Bug 963550 (CVE-2016-1503) - VUL-0: CVE-2016-1503: dhcpcd: heap overflow via malformed dhcp responses in print_option (via dhcp_envoption1) due to incorrect op...
Summary: VUL-0: CVE-2016-1503: dhcpcd: heap overflow via malformed dhcp responses in p...
Status: RESOLVED INVALID
Alias: CVE-2016-1503
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Major
Target Milestone: ---
Assignee: Peter Varkoly
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/160417/
Reported: 2016-01-26 09:30 UTC by Marcus Meissner
Modified: 2016-01-26 09:32 UTC

Found By: Security Response Team


Description Marcus Meissner 2016-01-26 09:30:27 UTC
CVE-2016-1503

http://roy.marples.name/projects/dhcpcd/info/76a1609352263bd9def1300d7ba990679571fa30

    dhcp_optlen now returns the length of the data we can sanely work on
    given the option definition and data length. Call dhcp_optlen in
    dhcp_envoption1 to ensure these bounds are not overstepped.
    Fixes an issue reported by Nico Golde where extra undersized data was
    present in the option. An example of this would be an array of
    uint16's with a trailing byte.


        can lead to a heap overflow via malformed dhcp responses later in
        print_option (via dhcp_envoption1) due to incorrect option length
        values


References:
http://seclists.org/oss-sec/2016/q1/38
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1503.html
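
The bound described in the commit message above, as an added example that is not dhcpcd's code or part of the original report: a hypothetical `usable_len` helper rounds an option's data length down to whole elements, so a uint16 array with a trailing byte is parsed as two elements and the stray byte is never read. The struct, the function names, the scalar handling and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified option definition (not dhcpcd's own struct). */
struct opt_def {
    size_t elem_size; /* bytes per element: 1, 2 or 4; 0 means opaque data */
    int    is_array;  /* nonzero if the option carries repeated elements */
};

/* Return how many bytes of a dl-byte option can be parsed as whole
 * elements of the defined type; 0 when not even one element fits. */
static size_t usable_len(const struct opt_def *def, size_t dl)
{
    if (def->elem_size == 0)
        return dl;                     /* opaque: every byte is usable */
    if (dl < def->elem_size)
        return 0;                      /* undersized: nothing to parse */
    if (!def->is_array)
        return def->elem_size;         /* scalar: extra bytes are ignored */
    return dl - (dl % def->elem_size); /* array: drop the partial element */
}

/* Format big-endian uint16 values; returns element count, -1 if out is too small. */
static int format_u16_array(const uint8_t *data, size_t dl, char *out, size_t outlen)
{
    const struct opt_def def = { 2, 1 };
    size_t n = usable_len(&def, dl), off = 0;
    int count = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i += 2) {   /* n is even, so data[i + 1] is in bounds */
        unsigned v = (unsigned)data[i] << 8 | data[i + 1];
        int w = snprintf(out + off, outlen - off, "%s%u", i ? " " : "", v);
        if (w < 0 || (size_t)w >= outlen - off)
            return -1;                    /* refuse to truncate or overrun */
        off += (size_t)w;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: two uint16 values followed by one trailing byte. */
    const uint8_t sample[] = { 0x00, 0x01, 0x02, 0x00, 0xff };
    char buf[32];
    int n = format_u16_array(sample, sizeof sample, buf, sizeof buf);
    printf("%d elements: %s\n", n, buf);
}
```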
Comment 1 Marcus Meissner 2016-01-26 09:32:21 UTC
Our dhcpcd 3.2.3 code in SLE11 does not contain the affected/fixed pieces of code, which were added in a later dhcpcd rewrite.

Our products are not affected.