Hello community, here is the log from the commit of package radvd for openSUSE:Factory checked in at 2011-11-22 17:49:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/radvd (Old) and /work/SRC/openSUSE:Factory/.radvd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "radvd", Maintainer is "jbo...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/radvd/radvd.changes 2011-10-21 16:35:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.radvd.new/radvd.changes 2011-11-22 17:49:37.000000000 +0100 @@ -1,0 +2,7 @@ +Wed Nov 16 14:23:54 UTC 2011 - dims...@opensuse.org + +- Update to version 1.8.3: + + proper tracking of buffer usage in send_ra +- Drop diff_release_1_8_2..44ee01c7.patch: fixed upstream. + +------------------------------------------------------------------- Old: ---- diff_release_1_8_2..44ee01c7.patch radvd-1.8.2.tar.gz New: ---- radvd-1.8.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ radvd.spec ++++++ --- /var/tmp/diff_new_pack.GiBAqv/_old 2011-11-22 17:49:39.000000000 +0100 +++ /var/tmp/diff_new_pack.GiBAqv/_new 2011-11-22 17:49:39.000000000 +0100 @@ -18,7 +18,7 @@ Name: radvd -Version: 1.8.2 +Version: 1.8.3 Release: 1 License: BSD 3-clause (or similar) Summary: Router ADVertisement Daemon for IPv6 @@ -27,7 +27,6 @@ Source0: http://www.litech.org/radvd/dist/%{name}-%{version}.tar.gz Source1: radvd.init Source2: sysconfig.radvd -Patch0: diff_release_1_8_2..44ee01c7.patch Patch1: 0001-run-as-user-radvd-by-default.diff BuildRequires: bison BuildRequires: flex @@ -42,7 +41,6 @@ %prep %setup -q -%patch0 -p1 %patch1 -p1 %build ++++++ 0001-run-as-user-radvd-by-default.diff ++++++ --- /var/tmp/diff_new_pack.GiBAqv/_old 2011-11-22 17:49:39.000000000 +0100 +++ /var/tmp/diff_new_pack.GiBAqv/_new 2011-11-22 17:49:39.000000000 +0100 
@@ -7,11 +7,11 @@ radvd.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) -diff --git a/radvd.c b/radvd.c -index a84793e..90acc88 100644 ---- a/radvd.c -+++ b/radvd.c -@@ -172,6 +172,9 @@ main(int argc, char *argv[]) +Index: radvd-1.8.3/radvd.c +=================================================================== +--- radvd-1.8.3.orig/radvd.c ++++ radvd-1.8.3/radvd.c +@@ -200,6 +200,9 @@ main(int argc, char *argv[]) } } @@ -21,6 +21,3 @@ if (chrootdir) { if (!username) { fprintf(stderr, "Chroot as root is not safe, exiting\n"); --- -1.7.3.4 - ++++++ radvd-1.8.2.tar.gz -> radvd-1.8.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/radvd-1.8.2/CHANGES new/radvd-1.8.3/CHANGES --- old/radvd-1.8.2/CHANGES 2011-10-06 12:52:20.000000000 +0200 +++ new/radvd-1.8.3/CHANGES 2011-10-14 15:48:06.000000000 +0200 @@ -1,3 +1,10 @@ +14/08/2011 1.8.3 release + +08/10/2011 More careful checking of iface name + +06/10/2011 Updating buffer usage tracking in send_ra to track buffer usage BEFORE + the buffer is used rather than after in order to prevent buffer overflow + 06/10/2011 1.8.2 release 04/10/2011 1) A privilege escalation flaw was found in radvd, due to a buffer overflow diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/radvd-1.8.2/VERSION new/radvd-1.8.3/VERSION --- old/radvd-1.8.2/VERSION 2011-10-06 12:52:20.000000000 +0200 +++ new/radvd-1.8.3/VERSION 2011-10-11 18:42:03.000000000 +0200 @@ -3,4 +3,4 @@ # # this file is automatically processed by configure # -1.8.2 +1.8.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/radvd-1.8.2/defaults.h new/radvd-1.8.3/defaults.h --- old/radvd-1.8.2/defaults.h 2011-10-06 12:52:20.000000000 +0200 +++ new/radvd-1.8.3/defaults.h 2011-10-06 17:32:36.000000000 +0200 
@@ -200,7 +200,7 @@ uint8_t nd_opt_dnssli_len; uint16_t nd_opt_dnssli_reserved; uint32_t nd_opt_dnssli_lifetime; - char nd_opt_dnssli_suffixes[]; + unsigned char nd_opt_dnssli_suffixes[]; }; /* Flags */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/radvd-1.8.2/device-linux.c new/radvd-1.8.3/device-linux.c --- old/radvd-1.8.2/device-linux.c 2011-10-06 12:52:20.000000000 +0200 +++ new/radvd-1.8.3/device-linux.c 2011-10-08 18:25:59.000000000 +0200 @@ -244,7 +244,7 @@ return -1; /* No path traversal */ - if (strstr(name, "..") || strchr(name, '/')) + if (!iface[0] || !strcmp(iface, ".") || !strcmp(iface, "..") || strchr(iface, '/')) return -1; if (access(spath, F_OK) != 0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/radvd-1.8.2/process.c new/radvd-1.8.3/process.c --- old/radvd-1.8.2/process.c 2011-10-06 12:52:20.000000000 +0200 +++ new/radvd-1.8.3/process.c 2011-10-06 17:32:36.000000000 +0200 @@ -423,7 +423,7 @@ suffix[0] = '\0'; for (offset = 0; offset < (dnsslinfo->nd_opt_dnssli_len-1)*8;) { - if (&dnsslinfo->nd_opt_dnssli_suffixes[offset] - (char*)opt_str >= len) + if (&dnsslinfo->nd_opt_dnssli_suffixes[offset] - opt_str >= len) return; label_len = dnsslinfo->nd_opt_dnssli_suffixes[offset++]; @@ -450,7 +450,7 @@ */ if ((sizeof(suffix) - strlen(suffix)) < (label_len + 2) || label_len > label_len + 2 || - &dnsslinfo->nd_opt_dnssli_suffixes[offset+label_len] - (char*)opt_str >= len || + &dnsslinfo->nd_opt_dnssli_suffixes[offset+label_len] - opt_str >= len || offset + label_len < offset) { flog(LOG_ERR, "oversized suffix in DNSSL option on %s from %s", iface->Name, addr_str); 
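Review bot: The reason for switching `nd_opt_dnssli_suffixes` to `unsigned char` is not recorded next to the member. process.c reads a label length straight out of this array (`label_len = dnsslinfo->nd_opt_dnssli_suffixes[offset++];`), so with a signed element type any length octet above 0x7f would become a negative length. A one-line comment such as `/* unsigned: every label starts with a length octet that must not sign-extend */` would stop a later cleanup from reverting the type. The start of the struct is outside the hunk.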
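Review bot: The new path-traversal test is a deny-list: it rejects the empty name, `.`, `..` and any `/`, and lets every other byte sequence through, including control characters and names of any length. Since the name ends up in `spath`, which is built outside the hunk, it is worth confirming that the caller already limits it to an interface-name length, or adding `strlen(iface) >= IFNAMSIZ` to the condition. The comment could also state the actual requirement, e.g. `/* iface must be a single path component */`, as the check no longer looks for `..` as a substring. The enclosing function starts and ends outside the hunk.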
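Review bot: Two tests kept in this condition in the @@ -450 hunk, `label_len > label_len + 2` and `offset + label_len < offset`, look like wrap-around checks that can no longer fire. With the suffix array now `unsigned char`, `label_len` is at most 255 when it is read from the option. If `label_len` and `offset` are signed ints (their declarations are outside the hunk), such tests also depend on signed overflow, which is undefined and may be optimised out. The guards doing the work are the `sizeof(suffix) - strlen(suffix)` comparison and the pointer-difference test against `len`. Consider removing the dead tests or replacing them with an explicit range check so the condition shows what is enforced.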
@@ -459,7 +459,7 @@ if (suffix[0] != '\0') strcat(suffix, "."); - strncat(suffix, &dnsslinfo->nd_opt_dnssli_suffixes[offset], label_len); + strncat(suffix, (char*)&dnsslinfo->nd_opt_dnssli_suffixes[offset], label_len); offset += label_len; } break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/radvd-1.8.2/radvdump.c new/radvd-1.8.3/radvdump.c --- old/radvd-1.8.2/radvdump.c 2011-10-06 12:52:20.000000000 +0200 +++ new/radvd-1.8.3/radvdump.c 2011-10-06 17:32:36.000000000 +0200 @@ -463,7 +463,7 @@ if (suffix[0] != '\0') strcat(suffix, "."); - strncat(suffix, &dnssl_info->nd_opt_dnssli_suffixes[offset], label_len); + strncat(suffix, (char*)&dnssl_info->nd_opt_dnssli_suffixes[offset], label_len); offset += label_len; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/radvd-1.8.2/redhat/radvd.spec new/radvd-1.8.3/redhat/radvd.spec --- old/radvd-1.8.2/redhat/radvd.spec 2011-10-06 12:52:20.000000000 +0200 +++ new/radvd-1.8.3/redhat/radvd.spec 2011-10-14 15:49:17.000000000 +0200 @@ -6,7 +6,7 @@ Summary: A Router Advertisement daemon Name: radvd -Version: 1.8.2 +Version: 1.8.3 Release: 1 # The code includes the advertising clause, so it's GPL-incompatible License: BSD with advertising @@ -97,6 +97,10 @@ %{_sbindir}/radvdump %changelog +* Fri Oct 14 2011 Reuben Hawkins <reuben...@gmail.com> 1.8.3-1 +- 1.8.3 +- minor fixes + * Wed Oct 4 2011 Reuben Hawkins <reuben...@gmail.com> 1.8.2-1 - 1.8.2 - Security patches diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/radvd-1.8.2/send.c new/radvd-1.8.3/send.c --- old/radvd-1.8.2/send.c 2011-10-06 12:52:20.000000000 +0200 +++ new/radvd-1.8.3/send.c 2011-10-06 17:43:41.000000000 +0200 @@ -72,7 +72,7 @@ *len += add; if(*len >= MSG_SIZE_SEND) { - flog(LOG_ERR, "Too many prefixes or routes. Exiting."); + flog(LOG_ERR, "Too many prefixes, routes, rdnss or dnssl to fit in buffer. Exiting."); exit(1); } } 
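Review bot: No bound on `suffix` is visible in the radvdump.c hunk before the `strcat(suffix, ".")` / `strncat(suffix, ..., label_len)` pair. The matching code in process.c first tests `sizeof(suffix) - strlen(suffix)` against `label_len + 2` and checks the pointer offset against the option length. radvdump parses the same received DNSSL option, so please confirm the equivalent guard sits just above these lines. If it does not, the cast added here silences the signedness warning without making the append safe. The enclosing loop starts outside the hunk.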
@@ -187,6 +187,8 @@ memset(buff, 0, sizeof(buff)); radvert = (struct nd_router_advert *) buff; + send_ra_inc_len(&len, sizeof(struct nd_router_advert)); + radvert->nd_ra_type = ND_ROUTER_ADVERT; radvert->nd_ra_code = 0; radvert->nd_ra_cksum = 0; @@ -212,8 +214,6 @@ radvert->nd_ra_reachable = htonl(iface->AdvReachableTime); radvert->nd_ra_retransmit = htonl(iface->AdvRetransTimer); - len = sizeof(struct nd_router_advert); - prefix = iface->AdvPrefixList; /* @@ -228,6 +228,8 @@ pinfo = (struct nd_opt_prefix_info *) (buff + len); + send_ra_inc_len(&len, sizeof(*pinfo)); + pinfo->nd_opt_pi_type = ND_OPT_PREFIX_INFORMATION; pinfo->nd_opt_pi_len = 4; pinfo->nd_opt_pi_prefix_len = prefix->PrefixLen; @@ -260,8 +262,6 @@ } pinfo->nd_opt_pi_reserved2 = 0; - send_ra_inc_len(&len, sizeof(*pinfo)); - memcpy(&pinfo->nd_opt_pi_prefix, &prefix->Prefix, sizeof(struct in6_addr)); } @@ -281,6 +281,8 @@ rinfo = (struct nd_opt_route_info_local *) (buff + len); + send_ra_inc_len(&len, sizeof(*rinfo)); + rinfo->nd_opt_ri_type = ND_OPT_ROUTE_INFORMATION; /* XXX: the prefixes are allowed to be sent in smaller chunks as well */ rinfo->nd_opt_ri_len = 3; @@ -294,8 +296,6 @@ rinfo->nd_opt_ri_lifetime = htonl(route->AdvRouteLifetime); } - send_ra_inc_len(&len, sizeof(*rinfo)); - memcpy(&rinfo->nd_opt_ri_prefix, &route->Prefix, sizeof(struct in6_addr)); @@ -314,6 +314,8 @@ rdnssinfo = (struct nd_opt_rdnss_info_local *) (buff + len); + send_ra_inc_len(&len, sizeof(*rdnssinfo) - (3-rdnss->AdvRDNSSNumber)*sizeof(struct in6_addr)); + rdnssinfo->nd_opt_rdnssi_type = ND_OPT_RDNSS_INFORMATION; rdnssinfo->nd_opt_rdnssi_len = 1 + 2*rdnss->AdvRDNSSNumber; rdnssinfo->nd_opt_rdnssi_pref_flag_reserved = 0; @@ -330,7 +332,6 @@ sizeof(struct in6_addr)); memcpy(&rdnssinfo->nd_opt_rdnssi_addr3, &rdnss->AdvRDNSSAddr3, sizeof(struct in6_addr)); - send_ra_inc_len(&len, sizeof(*rdnssinfo) - (3-rdnss->AdvRDNSSNumber)*sizeof(struct in6_addr)); rdnss = rdnss->next; } 
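Review bot: The first `send_ra_inc_len(&len, sizeof(struct nd_router_advert));` is correct only if `len` is zero at this point, and its declaration is outside the hunk. The @@ -212 hunk removes `len = sizeof(struct nd_router_advert);`, which was the one place `len` was set absolutely, so it is now only ever incremented. If the declaration has no initialiser, add one (`len = 0`), as an indeterminate start value would defeat every later bounds check. A comment above the call, e.g. `/* reserve space first: send_ra_inc_len() exits if the data would not fit */`, would record the ordering that the following hunks depend on.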
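Review bot: The RDNSS reservation in the @@ -314 hunk covers only the truncated size, `sizeof(*rdnssinfo) - (3-rdnss->AdvRDNSSNumber)*sizeof(struct in6_addr)`, while the copies that follow appear to fill all three address slots regardless of AdvRDNSSNumber (the `nd_opt_rdnssi_addr3` memcpy is visible in the @@ -330 hunk). With fewer than three servers configured, the writes reach up to 32 bytes past what send_ra_inc_len checked, so an option placed near the end of `buff` can still overrun it even though the check now comes first. Either guard the copies, e.g. `if (rdnss->AdvRDNSSNumber >= 3) memcpy(&rdnssinfo->nd_opt_rdnssi_addr3, &rdnss->AdvRDNSSAddr3, sizeof(struct in6_addr));` and likewise for addr2, or verify that the full `sizeof(*rdnssinfo)` fits before writing. The lines between the two hunks are not shown, so confirm the copies really are unconditional.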
@@ -344,13 +345,18 @@ while(dnssl) { struct nd_opt_dnssl_info_local *dnsslinfo; + int const start_len = len; int i; - char *buff_ptr; dnsslinfo = (struct nd_opt_dnssl_info_local *) (buff + len); + send_ra_inc_len(&len, sizeof(dnsslinfo->nd_opt_dnssli_type) + + sizeof(dnsslinfo->nd_opt_dnssli_len) + + sizeof(dnsslinfo->nd_opt_dnssli_reserved) + + sizeof(dnsslinfo->nd_opt_dnssli_lifetime) + ); + dnsslinfo->nd_opt_dnssli_type = ND_OPT_DNSSL_INFORMATION; - dnsslinfo->nd_opt_dnssli_len = 1; /* more further down */ dnsslinfo->nd_opt_dnssli_reserved = 0; if (iface->cease_adv && dnssl->FlushDNSSLFlag) { @@ -359,7 +365,6 @@ dnsslinfo->nd_opt_dnssli_lifetime = htonl(dnssl->AdvDNSSLLifetime); } - buff_ptr = dnsslinfo->nd_opt_dnssli_suffixes; for (i = 0; i < dnssl->AdvDNSSLNumber; i++) { char *label; int label_len; @@ -372,24 +377,32 @@ else label_len = strchr(label, '.') - label; - *buff_ptr++ = label_len; - - memcpy(buff_ptr, label, label_len); - buff_ptr += label_len; + buff_dest = len; + send_ra_inc_len(&len, 1); + buff[buff_dest] = label_len; + + buff_dest = len; + send_ra_inc_len(&len, label_len); + memcpy(buff + buff_dest, label, label_len); label += label_len; if (label[0] == '.') label++; - else - *buff_ptr++ = 0; + else { + buff_dest = len; + send_ra_inc_len(&len, 1); + buff[buff_dest] = 0; + } } } - dnsslinfo->nd_opt_dnssli_len += ((buff_ptr-dnsslinfo->nd_opt_dnssli_suffixes)+7)/8; + dnsslinfo->nd_opt_dnssli_len = (len - start_len) / 8; - /* TODO: If buff will overflow, it's already happened. This needs to be checked BEFORE the overflow. */ - send_ra_inc_len(&len, dnsslinfo->nd_opt_dnssli_len * 8); + if ( (len - start_len) % 8 != 0 ) { + send_ra_inc_len(&len, 8 - (len - start_len) % 8); + ++dnsslinfo->nd_opt_dnssli_len; + } dnssl = dnssl->next; } -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
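Review bot: `int const start_len = len;` in the @@ -344 hunk stores the buffer offset in an `int`, and it is later mixed with `len` in `(len - start_len) / 8` and `% 8`. If `len` is a `size_t` (its declaration is outside the hunk), declaring it as `size_t const start_len = len;` avoids the implicit signed/unsigned conversions. The four summed `sizeof` terms in the reservation could be written as `offsetof(struct nd_opt_dnssl_info_local, nd_opt_dnssli_suffixes)`, which also stays correct if a field is added to the fixed header. The padding added at the end is zero only because of the earlier `memset(buff, 0, sizeof(buff))`, which deserves a short comment.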
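Review bot: In the @@ -372 hunk `buff[buff_dest] = label_len;` stores the label length in one byte with no upper bound, while the `memcpy` that follows copies the full `label_len`. send_ra_inc_len keeps the write inside `buff`, but a label longer than 63 bytes yields an invalid DNS encoding, and one longer than 255 has its length octet truncated, so the option's framing no longer matches its contents. Unless the configuration parser (not part of this diff) already enforces it, add a check such as `if (label_len > 63) { flog(LOG_ERR, "DNSSL label too long"); exit(1); }` before the length byte is written. Also, the terminating zero is written only in the `else` branch, so a suffix ending in `.` is emitted with no root terminator unless padding happens to follow. It is worth confirming that such suffixes are rejected or normalised at parse time.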