diff --git a/debian/changelog b/debian/changelog
index 0010f0fb5902664a6f03a0ba149e2852034dbfaf..a76399eea38db85c01ae0411f07a20ff521e0849 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+isc-dhcp (4.3.3-7) unstable; urgency=medium
+
+ * Migrate to dbgsym debug packages.
+ * Fix spelling error in changelog entry.
+ * Include LDFLAGS in all calls to configure.
+ * Fix relaying return packets (closes: #648401).
+ - Thanks to Steinar H. Gunderson.
+ * Fix cross-architecture building (closes: #812525).
+ - Thanks to Helmut Grohne.
+ * Initialize exit status in dhclient-script (closes: #800914).
+ * Fix CVE-2015-8605: maliciously crafted IPv4 packet can cause any of the
+ running DHCP applications to crash (closes: #810875).
+
+ -- Michael Gilbert <mgilbert@debian.org> Sun, 31 Jan 2016 01:31:59 +0000
+
isc-dhcp (4.3.3-6) experimental; urgency=medium
* Fix missing build flags from the last upload.
@@ -15,7 +30,7 @@ isc-dhcp (4.3.3-5) unstable; urgency=medium
* Add diversions for isc-dhcp-client-ddns (closes: #800749).
* Fix directory output by the debug script (closes: #794770).
* Fix exit code handling in dhclient-script (closes: #692846).
- * Escape parantheses in init script sed command (closes: #771530).
+ * Escape parentheses in init script sed command (closes: #771530).
* Add more IP address detail to dhclient output (closes: #486611).
* Add dhcp6.fqdn and dhcp6.sntp-servers to the default request options.
* Avoid infinite loop caused by misconfigured rfc3442-classless-static-routes
@@ -263,7 +278,7 @@ isc-dhcp (4.2.4-1) unstable; urgency=low
isc-dhcp (4.2.2.dfsg.1-5) unstable; urgency=medium
[ Andrew Pollock ]
- * debian/dhclient.conf: send the hostname (closes: #151820)
+ * debian/dhclient.conf: send the hostname (closes: #151820)
[ Michael Gilbert ]
* Fix cve-2011-4868: error in DDNS handling with IPv6 (closes: #655746)
@@ -339,7 +354,7 @@ isc-dhcp (4.2.2-1) unstable; urgency=low
* debian/rules: added build-arch and build-indep targets
* debian/rules: applied patch from Kees Cook to call dh_link (closes: #614992)
* debian/dhclient-script.linux: applied patch from Colin Watson to make
- dhclient-script support stateless DHCPv6 (closes: #632888)
+ dhclient-script support stateless DHCPv6 (closes: #632888)
* debian/dhclient-script.linux: fix regression for MTU <= 576 handling
(closes: #638267)
* Apply patch from Peter Marschall to split the rfc3442-classless-routes hook
@@ -376,7 +391,7 @@ isc-dhcp (4.2.2-1) unstable; urgency=low
* debian/dhclient-script.*: apply patch from Peter Marschall to use alternate
value expansion
* debian/isc-dhcp-server.postinst: eliminate an error message from sed if no
- interfaces are provided
+ interfaces are provided
-- Andrew Pollock <apollock@debian.org> Sun, 28 Aug 2011 22:12:21 -0700
@@ -391,7 +406,7 @@ isc-dhcp (4.1.1-P1-17) unstable; urgency=low
* Incorporate and acknowledge NMU
* Apply a multitude of patches from Peter Marschall (closes: #609408)
- - fix domain_name in domain_search check in dhclient-script
+ - fix domain_name in domain_search check in dhclient-script
(closes: #567141)
- fix indentation in dhclient-script to improve readability
- remove bashisms from dhclient-script
diff --git a/debian/control b/debian/control
index 87e4d6f4f092952f21af60324fed8cd73952a69b..deaa8c3b441f47bc37fbdf9354223a86c8fdc5ce 100644
--- a/debian/control
+++ b/debian/control
@@ -7,15 +7,15 @@ Vcs-Git: git://anonscm.debian.org/pkg-dhcp/isc-dhcp.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-dhcp/isc-dhcp.git;a=summary
Homepage: http://www.isc.org
Build-Depends:
+ dpkg-dev (>= 1.13.2),
+ debhelper (>= 9.20151220),
+ dh-autoreconf,
groff,
pkg-config,
po-debconf,
libssl-dev,
libldap2-dev,
libbind-export-dev (>= 1:9.9.5.dfsg-4.3),
- dh-autoreconf,
- debhelper (>= 9),
- dpkg-dev (>= 1.13.2),
Standards-Version: 3.9.6
Package: isc-dhcp-server
@@ -48,24 +48,6 @@ Description: ISC DHCP server for automatic IP address assignment
.
This server can handle multiple ethernet interfaces.
-Package: isc-dhcp-dbg
-Section: debug
-Priority: extra
-Architecture: any
-Depends:
- ${misc:Depends},
- debianutils (>= 2.8.2),
- lsb-base,
- isc-dhcp-client (= ${binary:Version}) | isc-dhcp-server (= ${binary:Version}) | isc-dhcp-relay (= ${binary:Version}),
-Replaces:
- isc-dhcp-client-dbg (<< 4.3.0a1),
- isc-dhcp-server-dbg (<< 4.3.0a1),
- isc-dhcp-relay-dbg (<< 4.3.0a1),
-Description: ISC DHCP server for automatic IP address assignment (debuging symbols)
- This are debugging symbols for the Internet Software Consortium's DHCP tools.
- .
- This package contains the debugging symbols for isc-dhcp.
-
Package: isc-dhcp-server-ldap
Priority: optional
Architecture: any
diff --git a/debian/dhclient-script.linux b/debian/dhclient-script.linux
index 1e71f96cab5690685a302649c6f3b0d138a548e1..4eabdd5737287ca5266c6573552159ba558383df 100644
--- a/debian/dhclient-script.linux
+++ b/debian/dhclient-script.linux
@@ -126,9 +126,8 @@ run_hook() {
# run scripts in given directory
run_hookdir() {
- local dir
- local exit_status
- dir="$1"
+ local dir="$1"
+ local exit_status=0
if [ -d "$dir" ]; then
for script in $(run-parts --list $dir); do
diff --git a/debian/patches/CVE-2015-8605.patch b/debian/patches/CVE-2015-8605.patch
new file mode 100644
index 0000000000000000000000000000000000000000..53ba221cb70727116d1c3f9061a90811d5133066
--- /dev/null
+++ b/debian/patches/CVE-2015-8605.patch
@@ -0,0 +1,91 @@
+description: fix remotely triggered crash
+author: ISC
+
+--- a/common/packet.c
++++ b/common/packet.c
+@@ -220,7 +220,28 @@ ssize_t decode_hw_header (interface, buf
+ }
+ }
+
+-/* UDP header and IP header decoded together for convenience. */
++/*!
++ *
++ * \brief UDP header and IP header decoded together for convenience.
++ *
++ * Attempt to decode the UDP and IP headers and, if necessary, checksum
++ * the packet.
++ *
++ * \param inteface - the interface on which the packet was recevied
++ * \param buf - a pointer to the buffer for the received packet
++ * \param bufix - where to start processing the buffer, previous
++ * routines may have processed parts of the buffer already
++ * \param from - space to return the address of the packet sender
++ * \param buflen - remaining length of the buffer, this will have been
++ * decremented by bufix by the caller
++ * \param rbuflen - space to return the length of the payload from the udp
++ * header
++ * \param csum_ready - indication if the checksum is valid for use
++ * non-zero indicates the checksum should be validated
++ *
++ * \return - the index to the first byte of the udp payload (that is the
++ * start of the DHCP packet
++ */
+
+ ssize_t
+ decode_udp_ip_header(struct interface_info *interface,
+@@ -231,7 +252,7 @@ decode_udp_ip_header(struct interface_in
+ unsigned char *data;
+ struct ip ip;
+ struct udphdr udp;
+- unsigned char *upp, *endbuf;
++ unsigned char *upp;
+ u_int32_t ip_len, ulen, pkt_len;
+ static unsigned int ip_packets_seen = 0;
+ static unsigned int ip_packets_bad_checksum = 0;
+@@ -241,11 +262,8 @@ decode_udp_ip_header(struct interface_in
+ static unsigned int udp_packets_length_overflow = 0;
+ unsigned len;
+
+- /* Designate the end of the input buffer for bounds checks. */
+- endbuf = buf + bufix + buflen;
+-
+ /* Assure there is at least an IP header there. */
+- if ((buf + bufix + sizeof(ip)) > endbuf)
++ if (sizeof(ip) > buflen)
+ return -1;
+
+ /* Copy the IP header into a stack aligned structure for inspection.
+@@ -257,13 +275,17 @@ decode_udp_ip_header(struct interface_in
+ ip_len = (*upp & 0x0f) << 2;
+ upp += ip_len;
+
+- /* Check the IP packet length. */
++ /* Check packet lengths are within the buffer:
++ * first the ip header (ip_len)
++ * then the packet length from the ip header (pkt_len)
++ * then the udp header (ip_len + sizeof(udp)
++ * We are liberal in what we accept, the udp payload should fit within
++ * pkt_len, but we only check against the full buffer size.
++ */
+ pkt_len = ntohs(ip.ip_len);
+- if (pkt_len > buflen)
+- return -1;
+-
+- /* Assure after ip_len bytes that there is enough room for a UDP header. */
+- if ((upp + sizeof(udp)) > endbuf)
++ if ((ip_len > buflen) ||
++ (pkt_len > buflen) ||
++ ((ip_len + sizeof(udp)) > buflen))
+ return -1;
+
+ /* Copy the UDP header into a stack aligned structure for inspection. */
+@@ -284,7 +306,8 @@ decode_udp_ip_header(struct interface_in
+ return -1;
+
+ udp_packets_length_checked++;
+- if ((upp + ulen) > endbuf) {
++ /* verify that the payload length from the udp packet fits in the buffer */
++ if ((ip_len + ulen) > buflen) {
+ udp_packets_length_overflow++;
+ if (((udp_packets_length_checked > 4) &&
+ (udp_packets_length_overflow != 0)) &&
diff --git a/debian/patches/dhcrelay-listen.patch b/debian/patches/dhcrelay-listen.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7495cd8f789bd16df74f4df2bf65ae07291ebbc6
--- /dev/null
+++ b/debian/patches/dhcrelay-listen.patch
@@ -0,0 +1,31 @@
+description: fix relaying of return packets
+author: Steinar H. Gunderson <sgunderson@bigfoot.com>
+
+--- a/common/discover.c
++++ b/common/discover.c
+@@ -1102,9 +1102,9 @@ discover_interfaces(int state) {
+ INTERFACE_REQUESTED);
+
+ #ifdef DHCPv6
+- if (!(tmp->flags & INTERFACE_REQUESTED)) {
++ if (!(tmp->flags & INTERFACE_REQUESTED) && state != DISCOVER_RELAY) {
+ #else
+- if (!tmp -> ifp || !(tmp -> flags & INTERFACE_REQUESTED)) {
++ if (!tmp -> ifp || (!(tmp -> flags & INTERFACE_REQUESTED) && state != DISCOVER_RELAY)) {
+ #endif /* DHCPv6 */
+ if ((tmp -> flags & INTERFACE_REQUESTED) != ir)
+ log_fatal ("%s: not found", tmp -> name);
+--- a/relay/dhcrelay.c
++++ b/relay/dhcrelay.c
+@@ -705,6 +705,11 @@ do_relay4(struct interface_info *ip, str
+ if (out)
+ return;
+
++ /* If this is not a BOOTREPLY, and it is not on a requested interface,
++ * drop it. */
++ if (!(ip->flags & INTERFACE_REQUESTED))
++ return;
++
+ /* Add relay agent options if indicated. If something goes wrong,
+ drop the packet. */
+ if (!(length = add_relay_agent_options(ip, packet, length,
diff --git a/debian/patches/series b/debian/patches/series
index 6e54a4d6e0ff29b836594a31bae580826869178c..745727380b4216c3f16c6fbadeb66f6ca211d17c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,7 @@ dhclient-exit-hook.patch
dhclient-dividebyzero.patch
dhclient-64bit-time.patch
dhclient-more-detail.patch
+dhcrelay-listen.patch
fix-exit-hook-manpage.patch
spelling-error.patch
@@ -11,3 +12,5 @@ manpage-hyphens.patch
disable-nsupdate.patch
system-bind.patch
+
+CVE-2015-8605.patch
diff --git a/debian/rules b/debian/rules
index 418471647d163e3890a641fb78ccb332bf87292b..6c4480a1764304b7a6e7f04772e0d8e4cdb5a82b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -27,9 +27,7 @@ CONFFLAGS=--prefix=/usr --enable-log-pid --enable-paranoia
# cross-architecture building
ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
-CROSS=CC=$(DEB_HOST_GNU_TYPE)-gcc
-else
-CROSS=
+CONFFLAGS+=--build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE)
endif
# hurd support
@@ -46,18 +44,18 @@ override_dh_auto_configure:
override_dh_auto_build:
# ldap-enabled build
test -f Makefile && $(MAKE) distclean || true
- ./configure --with-ldap --with-ldapcrypto CFLAGS="$(CFLAGS) -DNSUPDATE" LDFLAGS="-lirs-export" $(CONFFLAGS)
- $(MAKE) $(CROSS)
+ ./configure --with-ldap --with-ldapcrypto CFLAGS="$(CFLAGS) -DNSUPDATE" LDFLAGS="-lirs-export $(LDFLAGS)" $(CONFFLAGS)
+ $(MAKE)
mv server/dhcpd dhcpd
# ddns-disabled build
test -f Makefile && $(MAKE) distclean || true
./configure CFLAGS="$(CFLAGS)" $(CONFFLAGS)
- $(MAKE) $(CROSS)
+ $(MAKE)
mv client/dhclient dhclient
# ldap-disabled build
test -f Makefile && $(MAKE) distclean || true
- ./configure CFLAGS="$(CFLAGS) -DNSUPDATE" LDFLAGS="-lirs-export" $(CONFFLAGS)
- $(MAKE) $(CROSS)
+ ./configure CFLAGS="$(CFLAGS) -DNSUPDATE" LDFLAGS="-lirs-export $(LDFLAGS)" $(CONFFLAGS)
+ $(MAKE)
override_dh_install:
dh_install
@@ -82,4 +80,5 @@ override_dh_installinit:
dh_installinit -pisc-dhcp-server --error-handler=true
override_dh_strip:
- dh_strip --dbg-package=isc-dhcp-dbg
+ # this can be removed once stretch is released
+ dh_strip --ddeb-migration='isc-dhcp-dbg (<< 4.3.3-7~)'