diff --git a/dnsmasq-2.48-tftp-server-vulnerabilities.patch b/dnsmasq-2.48-tftp-server-vulnerabilities.patch
new file mode 100644
index 0000000..71b5f4f
--- /dev/null
+++ b/dnsmasq-2.48-tftp-server-vulnerabilities.patch
@@ -0,0 +1,69 @@
+diff -up dnsmasq-2.48/src/tftp.c.tftp-server-vulnerabilities dnsmasq-2.48/src/tftp.c
+--- dnsmasq-2.48/src/tftp.c.tftp-server-vulnerabilities 2009-10-05 11:15:10.104555320 +0100
++++ dnsmasq-2.48/src/tftp.c 2009-10-05 11:15:12.104564277 +0100
+@@ -192,20 +192,21 @@ void tftp_request(struct listener *liste
+
+ while ((opt = next(&p, end)))
+ {
+- if (strcasecmp(opt, "blksize") == 0 &&
+- (opt = next(&p, end)) &&
+- !(daemon->options & OPT_TFTP_NOBLOCK))
++ if (strcasecmp(opt, "blksize") == 0)
+ {
+- transfer->blocksize = atoi(opt);
+- if (transfer->blocksize < 1)
+- transfer->blocksize = 1;
+- if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
+- transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
+- transfer->opt_blocksize = 1;
+- transfer->block = 0;
++ if ((opt = next(&p, end)) &&
++ !(daemon->options & OPT_TFTP_NOBLOCK))
++ {
++ transfer->blocksize = atoi(opt);
++ if (transfer->blocksize < 1)
++ transfer->blocksize = 1;
++ if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
++ transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
++ transfer->opt_blocksize = 1;
++ transfer->block = 0;
++ }
+ }
+-
+- if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
++ else if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !transfer->netascii)
+ {
+ transfer->opt_transize = 1;
+ transfer->block = 0;
+@@ -217,17 +218,17 @@ void tftp_request(struct listener *liste
+ {
+ if (daemon->tftp_prefix[0] == '/')
+ daemon->namebuff[0] = 0;
+- strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
++ strncat(daemon->namebuff, daemon->tftp_prefix, (MAXDNAME-1) - strlen(daemon->namebuff));
+ if (daemon->tftp_prefix[strlen(daemon->tftp_prefix)-1] != '/')
+- strncat(daemon->namebuff, "/", MAXDNAME);
++ strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
+
+ if (daemon->options & OPT_TFTP_APREF)
+ {
+ size_t oldlen = strlen(daemon->namebuff);
+ struct stat statbuf;
+
+- strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), MAXDNAME);
+- strncat(daemon->namebuff, "/", MAXDNAME);
++ strncat(daemon->namebuff, inet_ntoa(peer.sin_addr), (MAXDNAME-1) - strlen(daemon->namebuff));
++ strncat(daemon->namebuff, "/", (MAXDNAME-1) - strlen(daemon->namebuff));
+
+ /* remove unique-directory if it doesn't exist */
+ if (stat(daemon->namebuff, &statbuf) == -1 || !S_ISDIR(statbuf.st_mode))
+@@ -245,8 +246,7 @@ void tftp_request(struct listener *liste
+ }
+ else if (filename[0] == '/')
+ daemon->namebuff[0] = 0;
+- strncat(daemon->namebuff, filename, MAXDNAME);
+- daemon->namebuff[MAXDNAME-1] = 0;
++ strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff));
+
+ /* check permissions and open file */
+ if ((transfer->file = check_tftp_fileperm(&len)))
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 3a217c7..f3cdd8d 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -11,7 +11,7 @@ Name: dnsmasq Version: 2.48 -Release: 3%{?extraversion}%{?dist} +Release: 4%{?extraversion}%{?dist} Summary: A lightweight DHCP/caching DNS server Group: System Environment/Daemons
@@ -20,6 +20,7 @@ URL: http://www.thekelleys.org.uk/dnsmasq/ Source0: http://www.thekelleys.org.uk/dnsmasq/%{?extrapath}%{name}-%{version}%{?extraversion}.tar.lzma Patch0: %{name}-2.33-initscript.patch Patch1: %{name}-configuration.patch +Patch2: %{name}-2.48-tftp-server-vulnerabilities.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: dbus-devel
@@ -46,6 +47,7 @@ machines. %setup -q -n %{name}-%{version}%{?extraversion} %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build make %{?_smp_mflags}
@@ -109,6 +111,9 @@ fi %changelog +* Mon Oct 5 2009 Mark McLoughlin - 2.48-4 +- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958) + * Wed Aug 12 2009 Ville Skyttä - 2.48-3 - Use lzma compressed upstream tarball.
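Review bot: The new `strncat(daemon->namebuff, filename, (MAXDNAME-1) - strlen(daemon->namebuff))` call, and the four prefix and peer-address `strncat` calls before it, truncate silently, so an over-long request still reaches `check_tftp_fileperm` with a shortened path that names something other than what the client asked for. I would compare lengths before appending and refuse the request when it does not fit, e.g. `if (strlen(daemon->namebuff) + strlen(filename) > MAXDNAME-1)` followed by the function's existing error path, which lies outside these hunks. The bound is also computed in `size_t`, so it would wrap to a very large count if `namebuff` ever held more than MAXDNAME-1 characters on entry; that presumably cannot happen given the buffer's size, but a one-line comment such as `/* namebuff holds at least MAXDNAME bytes and is always NUL-terminated here */` would make the arithmetic checkable. `tftp_request` starts and ends outside the patched hunks, so the contents of `namebuff` on entry cannot be confirmed from this page.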