diff options
author | Tony Vroon <chainsaw@gentoo.org> | 2009-07-14 17:35:55 +0000 |
---|---|---|
committer | Tony Vroon <chainsaw@gentoo.org> | 2009-07-14 17:35:55 +0000 |
commit | d731c78b17cefd4c42acac126d779ac37a8527c2 (patch) | |
tree | e8430f18bd4f8d5ae6312a89b8d5086821b67a3a /net-misc | |
parent | Remove old version. (diff) | |
download | gentoo-2-d731c78b17cefd4c42acac126d779ac37a8527c2.tar.gz gentoo-2-d731c78b17cefd4c42acac126d779ac37a8527c2.tar.bz2 gentoo-2-d731c78b17cefd4c42acac126d779ac37a8527c2.zip |
Version bump for CVE-2009-0692 (dhclient stack-based buffer overflow); security bug #277729. Stable keywords approved by arch liaisons.
(Portage version: 2.1.6.13/cvs/Linux x86_64, RepoMan options: --force)
Diffstat (limited to 'net-misc')
-rw-r--r-- | net-misc/dhcp/ChangeLog | 9 | ||||
-rw-r--r-- | net-misc/dhcp/dhcp-3.1.1-r1.ebuild | 242 | ||||
-rw-r--r-- | net-misc/dhcp/files/dhcp-3.1.1-CVE-2009-0692.patch | 14 |
3 files changed, 264 insertions, 1 deletions
diff --git a/net-misc/dhcp/ChangeLog b/net-misc/dhcp/ChangeLog index 27c02bf10764..027da3d4ee57 100644 --- a/net-misc/dhcp/ChangeLog +++ b/net-misc/dhcp/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for net-misc/dhcp # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/dhcp/ChangeLog,v 1.155 2009/07/09 14:45:21 chainsaw Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/dhcp/ChangeLog,v 1.156 2009/07/14 17:35:54 chainsaw Exp $ + +*dhcp-3.1.1-r1 (14 Jul 2009) + + 14 Jul 2009; <chainsaw@gentoo.org> +dhcp-3.1.1-r1.ebuild, + +files/dhcp-3.1.1-CVE-2009-0692.patch: + Version bump for CVE-2009-0692 (dhclient stack-based buffer overflow); + security bug #277729. Stable keywords approved by arch liaisons. *dhcp-4.1.0 (09 Jul 2009) *dhcp-3.1.2 (09 Jul 2009) diff --git a/net-misc/dhcp/dhcp-3.1.1-r1.ebuild b/net-misc/dhcp/dhcp-3.1.1-r1.ebuild new file mode 100644 index 000000000000..0dc23e575243 --- /dev/null +++ b/net-misc/dhcp/dhcp-3.1.1-r1.ebuild @@ -0,0 +1,242 @@ +# Copyright 1999-2009 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/dhcp/dhcp-3.1.1-r1.ebuild,v 1.1 2009/07/14 17:35:54 chainsaw Exp $ + +inherit eutils flag-o-matic multilib toolchain-funcs + +MY_PV="${PV//_alpha/a}" +MY_PV="${MY_PV//_beta/b}" +MY_PV="${MY_PV//_rc/rc}" +MY_P="${PN}-${MY_PV}" +DESCRIPTION="ISC Dynamic Host Configuration Protocol" +HOMEPAGE="http://www.isc.org/products/DHCP" +SRC_URI="ftp://ftp.isc.org/isc/dhcp/${MY_P}.tar.gz" + +LICENSE="isc-dhcp" +SLOT="0" +KEYWORDS="alpha amd64 arm hppa ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd" +IUSE="doc minimal static selinux kernel_linux" + +DEPEND="selinux? ( sec-policy/selinux-dhcp ) + kernel_linux? ( sys-apps/net-tools )" + +PROVIDE="virtual/dhcpc" + +S="${WORKDIR}/${MY_P}" + +src_unpack() { + unpack ${A} + cd "${S}" + + # Gentoo patches - these will probably never be accepted upstream + # Enable chroot support + epatch "${FILESDIR}/${PN}"-3.0-paranoia.patch + # Fix some permission issues + epatch "${FILESDIR}/${PN}"-3.0-fix-perms.patch + # Enable dhclient to equery NTP servers + epatch "${FILESDIR}/${PN}"-3.0.3-dhclient-ntp.patch + # resolvconf support in dhclient-script + epatch "${FILESDIR}/${PN}"-3.1.0a1-dhclient-resolvconf.patch + # Fix setting hostnames on Linux + epatch "${FILESDIR}/${PN}"-3.0.3-dhclient-hostname.patch + # Allow mtu settings + epatch "${FILESDIR}/${PN}"-3.0.3-dhclient-mtu.patch + # Allow dhclient to use IF_METRIC to set route metrics + epatch "${FILESDIR}/${PN}"-3.0.3-dhclient-metric.patch + # Stop downing the interface on Linux as that breaks link dameons + # such as wpa_supplicant and netplug + epatch "${FILESDIR}/${PN}"-3.0.3-dhclient-no-down.patch + # Quiet the isc blurb + epatch "${FILESDIR}/${PN}"-3.0.3-no_isc_blurb.patch + # Enable dhclient to get extra configuration from stdin + epatch "${FILESDIR}/${PN}"-3.0.4-dhclient-stdin-conf.patch + # Disable fallback interfaces when using BPF + # This allows more than one dhclient instance on the BSD's + epatch "${FILESDIR}/${PN}"-3.0.5-bpf-nofallback.patch + + # General fixes which will probably be accepted upstream eventually + # Install libdst, #75544 + epatch "${FILESDIR}/${PN}"-3.0.3-libdst.patch + # Fix building on Gentoo/FreeBSD + epatch "${FILESDIR}/${PN}"-3.0.2-gmake.patch + + # NetworkManager support patches + # If they fail to apply to future versions they will be dropped + # Add dbus support to dhclient + epatch "${FILESDIR}/${PN}"-3.0.3-dhclient-dbus.patch + + # CVE-2009-0692: script_write_params() Stack-based buffer overflow in dhclient + # bug 275231 + epatch "${FILESDIR}/${PN}"-3.1.1-CVE-2009-0692.patch + + # Brand the version with Gentoo + # include revision if >0 + local newver="${MY_PV}-Gentoo" + [[ ${PR} != "r0" ]] && newver="${newver}-${PR}" + sed -i '/^#define DHCP_VERSION[ \t]\+/ s/'"${MY_PV}/${newver}/g" \ + includes/version.h || die + + # Change the hook script locations of the scripts + sed -i -e 's,/etc/dhclient-exit-hooks,/etc/dhcp/dhclient-exit-hooks,g' \ + -e 's,/etc/dhclient-enter-hooks,/etc/dhcp/dhclient-enter-hooks,g' \ + client/scripts/* || die + + # No need for the linux script to force bash, #158540. + sed -i -e 's,#!/bin/bash,#!/bin/sh,' client/scripts/linux || die + + # Quiet the freebsd logger a little + sed -i -e '/LOGGER=/ s/-s -p user.notice //g' client/scripts/freebsd || die + + # Remove these options from the sample config + sed -i -e "/\(script\|host-name\|domain-name\) / d" \ + client/dhclient.conf || die + + # Build sed man pages as we don't ever support BSD 4.4 and older, #130251. + local x= + for x in Makefile.dist $(ls */Makefile.dist) ; do + sed -i -e 's/$(CATMANPAGES)/$(SEDMANPAGES)/g' "${x}" || die + done + + # Only install different man pages if we don't have en + if [[ " ${LINGUAS} " != *" en "* ]]; then + # Install Japanese man pages + if [[ " ${LINGUAS} " == *" ja "* && -d doc/ja_JP.eucJP ]]; then + einfo "Installing Japanese documention" + cp doc/ja_JP.eucJP/dhclient* client + cp doc/ja_JP.eucJP/dhcp* common + fi + fi + + # Now remove the non-english docs so there are no errors later + [[ -d doc/ja_JP.eucJP ]] && rm -rf doc/ja_JP.eucJP +} + +src_compile() { + use static && append-ldflags -static + + cat <<-END >> includes/site.h + #define _PATH_DHCPD_CONF "/etc/dhcp/dhcpd.conf" + #define _PATH_DHCPD_PID "/var/run/dhcp/dhcpd.pid" + #define _PATH_DHCPD_DB "/var/lib/dhcp/dhcpd.leases" + #define _PATH_DHCLIENT_CONF "/etc/dhcp/dhclient.conf" + #define _PATH_DHCLIENT_DB "/var/lib/dhcp/dhclient.leases" + #define _PATH_DHCLIENT_PID "/var/run/dhcp/dhclient.pid" + #define DHCPD_LOG_FACILITY LOG_LOCAL1 + END + + cat <<-END > site.conf + CC = $(tc-getCC) + LFLAGS = ${LDFLAGS} + LIBDIR = /usr/$(get_libdir) + INCDIR = /usr/include + ETC = /etc/dhcp + VARDB = /var/lib/dhcp + VARRUN = /var/run/dhcp + ADMMANDIR = /usr/share/man/man8 + ADMMANEXT = .8 + FFMANDIR = /usr/share/man/man5 + FFMANEXT = .5 + LIBMANDIR = /usr/share/man/man3 + LIBMANEXT = .3 + USRMANDIR = /usr/share/man/man1 + USRMANEXT = .1 + MANCAT = man + END + + ./configure --copts "-DPARANOIA -DEARLY_CHROOT ${CFLAGS}" \ + || die "configure failed" + + # Remove server support from the Makefile + # We still install some extra crud though + if use minimal ; then + sed -i -e 's/\(server\|relay\|dhcpctl\)/ /g' work.*/Makefile || die + fi + emake || die "compile problem" +} + +src_install() { + make install DESTDIR="${D}" || die + use doc && dodoc README RELNOTES doc/* + + insinto /etc/dhcp + newins client/dhclient.conf dhclient.conf.sample + keepdir /var/{lib,run}/dhcp + + # Install our server files + if ! use minimal ; then + insinto /etc/dhcp + newins server/dhcpd.conf dhcpd.conf.sample + newinitd "${FILESDIR}"/dhcpd.init dhcpd + newinitd "${FILESDIR}"/dhcrelay.init dhcrelay + newconfd "${FILESDIR}"/dhcpd.conf dhcpd + newconfd "${FILESDIR}"/dhcrelay.conf dhcrelay + + # We never want portage to own this file + rm -f "${D}"/var/lib/dhcp/dhcpd.leases + fi +} + +pkg_preinst() { + if ! use minimal ; then + enewgroup dhcp + enewuser dhcp -1 -1 /var/lib/dhcp dhcp + fi +} + +pkg_postinst() { + use minimal && return + + chown dhcp:dhcp "${ROOT}"/var/{lib,run}/dhcp + + if [[ -e "${ROOT}"/etc/init.d/dhcp ]] ; then + ewarn + ewarn "WARNING: The dhcp init script has been renamed to dhcpd" + ewarn "/etc/init.d/dhcp and /etc/conf.d/dhcp need to be removed and" + ewarn "and dhcp should be removed from the default runlevel" + ewarn + fi + + einfo "You can edit /etc/conf.d/dhcpd to customize dhcp settings." + einfo + einfo "If you would like to run dhcpd in a chroot, simply configure the" + einfo "DHCPD_CHROOT directory in /etc/conf.d/dhcpd and then run:" + einfo " emerge --config =${PF}" +} + +pkg_config() { + if use minimal ; then + eerror "${PN} has not been compiled for server support" + eerror "emerge ${PN} without the minimal USE flag to use dhcp sever" + return 1 + fi + + local CHROOT="$( + sed -n -e 's/^[[:blank:]]\?DHCPD_CHROOT="*\([^#"]\+\)"*/\1/p' \ + "${ROOT}"/etc/conf.d/dhcpd + )" + + if [[ -z ${CHROOT} ]]; then + eerror "CHROOT not defined in /etc/conf.d/dhcpd" + return 1 + fi + + CHROOT="${ROOT}/${CHROOT}" + + if [[ -d ${CHROOT} ]] ; then + ewarn "${CHROOT} already exists - aborting" + return 0 + fi + + ebegin "Setting up the chroot directory" + mkdir -m 0755 -p "${CHROOT}/"{dev,etc,var/lib,var/run/dhcp} + cp /etc/{localtime,resolv.conf} "${CHROOT}"/etc + cp -R /etc/dhcp "${CHROOT}"/etc + cp -R /var/lib/dhcp "${CHROOT}"/var/lib + ln -s ../../var/lib/dhcp "${CHROOT}"/etc/dhcp/lib + chown -R dhcp:dhcp "${CHROOT}"/var/{lib,run}/dhcp + eend 0 + + local logger="$(best_version virtual/logger)" + einfo "To enable logging from the dhcpd server, configure your" + einfo "logger (${logger}) to listen on ${CHROOT}/dev/log" +} diff --git a/net-misc/dhcp/files/dhcp-3.1.1-CVE-2009-0692.patch b/net-misc/dhcp/files/dhcp-3.1.1-CVE-2009-0692.patch new file mode 100644 index 000000000000..b12a616deafd --- /dev/null +++ b/net-misc/dhcp/files/dhcp-3.1.1-CVE-2009-0692.patch @@ -0,0 +1,14 @@ +--- dhcp-3.1.1.orig/client/dhclient.c ++++ dhcp-3.1.1/client/dhclient.c +@@ -2547,8 +2547,9 @@ void script_write_params (client, prefix + (struct option_state *)0, + lease -> options, + &global_scope, oc, MDL)) { +- if (data.len > 3) { +- struct iaddr netmask, subnet, broadcast; ++ struct iaddr netmask; ++ if (data.len > 3 && data.len <= sizeof(netmask.iabuf)) { ++ struct iaddr subnet, broadcast; + + memcpy (netmask.iabuf, data.data, data.len); + netmask.len = data.len; |