Bug 761265 (CVE-2011-4539)

Summary: CVE-2011-4539 dhcp: DoS due to processing certain regular expressions
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jpopelka, wnefal+redhatbugzilla
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-14 19:25:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 765681, 765682, 765683
Bug Blocks: 761271
Attachments:
  diff from 4.2.3 and 4.2.3-P1 (flags: none)

Description Vincent Danen 2011-12-07 22:33:29 UTC
It was reported [1] that ISC dhcpd suffered from a bug related to processing an evaluated regular expression.  If an attacker were able to send a DHCP Request packet, either directly or through a relay, they could remotely crash dhcpd if that server was configured to evaluate expressions using a regular expression (such as "~=" or "~~" comparison operators).  No further details have been released as of yet.

Upstream indicates that 4.0.x and higher, including all EOL versions back to 4.0, 4.1-ESV, and 4.2.x, are affected; the issue is corrected in 4.1-ESV-R4 and 4.2.3-P1.

This flaw cannot be triggered if regular expressions are not used in the server's configuration files.

[1] http://www.isc.org/software/dhcp/advisories/cve-2011-4539

Comment 1 Vincent Danen 2011-12-07 22:52:19 UTC
Created attachment 542241 [details]
diff from 4.2.3 and 4.2.3-P1

Diff from 4.2.3 and 4.2.3-P1 with the following changelog comments:

                       Changes since 4.2.3

! Add a check for a null pointer before calling the regexec function.
  Without this check we could, under some circumstances, pass
  a null pointer to the regexec function causing it to segfault.
  Thanks to a report from BlueCat Networks.
  [ISC-Bugs #26704].
  CVE: CVE-2011-4539
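
As an added illustration of the fix described in the changelog above (example code written for this page, not ISC's dhcpd source), the following C snippet wraps regexec() with the null check the changelog refers to, so that a request lacking the option being compared yields "no match" instead of a segfault. The option_matches() function, its flag argument and the sample option values are constructed for the example; mapping "~~" to case-insensitive matching and "~=" to case-sensitive matching follows the dhcpd expression documentation.

```c
#include <regex.h>
#include <stdio.h>

/*
 * Guarded wrapper around regexec(). The 4.2.3-P1 fix quoted above adds a
 * null-pointer check before regexec(); this helper applies the same rule:
 * a NULL pattern or subject is never handed to regexec(), which would
 * dereference it and segfault the server. Returns 1 on match, 0 on no
 * match, -1 when an argument is missing.
 */
int regex_match_guarded(const regex_t *re, const char *subject)
{
    if (re == NULL || subject == NULL)
        return -1;
    return regexec(re, subject, 0, NULL, 0) == 0 ? 1 : 0;
}

/*
 * Evaluates a dhcpd-style regex comparison of one option value against a
 * configured pattern. case_insensitive selects the "~~" form (REG_ICASE);
 * 0 selects the case-sensitive "~=" form. Returns 1 on match, 0 otherwise;
 * an absent option (option_value == NULL) yields 0 instead of a crash.
 */
int option_matches(const char *pattern, const char *option_value,
                   int case_insensitive)
{
    regex_t re;
    int flags = REG_EXTENDED | REG_NOSUB | (case_insensitive ? REG_ICASE : 0);
    int rc;

    if (regcomp(&re, pattern, flags) != 0)
        return 0;  /* unparsable pattern in the configuration: no match */
    rc = regex_match_guarded(&re, option_value);
    regfree(&re);
    return rc == 1;
}

int main(void)
{
    /* Constructed sample values standing in for DHCP option contents. */
    const char *pattern = "^client-[0-9]+$";
    printf("present, matching: %d\n", option_matches(pattern, "client-42", 0));
    printf("present, no match: %d\n", option_matches(pattern, "printer-1", 0));
    printf("absent (NULL):     %d\n", option_matches(pattern, NULL, 0));
    return 0;
}
```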

Comment 4 Huzaifa S. Sidhpurwala 2011-12-09 05:07:41 UTC
Created dhcp tracking bugs for this issue

Affects: fedora-all [bug 765681]

Comment 6 Huzaifa S. Sidhpurwala 2011-12-09 05:12:29 UTC
This issue does not affect the version of dhcp package as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of dhcp package as shipped with Red Hat Enterprise Linux 6.

Comment 7 Vincent Danen 2011-12-14 18:27:42 UTC
Statement:

This issue did not affect the versions of dhcp as shipped with Red Hat Enterprise Linux 4 and 5.

Comment 8 errata-xmlrpc 2011-12-14 19:06:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1819 https://rhn.redhat.com/errata/RHSA-2011-1819.html

Comment 9 Fedora Update System 2011-12-14 23:32:21 UTC
dhcp-4.2.3-4.P1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2012-01-02 21:49:12 UTC
dhcp-4.2.1-14.P1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.