Hello community, here is the log from the commit of package dhcp for openSUSE:Factory checked in at 2016-01-30 11:34:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dhcp (Old) and /work/SRC/openSUSE:Factory/.dhcp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dhcp"
Changes:
--------
--- /work/SRC/openSUSE:Factory/dhcp/dhcp.changes 2015-10-17 16:36:41.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.dhcp.new/dhcp.changes 2016-01-30 11:34:35.000000000 +0100
@@ -1,0 +2,14 @@
+Tue Jan 26 17:16:45 CET 2016 - ndas@suse.de
+
+- Update to dhcp-4.3.3-P1 correcting bounds checking when
+ receiving a packet (bsc#961305,CVE-2015-8605,ISC-Bugs#41267).
+- adjusted interval check.
+ [*0019-dhcp-4.2.4-P1-interval.patch]
+- Fixed improper lease duration checking. Also added fixes for integer
+ overflows in the date and time handling code(bsc#936923, bsc#880984).
+ [+0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch]
+- fixed service files to start dhcpd after slapd (bsc#956159)
+- dhclient-script: complain in the log about conflicts, added
+ a see log messages to the dhclient log message (bsc#960506)
+ [* 0018-client-fail-on-script-pre-init-error-bsc-912098.patch]
+-------------------------------------------------------------------
Old:
----
dhcp-4.3.3.tar.gz
dhcp-4.3.3.tar.gz.asc
New:
----
0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch
dhcp-4.3.3-P1.tar.gz
dhcp-4.3.3-P1.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dhcp.spec ++++++
--- /var/tmp/diff_new_pack.FAsUde/_old 2016-01-30 11:34:37.000000000 +0100
+++ /var/tmp/diff_new_pack.FAsUde/_new 2016-01-30 11:34:37.000000000 +0100
@@ -1,7 +1,7 @@ # # spec file for package dhcp # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,7 +16,7 @@ # -%define isc_version 4.3.3 +%define isc_version 4.3.3-P1 %define susefw2dir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %define omc_prefix /usr/share/omc %define omc_svcdir %{omc_prefix}/svcinfo.d @@ -41,7 +41,7 @@ %endif BuildRequires: dos2unix BuildRequires: libtool -Version: 4.3.3 +Version: 4.3.3.P1 Release: 0 Summary: Common Files Used by ISC DHCP Software License: BSD-3-Clause @@ -118,6 +118,7 @@ Patch18: 0018-client-fail-on-script-pre-init-error-bsc-912098.patch # PATCH-FIX-SLE dhcp-4.2.4-P1-interval bsc#947780 Patch19: 0019-dhcp-4.2.4-P1-interval.patch +Patch20: 0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch ## PreReq: /bin/touch /sbin/chkconfig sysconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -249,6 +250,7 @@ %patch17 -p1 %patch18 -p1 %patch19 -p1 +%patch20 -p1 ## find . -type f -name \*.cat\* -exec rm -f {} \; dos2unix contrib/ms2isc/* ++++++ 0018-client-fail-on-script-pre-init-error-bsc-912098.patch ++++++ --- /var/tmp/diff_new_pack.FAsUde/_old 2016-01-30 11:34:37.000000000 +0100 +++ /var/tmp/diff_new_pack.FAsUde/_new 2016-01-30 11:34:37.000000000 +0100 @@ -40,7 +40,7 @@ + } + } + if (failed) { -+ log_fatal("%s: unable to pre-init requested interfaces", ++ log_fatal("%s: unable to pre-init requested interfaces -- see log messages", + path_dhclient_script); } } ++++++ 0019-dhcp-4.2.4-P1-interval.patch ++++++ --- /var/tmp/diff_new_pack.FAsUde/_old 2016-01-30 11:34:37.000000000 +0100 +++ /var/tmp/diff_new_pack.FAsUde/_new 2016-01-30 11:34:37.000000000 +0100 
@@ -4,7 +4,7 @@ isc_time_nowplusinterval() is not safe with 64-bit time_t (#662254, #789601) -References: bsc#947780 +References: bsc#947780, bsc#880984 Index: dhcp-4.2.4-P2/common/dispatch.c =================================================================== --- dhcp-4.2.4-P2.orig/common/dispatch.c @@ -31,3 +31,20 @@ status = isc_time_nowplusinterval(&expires, &interval); if (status != ISC_R_SUCCESS) { /* +From: Nirmoy Das <ndas@suse.de> +Date: Tue, 26 Jan 2016 13:36:28 +0100 +Subject: [PATCH] adjusted interval check + +Index: dhcp-4.3.3/common/dispatch.c +=================================================================== +--- dhcp-4.3.3.orig/common/dispatch.c ++++ dhcp-4.3.3/common/dispatch.c +@@ -349,7 +349,7 @@ void add_timeout (when, where, what, ref + * gone by since the last call to gettimeofday() and the one in + * isc_time_nowplusinterval(). + */ +- if (sec > TIME_MAX) ++ if (sec > TIME_MAX - 9) + sec = TIME_MAX - 9; + + isc_interval_set(&interval, sec, usec * 1000); ++++++ 0020-dhcp-4.x.x-fixed-improper-lease-duration-checking.patch ++++++ From: Marius Tomaschewski <mt@suse.de> Date: Tue, 12 Jan 2016 15:42:22 +0100 Subject: [PATCH] fixed improper lease duration checking. References: bsc#936923, bsc#880984 year 2038 is EOT only for 32 bit machine. This patch checks wordsize and do a proper EOT checking on lease duration. It also fixes integer overflows in the date and time handling code. diff --git a/common/parse.c b/common/parse.c index 22e7d58..e9e53a4 100644 --- a/common/parse.c +++ b/common/parse.c @@ -939,7 +939,7 @@ TIME parse_date_core(cfile) struct parse *cfile; { - int guess; + long guess; int tzoff, year, mon, mday, hour, min, sec; const char *val; enum dhcp_token token; @@ -966,7 +966,7 @@ parse_date_core(cfile) } skip_token(&val, NULL, cfile); /* consume number */ - guess = atoi(val); + guess = atol(val); return((TIME)guess); } 
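Review bot: In the `@@ -966` hunk of common/parse.c, `guess = atol(val);` still has no way to report a number that does not fit in `long`; the C standard leaves that case undefined, so an oversized epoch value in the parsed file becomes an arbitrary TIME. Widening `guess` to `long` in the `@@ -939` hunk only helps on ABIs where `long` is 64 bits. I would parse with error detection instead, e.g. `errno = 0; guess = strtol(val, NULL, 10);` followed by `if (errno == ERANGE) return(MAX_TIME);`, assuming `<errno.h>` is in scope and that clamping is what callers expect (neither is visible here). parse_date_core starts and ends outside both hunks.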
@@ -1113,11 +1113,22 @@ parse_date_core(cfile) * overflow issues. We could try and be more precise but there * doesn't seem to be a good reason to worry about it and waste * the cpu looking at the rest of the date. */ - if (year >= 138) - return(MAX_TIME); - + if (sizeof(time_t) == 8) { + /* 2038 is not an issue on 64bit. time calculations + * start to fail at almost INT_MAX (- some guard) */ + if (year > 0x7fff0000) + return(MAX_TIME); + } else { + /* assume 32bit with end in 2038 */ + if (year >= 138) + return(MAX_TIME); + } + /* I don't think we need to care about lease starts before 1900 */ + if (year < 0) + return((TIME)0); + /* Guess the time value... */ - guess = ((((((365 * (year - 70) + /* Days in years since '70 */ + guess = ((((((365 * ((long)year - 70) + /* Days in years since '70 */ (year - 69) / 4 + /* Leap days since '70 */ (mon /* Days in months this year */ ? months [mon - 1] diff --git a/includes/dhcpd.h b/includes/dhcpd.h index 4270edc..1af4c5b 100644 --- a/includes/dhcpd.h +++ b/includes/dhcpd.h @@ -1561,7 +1561,7 @@ typedef unsigned char option_mask [16]; #define DHCPD_LOG_FACILITY LOG_DAEMON #endif -#define MAX_TIME 0x7fffffff +#define MAX_TIME LONG_MAX #define MIN_TIME 0 #ifdef USE_LOG_PID ++++++ dhclient-script ++++++ --- /var/tmp/diff_new_pack.FAsUde/_old 2016-01-30 11:34:37.000000000 +0100 +++ /var/tmp/diff_new_pack.FAsUde/_new 2016-01-30 11:34:37.000000000 +0100 
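Review bot: The new 64-bit branch is selected by `sizeof(time_t) == 8`, but the arithmetic it protects is done in `long` (`(long)year - 70`, with `guess` declared `long` in the `@@ -939` hunk), and those two widths need not match. On an ABI with a 64-bit time_t and a 32-bit long, the `year > 0x7fff0000` guard lets nearly any year through and the `365 * ...` product overflows a signed 32-bit long, which is undefined behaviour. Keying the branch on the type that is actually used avoids this, e.g. `if (sizeof(long) >= 8 && sizeof(time_t) >= 8) {`, or the computation could be done in TIME if that is a time_t typedef (its definition is not visible here). The function continues outside the hunk.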
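Review bot: `#define MAX_TIME LONG_MAX` in includes/dhcpd.h changes both the value and the type of the constant, and nothing at the definition says so. It now depends on `<limits.h>` being included before any use, it is a `long` rather than an `int` constant, and on LP64 it no longer fits the 32-bit fields or `%d`-style formats that code written against `0x7fffffff` may assume; those call sites are outside this diff and would need an audit. I would add a comment above the define, such as `/* Largest TIME we handle; follows the width of long, so do not store it in 32-bit fields. Needs <limits.h>. */`.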
@@ -73,14 +73,26 @@ { local _id=`/usr/bin/systemctl --no-pager -p Id show network.service 2>/dev/null` case "${_id#Id=}" in - # wicked is using an another dhcp client - wicked.service) return 1 ;; + # wicked is using an another dhcp client - dhclient + # is not supported with enabled wicked and disabled. + wicked.service) + logger -t "${0##*/}" -p daemon.error -- \ + "dhclient conflicts with enabled ${_id#Id=} and disabled" + return 1 + ;; - # NetworkManager is using another script - #NetworkManager.service) return 1 ;; + # NetworkManager is using an another script + # [disarmed except maintainer requests it] + #NetworkManager.service) + # logger -t "${0##*/}" -p daemon.error -- \ + # "dhclient-script conflicts with enabled ${_id#Id=} script and disabled" + # return 1 + #;; - # sysconfig network were using it, other? - network.service|*) return 0 ;; + # sysconfig network [gone] were using it, other? + network.service|*) + return 0 + ;; esac } ++++++ dhcpd.service ++++++ --- /var/tmp/diff_new_pack.FAsUde/_old 2016-01-30 11:34:37.000000000 +0100 +++ /var/tmp/diff_new_pack.FAsUde/_new 2016-01-30 11:34:37.000000000 +0100 @@ -1,7 +1,7 @@ [Unit] Description=ISC DHCPv4 Server Before=multi-user.target -After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service +After=remote-fs.target network.target nss-lookup.target time-sync.target slapd.service sssd.service ndsd.service [Service] Type=forking ++++++ dhcpd6.service ++++++ --- /var/tmp/diff_new_pack.FAsUde/_old 2016-01-30 11:34:37.000000000 +0100 +++ /var/tmp/diff_new_pack.FAsUde/_new 2016-01-30 11:34:37.000000000 +0100 @@ -1,7 +1,7 @@ [Unit] Description=ISC DHCPv6 Server Before=multi-user.target -After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service +After=remote-fs.target network.target nss-lookup.target time-sync.target slapd.service sssd.service ndsd.service [Service] Type=forking
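Review bot: The message logged in the new `wicked.service)` branch, `dhclient conflicts with enabled ${_id#Id=} and disabled`, does not say what was disabled, so someone reading the journal cannot tell what the script did. A wording like `"dhclient-script: ${_id#Id=} is enabled and runs its own DHCP client; dhclient is not supported here"` would be clearer, if that matches what `return 1` means to the caller (not visible in this hunk). Separately, `-p daemon.error` uses a level name that util-linux logger documents as a deprecated synonym; `-p daemon.err` is the standard spelling. The enclosing function starts before the hunk.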
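Review bot: The new `After=` line in dhcpd.service only orders dhcpd behind slapd.service and sssd.service when those units are already part of the same start transaction; it does not pull them in, and it does not cover a directory server that runs under another unit name. Dropping `ldap.service` also removes the ordering on any host where the LDAP server is still provided under that name, which cannot be ruled out from this diff. If an LDAP-backed dhcpd configuration is the motivation (bsc#956159), a comment in the unit such as `# ordering only; add Wants=slapd.service in a drop-in when dhcpd reads its config from a local slapd` would document the limit. The same line is changed in dhcpd6.service.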