Backporting two dchpcd security patches to 6.0.5
Chris LambSat May 11 00:47:48 2019
[adding debian-lts@xxxxxxxxxxxxxxxx to CC for visibility]
Hi dhcpcd developers,
I'm trying to backport two recent CVEs to the dhcpcd 6.0.5 (!)
codebase as part of the Debian LTS  and I was just checking-in to
get your response to a few thoughts of mine.
The first is about CVE-2019-11579 regarding the 1-byte read overflow
with the handling of DHO_OPTSOVERLOADED. The diff in question 
that remedies this essentially just moves some code out of the case
handling, but this code is not part of dhcpcd 6.0.5 which only has:
/* Ensure we only get this option once by setting
* the last bit as well as the value.
* This is valid because only the first two bits
* actually mean anything in RFC2132 Section 9.3 */
overl = 0x80 | p;
… as part of the case statement. Does this mean that 6.0.5 is not
vulnerable to CVE-2019-11579 or that it *is* because it lacks the
Secondly, I am looking at CVE-2019-11766 which is regarding the buffer
over-read in D6_OPTION_PD_EXCLUDE, but I don't think support for DHCP
prefix lengths was even implemented in 6.0.5. The two diffs that
address this issue  appear to confirm this by referencing code
that is not part of that version.
Very much looking forward to hearing your input on these.
: :' : Chris Lamb
`. `'` lamby@xxxxxxxxxx 🍥 chris-lamb.co.uk
Archive administrator: email@example.com