Your message dated Mon, 11 Feb 2013 21:46:12 -0500
with message-id 
<CANTw=MMjTp5fvysO3tNTKssq4o9+Hq=mmQeKDiGWYv=mi0c...@mail.gmail.com>
and subject line Re: [pkg-dhcp-devel] Bug#698597: Bug#698597: isc-dhcp: 
CVE-2012-1667 patch (for Wheezy)
has caused the Debian Bug report #698597,
regarding isc-dhcp: CVE-2012-1667 patch (for Wheezy)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
698597: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698597
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: isc-dhcp
Version: 4.2.2.dfsg.1-5+deb70u2
Tags: security, patch

Hi,

 This package has a security issue according to security-tracker.
 https://security-tracker.debian.org/tracker/CVE-2012-1667
 
 I've made a patch for it (also for sid), taken from the bind9 package 
 (and just built in pbuilder). Please check it and apply it if
 necessary. If not, please close this bug for tracking issue.

 Thanks.

-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/changelog isc-dhcp-4.2.2.dfsg.1/debian/changelog
--- isc-dhcp-4.2.2.dfsg.1/debian/changelog	2012-10-15 07:04:44.000000000 +0900
+++ isc-dhcp-4.2.2.dfsg.1/debian/changelog	2013-01-21 05:42:58.000000000 +0900
@@ -1,3 +1,12 @@
+isc-dhcp (4.2.2.dfsg.1-5+deb70u2.1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload.
+  * debian/patches
+    - CVE-2012-1667_from_bind9.patch: fix CVE-2012-1667
+    - apply_fix_CVE-2012-1667.patch: apply above patch
+
+ -- Hideki Yamane <henr...@debian.org>  Mon, 21 Jan 2013 05:16:21 +0900
+
 isc-dhcp (4.2.2.dfsg.1-5+deb70u2) testing-proposed-updates; urgency=high
 
   * Non-maintainer upload by the Security Team.
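Review bot: The new changelog entry at the top of this hunk names the two patch files but neither references the bug report nor says what the fix changes. Add "Closes: #698597" and a one-line summary (the patch relaxes the rdata NULL-data checks for zero-length rdata in the embedded bind) so the upload closes the report and the entry can be read without opening the patches.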
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-1667_from_bind9.patch isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-1667_from_bind9.patch
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-1667_from_bind9.patch	1970-01-01 09:00:00.000000000 +0900
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-1667_from_bind9.patch	2013-01-21 05:39:57.000000000 +0900
@@ -0,0 +1,67 @@
+diff -urN bind-9.8.3/lib/dns/rdata.c bind-9.8.3.patched/lib/dns/rdata.c
+--- bind-9.8.3/lib/dns/rdata.c	2012-05-10 07:43:18.000000000 +0900
++++ bind-9.8.3.patched/lib/dns/rdata.c	2013-01-21 05:05:36.340751553 +0900
+@@ -329,8 +329,8 @@
+ 
+ 	REQUIRE(rdata1 != NULL);
+ 	REQUIRE(rdata2 != NULL);
+-	REQUIRE(rdata1->data != NULL);
+-	REQUIRE(rdata2->data != NULL);
++	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+ 
+@@ -360,8 +360,8 @@
+ 
+ 	REQUIRE(rdata1 != NULL);
+ 	REQUIRE(rdata2 != NULL);
+-	REQUIRE(rdata1->data != NULL);
+-	REQUIRE(rdata2->data != NULL);
++	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+ 
+diff -urN bind-9.8.3/lib/dns/rdataslab.c bind-9.8.3.patched/lib/dns/rdataslab.c
+--- bind-9.8.3/lib/dns/rdataslab.c	2012-05-10 07:43:18.000000000 +0900
++++ bind-9.8.3.patched/lib/dns/rdataslab.c	2013-01-21 05:05:36.340751553 +0900
+@@ -126,6 +126,11 @@
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 			   isc_region_t *region, unsigned int reservelen)
+ {
++	/*
++	 * Use &removed as a sentinal pointer for duplicate
++	 * rdata as rdata.data == NULL is valid.
++	 */
++	static unsigned char removed;
+ 	struct xrdata  *x;
+ 	unsigned char  *rawbuf;
+ #if DNS_RDATASET_FIXED
+@@ -169,6 +174,7 @@
+ 		INSIST(result == ISC_R_SUCCESS);
+ 		dns_rdata_init(&x[i].rdata);
+ 		dns_rdataset_current(rdataset, &x[i].rdata);
++		INSIST(x[i].rdata.data != &removed);
+ #if DNS_RDATASET_FIXED
+ 		x[i].order = i;
+ #endif
+@@ -201,8 +207,7 @@
+ 	 */
+ 	for (i = 1; i < nalloc; i++) {
+ 		if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+-			x[i-1].rdata.data = NULL;
+-			x[i-1].rdata.length = 0;
++			x[i-1].rdata.data = &removed;
+ #if DNS_RDATASET_FIXED
+ 			/*
+ 			 * Preserve the least order so A, B, A -> A, B
+@@ -292,7 +297,7 @@
+ #endif
+ 
+ 	for (i = 0; i < nalloc; i++) {
+-		if (x[i].rdata.data == NULL)
++		if (x[i].rdata.data == &removed)
+ 			continue;
+ #if DNS_RDATASET_FIXED
+ 		offsettable[x[i].order] = rawbuf - offsetbase;
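Review bot: In the rdataslab.c hunk at "@@ -201,8 +207,7 @@", a duplicate entry is now marked only with "x[i-1].rdata.data = &removed" and its length is no longer set to 0, so every later use of x[] in dns_rdataslab_fromrdataset() has to skip "&removed" entries before it looks at rdata.length. The hunks shown convert a single "== NULL" test (at "@@ -292,7 +297,7 @@"); please confirm that no other test for NULL data on x[] remains in the function, with DNS_RDATASET_FIXED both on and off. Minor: "sentinal" in the added comment should read "sentinel".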
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/apply_fix_CVE-2012-1667.patch isc-dhcp-4.2.2.dfsg.1/debian/patches/apply_fix_CVE-2012-1667.patch
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/apply_fix_CVE-2012-1667.patch	1970-01-01 09:00:00.000000000 +0900
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/apply_fix_CVE-2012-1667.patch	2013-01-21 05:39:57.000000000 +0900
@@ -0,0 +1,23 @@
+Description: apply fix for CVE-2012-1667
+
+ taken patch from bind9 package (1:9.7.3.dfsg-1~squeeze5).
+ The patch itself cannot be applied to upstream source since it is archived
+ and extract during build. This patch just hooks it.
+
+---
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2012-01-21
+
+Index: isc-dhcp-4.2.4/bind/Makefile
+===================================================================
+--- isc-dhcp-4.2.4.orig/bind/Makefile	2013-01-21 05:12:28.000000000 +0900
++++ isc-dhcp-4.2.4/bind/Makefile	2013-01-21 05:37:04.172423320 +0900
+@@ -34,6 +34,7 @@
+ 		echo ${bindsrcdir} already unpacked... ;    \
+ 	else                                                \
+ 		gunzip -c bind.tar.gz | tar xf - ;          \
++		cd ${bindsrcdir} && patch -p1 $(CUDRIR)/debian/patches/CVE-2012-1667_from_bind9.patch ; \
+ 	fi
+ 
+ 	@if test -z "${GMAKE}"; then                        \
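Review bot: The added recipe line "patch -p1 $(CUDRIR)/debian/patches/CVE-2012-1667_from_bind9.patch" does not feed the patch to patch(1): the file is passed as a positional operand, which patch treats as the file to be patched, and the diff itself is still expected on standard input. "$(CUDRIR)" also looks like a misspelling of "$(CURDIR)"; an undefined make variable expands to nothing, so the path becomes "/debian/patches/...". Use "patch -p1 < <path>" or "patch -p1 -i <path>" with the corrected variable, check what $(CURDIR) resolves to when bind/Makefile is run from a sub-make (it may be the bind/ directory rather than the package root), and confirm in the build log that rdata.c and rdataslab.c were actually patched, since a build that completes does not show that. The "Index:" line names isc-dhcp-4.2.4 although this copy is for the 4.2.2.dfsg.1 tree; that is harmless with -p1, but the context should be checked against that tree's bind/Makefile.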
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/series isc-dhcp-4.2.2.dfsg.1/debian/patches/series
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/series	2012-09-18 06:48:31.000000000 +0900
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/series	2013-01-21 05:40:22.000000000 +0900
@@ -8,3 +8,4 @@
 cve-2012-3571.patch
 cve-2012-3954.patch
 cve-2012-3955.patch
+apply_fix_CVE-2012-1667.patch
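Review bot: Only apply_fix_CVE-2012-1667.patch is added to series here, so CVE-2012-1667_from_bind9.patch sits in debian/patches without being applied by quilt. That is intended by the hook, but it is easy to misread later; either move the bind diff out of debian/patches or add a comment line in series saying it is applied from bind/Makefile at build time.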
diff -Nru isc-dhcp-4.2.4/debian/changelog isc-dhcp-4.2.4/debian/changelog
--- isc-dhcp-4.2.4/debian/changelog	2012-12-14 12:41:25.000000000 +0900
+++ isc-dhcp-4.2.4/debian/changelog	2013-01-21 05:16:23.000000000 +0900
@@ -1,3 +1,12 @@
+isc-dhcp (4.2.4-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * debian/patches
+    - CVE-2012-1667_from_bind9.patch: fix CVE-2012-1667
+    - apply_fix_CVE-2012-1667.patch: apply above patch
+
+ -- Hideki Yamane <henr...@debian.org>  Mon, 21 Jan 2013 05:16:21 +0900
+
 isc-dhcp (4.2.4-4) unstable; urgency=medium
 
   * Run exit hooks when "dhclient -1" fails (closes: #486520).
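Review bot: The new entry is uploaded with "urgency=low" while the same change for testing-proposed-updates uses "urgency=high". For a CVE fix the two should agree, and the entry should reference the bug with "Closes: #698597".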
diff -Nru isc-dhcp-4.2.4/debian/patches/CVE-2012-1667_from_bind9.patch isc-dhcp-4.2.4/debian/patches/CVE-2012-1667_from_bind9.patch
--- isc-dhcp-4.2.4/debian/patches/CVE-2012-1667_from_bind9.patch	1970-01-01 09:00:00.000000000 +0900
+++ isc-dhcp-4.2.4/debian/patches/CVE-2012-1667_from_bind9.patch	2013-01-21 05:06:38.000000000 +0900
@@ -0,0 +1,67 @@
+diff -urN bind-9.8.3/lib/dns/rdata.c bind-9.8.3.patched/lib/dns/rdata.c
+--- bind-9.8.3/lib/dns/rdata.c	2012-05-10 07:43:18.000000000 +0900
++++ bind-9.8.3.patched/lib/dns/rdata.c	2013-01-21 05:05:36.340751553 +0900
+@@ -329,8 +329,8 @@
+ 
+ 	REQUIRE(rdata1 != NULL);
+ 	REQUIRE(rdata2 != NULL);
+-	REQUIRE(rdata1->data != NULL);
+-	REQUIRE(rdata2->data != NULL);
++	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+ 
+@@ -360,8 +360,8 @@
+ 
+ 	REQUIRE(rdata1 != NULL);
+ 	REQUIRE(rdata2 != NULL);
+-	REQUIRE(rdata1->data != NULL);
+-	REQUIRE(rdata2->data != NULL);
++	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+ 
+diff -urN bind-9.8.3/lib/dns/rdataslab.c bind-9.8.3.patched/lib/dns/rdataslab.c
+--- bind-9.8.3/lib/dns/rdataslab.c	2012-05-10 07:43:18.000000000 +0900
++++ bind-9.8.3.patched/lib/dns/rdataslab.c	2013-01-21 05:05:36.340751553 +0900
+@@ -126,6 +126,11 @@
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ 			   isc_region_t *region, unsigned int reservelen)
+ {
++	/*
++	 * Use &removed as a sentinal pointer for duplicate
++	 * rdata as rdata.data == NULL is valid.
++	 */
++	static unsigned char removed;
+ 	struct xrdata  *x;
+ 	unsigned char  *rawbuf;
+ #if DNS_RDATASET_FIXED
+@@ -169,6 +174,7 @@
+ 		INSIST(result == ISC_R_SUCCESS);
+ 		dns_rdata_init(&x[i].rdata);
+ 		dns_rdataset_current(rdataset, &x[i].rdata);
++		INSIST(x[i].rdata.data != &removed);
+ #if DNS_RDATASET_FIXED
+ 		x[i].order = i;
+ #endif
+@@ -201,8 +207,7 @@
+ 	 */
+ 	for (i = 1; i < nalloc; i++) {
+ 		if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+-			x[i-1].rdata.data = NULL;
+-			x[i-1].rdata.length = 0;
++			x[i-1].rdata.data = &removed;
+ #if DNS_RDATASET_FIXED
+ 			/*
+ 			 * Preserve the least order so A, B, A -> A, B
+@@ -292,7 +297,7 @@
+ #endif
+ 
+ 	for (i = 0; i < nalloc; i++) {
+-		if (x[i].rdata.data == NULL)
++		if (x[i].rdata.data == &removed)
+ 			continue;
+ #if DNS_RDATASET_FIXED
+ 		offsettable[x[i].order] = rawbuf - offsetbase;
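Review bot: In the two rdata.c hunks ("@@ -329,8 +329,8 @@" and "@@ -360,8 +360,8 @@") the precondition becomes "length == 0 || data != NULL", so both functions now accept a NULL data pointer. Their bodies lie outside the context shown and need checking that they never dereference or compare through data without looking at length first. The file also carries no header stating its origin: the diff headers name bind-9.8.3, while the hook patch's description says it was taken from bind9 1:9.7.3.dfsg-1~squeeze5. Add a short header naming the upstream change it corresponds to and the bind version embedded in this isc-dhcp tree.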
diff -Nru isc-dhcp-4.2.4/debian/patches/apply_fix_CVE-2012-1667.patch isc-dhcp-4.2.4/debian/patches/apply_fix_CVE-2012-1667.patch
--- isc-dhcp-4.2.4/debian/patches/apply_fix_CVE-2012-1667.patch	1970-01-01 09:00:00.000000000 +0900
+++ isc-dhcp-4.2.4/debian/patches/apply_fix_CVE-2012-1667.patch	2013-01-21 05:37:06.000000000 +0900
@@ -0,0 +1,23 @@
+Description: apply fix for CVE-2012-1667
+
+ taken patch from bind9 package (1:9.7.3.dfsg-1~squeeze5).
+ The patch itself cannot be applied to upstream source since it is archived
+ and extract during build. This patch just hooks it.
+
+---
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2012-01-21
+
+Index: isc-dhcp-4.2.4/bind/Makefile
+===================================================================
+--- isc-dhcp-4.2.4.orig/bind/Makefile	2013-01-21 05:12:28.000000000 +0900
++++ isc-dhcp-4.2.4/bind/Makefile	2013-01-21 05:37:04.172423320 +0900
+@@ -34,6 +34,7 @@
+ 		echo ${bindsrcdir} already unpacked... ;    \
+ 	else                                                \
+ 		gunzip -c bind.tar.gz | tar xf - ;          \
++		cd ${bindsrcdir} && patch -p1 $(CUDRIR)/debian/patches/CVE-2012-1667_from_bind9.patch ; \
+ 	fi
+ 
+ 	@if test -z "${GMAKE}"; then                        \
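Review bot: The header gives "Last-Update: 2012-01-21" while every timestamp in this diff is 2013-01-21, so the year looks wrong; the description would also read better as "it is shipped as an archive and extracted during the build". In the Makefile hunk, the added "patch -p1 $(CUDRIR)/..." line needs the variable name corrected and the patch file supplied with "<" or "-i", otherwise patch(1) takes the path as the file to be patched.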
diff -Nru isc-dhcp-4.2.4/debian/patches/series isc-dhcp-4.2.4/debian/patches/series
--- isc-dhcp-4.2.4/debian/patches/series	2012-12-14 12:43:33.000000000 +0900
+++ isc-dhcp-4.2.4/debian/patches/series	2013-01-21 05:12:28.000000000 +0900
@@ -6,3 +6,4 @@
 cve-2012-3954.patch
 cve-2012-3955.patch
 dhclient-exit-hook.patch
+apply_fix_CVE-2012-1667.patch

--- End Message ---
--- Begin Message ---
On Sat, Feb 2, 2013 at 5:57 PM, Michael Gilbert wrote:
> So, the issue with the bind embed is that even though the entire thing
> is built, only a very small part is actually used by dhcp.  I don't
> really have the time to look into whether the vulnerable bind code for
> this CVE is traversed or not.  Someone needs to do that.

I did some research.  This issue doesn't affect dhcp, it only affects
bind's named.

Best wishes,
Mike

--- End Message ---