The Internet Software Consortium reported to us via CERT on Jun 10 a flaw in hostname logging that affects all versions of DHCP 3. A malicious client could send carefully crafted hostname options to a server which would lead to a stack buffer overflow. In order to exploit this flaw an attacker would need to be able to send UDP packets to the targeted system, which limits the attack to the local network or via routed topology. A successful attack could lead to remote arbitrary code execution. This issue is under embargo until Jun 15 at 1400 EST.
(Red Hat Enterprise Linux 2.1 is based on version 2 of DHCP, and is therefore not vulnerable to this issue).
Embargo moved to Jun 17 at 1400 EST to accommodate a second issue, CAN-2004-0461: "Several operating system specific builds have a C include that overrides the vsnprintf function to vsprintf. Therefore, anywhere that the developers thought they were using vsnprintf to restrict bounds, they actually weren't being restricted at all."
ISC have reported: "after closer analysis it appears that only ISC DHCP 3.0.1rc12 and 3.0.1rc13 are vulnerable. Versions prior to this contain the flaw, but are not exploitable because prior versions of ISC DHCP only include the last hostname option provided by the client, limiting the size to 255 bytes, which is not enough to overflow the buffer." Therefore CAN-2004-0460 does not affect Red Hat Enterprise Linux (it affects Fedora Core 2 only).
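The two mechanisms the comments above describe, as an added example in C that is not ISC's code and not taken from this bug report: a DHCP option area carrying several Host Name options (option 12, RFC 2132), where a server that keeps only the last option copies at most 255 bytes, while a server that concatenates every option would try to write far more into a fixed-size buffer; and a bounded log-line formatter that only works because vsnprintf genuinely honours its size argument, which it would not if it were a macro over vsprintf as the CAN-2004-0461 quote describes. The 256-byte buffer size, the option blob built from runs of 'A', and the function names are assumptions made for the example.

```c
/* Added example, not ISC DHCP code. Assumes RFC 2132 option encoding and a
 * 256-byte fixed buffer for the client hostname (255 bytes plus NUL). */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHO_PAD        0
#define DHO_HOST_NAME  12    /* RFC 2132 Host Name option */
#define DHO_END        255
#define HOSTNAME_BUF   256   /* assumed fixed buffer: 255 bytes plus NUL */

struct hn_stats {
    size_t last_len;    /* length of the last Host Name option seen */
    size_t total_len;   /* sum of all Host Name option lengths */
    int    count;
};

/* Constructed packet options: n_opts Host Name options of each_len 'A's, then END.
 * Returns the blob length, or 0 if it would not fit in buf. */
static size_t build_options(uint8_t *buf, size_t bufsz, int n_opts, uint8_t each_len) {
    size_t pos = 0;
    for (int i = 0; i < n_opts; i++) {
        if (pos + 2 + each_len + 1 > bufsz) return 0;
        buf[pos++] = DHO_HOST_NAME;
        buf[pos++] = each_len;
        memset(buf + pos, 'A', each_len);
        pos += each_len;
    }
    buf[pos++] = DHO_END;
    return pos;
}

/* Bounds-checked TLV walk. With out == NULL it only gathers statistics; with a
 * buffer it appends every Host Name value (the concatenating behaviour) and
 * refuses as soon as the next value would not fit. Returns 0, or -1 on a
 * malformed blob or a refused append. */
static int scan_hostnames(const uint8_t *opts, size_t len, struct hn_stats *st,
                          char *out, size_t outsz) {
    size_t i = 0, used = 0;
    memset(st, 0, sizeof *st);
    if (out && outsz) out[0] = '\0';
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD) continue;           /* pad has no length byte */
        if (code == DHO_END) return 0;
        if (i >= len) return -1;                 /* length byte missing */
        size_t l = opts[i++];
        if (i + l > len) return -1;              /* value runs past the packet */
        if (code == DHO_HOST_NAME) {
            st->count++;
            st->last_len = l;
            st->total_len += l;
            if (out) {
                if (used + l + 1 > outsz) return -1;  /* would overflow the fixed buffer */
                memcpy(out + used, opts + i, l);
                used += l;
                out[used] = '\0';
            }
        }
        i += l;
    }
    return -1;                                   /* no END option */
}

/* What a packet with n_opts Host Name options of each_len bytes carries: last_len is
 * what "last option wins" copies, total_len is what concatenation would try to write. */
struct hn_stats stats_for(int n_opts, int each_len) {
    uint8_t blob[4096]; struct hn_stats st = {0, 0, 0};
    size_t n = build_options(blob, sizeof blob, n_opts, (uint8_t)each_len);
    if (n) scan_hostnames(blob, n, &st, NULL, 0);
    return st;
}

/* Checked concatenation into a HOSTNAME_BUF stack buffer: bytes stored, or -1 if refused. */
int concat_checked_for(int n_opts, int each_len) {
    uint8_t blob[4096]; char hostname[HOSTNAME_BUF]; struct hn_stats st;
    size_t n = build_options(blob, sizeof blob, n_opts, (uint8_t)each_len);
    if (n == 0 || scan_hostnames(blob, n, &st, hostname, sizeof hostname) != 0) return -1;
    return (int)strlen(hostname);
}

/* Bounded log-line formatting. A genuine vsnprintf honours dstsz and returns the
 * length it wanted, so truncation is detectable. If vsnprintf were a macro over
 * vsprintf (the CAN-2004-0461 pattern) dstsz would be ignored and this wrapper
 * could not protect dst at all. Returns the length, or -1 if the line did not fit. */
int format_checked(char *dst, size_t dstsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : n;
}

/* Length of "client hostname: <name>" for an each_len-byte name in a 256-byte line, or -1. */
int log_line_len_for(int each_len) {
    char name[1024], line[HOSTNAME_BUF];
    if (each_len < 0 || each_len >= (int)sizeof name) return -1;
    memset(name, 'A', (size_t)each_len);
    name[each_len] = '\0';
    return format_checked(line, sizeof line, "client hostname: %s", name);
}

int main(void) {
    struct hn_stats st = stats_for(3, 255);
    printf("3x255: last option %zu bytes, concatenated %zu bytes, checked copy -> %d\n",
           st.last_len, st.total_len, concat_checked_for(3, 255));
    printf("log line with 255-byte name: %d\n", log_line_len_for(255));
    return 0;
}
```

With three 255-byte Host Name options the last-option path copies 255 bytes, the concatenating path would need 765, and the checked copy refuses; the formatter fits a 238-byte name into the 256-byte line and reports -1 for 239 or more instead of silently overrunning it.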
A second issue was found, CAN-2004-0461, which we have also confirmed does not affect Red Hat Enterprise Linux; therefore no update is required. An update for Fedora Core 2 is required and will be released when the embargo is lifted later today.
Public; removing embargo http://www.us-cert.gov/cas/techalerts/TA04-174A.html
According to the link http://www.us-cert.gov/cas/techalerts/TA04-174A.html : "These issues have been resolved in ISC DHCP 3.0.1rc14." FC3 / rawhide now uses dhcp-3.0.1 (gold), which fixes this issue. dhcp-3.0.1 was also submitted to fc2-updates. I tried to submit dhcp-3.0.1 (gold) to RHEL-3.0-U3, but my request was denied; hence RHEL-3.0-U3, which still uses dhcp-3.0pl2, is still vulnerable to this issue.
Actually only 3.0.1rc12 and 3.0.1rc13 can be exploited; 3.0pl2 is not vulnerable to this issue.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-566.html