On Thu, 19 May 2011, Adam D. Barratt wrote:
> On Wed, 2011-05-18 at 15:41 +0000, maximilian attems wrote:
> > * [klibc] ipconfig: comment new escape function
> > security fix for CVE-2011-0997 type vulnerability
> > corresponding cve requested but not yet given out.
> > http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
>
> As mentioned on oss-sec, it would be nice if this didn't write to a
> predictable filename. From the stable update point-of-view though, I
> realise that's not a regression relative to the current lenny / squeeze
> versions.
It is not of relevance for current pre-init usage, as you don't have
unprivileged users there, but it will get fixed upstream, by making the
used dir an optional switch.

> > * [klibc] ipconfig: Only peek and discard packets from specified device.
> > This fixes netbooting on boxes with several connected network dev.
> > (the commit is on the largeish size, but got tested together with 1.5.20)
> > http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c
> >
> >
> > concerning oldstable only the first one should be fixed.
> > ipconfig has deeper troubles there.
> >
> > if acked by SRM I'd upload a klibc-1.5.20-2 with just the 2 above fixes
> > for stable and a 1.5.12-3 for oldstable with just the first fix?
>
> It's conventional to use e.g. -1+squeeze1, but afaics the above versions
> have not been previously uploaded to Debian so could be used if you
> wish.

ok cool, used the "conventional" numbering.

> I'd appreciate debdiffs for a final check before the uploads, but the
> above sounds good; thanks.

do you mean the below output of debdiff on the dsc files?
below is for stable, oldstable will follow once this is acked.

thank you

--
maks

diff -Nru klibc-1.5.20/debian/changelog klibc-1.5.20/debian/changelog --- klibc-1.5.20/debian/changelog 2010-08-28 13:07:23.000000000 +0200 +++ klibc-1.5.20/debian/changelog 2011-05-30 17:20:39.000000000 +0200
@@ -1,3 +1,10 @@ +klibc (1.5.20-1+squeeze1) stable; urgency=low + + * ipconfig: handle multiple connected network dev. (closes: #621065) + * ipconfig: Escape DHCP options. (CVE-2011-1930) + + -- maximilian attems <m...@debian.org> Mon, 30 May 2011 17:17:18 +0200 + klibc (1.5.20-1) unstable; urgency=high * New upstream release diff -Nru klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 --- klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 2010-08-28 13:09:43.000000000 +0200 +++ klibc-1.5.20/debian/patches/debian-changes-1.5.20-1 1970-01-01 01:00:00.000000000 +0100 
@@ -1,54 +0,0 @@ -Description: Upstream changes introduced in version 1.5.20-1 - This patch has been created by dpkg-source during the package build. - Here's the last changelog entry, hopefully it gives details on why - those changes were made: - . - klibc (1.5.20-1) unstable; urgency=high - . - * New upstream release - - ipconfig: fix infinite loop. (closes: #552554) - - ipconfig: fix multiple dns domains. (closes: #594208) - * klibc-utils.postinst: Nuke non empty dirs too. (closes: #594651) - . - The person named in the Author field signed this changelog entry. -Author: maximilian attems <m...@debian.org> -Bug-Debian: http://bugs.debian.org/552554 -Bug-Debian: http://bugs.debian.org/594208 -Bug-Debian: http://bugs.debian.org/594651 - ---- -The information above should follow the Patch Tagging Guidelines, please -checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here -are templates for supplementary fields that you might want to add: - -Origin: <vendor|upstream|other>, <url of original patch> -Bug: <url in upstream bugtracker> -Bug-Debian: http://bugs.debian.org/<bugnumber> -Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> -Forwarded: <no|not-needed|url proving that it has been forwarded> -Reviewed-By: <name and email of someone who approved the patch> -Last-Update: <YYYY-MM-DD> - ---- /dev/null -+++ klibc-1.5.20/maketar.sh -@@ -0,0 +1,20 @@ -+#!/bin/bash -xe -+# -+# Make a tarball from the current git repository -+# -+ -+[ -z "$tmpdir" ] && tmpdir=/var/tmp -+ -+tmp=$tmpdir/klibc.$$ -+rm -rf $tmp -+cg-export $tmp -+cd $tmp -+make release -+version=`cat usr/klibc/version` -+rm -rf $tmpdir/klibc-$version -+mv $tmp $tmpdir/klibc-$version -+cd .. 
-+rm -f klibc-$version.tar* -+tar cvvf klibc-$version.tar klibc-$version -+gzip -9 klibc-$version.tar -+rm -rf klibc-$version diff -Nru klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 --- klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 1970-01-01 01:00:00.000000000 +0100 +++ klibc-1.5.20/debian/patches/debian-changes-1.5.20-1+squeeze1 2011-05-30 17:27:42.000000000 +0200 
@@ -0,0 +1,50 @@ +Description: Upstream changes introduced in version 1.5.20-1+squeeze1 + This patch has been created by dpkg-source during the package build. + Here's the last changelog entry, hopefully it gives details on why + those changes were made: + . + klibc (1.5.20-1+squeeze1) stable; urgency=low + . + * ipconfig: handle multiple connected network dev. (closes: #621065) + * ipconfig: Escape DHCP options. (CVE-2011-1930) + . + The person named in the Author field signed this changelog entry. +Author: maximilian attems <m...@debian.org> +Bug-Debian: http://bugs.debian.org/621065 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: <vendor|upstream|other>, <url of original patch> +Bug: <url in upstream bugtracker> +Bug-Debian: http://bugs.debian.org/<bugnumber> +Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> +Forwarded: <no|not-needed|url proving that it has been forwarded> +Reviewed-By: <name and email of someone who approved the patch> +Last-Update: <YYYY-MM-DD> + +--- /dev/null ++++ klibc-1.5.20/maketar.sh +@@ -0,0 +1,20 @@ ++#!/bin/bash -xe ++# ++# Make a tarball from the current git repository ++# ++ ++[ -z "$tmpdir" ] && tmpdir=/var/tmp ++ ++tmp=$tmpdir/klibc.$$ ++rm -rf $tmp ++cg-export $tmp ++cd $tmp ++make release ++version=`cat usr/klibc/version` ++rm -rf $tmpdir/klibc-$version ++mv $tmp $tmpdir/klibc-$version ++cd .. 
++rm -f klibc-$version.tar* ++tar cvvf klibc-$version.tar klibc-$version ++gzip -9 klibc-$version.tar ++rm -rf klibc-$version diff -Nru klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch --- klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch 1970-01-01 01:00:00.000000000 +0100 +++ klibc-1.5.20/debian/patches/ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch 2011-05-30 17:15:37.000000000 +0200 
@@ -0,0 +1,97 @@ +From 46a0f831582629612f0ff9707ad1292887f26bff Mon Sep 17 00:00:00 2001 +From: Ulrich Dangel <u...@spamt.net> +Date: Fri, 15 Apr 2011 18:22:08 +0200 +Subject: [PATCH] [klibc] ipconfig: Escape DHCP options written to + /tmp/net-$DEVCICE.conf + +DHCP options like domain-name or hostname are written to +/tmp/net-$DEVICE.conf which is typically later used by other scripts to +determine the network configuration. This is done by sourcing the +/tmp/net-$DEVICE.conf file to get all defined variables. + +This patch escapes the DHCP options written to /tmp/net-$DEVICE.conf +to prevent arbitrary code execution. + +Signed-off-by: Ulrich Dangel <u...@spamt.net> +Reviewed-by: H. Peter Anvin <h...@zytor.com> +Signed-off-by: maximilian attems <m...@stro.at> +--- + usr/kinit/ipconfig/main.c | 55 +++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 16 deletions(-) + +diff --git a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c +index 76708a9..a577b2d 100644 +--- a/usr/kinit/ipconfig/main.c ++++ b/usr/kinit/ipconfig/main.c +@@ -95,6 +95,25 @@ static void configure_device(struct netdev *dev) + dev->hostname, dev->name); + } + ++static void write_option(FILE* f, const char* name, const char* chr) ++{ ++ ++ fprintf(f, "%s='", name); ++ while (*chr) { ++ switch (*chr) { ++ case '!': ++ case '\'': ++ fprintf(f, "'\\%c'", *chr); ++ break; ++ default: ++ fprintf(f, "%c", *chr); ++ break; ++ } ++ ++chr; ++ } ++ fprintf(f, "'\n"); ++} ++ + static void dump_device_config(struct netdev *dev) + { + char fn[40]; +@@ -103,22 +122,26 @@ static void dump_device_config(struct netdev *dev) + snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name); + f = fopen(fn, "w"); + if (f) { +- fprintf(f, "DEVICE=%s\n", dev->name); +- fprintf(f, "IPV4ADDR=%s\n", my_inet_ntoa(dev->ip_addr)); +- fprintf(f, "IPV4BROADCAST=%s\n", +- my_inet_ntoa(dev->ip_broadcast)); +- fprintf(f, "IPV4NETMASK=%s\n", my_inet_ntoa(dev->ip_netmask)); +- fprintf(f, "IPV4GATEWAY=%s\n", 
my_inet_ntoa(dev->ip_gateway)); +- fprintf(f, "IPV4DNS0=%s\n", +- my_inet_ntoa(dev->ip_nameserver[0])); +- fprintf(f, "IPV4DNS1=%s\n", +- my_inet_ntoa(dev->ip_nameserver[1])); +- fprintf(f, "HOSTNAME=%s\n", dev->hostname); +- fprintf(f, "DNSDOMAIN=\"%s\"\n", dev->dnsdomainname); +- fprintf(f, "NISDOMAIN=%s\n", dev->nisdomainname); +- fprintf(f, "ROOTSERVER=%s\n", my_inet_ntoa(dev->ip_server)); +- fprintf(f, "ROOTPATH=%s\n", dev->bootpath); +- fprintf(f, "filename=\"%s\"\n", dev->filename); ++ write_option(f, "DEVICE", dev->name); ++ write_option(f, "IPV4ADDR", ++ my_inet_ntoa(dev->ip_addr)); ++ write_option(f, "IPV4BROADCAST", ++ my_inet_ntoa(dev->ip_broadcast)); ++ write_option(f, "IPV4NETMASK", ++ my_inet_ntoa(dev->ip_netmask)); ++ write_option(f, "IPV4GATEWAY", ++ my_inet_ntoa(dev->ip_gateway)); ++ write_option(f, "IPV4DNS0", ++ my_inet_ntoa(dev->ip_nameserver[0])); ++ write_option(f, "IPV4DNS1", ++ my_inet_ntoa(dev->ip_nameserver[1])); ++ write_option(f, "HOSTNAME", dev->hostname); ++ write_option(f, "DNSDOMAIN", dev->dnsdomainname); ++ write_option(f, "NISDOMAIN", dev->nisdomainname); ++ write_option(f, "ROOTSERVER", ++ my_inet_ntoa(dev->ip_server)); ++ write_option(f, "ROOTPATH", dev->bootpath); ++ write_option(f, "filename", dev->filename); + fclose(f); + } + } +-- +1.7.4.4 + diff -Nru klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch --- klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch 1970-01-01 01:00:00.000000000 +0100 +++ klibc-1.5.20/debian/patches/ipconfig-Only-peek-and-discard-packets-from-sp.patch 2011-05-30 17:16:25.000000000 +0200 
@@ -0,0 +1,173 @@ +From 92823d1a78a8a6f3e7a7cc36f949ca6379c4e77c Mon Sep 17 00:00:00 2001 +From: Ulrich Dangel <u...@spamt.net> +Date: Mon, 28 Mar 2011 18:59:34 +0200 +Subject: [PATCH] [klibc] ipconfig: Only peek and discard packets from + specified device. + +This patch fixes a bug on systems with multiple connected network devices. +As packet_peek uses all devices to receive data instead of a specific +device. As the return value was never reset it was possible that packets +from other devices were returned by packet_peek. That means that the +ifindex did not match any ifindex of the specified devices the packet was +never removed and packets for the correct device were never processed. + +This patch enhance packet_peek and packet_discard to only work on packages +for the specified device instead of all packets. + +Signed-off-by: Ulrich Dangel <u...@spamt.net> +Signed-off-by: maximilian attems <m...@stro.at> +--- + usr/kinit/ipconfig/bootp_proto.c | 2 +- + usr/kinit/ipconfig/dhcp_proto.c | 2 +- + usr/kinit/ipconfig/main.c | 16 ++++++---------- + usr/kinit/ipconfig/packet.c | 16 +++++++++------- + usr/kinit/ipconfig/packet.h | 6 +++--- + 5 files changed, 20 insertions(+), 22 deletions(-) + +diff --git a/usr/kinit/ipconfig/bootp_proto.c b/usr/kinit/ipconfig/bootp_proto.c +index baf9d3e..f2cc90c 100644 +--- a/usr/kinit/ipconfig/bootp_proto.c ++++ b/usr/kinit/ipconfig/bootp_proto.c +@@ -169,7 +169,7 @@ int bootp_recv_reply(struct netdev *dev) + }; + int ret; + +- ret = packet_recv(iov, 3); ++ ret = packet_recv(dev, iov, 3); + if (ret <= 0) + return ret; + +diff --git a/usr/kinit/ipconfig/dhcp_proto.c b/usr/kinit/ipconfig/dhcp_proto.c +index fc0494d..993db52 100644 +--- a/usr/kinit/ipconfig/dhcp_proto.c ++++ b/usr/kinit/ipconfig/dhcp_proto.c +@@ -147,7 +147,7 @@ static int dhcp_recv(struct netdev *dev) + }; + int ret; + +- ret = packet_recv(iov, 3); ++ ret = packet_recv(dev, iov, 3); + if (ret <= 0) + return ret; + +diff --git a/usr/kinit/ipconfig/main.c 
b/usr/kinit/ipconfig/main.c +index d501bec..1e48083 100644 +--- a/usr/kinit/ipconfig/main.c ++++ b/usr/kinit/ipconfig/main.c +@@ -304,23 +304,19 @@ struct netdev *ifaces; + */ + static int do_pkt_recv(int pkt_fd, time_t now) + { +- int ifindex, ret; ++ int ret = 0; + struct state *s; + +- ret = packet_peek(&ifindex); +- if (ret == 0) +- return ret; +- + for (s = slist; s; s = s->next) { +- if (s->dev->ifindex == ifindex) { ++ ret = packet_peek(s->dev); ++ if (ret) { + ret = process_receive_event(s, now); ++ if (ret == 0) { ++ packet_discard(s->dev); ++ } + break; + } + } +- +- if (ret == 0) +- packet_discard(); +- + return ret; + } + +diff --git a/usr/kinit/ipconfig/packet.c b/usr/kinit/ipconfig/packet.c +index 84267b7..993a2fa 100644 +--- a/usr/kinit/ipconfig/packet.c ++++ b/usr/kinit/ipconfig/packet.c +@@ -167,17 +167,18 @@ int packet_send(struct netdev *dev, struct iovec *iov, int iov_len) + } + + /* +- * Fetches a bootp packet, but doesn't remove it. ++ * Fetches a bootp packet from specified device, but doesn't remove it. + * Returns: + * 0 = Error + * >0 = A packet of size "ret" is available for interface ifindex + */ +-int packet_peek(int *ifindex) ++int packet_peek(struct netdev *dev) + { + struct sockaddr_ll sll; + struct iphdr iph; + int ret, sllen = sizeof(struct sockaddr_ll); + ++ sll.sll_ifindex = dev->ifindex; + /* + * Peek at the IP header. 
+ */ +@@ -192,21 +193,22 @@ int packet_peek(int *ifindex) + if (iph.ihl < 5 || iph.version != IPVERSION) + goto discard_pkt; + +- *ifindex = sll.sll_ifindex; + + return ret; + + discard_pkt: +- packet_discard(); ++ packet_discard(dev); + return 0; + } + +-void packet_discard(void) ++void packet_discard(struct netdev *dev) + { + struct iphdr iph; + struct sockaddr_ll sll; + socklen_t sllen = sizeof(sll); + ++ sll.sll_ifindex = dev->ifindex; ++ + recvfrom(pkt_fd, &iph, sizeof(iph), 0, + (struct sockaddr *)&sll, &sllen); + } +@@ -219,7 +221,7 @@ void packet_discard(void) + * 0 = Discarded packet (non-DHCP/BOOTP traffic) + * >0 = Size of packet + */ +-int packet_recv(struct iovec *iov, int iov_len) ++int packet_recv(struct netdev* dev, struct iovec *iov, int iov_len) + { + struct iphdr *ip, iph; + struct udphdr *udp; +@@ -293,6 +295,6 @@ free_pkt: + + discard_pkt: + dprintf("discarded\n"); +- packet_discard(); ++ packet_discard(dev); + return 0; + } +diff --git a/usr/kinit/ipconfig/packet.h b/usr/kinit/ipconfig/packet.h +index 627d282..524f393 100644 +--- a/usr/kinit/ipconfig/packet.h ++++ b/usr/kinit/ipconfig/packet.h +@@ -6,8 +6,8 @@ struct iovec; + int packet_open(void); + void packet_close(void); + int packet_send(struct netdev *dev, struct iovec *iov, int iov_len); +-int packet_peek(int *ifindex); +-void packet_discard(void); +-int packet_recv(struct iovec *iov, int iov_len); ++int packet_peek(struct netdev *dev); ++void packet_discard(struct netdev *dev); ++int packet_recv(struct netdev *dev, struct iovec *iov, int iov_len); + + #endif /* IPCONFIG_PACKET_H */ +-- +1.7.4.4 + diff -Nru klibc-1.5.20/debian/patches/series klibc-1.5.20/debian/patches/series --- klibc-1.5.20/debian/patches/series 2010-08-28 13:09:43.000000000 +0200 +++ klibc-1.5.20/debian/patches/series 2011-05-30 17:27:42.000000000 +0200 
@@ -1,4 +1,6 @@ ia64-static klibc-linux-libc-dev +ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch +ipconfig-Only-peek-and-discard-packets-from-sp.patch insmod -debian-changes-1.5.20-1 +debian-changes-1.5.20-1+squeeze1
Archive: http://lists.debian.org/20110530153502.ga16...@stro.at
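Review bot: in the `write_option` hunk of ipconfig-Escape-DHCP-options-written-to-tmp-ne.patch the quoting is sound for a POSIX shell that sources the file: every value is wrapped in single quotes and an embedded `'` is emitted as `'\''` (close the quoted string, backslash-escaped quote, reopen), so `$`, backticks, `;` and newlines in a DHCP-supplied hostname or domain name stay literal; `!` gets the same `'\!'` treatment, which sh accepts unchanged and which also defuses history expansion if the file is ever sourced from an interactive bash. Two smaller points: the blank line after the opening brace of `write_option` and the `FILE* f, const char* name, const char* chr` spacing differ from the file's own `struct netdev *dev` style; and, as the thread above already notes, `dump_device_config` still does `snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name); f = fopen(fn, "w");` on a fixed, predictable path, so this hunk closes the injection into sourced variables but leaves the file location for the upstream change mentioned in the reply.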
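Review bot: in the `packet_peek` and `packet_discard` hunks of ipconfig-Only-peek-and-discard-packets-from-sp.patch, assigning `sll.sll_ifindex = dev->ifindex;` before the `recvfrom(pkt_fd, &iph, sizeof(iph), 0, (struct sockaddr *)&sll, &sllen);` call does not restrict which packet is read: `recvfrom()` treats its address argument purely as output and overwrites `sll` with the sender's `sockaddr_ll`, so unless the socket is bound to one interface (nothing in these hunks binds it), `packet_peek(dev)` still sees the next queued packet from any device and `packet_discard(dev)` removes it whatever its origin. The new comment `Fetches a bootp packet from specified device` therefore promises more than the code does. The interface check that the removed `*ifindex = sll.sll_ifindex;` line used to enable belongs after the peek, e.g. `if (sll.sll_ifindex != dev->ifindex) return 0;` before the `return ret;`, so a packet for another interface is neither reported for `dev` nor silently dropped by the `discard_pkt` path.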
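Review bot: in the `do_pkt_recv` hunk of ipconfig-Only-peek-and-discard-packets-from-sp.patch the restructured loop drops the old unconditional `if (ret == 0) packet_discard();` after the loop, so a queued packet that `packet_peek` rejects for every `struct state` in `slist` is never removed; the commit message describes exactly this stall ("the packet was never removed and packets for the correct device were never processed") as the bug being fixed, and the fix only avoids it if `packet_peek` itself discards non-matching packets, which the `packet.c` hunks do not show it doing. A fallback `packet_discard()` when the loop finishes with no match, or a comment stating where such packets are consumed, would make the invariant explicit.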