Bug 94547 (CVE-2005-1848)

Summary: VUL-0: CVE-2005-1848: dhcp client denial-of-service
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1848: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  dhcpcd_1.3.22pl4-21sarge1.diff.gz
  the actual patch

Description Thomas Biege 2005-06-29 11:49:40 UTC
Hi,
Peter, this reaches us via vendor-sec.

From: Michael Stone <mstone@debian.org>
To: vendor-sec@lst.de
Mail-Followup-To: vendor-sec@lst.de
Old-Content-type: text/plain; charset=us-ascii; format=flowed
User-Agent: Mutt/1.5.9i
Subject: [vendor-sec] [srk@sanger.ac.uk: dhcpcd DOS security bug.]
Errors-To: vendor-sec-admin@lst.de
Date: Tue, 28 Jun 2005 21:48:06 -0400

Verbatim.

----- Forwarded message from Simon Kelley <srk@sanger.ac.uk> -----

From: Simon Kelley <srk@sanger.ac.uk>
To: team@security.debian.org
Subject: dhcpcd DOS security bug.

Hello securiteam,

I've had notification of a security hole in dhcpcd: A malformed DHCP
packet can make the code read beyond the end of a buffer and therefore
potentially crash. There's no root execution exposure.

Original report follows:
 > Hi, did a quick audit of the client and found this problem marked
 > with the /* HOLE */ comment:
 >
 >   while ( p < end )
 >     switch ( *p )
 >       {
 >         case endOption: goto swend;
 >         case padOption: p++; break;
 >         default:
 >           if ( p[1] )
 >             {
 >               /* FIX */
 >               if(p + 2 + p[1] >= end)
 >                 do_bad_packet();
 >               /* FIX */
 >               if ( DhcpOptions.len[*p] == p[1] )
 >                 memcpy(DhcpOptions.val[*p],p+2,p[1]);
 >               else
 >                 {
 >                   DhcpOptions.len[*p] = p[1];
 >                   if ( DhcpOptions.val[*p] )
 >                     free(DhcpOptions.val[*p]);
 >                   else
 >                     DhcpOptions.num++;
 >                   DhcpOptions.val[*p] = malloc(p[1]+1);
 >                   memset(DhcpOptions.val[*p],0,p[1]+1);
 >                   memcpy(DhcpOptions.val[*p],p+2,p[1]); /* HOLE read past packet */
 >                 }
 >             }
 >           p+=p[1]+2;
 >       }
 >
 > The code between /* FIX */ is what I added to fix the problem marked
 > HOLE.  At worst this could DOS the client if out of bounds memory is
 > accessed.  Slightly annoying I suppose if you have some obnoxious ****
 > on the local network (though I assume there are even more annoying
 > things one can do by abusing the protocol itself...).

This affects dhcpcd_1.3.22pl4-21 in Sarge and unstable/testing, there's
no dhcpcd package in Woody.

I'll upload dhcpcd_1.3.22pl4-22 into unstable in the next few hours,
which fixes this and has a few other changes.

I've prepared dhcpcd_1.3.22pl4-21sarge1 which has just the security fix
for Sarge. I followed
http://www.debian.org/doc/developers-reference/ch-pkgs#s-bug-security-building
carefully in making that. diff.gz and .dsc file attached.

The guy who spotted this tried to notify upstream, but upstream is MIA.
As far as I know, he's not told anyone else and no CVE, bugtraq etc
activity has happened yet.

Cheers,

Simon.


[-- PGP output follows (current time: Wed 29 Jun 2005 13:45:48 CEST) --]
gpg: Signature made Tue 28 Jun 2005 22:17:31 CEST, DSA key ID DF6807BE
gpg: Can't check signature: public key not found

[-- End of PGP output --]

[-- BEGIN PGP SIGNED MESSAGE --]

Format: 1.0
Source: dhcpcd
Version: 1:1.3.22pl4-21sarge1
Binary: dhcpcd
Maintainer: Simon Kelley <simon@thekelleys.org.uk>
Architecture: any
Standards-Version: 3.5.6.0
Build-Depends: debhelper (>>2.0.0)
Files:
 59669a4110a2061f05c1c6fa6171bed2 148273 dhcpcd_1.3.22pl4.orig.tar.gz
 684f8a7443548254ffad57e8c1541cbc 53081 dhcpcd_1.3.22pl4-21sarge1.diff.gz


[-- END PGP SIGNED MESSAGE --]


----- End forwarded message -----
_______________________________________________
Vendor Security mailing list
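Added example for the option-parsing bug described in the forwarded report. This is not the report's code, Debian's patch or dhcpcd's source: it is a self-contained C walker over the DHCP option region in the style of the quoted loop, with the bounds check made complete. Note one thing the quoted /* FIX */ lines do not cover: `if ( p[1] )` reads the length byte before the check runs, so a packet whose last byte is an option code still reads one byte past the end. The example checks that first, then checks the value bytes, and does both as distances from `end` so no pointer is ever formed past the buffer. A second function replays the unchecked loop on offsets to show how far past the packet the original memcpy() would read. The names (parse_dhcp_options, overread_bytes, dhcp_opt) and the three packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option codes used by the walker (values from RFC 2132). */
#define padOption 0
#define endOption 255

/* One parsed option: code, declared length and a pointer to its value
 * inside the packet buffer (no copy, so nothing is malloc'd). */
struct dhcp_opt {
    uint8_t code;
    uint8_t len;
    const uint8_t *val;
};

/* Walk the TLV options in [p, end). Stores up to max options in out and
 * returns how many options the packet contains, or -1 as soon as an
 * option would need bytes the packet does not have. */
int parse_dhcp_options(const uint8_t *p, const uint8_t *end,
                       struct dhcp_opt *out, size_t max)
{
    size_t n = 0;

    while (p < end) {
        uint8_t code = *p;

        if (code == endOption)
            break;
        if (code == padOption) {
            p++;
            continue;
        }
        /* Check 1: the length byte p[1] must itself be inside the packet. */
        if (end - p < 2)
            return -1;
        uint8_t len = p[1];
        /* Check 2: the value bytes p[2 .. 2+len) must fit. Strict, so an
         * option that ends exactly at end is accepted as well formed. */
        if ((size_t)(end - p) - 2 < len)
            return -1;

        if (n < max) {
            out[n].code = code;
            out[n].len = len;
            out[n].val = p + 2;
        }
        n++;
        p += 2 + len;
    }
    return (int)n;
}

/* Replays the unchecked loop from the report on offsets instead of
 * pointers and returns how many bytes beyond the packet the first
 * over-long option would make memcpy() (or the read of p[1]) touch.
 * 0 means well formed. Nothing out of bounds is read here; the real
 * loop would copy garbage or fault. */
size_t overread_bytes(const uint8_t *buf, size_t buflen)
{
    size_t i = 0;

    while (i < buflen) {
        uint8_t code = buf[i];

        if (code == endOption)
            return 0;
        if (code == padOption) {
            i++;
            continue;
        }
        if (i + 1 >= buflen)            /* p[1] is one byte past the end */
            return 1;
        size_t optend = i + 2 + buf[i + 1];
        if (optend > buflen)            /* memcpy would read past end */
            return optend - buflen;
        i = optend;
    }
    return 0;
}

/* Constructed packets: option region only, no fixed header or magic cookie. */
static const uint8_t good_pkt[] = {
    53, 1, 2,                 /* message type: OFFER */
    54, 4, 192, 168, 1, 1,    /* server identifier */
    endOption
};
static const uint8_t bad_pkt[] = {
    53, 1, 2,
    12, 200, 'h', 'o'         /* host name claims 200 bytes, 2 present */
};
static const uint8_t trunc_pkt[] = {
    53, 1, 2,
    12                        /* option code with no length byte */
};

static struct dhcp_opt opts[8];

int main(void)
{
    const uint8_t *pk[] = { good_pkt, bad_pkt, trunc_pkt };
    size_t ln[] = { sizeof good_pkt, sizeof bad_pkt, sizeof trunc_pkt };
    for (int i = 0; i < 3; i++)
        printf("packet %d: parse=%d unchecked overread=%zu bytes\n", i,
               parse_dhcp_options(pk[i], pk[i] + ln[i], opts, 8),
               overread_bytes(pk[i], ln[i]));
    return 0;
}
```

The quoted fix's `>=` rejects an option that ends exactly at `end`; that is conservative and harmless, but `p + 2 + p[1]` itself can point well past the buffer before it is compared, which is why the example compares lengths rather than pointers.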
Comment 1 Peter Poeml 2005-06-29 12:15:08 UTC
Upstream is indeed unreachable since quite some time.
Comment 2 Thomas Biege 2005-06-30 06:10:35 UTC
Created attachment 40517 [details]
dhcpcd_1.3.22pl4-21sarge1.diff.gz
Comment 3 Peter Poeml 2005-06-30 14:54:18 UTC
Created attachment 40664 [details]
the actual patch
Comment 4 Thomas Biege 2005-06-30 15:03:34 UTC
SM-Tracker-1673
Comment 5 Peter Poeml 2005-06-30 15:13:59 UTC
I submitted packages with the fix to
/work/SRC/old-versions/8.1/UL/all/dhcpcd -> /work/src/done/SLES8
/work/SRC/old-versions/8.2/all/dhcpcd -> /work/src/done/8.2
/work/SRC/old-versions/9.0/all/dhcpcd -> /work/src/done/9.0
/work/SRC/old-versions/9.1/SLES/all/dhcpcd -> /work/src/done/9.1
/work/SRC/old-versions/9.2/all/dhcpcd -> /work/src/done/9.2
/work/SRC/old-versions/9.3/all/dhcpcd -> /work/src/done/9.3
Comment 6 Thomas Biege 2005-06-30 15:39:20 UTC
Thanks... submitting pinfo files.
Comment 7 Marcus Meissner 2005-07-06 14:59:12 UTC
CAN-2005-1848. 
Comment 8 Thomas Biege 2005-07-08 13:50:05 UTC
approving packages
Comment 9 Thomas Biege 2009-10-13 21:29:52 UTC
CVE-2005-1848: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)