[adding debian-lts@lists.debian.org to CC for visibility]

Hi dhcpcd developers,

I'm trying to backport two recent CVEs to the dhcpcd 6.0.5 (!)
codebase as part of the Debian LTS [0] and I was just checking in to
get your response to a few thoughts of mine.

The first is about CVE-2019-11579 regarding the 1-byte read overflow
with the handling of DHO_OPTSOVERLOADED. The diff in question [1]
that remedies this essentially just moves some code out of the case
handling, but this code is not part of dhcpcd 6.0.5 which only has:

                case DHO_OPTIONSOVERLOADED:
                        /* Ensure we only get this option once by setting
                         * the last bit as well as the value.
                         * This is valid because only the first two bits
                         * actually mean anything in RFC2132 Section 9.3 */
                        if (!overl)
                                overl = 0x80 | p[1];
                        break;

… as part of the case statement. Does this mean that 6.0.5 is not
vulnerable to CVE-2019-11579 or that it *is* because it lacks the
underlying check?

Secondly, I am looking at CVE-2019-11766 which is regarding the buffer
over-read in D6_OPTION_PD_EXCLUDE, but I don't think support for DHCP
prefix lengths was even implemented in 6.0.5. The two diffs that
address this issue [2][3] appear to confirm this by referencing code
that is not part of that version.

Very much looking forward to hearing your input on these.

  [0] https://wiki.debian.org/LTS/
  [1] https://roy.marples.name/cgit/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8
  [2] https://roy.marples.name/cgit/dhcpcd.git/commit/?&id=c1ebeaafeb324bac997984abdcee2d4e8b61a8a8
  [3] https://roy.marples.name/cgit/dhcpcd.git/commit/?&id=896ef4a54b0578985e5e1360b141593f1d62837b


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
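The quoted `case DHO_OPTIONSOVERLOADED:` branch reads the option's value byte, `p[1]`, so the class of bug CVE-2019-11579 describes (a 1-byte read past the end of the options buffer) is avoided only if the caller has already verified that both the length byte and the value byte lie inside the buffer. The following bounds-checked option walker is an added illustration of that check, not dhcpcd's code: it is a minimal stand-alone parser written for this thread, the option codes 0/52/255 are the RFC 2132 values, and the `scan_overload` name, its return convention (the `0x80 | value` "seen" idiom from the quoted snippet, or -1 for a malformed buffer) and the sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 2132 option codes used by this example. */
#define DHO_PAD               0
#define DHO_OPTIONSOVERLOADED 52
#define DHO_END               255

/* Walk a DHCP options buffer of `len` bytes (hypothetical helper for this
 * example). Returns the overload value as 0x80 | value, mirroring the
 * "only accept this option once" idiom in the quoted dhcpcd snippet, 0 if
 * the option is absent, or -1 if an option header or body would extend
 * past the end of the buffer (the read that is refused here is the kind
 * of 1-byte over-read the CVE describes). */
int scan_overload(const uint8_t *p, size_t len)
{
    size_t i = 0;
    int overl = 0;

    while (i < len) {
        uint8_t code = p[i];

        if (code == DHO_PAD) {          /* single-byte option, no length */
            i++;
            continue;
        }
        if (code == DHO_END)            /* single-byte terminator */
            break;

        /* The length byte must exist before it is read. */
        if (i + 1 >= len)
            return -1;
        size_t olen = p[i + 1];

        /* The whole body must fit; i + 2 <= len holds here, so no wrap. */
        if (olen > len - (i + 2))
            return -1;
        const uint8_t *val = p + i + 2;

        switch (code) {
        case DHO_OPTIONSOVERLOADED:
            /* A zero-length option has no value byte; reading val[0]
             * would be the over-read, so reject the packet instead. */
            if (olen < 1)
                return -1;
            if (!overl)
                overl = 0x80 | val[0];
            break;
        default:
            /* Other options are skipped in this example. */
            break;
        }
        i += 2 + olen;
    }
    return overl;
}

int main(void)
{
    /* Constructed sample buffers. */
    const uint8_t well_formed[] = { DHO_OPTIONSOVERLOADED, 1, 3, DHO_END };
    const uint8_t no_length[]   = { DHO_OPTIONSOVERLOADED };
    const uint8_t zero_length[] = { DHO_OPTIONSOVERLOADED, 0, DHO_END };
    const uint8_t body_runs_off[] = { DHO_OPTIONSOVERLOADED, 5, 1 };

    printf("well formed:    %d\n", scan_overload(well_formed, sizeof well_formed));
    printf("no length byte: %d\n", scan_overload(no_length, sizeof no_length));
    printf("zero length:    %d\n", scan_overload(zero_length, sizeof zero_length));
    printf("body runs off:  %d\n", scan_overload(body_runs_off, sizeof body_runs_off));
    return 0;
}
```

The three rejected cases are the ones a fixed-size `p[1]` read cannot distinguish on its own: the length byte itself is missing, the length byte says there is no value, or the declared body runs past the buffer. A backport of the fix for 6.0.5 would need an equivalent check to sit between the option loop and the `case` branch quoted above.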
