~ubuntu-branches/ubuntu/lucid/dhcp3/lucid-security

Viewing changes to debian/patches/CVE-2011-0997.dpatch

Committer: Bazaar Package Importer
Author(s): Marc Deslauriers
Date: 2011-04-11 08:57:21 UTC
Revision ID: james.westby@ubuntu.com-20110411085721-5obw79petr0y045e

Tags: 3.1.3-2ubuntu3.1

* SECURITY UPDATE: arbitrary code execution via crafted hostname
  - debian/patches/CVE-2011-0997.dpatch: filter strings in
    client/dhclient.c, common/options.c.
  - CVE-2011-0997

files added:
debian/patches/CVE-2011-0997.dpatch

files modified:
debian/changelog

debian/control

debian/patches/00list

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2011-0997.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run

# Description: fix arbitrary code execution via crafted hostname

# Author: Marius Tomaschewski

# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621099

@DPATCH@

diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' dhcp3-3.1.3~/client/dhclient.c dhcp3-3.1.3/client/dhclient.c

--- dhcp3-3.1.3~/client/dhclient.c 2011-04-11 08:57:02.976060280 -0400

+++ dhcp3-3.1.3/client/dhclient.c 2011-04-11 08:57:16.536060277 -0400

@@ -77,6 +77,11 @@

int quiet=0;

int nowait=0;

+static int check_domain_name(const char *ptr, size_t len, int dots);

+static int check_domain_name_list(const char *ptr, size_t len, int dots);

+static int check_option_values(struct universe *universe, unsigned int opt,

+ const char *ptr, size_t len);

static void usage PROTO ((void));

int main (argc, argv, envp)

@@ -2524,13 +2529,23 @@

if (data.len) {

char name [256];

if (dhcp_option_ev_name (name, sizeof name,

- oc -> option)) {

- client_envadd (es -> client, es -> prefix,

- name, "%s",

- (pretty_print_option

- (oc -> option,

- data.data, data.len,

- 0, 0)));

+ oc->option)) {

+ const char *value;

+ value = pretty_print_option(oc->option,

+ data.data,

+ data.len, 0, 0);

+ size_t length = strlen(value);

+ if (check_option_values(oc->option->universe,

+ oc->option->code,

+ value, length) == 0) {

+ client_envadd(es->client, es->prefix,

+ name, "%s", value);

+ } else {

+ log_error("suspect value in %s "

+ "option - discarded",

+ name);

+ }

data_string_forget (&data, MDL);

}

@@ -2610,12 +2625,32 @@

data_string_forget (&data, MDL);

}

- if (lease -> filename)

- client_envadd (client,

- prefix, "filename", "%s", lease -> filename);

- if (lease -> server_name)

- client_envadd (client, prefix, "server_name",

- "%s", lease -> server_name);

+ if (lease->filename) {

+ if (check_option_values(NULL, DHO_ROOT_PATH,

+ lease->filename,

+ strlen(lease->filename)) == 0) {

+ client_envadd(client, prefix, "filename",

+ "%s", lease->filename);

+ } else {

+ log_error("suspect value in %s "

+ "option - discarded",

+ "filename");

+ }

+ if (lease->server_name) {

+ if (check_option_values(NULL, DHO_HOST_NAME,

+ lease->server_name,

+ strlen(lease->server_name)) == 0 ) {

+ client_envadd (client, prefix, "server_name",

+ "%s", lease->server_name);

+ } else {

+ log_error("suspect value in %s "

+ "option - discarded",

+ "server_name");

+ }

for (i = 0; i < lease -> options -> universe_count; i++) {

option_space_foreach ((struct packet *)0, (struct lease *)0,

@@ -3239,3 +3274,112 @@

data_string_forget (&ddns_dhcid, MDL);

return rcode;

}

+/*

+ * The following routines are used to check that certain

+ * strings are reasonable before we pass them to the scripts.

100

+ * This avoids some problems with scripts treating the strings

101

+ * as commands - see ticket 23722

102

+ * The domain checking code should be done as part of assembling

103

+ * the string but we are doing it here for now due to time

104

+ * constraints.

105

+ */

106

107

+static int check_domain_name(const char *ptr, size_t len, int dots)

108

109

+ const char *p;

110

111

+ /* not empty or complete length not over 255 characters */

112

+ if ((len == 0) || (len > 256))

113

+ return(-1);

114

115

+ /* consists of [[:alnum:]-]+ labels separated by [.] */

116

+ /* a [_] is against RFC but seems to be "widely used"... */

117

+ for (p=ptr; (*p != 0) && (len-- > 0); p++) {

118

+ if ((*p == '-') || (*p == '_')) {

119

+ /* not allowed at begin or end of a label */

120

+ if (((p - ptr) == 0) || (len == 0) || (p[1] == '.'))

121

+ return(-1);

122

+ } else if (*p == '.') {

123

+ /* each label has to be 1-63 characters;

124

+ we allow [.] at the end ('foo.bar.') */

125

+ size_t d = p - ptr;

126

+ if ((d <= 0) || (d >= 64))

127

+ return(-1);

128

+ ptr = p + 1; /* jump to the next label */

129

+ if ((dots > 0) && (len > 0))

130

+ dots--;

131

+ } else if (isalnum((unsigned char)*p) == 0) {

132

+ /* also numbers at the begin are fine */

133

+ return(-1);

134

+ }

135

+ }

136

+ return(dots ? -1 : 0);

137

138

139

+static int check_domain_name_list(const char *ptr, size_t len, int dots)

140

141

+ const char *p;

142

+ int ret = -1; /* at least one needed */

143

144

+ if ((ptr == NULL) || (len == 0))

145

+ return(-1);

146

147

+ for (p=ptr; (*p != 0) && (len > 0); p++, len--) {

148

+ if (*p != ' ')

149

+ continue;

150

+ if (p > ptr) {

151

+ if (check_domain_name(ptr, p - ptr, dots) != 0)

152

+ return(-1);

153

+ ret = 0;

154

+ }

155

+ ptr = p + 1;

156

+ }

157

+ if (p > ptr)

158

+ return(check_domain_name(ptr, p - ptr, dots));

159

+ else

160

+ return(ret);

161

162

163

+static int check_option_values(struct universe *universe,

164

+ unsigned int opt,

165

+ const char *ptr,

166

+ size_t len)

167

168

+ if (ptr == NULL)

169

+ return(-1);

170

171

+ /* just reject options we want to protect, will be escaped anyway */

172

+ if ((universe == NULL) || (universe == &dhcp_universe)) {

173

+ switch(opt) {

174

+ case DHO_HOST_NAME:

175

+ case DHO_NIS_DOMAIN:

176

+ case DHO_NETBIOS_SCOPE:

177

+ return check_domain_name(ptr, len, 0);

178

+ break;

179

+ case DHO_DOMAIN_NAME: /* accept a list for compatibiliy */

180

+ return check_domain_name_list(ptr, len, 0);

181

+ break;

182

+ case DHO_ROOT_PATH:

183

+ if (len == 0)

184

+ return(-1);

185

+ for (; (*ptr != 0) && (len-- > 0); ptr++) {

186

+ if(!(isalnum((unsigned char)*ptr) ||

187

+ *ptr == '#' || *ptr == '%' ||

188

+ *ptr == '+' || *ptr == '-' ||

189

+ *ptr == '_' || *ptr == ':' ||

190

+ *ptr == '.' || *ptr == ',' ||

191

+ *ptr == '@' || *ptr == '~' ||

192

+ *ptr == '\\' || *ptr == '/' ||

193

+ *ptr == '[' || *ptr == ']' ||

194

+ *ptr == '=' || *ptr == ' '))

195

+ return(-1);

196

+ }

197

+ return(0);

198

+ break;

199

+ }

200

+ }

201

202

+ return(0);

203

204

205

diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' dhcp3-3.1.3~/common/options.c dhcp3-3.1.3/common/options.c

206

--- dhcp3-3.1.3~/common/options.c 2011-04-11 08:57:02.966060280 -0400

207

+++ dhcp3-3.1.3/common/options.c 2011-04-11 08:57:16.536060277 -0400

208

@@ -2951,7 +2951,8 @@

209

count += 4;

210

}

211

} else if (**src == '"' || **src == '\'' || **src == '$' ||

212

- **src == '`' || **src == '\\') {

213

+ **src == '`' || **src == '\\' || **src == '|' ||

214

+ **src == '&') {

215

if (*dst + 2 > dend)

216

return -1;

217

Older »