Bug 1495411 (CVE-2017-14493)

Summary: CVE-2017-14493 dnsmasq: stack buffer overflow in the DHCPv6 code
Product: [Other] Security Response Reporter: Fabio Olive Leite <fleite>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: apevec, chrisw, code, gmollett, itamar, jjoyce, jschluet, kbasil, laine, lhh, lpeer, markmc, mburns, p, pemensik, rbryant, sclewis, security-response-team, slinaber, srevivo, tdecacqu, thozza, veillard
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: dnsmasq 2.78 Doc Type: If docs needed, set a value
Doc Text:
A stack buffer overflow was found in dnsmasq in the DHCPv6 code. An attacker on the local network could send a crafted DHCPv6 request to dnsmasq which would cause it to a crash or, potentially, execute arbitrary code.
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-02 18:16:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1495516, 1495517, 1496264, 1496265, 1497691    
Bug Blocks: 1495418    
Description Flags
Upstream commit none

Description Fabio Olive Leite 2017-09-26 01:50:15 UTC
Red Hat Product Security has been made aware of a stack-based buffer overflow affecting the DHCP implementation of dnsmasq.

Comment 1 Doran Moppert 2017-09-26 05:11:57 UTC

Name: Felix Wilhelm (Google Security Team), Fermin J. Serna (Google Security Team), Gabriel Campana (Google Security Team), Kevin Hamacher (Google Security Team), Ron Bowes (Google Security Team)

Comment 2 Doran Moppert 2017-09-26 08:42:36 UTC
Versions of dnsmasq shipped with Red Hat Enterprise Linux 6 and 5 do not include the DHCPv6 code which includes this flaw.

Comment 3 Tomas Hoger 2017-09-26 08:48:05 UTC
Further details from the 2.78 pre-release CHANGELOG:

    Fix stack overflow in DHCPv6 code. An attacker who can send
    a DHCPv6 request to dnsmasq can overflow the stack frame and
    crash or control dnsmasq.
    CVE-2017-14493 applies.
    Credit to Felix Wilhelm, Fermin J. Serna, Gabriel Campana
    and Kevin Hamacher of the Google Security Team for
    finding this.

Comment 5 Tomas Hoger 2017-09-26 10:47:08 UTC
Created attachment 1330991 [details]
Upstream commit

Comment 11 Adam Mariš 2017-10-02 13:19:19 UTC
Created dnsmasq tracking bugs for this issue:

Affects: fedora-all [bug 1497691]

Comment 13 errata-xmlrpc 2017-10-02 16:23:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support
  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2837 https://access.redhat.com/errata/RHSA-2017:2837

Comment 14 errata-xmlrpc 2017-10-02 17:20:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2836 https://access.redhat.com/errata/RHSA-2017:2836

Comment 15 Garth Mollett 2017-10-03 20:57:20 UTC

Red Hat OpenStack Platform includes the dnsmasq-utils RPM which does not contain this flaw's affected code-paths; Red Hat OpenStack Platform is therefore listed as not affected.

However, because all versions of Red Hat OpenStack Platform are based on Red Hat Enterprise Linux, all Red Hat OpenStack Platform users should absolutely upgrade the dnsmasq RPM from Red Hat Enterprise Linux as a matter of urgency using standard update mechanisms (such as 'yum update' or 'openstack overcloud update').