Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 428120 (CVE-2012-3570) - <net-misc/dhcp-4.2.4_p1: Multiple DoS vulnerabilities (CVE-2012-{3570,3571,3954})
Summary: <net-misc/dhcp-4.2.4_p1: Multiple DoS vulnerabilities (CVE-2012-{3570,3571,39...
Status: RESOLVED FIXED
Alias: CVE-2012-3570
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-26 00:40 UTC by GLSAMaker/CVETool Bot
Modified: 2013-01-09 00:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-26 00:40:23 UTC
CVE-2012-3954 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3954):
  Multiple memory leaks in ISC DHCP 4.1.x and 4.2.x before 4.2.4-P1 and
  4.1-ESV before 4.1-ESV-R6 allow remote attackers to cause a denial of
  service (memory consumption) by sending many requests.

CVE-2012-3571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3571):
  ISC DHCP 4.1.2 through 4.2.4 and 4.1-ESV before 4.1-ESV-R6 allows remote
  attackers to cause a denial of service (infinite loop and CPU consumption)
  via a malformed client identifier.

CVE-2012-3570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3570):
  Buffer overflow in ISC DHCP 4.2.x before 4.2.4-P1, when DHCPv6 mode is
  enabled, allows remote attackers to cause a denial of service (segmentation
  fault and daemon exit) via a crafted client identifier parameter.
Comment 1 Tony Vroon gentoo-dev 2012-07-26 07:53:45 UTC
+*dhcp-4.2.4_p1 (26 Jul 2012)
+
+  26 Jul 2012; Tony Vroon <chainsaw@gentoo.org> +dhcp-4.2.4_p1.ebuild:
+  Security upgrade addressing an IPv6-only buffer overflow (CVE-2012-3570),
+  remotely triggerable infinite loop (CVE-2012-3571) and remotely triggerable
+  memory leaks (CVE-2012-3954).

Arches, please test and mark stable. 
Target KEYWORDS="alpha amd64 arm hppa ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
Comment 2 Richard Freeman gentoo-dev 2012-07-26 15:20:00 UTC
amd64 stable
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2012-07-26 15:27:31 UTC
x86: ok

compile: everything fine (with specific USE flags also without problems)
repoman: no complaints for this version
run: ok ( i have dhcp setting in my net file, and my net.eth0 interface start without problem)
Please mark stable for x86.
Comment 4 Johannes Huber gentoo-dev 2012-07-26 17:06:39 UTC
x86 stable. Thanks Mikle.
Comment 5 Jeroen Roovers gentoo-dev 2012-07-26 17:07:19 UTC
Arch teams, please test and mark stable:
=net-misc/dhcp-4.2.4_p1
Comment 6 Jeroen Roovers gentoo-dev 2012-07-26 19:19:34 UTC
Stable for HPPA.
Comment 7 Markus Meier gentoo-dev 2012-08-02 20:55:33 UTC
arm stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-08-09 18:25:47 UTC
ppc done
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-08-26 14:11:06 UTC
alpha/s390/sh/sparc stable
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-20 13:29:08 UTC
ppc64 stable, last arch done
Comment 11 Sean Amoss gentoo-dev Security 2012-09-20 13:33:07 UTC
Thanks, everyone. 

Already on existing GLSA draft.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-01-09 00:53:12 UTC
This issue was resolved and addressed in
 GLSA 201301-06 at http://security.gentoo.org/glsa/glsa-201301-06.xml
by GLSA coordinator Stefan Behte (craig).