Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 198252

Summary: net-misc/dhcpcd-3.1.7 logging DoS
Product: Gentoo Security Reporter: Duncan <1i5t5.duncan>
Component: VulnerabilitiesAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: normal CC: lkundrak, roy, uberlord
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
Description Flags
clear signals when read none

Description Duncan 2007-11-06 10:22:24 UTC 
Using dhcpcd -n, to send SIGALRM to the daemon and get it to renew its lease (as in the manpage) results in an infinite loop, filling up the log with the following repeated message:

dhcpcd[pid]: eth0: received SIGALRM, renewing lease

This used to work, and I use it occasionally to renew my lease after resetting my VoIP-device/router.  However, earlier this morning I tried it, and quickly ran out of space on my log device as the messages log grew to gigs in size (from <200 lines, when I invoked the command)!

The DOS aspects of this are obvious.

I've just remerged world after upgrading to a new pair of Opteron 290s and adding -msse3 to my CFLAGS accordingly.  Thus the following emerge --info should be valid for the entire system, dhcpcd and glibc included, save for the occasional /etc/portage/env/* or the like alteration where necessary.

$emerge --info
Portage 2.1.3.17 (default-linux/amd64/2007.0/no-multilib, gcc-4.2.2, glibc-2.6.1-r0, 2.6.23.1 x86_64)
=================================================================
System uname: 2.6.23.1 x86_64 Dual Core AMD Opteron(tm) Processor 290
Timestamp of tree: Tue, 06 Nov 2007 08:30:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.5.1-r3
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
dev-util/confcache:  0.4.2-r1
sys-apps/baselayout: 2.0.0_rc6
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18.50.0.1, 2.18.50.0.2
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -O2 -pipe -frename-registers -fweb -ftree-vectorize -freorder-blocks-and-partition -combine -fgcse-sm -fgcse-las -fgcse-after-reload -fmerge-all-constants"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /lib64/rcscripts/addons /mnt /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /usr/share/mc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=k8 -msse3 -O2 -pipe -frename-registers -fweb -ftree-vectorize -fgcse-sm -fgcse-las -fgcse-after-reload -fmerge-all-constants"
DISTDIR="/p/src"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --nospinner"
FEATURES="buildpkg ccache distlocks fixpackages parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://open-systems.ufl.edu/mirrors/gentoo http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ http://gentoo.mirrors.easynews.com/linux/gentoo/ http://cudlug.cudenver.edu/gentoo/ http://gentoo.chem.wisc.edu/gentoo/ http://gentoo.arcticnetwork.ca/"
LANG="en_US"
LDFLAGS="-Wl,-z,now -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j"
PKGDIR="/pkg"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from='/etc/portage/make.conf/rsync.exclude' --timeout=50 --prune-empty-dirs"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/p"
PORTDIR_OVERLAY="/p/layman/kde /p/layman/sunrise /l/p"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext 7zip X a52 aac acpi aiglx alsa amd64 amr apm arts asf audiofile avi bash-completion berkdb bitmap-fonts bzip2 cairo caps cdparanoia cdr cli cracklib crypt css cups curl dbus dga divx4linux dlloader dri dts dv dvd dvdr dvdread encode expat extrafilters fam fame ffmpeg flac font-server foomaticdb gdbm geoip gif glibc-omitfp gpm hal iconv idn ilbc imagemagick imlib isdnlog ithreads jp2 jpeg jpeg2k kde kdeenablefinal kdehiddenvisibility lcms libwww linuxthreads-tls lm_sensors logitech-mouse logrotate lzo lzw lzw-tiff mad maildir midi mikmod mjpeg mmx mmxext mng motif mp3 mp4 mpeg mudflap musicbrainz ncurses network no-old-linux nolvm1 nomirrors nptl nptlonly nsplugin offensive ogg openexr opengl openmp oss pam pcre pdf pic png ppds pppd profile python qt3 quicktime radeon readline reflection restrict-javascript scanner session slang smime speex spell spl sse sse2 ssl svg tcltk theora threads tiff truetype truetype-fonts type1 type1-fonts unicode usb userlocales vcd visualization vorbis x264 xcb xcomposite xine xinerama xml xml2 xorg xosd xpm xrandr xv xvid yv12 zlib zrtp" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 1 Lubomir Rintel 2007-11-06 16:11:43 UTC 
Thanks for your report.
In my opinion this is not a security issue.

Extensive logging is not anything that would be considered a DoS, as a logging can be triggered remotely arbitrairily -- via http request, ftp transfer, logging in and out, etc.

The fact that the daemon no longer server its purpose has no security implications as it can not be triggered by anyone (dhcpcd is not setuid, right?), just by an authenticated user with privileges to send the daemon process a signal (superuser). Furthermore he notices what has happened as the lease does not get renewed and problem is logged.
Comment 2 Roy Marples (RETIRED) gentoo-dev 2007-11-06 18:20:59 UTC 
Created attachment 135354 [details, diff]
clear signals when read

This patch should fix this. I also disagree with it being a security issue.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-06 19:02:33 UTC 
agreed, we do not consider client DoS as a security issue. Reassigning to maintainer (base-system).
Comment 4 Roy Marples (RETIRED) gentoo-dev 2007-11-26 22:36:51 UTC 
dhcpcd-3.1.8 - hopefully in the tree now - aleviates this a little. It should only report the address being added each time.