Package: dhcp
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE[0] has been issued against dhcp.

CVE-2007-5365:

Stack-based buffer overflow in the cons_options function in options.c in
dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute
arbitrary code or cause a denial of service (daemon crash) via a DHCP
request specifying a maximum message size smaller than the minimum IP
MTU.

A patch is attached below. Please tell me if you want to take care of
it or if I should upload.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5365

diff -u dhcp-2.0pl5dfsg1/debian/changelog dhcp-2.0pl5dfsg1/debian/changelog
--- dhcp-2.0pl5dfsg1/debian/changelog
+++ dhcp-2.0pl5dfsg1/debian/changelog
@@ -1,3 +1,12 @@
+dhcp (2.0pl5dfsg1-20.1) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Fix stack-based buffer overflow in options.c, which allows arbitrary
+    code execution or cause of a DoS through remote attackers
+    Fixes: CVE-2007-5365
+
+ -- Steffen Joeris <[EMAIL PROTECTED]>  Fri, 12 Oct 2007 12:33:17 +0000
+
 dhcp (2.0pl5dfsg1-20) unstable; urgency=medium

   * Taking over unmaintained package.
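Review bot: the new changelog entry does not name the file it adds, debian/patches/305_CVE-2007-5365.patch, and the wording "or cause of a DoS through remote attackers" is hard to parse. Suggest something like "Add 305_CVE-2007-5365.patch: fix stack-based buffer overflow in cons_options (common/options.c); a remote attacker could crash dhcpd or execute arbitrary code", keeping the "Fixes: CVE-2007-5365" line.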
only in patch2:
unchanged:
--- dhcp-2.0pl5dfsg1.orig/debian/patches/305_CVE-2007-5365.patch
+++ dhcp-2.0pl5dfsg1/debian/patches/305_CVE-2007-5365.patch
@@ -0,0 +1,16 @@
+--- options.c.orig     2007-10-12 12:22:41.000000000 +0000
++++ dhcp-2.0pl5dfsg1/common/options.c  2007-10-12 12:23:42.000000000 +0000
+@@ -188,9 +188,12 @@
+           inpacket &&
+           inpacket -> options [DHO_DHCP_MAX_MESSAGE_SIZE].data &&
+           (inpacket -> options [DHO_DHCP_MAX_MESSAGE_SIZE].len >=
+-           sizeof (u_int16_t)))
++           sizeof (u_int16_t))){
+               mms = getUShort (inpacket -> options
+                                [DHO_DHCP_MAX_MESSAGE_SIZE].data);
++               if (mms < 576)
++                              mms = 576;        /* mms must be >= minimum IP 
MTU */
++              }
+
+       /* If the client has provided a maximum DHCP message size,
+          use that; otherwise, if it's BOOTP, only 64 bytes; otherwise
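Review bot: the comment on the added "mms = 576;" line has been wrapped, so "MTU */" sits on a line of its own with no "+" prefix, and the embedded 305_CVE-2007-5365.patch will not apply as mailed (the "@@ -0,0 +1,16 @@" count only matches with the comment on one line). Please re-send the patch unwrapped, as a real attachment, or shorten the comment. Two smaller points on the same added lines: 576 appears twice as a bare literal and would read better as a named constant, and the closing brace is indented differently from the "if" it closes. The clamp sets only a lower bound on mms; this hunk does not show how mms is used afterwards, so it is worth confirming in the rest of cons_options that the value cannot exceed the buffer it sizes.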

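The lower-bound check from the CVE description, shown in a self-contained option walker. This is an added example, not code from dhcpd or from the attached patch; effective_mms, the macro names and the sample byte arrays are assumptions constructed here, and the walker also bounds-checks each option, which goes beyond the single clamp discussed above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD 0
#define OPT_MAX_MESSAGE_SIZE 57  /* RFC 2132 code; DHO_DHCP_MAX_MESSAGE_SIZE in the patch */
#define OPT_END 255
#define MIN_IP_MTU 576           /* same floor the patch applies */

/* Constructed sample option areas (not captured traffic). */
static const uint8_t sample_small[] = {53, 1, 1, 57, 2, 0x00, 0x40, 255}; /* mms = 64 */
static const uint8_t sample_ok[]    = {0, 57, 2, 0x05, 0xDC, 255};        /* mms = 1500 */
static const uint8_t sample_trunc[] = {57, 2, 0x00};                      /* value cut short */

/* Hypothetical helper: walk the code/length/value options of a DHCP packet
 * and return the maximum message size the server should honour. Returns dflt
 * when option 57 is absent or malformed. A client value below MIN_IP_MTU is
 * raised to MIN_IP_MTU and *clamped is set to 1 so the caller can log it. */
uint16_t effective_mms(const uint8_t *opts, size_t len, uint16_t dflt, int *clamped)
{
    size_t i = 0;
    *clamped = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == OPT_PAD) continue;      /* pad has no length byte */
        if (code == OPT_END) break;
        if (i >= len) break;                /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) break;          /* value would run past the buffer */
        if (code == OPT_MAX_MESSAGE_SIZE && olen >= sizeof(uint16_t)) {
            uint16_t mms = (uint16_t)((opts[i] << 8) | opts[i + 1]); /* network order */
            if (mms < MIN_IP_MTU) { *clamped = 1; return MIN_IP_MTU; }
            return mms;
        }
        i += olen;
    }
    return dflt;
}

int main(void)
{
    int c;
    uint16_t m = effective_mms(sample_small, sizeof sample_small, 1024, &c);
    printf("mms=%u clamped=%d\n", (unsigned)m, c);
    return 0;
}
```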