aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMinjae Kim <flowergom@gmail.com>2021-07-08 22:22:40 +0900
committerSteve Sakoman <steve@sakoman.com>2021-07-11 06:19:43 -1000
commit58fa175702f0cd8f00dc5e7938fb55108921d324 (patch)
tree6b71e32f85c6f389efe079ccc42890917fbda4d4
parent42098fd740fe3de68a221fcc9c44ead545757461 (diff)
downloadopenembedded-core-contrib-58fa175702f0cd8f00dc5e7938fb55108921d324.tar.gz
openembedded-core-contrib-58fa175702f0cd8f00dc5e7938fb55108921d324.tar.bz2
openembedded-core-contrib-58fa175702f0cd8f00dc5e7938fb55108921d324.zip
dhcp: fix CVE-2021-25217
A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient. reference: https://www.openwall.com/lists/oss-security/2021/05/26/6 https://kb.isc.org/docs/cve-2021-25217 Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch66
-rw-r--r--meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb1
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
new file mode 100644
index 0000000000..91aaf83a77
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch
@@ -0,0 +1,66 @@
+From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Thu, 8 Jul 2021 00:08:25 +0000
+Subject: [PATCH] ISC has disclosed a vulnerability in ISC DHCP
+ (CVE-2021-25217)
+
+On May 26, 2021, we (Internet Systems Consortium) disclosed a
+vulnerability affecting our ISC DHCP software:
+
+ CVE-2021-25217: A buffer overrun in lease file parsing code can be
+ used to exploit a common vulnerability shared by dhcpd and dhclient
+ https://kb.isc.org/docs/cve-2021-25217
+
+New versions of ISC DHCP are available from https://www.isc.org/downloads
+
+Operators and package maintainers who prefer to apply patches selectively can
+find individual vulnerability-specific patches in the "patches" subdirectory
+of the release directories for our two stable release branches (4.4 and 4.1-ESV)
+
+ https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches
+ https://downloads.isc.org/isc/dhcp/4.1-ESV-R16-P1/patches
+
+With the public announcement of this vulnerability, the embargo
+period is ended and any updated software packages that have been
+prepared may be released.
+
+Upstream-Status: Accepted [https://www.openwall.com/lists/oss-security/2021/05/26/6]
+CVE: CVE-2021-25217
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ common/parse.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/common/parse.c b/common/parse.c
+index 386a632..fc7b39c 100644
+--- a/common/parse.c
++++ b/common/parse.c
+@@ -3,7 +3,7 @@
+ Common parser code for dhcpd and dhclient. */
+
+ /*
+- * Copyright (c) 2004-2019 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2004-2021 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-2003 by Internet Software Consortium
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+@@ -5556,13 +5556,14 @@ int parse_X (cfile, buf, max)
+ skip_to_semi (cfile);
+ return 0;
+ }
+- convert_num (cfile, &buf [len], val, 16, 8);
+- if (len++ > max) {
++ if (len >= max) {
+ parse_warn (cfile,
+ "hexadecimal constant too long.");
+ skip_to_semi (cfile);
+ return 0;
+ }
++ convert_num (cfile, &buf [len], val, 16, 8);
++ len++;
+ token = peek_token (&val, (unsigned *)0, cfile);
+ if (token == COLON)
+ token = next_token (&val,
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
index b56a204821..5609a350cc 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.2.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
file://0013-fixup_use_libbind.patch \
file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
+ file://CVE-2021-25217.patch \
"
SRC_URI[md5sum] = "2afdaf8498dc1edaf3012efdd589b3e1"