Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge branch 'IZh/systemd-jb43667'
[systemd] Fix for CVE-2018-15688 in DHCP6 client. Fixes JB#43667

See merge request 14
  • Loading branch information
Marko Kenttälä committed Jan 8, 2019
2 parents 38ff544 + 76d635e commit 073f3b7
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 0 deletions.
32 changes: 32 additions & 0 deletions rpm/systemd-239-dhcp6-client-CVE-2018-15688-fix.patch
@@ -0,0 +1,32 @@
From 4dac5eaba4e419b29c97da38a8b1f82336c2c892 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 19 Oct 2018 12:12:33 +0200
Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option
header

Fixes a vulnerability originally discovered by Felix Wilhelm from
Google.

CVE-2018-15688
LP: #1795921
https://bugzilla.redhat.com/show_bug.cgi?id=1639067
---
src/libsystemd-network/dhcp6-option.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
index cbd4bc7..2806415 100644
--- a/src/libsystemd-network/dhcp6-option.c
+++ b/src/libsystemd-network/dhcp6-option.c
@@ -106,7 +106,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, const DHCP6IA *ia) {
return -EINVAL;
}

- if (*buflen < len)
+ if (*buflen < offsetof(DHCP6Option, data) + len)
return -ENOBUFS;

ia_hdr = *buf;
--
2.1.4

3 changes: 3 additions & 0 deletions rpm/systemd.spec
Expand Up @@ -42,6 +42,7 @@ Patch28: systemd-backport-when-deserializing-always-use-read_line.patch
Patch29: systemd-backport-enforce-a-limit-on-status-texts-recvd-from-services.patch
Patch30: systemd-backport-fix-deserialization-of-dev_t.patch
Patch31: systemd-backport-rework-serialization.patch
Patch32: systemd-239-dhcp6-client-CVE-2018-15688-fix.patch

BuildRequires: libcap-devel
BuildRequires: libmount-devel
Expand Down Expand Up @@ -210,6 +211,8 @@ This package includes tests for systemd.
%patch29 -p1
%patch30 -p1
%patch31 -p1
# DHCP6 client CVE-2018-15688 fix
%patch32 -p1

%build
./autogen.sh
Expand Down

0 comments on commit 073f3b7

Please sign in to comment.