Bug 327781 - (CVE-2007-5365) CVE-2007-5365 dhcpd stack-based buffer overlow
CVE-2007-5365 dhcpd stack-based buffer overlow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=cve,reported=20071011,public=2...
: Security
Depends On: 332691
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-11 11:23 EDT by Tomas Hoger
Modified: 2007-10-23 09:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-23 09:22:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
mms checking code backported from dhcp-3.x (763 bytes, patch)
2007-10-22 13:49 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2007-10-11 11:23:30 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5365 to the following vulnerability:

Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.

References:

http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=1962
http://www.openbsd.org/errata42.html#001_dhcpd
http://secunia.com/advisories/27160
http://www.securityfocus.com/bid/25984
Comment 1 Tomas Hoger 2007-10-11 11:33:47 EDT
OpenBSD's dhcpd is based on ISC dhcpd 2.x.  We ship dhcpd 2.0pl5 in Red Hat
Enterprise Linux 2.1, which seems to be affected by this issue.

ISC dhcpd version 3.x checks "maximum message size" value provided by dhcp
client.  Versions of dhcpd in Red Hat Enterprise Linux 3, 4 and 5 are based on
3.x ISC dhcp branch and are not vulnerable.

Patch applied by OpenBSD:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/options.c.diff?r1=1.8&r2=1.9&f=h


Note: This issue is reported to be one of three issues discovered by ISS X-Force
and fixed in dhcpd bundled with VMWare products (which is based on ISC dhcp
2.x).  Those issues have CVE ids CVE-2007-0061, CVE-2007-0062 and CVE-2007-0063,
but we currently do not have any details about those vulnerabilities.
Comment 5 Tomas Hoger 2007-10-22 13:49:04 EDT
Created attachment 234291 [details]
mms checking code backported from dhcp-3.x

Original OpenBSD patch was incomplete.	They've already noticed that and
updated their version to use code more similar to dhcp-3.x version:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/options.c.diff?r1=1.16&r2=1.17&f=h
Comment 8 Tomas Hoger 2007-10-23 09:22:10 EDT
Issue was addressed by errata:

https://rhn.redhat.com/errata/RHSA-2007-0970.html

Note You need to log in before you can comment on or make changes to this bug.