Control: retitle -1 unblock dhcpcd5/7.1.0-2

On 2019-05-02.18:38, Paul Gevers wrote:
> We very much prefer you to try and cherry-pick at this point of the
> release cycle.

Hi Paul,

Please unblock package dhcpcd5.

See attached for the debdiff between the version of dhcpcd5 currently in
testing and unstable (7.1.0-1), and my proposed update (7.1.0-2).

The changes cherry-pick patches from upstream to address four security
issues disclosed in the last week or so.

The changelog entry is:

  dhcpcd5 (7.1.0-2) unstable; urgency=high
  
    * Apply upstream patches to fix potential security vulnerabilities
      (Closes: #928056, #928104, #928105, #928440)
    * Add lintian override for upstream patch spelling
  
   -- Scott Leggett <sc...@sl.id.au>  Sun, 05 May 2019 21:55:14 +0800

-- 
Regards,
Scott Leggett.
diff -Nru dhcpcd5-7.1.0/debian/changelog dhcpcd5-7.1.0/debian/changelog
--- dhcpcd5-7.1.0/debian/changelog      2019-02-07 05:54:56.000000000 +0800
+++ dhcpcd5-7.1.0/debian/changelog      2019-05-05 21:55:14.000000000 +0800
@@ -1,3 +1,11 @@
+dhcpcd5 (7.1.0-2) unstable; urgency=high
+
+  * Apply upstream patches to fix potential security vulnerabilities
+    (Closes: #928056, #928104, #928105, #928440)
+  * Add lintian override for upstream patch spelling
+
+ -- Scott Leggett <sc...@sl.id.au>  Sun, 05 May 2019 21:55:14 +0800
+
 dhcpcd5 (7.1.0-1) unstable; urgency=low
 
   * Upstream release 7.1.0
diff -Nru dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch 
dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch
--- dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch 2019-02-07 
05:54:56.000000000 +0800
+++ dhcpcd5-7.1.0/debian/patches/0001-Fix-typo-in-manpage.patch 2019-05-05 
21:54:20.000000000 +0800
@@ -7,7 +7,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/dhcpcd.conf.5.in b/src/dhcpcd.conf.5.in
-index c3e01d6..98a038a 100644
+index f792b15..b950fa0 100644
 --- a/src/dhcpcd.conf.5.in
 +++ b/src/dhcpcd.conf.5.in
 @@ -83,7 +83,7 @@ is
diff -Nru 
dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
 
dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
--- 
dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
        1970-01-01 08:00:00.000000000 +0800
+++ 
dhcpcd5-7.1.0/debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
        2019-05-05 21:54:20.000000000 +0800
@@ -0,0 +1,33 @@
+From: Roy Marples <r...@marples.name>
+Date: Fri, 19 Apr 2019 09:45:02 +0100
+Subject: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
+
+Only copy upto the size of the address option rather than the
+option length.
+
+Found by Maxime Villard <m...@m00nbsd.net>
+
+(cherry picked from commit 8d11b33f6c60e2db257130fa383ba76b6018bcf6)
+---
+ src/dhcp6.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 6fef989..26db219 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2016,12 +2016,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const 
uint8_t *iaid,
+               nd = o + ol;
+               l -= (size_t)(nd - d);
+               d = nd;
+-              if (ol < 24) {
++              if (ol < sizeof(ia)) {
+                       errno = EINVAL;
+                       logerrx("%s: IA Address option truncated", ifp->name);
+                       continue;
+               }
+-              memcpy(&ia, o, ol);
++              memcpy(&ia, o, sizeof(ia));
+               ia.pltime = ntohl(ia.pltime);
+               ia.vltime = ntohl(ia.vltime);
+               /* RFC 3315 22.6 */
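Review bot: The new bound in dhcp6_findna, `if (ol < sizeof(ia))` followed by `memcpy(&ia, o, sizeof(ia));`, matches the old 24-byte wire check only if the type of `ia` has no padding. Its definition is outside this hunk, so that should be confirmed. A compile-time check next to the declaration would pin it, for example `_Static_assert(sizeof(ia) == 24, "IA Address option body is 24 bytes");` or the project's own equivalent. With that in place, a later change to the struct cannot silently reject valid 24-byte options or misplace the pltime/vltime fields. The enclosing loop starts and ends outside the hunk.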
diff -Nru 
dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
 
dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
--- 
dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
        1970-01-01 08:00:00.000000000 +0800
+++ 
dhcpcd5-7.1.0/debian/patches/0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
        2019-05-05 21:54:20.000000000 +0800
@@ -0,0 +1,42 @@
+From: Roy Marples <r...@marples.name>
+Date: Fri, 19 Apr 2019 21:00:19 +0100
+Subject: DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
+
+This fix basically moves the option length check up and also
+corrects an off by one error with it.
+
+Thanks to Maxime Villard <m...@m00nbsd.net>
+
+(cherry picked from commit 4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8)
+---
+ src/dhcp.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/dhcp.c b/src/dhcp.c
+index 1816034..502c592 100644
+--- a/src/dhcp.c
++++ b/src/dhcp.c
+@@ -212,6 +212,12 @@ get_option(struct dhcpcd_ctx *ctx,
+               }
+               l = *p++;
+ 
++              /* Check we can read the option data, if present */
++              if (p + l > e) {
++                      errno = EINVAL;
++                      return NULL;
++              }
++
+               if (o == DHO_OPTSOVERLOADED) {
+                       /* Ensure we only get this option once by setting
+                        * the last bit as well as the value.
+@@ -246,10 +252,6 @@ get_option(struct dhcpcd_ctx *ctx,
+                               bp += ol;
+                       }
+                       ol = l;
+-                      if (p + ol >= e) {
+-                              errno = EINVAL;
+-                              return NULL;
+-                      }
+                       op = p;
+                       bl += ol;
+               }
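Review bot: The added guard `if (p + l > e)` in get_option forms the pointer `p + l` before comparing it. When the option length runs past the end of the buffer, that pointer is already out of range, which C leaves undefined and which an optimizer may assume cannot happen. Comparing lengths avoids forming it: `if (l > (size_t)(e - p)) {`. This assumes `p <= e` holds here, which the check just above the hunk (not visible) presumably establishes. The function body begins and ends outside the hunk.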
diff -Nru 
dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
 
dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
--- 
dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
     1970-01-01 08:00:00.000000000 +0800
+++ 
dhcpcd5-7.1.0/debian/patches/0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
     2019-05-05 21:54:20.000000000 +0800
@@ -0,0 +1,113 @@
+From: Roy Marples <r...@marples.name>
+Date: Fri, 19 Apr 2019 21:40:14 +0100
+Subject: auth: Use consttime_memequal(3) to compare hashes
+
+This stops any attacker from trying to infer secrets from latency.
+
+Thanks to Maxime Villard <m...@m00nbsd.net>
+
+(cherry picked from commit 7121040790b611ca3fbc400a1bbcd4364ef57233)
+
+compat: Provide consttime_memequal if not in libc
+
+Public domain version by Matthias Drochner <droch...@netbsd.org>
+
+(cherry picked from commit cfde89ab66cb4e5957b1c4b68ad6a9449e2784da)
+
+Really add consttime_memequal
+
+(cherry picked from commit aee631aadeef4283c8a749c1caf77823304acf5e)
+---
+ compat/consttime_memequal.h | 28 ++++++++++++++++++++++++++++
+ configure                   | 22 ++++++++++++++++++++++
+ src/auth.c                  |  2 +-
+ 3 files changed, 51 insertions(+), 1 deletion(-)
+ create mode 100644 compat/consttime_memequal.h
+
+diff --git a/compat/consttime_memequal.h b/compat/consttime_memequal.h
+new file mode 100644
+index 0000000..9830648
+--- /dev/null
++++ b/compat/consttime_memequal.h
+@@ -0,0 +1,28 @@
++/*
++ * Written by Matthias Drochner <droch...@netbsd.org>.
++ * Public domain.
++ */
++
++#ifndef CONSTTIME_MEMEQUAL_H
++#define CONSTTIME_MEMEQUAL_H
++inline static int
++consttime_memequal(const void *b1, const void *b2, size_t len)
++{
++      const unsigned char *c1 = b1, *c2 = b2;
++      unsigned int res = 0;
++
++      while (len--)
++              res |= *c1++ ^ *c2++;
++
++      /*
++       * Map 0 to 1 and [1, 256) to 0 using only constant-time
++       * arithmetic.
++       *
++       * This is not simply `!res' because although many CPUs support
++       * branchless conditional moves and many compilers will take
++       * advantage of them, certain compilers generate branches on
++       * certain CPUs for `!res'.
++       */
++      return (1 & ((res - 1) >> 8));
++}
++#endif /* CONSTTIME_MEMEQUAL_H */
+diff --git a/configure b/configure
+index d0a80ba..0dce3bd 100755
+--- a/configure
++++ b/configure
+@@ -13,6 +13,7 @@ IPV4LL=
+ INET6=
+ ARC4RANDOM=
+ CLOSEFROM=
++CONSTTIME_MEMEQUAL=
+ STRLCPY=
+ UDEV=
+ OS=
+@@ -846,6 +847,27 @@ if [ "$STRTOI" = no ]; then
+       echo "#include                  \"compat/strtoi.h\"" >>$CONFIG_H
+ fi
+ 
++if [ -z "$CONSTTIME_MEMEQUAL" ]; then
++      printf "Testing for consttime_memequal ... "
++      cat <<EOF >_consttime_memequal.c
++#include <string.h>
++int main(void) {
++      return consttime_memequal("deadbeef", "deadbeef", 8);
++}
++EOF
++      if $XCC _consttime_memequal.c -o _consttime_memequal 2>&3; then
++              CONSTTIME_MEMEQUAL=yes
++      else
++              CONSTTIME_MEMEQUAL=no
++      fi
++      echo "$CONSTTIME_MEMEQUAL"
++      rm -f _consttime_memequal.c _consttime_memequal
++fi
++if [ "$CONSTTIME_MEMEQUAL" = no ]; then
++      echo "#include                  \"compat/consttime_memequal.h\"" \
++          >>$CONFIG_H
++fi
++
+ if [ -z "$DPRINTF" ]; then
+       printf "Testing for dprintf ... "
+       cat <<EOF >_dprintf.c
+diff --git a/src/auth.c b/src/auth.c
+index 9e24998..ce97051 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -354,7 +354,7 @@ gottoken:
+       }
+ 
+       free(mm);
+-      if (memcmp(d, &hmac_code, dlen)) {
++      if (!consttime_memequal(d, &hmac_code, dlen)) {
+               errno = EPERM;
+               return NULL;
+       }
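Review bot: compat/consttime_memequal.h uses `size_t` in its prototype but includes nothing, so it only compiles if whatever pulls in config.h has already seen a header that declares it. Adding `#include <stddef.h>` right after the include guard would make the header self-contained. Separately, in src/auth.c the call `consttime_memequal(d, &hmac_code, dlen)` compares `dlen` bytes against `hmac_code`, and the code that sets `dlen` is outside the hunk. It is worth confirming that `dlen` is already required to equal `sizeof(hmac_code)` before this line, since otherwise the comparison would read past the computed digest.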
diff -Nru 
dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
 
dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
--- 
dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
        1970-01-01 08:00:00.000000000 +0800
+++ 
dhcpcd5-7.1.0/debian/patches/0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
        2019-05-05 21:54:20.000000000 +0800
@@ -0,0 +1,88 @@
+From: Roy Marples <r...@marples.name>
+Date: Fri, 3 May 2019 14:44:06 +0100
+Subject: DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE
+
+dhcpcd only checks that the prefix length of the exclusion
+matches the prefix length of the ia and equals the length of the
+data in the option.
+This could potentially overrun the in6_addr structure.
+
+This is fixed by enforcing RFC 6603 section 4.2 option limits
+more clearly.
+
+Thanks to Maxime Villard <m...@m00nbsd.net> for finding this.
+
+(cherry picked from commit c1ebeaafeb324bac997984abdcee2d4e8b61a8a8)
+
+DHCPv6: Fix exclude prefix length check.
+
+(cherry picked from commit 896ef4a54b0578985e5e1360b141593f1d62837b)
+---
+ src/dhcp6.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 26db219..92e6c90 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2153,40 +2153,38 @@ dhcp6_findpd(struct interface *ifp, const uint8_t 
*iaid,
+                       state->expire = a->prefix_vltime;
+               i++;
+ 
+-              o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
+               a->prefix_exclude_len = 0;
+               memset(&a->prefix_exclude, 0, sizeof(a->prefix_exclude));
+-#if 0
+-              if (ex == NULL) {
+-                      struct dhcp6_option *w;
+-                      uint8_t *wp;
+-
+-                      w = calloc(1, 128);
+-                      w->len = htons(2);
+-                      wp = D6_OPTION_DATA(w);
+-                      *wp++ = 64;
+-                      *wp++ = 0x78;
+-                      ex = w;
+-              }
+-#endif
++              o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
+               if (o == NULL)
+                       continue;
+-              if (ol < 2) {
+-                      logerrx("%s: truncated PD Exclude", ifp->name);
++
++              /* RFC 6603 4.2 says option length MUST be between 2 and 17.
++               * This allows 1 octet for prefix length and 16 for the
++               * subnet ID. */
++              if (ol < 2 || ol > 17) {
++                      logerrx("%s: invalid PD Exclude option", ifp->name);
+                       continue;
+               }
+-              a->prefix_exclude_len = *o++;
++
++              /* RFC 6603 4.2 says prefix length MUST be between the
++               * length of the IAPREFIX prefix length + 1 and 128. */
++              if (*o < a->prefix_len + 1 || *o > 128) {
++                      logerrx("%s: invalid PD Exclude length", ifp->name);
++                      continue;
++              }
++
+               ol--;
+-              if (((a->prefix_exclude_len - a->prefix_len - 1) / NBBY) + 1
+-                  != ol)
+-              {
++              /* Check option length matches prefix length. */
++              if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) {
+                       logerrx("%s: PD Exclude length mismatch", ifp->name);
+-                      a->prefix_exclude_len = 0;
+                       continue;
+               }
+-              nb = a->prefix_len % NBBY;
++              a->prefix_exclude_len = *o++;
++
+               memcpy(&a->prefix_exclude, &a->prefix,
+                   sizeof(a->prefix_exclude));
++              nb = a->prefix_len % NBBY;
+               if (nb)
+                       ol--;
+               pw = a->prefix_exclude.s6_addr +
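Review bot: In dhcp6_findpd the new checks dereference `*o` three times before `a->prefix_exclude_len = *o++;` finally consumes it, which makes it harder to see that every test applies to the same octet. Reading it once after the `ol > 17` check, e.g. `const uint8_t exl = *o;`, then testing `exl` and finishing with `a->prefix_exclude_len = exl; o++;`, keeps the validation order and leaves `o` untouched on the `continue` paths. The `uint8_t` type is inferred from the byte-wise use of `o`; its declaration is outside the hunk and should be checked. A short comment that `ol--` reduces `ol` to the subnet-ID byte count would also help when reading the copy that follows, which continues past the end of the hunk.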
diff -Nru dhcpcd5-7.1.0/debian/patches/series 
dhcpcd5-7.1.0/debian/patches/series
--- dhcpcd5-7.1.0/debian/patches/series 2019-02-07 05:54:56.000000000 +0800
+++ dhcpcd5-7.1.0/debian/patches/series 2019-05-05 21:54:20.000000000 +0800
@@ -1 +1,5 @@
 0001-Fix-typo-in-manpage.patch
+0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch
+0003-DHCP-Fix-a-potential-1-byte-read-overflow-with-DHO_O.patch
+0004-auth-Use-consttime_memequal-3-to-compare-hashes.patch
+0005-DHCPv6-Fix-a-potential-read-overflow-with-D6_OPTION_.patch
diff -Nru dhcpcd5-7.1.0/debian/source/lintian-overrides 
dhcpcd5-7.1.0/debian/source/lintian-overrides
--- dhcpcd5-7.1.0/debian/source/lintian-overrides       1970-01-01 
08:00:00.000000000 +0800
+++ dhcpcd5-7.1.0/debian/source/lintian-overrides       2019-05-05 
21:54:59.000000000 +0800
@@ -0,0 +1,2 @@
+# This commit is cherry-picked directly from upstream - spelling included.
+dhcpcd5 source: spelling-error-in-patch-description 
debian/patches/0002-DHCPv6-Fix-a-potential-buffer-overflow-reading-NA-TA.patch 
upto up to
