Your message dated Mon, 11 Feb 2013 21:46:12 -0500
with message-id
<CANTw=MMjTp5fvysO3tNTKssq4o9+Hq=mmQeKDiGWYv=mi0c...@mail.gmail.com>
and subject line Re: [pkg-dhcp-devel] Bug#698597: Bug#698597: isc-dhcp:
CVE-2012-1667 patch (for Wheezy)
has caused the Debian Bug report #698597,
regarding isc-dhcp: CVE-2012-1667 patch (for Wheezy)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
698597: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698597
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: isc-dhcp
Version: 4.2.2.dfsg.1-5+deb70u2
Tags: security, patch
Hi,
This package has a security issue according to security-tracker.
https://security-tracker.debian.org/tracker/CVE-2012-1667
I've made a patch for it (also for sid), taken from bind9 package
(and just built in pbuilder). Please check it and apply if it would
be necessary. If not, please close this bug for tracking issue.
Thanks.
--
Regards,
Hideki Yamane henrich @ debian.or.jp/org
http://wiki.debian.org/HidekiYamane
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/changelog isc-dhcp-4.2.2.dfsg.1/debian/changelog
--- isc-dhcp-4.2.2.dfsg.1/debian/changelog 2012-10-15 07:04:44.000000000 +0900
+++ isc-dhcp-4.2.2.dfsg.1/debian/changelog 2013-01-21 05:42:58.000000000 +0900
@@ -1,3 +1,12 @@
+isc-dhcp (4.2.2.dfsg.1-5+deb70u2.1) testing-proposed-updates; urgency=high
+
+ * Non-maintainer upload.
+ * debian/patches
+ - CVE-2012-1667_from_bind9.patch: fix CVE-2012-1667
+ - apply_fix_CVE-2012-1667.patch: apply above patch
+
+ -- Hideki Yamane <henr...@debian.org> Mon, 21 Jan 2013 05:16:21 +0900
+
isc-dhcp (4.2.2.dfsg.1-5+deb70u2) testing-proposed-updates; urgency=high
* Non-maintainer upload by the Security Team.
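Review bot: The new 4.2.2.dfsg.1-5+deb70u2.1 entry has no "Closes: #698597" on either patch line, so an upload of this version would not be tied to the bug report it answers. Suggest appending "(Closes: #698597)" to the CVE-2012-1667_from_bind9.patch line and saying in one phrase what the fix changes, since "fix CVE-2012-1667" alone tells a later reader nothing about the rdata handling involved.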
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-1667_from_bind9.patch isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-1667_from_bind9.patch
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-1667_from_bind9.patch 1970-01-01 09:00:00.000000000 +0900
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/CVE-2012-1667_from_bind9.patch 2013-01-21 05:39:57.000000000 +0900
@@ -0,0 +1,67 @@
+diff -urN bind-9.8.3/lib/dns/rdata.c bind-9.8.3.patched/lib/dns/rdata.c
+--- bind-9.8.3/lib/dns/rdata.c 2012-05-10 07:43:18.000000000 +0900
++++ bind-9.8.3.patched/lib/dns/rdata.c 2013-01-21 05:05:36.340751553 +0900
+@@ -329,8 +329,8 @@
+
+ REQUIRE(rdata1 != NULL);
+ REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+@@ -360,8 +360,8 @@
+
+ REQUIRE(rdata1 != NULL);
+ REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+diff -urN bind-9.8.3/lib/dns/rdataslab.c bind-9.8.3.patched/lib/dns/rdataslab.c
+--- bind-9.8.3/lib/dns/rdataslab.c 2012-05-10 07:43:18.000000000 +0900
++++ bind-9.8.3.patched/lib/dns/rdataslab.c 2013-01-21 05:05:36.340751553 +0900
+@@ -126,6 +126,11 @@
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ isc_region_t *region, unsigned int reservelen)
+ {
++ /*
++ * Use &removed as a sentinal pointer for duplicate
++ * rdata as rdata.data == NULL is valid.
++ */
++ static unsigned char removed;
+ struct xrdata *x;
+ unsigned char *rawbuf;
+ #if DNS_RDATASET_FIXED
+@@ -169,6 +174,7 @@
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdata_init(&x[i].rdata);
+ dns_rdataset_current(rdataset, &x[i].rdata);
++ INSIST(x[i].rdata.data != &removed);
+ #if DNS_RDATASET_FIXED
+ x[i].order = i;
+ #endif
+@@ -201,8 +207,7 @@
+ */
+ for (i = 1; i < nalloc; i++) {
+ if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+- x[i-1].rdata.data = NULL;
+- x[i-1].rdata.length = 0;
++ x[i-1].rdata.data = &removed;
+ #if DNS_RDATASET_FIXED
+ /*
+ * Preserve the least order so A, B, A -> A, B
+@@ -292,7 +297,7 @@
+ #endif
+
+ for (i = 0; i < nalloc; i++) {
+- if (x[i].rdata.data == NULL)
++ if (x[i].rdata.data == &removed)
+ continue;
+ #if DNS_RDATASET_FIXED
+ offsettable[x[i].order] = rawbuf - offsetbase;
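Review bot: In the rdataslab.c hunk at -201,8 a duplicate entry now gets `data = &removed` but keeps its original `length`, where the old code also set the length to 0. The only skip visible here is the `data == &removed` test in the loop at -292,7, so please confirm that nothing between those two points reads `x[i].rdata.length` for a removed entry (a buffer-size computation, for instance) without checking the sentinel first. Two smaller points: "sentinal" in the new comment should be "sentinel", and this file starts directly at `diff -urN` with no Description/Origin header of its own, so its provenance is recorded only in the separate hook patch.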
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/apply_fix_CVE-2012-1667.patch isc-dhcp-4.2.2.dfsg.1/debian/patches/apply_fix_CVE-2012-1667.patch
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/apply_fix_CVE-2012-1667.patch 1970-01-01 09:00:00.000000000 +0900
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/apply_fix_CVE-2012-1667.patch 2013-01-21 05:39:57.000000000 +0900
@@ -0,0 +1,23 @@
+Description: apply fix for CVE-2012-1667
+
+ taken patch from bind9 package (1:9.7.3.dfsg-1~squeeze5).
+ The patch itself cannot be applied to upstream source since it is archived
+ and extract during build. This patch just hooks it.
+
+---
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2012-01-21
+
+Index: isc-dhcp-4.2.4/bind/Makefile
+===================================================================
+--- isc-dhcp-4.2.4.orig/bind/Makefile 2013-01-21 05:12:28.000000000 +0900
++++ isc-dhcp-4.2.4/bind/Makefile 2013-01-21 05:37:04.172423320 +0900
+@@ -34,6 +34,7 @@
+ echo ${bindsrcdir} already unpacked... ; \
+ else \
+ gunzip -c bind.tar.gz | tar xf - ; \
++ cd ${bindsrcdir} && patch -p1 $(CUDRIR)/debian/patches/CVE-2012-1667_from_bind9.patch ; \
+ fi
+
+ @if test -z "${GMAKE}"; then \
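Review bot: The added recipe line `patch -p1 $(CUDRIR)/debian/patches/CVE-2012-1667_from_bind9.patch` has no `<` redirect, so patch gets the path as a file operand instead of reading it as the patch on stdin, and `$(CUDRIR)` looks like a typo for `$(CURDIR)`; an undefined make variable expands to an empty string. As written the fix may never reach the unpacked bind tree, so the package could build and still ship the unpatched rdata.c and rdataslab.c. Suggest `patch -p1 < <path to the patch>`, and since this runs from bind/Makefile after `cd ${bindsrcdir}`, check that the chosen variable really resolves to the package's top-level debian/patches directory; a build-log check that both files were patched would confirm it.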
diff -Nru isc-dhcp-4.2.2.dfsg.1/debian/patches/series isc-dhcp-4.2.2.dfsg.1/debian/patches/series
--- isc-dhcp-4.2.2.dfsg.1/debian/patches/series 2012-09-18 06:48:31.000000000 +0900
+++ isc-dhcp-4.2.2.dfsg.1/debian/patches/series 2013-01-21 05:40:22.000000000 +0900
@@ -8,3 +8,4 @@
cve-2012-3571.patch
cve-2012-3954.patch
cve-2012-3955.patch
+apply_fix_CVE-2012-1667.patch
diff -Nru isc-dhcp-4.2.4/debian/changelog isc-dhcp-4.2.4/debian/changelog
--- isc-dhcp-4.2.4/debian/changelog 2012-12-14 12:41:25.000000000 +0900
+++ isc-dhcp-4.2.4/debian/changelog 2013-01-21 05:16:23.000000000 +0900
@@ -1,3 +1,12 @@
+isc-dhcp (4.2.4-4.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * debian/patches
+ - CVE-2012-1667_from_bind9.patch: fix CVE-2012-1667
+ - apply_fix_CVE-2012-1667.patch: apply above patch
+
+ -- Hideki Yamane <henr...@debian.org> Mon, 21 Jan 2013 05:16:21 +0900
+
isc-dhcp (4.2.4-4) unstable; urgency=medium
* Run exit hooks when "dhclient -1" fails (closes: #486520).
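Review bot: The 4.2.4-4.1 entry is marked `urgency=low` although it carries the same CVE-2012-1667 fix that the testing-proposed-updates entry uploads with `urgency=high`; if the fix is needed at all, the unstable upload should not be the slower of the two. As with the other changelog, neither patch line carries "Closes: #698597".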
diff -Nru isc-dhcp-4.2.4/debian/patches/CVE-2012-1667_from_bind9.patch isc-dhcp-4.2.4/debian/patches/CVE-2012-1667_from_bind9.patch
--- isc-dhcp-4.2.4/debian/patches/CVE-2012-1667_from_bind9.patch 1970-01-01 09:00:00.000000000 +0900
+++ isc-dhcp-4.2.4/debian/patches/CVE-2012-1667_from_bind9.patch 2013-01-21 05:06:38.000000000 +0900
@@ -0,0 +1,67 @@
+diff -urN bind-9.8.3/lib/dns/rdata.c bind-9.8.3.patched/lib/dns/rdata.c
+--- bind-9.8.3/lib/dns/rdata.c 2012-05-10 07:43:18.000000000 +0900
++++ bind-9.8.3.patched/lib/dns/rdata.c 2013-01-21 05:05:36.340751553 +0900
+@@ -329,8 +329,8 @@
+
+ REQUIRE(rdata1 != NULL);
+ REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+@@ -360,8 +360,8 @@
+
+ REQUIRE(rdata1 != NULL);
+ REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+diff -urN bind-9.8.3/lib/dns/rdataslab.c bind-9.8.3.patched/lib/dns/rdataslab.c
+--- bind-9.8.3/lib/dns/rdataslab.c 2012-05-10 07:43:18.000000000 +0900
++++ bind-9.8.3.patched/lib/dns/rdataslab.c 2013-01-21 05:05:36.340751553 +0900
+@@ -126,6 +126,11 @@
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ isc_region_t *region, unsigned int reservelen)
+ {
++ /*
++ * Use &removed as a sentinal pointer for duplicate
++ * rdata as rdata.data == NULL is valid.
++ */
++ static unsigned char removed;
+ struct xrdata *x;
+ unsigned char *rawbuf;
+ #if DNS_RDATASET_FIXED
+@@ -169,6 +174,7 @@
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdata_init(&x[i].rdata);
+ dns_rdataset_current(rdataset, &x[i].rdata);
++ INSIST(x[i].rdata.data != &removed);
+ #if DNS_RDATASET_FIXED
+ x[i].order = i;
+ #endif
+@@ -201,8 +207,7 @@
+ */
+ for (i = 1; i < nalloc; i++) {
+ if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+- x[i-1].rdata.data = NULL;
+- x[i-1].rdata.length = 0;
++ x[i-1].rdata.data = &removed;
+ #if DNS_RDATASET_FIXED
+ /*
+ * Preserve the least order so A, B, A -> A, B
+@@ -292,7 +297,7 @@
+ #endif
+
+ for (i = 0; i < nalloc; i++) {
+- if (x[i].rdata.data == NULL)
++ if (x[i].rdata.data == &removed)
+ continue;
+ #if DNS_RDATASET_FIXED
+ offsettable[x[i].order] = rawbuf - offsetbase;
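Review bot: This file is the same patch that is added to the 4.2.2.dfsg.1 package, hunk offsets included, and both copies are diffed against bind-9.8.3, while the hook patch's description says it was taken from bind9 1:9.7.3.dfsg-1~squeeze5. Please state which bind release each isc-dhcp tarball actually embeds and confirm the hunks at -329, -360, -126, -169, -201 and -292 apply to both without fuzz or offset; a patch that applies with fuzz in rdataslab.c could put the `&removed` check or the INSIST at the wrong place.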
diff -Nru isc-dhcp-4.2.4/debian/patches/apply_fix_CVE-2012-1667.patch isc-dhcp-4.2.4/debian/patches/apply_fix_CVE-2012-1667.patch
--- isc-dhcp-4.2.4/debian/patches/apply_fix_CVE-2012-1667.patch 1970-01-01 09:00:00.000000000 +0900
+++ isc-dhcp-4.2.4/debian/patches/apply_fix_CVE-2012-1667.patch 2013-01-21 05:37:06.000000000 +0900
@@ -0,0 +1,23 @@
+Description: apply fix for CVE-2012-1667
+
+ taken patch from bind9 package (1:9.7.3.dfsg-1~squeeze5).
+ The patch itself cannot be applied to upstream source since it is archived
+ and extract during build. This patch just hooks it.
+
+---
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2012-01-21
+
+Index: isc-dhcp-4.2.4/bind/Makefile
+===================================================================
+--- isc-dhcp-4.2.4.orig/bind/Makefile 2013-01-21 05:12:28.000000000 +0900
++++ isc-dhcp-4.2.4/bind/Makefile 2013-01-21 05:37:04.172423320 +0900
+@@ -34,6 +34,7 @@
+ echo ${bindsrcdir} already unpacked... ; \
+ else \
+ gunzip -c bind.tar.gz | tar xf - ; \
++ cd ${bindsrcdir} && patch -p1 $(CUDRIR)/debian/patches/CVE-2012-1667_from_bind9.patch ; \
+ fi
+
+ @if test -z "${GMAKE}"; then \
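Review bot: `Last-Update: 2012-01-21` in the header predates the 2013-01-21 timestamps on every file in this same patch, so the year looks wrong. The added recipe line also has the same form as in the 4.2.2.dfsg.1 copy, with no `<` before the patch file and `$(CUDRIR)` where `$(CURDIR)` was presumably meant, and needs the same correction here. The description could also say "extracted during build" and name the exact bind9 upload the fix came from in an Origin or Bug-Debian field rather than only in free text.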
diff -Nru isc-dhcp-4.2.4/debian/patches/series isc-dhcp-4.2.4/debian/patches/series
--- isc-dhcp-4.2.4/debian/patches/series 2012-12-14 12:43:33.000000000 +0900
+++ isc-dhcp-4.2.4/debian/patches/series 2013-01-21 05:12:28.000000000 +0900
@@ -6,3 +6,4 @@
cve-2012-3954.patch
cve-2012-3955.patch
dhclient-exit-hook.patch
+apply_fix_CVE-2012-1667.patch
--- End Message ---
--- Begin Message ---
On Sat, Feb 2, 2013 at 5:57 PM, Michael Gilbert wrote:
> So, the issue with the bind embed is that even though the entire thing
> is built, only a very small part is actually used by dhcp. I don't
> really have the time to look into whether the vulnerable bind code for
> this CVE is traversed or not. Someone needs to do that.
I did some research. This issue doesn't affect dhcp, it only affects
bind's named.
Best wishes,
Mike
--- End Message ---