Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/net-misc
diff options
context:
space:
mode:
authorLars Wendler <polynomial-c@gentoo.org>2019-05-07 13:19:21 +0200
committerLars Wendler <polynomial-c@gentoo.org>2019-05-07 13:19:47 +0200
commitbe946042b4fe11abaac43300d2165e224215d3c9 (patch)
tree315b9eaeea444ba3227ad5fff4c1dde3fec3d6c5 /net-misc
parentros-meta/roscpp_core: Bump to 0.6.12. (diff)
downloadgentoo-be946042b4fe11abaac43300d2165e224215d3c9.tar.gz
gentoo-be946042b4fe11abaac43300d2165e224215d3c9.tar.bz2
gentoo-be946042b4fe11abaac43300d2165e224215d3c9.zip
net-misc/dhcpcd: Security bump to version 7.1.1-r3
Bug: https://bugs.gentoo.org/685264 Package-Manager: Portage-2.3.66, Repoman-2.3.12 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild154
-rw-r--r--net-misc/dhcpcd/files/dhcpcd-7.1.1-v6_read_overflow.patch120
2 files changed, 274 insertions, 0 deletions
diff --git a/net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild b/net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild
new file mode 100644
index 000000000000..755eefee08f0
--- /dev/null
+++ b/net-misc/dhcpcd/dhcpcd-7.1.1-r3.ebuild
@@ -0,0 +1,154 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit systemd toolchain-funcs
+
+if [[ ${PV} == "9999" ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://roy.marples.name/git/dhcpcd.git"
+else
+ MY_P="${P/_alpha/-alpha}"
+ MY_P="${MY_P/_beta/-beta}"
+ MY_P="${MY_P/_rc/-rc}"
+ SRC_URI="https://roy.marples.name/downloads/${PN}/${MY_P}.tar.xz"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux"
+ S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="A fully featured, yet light weight RFC2131 compliant DHCP client"
+HOMEPAGE="https://roy.marples.name/projects/dhcpcd"
+LICENSE="BSD-2"
+SLOT="0"
+IUSE="elibc_glibc +embedded ipv6 kernel_linux +udev"
+
+COMMON_DEPEND="udev? ( virtual/udev )"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-disable_inet6_fix.patch #677508
+ "${FILESDIR}"/${P}-overflows.patch #684430
+ "${FILESDIR}"/${P}-v6_read_overflow.patch #685264
+)
+
+src_configure() {
+ local dev hooks=() rundir
+ use udev || dev="--without-dev --without-udev"
+ hooks=( --with-hook=ntp.conf )
+ use elibc_glibc && hooks+=( --with-hook=yp.conf )
+ use kernel_linux && rundir="--rundir=${EPREFIX}/run"
+ local myeconfargs=(
+ --prefix="${EPREFIX}"
+ --libexecdir="${EPREFIX}/lib/dhcpcd"
+ --dbdir="${EPREFIX}/var/lib/dhcpcd"
+ --localstatedir="${EPREFIX}/var"
+ ${rundir}
+ $(use_enable embedded)
+ $(use_enable ipv6)
+ ${dev}
+ CC="$(tc-getCC)"
+ ${hooks[@]}
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+ keepdir /var/lib/dhcpcd
+ newinitd "${FILESDIR}"/${PN}.initd ${PN}
+ systemd_dounit "${FILESDIR}"/${PN}.service
+}
+
+pkg_postinst() {
+ local dbdir="${EROOT%/}"/var/lib/dhcpcd old_files=()
+
+ local old_old_duid="${EROOT%/}"/var/lib/dhcpcd/dhcpcd.duid
+ local old_duid="${EROOT%/}"/etc/dhcpcd.duid
+ local new_duid="${dbdir}"/duid
+ if [[ -e "${old_old_duid}" ]] ; then
+ # Upgrade the duid file to the new format if needed
+ if ! grep -q '..:..:..:..:..:..' "${old_old_duid}"; then
+ sed -i -e 's/\(..\)/\1:/g; s/:$//g' "${old_old_duid}"
+ fi
+
+ # Move the duid to /etc, a more sensible location
+ if [[ ! -e "${old_duid}" ]] ; then
+ cp -p "${old_old_duid}" "${new_duid}"
+ fi
+ old_files+=( "${old_old_duid}" )
+ fi
+
+ # dhcpcd-7 moves the files out of /etc
+ if [[ -e "${old_duid}" ]] ; then
+ if [[ ! -e "${new_duid}" ]] ; then
+ cp -p "${old_duid}" "${new_duid}"
+ fi
+ old_files+=( "${old_duid}" )
+ fi
+ local old_secret="${EROOT%/}"/etc/dhcpcd.secret
+ local new_secret="${dbdir}"/secret
+ if [[ -e "${old_secret}" ]] ; then
+ if [[ ! -e "${new_secret}" ]] ; then
+ cp -p "${old_secret}" "${new_secret}"
+ fi
+ old_files+=( "${old_secret}" )
+ fi
+
+ # dhcpcd-7 renames some files in /var/lib/dhcpcd
+ local old_rdm="${dbdir}"/dhcpcd-rdm.monotonic
+ local new_rdm="${dbdir}"/rdm_monotonic
+ if [[ -e "${old_rdm}" ]] ; then
+ if [[ ! -e "${new_rdm}" ]] ; then
+ cp -p "${old_rdm}" "${new_rdm}"
+ fi
+ old_files+=( "${old_rdm}" )
+ fi
+ local lease=
+ for lease in "${dbdir}"/dhcpcd-*.lease*; do
+ [[ -f "${lease}" ]] || continue
+ old_files+=( "${lease}" )
+ local new_lease=$(basename "${lease}" | sed -e "s/dhcpcd-//")
+ [[ -e "${dbdir}/${new_lease}" ]] && continue
+ cp "${lease}" "${dbdir}/${new_lease}"
+ done
+
+ # Warn about removing stale files
+ if [[ -n "${old_files[@]}" ]] ; then
+ elog
+ elog "dhcpcd-7 has copied dhcpcd.duid and dhcpcd.secret from"
+ elog "${EROOT%/}/etc to ${dbdir}"
+ elog "and copied leases in ${dbdir} to new files with the dhcpcd-"
+ elog "prefix dropped."
+ elog
+ elog "You should remove these files if you don't plan on reverting"
+ elog "to an older version:"
+ local old_file=
+ for old_file in ${old_files[@]}; do
+ elog " ${old_file}"
+ done
+ fi
+
+ if [ -z "${REPLACING_VERSIONS}" ]; then
+ elog
+ elog "dhcpcd has zeroconf support active by default."
+ elog "This means it will always obtain an IP address even if no"
+ elog "DHCP server can be contacted, which will break any existing"
+ elog "failover support you may have configured in your net configuration."
+ elog "This behaviour can be controlled with the noipv4ll configuration"
+ elog "file option or the -L command line switch."
+ elog "See the dhcpcd and dhcpcd.conf man pages for more details."
+
+ elog
+ elog "Dhcpcd has duid enabled by default, and this may cause issues"
+ elog "with some dhcp servers. For more information, see"
+ elog "https://bugs.gentoo.org/show_bug.cgi?id=477356"
+ fi
+
+ if ! has_version net-dns/bind-tools; then
+ elog
+ elog "If you activate the lookup-hostname hook to look up your hostname"
+ elog "using the dns, you need to install net-dns/bind-tools."
+ fi
+}
diff --git a/net-misc/dhcpcd/files/dhcpcd-7.1.1-v6_read_overflow.patch b/net-misc/dhcpcd/files/dhcpcd-7.1.1-v6_read_overflow.patch
new file mode 100644
index 000000000000..54b559fcd87f
--- /dev/null
+++ b/net-misc/dhcpcd/files/dhcpcd-7.1.1-v6_read_overflow.patch
@@ -0,0 +1,120 @@
+From c1ebeaafeb324bac997984abdcee2d4e8b61a8a8 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Fri, 3 May 2019 14:44:06 +0100
+Subject: DHCPv6: Fix a potential read overflow with D6_OPTION_PD_EXCLUDE
+
+dhcpcd only checks that the prefix length of the exclusion
+matches the prefix length of the ia and equals the length of the
+data in the option.
+This could potentially overrun the in6_addr structure.
+
+This is fixed by enforcing RFC 6603 section 4.2 option limits
+more clearly.
+
+Thanks to Maxime Villard <max@m00nbsd.net> for finding this.
+---
+ src/dhcp6.c | 44 +++++++++++++++++++++-----------------------
+ 1 file changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index dee8d4b6..583f3b3f 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2166,40 +2166,38 @@ dhcp6_findpd(struct interface *ifp, const uint8_t *iaid,
+ state->expire = a->prefix_vltime;
+ i++;
+
+- o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
+ a->prefix_exclude_len = 0;
+ memset(&a->prefix_exclude, 0, sizeof(a->prefix_exclude));
+-#if 0
+- if (ex == NULL) {
+- struct dhcp6_option *w;
+- uint8_t *wp;
+-
+- w = calloc(1, 128);
+- w->len = htons(2);
+- wp = D6_OPTION_DATA(w);
+- *wp++ = 64;
+- *wp++ = 0x78;
+- ex = w;
+- }
+-#endif
++ o = dhcp6_findoption(o, ol, D6_OPTION_PD_EXCLUDE, &ol);
+ if (o == NULL)
+ continue;
+- if (ol < 2) {
+- logerrx("%s: truncated PD Exclude", ifp->name);
++
++ /* RFC 6603 4.2 says option length MUST be between 2 and 17.
++ * This allows 1 octet for prefix length and 16 for the
++ * subnet ID. */
++ if (ol < 2 || ol > 17) {
++ logerrx("%s: invalid PD Exclude option", ifp->name);
+ continue;
+ }
+- a->prefix_exclude_len = *o++;
+- ol--;
+- if (((a->prefix_exclude_len - a->prefix_len - 1) / NBBY) + 1
+- != ol)
+- {
++
++ /* RFC 6603 4.2 says prefix length MUST be between the
++ * length of the IAPREFIX prefix length + 1 and 128. */
++ if (*o < a->prefix_len + 1 || *o > 128) {
++ logerrx("%s: invalid PD Exclude length", ifp->name);
++ continue;
++ }
++
++ /* Check option length matches prefix length. */
++ if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) {
+ logerrx("%s: PD Exclude length mismatch", ifp->name);
+- a->prefix_exclude_len = 0;
+ continue;
+ }
+- nb = a->prefix_len % NBBY;
++
++ a->prefix_exclude_len = *o++;
++ ol--;
+ memcpy(&a->prefix_exclude, &a->prefix,
+ sizeof(a->prefix_exclude));
++ nb = a->prefix_len % NBBY;
+ if (nb)
+ ol--;
+ pw = a->prefix_exclude.s6_addr +
+--
+cgit v1.2.1
+
+From 896ef4a54b0578985e5e1360b141593f1d62837b Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Sat, 4 May 2019 10:19:02 +0100
+Subject: DHCPv6: Fix exclude prefix length check.
+
+---
+ src/dhcp6.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 583f3b3f..7f26129f 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2187,14 +2187,14 @@ dhcp6_findpd(struct interface *ifp, const uint8_t *iaid,
+ continue;
+ }
+
++ ol--;
+ /* Check option length matches prefix length. */
+ if (((*o - a->prefix_len - 1) / NBBY) + 1 != ol) {
+ logerrx("%s: PD Exclude length mismatch", ifp->name);
+ continue;
+ }
+-
+ a->prefix_exclude_len = *o++;
+- ol--;
++
+ memcpy(&a->prefix_exclude, &a->prefix,
+ sizeof(a->prefix_exclude));
+ nb = a->prefix_len % NBBY;
+--
+cgit v1.2.1
+