Your message dated Fri, 21 Nov 2014 20:30:37 +0100
with message-id <[email protected]>
and subject line Re: Bug#770463: unblock: dhcpcd5/6.0.5-2
has caused the Debian Bug report #770463,
regarding unblock: dhcpcd5/6.0.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
770463: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770463
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Hi Release Team,

Please unblock package dhcpcd5, which fixes a denial-of-service vulnerability
(CVE-2014-6060). The relevant bug in the BTS is #770043. In addition to the patch,
I have updated the maintainer field to the Debian QA group, as the previous maintainer
orphaned the package. The full changelog is as follows:

dhcpcd5 (6.0.5-2) unstable; urgency=medium

  * QA upload.

  [ Pierre Schweitzer ]
  * Fix denial of service (CVE-2014-6060) in dhcpcd5. (Closes: #770043).

  [ Salvatore Bonaccorso ]
  * Refresh CVE-2014-6060.patch (offset)
  * Update patch headers for CVE-2014-6060.patch.
    Wrap long lines in fields and use Description field.
    Add Applied-Upstream value.
  * Set Maintainer to Debian QA Group (cf. #770082)

 -- Salvatore Bonaccorso <[email protected]>  Wed, 19 Nov 2014 17:08:30 +0100

Attached is also the full debdiff.

Could you thus

unblock dhcpcd5/6.0.5-2

Many thanks in advance!

Regards,
Salvatore
diff -Nru dhcpcd5-6.0.5/debian/changelog dhcpcd5-6.0.5/debian/changelog
--- dhcpcd5-6.0.5/debian/changelog	2013-12-04 14:49:45.000000000 +0100
+++ dhcpcd5-6.0.5/debian/changelog	2014-11-19 19:50:28.000000000 +0100
@@ -1,3 +1,19 @@
+dhcpcd5 (6.0.5-2) unstable; urgency=medium
+
+  * QA upload.
+
+  [ Pierre Schweitzer ]
+  * Fix denial of service (CVE-2014-6060) in dhcpcd5. (Closes: #770043).
+
+  [ Salvatore Bonaccorso ]
+  * Refresh CVE-2014-6060.patch (offset)
+  * Update patch headers for CVE-2014-6060.patch.
+    Wrap long lines in fields and use Description field.
+    Add Applied-Upstream value.
+  * Set Maintainer to Debian QA Group (cf. #770082)
+
+ -- Salvatore Bonaccorso <[email protected]>  Wed, 19 Nov 2014 17:08:30 +0100
+
 dhcpcd5 (6.0.5-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru dhcpcd5-6.0.5/debian/control dhcpcd5-6.0.5/debian/control
--- dhcpcd5-6.0.5/debian/control	2013-06-25 15:47:59.000000000 +0200
+++ dhcpcd5-6.0.5/debian/control	2014-11-19 19:50:28.000000000 +0100
@@ -1,7 +1,7 @@
 Source: dhcpcd5
 Section: net
 Priority: optional
-Maintainer: Roy Marples <[email protected]>
+Maintainer: Debian QA Group <[email protected]>
 Build-Depends: debhelper (>= 9)
 Standards-Version: 3.9.4.0
 Homepage: http://roy.marples.name/projects/dhcpcd
diff -Nru dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch
--- dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch	1970-01-01 01:00:00.000000000 +0100
+++ dhcpcd5-6.0.5/debian/patches/CVE-2014-6060.patch	2014-11-19 19:50:28.000000000 +0100
@@ -0,0 +1,27 @@
+Description: Fix CVE-2014-6060
+ Only bits 1 and 2 are used in the DHCP overload option, so when we
+ encounter the option set the last bit as well to ensure servername and
+ bootfile are only checked once as their check unsets bits 1 and 2.
+ Thanks to Tobias Stoeckmann.
+Origin: upstream, http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
+Bug-Debian: https://bugs.debian.org/770043
+From: Roy Marples <[email protected]>
+Applied-Upstream: 6.4.3
+
+--- a/dhcp.c
++++ b/dhcp.c
+@@ -343,9 +343,12 @@ get_option(const struct dhcp_message *dh
+ 				goto exit;
+ 			break;
+ 		case DHO_OPTIONSOVERLOADED:
+-			/* Ensure we only get this option once */
++			/* Ensure we only get this option once by setting
++			 * the last bit as well as the value.
++			 * This is valid because only the first two bits
++			 * actually mean anything in RFC2132 Section 9.3 */
+ 			if (!overl)
+-				overl = p[1];
++				overl = 0x80 | p[1];
+ 			break;
+ 		}
+ 		l = *p++;
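Review bot: the once-only guard `if (!overl)` in the `DHO_OPTIONSOVERLOADED` case only holds while `overl` is nonzero, and with the original `overl = p[1];` that is not guaranteed: an option byte with neither bit 1 nor bit 2 set, or a value whose bits are cleared again by the servername/bootfile check the Description refers to, leaves `overl` at zero, so a repeated overload option is accepted again and the option walk is re-entered. `overl = 0x80 | p[1];` fixes that by storing a value that is nonzero regardless of the two meaningful bits, which is the whole point of the change; the code comment could say so explicitly (the current wording "as well as the value" does not explain why 0x80 cannot collide with a legitimate value, i.e. RFC 2132 section 9.3 only defines 1, 2 and 3). Since the high bit is now always set, any code outside this hunk that compares `overl` for equality with 1, 2 or 3 instead of testing the individual bits would break; that code is not visible here, so it is worth verifying before the upload is accepted.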
diff -Nru dhcpcd5-6.0.5/debian/patches/series dhcpcd5-6.0.5/debian/patches/series
--- dhcpcd5-6.0.5/debian/patches/series	2013-12-04 14:52:31.000000000 +0100
+++ dhcpcd5-6.0.5/debian/patches/series	2014-11-19 19:50:28.000000000 +0100
@@ -1 +1,2 @@
 kfreebsd.diff
+CVE-2014-6060.patch

--- End Message ---
--- Begin Message ---
On 2014-11-21 14:56, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Hi Release Team,
> 
> Please unblock package dhcpcd5, which fixes a denial-of-service vulnerability
> (CVE-2014-6060). The relevant bug in the BTS is #770043. In addition to the patch,
> I have updated the maintainer field to the Debian QA group, as the previous maintainer
> orphaned the package. The full changelog is as follows:
> 
> [...]
> 
> unblock dhcpcd5/6.0.5-2
> 
> Many thanks in advance!
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels

--- End Message ---
