diff options
Diffstat (limited to 'meta/recipes-connectivity/dhcp')
4 files changed, 229 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch new file mode 100644 index 0000000000..91aaf83a77 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001 | ||
2 | From: Minjae Kim <flowergom@gmail.com> | ||
3 | Date: Thu, 8 Jul 2021 00:08:25 +0000 | ||
4 | Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP | ||
5 | (CVE-2021-25217) | ||
6 | |||
7 | On May 26, 2021, we (Internet Systems Consortium) disclosed a | ||
8 | vulnerability affecting our ISC DHCP software: | ||
9 | |||
10 | CVE-2021-25217: A buffer overrun in lease file parsing code can be | ||
11 | used to exploit a common vulnerability shared by dhcpd and dhclient | ||
12 | https://kb.isc.org/docs/cve-2021-25217 | ||
13 | |||
14 | New versions of ISC DHCP are available from https://www.isc.org/downloads | ||
15 | |||
16 | Operators and package maintainers who prefer to apply patches selectively can | ||
17 | find individual vulnerability-specific patches in the "patches" subdirectory | ||
18 | of the release directories for our two stable release branches (4.4 and 4.1-ESV) | ||
19 | |||
20 | https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches | ||
21 | https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches | ||
22 | |||
23 | With the public announcement of this vulnerability, the embargo | ||
24 | period is ended and any updated software packages that have been | ||
25 | prepared may be released. | ||
26 | |||
27 | Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6] | ||
28 | CVE: CVE-2021-25217 | ||
29 | Signed-off-by: Minjae Kim <flowergom@gmail.com> | ||
30 | --- | ||
31 | common/parse.c | 7 ++++--- | ||
32 | 1 file changed, 4 insertions(+), 3 deletions(-) | ||
33 | |||
34 | diff --git a/common/parse.c b/common/parse.c | ||
35 | index 386a632..fc7b39c 100644 | ||
36 | --- a/common/parse.c | ||
37 | +++ b/common/parse.c | ||
38 | @@ -3,7 +3,7 @@ | ||
39 | Common parser code for dhcpd and dhclient. */ | ||
40 | |||
41 | /* | ||
42 | - * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC") | ||
43 | + * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC") | ||
44 | * Copyright (c) 1995-2003 by Internet Software Consortium | ||
45 | * | ||
46 | * This Source Code Form is subject to the terms of the Mozilla Public | ||
47 | @@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max) | ||
48 | skip_to_semi (cfile); | ||
49 | return 0; | ||
50 | } | ||
51 | - convert_num (cfile, &buf [len], val, 16, 8); | ||
52 | - if (len++ > max) { | ||
53 | + if (len >= max) { | ||
54 | parse_warn (cfile, | ||
55 | "hexadecimal constant too long."); | ||
56 | skip_to_semi (cfile); | ||
57 | return 0; | ||
58 | } | ||
59 | + convert_num (cfile, &buf [len], val, 16, 8); | ||
60 | + len++; | ||
61 | token = peek_token (&val, (unsigned *)0, cfile); | ||
62 | if (token == COLON) | ||
63 | token = next_token (&val, | ||
64 | -- | ||
65 | 2.17.1 | ||
66 | |||
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch new file mode 100644 index 0000000000..11f162cbda --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2928.patch | |||
@@ -0,0 +1,120 @@ | |||
1 | From 8a5d739eea10ee6e193f053b1662142d5657cbc6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 6 Oct 2022 09:39:18 +0530 | ||
4 | Subject: [PATCH] CVE-2022-2928 | ||
5 | |||
6 | Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/] | ||
7 | CVE: CVE-2022-2928 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | common/options.c | 7 +++++ | ||
11 | common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++ | ||
12 | 2 files changed, 61 insertions(+) | ||
13 | |||
14 | diff --git a/common/options.c b/common/options.c | ||
15 | index a7ed84c..4e53bb4 100644 | ||
16 | --- a/common/options.c | ||
17 | +++ b/common/options.c | ||
18 | @@ -4452,6 +4452,8 @@ add_option(struct option_state *options, | ||
19 | if (!option_cache_allocate(&oc, MDL)) { | ||
20 | log_error("No memory for option cache adding %s (option %d).", | ||
21 | option->name, option_num); | ||
22 | + /* Get rid of reference created during hash lookup. */ | ||
23 | + option_dereference(&option, MDL); | ||
24 | return 0; | ||
25 | } | ||
26 | |||
27 | @@ -4463,6 +4465,8 @@ add_option(struct option_state *options, | ||
28 | MDL)) { | ||
29 | log_error("No memory for constant data adding %s (option %d).", | ||
30 | option->name, option_num); | ||
31 | + /* Get rid of reference created during hash lookup. */ | ||
32 | + option_dereference(&option, MDL); | ||
33 | option_cache_dereference(&oc, MDL); | ||
34 | return 0; | ||
35 | } | ||
36 | @@ -4471,6 +4475,9 @@ add_option(struct option_state *options, | ||
37 | save_option(&dhcp_universe, options, oc); | ||
38 | option_cache_dereference(&oc, MDL); | ||
39 | |||
40 | + /* Get rid of reference created during hash lookup. */ | ||
41 | + option_dereference(&option, MDL); | ||
42 | + | ||
43 | return 1; | ||
44 | } | ||
45 | |||
46 | diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c | ||
47 | index cd52cfb..690704d 100644 | ||
48 | --- a/common/tests/option_unittest.c | ||
49 | +++ b/common/tests/option_unittest.c | ||
50 | @@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc) | ||
51 | } | ||
52 | |||
53 | |||
54 | +ATF_TC(add_option_ref_cnt); | ||
55 | + | ||
56 | +ATF_TC_HEAD(add_option_ref_cnt, tc) | ||
57 | +{ | ||
58 | + atf_tc_set_md_var(tc, "descr", | ||
59 | + "Verify add_option() does not leak option ref counts."); | ||
60 | +} | ||
61 | + | ||
62 | +ATF_TC_BODY(add_option_ref_cnt, tc) | ||
63 | +{ | ||
64 | + struct option_state *options = NULL; | ||
65 | + struct option *option = NULL; | ||
66 | + unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER; | ||
67 | + char *cid_str = "1234"; | ||
68 | + int refcnt_before = 0; | ||
69 | + | ||
70 | + // Look up the option we're going to add. | ||
71 | + initialize_common_option_spaces(); | ||
72 | + if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, | ||
73 | + &cid_code, 0, MDL)) { | ||
74 | + atf_tc_fail("cannot find option definition?"); | ||
75 | + } | ||
76 | + | ||
77 | + // Get the option's reference count before we call add_options. | ||
78 | + refcnt_before = option->refcnt; | ||
79 | + | ||
80 | + // Allocate a option_state to which to add an option. | ||
81 | + if (!option_state_allocate(&options, MDL)) { | ||
82 | + atf_tc_fail("cannot allocat options state"); | ||
83 | + } | ||
84 | + | ||
85 | + // Call add_option() to add the option to the option state. | ||
86 | + if (!add_option(options, cid_code, cid_str, strlen(cid_str))) { | ||
87 | + atf_tc_fail("add_option returned 0"); | ||
88 | + } | ||
89 | + | ||
90 | + // Verify that calling add_option() only adds 1 to the option ref count. | ||
91 | + if (option->refcnt != (refcnt_before + 1)) { | ||
92 | + atf_tc_fail("after add_option(), count is wrong, before %d, after: %d", | ||
93 | + refcnt_before, option->refcnt); | ||
94 | + } | ||
95 | + | ||
96 | + // Derefrence the option_state, this should reduce the ref count to | ||
97 | + // it's starting value. | ||
98 | + option_state_dereference(&options, MDL); | ||
99 | + | ||
100 | + // Verify that dereferencing option_state restores option ref count. | ||
101 | + if (option->refcnt != refcnt_before) { | ||
102 | + atf_tc_fail("after state deref, count is wrong, before %d, after: %d", | ||
103 | + refcnt_before, option->refcnt); | ||
104 | + } | ||
105 | +} | ||
106 | + | ||
107 | /* This macro defines main() method that will call specified | ||
108 | test cases. tp and simple_test_case names can be whatever you want | ||
109 | as long as it is a valid variable identifier. */ | ||
110 | @@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp) | ||
111 | { | ||
112 | ATF_TP_ADD_TC(tp, option_refcnt); | ||
113 | ATF_TP_ADD_TC(tp, pretty_print_option); | ||
114 | + ATF_TP_ADD_TC(tp, add_option_ref_cnt); | ||
115 | |||
116 | return (atf_no_error()); | ||
117 | } | ||
118 | -- | ||
119 | 2.25.1 | ||
120 | |||
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch new file mode 100644 index 0000000000..d605204f89 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2022-2929.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 5c959166ebee7605e2048de573f2475b4d731ff7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Thu, 6 Oct 2022 09:42:59 +0530 | ||
4 | Subject: [PATCH] CVE-2022-2929 | ||
5 | |||
6 | Upstream-Status: Backport [https://downloads.isc.org/isc/dhcp/4.4.3-P1/patches/] | ||
7 | CVE: CVE-2022-2929 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | common/options.c | 8 ++++---- | ||
11 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
12 | |||
13 | diff --git a/common/options.c b/common/options.c | ||
14 | index 4e53bb4..28800fc 100644 | ||
15 | --- a/common/options.c | ||
16 | +++ b/common/options.c | ||
17 | @@ -454,16 +454,16 @@ int fqdn_universe_decode (struct option_state *options, | ||
18 | while (s < &bp -> data[0] + length + 2) { | ||
19 | len = *s; | ||
20 | if (len > 63) { | ||
21 | - log_info ("fancy bits in fqdn option"); | ||
22 | - return 0; | ||
23 | + log_info ("label length exceeds 63 in fqdn option"); | ||
24 | + goto bad; | ||
25 | } | ||
26 | if (len == 0) { | ||
27 | terminated = 1; | ||
28 | break; | ||
29 | } | ||
30 | if (s + len > &bp -> data [0] + length + 3) { | ||
31 | - log_info ("fqdn tag longer than buffer"); | ||
32 | - return 0; | ||
33 | + log_info ("fqdn label longer than buffer"); | ||
34 | + goto bad; | ||
35 | } | ||
36 | |||
37 | if (first_len == 0) { | ||
38 | -- | ||
39 | 2.25.1 | ||
40 | |||
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb index b56a204821..d3c87d0d07 100644 --- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb +++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb | |||
@@ -10,6 +10,9 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat | |||
10 | file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \ | 10 | file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \ |
11 | file://0013-fixup_use_libbind.patch \ | 11 | file://0013-fixup_use_libbind.patch \ |
12 | file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \ | 12 | file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \ |
13 | file://CVE-2021-25217.patch \ | ||
14 | file://CVE-2022-2928.patch \ | ||
15 | file://CVE-2022-2929.patch \ | ||
13 | " | 16 | " |
14 | 17 | ||
15 | SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1" | 18 | SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1" |