| Summary | <net-misc/dhcp-3.1.2_p1 dhcpd DoS (CVE-2009-1892) |
|---|---|
| Product | Gentoo Security |
| Reporter | Robert Buchholz (RETIRED) <rbu> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | base-system, chainsaw |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A3 [glsa] |
| Runtime testing required | --- |
Description

Robert Buchholz (RETIRED):

Created attachment 195806: dhcp-3.1.1-CVE-2009-0692.patch
Created attachment 195807: dhcp-3.1.1-r1.ebuild

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Target keywords: "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha: armin76, klausman
amd64: keytoaster, tester
hppa: jer
ppc: josejx, ranger
ppc64: josejx, ranger
sparc: fmccor
x86: armin76, maekke

The disclosure date has been postponed to July 14, 2009.

CC'ing Fauli for x86 pretesting.

HPPA is OK.

x86 ok via fauli (and I'm his human-proxy).

amd64 is fine.

Looks okay on alpha/arm/s390/sh/sparc.

Appears fine on ppc/ppc64.

All arches responded positively. Thanks! Note that the patch is not officially endorsed by upstream. We have not received a patch from ISC, as they only distribute patches within the DHCP Forum. I would propose we commit this patch (that has been tested) on the embargo date. The official patch/release can go into the tree at the same or any later time.

It would be worth applying the fix to 3.1.2 instead of 3.1.1; it is a better ebuild with a few long overdue fixes applied. Nothing that would jeopardize the testing that arch teams have done: an extra keepdir statement, chown now recurses in case there is a stale PID file owned by root, and the init script now pre-tests the config apache-style. Hope you all agree; if not, let me know please.

I agree with Tony here. When I attached the ebuild, basing it on 3.1.1 seemed like the best idea. Nevertheless, we have a few days left and arches can retry with the latest upstream release if you attach a new ebuild to this bug. If a Liaison chooses not to re-test a 3.1.2-r1 ebuild due to time constraints, we can commit both ebuilds on the embargo deadline.

Christoph Biedl reported a Denial of Service vulnerability in dhcpd under certain conditions. The DoS can be triggered by a DHCP request when the DHCP server has configured host definitions using "dhcp-client-identifier" and "hardware ethernet" for a host that is not reachable via the interface the request is received from.

Tony will attach a second patch and a new 3.1.2-based ebuild.

Created attachment 197776: dhcp-3.1.2-CVE-2009-0692.patch
Created attachment 197778: dhcp-3.1.2-r1.ebuild
Created attachment 197780: dhcp-3.1.2-CVE-2009-1892.patch
Created attachment 197782: dhcp-3.1.2-r1.ebuild

AMD64 stable keyword preapproved, tested USE-flag combinations:
[ebuild R ] net-misc/dhcp-3.1.2-r1 USE="-doc -minimal (-selinux) -static" 0 kB [1]
[ebuild R ] net-misc/dhcp-3.1.2-r1 USE="minimal static -doc (-selinux)" 0 kB [1]
[ebuild R ] net-misc/dhcp-3.1.2-r1 USE="doc -minimal (-selinux) -static" 0 kB [1]
System info: Portage 2.1.6.13 (default/linux/amd64/2008.0/no-multilib, gcc-4.3.3, glibc-2.10.1-r0, 2.6.31-rc2-00257-gc2cc49a x86_64)

Liaisons, please test the =net-misc/dhcp-3.1.2-r1 ebuild that applies both patches. Thanks!

Splitting off the dhclient issue for CRD tomorrow.

This is now public.

I added the CVE-2009-1892 patch and the 3.1.2p1 release, which carries upstream's CVE-2009-0692 patch (it is equivalent to ours), to the tree. Tony, I would appreciate you testing it in your setup as well, and then we can add arches to this bug.

3.1.2_p1 tested on a production system with ~15 clients active;
[ebuild R ] net-misc/dhcp-3.1.2_p1 USE="-doc -minimal (-selinux) -static" 0 kB
System info: Portage 2.1.6.13 (hardened/amd64, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 x86_64)
Robert, please feel free to add arches. When you do I'll keyword AMD64 for you.

Arches, please test and mark stable: =net-misc/dhcp-3.1.2_p1
Target keywords: "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"

+ 16 Jul 2009; <chainsaw@gentoo.org> dhcp-3.1.2_p1.ebuild:
+ Marked stable on AMD64 for security bug #275231; tested on a dual
+ dual-core Opteron 2220 system with ~15 clients spread over two subnets.

x86 stable.

Stable for HPPA.

Stable on alpha.

ppc stable.

CVE-2009-1892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1892): dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and hardware ethernet configuration settings are both used, allows remote attackers to cause a denial of service (daemon crash) via unspecified requests.

arm/s390/sh/sparc stable.

ppc64 done.

GLSA 200908-08
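The configuration pattern the CVE description above names (a host declaration carrying both "hardware ethernet" and "dhcp-client-identifier"), as an added example that is not part of this bug, the ebuild, or ISC's dhcp: a small Python scanner that lists the host declarations in a dhcpd.conf that match that pattern, so an administrator can see which entries are affected while scheduling the upgrade to 3.1.2_p1. The sample configuration and the function name `find_risky_hosts` are constructed here and are not from the page.

```python
import re

# Constructed sample dhcpd.conf fragment (not from the bug): "laptop" combines
# both statements named in the CVE-2009-1892 description; "printer" does not.
SAMPLE_CONF = """
# lab network
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;
}
host printer {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.0.2.10;
}
host laptop {
  hardware ethernet 00:11:22:33:44:66;   # MAC of the docking NIC
  option dhcp-client-identifier "laptop-01";
  fixed-address 192.0.2.11;
}
"""

_COMMENT = re.compile(r"#.*")                               # '#' to end of line
_HOST_BLOCK = re.compile(r"\bhost\s+([^\s{]+)\s*\{([^{}]*)\}", re.DOTALL)
_HW_ETHER = re.compile(r"\bhardware\s+ethernet\b", re.IGNORECASE)
_CLIENT_ID = re.compile(r"\bdhcp-client-identifier\b", re.IGNORECASE)


def find_risky_hosts(conf_text: str) -> list:
    """Return the names of host declarations that use both 'hardware ethernet'
    and 'dhcp-client-identifier', the combination CVE-2009-1892 depends on.

    Comments are stripped first so a commented-out statement does not count.
    A '#' inside a quoted string would also be treated as a comment; that is
    an accepted limitation of this lightweight scan."""
    stripped = _COMMENT.sub("", conf_text)
    risky = []
    for name, body in _HOST_BLOCK.findall(stripped):
        if _HW_ETHER.search(body) and _CLIENT_ID.search(body):
            risky.append(name)
    return risky


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for host in find_risky_hosts(text):
        print(f"host '{host}' combines hardware ethernet and dhcp-client-identifier")
```

This complements the syntax pre-test the thread mentions (`dhcpd -t -cf /path/to/dhcpd.conf` only validates the file); the scan flags the affected combination, which is valid syntax.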