Bugzilla – Bug 94547
VUL-0: CVE-2005-1848: dhcp client denial-of-service
Last modified: 2021-11-21 15:35:31 UTC
Hi Peter, this reaches us via vendor-sec.

From: Michael Stone <mstone@debian.org>
To: vendor-sec@lst.de
Mail-Followup-To: vendor-sec@lst.de
Old-Content-type: text/plain; charset=us-ascii; format=flowed
User-Agent: Mutt/1.5.9i
Subject: [vendor-sec] [srk@sanger.ac.uk: dhpcd DOS security bug.]
Errors-To: vendor-sec-admin@lst.de
Date: Tue, 28 Jun 2005 21:48:06 -0400

Verbatim.

----- Forwarded message from Simon Kelley <srk@sanger.ac.uk> -----

From: Simon Kelley <srk@sanger.ac.uk>
To: team@security.debian.org
Subject: dhpcd DOS security bug.

Hello securiteam,

I've had notification of a security hole in dhcpcd: A malformed DHCP packet can make the code read beyond the end of a buffer and therefore potentially crash. There's no root execution exposure. Original report follows:

> Hi, did a quick audit of the client and found this problem marked with
> the /* HOLE */ comment:
>
> while ( p < end )
>   switch ( *p )
>   {
>     case endOption: goto swend;
>     case padOption: p++; break;
>     default:
>       if ( p[1] )
>       {
>         /* FIX */
>         if(p + 2 + p[1] >= end)
>           do_bad_packet();
>         /* FIX */
>         if ( DhcpOptions.len[*p] == p[1] )
>           memcpy(DhcpOptions.val[*p],p+2,p[1]);
>         else
>         {
>           DhcpOptions.len[*p] = p[1];
>           if ( DhcpOptions.val[*p] )
>             free(DhcpOptions.val[*p]);
>           else
>             DhcpOptions.num++;
>           DhcpOptions.val[*p] = malloc(p[1]+1);
>           memset(DhcpOptions.val[*p],0,p[1]+1);
>           memcpy(DhcpOptions.val[*p],p+2,p[1]); /* HOLE read past packet */
>         }
>       }
>       p+=p[1]+2;
>   }
>
> The code between /* FIX */ is what I added to fix the problem marked
> HOLE. At worst this could DOS the client if out of bounds memory is
> accessed. Slightly annoying I suppose if you have some obnoxious ****
> on the local network (though I assume there are even more annoying
> things one can do by abusing the protocol itself...).

This affects dhcpcd_1.3.22pl4-21 in Sarge and unstable/testing, there's no dhcpcd package in Woody.
I'll upload dhcpcd_1.3.22pl4-22 into unstable in the next few hours, which fixes this and has a few other changes. I've prepared dhcpcd_1.3.22pl4-21sarge1 which has just the security fix for Sarge. I followed http://www.debian.org/doc/developers-reference/ch-pkgs#s-bug-security-building carefully in making that. diff.gz and .dsc file attached.

The guy who spotted this tried to notify upstream, but upstream is MIA. As far as I know, he's not told anyone else and no CVE, bugtraq etc activity has happened yet.

Cheers,

Simon.

[-- PGP Ausgabe folgt (aktuelle Zeit: Mi 29 Jun 2005 13:45:48 CEST) --]
gpg: Unterschrift vom Di 28 Jun 2005 22:17:31 CEST, DSA Schlüssel ID DF6807BE
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
[-- Ende der PGP-Ausgabe --]

[-- BEGIN PGP SIGNED MESSAGE --]
Format: 1.0
Source: dhcpcd
Version: 1:1.3.22pl4-21sarge1
Binary: dhcpcd
Maintainer: Simon Kelley <simon@thekelleys.org.uk>
Architecture: any
Standards-Version: 3.5.6.0
Build-Depends: debhelper (>>2.0.0)
Files:
 59669a4110a2061f05c1c6fa6171bed2 148273 dhcpcd_1.3.22pl4.orig.tar.gz
 684f8a7443548254ffad57e8c1541cbc 53081 dhcpcd_1.3.22pl4-21sarge1.diff.gz
[-- END PGP SIGNED MESSAGE --]

----- End forwarded message -----
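As an added example (not dhcpcd's source or the reporter's patch), the following is a bounds-checked walk over a DHCP options field that rejects any option whose length byte or declared value would lie outside the packet, the read-past-end case the forwarded report describes; the function name, the callback in place of the DhcpOptions table, and the sample option fields are all hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD 0     /* one-byte padding option, no length field */
#define OPT_END 255   /* end-of-options marker */
/* Walk the options in buf[0..len). Returns the number of options seen,
 * or -1 if an option's length byte or its value would lie outside the
 * buffer (the read-past-packet case from the report). The per-option
 * DhcpOptions table of the original is replaced by an optional callback. */
int dhcp_options_walk(const uint8_t *buf, size_t len,
                      void (*cb)(uint8_t code, const uint8_t *val, size_t vlen))
{
    const uint8_t *p = buf, *end = buf + len;
    int count = 0;
    while (p < end) {
        uint8_t code = *p;
        if (code == OPT_END)
            break;
        if (code == OPT_PAD) { p++; continue; }
        /* Check 1: the length byte p[1] must itself be inside the packet. */
        if (end - p < 2)
            return -1;
        size_t vlen = p[1];
        /* Check 2: the value p[2 .. 2+vlen) must end at or before end; a size
         * comparison, so no out-of-range pointer is ever formed. */
        if ((size_t)(end - p) - 2 < vlen)
            return -1;
        if (cb)
            cb(code, p + 2, vlen);
        p += 2 + vlen;
        count++;
    }
    return count;
}
/* Constructed sample option fields (no BOOTP fixed header):
 * message type (53) = DHCPOFFER, subnet mask (1) = 255.255.255.0, end */
static const uint8_t good[]      = { 53, 1, 2, 1, 4, 255, 255, 255, 0, 255 };
/* subnet mask option claims 4 bytes but only 2 remain in the packet */
static const uint8_t truncated[] = { 53, 1, 2, 1, 4, 255, 255 };
/* option code is the last byte, so there is no room for its length byte */
static const uint8_t no_length[] = { 53, 1, 2, 1 };

int main(void)
{
    printf("good: %d, truncated: %d, no_length: %d\n",
           dhcp_options_walk(good, sizeof good, NULL),
           dhcp_options_walk(truncated, sizeof truncated, NULL),
           dhcp_options_walk(no_length, sizeof no_length, NULL));
    return 0;
}
```

Unlike the `>=` comparison in the reporter's fix, check 2 accepts an option whose value ends exactly at the packet boundary, which is a well-formed layout.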
Upstream has indeed been unreachable for quite some time.
Created attachment 40517 [details] dhcpcd_1.3.22pl4-21sarge1.diff.gz
Created attachment 40664 [details] the actual patch
SM-Tracker-1673
I submitted packages with the fix to

/work/SRC/old-versions/8.1/UL/all/dhcpcd -> /work/src/done/SLES8
/work/SRC/old-versions/8.2/all/dhcpcd -> /work/src/done/8.2
/work/SRC/old-versions/9.0/all/dhcpcd -> /work/src/done/9.0
/work/SRC/old-versions/9.1/SLES/all/dhcpcd -> /work/src/done/9.1
/work/SRC/old-versions/9.2/all/dhcpcd -> /work/src/done/9.2
/work/SRC/old-versions/9.3/all/dhcpcd -> /work/src/done/9.3
Thanks... submitting pinfo files.
CAN-2005-1848.
approving packages
CVE-2005-1848: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)