Bug 275231 (CVE-2009-1892) - <net-misc/dhcp-3.1.2_p1 dhcpd DoS (CVE-2009-1892)
Summary: <net-misc/dhcp-3.1.2_p1 dhcpd DoS (CVE-2009-1892)
Status: RESOLVED FIXED
Alias: CVE-2009-1892
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-23 23:49 UTC by Robert Buchholz (RETIRED)
Modified: 2009-08-18 21:41 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
dhcp-3.1.1-CVE-2009-0692.patch (494 bytes, patch), 2009-06-26 11:34 UTC, Robert Buchholz (RETIRED)
dhcp-3.1.1-r1.ebuild (7.40 KB, patch), 2009-06-26 11:35 UTC, Robert Buchholz (RETIRED)
dhcp-3.1.2-CVE-2009-0692.patch (598 bytes, patch), 2009-07-13 12:34 UTC, Tony Vroon (RETIRED)
dhcp-3.1.2-r1.ebuild (7.44 KB, text/plain), 2009-07-13 12:36 UTC, Tony Vroon (RETIRED)
dhcp-3.1.2-CVE-2009-1892.patch (427 bytes, patch), 2009-07-13 13:28 UTC, Tony Vroon (RETIRED)
dhcp-3.1.2-r1.ebuild (7.54 KB, text/plain), 2009-07-13 13:31 UTC, Tony Vroon (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-06-23 23:49:10 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

ISC dhclient has a stack overflow vulnerability which makes it
theoretically possible for a rogue DHCP server to execute arbitrary
commands as root on the affected system through stack return
subversion.

...
Fix:
        Upgrade to 4.1.0p1, 4.0.1p1, or 3.1.2p1

        There are no fixes planned for DHCP 3.0 or DHCP 2.0, as those
        release trains have reached End-Of-Life.
...
CVE:    VU#410676, pre-assigned CVE# CVE-2009-0692
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-06-26 11:34:59 UTC
Created attachment 195806 [details, diff]
dhcp-3.1.1-CVE-2009-0692.patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-06-26 11:35:24 UTC
Created attachment 195807 [details, diff]
dhcp-3.1.1-r1.ebuild
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-06-26 11:35:40 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, tester
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : fmccor
     x86 : armin76, maekke

Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-06-26 11:36:33 UTC
The disclosure date has been postponed to July 14, 2009.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-26 11:59:42 UTC
CC'ing Fauli for x86 pretesting.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-26 15:00:00 UTC
HPPA is OK.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-06-26 15:46:13 UTC
x86 ok via fauli (and i'm his human-proxy)
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-26 19:25:24 UTC
amd64 is fine
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-06-27 10:32:20 UTC
Looks okay on alpha/arm/s390/sh/sparc
Comment 10 Joe Jezak (RETIRED) gentoo-dev 2009-07-02 12:12:53 UTC
Appears fine on ppc/ppc64.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-07-02 14:08:38 UTC
All arches responded positively. Thanks!

Note that the patch is not officially endorsed by upstream. We have not received a patch by ISC as they only distribute patches within the DHCP Forum. I would propose we commit this patch (that has been tested) on the embargo date. The official patch/release can go into the tree at the same or any later time.
Comment 12 Tony Vroon (RETIRED) gentoo-dev 2009-07-09 14:52:24 UTC
It would be worth applying the fix to 3.1.2 instead of 3.1.1; it is a better ebuild with a few long overdue fixes applied. Nothing that would jeopardize the testing that arch teams have done: an extra keepdir statement, chown now recurses in case there is a stale PID file owned by root, and the init script now pre-tests the config apache-style.
Hope you all agree, if not, let me know please.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-09 14:56:03 UTC
I agree with Tony here.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 15:36:39 UTC
When I attached the ebuild basing it on 3.1.1 seemed like the best idea. Nevertheless, we have a few days left and arches can retry with the latest upstream release, if you attach a new ebuild to this bug.
If a Liaison chooses to not re-test a 3.1.2-r1 ebuild due to time constraints, we can commit both ebuilds on embargo deadline.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-07-09 17:02:22 UTC
Christoph Biedl reported a Denial of Service vulnerability in dhcpd under certain conditions. The DoS can be triggered by a DHCP request when the DHCP server has configured host definitions using "dhcp-client-identifier" and "hardware ethernet" for a host that is not reachable via the interface the request is received from.

Tony will attach a second patch and a new 3.1.2-based ebuild.
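A configuration audit for the condition described in comment 15, added here as an example (it is not from the bug report, the attached patches, or ISC's code): it scans a dhcpd.conf for host declarations that combine "dhcp-client-identifier" with "hardware ethernet", the pairing an unpatched dhcpd needs before a request can crash it. The sample configuration, the function names and the assumption that host blocks contain no nested braces are all constructed for this example.

```python
import re

# Constructed sample dhcpd.conf (not taken from the bug report). Only the
# "laptop" host combines both settings named in CVE-2009-1892.
SAMPLE_CONF = """
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;
}
host printer {
  hardware ethernet 00:00:5e:00:53:01;   # hardware only: not affected
  fixed-address 192.0.2.10;
}
host laptop {
  option dhcp-client-identifier "laptop-01";
  hardware ethernet 00:00:5e:00:53:02;   # both settings: affected
  fixed-address 192.0.2.11;
}
host phone {
  option dhcp-client-identifier 01:00:00:5e:00:53:03;   # identifier only
  fixed-address 192.0.2.12;
}
"""

# Assumption: host declarations have a flat body (no nested braces), which
# is the common shape of dhcpd.conf host blocks.
HOST_BLOCK = re.compile(r'\bhost\s+([^\s{]+)\s*\{([^}]*)\}', re.DOTALL)


def strip_comments(text):
    """Drop '#' comments so a commented-out setting is not counted."""
    return re.sub(r'#[^\n]*', '', text)


def find_affected_hosts(conf_text):
    """Return the names of host declarations that set both
    dhcp-client-identifier and hardware ethernet."""
    affected = []
    for name, body in HOST_BLOCK.findall(strip_comments(conf_text)):
        has_cid = re.search(r'\bdhcp-client-identifier\b', body) is not None
        has_hw = re.search(r'\bhardware\s+ethernet\b', body) is not None
        if has_cid and has_hw:
            affected.append(name)
    return affected


if __name__ == "__main__":
    for host in find_affected_hosts(SAMPLE_CONF):
        print("host %s combines dhcp-client-identifier and hardware ethernet" % host)
```

The scan only finds the configuration half of the condition; whether such a host is reachable from the interface a request arrives on depends on the network, so any flagged host on a dhcpd older than the fixed releases should be treated as exposed.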
Comment 16 Tony Vroon (RETIRED) gentoo-dev 2009-07-13 12:34:01 UTC
Created attachment 197776 [details, diff]
dhcp-3.1.2-CVE-2009-0692.patch
Comment 17 Tony Vroon (RETIRED) gentoo-dev 2009-07-13 12:36:12 UTC
Created attachment 197778 [details]
dhcp-3.1.2-r1.ebuild
Comment 18 Tony Vroon (RETIRED) gentoo-dev 2009-07-13 13:28:44 UTC
Created attachment 197780 [details, diff]
dhcp-3.1.2-CVE-2009-1892.patch
Comment 19 Tony Vroon (RETIRED) gentoo-dev 2009-07-13 13:31:23 UTC
Created attachment 197782 [details]
dhcp-3.1.2-r1.ebuild
Comment 20 Tony Vroon (RETIRED) gentoo-dev 2009-07-13 13:36:36 UTC
AMD64 stable keyword preapproved, tested USE-flag combinations:
[ebuild   R   ] net-misc/dhcp-3.1.2-r1  USE="-doc -minimal (-selinux) -static" 0 kB [1]
[ebuild   R   ] net-misc/dhcp-3.1.2-r1  USE="minimal static -doc (-selinux)" 0 kB [1]
[ebuild   R   ] net-misc/dhcp-3.1.2-r1  USE="doc -minimal (-selinux) -static" 0 kB [1]

System info:
Portage 2.1.6.13 (default/linux/amd64/2008.0/no-multilib, gcc-4.3.3, glibc-2.10.1-r0, 2.6.31-rc2-00257-gc2cc49a x86_64)
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-07-13 13:41:10 UTC
liaisons, please test the =net-misc/dhcp-3.1.2-r1 ebuild that applies both patches. thanks!
Comment 22 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-13 23:03:48 UTC
Splitting off the dhclient issue for CRD tomorrow.
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2009-07-14 21:59:33 UTC
this is now public
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2009-07-14 22:25:56 UTC
I added the CVE-2009-1892 patch and the 3.1.2p1 release, which carries upstream's CVE-2009-0692 patch (it is equivalent to ours), to the tree.
Tony, I would appreciate you testing it in your setup as well and then we can add arches to this bug.
Comment 25 Tony Vroon (RETIRED) gentoo-dev 2009-07-16 10:40:31 UTC
3.1.2_p1 tested on a production system with ~15 clients active; 
[ebuild   R   ] net-misc/dhcp-3.1.2_p1  USE="-doc -minimal (-selinux) -static" 0 kB

System info:
Portage 2.1.6.13 (hardened/amd64, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.28-hardened-r9 x86_64)

Robert, please feel free to add arches. When you do I'll keyword AMD64 for you.
Comment 26 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-16 11:18:40 UTC
Arches, please test and mark stable:
=net-misc/dhcp-3.1.2_p1
Target keywords : "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"
Comment 27 Tony Vroon (RETIRED) gentoo-dev 2009-07-16 11:29:26 UTC
+  16 Jul 2009; <chainsaw@gentoo.org> dhcp-3.1.2_p1.ebuild:
+  Marked stable on AMD64 for security bug #275231; tested on a dual
+  dual-core Opteron 2220 system with ~15 clients spread over two subnets.
Comment 28 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-16 18:14:42 UTC
x86 stable
Comment 29 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-17 13:09:34 UTC
Stable for HPPA.
Comment 30 Tobias Klausmann (RETIRED) gentoo-dev 2009-07-19 16:37:48 UTC
Stable on alpha.
Comment 31 nixnut (RETIRED) gentoo-dev 2009-07-19 17:17:07 UTC
ppc stable
Comment 32 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-20 19:17:27 UTC
CVE-2009-1892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1892):
  dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier
  and hardware ethernet configuration settings are both used, allows
  remote attackers to cause a denial of service (daemon crash) via
  unspecified requests.

Comment 33 Raúl Porcel (RETIRED) gentoo-dev 2009-07-22 14:36:48 UTC
arm/s390/sh/sparc stable
Comment 34 Brent Baude (RETIRED) gentoo-dev 2009-07-26 12:45:28 UTC
ppc64 done
Comment 35 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-18 21:41:49 UTC
GLSA 200908-08