Bugzilla – Bug 955762
VUL-0: CVE-2012-6698, CVE-2012-6699, CVE-2012-6700: dhcpcd: network-accessible bugs in the ancient 3.2.3 dhcpcd
Last modified: 2018-02-23 09:38:23 UTC
Is publicly discussed on the oss-sec mailing list: http://seclists.org/oss-sec/2015/q4/412

From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 1 Dec 2015 17:51:46 -0800

Hello MITRE, all.

Guido Vranken reported several flaws to Ubuntu's launchpad bugtracker in the dhcpcd3 package that is shipped in Ubuntu, Debian, and potentially other distributions.
https://bugs.launchpad.net/ubuntu/+source/dhcpcd/+bug/1517226

Guido included a patch along with AFL-discovered inputs to trigger the issues:
https://launchpadlibrarian.net/228152582/dhcp.c.patch
https://bugs.launchpad.net/ubuntu/+source/dhcpcd/+bug/1517226/+attachment/4520925/+files/patch-payloads-dhcpcd.c.tar.xz

Roy Marples has already addressed these issues in upstream dhcpcd packages; I believe these issues may require 2012-era CVE identifiers:
http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74

I believe this represents three distinct flaws: out of bounds reads beyond the end of the supplied packet, out of bounds write before the start of the 'out' parameter, and a use-after-free.

I brought this issue to the distros list on Wed, 18 Nov 2015.
SUSE-SU-2015:2174-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 955762
CVE References:
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): dhcpcd-3.2.3-44.32.2
SUSE Linux Enterprise Server 11-SP4 (src): dhcpcd-3.2.3-44.32.2
SUSE Linux Enterprise Server 11-SP3 (src): dhcpcd-3.2.3-44.32.2
SUSE Linux Enterprise Server 11-SP2-LTSS (src): dhcpcd-3.2.3-44.32.2
SUSE Linux Enterprise Desktop 11-SP4 (src): dhcpcd-3.2.3-44.32.2
SUSE Linux Enterprise Desktop 11-SP3 (src): dhcpcd-3.2.3-44.32.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): dhcpcd-3.2.3-44.32.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): dhcpcd-3.2.3-44.32.2
SUSE Linux Enterprise Debuginfo 11-SP2 (src): dhcpcd-3.2.3-44.32.2
From Mitre:

> https://launchpadlibrarian.net/228152582/dhcp.c.patch
>> I had expected this part of the diff to address the out-of-bounds writes:
>>
>> if (out && out != start)
>> *(out - 1) = ' ';
>>> Ack, looks like heap[-1] OOB write to me.

Use CVE-2012-6698 for the vulnerability in which the possibility of "out == start" wasn't considered, leading to an out-of-bounds write.

>>> Recalling from my last analysis, I think this is just an OOB read, because
>>> decode_search() is called with out being NULL to count the amount of data
>>> to be copied later. Unless this data is somehow modified the next call
>>> to decode_search() should have sufficient amount of heap allocated for
>>> the memcpy() to be correct. But the loop has an OOB read when counting
>>> the data (and later when copying it and there wasn't already a SIGSEGV).

Use CVE-2012-6699 for this loop error that results in an out-of-bounds read.

> case DHCP_DNSSEARCH:
> MIN_LENGTH (1);
> - free (dhcp->dnssearch);
> len = decode_search (p, length, NULL);
> if (len > 0) {
> + free (dhcp->dnssearch);

Use CVE-2012-6700 for the presence of the free call in an incorrect place.
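Review bot: moving `free (dhcp->dnssearch)` under `if (len > 0) {` closes the dangling-pointer case (the old ordering freed the list before `decode_search (p, length, NULL)` and then skipped reassignment when `len` was not positive), but the hunk shows no else path, so when `decode_search` returns 0 or a negative value `dhcp->dnssearch` now keeps whatever allocation it held before. Please confirm that either the stale value is acceptable there or that the non-positive branch explicitly resets the pointer, and note that `MIN_LENGTH (1)` only guarantees one byte of option data, so the loop inside `decode_search` still has to bound every label read against `length`.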
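The count-then-copy flow and the two checks the thread describes (rejecting a label that runs past the end of the option data, and never touching `out - 1` when nothing has been emitted yet), as an added C example that is not dhcpcd's own code: `decode_search_safe`, `decode_search_alloc` and the sample payloads are hypothetical and constructed here, and compression pointers are rejected rather than followed to keep the example short.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened decoder, not dhcpcd's own code. Input is DHCP
 * option 119 style data: DNS names made of length-prefixed labels, each name
 * ending in a 0 byte. Compression pointers are rejected to keep the example
 * short. Output is the names joined by spaces, labels joined by dots.
 *
 * Two-pass contract as described in the report: with out == NULL only the
 * required length is computed; with out != NULL at most outlen-1 bytes are
 * written and the result is NUL-terminated. Returns the output length
 * excluding the NUL, or -1 if the option data is malformed or truncated. */
long decode_search_safe(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    const uint8_t *end = p + len;
    size_t used = 0;   /* output bytes produced so far, separators included */

    while (p < end) {
        uint8_t l = *p++;
        if (l == 0) {
            /* End of a name: turn the trailing '.' into a space, but only if
             * something was emitted. This is the guard the thread describes
             * against writing at *(out - 1) when out == start. */
            if (used > 0 && out)
                out[used - 1] = ' ';
            continue;
        }
        if (l & 0xC0)
            return -1;   /* compression pointer: not handled in this example */
        if ((size_t)(end - p) < l)
            return -1;   /* label runs past the packet: reject instead of reading OOB */
        if (out) {
            if (used + l + 1 >= outlen)
                return -1;   /* caller's buffer too small: never write past it */
            memcpy(out + used, p, l);
            out[used + l] = '.';
        }
        used += (size_t)l + 1;
        p += l;
    }
    if (used > 0)
        used--;   /* drop the trailing separator */
    if (out) {
        if (used >= outlen)
            return -1;
        out[used] = '\0';
    }
    return (long)used;
}

/* Count-then-copy flow mirroring the corrected ordering in the patch: the
 * previous list is released only after the new one decoded successfully. */
char *decode_search_alloc(const uint8_t *p, size_t len, char *previous)
{
    long n = decode_search_safe(p, len, NULL, 0);
    if (n < 0)
        return previous;   /* malformed option: keep the old value, no dangling pointer */
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL || decode_search_safe(p, len, buf, (size_t)n + 1) != n) {
        free(buf);
        return previous;
    }
    free(previous);
    return buf;
}

/* Constructed sample option payloads (not captured from a real network). */
static const uint8_t sample_good[] = {
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,
    4, 't','e','s','t', 3, 'o','r','g', 0 };
static const uint8_t sample_truncated[] = { 7, 'e','x','a','m' };      /* label claims 7 bytes, only 4 present */
static const uint8_t sample_leading_zero[] = { 0, 3, 'c','o','m', 0 }; /* empty name first: the out == start case */

long demo_count(void)     { return decode_search_safe(sample_good, sizeof sample_good, NULL, 0); }
long demo_truncated(void) { return decode_search_safe(sample_truncated, sizeof sample_truncated, NULL, 0); }
const char *demo_decode(void)
{
    static char buf[64];
    decode_search_safe(sample_good, sizeof sample_good, buf, sizeof buf);
    return buf;
}
const char *demo_leading_zero(void)
{
    static char buf[64];
    decode_search_safe(sample_leading_zero, sizeof sample_leading_zero, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("count=%ld decoded=\"%s\" truncated=%ld leading_zero=\"%s\"\n",
           demo_count(), demo_decode(), demo_truncated(), demo_leading_zero());
    return 0;
}
```

The truncated sample is rejected in the counting pass, so no allocation or copy ever happens for it; the leading-zero sample decodes to `com` without any write before the start of the buffer, because the separator fix-up is gated on bytes already emitted rather than on pointer arithmetic.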
Rereleased with corrected CVE list.