Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package dhcp for openSUSE:Factory checked in
at 2022-10-10 18:44:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dhcp (Old)
and /work/SRC/openSUSE:Factory/.dhcp.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dhcp"
Mon Oct 10 18:44:16 2022 rev:135 rq:1008224 version:4.4.2.P1
Changes:
--------
--- /work/SRC/openSUSE:Factory/dhcp/dhcp.changes 2022-04-28
23:07:08.068632984 +0200
+++ /work/SRC/openSUSE:Factory/.dhcp.new.2275/dhcp.changes 2022-10-10
18:44:42.086886593 +0200
@@ -1,0 +2,8 @@
+Wed Oct 5 14:01:47 UTC 2022 - Reinhard Max <m...@suse.com>
+
+- bsc#1203988, CVE-2022-2928, dhcp-CVE-2022-2928.patch:
+ An option refcount overflow exists in dhcpd
+- bsc#1203989, CVE-2022-2929, dhcp-CVE-2022-2929.patch:
+ DHCP memory leak
+
+-------------------------------------------------------------------
New:
----
dhcp-CVE-2022-2928.patch
dhcp-CVE-2022-2929.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dhcp.spec ++++++
--- /var/tmp/diff_new_pack.8zVhJ3/_old 2022-10-10 18:44:43.854890399 +0200
+++ /var/tmp/diff_new_pack.8zVhJ3/_new 2022-10-10 18:44:43.858890407 +0200
@@ -96,6 +96,8 @@
# PATCH-FIX-SLE dhcp-4.2.4-P1-interval bsc#947780
Patch20: 0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch
Patch21: 0021-dhcp-ip-family-symlinks.patch
+Patch22: dhcp-CVE-2022-2928.patch
+Patch23: dhcp-CVE-2022-2929.patch
BuildRequires: automake
BuildRequires: dos2unix
BuildRequires: libtool
@@ -209,6 +211,8 @@
%patch18 -p1
%patch20
%patch21
+%patch22
+%patch23
##
find . -type f -name \*.cat\* -exec rm -f {} \;
dos2unix contrib/ms2isc/*
++++++ dhcp-CVE-2022-2928.patch ++++++
--- common/options.c.orig
+++ common/options.c
@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
if (!option_cache_allocate(&oc, MDL)) {
log_error("No memory for option cache adding %s (option %d).",
option->name, option_num);
+ /* Get rid of reference created during hash lookup. */
+ option_dereference(&option, MDL);
return 0;
}
@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
MDL)) {
log_error("No memory for constant data adding %s (option %d).",
option->name, option_num);
+ /* Get rid of reference created during hash lookup. */
+ option_dereference(&option, MDL);
option_cache_dereference(&oc, MDL);
return 0;
}
@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
save_option(&dhcp_universe, options, oc);
option_cache_dereference(&oc, MDL);
+ /* Get rid of reference created during hash lookup. */
+ option_dereference(&option, MDL);
+
return 1;
}
--- common/tests/option_unittest.c.orig
+++ common/tests/option_unittest.c
@@ -213,6 +213,59 @@ ATF_TC_BODY(parse_X, tc)
}
}
+ATF_TC(add_option_ref_cnt);
+
+ATF_TC_HEAD(add_option_ref_cnt, tc)
+{
+ atf_tc_set_md_var(tc, "descr",
+ "Verify add_option() does not leak option ref counts.");
+}
+
+ATF_TC_BODY(add_option_ref_cnt, tc)
+{
+ struct option_state *options = NULL;
+ struct option *option = NULL;
+ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
+ char *cid_str = "1234";
+ int refcnt_before = 0;
+
+ // Look up the option we're going to add.
+ initialize_common_option_spaces();
+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
+ &cid_code, 0, MDL)) {
+ atf_tc_fail("cannot find option definition?");
+ }
+
+ // Get the option's reference count before we call add_options.
+ refcnt_before = option->refcnt;
+
+ // Allocate a option_state to which to add an option.
+ if (!option_state_allocate(&options, MDL)) {
+ atf_tc_fail("cannot allocat options state");
+ }
+
+ // Call add_option() to add the option to the option state.
+ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
+ atf_tc_fail("add_option returned 0");
+ }
+
+ // Verify that calling add_option() only adds 1 to the option ref count.
+ if (option->refcnt != (refcnt_before + 1)) {
+ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
+ refcnt_before, option->refcnt);
+ }
+
+ // Derefrence the option_state, this should reduce the ref count to
+ // it's starting value.
+ option_state_dereference(&options, MDL);
+
+ // Verify that dereferencing option_state restores option ref count.
+ if (option->refcnt != refcnt_before) {
+ atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
+ refcnt_before, option->refcnt);
+ }
+}
+
/* This macro defines main() method that will call specified
test cases. tp and simple_test_case names can be whatever you want
as long as it is a valid variable identifier. */
@@ -221,6 +274,7 @@ ATF_TP_ADD_TCS(tp)
ATF_TP_ADD_TC(tp, option_refcnt);
ATF_TP_ADD_TC(tp, pretty_print_option);
ATF_TP_ADD_TC(tp, parse_X);
+ ATF_TP_ADD_TC(tp, add_option_ref_cnt);
return (atf_no_error());
}
++++++ dhcp-CVE-2022-2929.patch ++++++
--- common/options.c.orig
+++ common/options.c
@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_
while (s < &bp -> data[0] + length + 2) {
len = *s;
if (len > 63) {
- log_info ("fancy bits in fqdn option");
- return 0;
+ log_info ("label length exceeds 63 in fqdn
option");
+ goto bad;
}
if (len == 0) {
terminated = 1;
break;
}
if (s + len > &bp -> data [0] + length + 3) {
- log_info ("fqdn tag longer than buffer");
- return 0;
+ log_info ("fqdn label longer than buffer");
+ goto bad;
}
if (first_len == 0) {
