Red Hat Bugzilla – Bug 327781
CVE-2007-5365 dhcpd stack-based buffer overlow
Last modified: 2007-10-23 09:22:10 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5365 to the following vulnerability:
Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU.
OpenBSD's dhcpd is based on ISC dhcpd 2.x. We ship dhcpd 2.0pl5 in Red Hat
Enterprise Linux 2.1, which seems to be affected by this issue.
ISC dhcpd version 3.x checks "maximum message size" value provided by dhcp
client. Versions of dhcpd in Red Hat Enterprise Linux 3, 4 and 5 are based on
3.x ISC dhcp branch and are not vulnerable.
Patch applied by OpenBSD:
Note: This issue is reported to be one of three issues discovered by ISS X-Force
and fixed in dhcpd bundled with VMWare products (which is based on ISC dhcp
2.x). Those issues have CVE ids CVE-2007-0061, CVE-2007-0062 and CVE-2007-0063,
but we currently do not have any details about those vulnerabilities.
Created attachment 234291 [details]
mms checking code backported from dhcp-3.x
Original OpenBSD patch was incomplete. They've already noticed that and
updated their version to use code more similar to dhcp-3.x version:
Issue was addressed by errata: