Bug 571152 (CVE-2016-1503)

Comment 1 William Hubbs 2016-01-07 20:53:07 UTC

@security:
6.10.0 is in ~arch. Do we need a fast stable for this?

Comment 2 Mikle Kolyada (RETIRED) 2016-01-07 20:54:08 UTC

(In reply to William Hubbs from comment #1)
> @security:
> 6.10.0 is in ~arch. Do we need a fast stable for this?

yes we do

WARNING about fast stabling this version:
some hooks were moved from the hook directory to an example directory, one of which was the hook to start wpa_supplicant if correctly configured.
Some users *may* be using this for handling the hotplugging of interfaces, such as a USB wireless stick. I know I did.

Comment 4 William Hubbs 2016-01-08 17:43:28 UTC

A news item is now published for this.
Please proceed with fast stabilization.

Thanks,

William

Comment 5 Mikle Kolyada (RETIRED) 2016-01-08 18:39:28 UTC

Arches. please proceed. I've handled amd64 by myself

Comment 6 Rick Farina (Zero_Chaos) 2016-01-10 18:32:16 UTC

arm stable

I did not get the news with emerge now using git for sync. Of course I would have found the example hooks at doc: /usr/share/doc/dhcpcd-6.10.0/hooks-examples

? Why the place for a documentory purpose at /usr/share/dhcpcd/hooks

? There is no proper place under /etc to place them, 
like other software would offer e.g: /etc/dhcpcd/hooks.d

(In reply to Ulenrich from comment #7)
> I did not get the news with emerge now using git for sync. Of course I would
> have found the example hooks at doc:
> /usr/share/doc/dhcpcd-6.10.0/hooks-examples
> 
> ? Why the place for a documentory purpose at /usr/share/dhcpcd/hooks
> 
> ? There is no proper place under /etc to place them, 
> like other software would offer e.g: /etc/dhcpcd/hooks.d

Why not use the appropriate USE flags instead of urging the user to manually copy those files?

There are:
https://packages.gentoo.org/useflags/wifi
https://packages.gentoo.org/useflags/timezone
https://packages.gentoo.org/useflags/hostname

(In reply to charles17 from comment #8)
> Why not use the appropriate USE flags instead of urging the user to manually
> copy those files?
> 
> There are:
> https://packages.gentoo.org/useflags/wifi

Wifi is too generic a term.
wpa_supplicant is more specific as the hook only handles starting/stopping wpa_supplicant in specific scenarios.

For BSD at least I am working on a patchset for wpa_supplicant so it work with interface arrival/departures.

Comment 10 Jeroen Roovers (RETIRED) 2016-01-12 06:47:35 UTC

Stable for HPPA PPC64.

Comment 11 Andreas Schürch 2016-01-15 13:43:14 UTC

x86 done

Comment 12 Tobias Klausmann (RETIRED) 2016-01-17 16:03:58 UTC

Stable on alpha.

Comment 13 Agostino Sarubbo 2016-01-17 17:08:01 UTC

ppc stable

Comment 14 William Hubbs 2016-01-25 18:49:35 UTC

Arch teams,

Can we get this version stabilized everywhere so I can remove the
vulnerable versions?

Thanks,

William

Comment 15 William Hubbs 2016-01-28 18:48:18 UTC

Why is this major security bug not stabilized everywhere yet?
Is there something I can do to get more movement on it?

Thanks,

William

Comment 16 SpanKY 2016-01-28 19:44:12 UTC

the rest are done now

Comment 17 SpanKY 2016-01-28 19:44:13 UTC

the rest are done now

Comment 18 William Hubbs 2016-01-29 14:53:58 UTC

@vapier:
Thanks much, it is appreciated.

All,

All versions <dhcpcd-6.10.0 have been removed from the tree.

Comment 19 Kristian Fiskerstrand (RETIRED) 2016-02-08 20:32:59 UTC

New GLSA request filed

Comment 20 GLSAMaker/CVETool Bot 2016-03-13 12:33:17 UTC

CVE-2016-1504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1504):
  dhcpcd is susceptible to an invalid read/crash via malformed DHCP responses.

CVE-2016-1503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1503):
  dhcpcd contains a heap overflow via malformed dhcp responses in print_option
  (via dhcp_envoption1) due to incorrect option length values.

Comment 21 GLSAMaker/CVETool Bot 2016-06-18 17:02:37 UTC

This issue was resolved and addressed in
 GLSA 201606-07 at https://security.gentoo.org/glsa/201606-07
by GLSA coordinator Kristian Fiskerstrand (K_F).