On 11/05/2019 01:48, Chris Lamb wrote:
> [adding firstname.lastname@example.org to CC for visibility]
>
> Hi dhcpcd developers,
>
> I'm trying to backport two recent CVEs to the dhcpcd 6.0.5 (!)

I don't officially support dhcpcd-6 anymore - it just gets the latest
security fix to the last release.

> codebase as part of the Debian LTS and I was just checking in to
> get your response to a few thoughts of mine.
>
> The first is about CVE-2019-11579 regarding the 1-byte read overflow
> with the handling of DHO_OPTSOVERLOADED. The diff in question
> that remedies this essentially just moves some code out of the case
> handling, but this code is not part of dhcpcd 6.0.5 which only has:
>
>     /* Ensure we only get this option once by setting
>      * the last bit as well as the value.
>      * This is valid because only the first two bits
>      * actually mean anything in RFC2132 Section 9.3 */
>     overl = 0x80 | p;
>
> … as part of the case statement. Does this mean that 6.0.5 is not
> vulnerable to CVE-2019-11579 or that it *is* because it lacks the

It is vulnerable because it looks at p.
At this point we've not checked option length OR if it's inside the buffer.

> Secondly, I am looking at CVE-2019-11766 which is regarding the buffer
> over-read in D6_OPTION_PD_EXCLUDE, but I don't think support for DHCP
> prefix lengths was even implemented in 6.0.5. The two diffs that
> address this issue appear to confirm this by referencing code
> that is not part of that version.

Correct, there is no support for D6_OPTION_PD_EXCLUDE in dhcpcd-6.0.5.
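The ordering point made in the reply above (the option length and the buffer end must be checked before the value byte p is read) as an added C example; this is not dhcpcd's code, and the option walker, the constructed sample buffers and the 0x03 mask on the overload value are assumptions of the example, with DHO_OPTSOVERLOADED taken as option 52 from RFC 2132.

```c
#include <stddef.h>
#include <stdint.h>

#define DHO_PAD            0
#define DHO_OPTSOVERLOADED 52   /* RFC 2132 section 9.3 */
#define DHO_END            255

/* Hypothetical option walker (not the dhcpcd implementation): every
 * option's length byte and payload are checked against the buffer end
 * before any payload byte is read.  Returns 0x80 | value for the first
 * DHO_OPTSOVERLOADED seen (0x80 marks "seen", bits 0-1 are the RFC
 * flags), 0 if the option is absent, or -1 if any option is malformed
 * or would run past the buffer. */
int get_option_overload(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    int overl = 0;

    while (i < len) {
        uint8_t code = buf[i++];
        if (code == DHO_PAD)
            continue;
        if (code == DHO_END)
            break;
        if (i >= len)              /* no room for the length byte */
            return -1;
        uint8_t olen = buf[i++];
        if (olen > len - i)        /* payload would run past the buffer */
            return -1;
        if (code == DHO_OPTSOVERLOADED) {
            if (olen != 1)         /* RFC 2132: fixed length of 1 */
                return -1;
            if (!(overl & 0x80))   /* keep the first occurrence only */
                overl = 0x80 | (buf[i] & 0x03);
        }
        i += olen;
    }
    return overl;
}

/* Constructed sample option buffers (not captured traffic). */
static const uint8_t good[]      = { DHO_OPTSOVERLOADED, 1, 3, DHO_END };
static const uint8_t truncated[] = { 1, 4, 255, 255, 255, 0, DHO_OPTSOVERLOADED };
static const uint8_t nopayload[] = { DHO_OPTSOVERLOADED, 1 };

int check_good(void)      { return get_option_overload(good, sizeof good); }
int check_truncated(void) { return get_option_overload(truncated, sizeof truncated); }
int check_nopayload(void) { return get_option_overload(nopayload, sizeof nopayload); }
```

The truncated buffer ends on the option code itself, which is the case where reading p without the length and bounds checks would touch one byte past the buffer.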