Your message dated Mon, 04 Dec 2006 16:02:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#380273: fixed in dhcp 2.0pl5-19.5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: dhcp
Version: 2.0pl5-19.1

There is a bug in ISC DHCP server version 2 that causes the server to
unexpectedly exit when it receives a DHCPOFFER packet with a
client-identifier option which is exactly 32 bytes long.

A malicious user could use this as a sort of denial of service attack on
a version 2 dhcp server.  This does not appear to be a problem with the
dhcp version 3 server.

Explanation of the bug:
The DHCP server has a lease struct which contains a buffer (uid_buf)
which is 32 bytes long.  If it needs more space, it simply malloc's new
storage.  There is an edge condition in supersede_lease() from memory.c
that causes a 32 byte client-identifier to be mistakenly interpreted as
a corrupt uid, and so the server exits with the message "corrupt lease
uid."

To reproduce:
You can use the dhclient included in the dhcp package.  Set up a "send
dhcp-client-identifier" directive to send a 32 byte client-identifier,
and then activate dhclient.  The dhcp server will exit as soon as it
receives the DHCPDISCOVER packet.

More info:
This is not a stack overflow issue.  There does not seem to be any
possibility of remote compromise from this issue. 

Windows clients generally do not send client-identifier options greater
than 6 bytes, but it looks like Mac OS X uses a longer string.  That is
how we originally noticed the issue.

The short patch below resolves the issue.

Andrew Steets
Wayport Software Engineering
[EMAIL PROTECTED]
(512) 519-6061


*** common/memory.c     1999-05-27 12:47:43.000000000 -0500
--- ../fixed/dhcp-2.0pl5/common/memory.c        2006-07-28 14:25:32.796953968 
-0500
***************
*** 528,534 ****
                /* Copy the data files, but not the linkages. */
                comp -> starts = lease -> starts;
                if (lease -> uid) {
!                       if (lease -> uid_len < sizeof (lease -> uid_buf)) {
                                memcpy (comp -> uid_buf,
                                        lease -> uid, lease -> uid_len);
                                comp -> uid = &comp -> uid_buf [0];
--- 528,534 ----
                /* Copy the data files, but not the linkages. */
                comp -> starts = lease -> starts;
                if (lease -> uid) {
!                       if (lease -> uid_len <= sizeof (lease -> uid_buf)) {
                                memcpy (comp -> uid_buf,
                                        lease -> uid, lease -> uid_len);
                                comp -> uid = &comp -> uid_buf [0];
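Review bot: the change from `<` to `<=` in the `uid_len` test is the right boundary for this hunk, since the `memcpy` that follows copies exactly `uid_len` bytes into `uid_buf`, and a uid of `sizeof (lease -> uid_buf)` bytes fills the buffer without overrunning it; under the old strict test that length fell through to the else branch, which is not shown here but which the report says ends in the "corrupt lease uid" exit. Before merging, grep `memory.c` for every other comparison of `uid_len` against `sizeof (lease -> uid_buf)` (in particular wherever the "corrupt lease uid" message is raised) and make sure each uses the same inclusive boundary, otherwise a 32-byte identifier that is now stored inline could still be rejected by a sibling check.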




--- End Message ---
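The following is an added example, not code from the bug report or from ISC dhcp: a simplified C model of the lease record described above (a 32-byte inline `uid_buf` with a heap fallback for longer identifiers), with the original strict `<` comparison beside the patched inclusive `<=`. The struct layout, the function names (`uid_fits_inline`, `lease_set_uid`, `lease_free_uid`) and the heap fallback path are assumptions for illustration; only the 32-byte buffer and the `<` versus `<=` boundary come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the lease record the report describes: a 32-byte
 * inline buffer (uid_buf) for short client identifiers, with longer ones
 * assumed to live on the heap. Names mirror the report, not dhcp's code. */
#define UID_BUF_SIZE 32

struct lease {
    unsigned char *uid;                  /* points at uid_buf or a heap block */
    size_t uid_len;
    unsigned char uid_buf[UID_BUF_SIZE];
    int uid_on_heap;                     /* 1 if uid was obtained from malloc */
};

/* The boundary test in isolation. strict != 0 reproduces the original
 * strict `<` comparison; strict == 0 is the patched inclusive `<=`. */
int uid_fits_inline(size_t uid_len, int strict)
{
    return strict ? (uid_len < (size_t)UID_BUF_SIZE)
                  : (uid_len <= (size_t)UID_BUF_SIZE);
}

/* Store a client identifier in the lease, choosing inline or heap storage
 * by uid_fits_inline(). Returns 0 on success, -1 if malloc fails. */
int lease_set_uid(struct lease *l, const unsigned char *uid, size_t uid_len,
                  int strict)
{
    if (uid_fits_inline(uid_len, strict)) {
        /* At most UID_BUF_SIZE bytes are copied, so this cannot overrun
         * uid_buf even when uid_len == UID_BUF_SIZE: the inclusive test is
         * the largest bound that is still safe for this memcpy. */
        memcpy(l->uid_buf, uid, uid_len);
        l->uid = l->uid_buf;
        l->uid_on_heap = 0;
    } else {
        unsigned char *p = malloc(uid_len);   /* assumed fallback path */
        if (!p)
            return -1;
        memcpy(p, uid, uid_len);
        l->uid = p;
        l->uid_on_heap = 1;
    }
    l->uid_len = uid_len;
    return 0;
}

/* Release heap storage if the uid was not stored inline. */
void lease_free_uid(struct lease *l)
{
    if (l->uid_on_heap)
        free(l->uid);
    l->uid = NULL;
    l->uid_len = 0;
    l->uid_on_heap = 0;
}

/* Sweep lengths 0..64: returns 1 if the strict and inclusive tests disagree
 * only at exactly UID_BUF_SIZE bytes, which is the reported edge case. */
int boundary_differs_only_at_32(void)
{
    size_t n;
    for (n = 0; n <= 2 * UID_BUF_SIZE; n++) {
        int a = uid_fits_inline(n, 1), b = uid_fits_inline(n, 0);
        if (n == UID_BUF_SIZE) {
            if (a || !b)
                return 0;
        } else if (a != b) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    struct lease l;
    unsigned char id[UID_BUF_SIZE];
    memset(&l, 0, sizeof l);
    memset(id, 0xAB, sizeof id);    /* constructed 32-byte client-identifier */
    if (lease_set_uid(&l, id, sizeof id, 0) != 0)
        return 1;
    printf("32-byte uid stored %s\n", l.uid_on_heap ? "on heap" : "inline");
    lease_free_uid(&l);
    return 0;
}
```

The point the sweep makes is that the two comparisons agree everywhere except at length 32: with `<`, a 32-byte identifier is the only value that fits the buffer but is routed away from it, which is exactly the kind of off-by-one a reviewer should look for whenever a length is compared against `sizeof` a fixed buffer before a `memcpy` of that length.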
--- Begin Message ---
Source: dhcp
Source-Version: 2.0pl5-19.5

We believe that the bug you reported is fixed in the latest version of
dhcp, which is due to be installed in the Debian FTP archive:

dhcp-client-udeb_2.0pl5-19.5_amd64.udeb
  to pool/main/d/dhcp/dhcp-client-udeb_2.0pl5-19.5_amd64.udeb
dhcp-client_2.0pl5-19.5_amd64.deb
  to pool/main/d/dhcp/dhcp-client_2.0pl5-19.5_amd64.deb
dhcp-relay_2.0pl5-19.5_amd64.deb
  to pool/main/d/dhcp/dhcp-relay_2.0pl5-19.5_amd64.deb
dhcp_2.0pl5-19.5.diff.gz
  to pool/main/d/dhcp/dhcp_2.0pl5-19.5.diff.gz
dhcp_2.0pl5-19.5.dsc
  to pool/main/d/dhcp/dhcp_2.0pl5-19.5.dsc
dhcp_2.0pl5-19.5_amd64.deb
  to pool/main/d/dhcp/dhcp_2.0pl5-19.5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Barth <[EMAIL PROTECTED]> (supplier of updated dhcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  4 Dec 2006 15:15:00 +0000
Source: dhcp
Binary: dhcp dhcp-client dhcp-client-udeb dhcp-relay
Architecture: source amd64
Version: 2.0pl5-19.5
Distribution: unstable
Urgency: low
Maintainer: Eloy A. Paris <[EMAIL PROTECTED]>
Changed-By: Andreas Barth <[EMAIL PROTECTED]>
Description: 
 dhcp       - DHCP server for automatic IP address assignment
 dhcp-client - DHCP Client
 dhcp-client-udeb - DHCP Client for debian-installer (udeb)
 dhcp-relay - DHCP Relay
Closes: 322860 380273
Changes: 
 dhcp (2.0pl5-19.5) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Add 117_fix_CVE-2006-3122 to fix remote DOS, CVE-2006-3122.
     Thanks to Andrew Steets for detecting and the patch. Closes: #380273
   * Update 202_script_resolvconf-support to not break resolv.conf even if
     domain_name is empty/undefined.  Closes: #322860
Files: 
 4fc6878de216c3b1582643b20067371d 673 net optional dhcp_2.0pl5-19.5.dsc
 f9960cf650f06455f075cec2d891c196 107816 net optional dhcp_2.0pl5-19.5.diff.gz
 11687932b23aac23b90df0abc6e421c2 116272 net optional dhcp_2.0pl5-19.5_amd64.deb
 424ccc154ef05cad98fbc1bfcbcbc046 108866 net optional dhcp-client_2.0pl5-19.5_amd64.deb
 4124757171094499c4af9a60e046248c 76236 net optional dhcp-relay_2.0pl5-19.5_amd64.deb
 0619527015f1fdd4bb2eb6d881159c6f 46746 debian-installer optional dhcp-client-udeb_2.0pl5-19.5_amd64.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFdEMpmdOZoew2oYURAiMwAJ9ZRjcQkNgGQQN/Q1mKv88IOL/DnQCgk/ie
DdkEubWEhTmE97AkdKCMlS4=
=vKv0
-----END PGP SIGNATURE-----


--- End Message ---
