Bugzilla – Attachment 21196 Details for Bug 56975
VUL-0: CVE-2004-0461: dhcp: remote buffer overflow
more information about vsnprintf bug
2004-06-14_1.txt (text/plain), 2.72 KB, created by Thomas Biege on 2004-06-15 19:31:21 UTC
>
>Hello,
>
>The tarball containing the patches and updates should arrive to us this
>evening. We are pushing the release date back to Thursday June 16 at 2pm
>EST in order to provide vendors with time to patch and test.
>
>
>Note the following updates and information:
>
>1. Again, the release date has been moved to Thursday June 16 at 2pm EST
>in order to provide vendors with time to patch and test.
>
>The tarball should be sent out to you this evening or tomorrow morning
>(EST) at the latest.
>
>
>2. With regard to VU#317350, after closer analysis it appears that only
>ISC DHCP 3.0.1rc12 and 3.0.1rc13 are vulnerable. Versions prior to this
>contain the flaw, but are not exploitable because prior versions of ISC
>DHCP only include the last hostname option provided by the client,
>limiting the size to 255 bytes, which is not enough to overflow the buffer.
>
>
>3. The details of VU#654390 are that several operating system specific
>builds have a C include that overrides the vsnprintf function to vsprintf.
>Therefore, anywhere that the developers thought they were using vsnprintf
>to restrict bounds, they actually weren't being restricted at all. The
>operating systems that are affected by this are as follows:
>
>aix.h:#define NO_SNPRINTF
>alphaosf.h:#define NO_SNPRINTF
>cygwin32.h:#define NO_SNPRINTF
>hpux.h:#define NO_SNPRINTF
>irix.h:#define NO_SNPRINTF
>linux.h:#define NO_SNPRINTF
>nextstep.h:#define NO_SNPRINTF
>qnx.h:# define NO_SNPRINTF
>sco.h:#define NO_SNPRINTF
>sunos4.h:#define NO_SNPRINTF
>sunos5-5.h:#define NO_SNPRINTF
>ultrix.h:#define NO_SNPRINTF
>
>According to ISC:
>
>  "of these, alphaosf, hpux, linux, and sunos5-5 have had these config
>  directives removed, so they will link to the v/snprintf() functions
>  that are present in those systems' libc's in the new version of
>  software. i have confirmed they will build, but have only confirmed
>  function on the linux binary."
>
>The resolution for other systems is to remove all of the insecure #defines
>and use the codebase from Bind 9 to implement a bounded printf() function
>for systems that do not support v/snprintf(). This is because the DHCP
>libraries will not link if they do not believe that they are linking to a
>bounded function.
>
>
>4. We have assigned CVE numbers as follows:
>
>  CAN-2004-0460 VU#317350 ISC DHCPD contains a stack buffer overflow
>  vulnerability in handling log lines containing ASCII characters only
>
>  CAN-2004-0461 VU#654390 ISC DHCP contains C includes that define
>  "vsnprintf" to "vsprintf" creating potential buffer overflow conditions
>
>Note that the numbers are assigned and will not change, but the titles are
>working titles and may change.
>
>
>Thank you for your patience and feedback. If you have any other feedback,
>or new information, please let us know. Thanks again for all of your
>coordination on this.
>
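The effect described in item 3 of the message above, as an added example that is not part of the original attachment or the ISC DHCP source: a macro that maps a "bounded" call onto vsprintf silently discards the size argument, while the real vsnprintf caps the output and lets the caller detect truncation. The macro and function names and the sample hostname are assumptions made for illustration; the backing buffer is deliberately larger than the claimed limit so the unbounded path stays memory-safe in this demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Illustrative macros (hypothetical names, not the ISC source): the first
 * mirrors the reported pattern, where the size argument is discarded. */
#define UNBOUNDED_VSNPRINTF(buf, size, fmt, ap) vsprintf((buf), (fmt), (ap))
#define BOUNDED_VSNPRINTF(buf, size, fmt, ap) vsnprintf((buf), (size), (fmt), (ap))

/* Caller believes output is capped at `limit`; the bound never reaches libc. */
static size_t fmt_unbounded(char *buf, size_t limit, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    UNBOUNDED_VSNPRINTF(buf, limit, fmt, ap);
    va_end(ap);
    return strlen(buf);
}

/* Real vsnprintf: output capped at limit-1 bytes, truncation reported. */
static size_t fmt_bounded(char *buf, size_t limit, int *trunc, const char *fmt, ...)
{
    va_list ap;
    int n;
    buf[0] = '\0';
    va_start(ap, fmt);
    n = BOUNDED_VSNPRINTF(buf, limit, fmt, ap);
    va_end(ap);
    *trunc = (n < 0 || (size_t)n >= limit);
    return strlen(buf);
}

/* Constructed input: a 40-byte hostname logged with a claimed limit of 16.
 * The backing array is 64 bytes so the unbounded path stays in bounds here. */
static size_t stored_len(int bounded, int *truncated)
{
    char backing[64], host[41] = {0};
    memset(host, 'A', 40);
    *truncated = 0;
    return bounded ? fmt_bounded(backing, 16, truncated, "host=%s", host)
                   : fmt_unbounded(backing, 16, "host=%s", host);
}

int main(void)
{
    int t;
    printf("%zu %zu\n", stored_len(0, &t), stored_len(1, &t));
    return 0;
}
```

With a destination that really was 16 bytes, the unbounded path would write 30 bytes past its end; the bounded path stores 15 bytes and sets the truncation flag.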