Bug 684430 - <net-misc/dhcpcd-7.1.1-r2 - multiple vulnerabilities
Summary: <net-misc/dhcpcd-7.1.1-r2 - multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://roy.marples.name/archives/dhc...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-26 15:06 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2019-05-05 00:41 UTC

See Also:
Package list:
net-misc/dhcpcd-7.1.1-r2
Runtime testing required: ---
stable-bot: sanity-check+


Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-04-26 15:06:13 UTC
From URL:

These security issues are also addressed:
  *  auth: Use consttime_memequal to avoid latency attack
     consttime_memequal is supplied if libc does not support it
     dhcpcd >=6.2 <7.2.1 are vulnerable

  *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
     dhcpcd >=4 <7.2.1 are vulnerable

  *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
     dhcpcd >=7 <7.2.1 are vulnerable
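
The first item in the description replaces an early-exit comparison of authentication data with `consttime_memequal`, supplying a fallback where libc lacks it. The following is an added example, not code from dhcpcd or from this bug: it contrasts an instrumented early-exit compare with a fallback that follows the `consttime_memequal(3)` contract. The MAC bytes are constructed, and `leaky_equal`, `fallback_memequal` and `leaky_steps_with_mismatch_at` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAC_LEN 16

/* Constructed sample bytes standing in for an expected authentication MAC. */
static const uint8_t expected_mac[MAC_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xbd, 0x16,
    0x70, 0xcf, 0x2b, 0x84, 0x59, 0xa6, 0x0d, 0xf3
};

/* Early-exit comparison (memcmp-like), instrumented: *steps records how many
 * bytes were examined, which is what response latency reveals to the sender. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        *steps = i + 1;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Hypothetical fallback with the consttime_memequal(3) contract: 1 if equal,
 * 0 if not. Every byte is folded into res, so the work is data-independent. */
int fallback_memequal(const void *b1, const void *b2, size_t len)
{
    const volatile uint8_t *c1 = b1, *c2 = b2;
    unsigned int res = 0;

    for (size_t i = 0; i < len; i++)
        res |= c1[i] ^ c2[i];
    return 1 & ((res - 1) >> 8);   /* res == 0 -> 1, res in 1..255 -> 0 */
}

/* Bytes the early-exit compare examines when only byte `pos` is wrong. */
size_t leaky_steps_with_mismatch_at(size_t pos)
{
    uint8_t candidate[MAC_LEN];
    size_t steps;

    memcpy(candidate, expected_mac, MAC_LEN);
    candidate[pos] ^= 0xff;
    leaky_equal(expected_mac, candidate, MAC_LEN, &steps);
    return steps;
}
```

The early-exit compare examines 1 byte when the first byte is wrong and 16 when only the last is wrong, while the fallback always walks all 16, so its running time carries no information about how much of the value matched.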
Comment 1 Larry the Git Cow gentoo-dev 2019-04-26 15:07:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9b5b1738178ec8da65c5371a1a9977d593a459d

commit e9b5b1738178ec8da65c5371a1a9977d593a459d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-26 15:01:47 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-26 15:07:21 +0000

    net-misc/dhcpcd: Security bump to versions 7.1.1-r2 and 7.2.1
    
    Bug: https://bugs.gentoo.org/684430
    Package-Manager: Portage-2.3.65, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/dhcpcd/Manifest                           |   1 +
 net-misc/dhcpcd/dhcpcd-7.1.1-r2.ebuild             | 153 +++++++++++++++
 net-misc/dhcpcd/dhcpcd-7.2.1.ebuild                | 148 ++++++++++++++
 net-misc/dhcpcd/files/dhcpcd-7.1.1-overflows.patch | 213 +++++++++++++++++++++
 4 files changed, 515 insertions(+)
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-04-26 15:09:04 UTC
Roy provided a patch that fixes the 7.1.1 release. So I suggest we aim for =net-misc/dhcpcd-7.1.1-r2 stabilization.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-04-26 19:48:30 UTC
arm64 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-26 20:34:03 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-27 16:35:06 UTC
ia64 stable
Comment 6 Rolf Eike Beer archtester 2019-04-27 17:47:48 UTC
sparc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 07:47:05 UTC
ppc stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-28 13:11:52 UTC
ppc64 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-28 20:28:33 UTC
s390 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-28 20:35:19 UTC
x86 stable
Comment 11 Matt Turner gentoo-dev 2019-05-02 06:41:46 UTC
hppa stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-03 13:10:57 UTC
alpha stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-03 13:11:15 UTC
arm stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-05-03 13:11:33 UTC
sh stable
Comment 15 Larry the Git Cow gentoo-dev 2019-05-03 13:14:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb12d2245f1dbc1579209a8c60903d3163a72419

commit cb12d2245f1dbc1579209a8c60903d3163a72419
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2019-05-03 13:13:02 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2019-05-03 13:13:02 +0000

    net-misc/dhcpcd: Security cleanup
    
    Bug: https://bugs.gentoo.org/684430
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 net-misc/dhcpcd/dhcpcd-7.1.1-r1.ebuild | 152 ---------------------------------
 1 file changed, 152 deletions(-)