[Bug 727837] Re: dhcp3-server fails to drop privileges properly
Launchpad Bug Tracker
727837 at bugs.launchpad.net
Tue Jul 3 14:35:17 UTC 2012
This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu1
---------------
isc-dhcp (4.2.4-1ubuntu1) quantal; urgency=low
* Merge from Debian. Remaining changes:
(LP: #768171, LP: #841182, LP: #881558, LP: #872929, LP: #616809)
- Use upstart jobs for isc-dhcp-server and isc-dhcp-relay.
- Add IPv6 support to udeb dhclient-script (forwarded as Debian #635897).
- Add an apport hook to isc-dhcp-client and isc-dhcp-server.
- Add an apparmor profile to isc-dhcp-client and isc-dhcp-server.
- Update default dhclient.conf to ask for IPv6 configuration.
- Patches:
+ dhclient-fix-backoff
+ dhclient-more-debug
+ dhclient-onetry-call-clientscript
+ dhclient-safer-timeout
+ dhcpd.conf-subnet-examples
+ multi-ip-addr-per-if
+ onetry_retry_after_initial_success
+ revert-next-server
* Set fqdn.fqdn to the result of gethostname(); (LP: #991360)
* Replace old droppriv and deroot patches by use of --enable-paranoia
and matching -user and -group parameters to dhcpd. (LP: #727837)
* Allow read access to /etc/dhcp/ddns-keys/* for ddns. (LP: #341817)
It's expected that people generate one key per zone and have it stored
in both /etc/bind9 and /etc/dhcp/ddns-keys/ for security reason.
* Fix apport hook to work with python3.
isc-dhcp (4.2.4-1) unstable; urgency=low
* New upstream release
* debian/control: reformatted Uploaders so that dch doesn't think I'm making
NMUs
* debian/rules: do a clean between the LDAP-enabled build and the
non-LDAP-enabled one, so that no LDAP-related artefacts are accidently
incorporated into the non-LDAP build
* debian/dhclient-script.*: conditionalise the chown/chmod of the new
resolv.conf on the existence of the old one (closes: #595400)
* debian/dhclient-script.linux: comply with RFC 3442 and ignore
the routers option if the rfc3442-classless-static-routes option is present
(closes: #592735)
* debian/dhclient-script.kfreebsd: fix subnet mask handling (closes: #677985)
isc-dhcp (4.2.2.dfsg.1-5) unstable; urgency=medium
[ Andrew Pollock ]
* debian/dhclient.conf: send the hostname (closes: #151820)
[ Michael Gilbert ]
* Fix cve-2011-4868: error in DDNS handling with IPv6 (closes: #655746)
* Fix cve-2011-4539: error in regular expression handling
(closes: #652259)
* Make dependencies diff-able
* Add myself to uploaders
* Remove all automatically generated files in clean rule
* Medium urgency for security updates
isc-dhcp (4.2.2.dfsg.1-4) unstable; urgency=low
* The "Zoe woke up at 4am and I couldn't get back to sleep so I had some
extra time to work on this" release
* patch the Makefile for the embedded BIND libraries so that autoconf is run
so that the modification to configure.in to fix the FTBFS on kFreeBSD
actually does something useful (closes: #643569)
isc-dhcp (4.2.2.dfsg.1-3) unstable; urgency=low
* debian/control: remove transitional packages
* debian/rules: apply the intent of Pierre Chifflier's patch to enable
hardening options (closes: #644413)
* debian/control: also add inetutils-ping to the dependencies for
isc-dhcp-client on hurd (closes: #648140)
* Convert to 3.0 (quilt) source format:
- debian/control: remove build-dep on dpatch
- debian/rules: stop including dpatch.make
- debian/rules: remove dpatch-related target dependencies
- convert patches from dpatch to pure quilt
- remove debian/README.source
* debian/rules: cleaned up the target names a bit to reflect the lack of
patching going on now
* repack bind.tar.gz in upstream source tarball to patch configure.in for
FTBFS on kFreeBSD and remove RFCs (closes: #643569, #645760)
* debian/watch: add dversionmangle to deal with dfsg upstream tarball
* Updated Dutch debconf template translation (closes: #651396)
* Added Polish debconf template translation (closes: #659372)
* Updated Brazilian Portugeuse debconf template translation (closes: #663494)
* debian/control: bumped Standards-Version (no changes)
isc-dhcp (4.2.2-2) unstable; urgency=low
* debian/rules: use dpkg-buildflags to set CFLAGS, and export CFLAGS (closes:
#643470)
* debian/dhclient.conf: revert hostname setting behaviour to something
equivalent to what upstream ships to avoid surprising people with unwanted
hostname changes when changing networks (closes: #648676)
* debian/dhclient-script.kfreebsd: apply patch from Robert Millan to resync
dhclient-script with FreeBSD version (closes: #645502)
* debian/control: add inetutils-ping to the dependencies for isc-dhcp-client
on kfreebsd (closes: #648140)
* Updated German debconf template translation (closes: #641843)
* added harding-wrapper to build dependencies and invoke it in debian/rules
(closes: #611192)
isc-dhcp (4.2.2-1) unstable; urgency=low
* New upstream release, includes security fixes for CVE-2011-2748 and
CVE-2011-2749 (closes: #638404)
* Remove obsolete patches, refit remaining patches
* Remove LDAP patch, it's finally upstream now (yay!)
* debian/rules: adjust double build for the non-existence of the LDAP patch
* debian/isc-dhcp-server-ldap.docs: update for new location of documentation
* debian/rules: added build-arch and build-indep targets
* debian/rules: applied patch from Kees Cook to call dh_link (closes: #614992)
* debian/dhclient-script.linux: applied patch from Colin Watson to make
dhclient-script support stateless DHCPv6 (closes: #632888)
* debian/dhclient-script.linux: fix regression for MTU <= 576 handling
(closes: #638267)
* Apply patch from Peter Marschall to split the rfc3442-classless-routes hook
into a Linux and a kFreeBSD variant, so that the Linux one can use iproute
(closes: #630519)
* debian/isc-dhcp-server.postinst: apply patch from Peter Marschall to
document new variables in /etc/default/isc-dhcp-server
* debian/isc-dhcp-server.init.d: apply patch from Peter Marschall to
- make the name of the default file configurable
- make the name of the server configuration file configurable (closes:
#590158, #565650)
- allow passing additional options to dhcpd (closes: #613734)
- read PID from config file
* Add Catalan debconf template translation (closes: #628372)
* debian/isc-dhcp-client,dhcp3-client}.links: apply patch from Peter
Marschall to move old compatibility links to the old compatibility package
(closes: #614992)
* debian/isc-dhcp-server.postinst: apply patch from Peter Marschall to fix
comment in /etc/default/isc-dhcp-server (closes: #616417)
* debian/control: apply patch from Peter Marschall to add a Provides:
dhcp-client to isc-dhcp-client (closes: #236001)
* debian/dhclient-script.{linux,kfreebsd}: apply patch from Peter Marschall
to fix metric calculation (closes: #629632)
* debian/dhclient-script.linux: apply patches from Peter Marschall to support
IPv6 link-local resolvers
* debian/dhclient-script.{linux,kfreebsd}: applied patch from Peter Marschall
to factor out the hostname setting to a separate function
* debian/dhclient-script.{linux,kfreebsd}: applied patch from Peter Marschall
to harmonize the logic for setting the hostname (closes: #246155)
* apply patch from Peter Marschall to use one common script for the debug
hooks
* debian/rfc3442-classless-routes.{linux,kfreebsd}: applied patch from Peter
Marschall to take care of link-local routes (closes: #521024)
* debian/dhclient-script.*: apply patch from Peter Marschall to use alternate
value expansion
* debian/isc-dhcp-server.postinst: eliminate an error message from sed if no
interfaces are provided
-- Stephane Graber <stgraber at ubuntu.com> Tue, 03 Jul 2012 09:54:00 -0400
** Changed in: isc-dhcp (Ubuntu Quantal)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-2748
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-2749
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/727837
Title:
dhcp3-server fails to drop privileges properly
Status in “dhcp3” package in Ubuntu:
Confirmed
Status in “isc-dhcp” package in Ubuntu:
Fix Released
Status in “dhcp3” source package in Lucid:
Confirmed
Status in “isc-dhcp” source package in Natty:
Confirmed
Status in “isc-dhcp” source package in Oneiric:
New
Status in “isc-dhcp” source package in Precise:
New
Status in “isc-dhcp” source package in Quantal:
Fix Released
Status in “dhcp3” source package in Hardy:
Confirmed
Bug description:
Binary package hint: dhcp3-server
In debian/patches/droppriv.dpatch there is some privilege dropping
code in function drop_privileges(). This fails to drop privileges of
root-group and does not initialize the groups properly.
One can test this by adding:
on commit {
execute("/usr/local/bin/dhcp_group_test");
}
to /etc/dhcp3/dhcpd.conf, and then write
/usr/local/bin/dhcp_group_test to log the output of "id" to some file.
(You may wish to turn apparmor off for this test, but it can be done
with it as well). The output should read:
uid=112(dhcpd) gid=120(dhcpd) groups=0(root)
This means that dhcp will retain the root-group privileges and is
missing other groups that a user may have possibly defined for it.
The fix would be to use either initgroups() or setgroups() function
properly in drop_privileges(). Doing this should also fix this bug:
https://bugs.launchpad.net/ubuntu/+source/dhcp3/+bug/341817
This is:
Description: Ubuntu 10.04.1 LTS
Release: 10.04
dhcp3-server:
Installed: 3.1.3-2ubuntu3
Candidate: 3.1.3-2ubuntu3
Version table:
*** 3.1.3-2ubuntu3 0
500 http://mirror.opinsys.fi/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dhcp3/+bug/727837/+subscriptions
More information about the foundations-bugs
mailing list