diff -Nru isc-dhcp-4.3.3/debian/changelog isc-dhcp-4.3.3/debian/changelog
--- isc-dhcp-4.3.3/debian/changelog 2017-05-24 13:50:10.000000000 +0000
+++ isc-dhcp-4.3.3/debian/changelog 2018-03-01 13:23:07.000000000 +0000
@@ -1,3 +1,27 @@
+isc-dhcp (4.3.3-5ubuntu12.9) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: DoS via concurrent TCP sessions
+ - debian/patches/CVE-2016-2774.patch: limit number of connections in
+ includes/site.h, omapip/listener.c.
+ - CVE-2016-2774
+ * SECURITY UPDATE: DoS via omapi
+ - debian/patches/CVE-2018-573x.patch: fix socket descriptor leak in
+ omapip/buffer.c, omapip/message.c.
+ - CVE-2017-3144
+ * SECURITY UPDATE: buffer overflow in dhclient
+ - debian/patches/CVE-2018-573x.patch: check option data size in
+ common/options.c, add tests to common/tests/Makefile.am,
+ common/tests/option_unittest.c.
+ - CVE-2018-5732
+ * SECURITY UPDATE: reference counter overflow in dhcpd
+ - debian/patches/CVE-2018-573x.patch: avoid overflow in
+ common/options.c.
+ - CVE-2018-5733
+ * This package does _not_ contain the changes from 4.3.3-5ubuntu12.8 in
+ xenial-proposed.
+
+ -- Marc Deslauriers Thu, 01 Mar 2018 08:20:48 -0500
+
 isc-dhcp (4.3.3-5ubuntu12.7) xenial; urgency=medium
 * debian/control : Add "Replaces:" option for package isc-dhcp-client
diff -Nru isc-dhcp-4.3.3/debian/patches/CVE-2016-2774.patch isc-dhcp-4.3.3/debian/patches/CVE-2016-2774.patch
--- isc-dhcp-4.3.3/debian/patches/CVE-2016-2774.patch 1970-01-01 00:00:00.000000000 +0000
+++ isc-dhcp-4.3.3/debian/patches/CVE-2016-2774.patch 2018-03-01 13:19:31.000000000 +0000
@@ -0,0 +1,64 @@ +From 0b209ea5cc333255e055113fa2ad636dda681a21 Mon Sep 17 00:00:00 2001 +From: Shawn Routhier +Date: Fri, 4 Mar 2016 12:16:52 -0800 +Subject: [PATCH] [master] Add patch to limit the value of an fd we accept for + a connection. + +By limiting the highest value we accept for an fd we limit the number +of connections. +--- + RELNOTES | 4 ++++ + includes/site.h | 6 ++++++ + omapip/listener.c | 9 +++++++-- + 3 files changed, 17 insertions(+), 2 deletions(-) + +#diff --git a/RELNOTES b/RELNOTES +#index 84fcc49d..47e30303 100644 +#--- a/RELNOTES +#+++ b/RELNOTES +#@@ -254,6 +254,10 @@ by Eric Young (eay@cryptsoft.com). +# escapes, and hex - unquoted, colon separated hex digits. +# [ISC-Busg #26378] +# +#+! Add an option in site.h to limit the number of failover and control +#+ connections the server will accept. By default this is 200. +#+ [ISC-Bugs #41845] +#+ +# Changes since 4.3.3b1 +# +# - None +Index: isc-dhcp-4.3.3/includes/site.h +=================================================================== +--- isc-dhcp-4.3.3.orig/includes/site.h 2018-03-01 08:19:29.244780958 -0500 ++++ isc-dhcp-4.3.3/includes/site.h 2018-03-01 08:19:29.240780960 -0500 +@@ -292,6 +292,12 @@ + this option will be removed at some time. */ + /* #define INCLUDE_OLD_DHCP_ISC_ERROR_CODES */ + ++/* Limit the value of a file descriptor the serve will use ++ when accepting a connecting request. This can be used to ++ limit the number of TCP connections that the server will ++ allow at one time. A value of 0 means there is no limit.*/ ++#define MAX_FD_VALUE 200 ++ + /* Include definitions for various options. 
In general these + should be left as is, but if you have already defined one + of these and prefer your definition you can comment the +Index: isc-dhcp-4.3.3/omapip/listener.c +=================================================================== +--- isc-dhcp-4.3.3.orig/omapip/listener.c 2018-03-01 08:19:29.244780958 -0500 ++++ isc-dhcp-4.3.3/omapip/listener.c 2018-03-01 08:19:29.240780960 -0500 +@@ -233,7 +233,12 @@ isc_result_t omapi_accept (omapi_object_ + return ISC_R_NORESOURCES; + return ISC_R_UNEXPECTED; + } +- ++ ++ if ((MAX_FD_VALUE != 0) && (socket > MAX_FD_VALUE)) { ++ close(socket); ++ return (ISC_R_NORESOURCES); ++ } ++ + #if defined (TRACING) + /* If we're recording a trace, remember the connection. */ + if (trace_record ()) { diff -Nru isc-dhcp-4.3.3/debian/patches/CVE-2018-573x.patch isc-dhcp-4.3.3/debian/patches/CVE-2018-573x.patch --- isc-dhcp-4.3.3/debian/patches/CVE-2018-573x.patch 1970-01-01 00:00:00.000000000 +0000 +++ isc-dhcp-4.3.3/debian/patches/CVE-2018-573x.patch 2018-03-01 13:20:12.000000000 +0000 
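Review bot: The new guard in omapi_accept closes the accepted socket and returns ISC_R_NORESOURCES without logging when `socket > MAX_FD_VALUE`, so an operator whose server has hit the cap — under real load or a connection flood — gets no indication of why control and failover connections are being refused; a `log_error ("omapi_accept: fd %d exceeds MAX_FD_VALUE %d, rejecting connection", socket, MAX_FD_VALUE);` before the `close(socket)` would make the condition observable, assuming log_error is reachable from omapip (listener.c's includes are outside the hunk). The site.h comment should also say that the bound is on the descriptor number, not on a connection count: every other open descriptor (lease file, interface sockets, resolver) uses up numbers below 200, so the effective number of connections is lower and host-dependent. That comment also has a typo, `the serve will use` → `the server will use`. omapi_accept begins before and continues past the hunk.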
@@ -0,0 +1,324 @@ +From 99a25aedea02d9c259cb8fabf4be700fb32571a3 Mon Sep 17 00:00:00 2001 +From: Thomas Markwalder +Date: Fri, 16 Feb 2018 13:51:42 -0500 +Subject: [PATCH] [v4_3_6_p1] Added fixes for CVE-2018-5732, CVE-2018-5733, and + #46767 + + Added patches and unit tests +--- + .gitignore | 1 + + RELNOTES | 23 ++++++- + common/options.c | 18 ++++-- + common/tests/Makefile.am | 9 ++- + common/tests/option_unittest.c | 142 +++++++++++++++++++++++++++++++++++++++++ + omapip/buffer.c | 9 +++ + omapip/message.c | 2 +- + 7 files changed, 196 insertions(+), 8 deletions(-) + create mode 100644 common/tests/option_unittest.c + +#diff --git a/.gitignore b/.gitignore +#index 80d7da00..b4647e3c 100644 +#--- a/.gitignore +#+++ b/.gitignore +#@@ -11,6 +11,7 @@ common/tests/alloc_unittest +# common/tests/dns_unittest +# common/tests/misc_unittest +# common/tests/ns_name_unittest +#+common/tests/option_unittest +# config.log +# config.report +# config.status +#diff --git a/RELNOTES b/RELNOTES +#index dd40aaf4..752c483f 100644 +#--- a/RELNOTES +#+++ b/RELNOTES +#@@ -1,6 +1,6 @@ +# Internet Systems Consortium DHCP Distribution +#- Version 4.3.6 +#- 31 July 2017 +#+ Version 4.3.6-P1 +#+ 28 February 2018 +# +# Release Notes +# +#@@ -66,6 +66,25 @@ We welcome comments from DHCP users, about this or anything else we do. +# Email Vicky Risk, Product Manager at vicky@isc.org or discuss on +# dhcp-users@lists.isc.org. +# +#+ Changes since 4.3.6 +#+ +#+!- Plugged a socket descriptor leak in OMAPI, that can occur when there is +#+ data pending to be written to an OMAPI connection, when the connection +#+ is closed by the reader. +#+ [ISc-Bugs #46767] +#+ +#+! Corrected an issue where large sized 'X/x' format options were causing +#+ option handling logic to overwrite memory when expanding them to human +#+ readable form. Reported by Felix Wilhelm, Google Security Team. +#+ [ISC-Bugs #47139] +#+ CVE: CVE-2018-5732 +#+ +#+! 
Option reference count was not correctly decremented in error path +#+ when parsing buffer for options. Reported by Felix Wilhelm, Google +#+ Security Team. +#+ [ISC-Bugs #47140] +#+ CVE: CVE-2018-xxxx +#+ +# Changes since 4.3.6b1 +# +# - None +Index: isc-dhcp-4.3.3/common/options.c +=================================================================== +--- isc-dhcp-4.3.3.orig/common/options.c 2018-03-01 08:20:09.776769809 -0500 ++++ isc-dhcp-4.3.3/common/options.c 2018-03-01 08:20:09.772769810 -0500 +@@ -177,6 +177,8 @@ int parse_option_buffer (options, buffer + + /* If the length is outrageous, the options are bad. */ + if (offset + len > length) { ++ /* Avoid reference count overflow */ ++ option_dereference(&option, MDL); + reason = "option length exceeds option buffer length"; + bogus: + log_error("parse_option_buffer: malformed option " +@@ -1668,7 +1670,8 @@ format_min_length(format, oc) + + + /* Format the specified option so that a human can easily read it. */ +- ++/* Maximum pretty printed size */ ++#define MAX_OUTPUT_SIZE 32*1024 + const char *pretty_print_option (option, data, len, emit_commas, emit_quotes) + struct option *option; + const unsigned char *data; +@@ -1676,8 +1679,9 @@ const char *pretty_print_option (option, + int emit_commas; + int emit_quotes; + { +- static char optbuf [32768]; /* XXX */ +- static char *endbuf = &optbuf[sizeof(optbuf)]; ++ /* We add 128 byte pad so we don't have to add checks everywhere. 
*/ ++ static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */ ++ static char *endbuf = optbuf + MAX_OUTPUT_SIZE; + int hunksize = 0; + int opthunk = 0; + int hunkinc = 0; +@@ -2104,6 +2108,12 @@ const char *pretty_print_option (option, + fmtbuf [j]); + } + op += strlen (op); ++ if (op >= endbuf) { ++ log_error ("Option data exceeds" ++ " maximum size %d", MAX_OUTPUT_SIZE); ++ return (""); ++ } ++ + if (dp == data + len) + break; + if (j + 1 < numelem && comma != ':') +Index: isc-dhcp-4.3.3/common/tests/Makefile.am +=================================================================== +--- isc-dhcp-4.3.3.orig/common/tests/Makefile.am 2018-03-01 08:20:09.776769809 -0500 ++++ isc-dhcp-4.3.3/common/tests/Makefile.am 2018-03-01 08:20:09.772769810 -0500 +@@ -8,7 +8,8 @@ ATF_TESTS = + + if HAVE_ATF + +-ATF_TESTS += alloc_unittest dns_unittest misc_unittest ns_name_unittest ++ATF_TESTS += alloc_unittest dns_unittest misc_unittest ns_name_unittest \ ++ option_unittest + + alloc_unittest_SOURCES = test_alloc.c $(top_srcdir)/tests/t_api_dhcp.c + alloc_unittest_LDADD = $(ATF_LDFLAGS) +@@ -34,6 +35,12 @@ ns_name_unittest_LDADD += ../libdhcp.a + ../../omapip/libomapi.a ../../bind/lib/libirs.a \ + ../../bind/lib/libdns.a ../../bind/lib/libisccfg.a ../../bind/lib/libisc.a + ++option_unittest_SOURCES = option_unittest.c $(top_srcdir)/tests/t_api_dhcp.c ++option_unittest_LDADD = $(ATF_LDFLAGS) ++option_unittest_LDADD += ../libdhcp.a \ ++ ../../omapip/libomapi.a $(BINDLIBDIR)/libirs.a \ ++ $(BINDLIBDIR)/libdns.a $(BINDLIBDIR)/libisccfg.a $(BINDLIBDIR)/libisc.a ++ + check: $(ATF_TESTS) + sh ${top_srcdir}/tests/unittest.sh + +Index: isc-dhcp-4.3.3/common/tests/option_unittest.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ isc-dhcp-4.3.3/common/tests/option_unittest.c 2018-03-01 08:20:09.776769809 -0500 +@@ -0,0 +1,142 @@ ++/* ++ * Copyright (C) 2018 Internet Systems Consortium, Inc. 
("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH ++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, ++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM ++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE ++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ++ * PERFORMANCE OF THIS SOFTWARE. ++ */ ++ ++#include ++#include ++#include "dhcpd.h" ++ ++ATF_TC(option_refcnt); ++ ++ATF_TC_HEAD(option_refcnt, tc) ++{ ++ atf_tc_set_md_var(tc, "descr", ++ "Verify option reference count does not overflow."); ++} ++ ++/* This test does a simple check to see if option reference count is ++ * decremented even an error path exiting parse_option_buffer() ++ */ ++ATF_TC_BODY(option_refcnt, tc) ++{ ++ struct option_state *options; ++ struct option *option; ++ unsigned code; ++ int refcnt; ++ unsigned char buffer[3] = { 15, 255, 0 }; ++ ++ initialize_common_option_spaces(); ++ ++ options = NULL; ++ if (!option_state_allocate(&options, MDL)) { ++ atf_tc_fail("can't allocate option state"); ++ } ++ ++ option = NULL; ++ code = 15; /* domain-name */ ++ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, ++ &code, 0, MDL)) { ++ atf_tc_fail("can't find option 15"); ++ } ++ if (option == NULL) { ++ atf_tc_fail("option is NULL"); ++ } ++ refcnt = option->refcnt; ++ ++ buffer[0] = 15; ++ buffer[1] = 255; /* invalid */ ++ buffer[2] = 0; ++ ++ if (parse_option_buffer(options, buffer, 3, &dhcp_universe)) { ++ atf_tc_fail("parse_option_buffer is expected to fail"); ++ } ++ ++ if (refcnt != option->refcnt) { ++ atf_tc_fail("refcnt changed from %d to %d", 
refcnt, option->refcnt); ++ } ++} ++ ++ATF_TC(pretty_print_option); ++ ++ATF_TC_HEAD(pretty_print_option, tc) ++{ ++ atf_tc_set_md_var(tc, "descr", ++ "Verify pretty_print_option does not overrun its buffer."); ++} ++ ++ ++/* ++ * This test verifies that pretty_print_option() will not overrun its ++ * internal, static buffer when given large 'x/X' format options. ++ * ++ */ ++ATF_TC_BODY(pretty_print_option, tc) ++{ ++ struct option *option; ++ unsigned code; ++ unsigned char bad_data[32*1024]; ++ unsigned char good_data[] = { 1,2,3,4,5,6 }; ++ int emit_commas = 1; ++ int emit_quotes = 1; ++ const char *output_buf; ++ ++ /* Initialize whole thing to non-printable chars */ ++ memset(bad_data, 0x1f, sizeof(bad_data)); ++ ++ initialize_common_option_spaces(); ++ ++ /* We'll use dhcp_client_identitifer because it happens to be format X */ ++ code = 61; ++ option = NULL; ++ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, ++ &code, 0, MDL)) { ++ atf_tc_fail("can't find option %d", code); ++ } ++ ++ if (option == NULL) { ++ atf_tc_fail("option is NULL"); ++ } ++ ++ /* First we will try a good value we know should fit. */ ++ output_buf = pretty_print_option (option, good_data, sizeof(good_data), ++ emit_commas, emit_quotes); ++ ++ /* Make sure we get what we expect */ ++ if (!output_buf || strcmp(output_buf, "1:2:3:4:5:6")) { ++ atf_tc_fail("pretty_print_option did not return \"\""); ++ } ++ ++ ++ /* Now we'll try a data value that's too large */ ++ output_buf = pretty_print_option (option, bad_data, sizeof(bad_data), ++ emit_commas, emit_quotes); ++ ++ /* Make sure we safely get an error */ ++ if (!output_buf || strcmp(output_buf, "")) { ++ atf_tc_fail("pretty_print_option did not return \"\""); ++ } ++} ++ ++ ++/* This macro defines main() method that will call specified ++ test cases. tp and simple_test_case names can be whatever you want ++ as long as it is a valid variable identifier. 
*/ ++ATF_TP_ADD_TCS(tp) ++{ ++ ATF_TP_ADD_TC(tp, option_refcnt); ++ ATF_TP_ADD_TC(tp, pretty_print_option); ++ ++ return (atf_no_error()); ++} +Index: isc-dhcp-4.3.3/omapip/buffer.c +=================================================================== +--- isc-dhcp-4.3.3.orig/omapip/buffer.c 2018-03-01 08:20:09.776769809 -0500 ++++ isc-dhcp-4.3.3/omapip/buffer.c 2018-03-01 08:20:09.776769809 -0500 +@@ -566,6 +566,15 @@ isc_result_t omapi_connection_writer (om + omapi_buffer_dereference (&buffer, MDL); + } + } ++ ++ /* If we had data left to write when we're told to disconnect, ++ * we need recall disconnect, now that we're done writing. ++ * See rt46767. */ ++ if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) { ++ omapi_disconnect (h, 1); ++ return ISC_R_SHUTTINGDOWN; ++ } ++ + return ISC_R_SUCCESS; + } + +Index: isc-dhcp-4.3.3/omapip/message.c +=================================================================== +--- isc-dhcp-4.3.3.orig/omapip/message.c 2018-03-01 08:20:09.776769809 -0500 ++++ isc-dhcp-4.3.3/omapip/message.c 2018-03-01 08:20:09.776769809 -0500 +@@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (o + } + + #ifdef DEBUG_PROTOCOL +-static const char *omapi_message_op_name(int op) { ++const char *omapi_message_op_name(int op) { + switch (op) { + case OMAPI_OP_OPEN: return "OMAPI_OP_OPEN"; + case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH"; diff -Nru isc-dhcp-4.3.3/debian/patches/series isc-dhcp-4.3.3/debian/patches/series --- isc-dhcp-4.3.3/debian/patches/series 2016-12-09 17:45:11.000000000 +0000 +++ isc-dhcp-4.3.3/debian/patches/series 2018-03-01 13:20:08.000000000 +0000 @@ -25,3 +25,5 @@ dhcp-improved-xid-correct-byte-order.patch CVE-2015-8605.patch dhcp-4.2.4-dhclient-options-changed.patch +CVE-2016-2774.patch +CVE-2018-573x.patch
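Review bot: `#define MAX_OUTPUT_SIZE 32*1024` in the common/options.c part of this patch is unparenthesized, and the new size check in pretty_print_option runs only after `op += strlen (op)` has already appended the element, so the 128-byte pad is what actually prevents the overwrite — the code is safe only while no single element expansion exceeds that pad. Suggested: `#define MAX_OUTPUT_SIZE (32*1024)` together with a pad comment such as `/* 128-byte pad: every per-element write below must stay under this, because the bound is checked only after the write. */`. Whether every format letter keeps one element under 128 bytes cannot be confirmed from this hunk, since most of pretty_print_option lies outside it; the text and domain-name formats are the ones to verify. Separately, the good-data check in option_unittest.c reports `pretty_print_option did not return ""` on failure although it tested for `1:2:3:4:5:6`; change it to `atf_tc_fail("pretty_print_option did not return \"1:2:3:4:5:6\"");`.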