Re: Backporting two dchpcd security patches to 6.0.5

Roy Marples

Sat May 11 17:06:20 2019

Hi Chris!

On 11/05/2019 01:48, Chris Lamb wrote:
> [adding debian-lts@xxxxxxxxxxxxxxxx to CC for visibility]
> 
> Hi dhcpcd developers,
> 
> I'm trying to backport two recent CVEs to the dhcpcd 6.0.5 (!)

I don't officially support dhcpcd-6 anymore - it just gets the latest security fix to the last release.

> codebase as part of the Debian LTS [0] and I was just checking-in to
> get your response to a few thoughts of mine.
> 
> The first is about CVE-2019-11579 regarding the 1-byte read overflow
> with the handling of DHO_OPTSOVERLOADED. The diff in question [1]
> that remedies this essentially just moves some code out of the case
> handling, but this code is not part of dhcpcd 6.0.5 which only has:
> 
> 			/* Ensure we only get this option once by setting
> 			 * the last bit as well as the value.
> 			 * This is valid because only the first two bits
> 			 * actually mean anything in RFC2132 Section 9.3 */
> 			if (!overl)
> 				overl = 0x80 | p[1];
> 
> … as part of the case statement. Does this mean that 6.0.5 is not
> vulnerable to CVE-2019-11579 or that it *is* because it lacks the
> underlying check?

It is vulnerable because it looks at p[1].
At this point we've not checked option length OR if it's inside the buffer.

> Secondly, I am looking at CVE-2019-11766 which is regarding the buffer
> over-read in D6_OPTION_PD_EXCLUDE, but I don't think support for DHCP
> prefix lengths was even implemented in 6.0.5. The two diffs that
> address this issue [2][3] appear to confirm this by referencing code
> that is not part of that version.

Correct, there is no support for D6_OPTION_PD_EXCLUDE in dhcpcd-6.0.5
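As an added example (not code from the dhcpcd tree or from either poster), here is an option-walking loop with the same shape as the 6.0.5 code quoted above, with the two checks Roy names, option length and position inside the buffer, inserted before `p[1]` is read. The option codes are defined locally from RFC 2132 and the buffers in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define DHO_PAD            0
#define DHO_OPTSOVERLOADED 52
#define DHO_END            255

/* Walk a DHCP options field (RFC 2132 TLV layout) with the same shape as
 * the 6.0.5 loop quoted above, but bounds-check before touching p[1].
 * Returns 0x80 | value if DHO_OPTSOVERLOADED is present and well formed,
 * 0 if it is absent, or -1 if an option header or body runs past the buffer. */
int scan_optsoverloaded(const uint8_t *opts, size_t len)
{
    const uint8_t *p = opts, *e = opts + len;
    int overl = 0;

    while (p < e) {
        uint8_t o = *p++;           /* p now points at the length byte */
        if (o == DHO_PAD)
            continue;
        if (o == DHO_END)
            break;
        /* First missing check: is the length byte itself inside the buffer? */
        if (p >= e)
            return -1;
        size_t l = *p;              /* option length; data starts at p[1] */
        /* Second missing check: does the option body fit in what remains? */
        if (l > (size_t)(e - p - 1))
            return -1;
        if (o == DHO_OPTSOVERLOADED) {
            /* RFC 2132 section 9.3 defines one data byte, so p[1] is only
             * this option's value when l >= 1; with l == 0, p[1] would be
             * the next option's code byte. */
            if (l < 1)
                return -1;
            if (!overl)
                overl = 0x80 | p[1];
        }
        p += 1 + l;                 /* skip the length byte and the data */
    }
    return overl;
}
```

With the checks in place, a buffer whose final byte is the option code (no length byte follows) is rejected instead of being read one byte past its end.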