Bug 327781 (CVE-2007-5365)

Summary: CVE-2007-5365 dhcpd stack-based buffer overlow
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dcantrell, kreilly
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5365
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-23 13:22:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 332691    
Bug Blocks:    
Attachments:
Description Flags
mms checking code backported from dhcp-3.x none

Description Tomas Hoger 2007-10-11 15:23:30 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5365 to the following vulnerability:

Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.

References:

http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1962
http://www.openbsd.org/errata42.html#001_dhcpd
http://secunia.com/advisories/27160
http://www.securityfocus.com/bid/25984
Comment 1 Tomas Hoger 2007-10-11 15:33:47 UTC 
OpenBSD's dhcpd is based on ISC dhcpd 2.x.  We ship dhcpd 2.0pl5 in Red Hat
Enterprise Linux 2.1, which seems to be affected by this issue.

ISC dhcpd version 3.x checks "maximum message size" value provided by dhcp
client.  Versions of dhcpd in Red Hat Enterprise Linux 3, 4 and 5 are based on
3.x ISC dhcp branch and are not vulnerable.

Patch applied by OpenBSD:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/options.c.diff?r1=1.8&r2=1.9&f=h


Note: This issue is reported to be one of three issues discovered by ISS X-Force
and fixed in dhcpd bundled with VMWare products (which is based on ISC dhcp
2.x).  Those issues have CVE ids CVE-2007-0061, CVE-2007-0062 and CVE-2007-0063,
but we currently do not have any details about those vulnerabilities.
Comment 5 Tomas Hoger 2007-10-22 17:49:04 UTC 
Created attachment 234291 [details]
mms checking code backported from dhcp-3.x

Original OpenBSD patch was incomplete.	They've already noticed that and
updated their version to use code more similar to dhcp-3.x version:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/options.c.diff?r1=1.16&r2=1.17&f=h
Comment 8 Tomas Hoger 2007-10-23 13:22:10 UTC 
Issue was addressed by errata:

https://rhn.redhat.com/errata/RHSA-2007-0970.html