From patchwork Sat Mar 3 19:43:56 2018
X-Patchwork-Submitter: Baruch Siach
X-Patchwork-Id: 881084
From: Baruch Siach
To: buildroot@busybox.net
Date: Sat, 3 Mar 2018 21:43:56 +0200
Message-Id: <93f778684109325d734bfccd28ffa23485c95cfc.1520106236.git.baruch@tkos.co.il>
Subject: [Buildroot] [PATCH master] dhcp: add upstream security fixes

CVE-2018-5732: The DHCP client incorrectly handled certain malformed responses. A remote attacker could use this issue to cause the DHCP client to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the dhclient AppArmor profile.

CVE-2018-5733: The DHCP server incorrectly handled reference counting. A remote attacker could possibly use this issue to cause the DHCP server to crash, resulting in a denial of service.

Both issues are fixed in version 4.4.1. But we are close to release, so backport the fixes instead of bumping version.

Signed-off-by: Baruch Siach --- ...ect-buffer-overrun-in-pretty_print_option.patch | 59 ++++++++++++++++++++++ ...4-Corrected-refcnt-loss-in-option-parsing.patch | 40 +++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch create mode 100644 package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch diff --git a/package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch b/package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch new file mode 100644 index 000000000000..aad20ff93f90 --- /dev/null +++ b/package/dhcp/0003-Correct-buffer-overrun-in-pretty_print_option.patch 
@@ -0,0 +1,59 @@ +From b8c29336bd5401a5f962bc6ddfa4ebb6f0274f3c Mon Sep 17 00:00:00 2001 +From: Thomas Markwalder +Date: Sat, 10 Feb 2018 12:15:27 -0500 +Subject: [PATCH 1/2] Correct buffer overrun in pretty_print_option + + Merges in rt47139. + +[baruch: drop RELNOTES and test; address CVE-2018-5732] +Signed-off-by: Baruch Siach +--- +Upstream status: backported from commit c5931725b48 +--- + common/options.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/common/options.c b/common/options.c +index 5547287fb6e5..2ed6b16c6412 100644 +--- a/common/options.c ++++ b/common/options.c +@@ -1758,7 +1758,8 @@ format_min_length(format, oc) + + + /* Format the specified option so that a human can easily read it. */ +- ++/* Maximum pretty printed size */ ++#define MAX_OUTPUT_SIZE 32*1024 + const char *pretty_print_option (option, data, len, emit_commas, emit_quotes) + struct option *option; + const unsigned char *data; +@@ -1766,8 +1767,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes) + int emit_commas; + int emit_quotes; + { +- static char optbuf [32768]; /* XXX */ +- static char *endbuf = &optbuf[sizeof(optbuf)]; ++ /* We add 128 byte pad so we don't have to add checks everywhere. */ ++ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */ ++ static char *endbuf = optbuf + MAX_OUTPUT_SIZE; + int hunksize = 0; + int opthunk = 0; + int hunkinc = 0; +@@ -2193,7 +2195,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes) + log_error ("Unexpected format code %c", + fmtbuf [j]); + } ++ + op += strlen (op); ++ if (op >= endbuf) { ++ log_error ("Option data exceeds" ++ " maximum size %d", MAX_OUTPUT_SIZE); ++ return (""); ++ } ++ + if (dp == data + len) + break; + if (j + 1 < numelem && comma != ':') +-- +2.16.1 + 
diff --git a/package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch b/package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch new file mode 100644 index 000000000000..c79bbc7f8219 --- /dev/null +++ b/package/dhcp/0004-Corrected-refcnt-loss-in-option-parsing.patch @@ -0,0 +1,40 @@ +From 93b5b67dd31b9efcbfaabc2df1e1d9d164a5e04a Mon Sep 17 00:00:00 2001 +From: Thomas Markwalder +Date: Fri, 9 Feb 2018 14:46:08 -0500 +Subject: [PATCH 2/2] Corrected refcnt loss in option parsing + + Merges in 47140. + +[baruch: drop RELNOTES and tests; address CVE-2018-5733] +Signed-off-by: Baruch Siach +--- +Upstream status: backported from commit 197b26f25309 +--- + common/options.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/common/options.c b/common/options.c +index 2ed6b16c6412..25b29a6be7bb 100644 +--- a/common/options.c ++++ b/common/options.c +@@ -3,7 +3,7 @@ + DHCP options parsing and reassembly. */ + + /* +- * Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2004-2018 by Internet Systems Consortium, Inc. ("ISC") + * Copyright (c) 1995-2003 by Internet Software Consortium + * + * Permission to use, copy, modify, and distribute this software for any +@@ -177,6 +177,8 @@ int parse_option_buffer (options, buffer, length, universe) + + /* If the length is outrageous, the options are bad. */ + if (offset + len > length) { ++ /* Avoid reference count overflow */ ++ option_dereference(&option, MDL); + reason = "option length exceeds option buffer length"; + bogus: + log_error("parse_option_buffer: malformed option " +-- +2.16.1 +
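Review bot: In 0003, the common/options.c hunk at @@ -1758 defines the limit as an unparenthesized expression, "#define MAX_OUTPUT_SIZE 32*1024". The two uses in this patch (the array size and "optbuf + MAX_OUTPUT_SIZE") evaluate as intended, but a later use next to a division or modulo operator would not; suggest "#define MAX_OUTPUT_SIZE (32*1024)". The macro and its comment also now sit between the "Format the specified option so that a human can easily read it." comment and the function it documents, with the blank line removed, so moving the define above that comment would keep the function's description attached to the function.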
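Review bot: In 0003, the common/options.c hunk at @@ -1766 relies on a bare 128 in "optbuf [MAX_OUTPUT_SIZE + 128]" without saying which write it has to cover. Since the bound test added in the next hunk only runs after the data has been written, the fix is safe only if no single formatted element can extend more than 128 bytes past endbuf. Suggest giving the pad a named constant and stating in the comment the longest single write it is sized for, so a future format code that emits more does not silently reintroduce the overrun. The "/* XXX */" marker carried over onto the new declaration could then be dropped or explained.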
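Review bot: In 0003, the common/options.c hunk at @@ -2193 tests "if (op >= endbuf)" only after "op += strlen (op)", so the check detects an overrun into the pad after the fact rather than preventing the write; that deserves a one-line comment at the check pointing back to the pad in the declaration. The error path also does "return ("")", which a caller cannot tell apart from an option that legitimately prints as an empty string. The log_error call is the only signal, so it would help to document that contract in the function comment.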
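Review bot: In 0004, the common/options.c hunk at @@ -3 only changes the copyright year from 2004-2017 to 2004-2018 and is unrelated to the CVE-2018-5733 fix. The backport note already says RELNOTES and tests were dropped; dropping this hunk as well would keep the package patch down to the functional change and list it in the "[baruch: ...]" line.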
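Review bot: In 0004, the common/options.c hunk at @@ -177 places "option_dereference(&option, MDL);" before the "bogus:" label, so any other path that jumps to that label skips the release. The visible context does not show those paths; please confirm that none of them reaches "bogus:" while still holding a reference on option, or note in the comment why only the "offset + len > length" case needs it. The comment wording "Avoid reference count overflow" also differs from the patch subject, "Corrected refcnt loss in option parsing"; using one term for the defect would make the comment easier to match to the advisory.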