dhcpcd5: CVE-2019-11577: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses

Related Vulnerabilities: CVE-2019-11577, CVE-2019-11578, CVE-2019-11579, CVE-2019-11766

Debian Bug report logs - #928105
dhcpcd5: CVE-2019-11577: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses

Reported by: "Timo Sigurdsson" <public_timo.s@silentcreek.de>

Date: Sat, 27 Apr 2019 01:57:01 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in version dhcpcd5/7.1.0-1

Fixed in version dhcpcd5/7.1.0-2

Done: Scott Leggett <scott@sl.id.au>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Scott Leggett <scott@sl.id.au>:
Bug#928056; Package dhcpcd5. (Sat, 27 Apr 2019 01:57:04 GMT)


Acknowledgement sent to "Timo Sigurdsson" <public_timo.s@silentcreek.de>:
New Bug report received and forwarded. Copy sent to Scott Leggett <scott@sl.id.au>. (Sat, 27 Apr 2019 01:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Timo Sigurdsson" <public_timo.s@silentcreek.de>
To: submit@bugs.debian.org, scott@sl.id.au, team@security.debian.org
Subject: dhcpcd5: Open security issues in dhcpcd5 prior to 7.2.1 affecting all versions found in Debian
Date: Sat, 27 Apr 2019 03:46:02 +0200 (CEST)
Package: dhcpcd5
Version: any
Severity: serious

Dear Maintainer,

upstream released a new version of dhcpcd5 fixing three security issues. All versions currently found in Debian (jessie, stretch, buster, sid) are vulnerable to at least two of these issues, according to the announcement on upstream's mailing list [1].

The fixed issues are (copied from upstream's announcement):
  *  auth: Use consttime_memequal to avoid latency attack
     consttime_memequal is supplied if libc does not support it
     dhcpcd >=6.2 <7.2.1 are vulnerable

  *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
     dhcpcd >=4 <7.2.1 are vulnerable

  *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
     dhcpcd >=7 <7.2.1 are vulnerable


Upstream provides a patch series for version 7 which would be relevant for buster and sid [2]. In addition, version 6.10.6 was released with backported fixes for the first two issues [3][4]. These might be useful for backporting to stretch and wheezy as they ship versions 6.10.1 and 6.0.5.

Please consider applying/backporting those patches to the dhcpcd versions found in Debian. I have not checked the exploitability of these issues, so the severity might not be as serious. But I marked it serious anyway to make sure this issue doesn't fly under the radar.


Thanks and regards,

Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002415.html
[2] https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
[3] https://roy.marples.name/git/dhcpcd.git/patch/?id=3ad25d3b306c890df8a15250f5ded70764075aa8
[4] https://roy.marples.name/git/dhcpcd.git/patch/?id=b6605465e1ab8f9cb82bf6707c517505991f18a4
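The third item in the report concerns reading addresses out of DHCPv6 IA_NA/IA_TA options. As an added illustration (not dhcpcd's code and not the upstream patch), the sketch below shows the kind of length validation a parser for these options needs before it copies an address; the option code and field sizes follow RFC 8415, and the function names and sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define D6_OPTION_IAADDR 5 /* IA Address option code (RFC 8415) */
#define IA_NA_HDR 12       /* IAID + T1 + T2 precede the sub-options */
#define IAADDR_MIN 24      /* 16-byte address + two 32-bit lifetimes */

/* Hypothetical helper: copy every address out of one IA option body.
 * Returns the count, or -1 if a length field disagrees with the bytes
 * actually received or the output array is full. */
int ia_collect_addrs(const uint8_t *body, size_t len, size_t hdr,
                     uint8_t out[][16], size_t max)
{
    size_t off = hdr, n = 0;
    if (len < hdr)
        return -1;                 /* truncated IA header */
    while (off < len) {
        if (len - off < 4)
            return -1;             /* no room for code + length */
        unsigned code = (unsigned)body[off] << 8 | body[off + 1];
        size_t olen = (size_t)body[off + 2] << 8 | body[off + 3];
        off += 4;
        if (olen > len - off)
            return -1;             /* claimed length overruns the buffer */
        if (code == D6_OPTION_IAADDR) {
            if (olen < IAADDR_MIN || n == max)
                return -1;         /* short option or no space left */
            memcpy(out[n++], body + off, 16);
        }
        off += olen;
    }
    return (int)n;
}

/* Constructed sample: IA_NA body with one IAADDR for 2001:db8::1. */
static const uint8_t sample[IA_NA_HDR + 4 + IAADDR_MIN] = {
    [12] = 0, 5, 0, 24, 0x20, 0x01, 0x0d, 0xb8, [31] = 0x01 };

/* Parse only the first `len` bytes of the sample, as a short read would. */
int parse_sample(size_t len, size_t max)
{
    uint8_t addrs[2][16];
    return ia_collect_addrs(sample, len, IA_NA_HDR, addrs, max);
}

int main(void)
{
    printf("full=%d short=%d\n", parse_sample(40, 2), parse_sample(32, 2));
    return 0;
}
```

For an IA_TA option the same walk applies with a 4-byte header (IAID only) passed as `hdr`.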



Added tag(s) security. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 27 Apr 2019 06:51:04 GMT)


Marked as found in versions dhcpcd5/5.2.7-3. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 27 Apr 2019 06:51:05 GMT)


No longer marked as found in versions any. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 27 Apr 2019 06:51:05 GMT)


Marked as found in versions dhcpcd5/7.1.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Apr 2019 06:57:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#928056; Package dhcpcd5. (Sat, 27 Apr 2019 14:15:02 GMT)


Acknowledgement sent to Scott Leggett <scott@sl.id.au>:
Extra info received and forwarded to list. (Sat, 27 Apr 2019 14:15:02 GMT)


Message #18 received at 928056@bugs.debian.org:

From: Scott Leggett <scott@sl.id.au>
To: Timo Sigurdsson <public_timo.s@silentcreek.de>, 928056@bugs.debian.org
Subject: Re: Bug#928056: dhcpcd5: Open security issues in dhcpcd5 prior to 7.2.1 affecting all versions found in Debian
Date: Sun, 28 Apr 2019 00:02:38 +1000
On 2019-04-27.03:46, Timo Sigurdsson wrote:
>   *  auth: Use consttime_memequal to avoid latency attack
>      consttime_memequal is supplied if libc does not support it
>      dhcpcd >=6.2 <7.2.1 are vulnerable
> 
>   *  DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
>      dhcpcd >=4 <7.2.1 are vulnerable
> 
>   *  DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
>      dhcpcd >=7 <7.2.1 are vulnerable

Hi Timo,

Thanks for the heads up, I agree with the severity.
I'll put together some uploads to fix this in the next few days.

-- 
Regards,
Scott Leggett.

Bug reassigned from package 'dhcpcd5' to 'src:dhcpcd5'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Apr 2019 09:09:03 GMT)


No longer marked as found in versions dhcpcd5/7.1.0-1 and dhcpcd5/5.2.7-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Apr 2019 09:09:03 GMT)


Marked as found in versions dhcpcd5/7.1.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Apr 2019 09:09:04 GMT)


Bug 928056 cloned as bugs 928104, 928105. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Apr 2019 09:09:04 GMT)


Changed Bug title to 'dhcpcd5: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses' from 'dhcpcd5: Open security issues in dhcpcd5 prior to 7.2.1 affecting all versions found in Debian'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Apr 2019 09:09:08 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Apr 2019 09:09:09 GMT)


Changed Bug title to 'dhcpcd5: CVE-2019-11577: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses' from 'dhcpcd5: DHCPv6: Fix a potential buffer overflow reading NA/TA addresses'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Apr 2019 17:30:02 GMT)


Reply sent to Scott Leggett <scott@sl.id.au>:
You have taken responsibility. (Tue, 07 May 2019 15:51:08 GMT)


Notification sent to "Timo Sigurdsson" <public_timo.s@silentcreek.de>:
Bug acknowledged by developer. (Tue, 07 May 2019 15:51:08 GMT)


Message #37 received at 928105-close@bugs.debian.org:

From: Scott Leggett <scott@sl.id.au>
To: 928105-close@bugs.debian.org
Subject: Bug#928105: fixed in dhcpcd5 7.1.0-2
Date: Tue, 07 May 2019 15:48:35 +0000
Source: dhcpcd5
Source-Version: 7.1.0-2

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928105@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Leggett <scott@sl.id.au> (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 21:55:14 +0800
Source: dhcpcd5
Binary: dhcpcd5 dhcpcd5-dbgsym
Architecture: source amd64
Version: 7.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Scott Leggett <scott@sl.id.au>
Changed-By: Scott Leggett <scott@sl.id.au>
Description:
 dhcpcd5    - DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
Closes: 928056 928104 928105 928440
Changes:
 dhcpcd5 (7.1.0-2) unstable; urgency=high
 .
   * Apply upstream patches to fix potential security vulnerabilities:
     CVE-2019-11578, CVE-2019-11579, CVE-2019-11577, and CVE-2019-11766.
     (Closes: #928056, #928104, #928105, #928440)
   * Add lintian override for upstream patch spelling




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 07:29:58 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:20:51 2019; Machine Name: buxtehude