Debian Bug report logs - #446354
dhcp: stack-based buffer overflow (CVE-2007-5365)


Package: dhcp; Maintainer for dhcp is (unknown);

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 12 Oct 2007 12:45:05 UTC

Severity: grave

Tags: patch, security

Found in versions dhcp/2.0pl5-19.1sarge3, dhcp/2.0pl5dfsg1-20.1

Fixed in version dhcp/2.0pl5dfsg1-20.2

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dhcp: stack-based buffer overflow (CVE-2007-5365)
Date: Fri, 12 Oct 2007 22:51:24 +1000
Package: dhcp
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE[0] has been issued against dhcp.

CVE-2007-5365:

Stack-based buffer overflow in the cons_options function in options.c in
dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute
arbitrary code or cause a denial of service (daemon crash) via a DHCP
request specifying a maximum message size smaller than the minimum IP
MTU.

A patch is attached below. Please tell me if you want to take care of
it or if I should upload.

Cheers
Steffen

[0]: http://ve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5365

diff -u dhcp-2.0pl5dfsg1/debian/changelog dhcp-2.0pl5dfsg1/debian/changelog
--- dhcp-2.0pl5dfsg1/debian/changelog
+++ dhcp-2.0pl5dfsg1/debian/changelog
@@ -1,3 +1,12 @@
+dhcp (2.0pl5dfsg1-20.1) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Fix stack-based buffer overflow in options.c, which allows arbitrary
+    code execution or cause of a DoS through remote attackers
+    Fixes: CVE-2007-5365
+
+ -- Steffen Joeris <white@debian.org>  Fri, 12 Oct 2007 12:33:17 +0000
+
 dhcp (2.0pl5dfsg1-20) unstable; urgency=medium

   * Taking over unmaintained package.
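
Review bot: the changelog entry names the CVE but not this bug, so the BTS will not close #446354 when the upload is accepted; add `(Closes: #446354)` to the bullet (the later control message in this report adds the fixed version by hand for exactly this reason). The bullet's wording "allows arbitrary code execution or cause of a DoS through remote attackers" is also awkward; suggest "allows remote attackers to execute arbitrary code or cause a denial of service".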
only in patch2:
unchanged:
--- dhcp-2.0pl5dfsg1.orig/debian/patches/305_CVE-2007-5365.patch
+++ dhcp-2.0pl5dfsg1/debian/patches/305_CVE-2007-5365.patch
@@ -0,0 +1,16 @@
+--- options.c.orig     2007-10-12 12:22:41.000000000 +0000
++++ dhcp-2.0pl5dfsg1/common/options.c  2007-10-12 12:23:42.000000000 +0000
+@@ -188,9 +188,12 @@
+           inpacket &&
+           inpacket -> options [DHO_DHCP_MAX_MESSAGE_SIZE].data &&
+           (inpacket -> options [DHO_DHCP_MAX_MESSAGE_SIZE].len >=
+-           sizeof (u_int16_t)))
++           sizeof (u_int16_t))){
+               mms = getUShort (inpacket -> options
+                                [DHO_DHCP_MAX_MESSAGE_SIZE].data);
++               if (mms < 576)
++                              mms = 576;        /* mms must be >= minimum IP MTU */
++              }
+
+       /* If the client has provided a maximum DHCP message size,
+          use that; otherwise, if it's BOOTP, only 64 bytes; otherwise
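
Review bot: the added lines bound the client-supplied maximum message size only from below (`if (mms < 576) mms = 576;`) and do so silently. Tomas Hoger reports later in this bug that dhcpd could still be crashed with this patch applied, so before `mms` is used to size option packing it should also be checked against the size of the buffer it will fill, and a request that had to be clamped is worth a log line so operators can see malformed requests arriving. Style: the brace glued onto `sizeof (u_int16_t))){` and the closing `}` use indentation that does not match the surrounding tab-indented block; align them with the file's existing style.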

Tags added: patch Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 12 Oct 2007 12:57:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #12 received at 446354@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 446354@bugs.debian.org
Subject: Re: Bug#446354: dhcp: stack-based buffer overflow (CVE-2007-5365)
Date: Mon, 15 Oct 2007 21:16:18 +0100
On Fri Oct 12, 2007 at 22:51:24 +1000, Steffen Joeris wrote:

> A patch is attached below. Please tell me if you want to take care of
> it or if I should upload.

  Thanks for the patch, I will upload with it.

Steve
-- 

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #17 received at 446354@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 446354@bugs.debian.org
Subject: Re: Bug#446354: dhcp: stack-based buffer overflow (CVE-2007-5365)
Date: Fri, 26 Oct 2007 15:16:39 +0200
[Message part 1 (text/plain, inline)]
Hi Steve,
any news about the upload? Ping me if you don't have the 
time and need an NMU.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #22 received at 446354@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 446354@bugs.debian.org
Subject: Re: dhcp: stack-based buffer overflow (CVE-2007-5365)
Date: Sat, 27 Oct 2007 16:16:51 +0200
[Message part 1 (text/plain, inline)]
Hi,
Uploading a 0-day NMU based on Steffen's patch since Steffen 
is away this weekend and no one else seems to do it :)
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[dhcp-2.0pl5dfsg1-20_2.0pl5dfsg1-20.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #27 received at 446354@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: control@bugs.debian.org
Cc: 446354@bugs.debian.org
Subject: fixed 446354 in 2.0pl5dfsg1-20.1
Date: Sun, 28 Oct 2007 02:36:58 +0200
# Automatically generated email from bts, devscripts version 2.10.9
# adding fix as the bug number was missing in the changelog
fixed 446354 2.0pl5dfsg1-20.1

Bug marked as fixed in version 2.0pl5dfsg1-20.1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 28 Oct 2007 00:39:02 GMT) Full text and rfc822 format available.

Bug marked as found in version 2.0pl5-19.1sarge3. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 28 Oct 2007 14:36:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #36 received at 446354@bugs.debian.org (full text, mbox):

From: Tomas Hoger <thoger@redhat.com>
To: 446354@bugs.debian.org
Cc: skx@debian.org, steffen.joeris@skolelinux.de, nion@debian.org
Subject: OpenBSD patch for CVE-2007-5365 is insufficient
Date: Mon, 29 Oct 2007 19:33:17 +0100
Hi!

During testing of our updated dhcp packages, we have found out that
the patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
still possible to crash dhcpd.  Your dhcp packages released in DSA
1388-1 also seem affected. You can find a better patch based on dhcp-3.x
code here:

  https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5

Note: security@d.o was notified on 2007-10-23.
    Updated DSA 1388-3 released on 2007-10-29.

-- 
Tomas Hoger
Red Hat Security Response Team
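
The CVE text in the first message describes the root cause (a client-supplied maximum message size smaller than the minimum IP MTU being used to size the server's option buffer), and the message above reports that the OpenBSD-style lower clamp alone still left dhcpd crashable. The following is an added example, not code from the dhcp package or from this bug report: it models how a server should treat option 57 before using it in size arithmetic. `FIXED_HDR_LEN` and `REPLY_BUF_MAX` are this example's own assumed constants, not dhcp-2.0's, and the upper bound is this example's generalisation; the dhcp-3.x-based patch referenced above is not reproduced on this page.

```c
/*
 * Added example, not code from the dhcp package or from this bug report.
 * Models the defensive treatment of a client-supplied DHCP Maximum Message
 * Size (option 57, RFC 2132) before the value is used to size a reply buffer.
 * FIXED_HDR_LEN and REPLY_BUF_MAX are this example's own assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DHO_PAD                0
#define DHO_DHCP_MESSAGE_TYPE 53
#define DHO_MAX_MESSAGE_SIZE  57    /* real RFC 2132 option code */
#define DHO_END              255
#define MIN_IP_MTU           576    /* floor applied by the patch in this report */
#define REPLY_BUF_MAX       1500    /* assumed: capacity of the server's reply buffer */
#define FIXED_HDR_LEN        264    /* assumed: non-option bytes of a reply */

typedef enum { MMS_ABSENT = 0, MMS_PRESENT = 1, MMS_MALFORMED = 2 } mms_status;

/* Walk the TLV option field and extract option 57. Every length byte is
 * checked against the remaining buffer before it is trusted. */
mms_status parse_max_message_size(const uint8_t *opts, size_t len, uint16_t *out)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHO_END)
            break;
        if (code == DHO_PAD)
            continue;
        if (i >= len)
            return MMS_MALFORMED;            /* code present, length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i)
            return MMS_MALFORMED;            /* value would run past the buffer */
        if (code == DHO_MAX_MESSAGE_SIZE) {
            if (olen != 2)
                return MMS_MALFORMED;        /* option 57 is exactly two bytes */
            *out = (uint16_t)((opts[i] << 8) | opts[i + 1]);
            return MMS_PRESENT;
        }
        i += olen;
    }
    return MMS_ABSENT;
}

/* Wrapper returning the parsed value, -1 if absent, -2 if malformed. */
int max_message_size_of(const uint8_t *opts, size_t len)
{
    uint16_t mms = 0;
    switch (parse_max_message_size(opts, len, &mms)) {
    case MMS_PRESENT: return mms;
    case MMS_ABSENT:  return -1;
    default:          return -2;
    }
}

/* Unsafe sizing: trusts the client. Any mms below FIXED_HDR_LEN wraps the
 * unsigned subtraction to a huge value; any mms above REPLY_BUF_MAX promises
 * more room than the buffer actually has. */
size_t option_space_unsafe(uint16_t mms)
{
    return (size_t)mms - FIXED_HDR_LEN;
}

/* Hardened sizing: bound the value on both sides before any arithmetic.
 * Returns the number of bytes available for options. */
size_t option_space_safe(uint16_t mms)
{
    if (mms < MIN_IP_MTU)
        mms = MIN_IP_MTU;        /* same floor as the patch in this report */
    if (mms > REPLY_BUF_MAX)
        mms = REPLY_BUF_MAX;     /* never exceed what was actually allocated */
    return (size_t)mms - FIXED_HDR_LEN;
}

/* Constructed sample option fields (not captured traffic). */
static const uint8_t sample_low_mms[]   = { DHO_DHCP_MESSAGE_TYPE, 1, 1,
                                            DHO_MAX_MESSAGE_SIZE, 2, 0x00, 0x64, DHO_END }; /* mms = 100 */
static const uint8_t sample_truncated[] = { DHO_MAX_MESSAGE_SIZE, 2, 0x05 }; /* claims 2 bytes, has 1 */
static const uint8_t sample_absent[]    = { DHO_DHCP_MESSAGE_TYPE, 1, 1, DHO_END };

int main(void)
{
    int mms = max_message_size_of(sample_low_mms, sizeof sample_low_mms);
    printf("client mms=%d unsafe=%zu safe=%zu\n", mms,
           option_space_unsafe((uint16_t)mms), option_space_safe((uint16_t)mms));
    printf("truncated -> %d, absent -> %d\n",
           max_message_size_of(sample_truncated, sizeof sample_truncated),
           max_message_size_of(sample_absent, sizeof sample_absent));
    return 0;
}
```

The point of keeping `option_space_unsafe` next to `option_space_safe` is that the bug is in the arithmetic, not the parsing: a well-formed option carrying the value 100 is accepted by both, but only the bounded version yields a size that fits the buffer that will be written.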

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #41 received at 446354@bugs.debian.org (full text, mbox):

From: Steve Kemp <skx@debian.org>
To: Tomas Hoger <thoger@redhat.com>
Cc: 446354@bugs.debian.org, skx@debian.org, steffen.joeris@skolelinux.de, nion@debian.org
Subject: Re: OpenBSD patch for CVE-2007-5365 is insufficient
Date: Mon, 29 Oct 2007 20:47:32 +0000
On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:

> During testing of our updated dhcp packages, we have found out that
> the patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
> still possible to crash dhcpd.  Your dhcp packages released in DSA
> 1388-1 also seem affected. You can find a better patch based on dhcp-3.x
> code here:
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
> 
> Note: security@d.o was notified on 2007-10-23.
>     Updated DSA 1388-3 released on 2007-10-29.

  Thanks, we have a built package already.  I'm not sure who is
  releasing it - I guess I should since I did the previous one.
  I'll chase it tomorrow/Wednesday.

Steve
-- 

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #46 received at 446354@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: control@bugs.debian.org
Cc: 446354@bugs.debian.org
Subject: found 446354 in 2.0pl5dfsg1-20.1
Date: Mon, 29 Oct 2007 22:25:43 +0100
# Automatically generated email from bts, devscripts version 2.10.9
# marking as found since upstream fix was incomplete
found 446354 2.0pl5dfsg1-20.1

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #51 received at 446354@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Steve Kemp <skx@debian.org>, 446354@bugs.debian.org
Cc: Tomas Hoger <thoger@redhat.com>, steffen.joeris@skolelinux.de
Subject: Re: Bug#446354: OpenBSD patch for CVE-2007-5365 is insufficient
Date: Mon, 29 Oct 2007 22:26:03 +0100
[Message part 1 (text/plain, inline)]
Hi Steve,
* Steve Kemp <skx@debian.org> [2007-10-29 21:59]:
> On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:
> 
> > During testing of our updated dhcp packages, we have found out that
> > the patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
> > still possible to crash dhcpd.  Your dhcp packages released in DSA
> > 1388-1 also seem affected. You can find a better patch based on dhcp-3.x
> > code here:
> > 
> >   https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
> > 
> > Note: security@d.o was notified on 2007-10-23.
> >     Updated DSA 1388-3 released on 2007-10-29.
> 
>   Thanks, we have a built package already.  I'm not sure who is
>   releasing it - I guess I should since I did the previous one.
>   I'll chase it tomorrow/Wednesday.

I'll reupload the NMU for unstable to fix this.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug marked as found in version 2.0pl5dfsg1-20.1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 29 Oct 2007 21:27:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#446354; Package dhcp. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #58 received at 446354@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Steve Kemp <skx@debian.org>, 446354@bugs.debian.org
Cc: Tomas Hoger <thoger@redhat.com>, steffen.joeris@skolelinux.de
Subject: Re: Bug#446354: OpenBSD patch for CVE-2007-5365 is insufficient
Date: Mon, 29 Oct 2007 22:57:19 +0100
[Message part 1 (text/plain, inline)]
Hi,
* Nico Golde <nion@debian.org> [2007-10-29 22:30]:
> * Steve Kemp <skx@debian.org> [2007-10-29 21:59]:
> > On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:
> > 
> > > During testing of our updated dhcp packages, we have found out that
> > > the patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
> > > still possible to crash dhcpd.  Your dhcp packages released in DSA
> > > 1388-1 also seem affected. You can find a better patch based on dhcp-3.x
> > > code here:
> > > 
> > >   https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
> > > 
> > > Note: security@d.o was notified on 2007-10-23.
> > >     Updated DSA 1388-3 released on 2007-10-29.
> > 
> >   Thanks, we have a built package already.  I'm not sure who is
> >   releasing it - I guess I should since I did the previous one.
> >   I'll chase it tomorrow/Wednesday.
> 
> I'll reupload the NMU for unstable to fix this.

Attached is the patch for this, I am uploading it now.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[dhcp-2.0pl5dfsg1-20.1_2.0pl5dfsg1-20.2.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #63 received at 446354-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 446354-close@bugs.debian.org
Subject: Bug#446354: fixed in dhcp 2.0pl5dfsg1-20.2
Date: Mon, 29 Oct 2007 22:02:02 +0000
Source: dhcp
Source-Version: 2.0pl5dfsg1-20.2

We believe that the bug you reported is fixed in the latest version of
dhcp, which is due to be installed in the Debian FTP archive:

dhcp-client-udeb_2.0pl5dfsg1-20.2_i386.udeb
  to pool/main/d/dhcp/dhcp-client-udeb_2.0pl5dfsg1-20.2_i386.udeb
dhcp-client_2.0pl5dfsg1-20.2_i386.deb
  to pool/main/d/dhcp/dhcp-client_2.0pl5dfsg1-20.2_i386.deb
dhcp-relay_2.0pl5dfsg1-20.2_i386.deb
  to pool/main/d/dhcp/dhcp-relay_2.0pl5dfsg1-20.2_i386.deb
dhcp_2.0pl5dfsg1-20.2.diff.gz
  to pool/main/d/dhcp/dhcp_2.0pl5dfsg1-20.2.diff.gz
dhcp_2.0pl5dfsg1-20.2.dsc
  to pool/main/d/dhcp/dhcp_2.0pl5dfsg1-20.2.dsc
dhcp_2.0pl5dfsg1-20.2_i386.deb
  to pool/main/d/dhcp/dhcp_2.0pl5dfsg1-20.2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 446354@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated dhcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 29 Oct 2007 22:40:21 +0100
Source: dhcp
Binary: dhcp dhcp-client dhcp-client-udeb dhcp-relay
Architecture: source i386
Version: 2.0pl5dfsg1-20.2
Distribution: unstable
Urgency: high
Maintainer: Andreas Barth <aba@not.so.argh.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 dhcp       - DHCP server for automatic IP address assignment
 dhcp-client - DHCP Client
 dhcp-client-udeb - DHCP Client for debian-installer (udeb)
 dhcp-relay - DHCP Relay
Closes: 446354
Changes: 
 dhcp (2.0pl5dfsg1-20.2) unstable; urgency=high
 .
   * Non-maintainer upload by testing-security team.
   * Updated 305_CVE-2007-5365.patch to fix incomplete
     upstream patch for CVE-2007-5365 (Closes: #446354).
Files: 
 e0ac8b9214247ed5d788f1acdc5f28ea 645 net optional dhcp_2.0pl5dfsg1-20.2.dsc
 551bf1a80a3cc86e73b85458f731fd0f 58279 net optional dhcp_2.0pl5dfsg1-20.2.diff.gz
 58d5d91aa6310c034b31f653fad168b5 110374 net optional dhcp_2.0pl5dfsg1-20.2_i386.deb
 df243d5d1aa2e68c3d83593d021f47c1 103004 net extra dhcp-client_2.0pl5dfsg1-20.2_i386.deb
 0424e791315327491754385e94ce7727 72022 net extra dhcp-relay_2.0pl5dfsg1-20.2_i386.deb
 f83b550b9c0b9cc11f98c3552c474907 40412 debian-installer extra dhcp-client-udeb_2.0pl5dfsg1-20.2_i386.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHJldSHYflSXNkfP8RAhFsAJ9oEToGldwXNo/WNSY5zRLynDpQewCgoKBi
EtN194gqxKQrscQJHlbqEO8=
=KGEW
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Dec 2007 07:45:25 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:25:56 2014; Machine Name: buxtehude.debian.org
