!102 IAID is output has hexe if it contains '\' or '"'

From: @renmingshuai 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan

IAID-is-output-has-hexe-if-it-contains-or.patch

@@ -0,0 +1,46 @@
+From fb971ee6b5403c21e64fa66c8711f688f763518c Mon Sep 17 00:00:00 2001
+From: renmingshuai <renmingshuai@huawei.com>
+Date: Sat, 20 Jan 2024 02:51:53 +0000
+Subject: [PATCH] IAID is output has hexe if it contains '\' or '"'
+
+Signed-off-by: renmingshuai <renmingshuai@huawei.com>
+---
+ client/dhclient.conf.5 | 6 +++---
+ common/print.c         | 4 +++-
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/client/dhclient.conf.5 b/client/dhclient.conf.5
+index 566a881..2e2dc56 100644
+--- a/client/dhclient.conf.5
++++ b/client/dhclient.conf.5
+@@ -617,9 +617,9 @@ pairs, separated by colons.
+ Currently, the values written out based on lease-id-format are the default-duid
+ and the IAID value (DHCPv6 only).  The client automatically reads the values
+ in either format.  Note that when the format is octal, rather than as an octal
+-string, IAID is output as hex if it contains no printable characters or as a
+-string if contains only printable characters. This is done to maintain backward
+-compatibility.
++string, IAID is output as hex if it contains special character '"', '\' or
++no printable characters, or as a string if contains only printable characters.
++This is done to maintain backward compatibility.
+ .PP
+  \fBreject \fIcidr-ip-address\fR [\fB,\fR \fI...\fB \fIcidr-ip-address\fR ] \fB;\fR
+ .PP
+diff --git a/common/print.c b/common/print.c
+index b42e7bc..6835eb1 100644
+--- a/common/print.c
++++ b/common/print.c
+@@ -427,7 +427,9 @@ void print_hex_or_string (len, data, limit, buf)
+ 		return;
+ 
+ 	for (i = 0; (i < (limit - 3)) && (i < len); i++) {
+-		if (!isascii(data[i]) || !isprint(data[i])) {
++		/* print as hex if the characters contain '"' or '\' */
++		if (!isascii(data[i]) || !isprint(data[i]) ||
++		    (data[i] == '"' || data[i] == '\\')) {
+ 			print_hex_only(len, data, limit, buf);
+ 			return;
+ 		}
+-- 
+2.33.0
+

Revert-correcting-the-logic-in-dhclient.patch

@@ -0,0 +1,67 @@
+From dbb9d0302f7f5009a871844d6648ea131a3df6b4 Mon Sep 17 00:00:00 2001
+From: renmingshuai <renmingshuai@huawei.com>
+Date: Thu, 29 Jun 2023 10:04:49 +0800
+Subject: [PATCH] revert the correction about the logic in dhclient
+
+Reference:https://gitlab.isc.org/isc-projects/dhcp/-/commit/33e517615f8467a005de2ca2633f52bad323ec2b
+          https://gitlab.isc.org/isc-projects/dhcp/-/commit/e180ae075ecc989b6b75202d58363f96a8ce0167
+---
+ RELNOTES          |  4 ----
+ client/dhclient.c | 19 +++++--------------
+ 2 files changed, 5 insertions(+), 18 deletions(-)
+
+diff --git a/RELNOTES b/RELNOTES
+index 64d45b2..54ad022 100644
+--- a/RELNOTES
++++ b/RELNOTES
+@@ -51,10 +51,6 @@ by Eric Young (eay@cryptsoft.com).
+ - Minor corrections were made to allow compilation under gcc 10.
+   [GitLab #117]
+ 
+-- The logic in dhclient that causes it to decline DHCPv4 leases if the
+-  client script exits abnormally (i.e. crashes) has been corrected.
+-  [GitLab #123]
+-
+ - The limit on the size of a lease file that can be loaded at startup
+   is now only enforced on 32-bit systems.
+   [GitLab #92]
+diff --git a/client/dhclient.c b/client/dhclient.c
+index d20ba66..d39cb5c 100644
+--- a/client/dhclient.c
++++ b/client/dhclient.c
+@@ -2106,12 +2106,9 @@ void bind_lease (client)
+ 		script_write_params(client, "alias_", client->alias);
+ 
+ 	/* If the BOUND/RENEW code detects another machine using the
+-	   offered address, then per our man page it should exit with
+-       a non-zero status, to which we send a DHCPDECLINE and toss
+-       the lease. A return value of less than zero indicates
+-       the script crashed (e.g. segfault) which script_go will log
+-       but we will ignore here. */
+-	if (script_go(client) > 0)  {
++          offered address, it exits nonzero. We need to send a
++          DHCPDECLINE and toss the lease. */
++	if (script_go(client))  {
+ 		make_decline(client, client->new);
+ 		send_decline(client);
+ 		destroy_client_lease(client->new);
+@@ -5184,14 +5181,8 @@ int script_go(struct client_state *client)
+ 	}
+ 	dfree (envp, MDL);
+ 	gettimeofday(&cur_tv, NULL);
+-
+-    if (!WIFEXITED(wstatus)) {
+-        int sigval = WTERMSIG(wstatus);
+-        log_error ("script_go script: %s was terminated by signal %d", scriptName, sigval);
+-        return  (-sigval);
+-    }
+-
+-    return (WEXITSTATUS(wstatus));
++    return (WIFEXITED (wstatus) ?
++            WEXITSTATUS (wstatus) : -WTERMSIG (wstatus));
+ }
+ 
+ void client_envadd (struct client_state *client,
+-- 
+2.23.0
+

backport-0001-change-bug-url.patch

@@ -1,79 +0,0 @@
-Reference: https://src.fedoraproject.org/rpms/dhcp/blob/rawhide/f/0001-change-bug-url.patch
-From 23dfbc560028bf7429196db1a3826f8b80c19d3e Mon Sep 17 00:00:00 2001
-From: Pavel Zhukov <pzhukov@redhat.com>
-Date: Thu, 21 Feb 2019 10:09:57 +0100
-Subject: [PATCH 01/26] change bug url
-Cc: pzhukov@redhat.com
-
----
- omapip/errwarn.c | 47 ++++++++++++++++++++++++++++++++++++++++++-----
- 1 file changed, 42 insertions(+), 5 deletions(-)
-
-diff --git a/omapip/errwarn.c b/omapip/errwarn.c
-index e30f8a0..09a3004 100644
---- a/omapip/errwarn.c
-+++ b/omapip/errwarn.c
-@@ -48,6 +48,41 @@ void (*log_cleanup) (void);
- static char mbuf [CVT_BUF_MAX + 1];
- static char fbuf [CVT_BUF_MAX + 1];
- 
-+// get BUG_REPORT_URL from /etc/os-release
-+char * bug_report_url(void) {
-+    FILE * file = fopen("/etc/os-release", "r");
-+    size_t len;
-+    char * line = NULL;
-+    char * url = NULL;
-+    size_t url_len = 256;
-+
-+    url = (char *) malloc(url_len * sizeof(char));
-+    strcpy(url, "https://bugzilla.redhat.com/");
-+
-+    if (!file)
-+        return url;
-+
-+    while ((getline(&line, &len, file)) != -1) {
-+        if (strstr(line, "BUG_REPORT_URL") != NULL) {
-+            char * start = strchr(line, '=');
-+            char * rquotes = strrchr(line, '"');
-+
-+            if (rquotes != NULL) {
-+                *rquotes = '\0';
-+                strncpy(url, start+2, url_len);
-+            } else {
-+                strncpy(url, start+1, url_len);
-+            }
-+            url[url_len-1] = '\0';
-+            fclose(file);
-+            return url;
-+        }
-+    }
-+    fclose(file);
-+    return url;
-+}
-+
-+
- /* Log an error message, then exit... */
- 
- void log_fatal (const char * fmt, ... )
-@@ -74,11 +109,13 @@ void log_fatal (const char * fmt, ... )
-   }
- 
-   log_error ("%s", "");
--  log_error ("If you think you have received this message due to a bug rather");
--  log_error ("than a configuration issue please read the section on submitting");
--  log_error ("bugs on either our web page at www.isc.org or in the README file");
--  log_error ("before submitting a bug.  These pages explain the proper");
--  log_error ("process and the information we find helpful for debugging.");
-+  log_error ("This version of ISC DHCP is based on the release available");
-+  log_error ("on ftp.isc.org. Features have been added and other changes");
-+  log_error ("have been made to the base software release in order to make");
-+  log_error ("it work better with this distribution.");
-+  log_error ("%s", "");
-+  log_error ("Please report issues with this software via: ");
-+  log_error ("%s", bug_report_url());
-   log_error ("%s", "");
-   log_error ("exiting.");
- 
--- 
-2.14.5
-

backport-CVE-2022-2795.patch

@@ -0,0 +1,39 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0001-CVE-2022-2795.patch
+
+diff --git a/bind/bind-9.11.36/lib/dns/resolver.c b/bind/bind-9.11.36/lib/dns/resolver.c
+index d2cf14bbc8b..73a0ee9f779 100644
+--- a/bind/bind-9.11.36/lib/dns/resolver.c
++++ b/bind/bind-9.11.36/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 	bool need_alternate = false;
+ 	bool all_spilled = true;
+ 	unsigned int no_addresses = 0;
++	unsigned int ns_processed = 0;
+ 
+ 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3902,6 +3909,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+ 		dns_rdata_reset(&rdata);
+ 		dns_rdata_freestruct(&ns);
++
++		if (++ns_processed >= NS_PROCESSING_LIMIT) {
++			result = ISC_R_NOMORE;
++			break;
++		}
+ 	}
+ 	if (result != ISC_R_NOMORE) {
+ 		return (result);

backport-CVE-2022-38177.patch

@@ -0,0 +1,21 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0003-CVE-2022-38177.patch
+---
+ bind/bind-9.11.36/lib/dns/opensslecdsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c b/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
+index 83b5b51..7576e04 100644
+--- a/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
++++ b/bind/bind-9.11.36/lib/dns/opensslecdsa_link.c
+@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ECDSA384SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+ 		DST_RET (dst__openssl_toresult3(dctx->category,
+-- 
+2.33.0
+

backport-CVE-2022-38178.patch

@@ -0,0 +1,21 @@
+Reference:http://downloads.isc.org/isc/bind/9.16.33/patches/0004-CVE-2022-38178.patch
+---
+ bind/bind-9.11.36/lib/dns/openssleddsa_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bind/bind-9.11.36/lib/dns/openssleddsa_link.c b/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
+index 8b115ec..4f3c2a8 100644
+--- a/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
++++ b/bind/bind-9.11.36/lib/dns/openssleddsa_link.c
+@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 		siglen = DNS_SIG_ED448SIZE;
+ 
+ 	if (sig->length != siglen)
+-		return (DST_R_VERIFYFAILURE);
++		DST_RET(DST_R_VERIFYFAILURE);
+ 
+ 	isc_buffer_usedregion(buf, &tbsreg);
+ 
+-- 
+2.33.0
+

bugfix-error-message-display.patch

@@ -1,12 +0,0 @@
-diff -ruNa dhcp-4.4.2-org/omapip/errwarn.c dhcp-4.4.2/omapip/errwarn.c
---- dhcp-4.4.2-org/omapip/errwarn.c 16:51:13.626927174 +0800
-+++ dhcp-4.4.2/omapip/errwarn.c 16:55:40.477496361 +0800
-@@ -57,7 +57,7 @@
-     size_t url_len = 256;
- 
-     url = (char *) malloc(url_len * sizeof(char));
--    strcpy(url, "https://bugzilla.redhat.com/");
-+    strcpy(url, "https://gitee.com/src-openeuler/dhcp/issues");
- 
-     if (!file)
-         return url;

dhcp.spec

@@ -3,7 +3,7 @@
 
 Name:      dhcp
 Version:   4.4.3
-Release:   1
+Release:   6
 Summary:   Dynamic host configuration protocol software
 #Please don't change the epoch on this package
 Epoch:     12
@@ -18,7 +18,6 @@ Source6:  dhcpd.service
 Source7:  dhcpd6.service
 Source8:  dhcrelay.service
 
-Patch1: backport-0001-change-bug-url.patch
 Patch2: backport-0002-additional-dhclient-options.patch
 Patch3: backport-0003-Handle-releasing-interfaces-requested-by-sbin-ifup.patch
 Patch4: backport-0004-Support-unicast-BOOTP-for-IBM-pSeries-systems-and-ma.patch
@@ -54,10 +53,14 @@ Patch33: bugfix-dhcp-64-bit-lease-parse.patch
 Patch34: fix-coredump-when-client-active-is-NULL.patch
 Patch35: feature-lease-time-config-ipv6.patch
 Patch36: add-a-test-case-to-parse-code93-in-option_unittest.patch
-Patch37: bugfix-error-message-display.patch
 Patch38: backport-Fix-CVE-2021-25220.patch
 Patch39: backport-Fix-CVE-2022-2928.patch
 Patch40: backport-Fix-CVE-2022-2929.patch
+Patch41: Revert-correcting-the-logic-in-dhclient.patch
+Patch42: backport-CVE-2022-2795.patch
+Patch43: backport-CVE-2022-38177.patch
+Patch44: backport-CVE-2022-38178.patch
+Patch45: IAID-is-output-has-hexe-if-it-contains-or.patch
 
 BuildRequires: gcc autoconf automake libtool openldap-devel krb5-devel libcap-ng-devel
 BuildRequires: systemd systemd-devel
@@ -306,9 +309,39 @@ exit 0
 %{_mandir}/man3/omapi.3.gz
 
 %changelog
+* Sat Jan 20 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-6
+- Type:bugfix
+- ID:
+- SUG:restart
+- DESC:IAID is output has hexe if it contains '\' or '"'
+
+* Thu Jan 4 2024 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-5
+- Type:CVE
+- ID:CVE-2022-2795,CVE-2022-38177,CVE-2022-38178
+- SUG:restart
+- DESC:fix CVE-2022-2795,CVE-2022-38177 and CVE-2022-38178
+
+* Fri Nov 24 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-4
+- Type:bugfix
+- ID:
+- SUG:restart
+- DESC:delete report url added by other upstream patch to keep pace with DHCP
+
+* Thu Jun 29 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-3
+- Type:bugfix
+- ID:
+- SUG:restart
+- DESC:revert the correction about the logic in dhclient
+
+* Sat May 27 2023 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-2
+- Type:bugfix
+- ID:NA
+- SUG:restart
+- DESC:add Restart in dhcpd.service
+
 * Tue Nov 1 2022 renmingshuai <renmingshuai@huawei.com> - 12:4.4.3-1
 - Type:requirement
-- ID:
+- ID:NA
 - SUG:restart
 - DESC:update to 4.4.3
 

dhcpd.service

@@ -10,6 +10,7 @@ Type=notify
 EnvironmentFile=-/etc/sysconfig/dhcpd
 ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid $DHCPDARGS
 StandardError=null
+Restart=on-failure
 
 [Install]
 WantedBy=multi-user.target