Package: dhcpcd5
Version: any
Severity: serious

Dear Maintainer,

upstream released a new version of dhcpcd5 fixing three security issues. All 
versions currently found in Debian (jessie, stretch, buster, sid) are 
vulnerable to at least two of these issues, according to the announcement on 
upstream's mailing list [1].

The fixed issues are (copied from upstream's announcement):
  *  auth: Use consttime_memequal to avoid latency attack. consttime_memequal is
     supplied if libc does not support it.
     dhcpcd >=6.2 <7.2.1 are vulnerable

  *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
     dhcpcd >=4 <7.2.1 are vulnerable

  *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
     dhcpcd >=7 <7.2.1 are vulnerable


Upstream provides a patch series for version 7 which would be relevant for 
buster and sid [2]. In addition, version 6.10.6 was released with backported 
fixes for the first two issues [3][4]. These might be useful for backporting to 
stretch and wheezy as they ship versions 6.10.1 and 6.0.5.

Please consider applying/backporting those patches to the dhcpcd versions found 
in Debian. I have not checked the exploitability of these issues, so the 
severity might not be as serious. But I marked it serious anyway to make sure 
this issue doesn't fly under the radar.


Thanks and regards,

Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002415.html
[2] https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
[3] https://roy.marples.name/git/dhcpcd.git/patch/?id=3ad25d3b306c890df8a15250f5ded70764075aa8
[4] https://roy.marples.name/git/dhcpcd.git/patch/?id=b6605465e1ab8f9cb82bf6707c517505991f18a4
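The first fix above replaces a plain comparison of the DHCP authentication digest with consttime_memequal. The following is an added example, not code from dhcpcd or from the report, showing why that matters: an early-exit comparison stops at the first differing byte, so the number of bytes it touches (and therefore the response latency an attacker can measure) reveals how many leading bytes of a guessed digest were right. The constant-time version touches every byte and derives the result without a data-dependent branch. The digests below are constructed 16-byte values (the HMAC-MD5 size used by DHCP authentication); the function names early_exit_equal and ct_memequal are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison (what a plain memcmp does): stops at the first
 * differing byte. If examined is non-NULL it receives the number of bytes
 * touched, which is the quantity a remote attacker estimates from latency.
 * Returns 1 if equal, 0 otherwise. */
static int early_exit_equal(const unsigned char *a, const unsigned char *b,
                            size_t n, size_t *examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (examined)
                *examined = i + 1;
            return 0;
        }
    }
    if (examined)
        *examined = n;
    return 1;
}

/* Constant-time comparison with the same contract as NetBSD's
 * consttime_memequal(): every byte is read, differences are accumulated
 * with OR, and the result is derived arithmetically rather than by a
 * branch on the data. Returns 1 if equal, 0 otherwise; examined is always n. */
static int ct_memequal(const unsigned char *a, const unsigned char *b,
                       size_t n, size_t *examined)
{
    const volatile unsigned char *x = a, *y = b;
    unsigned int diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (unsigned int)(x[i] ^ y[i]);
    if (examined)
        *examined = n;
    /* diff is 0..255; (diff - 1) wraps to UINT_MAX only when diff == 0,
     * so bit 8 of the result is set exactly when the inputs are equal. */
    return (int)(1u & ((diff - 1u) >> 8));
}

/* Wrappers that return only the work done, for comparing the two. */
static size_t early_exit_work(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t w = 0;
    (void)early_exit_equal(a, b, n, &w);
    return w;
}

static size_t ct_work(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t w = 0;
    (void)ct_memequal(a, b, n, &w);
    return w;
}

/* Constructed digests: the "real" one, one wrong in byte 0, one wrong only
 * in byte 15. */
static const unsigned char DIGEST_OK[16] = {
    0x5a, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
static const unsigned char DIGEST_BAD_0[16] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
static const unsigned char DIGEST_BAD_15[16] = {
    0x5a, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0x00 };

int main(void)
{
    printf("early-exit: wrong byte 0 -> %zu bytes, wrong byte 15 -> %zu bytes\n",
           early_exit_work(DIGEST_OK, DIGEST_BAD_0, 16),
           early_exit_work(DIGEST_OK, DIGEST_BAD_15, 16));
    printf("constant-time: wrong byte 0 -> %zu bytes, wrong byte 15 -> %zu bytes\n",
           ct_work(DIGEST_OK, DIGEST_BAD_0, 16),
           ct_work(DIGEST_OK, DIGEST_BAD_15, 16));
    return 0;
}
```

The early-exit variant does 1 unit of work for a guess that is wrong in the first byte and 16 for one that is wrong only in the last, which is the signal a latency attack recovers byte by byte; the constant-time variant does 16 in every case.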
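The second fix concerns DHO_OPTSOVERLOADED (DHCP option 52, which per RFC 2132 carries exactly one byte saying whether the sname and/or file fields also hold options). The report does not say how the one-byte read arises in dhcpcd, so the following added example (not dhcpcd code) only shows the generic bounds checks a DHCP option walker needs so that reading that single value byte can never run past the option or the buffer. walk_options and the sample packets are this example's own; the buffers are constructed and assumed to start just after the 4-byte magic cookie.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHO_PAD            0
#define DHO_OPTSOVERLOADED 52
#define DHO_END            255

/* Return codes: a non-negative value is the overload mask (0..3) found in
 * option 52, or 0 if the option is absent. */
enum { OPT_TRUNCATED = -1, OPT_MALFORMED = -2 };

/* Walks the option area, bounds-checking every code/len/data triple.
 * The two checks before any data byte is read are the point: the length
 * byte must be inside the buffer, and all olen data bytes must be too.
 * Option 52 additionally must have olen == 1, otherwise reading "its"
 * value byte would read whatever follows it. If noptions is non-NULL it
 * receives the number of non-pad options seen. */
static int walk_options(const uint8_t *buf, size_t len, unsigned *noptions)
{
    size_t i = 0;
    int overload = 0;
    unsigned count = 0;

    while (i < len) {
        uint8_t code = buf[i++];
        uint8_t olen;

        if (code == DHO_PAD)
            continue;
        if (code == DHO_END)
            break;
        if (i >= len)                 /* no room for the length byte */
            return OPT_TRUNCATED;
        olen = buf[i++];
        if (olen > len - i)           /* data would run past the buffer */
            return OPT_TRUNCATED;
        if (code == DHO_OPTSOVERLOADED) {
            if (olen != 1)            /* RFC 2132: exactly one byte */
                return OPT_MALFORMED;
            overload = buf[i] & 3;    /* 1 = file, 2 = sname, 3 = both */
        }
        count++;
        i += olen;
    }
    if (noptions)
        *noptions = count;
    return overload;
}

/* Constructed option areas (magic cookie already stripped). */
static const uint8_t PKT_GOOD[] = { 53, 1, 2,  52, 1, 3,  255 };
/* option 52 present with a zero length and nothing after it */
static const uint8_t PKT_OVERLOAD_EMPTY[] = { 53, 1, 2,  52, 0 };
/* option 52 code is the last byte: no length byte at all */
static const uint8_t PKT_OVERLOAD_CUT[] = { 53, 1, 2,  52 };
/* ordinary option whose declared length exceeds the buffer */
static const uint8_t PKT_HOSTNAME_CUT[] = { 12, 10, 'h', 'o' };

int main(void)
{
    unsigned n = 0;
    int r = walk_options(PKT_GOOD, sizeof PKT_GOOD, &n);
    printf("good: overload=%d options=%u\n", r, n);
    printf("overload with len 0: %d\n",
           walk_options(PKT_OVERLOAD_EMPTY, sizeof PKT_OVERLOAD_EMPTY, NULL));
    printf("overload cut off: %d\n",
           walk_options(PKT_OVERLOAD_CUT, sizeof PKT_OVERLOAD_CUT, NULL));
    printf("hostname cut off: %d\n",
           walk_options(PKT_HOSTNAME_CUT, sizeof PKT_HOSTNAME_CUT, NULL));
    return 0;
}
```

A full client would, on a non-zero overload mask, go on to walk the sname and/or file fields with the same checks; that part is left out here. The rule the example encodes is simply that no byte of an option is dereferenced before both its length byte and its declared data have been proven to lie inside the received buffer.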
