4 files changed, 229 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
new file mode 100644
index 0000000000..91aaf83a77
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
+From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 8 Jul 2021 00:08:25 +0000
+Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
+ (CVE-2021-25217)
+On May 26, 2021, we (Internet Systems Consortium) disclosed a
+vulnerability affecting our ISC DHCP software:
+    CVE-2021-25217: A buffer overrun in lease file parsing code can be
+    used to exploit a common vulnerability shared by dhcpd and dhclient
+    https://kb.isc.org/docs/cve-2021-25217
+New versions of ISC DHCP are available from https://www.isc.org/downloads
+Operators and package maintainers who prefer to apply patches selectively can
+find individual vulnerability-specific patches in the "patches" subdirectory
+of the release directories for our two stable release branches (4.4 and 4.1-ESV)
+   https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
+   https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
+With the public announcement of this vulnerability, the embargo
+period is ended and any updated software packages that have been
+prepared may be released.
+Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
+CVE: CVE-2021-25217
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ common/parse.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/common/parse.c b/common/parse.c
+index 386a632..fc7b39c 100644
+--- a/common/parse.c
+++ b/common/parse.c
+@@ -3,7 +3,7 @@
+    Common parser code for dhcpd and dhclient. */
+ 
+ /*
+- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
+  * Copyright (c) 1995-2003 by Internet Software Consortium
+  *
+  * This Source Code Form is subject to the terms of the Mozilla Public
+@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
+                                skip_to_semi (cfile);
+                                return 0;
+                        }
+-                       convert_num (cfile, &buf [len], val, 16, 8);
+-                       if (len++ > max) {
+                       if (len >= max) {
+                                parse_warn (cfile,
+                                            "hexadecimal constant too long.");
+                                skip_to_semi (cfile);
+                                return 0;
+                        }
+                       convert_num (cfile, &buf [len], val, 16, 8);
+                       len++;
+                        token = peek_token (&val, (unsigned *)0, cfile);
+                        if (token == COLON)
+                                token = next_token (&val,
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
new file mode 100644
index 0000000000..11f162cbda
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
@@ -0,0 +1,120 @@
+From 8a5d739eea10ee6e193f053b1662142d5657cbc6 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 6 Oct 2022 09:39:18 +0530
+Subject: [PATCH] CVE-2022-2928
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2928
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c               |  7 +++++
+ common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+diff --git a/common/options.c b/common/options.c
+index a7ed84c..4e53bb4 100644
+--- a/common/options.c
+++ b/common/options.c
+@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
+        if (!option_cache_allocate(&oc, MDL)) {
+                log_error("No memory for option cache adding %s (option %d).",
+                          option->name, option_num);
+               /* Get rid of reference created during hash lookup. */
+               option_dereference(&option, MDL);
+                return 0;
+        }
+ 
+@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
+                             MDL)) {
+                log_error("No memory for constant data adding %s (option %d).",
+                          option->name, option_num);
+               /* Get rid of reference created during hash lookup. */
+               option_dereference(&option, MDL);
+                option_cache_dereference(&oc, MDL);
+                return 0;
+        }
+@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
+        save_option(&dhcp_universe, options, oc);
+        option_cache_dereference(&oc, MDL);
+ 
+       /* Get rid of reference created during hash lookup. */
+       option_dereference(&option, MDL);
+
+        return 1;
+ }
+ 
+diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
+index cd52cfb..690704d 100644
+--- a/common/tests/option_unittest.c
+++ b/common/tests/option_unittest.c
+@@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc)
+ }
+ 
+ 
+ATF_TC(add_option_ref_cnt);
+
+ATF_TC_HEAD(add_option_ref_cnt, tc)
+{
+    atf_tc_set_md_var(tc, "descr",
+        "Verify add_option() does not leak option ref counts.");
+}
+
+ATF_TC_BODY(add_option_ref_cnt, tc)
+{
+    struct option_state *options = NULL;
+    struct option *option = NULL;
+    unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
+    char *cid_str = "1234";
+    int refcnt_before = 0;
+
+    // Look up the option we're going to add.
+    initialize_common_option_spaces();
+    if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
+                                 &cid_code, 0, MDL)) {
+        atf_tc_fail("cannot find option definition?");
+    }
+
+    // Get the option's reference count before we call add_options.
+    refcnt_before = option->refcnt;
+
+    // Allocate a option_state to which to add an option.
+    if (!option_state_allocate(&options, MDL)) {
+           atf_tc_fail("cannot allocat options state");
+    }
+
+    // Call add_option() to add the option to the option state.
+    if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
+           atf_tc_fail("add_option returned 0");
+    }
+
+    // Verify that calling add_option() only adds 1 to the option ref count.
+    if (option->refcnt != (refcnt_before + 1)) {
+        atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
+                    refcnt_before, option->refcnt);
+    }
+
+    // Derefrence the option_state, this should reduce the ref count to
+    // it's starting value.
+    option_state_dereference(&options, MDL);
+
+    // Verify that dereferencing option_state restores option ref count.
+    if (option->refcnt != refcnt_before) {
+        atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
+                    refcnt_before, option->refcnt);
+    }
+}
+
+ /* This macro defines main() method that will call specified
+    test cases. tp and simple_test_case names can be whatever you want
+    as long as it is a valid variable identifier. */
+@@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp)
+ {
+     ATF_TP_ADD_TC(tp, option_refcnt);
+     ATF_TP_ADD_TC(tp, pretty_print_option);
+    ATF_TP_ADD_TC(tp, add_option_ref_cnt);
+ 
+     return (atf_no_error());
+ }
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
new file mode 100644
index 0000000000..d605204f89
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
@@ -0,0 +1,40 @@
+From 5c959166ebee7605e2048de573f2475b4d731ff7 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Thu, 6 Oct 2022 09:42:59 +0530
+Subject: [PATCH] CVE-2022-2929
+Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
+CVE: CVE-2022-2929
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ common/options.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/common/options.c b/common/options.c
+index 4e53bb4..28800fc 100644
+--- a/common/options.c
+++ b/common/options.c
+@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
+                while (s < &bp -> data[0] + length + 2) {
+                        len = *s;
+                        if (len > 63) {
+-                               log_info ("fancy bits in fqdn option");
+-                               return 0;
+                               log_info ("label length exceeds 63 in fqdn option");
+                               goto bad;
+                        }
+                        if (len == 0) {
+                                terminated = 1;
+                                break;
+                        }
+                        if (s + len > &bp -> data [0] + length + 3) {
+-                               log_info ("fqdn tag longer than buffer");
+-                               return 0;
+                               log_info ("fqdn label longer than buffer");
+                               goto bad;
+                        }
+ 
+                        if (first_len == 0) {
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
index b56a204821..d3c87d0d07 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,9 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
            file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
            file://0013-fixup_use_libbind.patch \
            file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
+            file://CVE-2021-25217.patch \
+            file://CVE-2022-2928.patch \
+            file://CVE-2022-2929.patch \
 "
 SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"

diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch new file mode 100644 index 0000000000..91aaf83a77 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
		1	From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
		2	From: Minjae Kim <flowergom@gmail.com>
		3	Date: Thu, 8 Jul 2021 00:08:25 +0000
		4	Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
		5	(CVE-2021-25217)
		6
		7	On May 26, 2021, we (Internet Systems Consortium) disclosed a
		8	vulnerability affecting our ISC DHCP software:
		9
		10	CVE-2021-25217: A buffer overrun in lease file parsing code can be
		11	used to exploit a common vulnerability shared by dhcpd and dhclient
		12	https://kb.isc.org/docs/cve-2021-25217
		13
		14	New versions of ISC DHCP are available from https://www.isc.org/downloads
		15
		16	Operators and package maintainers who prefer to apply patches selectively can
		17	find individual vulnerability-specific patches in the "patches" subdirectory
		18	of the release directories for our two stable release branches (4.4 and 4.1-ESV)
		19
		20	https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
		21	https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
		22
		23	With the public announcement of this vulnerability, the embargo
		24	period is ended and any updated software packages that have been
		25	prepared may be released.
		26
		27	Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
		28	CVE: CVE-2021-25217
		29	Signed-off-by: Minjae Kim <flowergom@gmail.com>
		30	---
		31	common/parse.c \| 7 ++++---
		32	1 file changed, 4 insertions(+), 3 deletions(-)
		33
		34	diff --git a/common/parse.c b/common/parse.c
		35	index 386a632..fc7b39c 100644
		36	--- a/common/parse.c
		37	+++ b/common/parse.c
		38	@@ -3,7 +3,7 @@
		39	Common parser code for dhcpd and dhclient. */
		40
		41	/*
		42	- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
		43	+ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
		44	* Copyright (c) 1995-2003 by Internet Software Consortium
		45	*
		46	* This Source Code Form is subject to the terms of the Mozilla Public
		47	@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
		48	skip_to_semi (cfile);
		49	return 0;
		50	}
		51	- convert_num (cfile, &buf [len], val, 16, 8);
		52	- if (len++ > max) {
		53	+ if (len >= max) {
		54	parse_warn (cfile,
		55	"hexadecimal constant too long.");
		56	skip_to_semi (cfile);
		57	return 0;
		58	}
		59	+ convert_num (cfile, &buf [len], val, 16, 8);
		60	+ len++;
		61	token = peek_token (&val, (unsigned *)0, cfile);
		62	if (token == COLON)
		63	token = next_token (&val,
		64	--
		65	2.17.1
		66


diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch new file mode 100644 index 0000000000..11f162cbda --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch
@@ -0,0 +1,120 @@
		1	From 8a5d739eea10ee6e193f053b1662142d5657cbc6 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Thu, 6 Oct 2022 09:39:18 +0530
		4	Subject: [PATCH] CVE-2022-2928
		5
		6	Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
		7	CVE: CVE-2022-2928
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	common/options.c \| 7 +++++
		11	common/tests/option_unittest.c \| 54 ++++++++++++++++++++++++++++++++++
		12	2 files changed, 61 insertions(+)
		13
		14	diff --git a/common/options.c b/common/options.c
		15	index a7ed84c..4e53bb4 100644
		16	--- a/common/options.c
		17	+++ b/common/options.c
		18	@@ -4452,6 +4452,8 @@ add_option(struct option_state *options,
		19	if (!option_cache_allocate(&oc, MDL)) {
		20	log_error("No memory for option cache adding %s (option %d).",
		21	option->name, option_num);
		22	+ /* Get rid of reference created during hash lookup. */
		23	+ option_dereference(&option, MDL);
		24	return 0;
		25	}
		26
		27	@@ -4463,6 +4465,8 @@ add_option(struct option_state *options,
		28	MDL)) {
		29	log_error("No memory for constant data adding %s (option %d).",
		30	option->name, option_num);
		31	+ /* Get rid of reference created during hash lookup. */
		32	+ option_dereference(&option, MDL);
		33	option_cache_dereference(&oc, MDL);
		34	return 0;
		35	}
		36	@@ -4471,6 +4475,9 @@ add_option(struct option_state *options,
		37	save_option(&dhcp_universe, options, oc);
		38	option_cache_dereference(&oc, MDL);
		39
		40	+ /* Get rid of reference created during hash lookup. */
		41	+ option_dereference(&option, MDL);
		42	+
		43	return 1;
		44	}
		45
		46	diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
		47	index cd52cfb..690704d 100644
		48	--- a/common/tests/option_unittest.c
		49	+++ b/common/tests/option_unittest.c
		50	@@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc)
		51	}
		52
		53
		54	+ATF_TC(add_option_ref_cnt);
		55	+
		56	+ATF_TC_HEAD(add_option_ref_cnt, tc)
		57	+{
		58	+ atf_tc_set_md_var(tc, "descr",
		59	+ "Verify add_option() does not leak option ref counts.");
		60	+}
		61	+
		62	+ATF_TC_BODY(add_option_ref_cnt, tc)
		63	+{
		64	+ struct option_state *options = NULL;
		65	+ struct option *option = NULL;
		66	+ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
		67	+ char *cid_str = "1234";
		68	+ int refcnt_before = 0;
		69	+
		70	+ // Look up the option we're going to add.
		71	+ initialize_common_option_spaces();
		72	+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
		73	+ &cid_code, 0, MDL)) {
		74	+ atf_tc_fail("cannot find option definition?");
		75	+ }
		76	+
		77	+ // Get the option's reference count before we call add_options.
		78	+ refcnt_before = option->refcnt;
		79	+
		80	+ // Allocate a option_state to which to add an option.
		81	+ if (!option_state_allocate(&options, MDL)) {
		82	+ atf_tc_fail("cannot allocat options state");
		83	+ }
		84	+
		85	+ // Call add_option() to add the option to the option state.
		86	+ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
		87	+ atf_tc_fail("add_option returned 0");
		88	+ }
		89	+
		90	+ // Verify that calling add_option() only adds 1 to the option ref count.
		91	+ if (option->refcnt != (refcnt_before + 1)) {
		92	+ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
		93	+ refcnt_before, option->refcnt);
		94	+ }
		95	+
		96	+ // Derefrence the option_state, this should reduce the ref count to
		97	+ // it's starting value.
		98	+ option_state_dereference(&options, MDL);
		99	+
		100	+ // Verify that dereferencing option_state restores option ref count.
		101	+ if (option->refcnt != refcnt_before) {
		102	+ atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
		103	+ refcnt_before, option->refcnt);
		104	+ }
		105	+}
		106	+
		107	/* This macro defines main() method that will call specified
		108	test cases. tp and simple_test_case names can be whatever you want
		109	as long as it is a valid variable identifier. */
		110	@@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp)
		111	{
		112	ATF_TP_ADD_TC(tp, option_refcnt);
		113	ATF_TP_ADD_TC(tp, pretty_print_option);
		114	+ ATF_TP_ADD_TC(tp, add_option_ref_cnt);
		115
		116	return (atf_no_error());
		117	}
		118	--
		119	2.25.1
		120


diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch new file mode 100644 index 0000000000..d605204f89 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch
@@ -0,0 +1,40 @@
		1	From 5c959166ebee7605e2048de573f2475b4d731ff7 Mon Sep 17 00:00:00 2001
		2	From: Hitendra Prajapati <hprajapati@mvista.com>
		3	Date: Thu, 6 Oct 2022 09:42:59 +0530
		4	Subject: [PATCH] CVE-2022-2929
		5
		6	Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/]
		7	CVE: CVE-2022-2929
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	common/options.c \| 8 ++++----
		11	1 file changed, 4 insertions(+), 4 deletions(-)
		12
		13	diff --git a/common/options.c b/common/options.c
		14	index 4e53bb4..28800fc 100644
		15	--- a/common/options.c
		16	+++ b/common/options.c
		17	@@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options,
		18	while (s < &bp -> data[0] + length + 2) {
		19	len = *s;
		20	if (len > 63) {
		21	- log_info ("fancy bits in fqdn option");
		22	- return 0;
		23	+ log_info ("label length exceeds 63 in fqdn option");
		24	+ goto bad;
		25	}
		26	if (len == 0) {
		27	terminated = 1;
		28	break;
		29	}
		30	if (s + len > &bp -> data [0] + length + 3) {
		31	- log_info ("fqdn tag longer than buffer");
		32	- return 0;
		33	+ log_info ("fqdn label longer than buffer");
		34	+ goto bad;
		35	}
		36
		37	if (first_len == 0) {
		38	--
		39	2.25.1
		40


diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb index b56a204821..d3c87d0d07 100644 --- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb +++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,9 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
10	file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \	10	file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
11	file://0013-fixup_use_libbind.patch \	11	file://0013-fixup_use_libbind.patch \
12	file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \	12	file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
		13	file://CVE-2021-25217.patch \
		14	file://CVE-2022-2928.patch \
		15	file://CVE-2022-2929.patch \
13	"	16	"
14		17
15	SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"	18	SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"