Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 571152 (CVE-2016-1503) - <net-misc/dhcpcd-6.10.0: two vulnerabilities (CVE-2016-{1503,1504})
Summary: <net-misc/dhcpcd-6.10.0: two vulnerabilities (CVE-2016-{1503,1504})
Status: RESOLVED FIXED
Alias: CVE-2016-1503
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-07 11:23 UTC by Agostino Sarubbo
Modified: 2016-06-18 17:02 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-01-07 11:23:35 UTC
From ${URL} :

dhcpcd recently fixed two security issues. Can you assign CVE ids to these?

http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9
can lead to a heap overflow via malformed dhcp responses later in print_option (via dhcp_envoption1) due to incorrect option length values. exploitation is non-trivial, but i'd love to be proven wrong.

http://roy.marples.name/projects/dhcpcd/info/595883e2a431f65d
can lead to an invalid read/crash via malformed dhcp responses. not exploitable beyond DoS as far as I can judge.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 William Hubbs gentoo-dev 2016-01-07 20:53:07 UTC
@security:
6.10.0 is in ~arch. Do we need a fast stable for this?
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2016-01-07 20:54:08 UTC
(In reply to William Hubbs from comment #1)
> @security:
> 6.10.0 is in ~arch. Do we need a fast stable for this?

yes we do
Comment 3 Roy Marples 2016-01-07 22:16:35 UTC
WARNING about fast stabling this version:
some hooks were moved from the hook directory to an example directory, one of which was the hook to start wpa_supplicant if correctly configured.
Some users *may* be using this for handling the hotplugging of interfaces, such as a USB wireless stick. I know I did.
Comment 4 William Hubbs gentoo-dev 2016-01-08 17:43:28 UTC
A news item is now published for this.
Please proceed with fast stabilization.

Thanks,

William
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2016-01-08 18:39:28 UTC
Arches. please proceed. I've handled amd64 by myself
Comment 6 Rick Farina (Zero_Chaos) gentoo-dev 2016-01-10 18:32:16 UTC
arm stable
Comment 7 Ulenrich 2016-01-11 00:38:18 UTC
I did not get the news with emerge now using git for sync. Of course I would have found the example hooks at doc: /usr/share/doc/dhcpcd-6.10.0/hooks-examples

? Why the place for a documentory purpose at /usr/share/dhcpcd/hooks

? There is no proper place under /etc to place them, 
like other software would offer e.g: /etc/dhcpcd/hooks.d
Comment 8 charles17 2016-01-11 11:24:39 UTC
(In reply to Ulenrich from comment #7)
> I did not get the news with emerge now using git for sync. Of course I would
> have found the example hooks at doc:
> /usr/share/doc/dhcpcd-6.10.0/hooks-examples
> 
> ? Why the place for a documentory purpose at /usr/share/dhcpcd/hooks
> 
> ? There is no proper place under /etc to place them, 
> like other software would offer e.g: /etc/dhcpcd/hooks.d

Why not use the appropriate USE flags instead of urging the user to manually copy those files?

There are:
https://packages.gentoo.org/useflags/wifi
https://packages.gentoo.org/useflags/timezone
https://packages.gentoo.org/useflags/hostname
Comment 9 Roy Marples 2016-01-11 11:46:00 UTC
(In reply to charles17 from comment #8)
> Why not use the appropriate USE flags instead of urging the user to manually
> copy those files?
> 
> There are:
> https://packages.gentoo.org/useflags/wifi

Wifi is too generic a term.
wpa_supplicant is more specific as the hook only handles starting/stopping wpa_supplicant in specific scenarios.

For BSD at least I am working on a patchset for wpa_supplicant so it work with interface arrival/departures.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-12 06:47:35 UTC
Stable for HPPA PPC64.
Comment 11 Andreas Schürch gentoo-dev 2016-01-15 13:43:14 UTC
x86 done
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2016-01-17 16:03:58 UTC
Stable on alpha.
Comment 13 Agostino Sarubbo gentoo-dev 2016-01-17 17:08:01 UTC
ppc stable
Comment 14 William Hubbs gentoo-dev 2016-01-25 18:49:35 UTC
Arch teams,

Can we get this version stabilized everywhere so I can remove the
vulnerable versions?

Thanks,

William
Comment 15 William Hubbs gentoo-dev 2016-01-28 18:48:18 UTC
Why is this major security bug not stabilized everywhere yet?
Is there something I can do to get more movement on it?

Thanks,

William
Comment 16 SpanKY gentoo-dev 2016-01-28 19:44:12 UTC
the rest are done now
Comment 17 SpanKY gentoo-dev 2016-01-28 19:44:13 UTC
the rest are done now
Comment 18 William Hubbs gentoo-dev 2016-01-29 14:53:58 UTC
@vapier:
Thanks much, it is appreciated.

All,

All versions <dhcpcd-6.10.0 have been removed from the tree.
Comment 19 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-08 20:32:59 UTC
New GLSA request filed
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2016-03-13 12:33:17 UTC
CVE-2016-1504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1504):
  dhcpcd is susceptible to an invalid read/crash via malformed DHCP responses.

CVE-2016-1503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1503):
  dhcpcd contains a heap overflow via malformed dhcp responses in print_option
  (via dhcp_envoption1) due to incorrect option length values.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2016-06-18 17:02:37 UTC
This issue was resolved and addressed in
 GLSA 201606-07 at https://security.gentoo.org/glsa/201606-07
by GLSA coordinator Kristian Fiskerstrand (K_F).