Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 393617 (CVE-2011-4539) - <net-misc/dhcp-4.2.3_p1 : Regular Expressions Denial of Service Vulnerability (CVE-2011-4539)
Summary: <net-misc/dhcp-4.2.3_p1 : Regular Expressions Denial of Service Vulnerability...
Status: RESOLVED FIXED
Alias: CVE-2011-4539
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47153/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-08 14:13 UTC by Agostino Sarubbo
Modified: 2013-01-09 00:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-12-08 14:13:14 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to an error related to regular expressions, which can be exploited to cause the daemon to crash by sending specially crafted DHCP packets.

Successful exploitation requires that the server is configured to evaluate expressions using regular expressions (e.g. uses the "~~" or "~=" comparison operators).

The vulnerability is reported in versions 4.x prior to versions 4.1-ESV-R4 and 4.2.3-P1.


Solution
Update to versions 4.1-ESV-R4 or 4.2.3-P1.
Comment 1 Agostino Sarubbo gentoo-dev 2011-12-08 14:16:39 UTC
I asked to vapier if is a default for gentoo configuration, if not I'll move to B3
Comment 2 SpanKY gentoo-dev 2011-12-08 15:56:45 UTC
when they say "if that server is configured to evaluate expressions using a regular expression", it isn't clear if they mean "the server has enabled an option in their dhcpd.conf" or if "the server has compiled in support for regular expressions".

for the former, we don't ship any default configs ... the user has to write everything.  for the latter, there's no real way to disable regex support in the server.  it relies on regex.h being available which is pretty much a given.

at any rate, dhcp-4.2.3_p1 now in the tree.
Comment 3 Agostino Sarubbo gentoo-dev 2011-12-08 17:32:29 UTC
Thanks Mike.

Arches, please test and mark stable:
=net-misc/dhcp-4.2.3_p1
Target keywords : "alpha amd64 arm hppa ppc ppc64 s390 sh sparc x86"
Comment 4 Paul B. Henson 2011-12-08 20:09:06 UTC
(In reply to comment #2)
> when they say "if that server is configured to evaluate expressions using a
> regular expression", it isn't clear if they mean "the server has enabled an
> option in their dhcpd.conf" or if "the server has compiled in support for
> regular expressions".

From http://www.isc.org/software/dhcp/advisories/cve-2011-4539 --

"This bug cannot be triggered if you are not using regular expressions in your configuration file."
Comment 5 Agostino Sarubbo gentoo-dev 2011-12-08 20:14:59 UTC
(In reply to comment #4)
> "This bug cannot be triggered if you are not using regular expressions in your
> configuration file."

Thanks, I think that it remains 'A' because there is no default configuration.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-12-09 17:18:55 UTC
Stable for HPPA.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2011-12-09 19:31:51 UTC
Nope, it's C, because only a custom, user-created config is vulnerable.
Comment 8 Agostino Sarubbo gentoo-dev 2011-12-09 21:11:36 UTC
(In reply to comment #7)
> Nope, it's C, because only a custom, user-created config is vulnerable.

as per: http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3

Dhcp is in: Common package (supposed present on at least 1/20 Gentoo installs)	Default	A
Specific B

So, at least it is B3
Comment 9 Agostino Sarubbo gentoo-dev 2011-12-10 14:01:54 UTC
According to lead is B

amd64 ok
Comment 10 Agostino Sarubbo gentoo-dev 2011-12-11 17:31:08 UTC
Stable for AMD64, sorry for extra mailspam.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-12-13 00:01:07 UTC
CVE-2011-4539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4539):
  dhcpd in ISC DHCP 4.x before 4.2.3-P1 and 4.1-ESV before 4.1-ESV-R4 does not
  properly handle regular expressions in dhcpd.conf, which allows remote
  attackers to cause a denial of service (daemon crash) via a crafted request
  packet.
Comment 12 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-14 08:47:34 UTC
x86 stable
Comment 13 Markus Meier gentoo-dev 2011-12-14 23:39:35 UTC
arm stable
Comment 14 Mark Loeser (RETIRED) gentoo-dev 2011-12-22 23:29:17 UTC
ppc/ppc64 done
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2012-01-01 15:05:39 UTC
alpha/s390/sh/sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2012-01-01 16:15:17 UTC
Thanks everyone. @Security, please vote.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2012-01-01 17:44:45 UTC
Thanks, folks. GLSA Vote: yes.
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:17:59 UTC
Added to pending GLSA.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-01-09 00:53:08 UTC
This issue was resolved and addressed in
 GLSA 201301-06 at http://security.gentoo.org/glsa/glsa-201301-06.xml
by GLSA coordinator Stefan Behte (craig).