Bug#: 275231
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Filename                         Type        Creator          Created                Size
dhcp-3.1.1-CVE-2009-0692.patch   patch       Robert Buchholz  2009-06-26 11:34 0000  494 bytes
dhcp-3.1.1-r1.ebuild             patch       Robert Buchholz  2009-06-26 11:35 0000  7.40 KB
dhcp-3.1.2-CVE-2009-0692.patch   patch       Tony Vroon       2009-07-13 12:34 0000  598 bytes
dhcp-3.1.2-r1.ebuild             text/plain  Tony Vroon       2009-07-13 12:36 0000  7.44 KB
dhcp-3.1.2-CVE-2009-1892.patch   patch       Tony Vroon       2009-07-13 13:28 0000  427 bytes
dhcp-3.1.2-r1.ebuild             text/plain  Tony Vroon       2009-07-13 13:31 0000  7.54 KB

Description:   Opened: 2009-06-23 23:49 0000
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

ISC dhclient has a stack overflow vulnerability which makes it
theoretically possible for a rogue DHCP server to execute arbitrary
commands as root on the affected system through stack return
subversion.

...
Fix:
        Upgrade to 4.1.0p1, 4.0.1p1, or 3.1.2p1

        There are no fixes planned for DHCP 3.0 or DHCP 2.0, as those
        release trains have reached End-Of-Life.
...
CVE:    VU#410676, pre-assigned CVE# CVE-2009-0692

------- Comment #1 From Robert Buchholz 2009-06-26 11:34:59 0000 -------
Created an attachment (id=195806) [details]
dhcp-3.1.1-CVE-2009-0692.patch

------- Comment #2 From Robert Buchholz 2009-06-26 11:35:24 0000 -------
Created an attachment (id=195807) [details]
dhcp-3.1.1-r1.ebuild

------- Comment #3 From Robert Buchholz 2009-06-26 11:35:40 0000 -------
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.
Target keywords : "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : armin76, maekke

------- Comment #4 From Robert Buchholz 2009-06-26 11:36:33 0000 -------
The disclosure date has been postponed to July 14, 2009.

------- Comment #5 From Alex Legler 2009-06-26 11:59:42 0000 -------
CC'ing Fauli for x86 pretesting.

------- Comment #6 From Jeroen Roovers 2009-06-26 15:00:00 0000 -------
HPPA is OK.

------- Comment #7 From Robert Buchholz 2009-06-26 15:46:13 0000 -------
x86 ok via fauli (and i'm his human-proxy)

------- Comment #8 From Tobias Heinlein 2009-06-26 19:25:24 0000 -------
amd64 is fine

------- Comment #9 From Raúl Porcel 2009-06-27 10:32:20 0000 -------
Looks okay on alpha/arm/s390/sh/sparc

------- Comment #10 From Joe Jezak 2009-07-02 12:12:53 0000 -------
Appears fine on ppc/ppc64.

------- Comment #11 From Robert Buchholz 2009-07-02 14:08:38 0000 -------
All arches responded positively. Thanks!

Note that the patch is not officially endorsed by upstream. We have not
received a patch by ISC as they only distribute patches within the DHCP Forum.
I would propose we commit this patch (that has been tested) on the embargo
date. The official patch/release can go into the tree at the same or any later
time.

------- Comment #12 From Tony Vroon 2009-07-09 14:52:24 0000 -------
It would be worth applying the fix to 3.1.2 instead of 3.1.1; it is a better
ebuild with a few long overdue fixes applied. Nothing that would jeopardize the
testing that arch teams have done, an extra keepdir statement, chown now
recurses in case there is a stale PID file owned by root & the init script now
pre-tests the config apache-style.
Hope you all agree, if not, let me know please.

------- Comment #13 From Christian Faulhammer 2009-07-09 14:56:03 0000 -------
I agree with Tony here.

------- Comment #14 From Robert Buchholz 2009-07-09 15:36:39 0000 -------
When I attached the ebuild basing it on 3.1.1 seemed like the best idea.
Nevertheless, we have a few days left and arches can retry with the latest
upstream release, if you attach a new ebuild to this bug.
If a Liaison chooses to not re-test a 3.1.2-r1 ebuild due to time constraints,
we can commit both ebuilds on embargo deadline.

------- Comment #15 From Robert Buchholz 2009-07-09 17:02:22 0000 -------
Christoph Biedl reported a Denial of Service vulnerability in dhcpd under
certain conditions. The DoS can be triggered by a DHCP request when the DHCP
server has configured host definitions using "dhcp-client-identifier" and
"hardware ethernet" for a host that is not reachable via the interface the
request is received from.

Tony will attach a second patch and a new 3.1.2-based ebuild.
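Added example (an editor's addition, not an attachment on this bug or code from ISC or Gentoo): an offline Python audit for the two checks this thread asks administrators to make. The first compares an installed ISC DHCP version against the fixed releases listed in the description (4.1.0p1, 4.0.1p1, 3.1.2p1; the 3.0 and 2.0 trains have no fix). The second finds the `host` declarations in a dhcpd.conf that combine `hardware ethernet` with `dhcp-client-identifier`, the configuration precondition for the dhcpd crash described in comment #15, so those entries can be reviewed before the upgrade lands. The sample configuration is constructed, the function names are this example's own, and treating release trains newer than 4.1 as already fixed is an assumption of the example.

```python
import re

# Fixed releases named in the advisory quoted in this bug's description.
# Release trains older than 3.1 (3.0, 2.0) are end-of-life with no fix.
FIXED_RELEASES = {
    (3, 1): (3, 1, 2, 1),   # 3.1.2p1
    (4, 0): (4, 0, 1, 1),   # 4.0.1p1
    (4, 1): (4, 1, 0, 1),   # 4.1.0p1
}

# Accepts ISC style "3.1.2p1" and Gentoo style "3.1.2_p1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_?p(\d+))?$")


def parse_version(version):
    """Turn '3.1.2p1' or '3.1.2_p1' into the tuple (3, 1, 2, 1)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ISC DHCP version: {version!r}")
    major, minor, patch, p = m.groups()
    return int(major), int(minor), int(patch), int(p or 0)


def needs_upgrade(version):
    """True when `version` is below the fixed release of its train, or sits in
    an end-of-life train that received no fix. Trains newer than any listed
    in the advisory are assumed (assumption of this example) to postdate it."""
    v = parse_version(version)
    train = v[:2]
    if train in FIXED_RELEASES:
        return v < FIXED_RELEASES[train]
    return train < (3, 1)


# ---- dhcpd.conf audit for the CVE-2009-1892 precondition ----

HOST_RE = re.compile(r"\bhost\s+([^\s{]+)\s*\{")


def strip_comments(text):
    """Drop '#' comments (does not special-case '#' inside quoted strings)."""
    return re.sub(r"#.*", "", text)


def host_blocks(text):
    """Return [(name, body), ...] for every 'host NAME { ... }' declaration,
    matching braces so blocks nested inside subnet/group are found too."""
    text = strip_comments(text)
    blocks, pos = [], 0
    while True:
        m = HOST_RE.search(text, pos)
        if not m:
            return blocks
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        if depth:
            raise ValueError(f"unbalanced braces in host {m.group(1)}")
        blocks.append((m.group(1), text[m.end():i - 1]))
        pos = i


def risky_hosts(text):
    """Names of host declarations that use both 'hardware ethernet' and
    'dhcp-client-identifier', the combination named by CVE-2009-1892."""
    return [
        name for name, body in host_blocks(text)
        if re.search(r"\bhardware\s+ethernet\b", body)
        and "dhcp-client-identifier" in body
    ]


# Constructed sample configuration (not taken from the bug or its attachments):
# "printer" uses both settings, "laptop" and "router" use only one each, and
# the commented-out "legacy" host must be ignored.
SAMPLE_CONF = """
subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    host printer {
        hardware ethernet 00:00:5e:00:53:01;
        option dhcp-client-identifier "printer-01";
        fixed-address 192.0.2.10;
    }
    host laptop {
        hardware ethernet 00:00:5e:00:53:02;
        fixed-address 192.0.2.11;
    }
}
# host legacy { hardware ethernet 00:00:5e:00:53:09; option dhcp-client-identifier "x"; }
host router {
    option dhcp-client-identifier 01:00:00:5e:00:53:03;
    fixed-address 192.0.2.1;
}
"""

if __name__ == "__main__":
    for ver in ("3.1.2", "3.1.2_p1", "3.0.7"):
        print(ver, "needs upgrade" if needs_upgrade(ver) else "fixed")
    print("hosts using both settings:", risky_hosts(SAMPLE_CONF))
```

Run it against a real dhcpd.conf by reading the file into `risky_hosts`; a non-empty result only means the configuration matches the CVE's precondition, which is a reason to prioritise the upgrade rather than to rewrite the host entries.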

------- Comment #16 From Tony Vroon 2009-07-13 12:34:01 0000 -------
Created an attachment (id=197776) [details]
dhcp-3.1.2-CVE-2009-0692.patch

------- Comment #17 From Tony Vroon 2009-07-13 12:36:12 0000 -------
Created an attachment (id=197778) [details]
dhcp-3.1.2-r1.ebuild

------- Comment #18 From Tony Vroon 2009-07-13 13:28:44 0000 -------
Created an attachment (id=197780) [details]
dhcp-3.1.2-CVE-2009-1892.patch

------- Comment #19 From Tony Vroon 2009-07-13 13:31:23 0000 -------
Created an attachment (id=197782) [details]
dhcp-3.1.2-r1.ebuild

------- Comment #20 From Tony Vroon 2009-07-13 13:36:36 0000 -------
AMD64 stable keyword preapproved, tested USE-flag combinations:
[ebuild   R   ] net-misc/dhcp-3.1.2-r1  USE="-doc -minimal (-selinux) -static" 0 kB [1]
[ebuild   R   ] net-misc/dhcp-3.1.2-r1  USE="minimal static -doc (-selinux)" 0 kB [1]
[ebuild   R   ] net-misc/dhcp-3.1.2-r1  USE="doc -minimal (-selinux) -static" 0 kB [1]

System info:
Portage 2.1.6.13 (default/linux/amd64/2008.0/no-multilib, gcc-4.3.3,
glibc-2.10.1-r0, 2.6.31-rc2-00257-gc2cc49a x86_64)
=================================================================
System uname:
Linux-2.6.31-rc2-00257-gc2cc49a-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T9400_@_2.53GHz-with-gentoo-2.0.1
Timestamp of tree: Unknown
app-shells/bash:     4.0_p24
dev-java/java-config: 1.3.7-r1, 2.1.8-r1
dev-lang/python:     2.4.4-r6, 2.5.4-r2, 2.6.2-r1
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.6.4
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.4.3-r3
sys-apps/sandbox:    2.0
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2, 1.11
sys-devel/binutils:  2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.30
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -mtune=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/
/etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild
/etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d
/etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c
/etc/udev/rules.d"
CXXFLAGS="-O2 -march=native -mtune=native -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms
sign strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.virginmedia.com"
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS="-Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/cvs/gentoo-x86"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="cvs://chainsaw@cvs.gentoo.org:/var/cvsroot"
USE="16bit 16bit-indices 7zip S3TC X a52 aac aalib ace acpi adns adplug alac
alsa amd64 amr amrnb amrwb animgif aotuv applet archive aspell async asyncns
audacious audiofile autoipd avahi bash-completion berkdb binary-drivers
binfilter bluetooth bonjour bs2b bzip2 cairo calendar canberra cardbus cdaudio
cdda cddb cdparanoia cdr cdrkit cdrom chardet chipcard chm cleartype cli
consolekit cpio cracklib crypt css cups curl dbus device-mapper dhcp dhcpcd
dirac disk-partition diskio divx djvu dmi dri drm dts dv dvd dvdr dvi ecc eds
elf enca encode epiphany erandom exif exiv2 expat fam fat fbcon fbcondecor
ffmpeg fftw flac fortran ftp fuse g15 galago gconf gd gdbm gdl gdm gedit gif
gimp glib glitz glut gmedia gnome gnome-keyring gnutls gpg gphoto2 gs gsf gsm
gstreamer gtk gzip hal hddtemp hdri hfs howl-compat hpn ical icons iconv id3
id3tag idle idn ieee1394 imagemagick imap imlib inkjar inotify ipod ipv6 irda
isdnlog jabber java jbig jce john jpeg jpeg2k juju keyring lame laptop lcms
ldap libburn libcaca libgcrypt libnotify libsamplerate libsexy libssh2 libwww
lilo logrotate lzma lzo mad magic md5sum mdnsresponder-compat midi mikmod mime
mjpeg mmap mmx mmxext mng modplug moonlight mp2 mp3 mp4 mpeg mplayer mudflap
musepack music nano-syntax nautilus ncurses nemesi neon network-cron
networkmanager nls nptl nptlonly nsplugin nss nuv nvidia ogg opengl openmp
openssl otr ots pam pango pccts pcmcia pcre pdf perl physfs pidgin plotutils
png pnm policykit posix postscript ppds pppd pulseaudio python rar rdesktop
readline reflection replytolist resolvconf rss rtc samba scenarios schroedinger
screenshot scrobbler sdl session sftp shorten sid smp sms sndfile snmp soup
sourceview sox span speex spell spl sqlite srt srv sse sse2 sse3 ssl ssse3
startup-notification subtitles svg svgz sysfs syslog szip t1lib taglib
tagwriting tcpd theora thesaurus threads tiff timidity tk tls tordns totem
tracker trayicon truetype tta twolame unicode urandom usb v4l2 vcd vnc vorbis
vorbis-psy vte wav wavpack webkit wifi wma wmf wmp xcb xcomposite xface xhtml
xinerama xml xmp xorg xpm xscreensaver xsettings xslt xulrunner xv xvid xvmc
yv12 zeroconf zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym
copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat
linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm
authn_default authn_file authz_dbm authz_default authz_groupfile authz_host
authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir
disk_cache env expires ext_filter file_cache filter headers include info
log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling
status unique_id userdir usertrack vhost_alias" ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
VIDEO_CARDS="intel"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #21 From Robert Buchholz 2009-07-13 13:41:10 0000 -------
liaisons, please test the =net-misc/dhcp-3.1.2-r1 ebuild that applies both
patches. thanks!

------- Comment #22 From Alex Legler 2009-07-13 23:03:48 0000 -------
Splitting off the dhclient issue for CRD tomorrow.

------- Comment #23 From Robert Buchholz 2009-07-14 21:59:33 0000 -------
this is now public

------- Comment #24 From Robert Buchholz 2009-07-14 22:25:56 0000 -------
I added the CVE-2009-1892 patch and the 3.1.2p1 release, which carries
upstream's CVE-2009-0692 patch (it is equivalent to ours), to the tree.
Tony, I would appreciate you testing it in your setup as well and then we can
add arches to this bug.

------- Comment #25 From Tony Vroon 2009-07-16 10:40:31 0000 -------
3.1.2_p1 tested on a production system with ~15 clients active;
[ebuild   R   ] net-misc/dhcp-3.1.2_p1  USE="-doc -minimal (-selinux) -static" 0 kB

System info:
Portage 2.1.6.13 (hardened/amd64, gcc-3.4.6, glibc-2.9_p20081201-r2,
2.6.28-hardened-r9 x86_64)
=================================================================
System uname:
Linux-2.6.28-hardened-r9-x86_64-Dual-Core_AMD_Opteron-tm-_Processor_2220-with-glibc2.3.2
Timestamp of tree: Wed, 15 Jul 2009 23:15:01 +0000
app-shells/bash:     3.2_p39
dev-lang/python:     2.4.4-r13, 2.5.4-r2
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63
sys-devel/automake:  1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=opteron -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf
/etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=opteron -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms
strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://portage-rsync.linx.net/gentoo-portage"
USE="amd64 bash-completion berkdb cracklib crypt diskio elf hardened hpn ipv6
justify midi ncurses nls no-old-linux nptl nptlonly pam perl pic python
readline sse sse2 ssl sysfs unicode urandom xorg zlib" ALSA_CARDS="ali5451
als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x       ens1370 ens1371
es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3       trident
usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy
dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear
meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm
authn_default authn_file authz_dbm authz_default authz_groupfile authz_host
authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir
disk_cache env expires ext_filter file_cache filter headers include info
log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling
status unique_id userdir usertrack vhost_alias" ELIBC="glibc"
INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 intel
mach64  mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion
sis       sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

Robert, please feel free to add arches. When you do I'll keyword AMD64 for you.

------- Comment #26 From Alex Legler 2009-07-16 11:18:40 0000 -------
Arches, please test and mark stable:
=net-misc/dhcp-3.1.2_p1
Target keywords : "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"

------- Comment #27 From Tony Vroon 2009-07-16 11:29:26 0000 -------
+  16 Jul 2009; <chainsaw@gentoo.org> dhcp-3.1.2_p1.ebuild:
+  Marked stable on AMD64 for security bug #275231; tested on a dual
+  dual-core Opteron 2220 system with ~15 clients spread over two subnets.

------- Comment #28 From Christian Faulhammer 2009-07-16 18:14:42 0000 -------
x86 stable

------- Comment #29 From Jeroen Roovers 2009-07-17 13:09:34 0000 -------
Stable for HPPA.

------- Comment #30 From Tobias Klausmann 2009-07-19 16:37:48 0000 -------
Stable on alpha.

------- Comment #31 From nixnut 2009-07-19 17:17:07 0000 -------
ppc stable

------- Comment #32 From Alex Legler 2009-07-20 19:17:27 0000 -------
CVE-2009-1892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1892):
  dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier
  and hardware ethernet configuration settings are both used, allows
  remote attackers to cause a denial of service (daemon crash) via
  unspecified requests.

------- Comment #33 From Raúl Porcel 2009-07-22 14:36:48 0000 -------
arm/s390/sh/sparc stable

------- Comment #34 From Brent Baude 2009-07-26 12:45:28 0000 -------
ppc64 done

------- Comment #35 From Alex Legler 2009-08-18 21:41:49 0000 -------
GLSA 200908-08
