Package: release.debian.org
Severity: normal
Tags: security patch
User: release.debian....@packages.debian.org
Usertags: pu
Dear all,

A denial of service issue was fixed upstream. It received CVE-2014-6060. The fix commit got cherry-picked into unstable recently. So now, I'm getting this down to stable.

You'll find attached the debdiff & the dsc of the package against stable.

Cheers,
Pierre

-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Format: 3.0 (quilt)
Source: dhcpcd5
Binary: dhcpcd5
Architecture: any
Version: 5.5.6-1+deb7u1
Maintainer: Roy Marples <r...@marples.name>
Homepage: http://roy.marples.name/projects/dhcpcd
Standards-Version: 3.9.3
Build-Depends: debhelper (>= 7.0.50~)
Package-List:
 dhcpcd5 deb net optional
Checksums-Sha1:
 7f9ca207bce051252c0acb6a6cae3de22babcb20 78185 dhcpcd5_5.5.6.orig.tar.bz2
 390a24ca7ef446b1381946ba116923e74652c4e3 3767 dhcpcd5_5.5.6-1+deb7u1.debian.tar.gz
Checksums-Sha256:
 657f10dc7de48cba9f7170b593bf0e11987d06bd12378e3f4cd01b9e99b1e8e7 78185 dhcpcd5_5.5.6.orig.tar.bz2
 c0ed72a70c907198582d9ba8c7f4d25fccdc0f38f6f9b8247afb034a2e2718cb 3767 dhcpcd5_5.5.6-1+deb7u1.debian.tar.gz
Files:
 a5c0e43b4e836cfc003437329f6b7982 78185 dhcpcd5_5.5.6.orig.tar.bz2
 e69abe2b74159b6bf6cba8fc3463379a 3767 dhcpcd5_5.5.6-1+deb7u1.debian.tar.gz
diff -Nru dhcpcd5-5.5.6/debian/changelog dhcpcd5-5.5.6/debian/changelog --- dhcpcd5-5.5.6/debian/changelog 2012-04-01 11:25:26.000000000 +0200 +++ dhcpcd5-5.5.6/debian/changelog 2014-11-20 13:32:23.000000000 +0100 @@ -1,3 +1,11 @@ +dhcpcd5 (5.5.6-1+deb7u1) stable; urgency=medium + + * Non-maintainer upload by the Security Team. + * Fix denial of service (CVE-2014-6060) in dhcpcd5: + - backport fix from debian unstable dhcpcd5/6.0.5-2 + + -- Pierre Schweitzer <pie...@reactos.org> Thu, 20 Nov 2014 13:29:49 +0100 + dhcpcd5 (5.5.6-1) unstable; urgency=medium * New upstream release diff -Nru dhcpcd5-5.5.6/debian/patches/CVE-2014-6060.patch dhcpcd5-5.5.6/debian/patches/CVE-2014-6060.patch --- dhcpcd5-5.5.6/debian/patches/CVE-2014-6060.patch 1970-01-01 01:00:00.000000000 +0100 +++ dhcpcd5-5.5.6/debian/patches/CVE-2014-6060.patch 2014-11-20 13:25:21.000000000 +0100 
@@ -0,0 +1,27 @@ +Description: Fix CVE-2014-6060 + Only bits 1 and 2 are used in the DHCP overload option, so when we + encounter the option set the last bit as well to ensure servername and + bootfile are only checked once as their check unsets bits 1 and 2. + Thanks to Tobias Stoeckmann. +Origin: upstream, http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0 +Bug-Debian: https://bugs.debian.org/770043 +From: Roy Marples <r...@marples.name> +Applied-Upstream: 6.4.3 + +--- a/dhcp.c ++++ b/dhcp.c +@@ -343,9 +343,12 @@ get_option(const struct dhcp_message *dh + goto exit; + break; + case DHO_OPTIONSOVERLOADED: +- /* Ensure we only get this option once */ ++ /* Ensure we only get this option once by setting ++ * the last bit as well as the value. ++ * This is valid because only the first two bits ++ * actually mean anything in RFC2132 Section 9.3 */ + if (!overl) +- overl = p[1]; ++ overl = 0x80 | p[1]; + break; + } + l = *p++; diff -Nru dhcpcd5-5.5.6/debian/patches/series dhcpcd5-5.5.6/debian/patches/series --- dhcpcd5-5.5.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ dhcpcd5-5.5.6/debian/patches/series 2014-11-14 21:20:39.000000000 +0100 @@ -0,0 +1 @@ +CVE-2014-6060.patch
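Review bot: in the debian/changelog hunk, "Non-maintainer upload by the Security Team." does not match how this update is being routed: the bug is filed against release.debian.org with Usertags: pu, i.e. a stable proposed update through the release team, and the entry is signed by Pierre Schweitzer. If the Security Team is not the one uploading, trim it to "Non-maintainer upload." so the changelog does not imply a DSA. The "backport fix from debian unstable dhcpcd5/6.0.5-2" line is fine, but naming the upstream commit as well (the Origin URL already in the patch header, ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5) would make the provenance checkable from the changelog alone.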
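Review bot: in the dhcp.c hunk, `overl = 0x80 | p[1];` reads the option value without checking the option's length byte: the byte at p is the length (it is consumed as `l = *p++` right after the switch), and RFC 2132 section 9.3 fixes the overload option's length at 1, so a malformed option with length 0 would take the next option's code byte as the overload bitmap and a longer one would be silently truncated to its first byte. Consider guarding the read, e.g. `if (!overl && p[0] == 1)`, and masking to the defined bits, `overl = 0x80 | (p[1] & 3);`, so an unexpected high bit from the server cannot collide with the 0x80 marker. The fix also relies on no other code path ever clearing 0x80; the DHO_END side that clears bits 1 and 2 is not in this hunk, so a named constant for the marker (rather than a bare 0x80) would make that invariant visible where it matters. Finally, the Description header says "set the last bit" while the code sets the high bit of the byte; wording it as "the high bit (0x80)" avoids a bit-7 versus bit-0 reading, and the comment's "first two bits" and the Description's "bits 1 and 2" should use one numbering.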