Bug 894580 (CVE-2014-6060) - VUL-0: CVE-2014-6060: dhcpcd: DoS attack via DHO_OPTIONSOVERLOADED
Summary: VUL-0: CVE-2014-6060: dhcpcd: DoS attack via DHO_OPTIONSOVERLOADED
Status: RESOLVED UPSTREAM
Alias: CVE-2014-6060
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Peter Varkoly
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-02 09:08 UTC by Marcus Meissner
Modified: 2014-09-02 09:13 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-09-02 09:08:29 UTC 
via oss-sec

From: Roy Marples <roy@marples.name>
Subject: [oss-security] CVE Request: dhcpcd DoS attack

Hi

dhcpcd-4.0.0 though to dhcpcd.6.4.2 are vulnerable to a DoS attack.

As reported by Tobias Stoeckmann:
In function get_option, the DHO_OPTIONSOVERLOADED option checks if there
are overloaded options, like bootfile or servername.  It tries to make
sure that it's called only once, BUT overwrites that information after
receiving a DHO_END.  A malicious server could set the option
DHO_OPTIONSOVERLOADED yet another time in the bootfile or servername
section, which will result in another jump -- maybe into the same area.

This has been fixed upstream here:
http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0

I would like to request a CVE for the issue.

dhcpcd-6.4.3 has been released with the above fix.

Thanks

Roy
Comment 1 Marcus Meissner 2014-09-02 09:10:41 UTC 
I think this is the same dhcpcd that we have, but we did the last upgrade to
3.2.3 on May 14 2008(!)
Comment 2 Marcus Meissner 2014-09-02 09:13:17 UTC 
does not affect our code.