4.2.1-RELNOTES. +- Removed obsolete optional-value-infinite-loop, no-libcrypto + and CVE-2011-0413.bnc667655 patches. +- Merged the dhclient-send-hostname and ldap patches. + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- dhcp-4.1.1-P1-optional-value-infinite-loop.diff dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2 dhcp-4.2.0-P1-no-libcrypto.diff dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff dhcp-4.2.0-P2.tar.bz2 New: ---- dhcp-4.2.1-dhclient-option-checks.bnc675052.diff dhcp-4.2.1-dhclient-send-hostname-rml.diff dhcp-4.2.1-ldap-patch-mt01.diff.bz2 dhcp-4.2.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dhcp.spec ++++++ --- /var/tmp/diff_new_pack.nmJ5GV/_old 2011-04-06 12:53:45.000000000 +0200 +++ /var/tmp/diff_new_pack.nmJ5GV/_new 2011-04-06 12:53:45.000000000 +0200 @@ -17,7 +17,7 @@ # norootforbuild -%define isc_version 4.2.0-P2 +%define isc_version 4.2.1 %define susefw2dir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %define omc_prefix /usr/share/omc %define omc_svcdir %{omc_prefix}/svcinfo.d @@ -35,8 +35,8 @@ License: BSD3c(or similar) Group: Productivity/Networking/Boot/Servers AutoReqProv: on -Version: 4.2.0.P2 -Release: 8 +Version: 4.2.1 +Release: 1 Summary: Common Files Used by ISC DHCP Software Url: http://www.isc.org/software/dhcp Source0: dhcp-%{isc_version}.tar.bz2 @@ -76,15 +76,13 @@ Patch14: dhcp-4.1.1-in6_pktinfo-prototype.diff Patch15: contrib-lease-path.diff Patch20: dhcp-4.1.1-dhclient-exec-filedes.diff -Patch21: dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff +Patch21: dhcp-4.2.1-dhclient-send-hostname-rml.diff ## patch lives here: http://www.suse.de/~mt/git/dhcp-ldap.git/ -Patch30: dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2 -Patch39: dhcp-4.2.0-P1-no-libcrypto.diff +Patch30: dhcp-4.2.1-ldap-patch-mt01.diff.bz2 Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff -Patch42: dhcp-4.1.1-P1-optional-value-infinite-loop.diff -Patch43: dhcp-4.2.0-P2-CVE-2011-0413.bnc667655.diff Patch44: dhcp-4.2.0-xen-checksum.patch +Patch45: dhcp-4.2.1-dhclient-option-checks.bnc675052.diff ## PreReq: /bin/touch /sbin/chkconfig sysconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -206,12 +204,10 @@ %if 0%{?with_ldap} %patch30 -p1 %endif -%patch39 -p1 %patch40 -p1 %patch41 -p1 -%patch42 -p1 -%patch43 -p1 %patch44 -p1 +%patch45 -p1 ## find . -type f -name \*.cat\* -exec rm -f {} \; dos2unix contrib/ms2isc/* ++++++ dhclient-script ++++++ --- /var/tmp/diff_new_pack.nmJ5GV/_old 2011-04-06 12:53:45.000000000 +0200 +++ /var/tmp/diff_new_pack.nmJ5GV/_new 2011-04-06 12:53:45.000000000 +0200 @@ -236,21 +236,26 @@ } set_hostname() { + rx_host='^[[:alnum:]][[:alnum:]_-]{0,62}$' if [ "$DHCLIENT_SET_HOSTNAME" = yes ] ; then + new_host_name="${new_host_name%%.*}" + [[ ${new_host_name} =~ ${rx_host} ]] || unset new_host_name current_hostname=`hostname` - if [ "x${current_hostname%%.*}" = "x" ] || \ - [ "x${current_hostname%%.*}" = "x(none)" ] || \ - [ "x${current_hostname%%.*}" = "xlocalhost" ] || \ - [ "x${current_hostname%%.*}" != "x${new_host_name%%.*}" ]; then + current_hostname="${current_hostname%%.*}" + [[ ${current_hostname} =~ ${rx_host} ]] || unset current_hostname - if [ "x${new_host_name%%.*}" != "x" ]; then - hostname "${new_host_name%%.*}" + if [ "x${current_hostname}" = "x" ] || \ + [ "x${current_hostname}" = "xlocalhost" ] || \ + [ "x${current_hostname}" != "x${new_host_name}" ]; then + if [ "x${new_host_name}" != "x" ]; then + hostname "${new_host_name}" else if [ -x /usr/bin/host ] ; then if out=`host -W 2 "$new_ip_address" 2>/dev/null` ; then - _hostname="`echo "$out" | sed 's:^.* ::; s:\..*::'`" + _hostname="`echo "$out" | sed 's:^.* ::; s:\..*::; s:.*[)]::'`" + [[ ${_hostname} =~ ${rx_host} ]] || unset _hostname if [ "x${_hostname}" != "x" -a \ - "x${_hostname}" != "x${current_hostname%%.*}" ]; then + "x${_hostname}" != "x${current_hostname}" ]; then hostname "${_hostname}" fi fi @@ -264,7 +269,9 @@ # it changed, we've to handle it anyway... local OLD_HOSTNAME=`read_cached_config_data hostname $interface` local CUR_HOSTNAME=`hostname 2>/dev/null` - if test "x$OLD_HOSTNAME" != "x$CUR_HOSTNAME" ; then + CUR_HOSTNAME="${CUR_HOSTNAME%%.*}" + if [[ ${CUR_HOSTNAME} =~ ${rx_host} ]] && \ + [ "x$OLD_HOSTNAME" != "x$CUR_HOSTNAME" ] ; then write_cached_config_data hostname "$CUR_HOSTNAME" $interface commit_cached_config_data $interface ++++++ dhcp-4.2.1-dhclient-option-checks.bnc675052.diff ++++++ >From 632c8ceeff26a7663f939895f77aecb8377773f2 Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski <[email protected]> Date: Sun, 27 Mar 2011 13:15:58 +0200 Subject: [PATCH] dhclient: discard incorrect string options Discard string options such as host and domain names containing disallowed characters or beeing too long. This proctive patch limits root-path to the a-zA-Z0-9, space and the #%+-_:.,@~/\[]= characters. Signed-off-by: Marius Tomaschewski <[email protected]> --- client/dhclient.c | 186 +++++++++++++++++++++++++++++++++++++++++++++++++---- common/options.c | 3 +- 2 files changed, 175 insertions(+), 14 deletions(-) diff --git a/client/dhclient.c b/client/dhclient.c index dc19e8b..5d96c72 100644 --- a/client/dhclient.c +++ b/client/dhclient.c @@ -91,6 +91,11 @@ static void usage(void); static isc_result_t write_duid(struct data_string *duid); +static int check_domain_name(const char *ptr, size_t len, int dots); +static int check_domain_name_list(const char *ptr, size_t len, int dots); +static int check_option_values(struct universe *universe, unsigned int opt, + const char *ptr, size_t len); + int main(int argc, char **argv) { int fd; @@ -3034,13 +3039,23 @@ void client_option_envadd (struct option_cache *oc, if (data.len) { char name [256]; if (dhcp_option_ev_name (name, sizeof name, - oc -> option)) { - client_envadd (es -> client, es -> prefix, - name, "%s", - (pretty_print_option - (oc -> option, - data.data, data.len, - 0, 0))); + oc->option)) { + const char *value; + value = pretty_print_option(oc->option, + data.data, + data.len, 0, 0); + size_t length = strlen(value); + + if (check_option_values(oc->option->universe, + oc->option->code, + value, length) == 0) { + client_envadd(es->client, es->prefix, + name, "%s", value); + } else { + log_error("suspect value in %s " + "option - discarded", + name); + } data_string_forget (&data, MDL); } } @@ -3118,12 +3133,32 @@ void script_write_params (client, prefix, lease) data_string_forget (&data, MDL); } - if (lease -> filename) - client_envadd (client, - prefix, "filename", "%s", lease -> filename); - if (lease -> server_name) - client_envadd (client, prefix, "server_name", - "%s", lease -> server_name); + if (lease->filename) { + if (check_option_values(NULL, DHO_ROOT_PATH, + lease->filename, + strlen(lease->filename)) == 0) { + client_envadd(client, prefix, "filename", + "%s", lease->filename); + } else { + log_error("suspect value in %s " + "option - discarded", + "filename"); + } + } + + if (lease->server_name) { + if (check_option_values(NULL, DHO_HOST_NAME, + lease->server_name, + strlen(lease->server_name)) == 0 ) { + client_envadd (client, prefix, "server_name", + "%s", lease->server_name); + } else { + log_error("suspect value in %s " + "option - discarded", + "server_name"); + } + } + for (i = 0; i < lease -> options -> universe_count; i++) { option_space_foreach ((struct packet *)0, (struct lease *)0, @@ -4026,3 +4061,128 @@ dhcpv4_client_assignments(void) } else remote_port = htons (ntohs (local_port) - 1); /* XXX */ } + +/* + * The following routines are used to check that certain + * strings are reasonable before we pass them to the scripts. + * This avoids some problems with scripts treating the strings + * as commands - see ticket 23722 + * The domain checking code should be done as part of assembling + * the string but we are doing it here for now due to time + * constraints. + */ + +static int check_domain_name(const char *ptr, size_t len, int dots) +{ + const char *p; + + /* not empty or complete length not over 255 characters */ + if ((len == 0) || (len >= 256)) + return(-1); + + /* consists of [[:alnum:]-]+ labels separated by [.] */ + /* a [_] is against RFC but seems to be "widely used"... */ + for (p=ptr; (*p != 0) && (len-- > 0); p++) { + if ((*p == '-') || (*p == '_')) { + /* not allowed at begin or end of a label */ + if (((p - ptr) == 0) || (len == 0) || (p[1] == '.')) + return(-1); + } else if (*p == '.') { + /* each label has to be 1-63 characters; + we allow [.] at the end ('foo.bar.') */ + size_t d = p - ptr; + if ((d <= 0) || (d >= 64)) + return(-1); + ptr = p + 1; /* jump to the next label */ + if ((dots > 0) && (len > 0)) + dots--; + } else if (isalnum((unsigned char)*p) == 0) { + /* also numbers at the begin are fine */ + return(-1); + } + } + return(dots ? -1 : 0); +} + +static int check_domain_name_list(const char *ptr, size_t len, int dots) +{ + const char *p; + int ret = -1; /* at least one needed */ + + if ((ptr == NULL) || (len == 0)) + return(-1); + + for (p=ptr; (*p != 0) && (len > 0); p++, len--) { + if (*p != ' ') + continue; + if (p > ptr) { + if (check_domain_name(ptr, p - ptr, dots) != 0) + return(-1); + ret = 0; + } + ptr = p + 1; + } + if (p > ptr) + return(check_domain_name(ptr, p - ptr, dots)); + else + return(ret); +} + +static int check_option_values(struct universe *universe, + unsigned int opt, + const char *ptr, + size_t len) +{ + if (ptr == NULL) + return(-1); + + /* just reject options we want to protect, will be escaped anyway */ + if ((universe == NULL) || (universe == &dhcp_universe)) { + switch(opt) { + case DHO_HOST_NAME: + case DHO_DOMAIN_NAME: + case DHO_NIS_DOMAIN: + case DHO_NETBIOS_SCOPE: + return check_domain_name(ptr, len, 0); + break; + case DHO_DOMAIN_SEARCH: + return check_domain_name_list(ptr, len, 0); + break; + case DHO_ROOT_PATH: + if (len == 0) + return(-1); + for (; (*ptr != 0) && (len-- > 0); ptr++) { + if(!(isalnum((unsigned char)*ptr) || + *ptr == '#' || *ptr == '%' || + *ptr == '+' || *ptr == '-' || + *ptr == '_' || *ptr == ':' || + *ptr == '.' || *ptr == ',' || + *ptr == '@' || *ptr == '~' || + *ptr == '\\' || *ptr == '/' || + *ptr == '[' || *ptr == ']' || + *ptr == '=' || *ptr == ' ')) + return(-1); + } + return(0); + break; + } + } + +#ifdef DHCPv6 + if (universe == &dhcpv6_universe) { + switch(opt) { + case D6O_SIP_SERVERS_DNS: + case D6O_DOMAIN_SEARCH: + case D6O_NIS_DOMAIN_NAME: + case D6O_NISP_DOMAIN_NAME: + return check_domain_name_list(ptr, len, 0); + break; + } + } +#endif + + return(0); +} + + + diff --git a/common/options.c b/common/options.c index 28c36e6..3a6cb33 100644 --- a/common/options.c +++ b/common/options.c @@ -3915,7 +3915,8 @@ pretty_escape(char **dst, char *dend, const unsigned char **src, count += 4; } } else if (**src == '"' || **src == '\'' || **src == '$' || - **src == '`' || **src == '\\') { + **src == '`' || **src == '\\' || **src == '|' || + **src == '&' || **src == ';') { if (*dst + 2 > dend) return -1; -- 1.7.3.4 ++++++ dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff -> dhcp-4.2.1-dhclient-send-hostname-rml.diff ++++++ --- dhcp/dhcp-4.2.0-P1-dhclient-send-hostname-rml.diff 2010-11-26 15:57:08.000000000 +0100 +++ /mounts/work_src_done/STABLE/dhcp/dhcp-4.2.1-dhclient-send-hostname-rml.diff 2011-03-30 17:57:23.000000000 +0200 @@ -1,34 +1,34 @@ diff --git a/client/dhclient.8 b/client/dhclient.8 -index b805528..d31fa8d 100644 +index 7a3c154..e284210 100644 --- a/client/dhclient.8 +++ b/client/dhclient.8 -@@ -60,6 +60,9 @@ dhclient - Dynamic Host Configuration Protocol Client +@@ -64,6 +64,10 @@ dhclient - Dynamic Host Configuration Protocol Client .I port ] [ -+.B -H hostname ++.B -H ++.I hostname +] +[ .B -d ] [ -@@ -227,6 +230,11 @@ If a different port is specified for the client to listen on and - transmit on, the client will also use a different destination port - +@@ -305,6 +309,10 @@ If a different port is specified on which the client should listen and + transmit, the client will also use a different destination port - one less than the specified port. - .PP -+The -+.B -H -+flag may be used to specify a client hostname that should be sent to + .TP ++.BI \-H \ hostname ++This flag may be used to specify a client hostname that should be sent to +the DHCP server. Note, that this option is a SUSE/Novell extension. -+.PP - The DHCP client normally transmits any protocol messages it sends - before acquiring an IP address to, 255.255.255.255, the IP limited - broadcast address. For debugging purposes, it may be useful to have ++.TP + .BI \-s \ server + Specify the server IP address or fully qualified domain name to use as + a destination for DHCP protocol messages before diff --git a/client/dhclient.c b/client/dhclient.c -index 15c31a5..65e9c23 100644 +index dc19e8b..bd02cc9 100644 --- a/client/dhclient.c +++ b/client/dhclient.c -@@ -108,6 +108,7 @@ main(int argc, char **argv) { +@@ -110,6 +110,7 @@ main(int argc, char **argv) { int no_dhclient_db = 0; int no_dhclient_pid = 0; int no_dhclient_script = 0; @@ -36,7 +36,7 @@ #ifdef DHCPv6 int local_family_set = 0; #endif /* DHCPv6 */ -@@ -212,6 +213,16 @@ main(int argc, char **argv) { +@@ -220,6 +221,16 @@ main(int argc, char **argv) { if (++i == argc) usage(); mockup_relay = argv[i]; @@ -53,7 +53,7 @@ } else if (!strcmp(argv[i], "-nw")) { nowait = 1; } else if (!strcmp(argv[i], "-n")) { -@@ -445,6 +456,32 @@ main(int argc, char **argv) { +@@ -468,6 +479,32 @@ main(int argc, char **argv) { /* Parse the dhclient.conf file. */ read_client_conf(); @@ -86,7 +86,7 @@ /* Parse the lease database. */ read_client_leases(); -@@ -674,12 +711,12 @@ static void usage() +@@ -676,12 +713,12 @@ static void usage() log_error("Usage: dhclient %s %s", #ifdef DHCPv6 ++++++ dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2 -> dhcp-4.2.1-ldap-patch-mt01.diff.bz2 ++++++ Files dhcp/dhcp-4.2.0-P1-ldap-patch-mt01.diff.bz2 and /mounts/work_src_done/STABLE/dhcp/dhcp-4.2.1-ldap-patch-mt01.diff.bz2 differ ++++++ dhcp-4.2.0-P2.tar.bz2 -> dhcp-4.2.1.tar.bz2 ++++++ dhcp/dhcp-4.2.0-P2.tar.bz2 /mounts/work_src_done/STABLE/dhcp/dhcp-4.2.1.tar.bz2 differ: char 11, line 1 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
