Hello community, here is the log from the commit of package radvd for openSUSE:11.4 checked in at Fri Oct 21 15:02:22 CEST 2011.
-------- --- old-versions/11.4/all/radvd/radvd.changes 2009-07-29 12:03:33.000000000 +0200 +++ 11.4/radvd/radvd.changes 2011-10-20 11:52:23.000000000 +0200 @@ -1,0 +2,6 @@ +Wed Oct 19 17:28:13 CEST 2011 - [email protected] + +- fixed several security problems - bnc#721968 + CVE-2011-3602, CVE-2011-3603, CVE-2011-3604, CVE-2011-3605 + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/radvd Destination is old-versions/11.4/UPDATES/all/radvd calling whatdependson for 11.4-i586 New: ---- bnc721968_2.patch bnc721968_3.patch bnc721968_4.patch bnc721968_5.patch bnc721968_6.patch bnc721968_7.patch bnc721968_8.patch bnc721968_9.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ radvd.spec ++++++ --- /var/tmp/diff_new_pack.5JOdBe/_old 2011-10-21 15:01:56.000000000 +0200 +++ /var/tmp/diff_new_pack.5JOdBe/_new 2011-10-21 15:01:56.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package radvd (Version 1.3) +# spec file for package radvd # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,10 +26,18 @@ AutoReqProv: on Summary: Router ADVertisement Daemon for IPv6 Version: 1.3 -Release: 1 +Release: 9.<RELEASE10> Source0: %{name}-%{version}.tar.bz2 Source1: radvd.init Source2: sysconfig.radvd +Patch0: bnc721968_2.patch +Patch1: bnc721968_3.patch +Patch2: bnc721968_4.patch +Patch3: bnc721968_5.patch +Patch4: bnc721968_6.patch +Patch5: bnc721968_7.patch +Patch6: bnc721968_8.patch +Patch7: bnc721968_9.patch Url: http://v6web.litech.org/radvd BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -41,6 +49,14 @@ %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build autoreconf -fi ++++++ bnc721968_2.patch ++++++ References: CVE-2011-3602, bnc#721968 commit 92e22ca23e52066da2258df8c76a2dca8a428bcc Author: Vasiliy Kulikov <[email protected]> Date: Tue Oct 4 00:33:15 2011 -0700 set_interface_var() doesn't check interface name and blindly does fopen(path "/" ifname, "w") on it. As "ifname" is an untrusted input, it should be checked for ".." and/or "/" in it. Otherwise, an infected unprivileged daemon may overwrite contents of file named "mtu", "hoplimit", etc. in arbitrary location with arbitrary 32-bit value in decimal representation ("%d"). If an attacker has a local account or may create arbitrary symlinks with these names in any location (e.g. /tmp), any file may be overwritten with a decimal value. commit 7a1471b62da88373e8f4209d503307c5d841b81f Author: Vasiliy Kulikov <[email protected]> Date: Sat Oct 8 09:26:58 2011 -0700 checking iface name more carefully modified: device-linux.c Index: radvd-1.3/device-linux.c =================================================================== --- radvd-1.3.orig/device-linux.c 2008-01-24 18:08:46.000000000 +0100 +++ radvd-1.3/device-linux.c 2011-10-19 12:17:33.000000000 +0200 
@@ -237,6 +237,10 @@ set_interface_var(const char *iface, if (snprintf(spath, sizeof(spath), var, iface) >= sizeof(spath)) return -1; + /* No path traversal */ + if (!iface[0] || !strcmp(iface, ".") || !strcmp(iface, "..") || strchr(iface, '/')) + return -1; + if (access(spath, F_OK) != 0) return -1; ++++++ bnc721968_3.patch ++++++ References: CVE-2011-3603, bnc#721968 commit 2c50375043186e133f15135f4c93ca964238ee60 Author: Vasiliy Kulikov <[email protected]> Date: Tue Oct 4 00:35:20 2011 -0700 main() must fail on privsep_init() errors, it must not run without privilege separation as privsep is expected. commit 7dc53cc3b792775369bf0b2f053a3f4ed5d87e3d Author: Vasiliy Kulikov <[email protected]> Date: Tue Oct 4 18:12:26 2011 +0400 Really exit on privsep init failure. Index: radvd-1.3/radvd.c =================================================================== --- radvd-1.3.orig/radvd.c 2009-06-19 09:37:11.000000000 +0200 +++ radvd-1.3/radvd.c 2011-10-19 12:18:57.000000000 +0200 @@ -223,8 +223,10 @@ main(int argc, char *argv[]) if (username) { if (!singleprocess) { dlog(LOG_DEBUG, 3, "Initializing privsep"); - if (privsep_init() < 0) - flog(LOG_WARNING, "Failed to initialize privsep."); + if (privsep_init() < 0) { + perror("Failed to initialize privsep."); + exit(1); + } } if (drop_root_privileges(username) < 0) ++++++ bnc721968_4.patch ++++++ References: CVE-2011-3604, bnc#721968 commit 7de1b9abf87b747ee2611c0d2a94dfeee79878b4 Author: Vasiliy Kulikov <[email protected]> Date: Tue Oct 4 00:35:57 2011 -0700 process_ra() has numerous missed len checks. It leads to buffer overreads. Index: radvd-1.3/process.c =================================================================== --- radvd-1.3.orig/process.c 2011-10-19 12:17:27.000000000 +0200 +++ radvd-1.3/process.c 2011-10-19 12:20:31.000000000 +0200 
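Review bot: The new guard is placed after `snprintf` has already formatted the untrusted `iface` into `spath`; validate first, i.e. move the added `if (!iface[0] || !strcmp(iface, ".") || !strcmp(iface, "..") || strchr(iface, '/'))` block above the `snprintf` check, so a rejected name never takes part in path construction. Rejecting empty, `.`, `..` and anything containing `/` is the right shape for a name that is spliced into a filesystem path, and as far as the hunk shows this check is the only barrier on this side of the privsep channel. If these are expected to be kernel interface names, also rejecting `strlen(iface) >= IFNAMSIZ` here makes the intent explicit instead of relying on the `snprintf` truncation test. The rest of set_interface_var is outside the hunk.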
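Review bot: `perror("Failed to initialize privsep.")` reports only to stderr, whereas the line it replaces went through `flog` to the daemon's log; if stderr has been closed or redirected by the time main() reaches this point (not visible in the hunk) the reason for the exit is lost. Log through the existing facility as well, e.g. `flog(LOG_ERR, "Failed to initialize privsep: %s", strerror(errno));` before the `exit(1)`. Whether privsep_init() sets errno on every failure path is not visible here; if it does not, the plain `flog(LOG_ERR, "Failed to initialize privsep.");` is the safer line. The enclosing main() continues outside the hunk.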
@@ -308,6 +308,8 @@ process_ra(struct Interface *iface, unsi { case ND_OPT_MTU: mtu = (struct nd_opt_mtu *)opt_str; + if (len < sizeof(*mtu)) + return; if (iface->AdvLinkMTU && (ntohl(mtu->nd_opt_mtu_mtu) != iface->AdvLinkMTU)) { @@ -317,6 +319,8 @@ process_ra(struct Interface *iface, unsi break; case ND_OPT_PREFIX_INFORMATION: pinfo = (struct nd_opt_prefix_info *) opt_str; + if (len < sizeof(*pinfo)) + return; preferred = ntohl(pinfo->nd_opt_pi_preferred_time); valid = ntohl(pinfo->nd_opt_pi_valid_time); @@ -371,6 +375,8 @@ process_ra(struct Interface *iface, unsi break; case ND_OPT_RDNSS_INFORMATION: rdnssinfo = (struct nd_opt_rdnss_info_local *) opt_str; + if (len < sizeof(*rdnssinfo)) + return; count = rdnssinfo->nd_opt_rdnssi_len; /* Check the RNDSS addresses received */ ++++++ bnc721968_5.patch ++++++ References: CVE-2011-3605, bnc#721968 commit 2591d0189257caeaae2057dfed0a260310497a61 Author: Reuben Hawkins <[email protected]> Date: Tue Oct 4 13:18:47 2011 -0700 removing mdelay in unicast only case Index: radvd-1.3/process.c =================================================================== --- radvd-1.3.orig/process.c 2011-10-19 12:20:31.000000000 +0200 +++ radvd-1.3/process.c 2011-10-19 12:23:34.000000000 +0200 
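Review bot: The new `if (len < sizeof(*mtu)) return;` guard, and the matching prefix-information and RDNSS guards in the two hunks that follow, discard the whole advertisement silently, so a truncated or malformed RA from the link leaves no trace in the log; add a debug line before each return, such as `dlog(LOG_DEBUG, 4, "truncated option in RA, ignoring");` (using whatever sender or interface detail process_ra already has in scope). `len` is compared with a `size_t` and its declaration is outside the hunk (the header shows only `unsi...`), so confirm it is an unsigned type, since a negative signed value would pass these checks after conversion. process_ra begins and ends outside the hunk.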
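Review bot: `if (len < sizeof(*rdnssinfo)) return;` is probably too strict: the send-side hunk in bnc721968_9.patch sizes the same struct as `sizeof(*rdnssinfo) - (3-rdnss->AdvRDNSSNumber)*sizeof(struct in6_addr)`, which indicates a fixed three-address layout, so a well-formed RDNSS option carrying one or two addresses would now cause the entire RA to be dropped. Check the option header first, then the length the option itself claims once `count` has been read, `if (len < (size_t)count * 8) return;`, assuming `count` is the usual length-in-8-octet-units field. Whether the address loop below is already bounded by `count` is outside the hunk.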
@@ -191,7 +191,6 @@ process_rs(int sock, struct Interface *i dlog(LOG_DEBUG, 3, "random mdelay for %s: %.2f", iface->Name, delay); if (iface->UnicastOnly) { - mdelay(delay); send_ra_forall(sock, iface, &addr->sin6_addr); } else if ((tv.tv_sec + tv.tv_usec / 1000000.0) - (iface->last_multicast_sec + ++++++ bnc721968_6.patch ++++++ References: bnc#721968 commit 35c0b9e6355905901672f3eb15eaa40bf8ef0683 Author: Reuben Hawkins <[email protected]> Date: Tue Oct 4 13:33:04 2011 -0700 removing debugging output from signal handlers modified: radvd.c Index: radvd-1.3/radvd.c =================================================================== --- radvd-1.3.orig/radvd.c 2011-10-19 12:18:57.000000000 +0200 +++ radvd-1.3/radvd.c 2011-10-19 14:47:46.000000000 +0200 @@ -502,8 +502,6 @@ sighup_handler(int sig) /* Linux has "one-shot" signals, reinstall the signal handler */ signal(SIGHUP, sighup_handler); - dlog(LOG_DEBUG, 4, "sighup_handler called"); - sighup_received = 1; } @@ -513,8 +511,6 @@ sigterm_handler(int sig) /* Linux has "one-shot" signals, reinstall the signal handler */ signal(SIGTERM, sigterm_handler); - dlog(LOG_DEBUG, 4, "sigterm_handler called"); - sigterm_received = 1; } @@ -524,8 +520,6 @@ sigint_handler(int sig) /* Linux has "one-shot" signals, reinstall the signal handler */ signal(SIGINT, sigint_handler); - dlog(LOG_DEBUG, 4, "sigint_handler called"); - sigint_received = 1; } ++++++ bnc721968_7.patch ++++++ References: bnc#721968 commit 5cd9c1cdced25c496ef8f635d80b49f321d6ce64 Author: Vasiliy Kulikov <[email protected]> Date: Tue Oct 4 00:41:49 2011 -0700 check_allrouters_membership() should propagate setup_allrouters_membership() return code. Index: radvd-1.3/device-linux.c =================================================================== --- radvd-1.3.orig/device-linux.c 2011-10-19 12:17:33.000000000 +0200 +++ radvd-1.3/device-linux.c 2011-10-19 14:49:44.000000000 +0200 
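Review bot: Nothing in the hunk says why the unicast-only branch no longer delays, while the `dlog(LOG_DEBUG, 3, "random mdelay for %s: %.2f", ...)` line above still announces a delay that this branch does not apply; add a comment on the `if (iface->UnicastOnly) {` line, for example `/* Reply immediately: blocking in mdelay() on every solicitation was CVE-2011-3605. */`, so the call is not reintroduced later. Consider also moving that dlog into the multicast branch, or rewording it, so the log does not claim a delay that did not happen. The multicast branch and the rest of process_rs continue outside the hunk.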
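Review bot: Dropping the `dlog(LOG_DEBUG, 4, "sighup_handler called")` call is the right move because whatever dlog writes to (syslog or stdio, not visible here) is not async-signal-safe, but the handler does not record that reasoning, and the same applies to the sigterm_handler and sigint_handler hunks below; add `/* No logging here: dlog() is not async-signal-safe. */` above the flag assignment in each handler. The flags `sighup_received`, `sigterm_received` and `sigint_received` are declared outside the hunk; confirm they are `volatile sig_atomic_t` so the main loop reliably observes the store.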
@@ -220,7 +220,7 @@ int check_allrouters_membership(int sock if (!allrouters_ok) { flog(LOG_WARNING, "resetting ipv6-allrouters membership on %s", iface->Name); - setup_allrouters_membership(sock, iface); + return setup_allrouters_membership(sock, iface); } return(0); ++++++ bnc721968_8.patch ++++++ References: bnc#721968 commit 074816cd0b37aac7b3209987e6e998f0a847b275 Author: Vasiliy Kulikov <[email protected]> Date: Tue Oct 4 00:43:20 2011 -0700 privsep_read_loop() should return on unprivileged daemon death / socket close(), not loop forever with polling read() getting -1. Index: radvd-1.3/privsep-linux.c =================================================================== --- radvd-1.3.orig/privsep-linux.c 2008-01-24 18:08:46.000000000 +0100 +++ radvd-1.3/privsep-linux.c 2011-10-19 14:49:53.000000000 +0200 @@ -57,7 +57,7 @@ privsep_read_loop(void) } if (ret != sizeof(cmd)) { /* Short read, ignore */ - continue; + return; } cmd.iface[IFNAMSIZ-1] = '\0'; ++++++ bnc721968_9.patch ++++++ References: bnc#721968 commit dd8fdaa88643056ce41f6fc68228ac1471f7ce05 Author: Reuben Hawkins <[email protected]> Date: Thu Oct 6 08:37:09 2011 -0700 properly tracking buffer usage in rdnss commit 812ade3a8dde2cd9afba4d9f744222ad4c128f33 Author: Reuben Hawkins <[email protected]> Date: Thu Oct 6 08:44:07 2011 -0700 starting off buffer usage tracking using send_ra_inc_len commit 0dac8110263c11b1e27c25aa868e2bd8ca3e728c Author: Reuben Hawkins <[email protected]> Date: Thu Oct 6 08:40:30 2011 -0700 properly tracking buffer usage in prefix commit 37ab5a5fa784836d9e8440fc8f36addf2ca5676b Author: Reuben Hawkins <[email protected]> Date: Thu Oct 6 08:39:43 2011 -0700 properly tracking buffer usage in route Index: radvd-1.3/send.c =================================================================== --- radvd-1.3.orig/send.c 2011-10-19 16:44:44.000000000 +0200 +++ radvd-1.3/send.c 2011-10-19 17:38:18.000000000 +0200 
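Review bot: `if (ret != sizeof(cmd)) { return; }` now ends the privileged read loop on any read that is not exactly one command, which covers the intended EOF case (`ret == 0`) but also a genuine partial read; if the channel is a stream socket (not visible here) a loop that accumulates `sizeof(cmd)` bytes would be the stricter fix, while on a datagram socket the check is fine as written. Either way the surviving comment `/* Short read, ignore */` is now wrong: change it to `/* Short read or EOF: the unprivileged side is gone, stop serving */` and log the event through `flog` before returning, so that an unexpected loss of the privileged helper is visible. Whether returning here also terminates the privileged process, and the handling of `ret < 0`, are outside the hunk.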
@@ -67,6 +67,17 @@ send_ra_forall(int sock, struct Interfac dlog(LOG_DEBUG, 5, "Not answering request from %s, not configured", address_text); } +static void +send_ra_inc_len(size_t *len, int add) +{ + *len += add; + if(*len >= MSG_SIZE) + { + flog(LOG_ERR, "Too many prefixes, routes, rdnss or dnssl to fit in buffer. Exiting."); + exit(1); + } +} + void send_ra(int sock, struct Interface *iface, struct in6_addr *dest) { @@ -131,6 +142,8 @@ send_ra(int sock, struct Interface *ifac memset(&buff, 0, sizeof(buff)); radvert = (struct nd_router_advert *) buff; + send_ra_inc_len(&len, sizeof(struct nd_router_advert)); + radvert->nd_ra_type = ND_ROUTER_ADVERT; radvert->nd_ra_code = 0; radvert->nd_ra_cksum = 0; @@ -152,8 +165,6 @@ send_ra(int sock, struct Interface *ifac radvert->nd_ra_reachable = htonl(iface->AdvReachableTime); radvert->nd_ra_retransmit = htonl(iface->AdvRetransTimer); - len = sizeof(struct nd_router_advert); - prefix = iface->AdvPrefixList; /* @@ -168,6 +179,8 @@ send_ra(int sock, struct Interface *ifac pinfo = (struct nd_opt_prefix_info *) (buff + len); + send_ra_inc_len(&len, sizeof(*pinfo)); + pinfo->nd_opt_pi_type = ND_OPT_PREFIX_INFORMATION; pinfo->nd_opt_pi_len = 4; pinfo->nd_opt_pi_prefix_len = prefix->PrefixLen; @@ -187,7 +200,6 @@ send_ra(int sock, struct Interface *ifac memcpy(&pinfo->nd_opt_pi_prefix, &prefix->Prefix, sizeof(struct in6_addr)); - len += sizeof(*pinfo); } prefix = prefix->next; @@ -205,6 +217,8 @@ send_ra(int sock, struct Interface *ifac rinfo = (struct nd_opt_route_info_local *) (buff + len); + send_ra_inc_len(&len, sizeof(*rinfo)); + rinfo->nd_opt_ri_type = ND_OPT_ROUTE_INFORMATION; /* XXX: the prefixes are allowed to be sent in smaller chunks as well */ rinfo->nd_opt_ri_len = 3; @@ -216,7 +230,6 @@ send_ra(int sock, struct Interface *ifac memcpy(&rinfo->nd_opt_ri_prefix, &route->Prefix, sizeof(struct in6_addr)); - len += sizeof(*rinfo); route = route->next; } 
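Review bot: `send_ra_inc_len(size_t *len, int add)` receives a `sizeof` expression at every call site, so each call narrows a `size_t` to `int`, and a negative `add` would silently shrink `*len`; declare it `static void send_ra_inc_len(size_t *len, size_t add)`. The guard `*len >= MSG_SIZE` also refuses a buffer that is exactly full, which is harmless but worth a comment, and `exit(1)` from inside send_ra stops the daemon for an oversized configuration rather than for hostile input, which deserves a one-line header comment stating that this fail-stop is deliberate. The same narrowing occurs at the rdnss call in the last hunk.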
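Review bot: The new `send_ra_inc_len(&len, sizeof(struct nd_router_advert));` adds to `len` where the removed `len = sizeof(struct nd_router_advert);` assigned it, so the result is only correct if `len` starts at zero; its declaration is outside the hunk, so confirm it reads `size_t len = 0;` (or add the initializer), otherwise every option offset in the buffer depends on an uninitialized value. A comment at this call, `/* len starts at 0; every option below grows it through send_ra_inc_len() */`, makes the invariant explicit.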
@@ -233,6 +246,8 @@ send_ra(int sock, struct Interface *ifac rdnssinfo = (struct nd_opt_rdnss_info_local *) (buff + len); + send_ra_inc_len(&len, sizeof(*rdnssinfo) - (3-rdnss->AdvRDNSSNumber)*sizeof(struct in6_addr)); + rdnssinfo->nd_opt_rdnssi_type = ND_OPT_RDNSS_INFORMATION; rdnssinfo->nd_opt_rdnssi_len = 1 + 2*rdnss->AdvRDNSSNumber; rdnssinfo->nd_opt_rdnssi_pref_flag_reserved = @@ -248,7 +263,6 @@ send_ra(int sock, struct Interface *ifac sizeof(struct in6_addr)); memcpy(&rdnssinfo->nd_opt_rdnssi_addr3, &rdnss->AdvRDNSSAddr3, sizeof(struct in6_addr)); - len += sizeof(*rdnssinfo) - (3-rdnss->AdvRDNSSNumber)*sizeof(struct in6_addr); rdnss = rdnss->next; }
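Review bot: The byte count passed to `send_ra_inc_len` and the `nd_opt_rdnssi_len = 1 + 2*rdnss->AdvRDNSSNumber` field are two separate encodings of the same option size, and nothing ties them together; derive both from one local, e.g. `size_t rdnss_bytes = 8 + rdnss->AdvRDNSSNumber * sizeof(struct in6_addr);` followed by `send_ra_inc_len(&len, rdnss_bytes);` and `rdnssinfo->nd_opt_rdnssi_len = rdnss_bytes / 8;`, assuming the option header is the usual 8 octets. The `(3-rdnss->AdvRDNSSNumber)` subtraction relies on the configuration parser capping AdvRDNSSNumber at three, which is not visible on the page; a comment stating that invariant at this line would help the next reader. The rest of the rdnss loop continues outside the hunk.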
