Merge lp:~davewalker/ubuntu/natty/isc-dhcp/lp_720729 into lp:ubuntu/natty/isc-dhcp

Proposed by Dave Walker on 2011-02-17
Status: Merged
Merged at revision: 16
Proposed branch: lp:~davewalker/ubuntu/natty/isc-dhcp/lp_720729
Merge into: lp:ubuntu/natty/isc-dhcp
Diff against target: 99 lines (+76/-0)
3 files modified
debian/changelog (+12/-0)
debian/patches/00list (+2/-0)
debian/patches/CVE-2011-0413.dpatch (+62/-0)
To merge this branch: bzr merge lp:~davewalker/ubuntu/natty/isc-dhcp/lp_720729
Reviewer Review Type Date Requested Status
Ubuntu Security Sponsors Team 2011-02-17 Pending
Ubuntu Sponsors Team 2011-02-17 Pending
Review via email: mp+50195@code.launchpad.net
To post a comment you must log in.
17. By Dave Walker on 2011-02-17

Adjusted spacing on debian/patches/CVE-2011-0413.dpatch

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2010-12-09 11:21:53 +0000
3+++ debian/changelog 2011-02-17 17:44:59 +0000
4@@ -1,3 +1,15 @@
5+isc-dhcp (4.1.1-P1-15ubuntu3) natty; urgency=low
6+
7+ * SECURITY UPDATE: denial of service via processing of message from an address
8+ that was previously declined, causing assert failure. (LP: #720729)
9+ - debian/patches/CVE-2011-0413.dpatch: Reclaim the previously abandoned
10+ address in isc-dhcp/server/mdb6.c, by retagging the lease and adding
11+ a sane expiration value. Based on changes between upstream releases
12+ 4.1.2 and 4.1.2-P1
13+ - CVE-2011-0413
14+
15+ -- Dave Walker (Daviey) <DaveWalker@ubuntu.com> Thu, 17 Feb 2011 16:24:57 +0000
16+
17 isc-dhcp (4.1.1-P1-15ubuntu2) natty; urgency=low
18
19 * debian/apparmor-profile.dhcpd: allow read access to @{PROC}/[0-9]*/net/dev
20
21=== modified file 'debian/patches/00list'
22--- debian/patches/00list 2010-12-06 14:23:12 +0000
23+++ debian/patches/00list 2011-02-17 17:44:59 +0000
24@@ -11,6 +11,8 @@
25
26 # Backported from 4.1.2
27 CVE-2010-3611
28+# Ported from 4.1-ESV
29+CVE-2011-0413
30
31 # Ubuntu patches (see patch headers)
32 # emailed upstream
33
34=== added file 'debian/patches/CVE-2011-0413.dpatch'
35--- debian/patches/CVE-2011-0413.dpatch 1970-01-01 00:00:00 +0000
36+++ debian/patches/CVE-2011-0413.dpatch 2011-02-17 17:44:59 +0000
37@@ -0,0 +1,62 @@
38+#! /bin/sh /usr/share/dpatch/dpatch-run
39+# Description: When the DHCPv6 server code processed a message for an address
40+# that was previously declined and internally tagged as abandoned it could
41+# trigger an assert failure resulting in the server crashing. This could have
42+# been used to crash DHCPv6 servers remotely. This issue only affected DHCPv6
43+# servers. DHCPv4 servers were unaffected. Patch is based on diff between
44+# upstream releases 4.1.2 and 4.1.2-P1, constructed to apply by Raphael
45+# Geissert. (CVE-2011-0413)
46+# Origin: upstream
47+# Author: Raphael Geissert <geissert@debian.org>
48+# Bug-Ubuntu: https://launchpad.net/bugs/720729
49+# Bug-Debian: http://bugs.debian.org/611217
50+# Last-Update: 2011-02-17
51+
52+@DPATCH@
53+diff -urNad isc-dhcp~/server/mdb6.c isc-dhcp/server/mdb6.c
54+--- isc-dhcp~/server/mdb6.c 2008-10-22 04:41:58.000000000 -0700
55++++ isc-dhcp/server/mdb6.c 2011-02-03 22:18:27.000000000 -0800
56+@@ -1006,7 +1006,7 @@
57+ * Renew an lease in the pool.
58+ *
59+ * To do this, first set the new hard_lifetime_end_time for the resource,
60+- * and then invoke renew_lease() on it.
61++ * and then invoke renew_lease6() on it.
62+ *
63+ * WARNING: lease times must only be extended, never reduced!!!
64+ */
65+@@ -1016,12 +1016,24 @@
66+ * If we're already active, then we can just move our expiration
67+ * time down the heap.
68+ *
69++ * If we're abandoned then we are already on the active list
70++ * but we need to retag the lease and move our expiration
71++ * from infinite to the current value
72++ *
73+ * Otherwise, we have to move from the inactive heap to the
74+ * active heap.
75+ */
76+ if (lease->state == FTS_ACTIVE) {
77+ isc_heap_decreased(pool->active_timeouts, lease->heap_index);
78+ return ISC_R_SUCCESS;
79++ } else if (lease->state == FTS_ABANDONED) {
80++ char tmp_addr[INET6_ADDRSTRLEN];
81++ lease->state = FTS_ACTIVE;
82++ isc_heap_increased(pool->active_timeouts, lease->heap_index);
83++ log_info("Reclaiming previously abandoned address %s",
84++ inet_ntop(AF_INET6, &(lease->addr), tmp_addr,
85++ sizeof(tmp_addr)));
86++ return ISC_R_SUCCESS;
87+ } else {
88+ return move_lease_to_active(pool, lease);
89+ }
90+@@ -1109,7 +1121,8 @@
91+ decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
92+ isc_result_t result;
93+
94+- if (lease->state != FTS_ACTIVE) {
95++ if ((lease->state != FTS_ACTIVE) &&
96++ (lease->state != FTS_ABANDONED)) {
97+ result = move_lease_to_active(pool, lease);
98+ if (result != ISC_R_SUCCESS) {
99+ return result;

Subscribers

People subscribed via source and target branches