dhcp: fix CVE-2021-25217

A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient. reference: https://www.openwall.com/lists/oss-security/2021/05/26/6 https://kb.isc.org/docs/cve-2021-25217 (From OE-Core rev: 58fa175702f0cd8f00dc5e7938fb55108921d324) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Minjae Kim <flowergom@gmail.com> 2021-07-08 22:22:40 +0900
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-07-15 15:27:49 +0100
commit: e643a5b966756f383e71c138944e4e1c65c8cd46 (patch)
tree: 5f843ae8bd2a1c8fe2dbbb81b39205ca3ecc7c28
parent: 1fe2f91cf39dd43661c7e229a48ec50cdc28b7bc (diff)
download: poky-e643a5b966756f383e71c138944e4e1c65c8cd46.tar.gz
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
new file mode 100644
index 0000000000..91aaf83a77
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
+From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 8 Jul 2021 00:08:25 +0000
+Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
+ (CVE-2021-25217)
+On May 26, 2021, we (Internet Systems Consortium) disclosed a
+vulnerability affecting our ISC DHCP software:
+    CVE-2021-25217: A buffer overrun in lease file parsing code can be
+    used to exploit a common vulnerability shared by dhcpd and dhclient
+    https://kb.isc.org/docs/cve-2021-25217
+New versions of ISC DHCP are available from https://www.isc.org/downloads
+Operators and package maintainers who prefer to apply patches selectively can
+find individual vulnerability-specific patches in the "patches" subdirectory
+of the release directories for our two stable release branches (4.4 and 4.1-ESV)
+   https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
+   https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
+With the public announcement of this vulnerability, the embargo
+period is ended and any updated software packages that have been
+prepared may be released.
+Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
+CVE: CVE-2021-25217
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ common/parse.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+diff --git a/common/parse.c b/common/parse.c
+index 386a632..fc7b39c 100644
+--- a/common/parse.c
+++ b/common/parse.c
+@@ -3,7 +3,7 @@
+    Common parser code for dhcpd and dhclient. */
+ 
+ /*
+- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
+  * Copyright (c) 1995-2003 by Internet Software Consortium
+  *
+  * This Source Code Form is subject to the terms of the Mozilla Public
+@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
+                                skip_to_semi (cfile);
+                                return 0;
+                        }
+-                       convert_num (cfile, &buf [len], val, 16, 8);
+-                       if (len++ > max) {
+                       if (len >= max) {
+                                parse_warn (cfile,
+                                            "hexadecimal constant too long.");
+                                skip_to_semi (cfile);
+                                return 0;
+                        }
+                       convert_num (cfile, &buf [len], val, 16, 8);
+                       len++;
+                        token = peek_token (&val, (unsigned *)0, cfile);
+                        if (token == COLON)
+                                token = next_token (&val,
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
index b56a204821..5609a350cc 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
            file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
            file://0013-fixup_use_libbind.patch \
            file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
+            file://CVE-2021-25217.patch \
 "
 SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"
author	Minjae Kim <flowergom@gmail.com>	2021-07-08 22:22:40 +0900
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-07-15 15:27:49 +0100
commit	e643a5b966756f383e71c138944e4e1c65c8cd46 (patch)
tree	5f843ae8bd2a1c8fe2dbbb81b39205ca3ecc7c28
parent	1fe2f91cf39dd43661c7e229a48ec50cdc28b7bc (diff)
download	poky-e643a5b966756f383e71c138944e4e1c65c8cd46.tar.gz

diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch new file mode 100644 index 0000000000..91aaf83a77 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
		1	From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
		2	From: Minjae Kim <flowergom@gmail.com>
		3	Date: Thu, 8 Jul 2021 00:08:25 +0000
		4	Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
		5	(CVE-2021-25217)
		6
		7	On May 26, 2021, we (Internet Systems Consortium) disclosed a
		8	vulnerability affecting our ISC DHCP software:
		9
		10	CVE-2021-25217: A buffer overrun in lease file parsing code can be
		11	used to exploit a common vulnerability shared by dhcpd and dhclient
		12	https://kb.isc.org/docs/cve-2021-25217
		13
		14	New versions of ISC DHCP are available from https://www.isc.org/downloads
		15
		16	Operators and package maintainers who prefer to apply patches selectively can
		17	find individual vulnerability-specific patches in the "patches" subdirectory
		18	of the release directories for our two stable release branches (4.4 and 4.1-ESV)
		19
		20	https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
		21	https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
		22
		23	With the public announcement of this vulnerability, the embargo
		24	period is ended and any updated software packages that have been
		25	prepared may be released.
		26
		27	Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
		28	CVE: CVE-2021-25217
		29	Signed-off-by: Minjae Kim <flowergom@gmail.com>
		30	---
		31	common/parse.c \| 7 ++++---
		32	1 file changed, 4 insertions(+), 3 deletions(-)
		33
		34	diff --git a/common/parse.c b/common/parse.c
		35	index 386a632..fc7b39c 100644
		36	--- a/common/parse.c
		37	+++ b/common/parse.c
		38	@@ -3,7 +3,7 @@
		39	Common parser code for dhcpd and dhclient. */
		40
		41	/*
		42	- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
		43	+ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
		44	* Copyright (c) 1995-2003 by Internet Software Consortium
		45	*
		46	* This Source Code Form is subject to the terms of the Mozilla Public
		47	@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
		48	skip_to_semi (cfile);
		49	return 0;
		50	}
		51	- convert_num (cfile, &buf [len], val, 16, 8);
		52	- if (len++ > max) {
		53	+ if (len >= max) {
		54	parse_warn (cfile,
		55	"hexadecimal constant too long.");
		56	skip_to_semi (cfile);
		57	return 0;
		58	}
		59	+ convert_num (cfile, &buf [len], val, 16, 8);
		60	+ len++;
		61	token = peek_token (&val, (unsigned *)0, cfile);
		62	if (token == COLON)
		63	token = next_token (&val,
		64	--
		65	2.17.1
		66


diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb index b56a204821..5609a350cc 100644 --- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb +++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
10	file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \	10	file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
11	file://0013-fixup_use_libbind.patch \	11	file://0013-fixup_use_libbind.patch \
12	file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \	12	file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
		13	file://CVE-2021-25217.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"	16	SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"