Hello community,

here is the log from the commit of package dhcp for openSUSE:11.3
checked in at Fri Dec 9 16:36:06 CET 2011.



--------
--- old-versions/11.3/UPDATES/all/dhcp/dhcp.changes     2011-08-30 
10:35:54.000000000 +0200
+++ 11.3/dhcp/dhcp.changes      2011-12-09 14:22:11.000000000 +0100
@@ -1,0 +2,10 @@
+Fri Dec  9 13:20:44 UTC 2011 - [email protected]
+
+- Applied security fix for a DoS due to processing certain regular
+  expressions, extracted from 4.2.3-P1 (bnc#735610, CVE-2011-4539):
+  * Add a check for a null pointer before calling the regexec function.
+    Without out this check we could, under some circumstances, pass
+    a null pointer to the regexec function causing it to segfault.
+    Thanks to a report from BlueCat Networks. [ISC-Bugs #26704]
+
+-------------------------------------------------------------------
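Review bot: The bullet text in this entry has a duplicated word, "Without out this check", which should read "Without this check". The entry also does not mention that the patch changes the dhcp-eval.5 man page (the diffstat lists common/dhcp-eval.5 alongside common/tree.c); one extra line saying the documented behaviour of the regex operators was updated would make the changelog complete.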

calling whatdependson for 11.3-i586


New:
----
  dhcp-4.2.2-CVE-2011-4539-regex-DoS.bnc735610.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ dhcp.spec ++++++
--- /var/tmp/diff_new_pack.oQpTVW/_old  2011-12-09 16:34:15.000000000 +0100
+++ /var/tmp/diff_new_pack.oQpTVW/_new  2011-12-09 16:34:15.000000000 +0100
@@ -33,7 +33,7 @@
 Group:          Productivity/Networking/Boot/Servers
 AutoReqProv:    on
 Version:        4.1.2.ESV.1
-Release:        0.<RELEASE10>
+Release:        0.<RELEASE12>
 Summary:        Common Files Used by ISC DHCP Software
 Url:            http://www.isc.org/software/dhcp
 Source0:        dhcp-%{isc_version}.tar.bz2
@@ -85,6 +85,7 @@
 Patch43:        dhcp-4.1-ESV-R1-xen-checksum.patch
 Patch44:        dhcp-4.1-ESV-R1-CVE-2011-2748_2749.diff
 Patch45:        dhcp-4.2.2-quiet-dhclient.bnc711420.diff
+Patch46:        dhcp-4.2.2-CVE-2011-4539-regex-DoS.bnc735610.diff
 ##
 PreReq:         /bin/touch /sbin/chkconfig sysconfig
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
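Review bot: The new Patch46 line names the file dhcp-4.2.2-..., while Version in this spec is 4.1.2.ESV.1 and the changelog says the fix was extracted from 4.2.3-P1. It is worth confirming that the patch applies to this source tree without fuzz or offset, and considering a file name that reflects the version it was rebased to, as Patch43 and Patch44 do with their dhcp-4.1-ESV-R1- prefix.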
@@ -211,6 +212,7 @@
 %patch43 -p1
 %patch44 -p1
 %patch45 -p1
+%patch46 -p1
 ##
 find . -type f -name \*.cat\* -exec rm -f {} \;
 dos2unix contrib/ms2isc/*

++++++ dhcp-4.2.2-CVE-2011-4539-regex-DoS.bnc735610.diff ++++++
From 34f5e08fd3265f950b460dd5886d15984e69a765 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <[email protected]>
Date: Fri, 9 Dec 2011 13:45:53 +0100
Subject: [PATCH] CVE-2011-4539 regex DoS

Extracted from 4.2.3-P1:
Add a check for a null pointer before calling the regexec function.
Without this check we could, under some circumstances, pass
a null pointer to the regexec function causing it to segfault.
Thanks to a report from BlueCat Networks. [ISC-Bugs #26704].

Signed-off-by: Marius Tomaschewski <[email protected]>
---
 common/dhcp-eval.5 |    4 ++--
 common/tree.c      |    1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/common/dhcp-eval.5 b/common/dhcp-eval.5
index 7228929..55765d4 100644
--- a/common/dhcp-eval.5
+++ b/common/dhcp-eval.5
@@ -133,8 +133,8 @@ extended regex(7) matching of the values of two data 
expressions, returning
 true if \fIdata-expression-1\fR matches against the regular expression
 evaluated by \fIdata-expression-2\fR, or false if it does not match or
 encounters some error.  If either the left-hand side or the right-hand side 
-are null, the result is also false.  The \fB~~\fR operator differs from the
-\fB~=\fR operator in that it is case-insensitive.
+are null or empty strings, the result is also false.  The \fB~~\fR operator
+differs from the \fB~=\fR operator in that it is case-insensitive.
 .RE
 .PP
 .I boolean-expression-1 \fBand\fR \fIboolean-expression-2\fR
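Review bot: The new wording promises a false result for "null or empty strings", but the matching change in common/tree.c only tests `left.data != NULL` and `right.data != NULL`. If an empty string can reach the operator with a non-NULL data pointer, the documented result is not guaranteed by that check; either add an explicit emptiness test in the code or limit the man page wording to the null case.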
diff --git a/common/tree.c b/common/tree.c
index d09107b..3c978b0 100644
--- a/common/tree.c
+++ b/common/tree.c
@@ -1120,6 +1120,7 @@ int evaluate_boolean_expression (result, packet, lease, 
client_state,
                *result = 0;
                memset(&re, 0, sizeof(re));
                if (bleft && bright &&
+                   (left.data != NULL) && (right.data != NULL) &&
                    (regcomp(&re, (char *)right.data, regflags) == 0) &&
                    (regexec(&re, (char *)left.data, (size_t)0, NULL, 0) == 0))
                                *result = 1;
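Review bot: The added `(left.data != NULL) && (right.data != NULL)` test carries no comment explaining how `bleft` and `bright` can both be true while a data pointer is still NULL, so a later reader cannot tell whether this is the only degenerate case. The two `(char *)` casts on the following lines also hand the buffers to regcomp and regexec as C strings, and nothing in this hunk checks a length or terminator; a short comment stating that both buffers are NUL-terminated whenever they are non-NULL, or a check if they are not, would close that gap.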
-- 
1.7.3.4


