From be946042b4fe11abaac43300d2165e224215d3c9 Mon Sep 17 00:00:00 2001 From: Lars Wendler Date: Tue, 7 May 2019 13:19:21 +0200 Subject: net-misc/dhcpcd: Security bump to version 7.1.1-r3 Bug: https://bugs.gentoo.org/685264 Package-Manager: Portage-2.3.66, Repoman-2.3.12 Signed-off-by: Lars Wendler --- net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild | 154 +++++++++++++++++++++ .../files/dhcpcd-7.1.1-v6_read_overflow.patch | 120 ++++++++++++++++ 2 files changed, 274 insertions(+) create mode 100644 net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild create mode 100644 net-misc/dhcpcd/files/dhcpcd-7.1.1-v6_read_overflow.patch (limited to 'net-misc') diff --git a/net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild b/net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild new file mode 100644 index 000000000000..755eefee08f0 --- /dev/null +++ b/net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild @@ -0,0 +1,154 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit systemd toolchain-funcs + +if [[ ${PV} == "9999" ]]; then + inherit git-r3 + EGIT_REPO_URI="https://roy.marples.name/git/dhcpcd.git" +else + MY_P="${P/_alpha/-alpha}" + MY_P="${MY_P/_beta/-beta}" + MY_P="${MY_P/_rc/-rc}" + SRC_URI="https://roy.marples.name/downloads/${PN}/${MY_P}.tar.xz" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux" + S="${WORKDIR}/${MY_P}" +fi + +DESCRIPTION="A fully featured, yet light weight RFC2131 compliant DHCP client" +HOMEPAGE="https://roy.marples.name/projects/dhcpcd" +LICENSE="BSD-2" +SLOT="0" +IUSE="elibc_glibc +embedded ipv6 kernel_linux +udev" + +COMMON_DEPEND="udev? ( virtual/udev )" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" + +PATCHES=( + "${FILESDIR}"/${P}-disable_inet6_fix.patch #677508 + "${FILESDIR}"/${P}-overflows.patch #684430 + "${FILESDIR}"/${P}-v6_read_overflow.patch #685264 +) + +src_configure() { + local dev hooks=() rundir + use udev || dev="--without-dev --without-udev" + hooks=( --with-hook=ntp.conf ) + use elibc_glibc && hooks+=( --with-hook=yp.conf ) + use kernel_linux && rundir="--rundir=${EPREFIX}/run" + local myeconfargs=( + --prefix="${EPREFIX}" + --libexecdir="${EPREFIX}/lib/dhcpcd" + --dbdir="${EPREFIX}/var/lib/dhcpcd" + --localstatedir="${EPREFIX}/var" + ${rundir} + $(use_enable embedded) + $(use_enable ipv6) + ${dev} + CC="$(tc-getCC)" + ${hooks[@]} + ) + econf "${myeconfargs[@]}" +} + +src_install() { + default + keepdir /var/lib/dhcpcd + newinitd "${FILESDIR}"/${PN}.initd ${PN} + systemd_dounit "${FILESDIR}"/${PN}.service +} + +pkg_postinst() { + local dbdir="${EROOT%/}"/var/lib/dhcpcd old_files=() + + local old_old_duid="${EROOT%/}"/var/lib/dhcpcd/dhcpcd.duid + local old_duid="${EROOT%/}"/etc/dhcpcd.duid + local new_duid="${dbdir}"/duid + if [[ -e "${old_old_duid}" ]] ; then + # Upgrade the duid file to the new format if needed + if ! grep -q '..:..:..:..:..:..' "${old_old_duid}"; then + sed -i -e 's/\(..\)/\1:/g; s/:$//g' "${old_old_duid}" + fi + + # Move the duid to /etc, a more sensible location + if [[ ! -e "${old_duid}" ]] ; then + cp -p "${old_old_duid}" "${new_duid}" + fi + old_files+=( "${old_old_duid}" ) + fi + + # dhcpcd-7 moves the files out of /etc + if [[ -e "${old_duid}" ]] ; then + if [[ ! -e "${new_duid}" ]] ; then + cp -p "${old_duid}" "${new_duid}" + fi + old_files+=( "${old_duid}" ) + fi + local old_secret="${EROOT%/}"/etc/dhcpcd.secret + local new_secret="${dbdir}"/secret + if [[ -e "${old_secret}" ]] ; then + if [[ ! -e "${new_secret}" ]] ; then + cp -p "${old_secret}" "${new_secret}" + fi + old_files+=( "${old_secret}" ) + fi + + # dhcpcd-7 renames some files in /var/lib/dhcpcd + local old_rdm="${dbdir}"/dhcpcd-rdm.monotonic + local new_rdm="${dbdir}"/rdm_monotonic + if [[ -e "${old_rdm}" ]] ; then + if [[ ! -e "${new_rdm}" ]] ; then + cp -p "${old_rdm}" "${new_rdm}" + fi + old_files+=( "${old_rdm}" ) + fi + local lease= + for lease in "${dbdir}"/dhcpcd-*.lease*; do + [[ -f "${lease}" ]] || continue + old_files+=( "${lease}" ) + local new_lease=$(basename "${lease}" | sed -e "s/dhcpcd-//") + [[ -e "${dbdir}/${new_lease}" ]] && continue + cp "${lease}" "${dbdir}/${new_lease}" + done + + # Warn about removing stale files + if [[ -n "${old_files[@]}" ]] ; then + elog + elog "dhcpcd-7 has copied dhcpcd.duid and dhcpcd.secret from" + elog "${EROOT%/}/etc to ${dbdir}" + elog "and copied leases in ${dbdir} to new files with the dhcpcd-" + elog "prefix dropped." + elog + elog "You should remove these files if you don't plan on reverting" + elog "to an older version:" + local old_file= + for old_file in ${old_files[@]}; do + elog " ${old_file}" + done + fi + + if [ -z "${REPLACING_VERSIONS}" ]; then + elog + elog "dhcpcd has zeroconf support active by default." + elog "This means it will always obtain an IP address even if no" + elog "DHCP server can be contacted, which will break any existing" + elog "failover support you may have configured in your net configuration." + elog "This behaviour can be controlled with the noipv4ll configuration" + elog "file option or the -L command line switch." + elog "See the dhcpcd and dhcpcd.conf man pages for more details." + + elog + elog "Dhcpcd has duid enabled by default, and this may cause issues" + elog "with some dhcp servers. For more information, see" + elog "https://bugs.gentoo.org/show_bug.cgi?id=477356" + fi + + if ! has_version net-dns/bind-tools; then + elog + elog "If you activate the lookup-hostname hook to look up your hostname" + elog "using the dns, you need to install net-dns/bind-tools." + fi +} diff --git a/net-misc/dhcpcd/files/dhcpcd-7.1.1-v6_read_overflow.patch b/net-misc/dhcpcd/files/dhcpcd-7.1.1-v6_read_overflow.patch new file mode 100644 index 000000000000..54b559fcd87f --- /dev/null +++ b/net-misc/dhcpcd/files/dhcpcd-7.1.1-v6_read_overflow.patch @@ -0,0 +1,120 @@ +From c1ebeaafeb324bac997984abdcee2d4e8b61a8a8 Mon Sep 17 00:00:00 2001 +From: Roy Marples +Date: Fri, 3 May 2019 14:44:06 +0100 +Subject: DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE + +dhcpcd only checks that the prefix length of the exclusion +matches the prefix length of the ia and equals the length of the +data in the option. +This could potentially overrun the in6_addr structure. + +This is fixed by enforcing RFC 6603 section 4.2 option limits +more clearly. + +Thanks to Maxime Villard for finding this. +--- + src/dhcp6.c | 44 +++++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff --git a/src/dhcp6.c b/src/dhcp6.c +index dee8d4b6..583f3b3f 100644 +--- a/src/dhcp6.c ++++ b/src/dhcp6.c +@@ -2166,40 +2166,38 @@ dhcp6_findpd(struct interface *ifp, const uint8_t *iaid, + state->expire = a->prefix_vltime; + i++; + +- o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol); + a->prefix_exclude_len = 0; + memset(&a->prefix_exclude, 0, sizeof(a->prefix_exclude)); +-#if 0 +- if (ex == NULL) { +- struct dhcp6_option *w; +- uint8_t *wp; +- +- w = calloc(1, 128); +- w->len = htons(2); +- wp = D6_OPTION_DATA(w); +- *wp++ = 64; +- *wp++ = 0x78; +- ex = w; +- } +-#endif ++ o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol); + if (o == NULL) + continue; +- if (ol < 2) { +- logerrx("%s: truncated PD Exclude", ifp->name); ++ ++ /* RFC 6603 4.2 says option length MUST be between 2 and 17. ++ * This allows 1 octet for prefix length and 16 for the ++ * subnet ID. */ ++ if (ol < 2 || ol > 17) { ++ logerrx("%s: invalid PD Exclude option", ifp->name); + continue; + } +- a->prefix_exclude_len = *o++; +- ol--; +- if (((a->prefix_exclude_len - a->prefix_len - 1) / NBBY) + 1 +- != ol) +- { ++ ++ /* RFC 6603 4.2 says prefix length MUST be between the ++ * length of the IAPREFIX prefix length + 1 and 128. */ ++ if (*o < a->prefix_len + 1 || *o > 128) { ++ logerrx("%s: invalid PD Exclude length", ifp->name); ++ continue; ++ } ++ ++ /* Check option length matches prefix length. */ ++ if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) { + logerrx("%s: PD Exclude length mismatch", ifp->name); +- a->prefix_exclude_len = 0; + continue; + } +- nb = a->prefix_len % NBBY; ++ ++ a->prefix_exclude_len = *o++; ++ ol--; + memcpy(&a->prefix_exclude, &a->prefix, + sizeof(a->prefix_exclude)); ++ nb = a->prefix_len % NBBY; + if (nb) + ol--; + pw = a->prefix_exclude.s6_addr + +-- +cgit v1.2.1 + +From 896ef4a54b0578985e5e1360b141593f1d62837b Mon Sep 17 00:00:00 2001 +From: Roy Marples +Date: Sat, 4 May 2019 10:19:02 +0100 +Subject: DHCPv6: Fix exclude prefix length check. + +--- + src/dhcp6.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/dhcp6.c b/src/dhcp6.c +index 583f3b3f..7f26129f 100644 +--- a/src/dhcp6.c ++++ b/src/dhcp6.c +@@ -2187,14 +2187,14 @@ dhcp6_findpd(struct interface *ifp, const uint8_t *iaid, + continue; + } + ++ ol--; + /* Check option length matches prefix length. */ + if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) { + logerrx("%s: PD Exclude length mismatch", ifp->name); + continue; + } +- + a->prefix_exclude_len = *o++; +- ol--; ++ + memcpy(&a->prefix_exclude, &a->prefix, + sizeof(a->prefix_exclude)); + nb = a->prefix_len % NBBY; +-- +cgit v1.2.1 + -- cgit v1.2.3-65-gdbad