Bug 46963 (CVE-2003-0039)

Summary: VUL-0: CVE-2003-0039: dhcrelay: DoS against ISC dhcrelay (VU#149953)
Product: [Novell Products] SUSE Security Incidents Reporter: Peter Poeml <poeml>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2003-0039: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Peter Poeml 2003-10-02 17:57:36 UTC 
There is a vulnerability in the ISC DHCP relay, that has been fixed only
in 8.2 upwards. The vulnerability and the fix appeared shortly before
8.2 and we did decide to not fix old distribution at the time. The problem did
not seem critical, and the available patch not entirely satisfiable. 

see http://www.kb.cert.org/vuls/id/149953

* Mon Mar 03 2003 - poeml@suse.de
[...]
- dhcrelay: add patch from Florian Lohoff (slightly modified),
  that makes the maximal hop count of forwarded packages
  configurable (-c maxcount), sets the default to 4, and rejects
  packages with a hop count higher than maxcount (CAN-2003-0039,
  http://www.kb.cert.org/vuls/id/149953). Add a variable to
  /etc/sysconfig/dhcrelay to pass such additional options.


The ISC itself has issued an update containing the patch only some weeks ago:


* Mon Sep 08 2003 - poeml@suse.de
- update to 3.0.1rc12
[...]
- dhcp-3.0.1rc10-dhcrelay-limit-hopcount.dif included upstreams


We now think that we can safely add the patch to SLES8, and possibly
other old distros.

Apart from adding the patch, it seems useful to add the additional
variable to /etc/sysconfig/dhcrelay to make the hop count configurable,
just in case someone does need a higher hop count than what is the
default after applying the patch.
Comment 1 Peter Poeml 2003-10-02 17:57:36 UTC 
<!-- SBZ_reproduce  -->
refer to above
Comment 2 Roman Drahtmueller 2003-10-13 21:26:56 UTC 
Please let us know (here) if there are any news with this.
Comment 3 Peter Poeml 2003-11-18 00:42:47 UTC 
List of affected packages:

dhcp-relay subpackage:
8.0-i386          /work/SRC/old-versions/8.0/all/                    dhcp 3.0.1rc6
8.1-i386          /work/SRC/old-versions/8.1/UL/all/                 dhcp 3.0.1rc9
sles8-beta-s390   /work/SRC/old-versions/8.1/BETA/arch/s390/         dhcp 3.0.1rc9

dhcrelay subpackage:
sles7-i386        /work/SRC/old-versions/7.2/all/                    dhcp 3.0rc4
sles7-i386        /work/SRC/old-versions/7.2/arch/sles-i386/         dhcp 3.0rc12
7.3-i386          /work/SRC/old-versions/7.3/all/                    dhcp 3.0rc12

I think /work/SRC/old-versions/7.2/arch/sles-i386/ needs a fix, since two
products are based on it:

% is_maintained dhcrelay
Package is on CD email-server-III-1.i386
        Distribution: sles7-i386
        Distributionstring: SuSE-Linux-eMail-Server-i386
        Marketing-Name: SuSE eMail Server 3.1
Package is on CD email-server-III.i386
        Distribution: sles7-i386
        Distributionstring: SuSE-Linux-eMail-Server-i386
        Marketing-Name: SuSE eMail Server III
Comment 4 Peter Poeml 2003-11-18 03:57:54 UTC 
All Packages submitted. putonftp files included. patchinfo files to be
written.
Comment 5 Peter Poeml 2003-11-18 04:07:48 UTC 
patchinfo files submitted as well. re-assigning to security-team for
final handling/closure.
Comment 6 Thomas Biege 2003-11-27 20:40:38 UTC 
packages are approved
Comment 7 Thomas Biege 2009-10-13 19:39:45 UTC 
CVE-2003-0039: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)