Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Andreas Barth <aba@not.so.argh.org>.
Package: dhcp
Severity: grave
Tags: security
Justification: user security hole
Hi
The following CVE[0] has been issued against dhcp.
CVE-2007-5365:
Stack-based buffer overflow in the cons_options function in options.c in
dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute
arbitrary code or cause a denial of service (daemon crash) via a DHCP
request specifying a maximum message size smaller than the minimum IP
MTU.
A patch is attached below. Please tell me if you want to take care of
it or if I should upload.
Cheers
Steffen
[0]: http://ve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5365
diff -u dhcp-2.0pl5dfsg1/debian/changelog dhcp-2.0pl5dfsg1/debian/changelog
--- dhcp-2.0pl5dfsg1/debian/changelog
+++ dhcp-2.0pl5dfsg1/debian/changelog
@@ -1,3 +1,12 @@
+dhcp (2.0pl5dfsg1-20.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Fix stack-based buffer overflow in options.c, which allows arbitrary
+ code execution or cause of a DoS through remote attackers
+ Fixes: CVE-2007-5365
+
+ -- Steffen Joeris <white@debian.org> Fri, 12 Oct 2007 12:33:17 +0000
+
dhcp (2.0pl5dfsg1-20) unstable; urgency=medium
* Taking over unmaintained package.
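Review bot: the new 2.0pl5dfsg1-20.1 changelog entry names the CVE but carries no bug-closing reference, so the upload will not close the report on its own; add "(Closes: #446354)" to the "Fixes: CVE-2007-5365" line. The phrase "or cause of a DoS through remote attackers" would also read more clearly as "or a denial of service by remote attackers".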
only in patch2:
unchanged:
--- dhcp-2.0pl5dfsg1.orig/debian/patches/305_CVE-2007-5365.patch
+++ dhcp-2.0pl5dfsg1/debian/patches/305_CVE-2007-5365.patch
@@ -0,0 +1,16 @@
+--- options.c.orig 2007-10-12 12:22:41.000000000 +0000
++++ dhcp-2.0pl5dfsg1/common/options.c 2007-10-12 12:23:42.000000000 +0000
+@@ -188,9 +188,12 @@
+ inpacket &&
+ inpacket -> options [DHO_DHCP_MAX_MESSAGE_SIZE].data &&
+ (inpacket -> options [DHO_DHCP_MAX_MESSAGE_SIZE].len >=
+- sizeof (u_int16_t)))
++ sizeof (u_int16_t))){
+ mms = getUShort (inpacket -> options
+ [DHO_DHCP_MAX_MESSAGE_SIZE].data);
++ if (mms < 576)
++ mms = 576; /* mms must be >= minimum IP MTU */
++ }
+
+ /* If the client has provided a maximum DHCP message size,
+ use that; otherwise, if it's BOOTP, only 64 bytes; otherwise
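Review bot: the clamp added after "mms = getUShort (...)" sets only a floor; nothing in this hunk bounds mms from above or ties it to the size of the buffer the options are later written into, so the lower bound alone should not be read as proof that the later length arithmetic is safe. Please check every place in cons_options that derives a length from mms against the real destination size, and replace the literal 576 with a named constant so the floor is defined in one place.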
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Fri, 12 Oct 2007 12:57:02 GMT)
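An added example, not part of the bug report and not the dhcpd source: a C sketch of validating the client's maximum message size (option 57) before any length is derived from it. It applies the 576 floor from the patch and, going beyond the patch, also caps the result to the destination buffer; the function names, the 264-byte overhead and the sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD 0
#define OPT_END 255
#define OPT_MAX_MSG_SIZE 57   /* DHCP "Maximum DHCP Message Size" option */
#define MIN_MSG_SIZE 576      /* floor applied by the patch in this report */
#define FIXED_OVERHEAD 264    /* assumption: 236-byte BOOTP header + 28 bytes IP/UDP */

/* Constructed option areas (not captured traffic). */
static const uint8_t tiny_mms[]  = {53, 1, 1, 57, 2, 0x00, 0x64, 255}; /* mms = 100  */
static const uint8_t large_mms[] = {53, 1, 1, 57, 2, 0x05, 0xdc, 255}; /* mms = 1500 */
static const uint8_t cut_short[] = {53, 1, 1, 57, 2, 0x00};            /* value truncated */

/* Walk the code/length/value list; return option 57's value, or 0 if absent or malformed. */
static unsigned find_mms(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) break;
        if (i >= len) return 0;               /* no length byte left */
        size_t olen = opts[i++];
        if (olen > len - i) return 0;         /* value would run past the buffer */
        if (code == OPT_MAX_MSG_SIZE && olen >= 2)
            return ((unsigned)opts[i] << 8) | opts[i + 1];
        i += olen;
    }
    return 0;
}

/* Option bytes a reply may carry: floor the client's value, then cap to the real buffer. */
size_t option_budget(const uint8_t *opts, size_t len, size_t out_cap)
{
    unsigned mms = find_mms(opts, len);
    if (mms < MIN_MSG_SIZE) mms = MIN_MSG_SIZE;   /* also covers "absent" (0) */
    size_t budget = (size_t)mms - FIXED_OVERHEAD; /* cannot wrap: 576 > 264 */
    return budget < out_cap ? budget : out_cap;   /* never exceed the destination */
}

int main(void)
{
    printf("%zu %zu %zu\n", option_budget(tiny_mms, sizeof tiny_mms, 1024),
           option_budget(large_mms, sizeof large_mms, 1024),
           option_budget(cut_short, sizeof cut_short, 1024));
    return 0;
}
```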
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
On Fri Oct 12, 2007 at 22:51:24 +1000, Steffen Joeris wrote:
> A patch is attached below. Please tell me if you want to take care of
> it or if I should upload.
Thanks for the patch, I will upload with it.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
Hi Steve,
any news about the upload? Ping me if you don't have the
time and need an NMU.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
Hi,
Uploading a 0-day NMU based on Steffen's patch since Steffen
is away this weekend and no one else seems to do it :)
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
# Automatically generated email from bts, devscripts version 2.10.9
# adding fix as the bug number was missing in the changelog
fixed 446354 2.0pl5dfsg1-20.1
Bug marked as fixed in version 2.0pl5dfsg1-20.1.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sun, 28 Oct 2007 00:39:02 GMT)
Bug marked as found in version 2.0pl5-19.1sarge3.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Sun, 28 Oct 2007 14:36:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
Subject: OpenBSD patch for CVE-2007-5365 is insufficient
Date: Mon, 29 Oct 2007 19:33:17 +0100
Hi!
During testing of our updated dhcp packages, we have found out that
the patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
still possible to crash dhcpd. Your dhcp packages released in DSA
1388-1 also seem affected. You can find a better patch based on dhcp-3.x
code here:
https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
Note: security@d.o was notified on 2007-10-23.
Updated DSA 1388-3 released on 2007-10-29.
--
Tomas Hoger
Red Hat Security Response Team
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
Subject: Re: OpenBSD patch for CVE-2007-5365 is insufficient
Date: Mon, 29 Oct 2007 20:47:32 +0000
On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:
> During testing of our updated dhcp packages, we have found out that
> the patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
> still possible to crash dhcpd. Your dhcp packages released in DSA
> 1388-1 also seem affected. You can find a better patch based on dhcp-3.x
> code here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
>
> Note: security@d.o was notified on 2007-10-23.
> Updated DSA 1388-3 released on 2007-10-29.
Thanks, we have a built package already. I'm not sure who is
releasing it - I guess I should since I did the previous one.
I'll chase it tomorrow/wednesday.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
# Automatically generated email from bts, devscripts version 2.10.9
# marking as found since upstream fix was incomplete
found 446354 2.0pl5dfsg1-20.1
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
Hi Steve,
* Steve Kemp <skx@debian.org> [2007-10-29 21:59]:
> On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:
>
> > During testing of our updated dhcp packages, we have found out that
> > the patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
> > still possible to crash dhcpd. Your dhcp packages released in DSA
> > 1388-1 also seem affected. You can find a better patch based on dhcp-3.x
> > code here:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
> >
> > Note: security@d.o was notified on 2007-10-23.
> > Updated DSA 1388-3 released on 2007-10-29.
>
> Thanks, we have a built package already. I'm not sure who is
> releasing it - I guess I should since I did the previous one.
> I'll chase it tomorrow/wednesday.
I'll reupload the NMU for unstable to fix this.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug marked as found in version 2.0pl5dfsg1-20.1.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 29 Oct 2007 21:27:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>: Bug#446354; Package dhcp.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>.
Hi,
* Nico Golde <nion@debian.org> [2007-10-29 22:30]:
> * Steve Kemp <skx@debian.org> [2007-10-29 21:59]:
> > On Mon Oct 29, 2007 at 19:33:17 +0100, Tomas Hoger wrote:
> >
> > > During testing of our updated dhcp packages, we have found out that
> > > the patch for CVE-2007-5365 used by OpenBSD was not sufficient and it was
> > > still possible to crash dhcpd. Your dhcp packages released in DSA
> > > 1388-1 also seem affected. You can find a better patch based on dhcp-3.x
> > > code here:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=327781#c5
> > >
> > > Note: security@d.o was notified on 2007-10-23.
> > > Updated DSA 1388-3 released on 2007-10-29.
> >
> > Thanks, we have a built package already. I'm not sure who is
> > releasing it - I guess I should since I did the previous one.
> > I'll chase it tomorrow/wednesday.
>
> I'll reupload the NMU for unstable to fix this.
Attached is the patch for this, I am uploading it now.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Subject: Bug#446354: fixed in dhcp 2.0pl5dfsg1-20.2
Date: Mon, 29 Oct 2007 22:02:02 +0000
Source: dhcp
Source-Version: 2.0pl5dfsg1-20.2
We believe that the bug you reported is fixed in the latest version of
dhcp, which is due to be installed in the Debian FTP archive:
dhcp-client-udeb_2.0pl5dfsg1-20.2_i386.udeb
to pool/main/d/dhcp/dhcp-client-udeb_2.0pl5dfsg1-20.2_i386.udeb
dhcp-client_2.0pl5dfsg1-20.2_i386.deb
to pool/main/d/dhcp/dhcp-client_2.0pl5dfsg1-20.2_i386.deb
dhcp-relay_2.0pl5dfsg1-20.2_i386.deb
to pool/main/d/dhcp/dhcp-relay_2.0pl5dfsg1-20.2_i386.deb
dhcp_2.0pl5dfsg1-20.2.diff.gz
to pool/main/d/dhcp/dhcp_2.0pl5dfsg1-20.2.diff.gz
dhcp_2.0pl5dfsg1-20.2.dsc
to pool/main/d/dhcp/dhcp_2.0pl5dfsg1-20.2.dsc
dhcp_2.0pl5dfsg1-20.2_i386.deb
to pool/main/d/dhcp/dhcp_2.0pl5dfsg1-20.2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 446354@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated dhcp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 29 Oct 2007 22:40:21 +0100
Source: dhcp
Binary: dhcp dhcp-client dhcp-client-udeb dhcp-relay
Architecture: source i386
Version: 2.0pl5dfsg1-20.2
Distribution: unstable
Urgency: high
Maintainer: Andreas Barth <aba@not.so.argh.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
dhcp - DHCP server for automatic IP address assignment
dhcp-client - DHCP Client
dhcp-client-udeb - DHCP Client for debian-installer (udeb)
dhcp-relay - DHCP Relay
Closes: 446354
Changes:
dhcp (2.0pl5dfsg1-20.2) unstable; urgency=high
.
* Non-maintainer upload by testing-security team.
* Updated 305_CVE-2007-5365.patch to fix incomplete
upstream patch for CVE-2007-5365 (Closes: #446354).
Files:
e0ac8b9214247ed5d788f1acdc5f28ea 645 net optional dhcp_2.0pl5dfsg1-20.2.dsc
551bf1a80a3cc86e73b85458f731fd0f 58279 net optional dhcp_2.0pl5dfsg1-20.2.diff.gz
58d5d91aa6310c034b31f653fad168b5 110374 net optional dhcp_2.0pl5dfsg1-20.2_i386.deb
df243d5d1aa2e68c3d83593d021f47c1 103004 net extra dhcp-client_2.0pl5dfsg1-20.2_i386.deb
0424e791315327491754385e94ce7727 72022 net extra dhcp-relay_2.0pl5dfsg1-20.2_i386.deb
f83b550b9c0b9cc11f98c3552c474907 40412 debian-installer extra dhcp-client-udeb_2.0pl5dfsg1-20.2_i386.udeb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 17 Dec 2007 07:45:25 GMT)