isc-dhcp: CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient

Related Vulnerabilities: CVE-2021-25217

Debian Bug report logs - #989157

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 27 May 2021 04:42:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions isc-dhcp/4.4.1-2, isc-dhcp/4.4.1-2.2

Fixed in version isc-dhcp/4.4.1-2.3

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian ISC DHCP Maintainers <isc-dhcp@packages.debian.org>:
Bug#989157; Package src:isc-dhcp. (Thu, 27 May 2021 04:42:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian ISC DHCP Maintainers <isc-dhcp@packages.debian.org>. (Thu, 27 May 2021 04:42:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: isc-dhcp: CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient
Date: Thu, 27 May 2021 06:39:50 +0200
Source: isc-dhcp
Version: 4.4.1-2.2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 4.4.1-2

Hi,

The following vulnerability was published for isc-dhcp.

CVE-2021-25217[0]:
| In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2
| (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or
| lower and releases in the 4.3.x series) are beyond their End-of-Life
| (EOL) and no longer supported by ISC. From inspection it is clear that
| the defect is also present in releases from those series, but they
| have not been officially tested for the vulnerability), The outcome of
| encountering the defect while reading a lease that will trigger it
| varies, according to: the component being affected (i.e., dhclient or
| dhcpd) whether the package was built as a 32-bit or 64-bit binary
| whether the compiler flag -fstack-protection-strong was used when
| compiling In dhclient, ISC has not successfully reproduced the error
| on a 64-bit system. However, on a 32-bit system it is possible to
| cause dhclient to crash when reading an improper lease, which could
| cause network connectivity problems for an affected system due to the
| absence of a running DHCP client process. In dhcpd, when run in DHCPv4
| or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit
| architecture AND the -fstack-protection-strong flag was specified to
| the compiler, dhcpd may exit while parsing a lease file containing an
| objectionable lease, resulting in lack of service to clients.
| Additionally, the offending lease and the lease immediately following
| it in the lease database may be improperly deleted. if the dhcpd
| server binary was built for a 64-bit architecture OR if the -fstack-
| protection-strong compiler flag was NOT specified, the crash will not
| occur, but it is possible for the offending lease and the lease which
| immediately followed it to be improperly deleted.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-25217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25217
[1] https://kb.isc.org/docs/cve-2021-25217
[2] https://www.openwall.com/lists/oss-security/2021/05/26/6

Regards,
Salvatore



Marked as found in versions isc-dhcp/4.4.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 27 May 2021 04:42:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian ISC DHCP Maintainers <isc-dhcp@packages.debian.org>:
Bug#989157; Package src:isc-dhcp. (Thu, 27 May 2021 05:27:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP Maintainers <isc-dhcp@packages.debian.org>. (Thu, 27 May 2021 05:27:03 GMT).


Message #12 received at 989157@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 989157@bugs.debian.org
Subject: isc-dhcp: diff for NMU version 4.4.1-2.3
Date: Thu, 27 May 2021 07:25:29 +0200
Control: tags 989157 + patch
Control: tags 989157 + pending


Dear maintainer,

I've prepared an NMU for isc-dhcp (versioned as 4.4.1-2.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer (or even if fine with the NMU and want me to
reschedule).

Regards,
Salvatore
[isc-dhcp-4.4.1-2.3-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989157-submit@bugs.debian.org. (Thu, 27 May 2021 05:27:03 GMT).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 989157-submit@bugs.debian.org. (Thu, 27 May 2021 05:27:03 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 29 May 2021 05:51:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 29 May 2021 05:51:03 GMT).


Message #21 received at 989157-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989157-close@bugs.debian.org
Subject: Bug#989157: fixed in isc-dhcp 4.4.1-2.3
Date: Sat, 29 May 2021 05:48:29 +0000
Source: isc-dhcp
Source-Version: 4.4.1-2.3
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
isc-dhcp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989157@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated isc-dhcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 27 May 2021 06:59:48 +0200
Source: isc-dhcp
Architecture: source
Version: 4.4.1-2.3
Distribution: unstable
Urgency: high
Maintainer: Debian ISC DHCP Maintainers <isc-dhcp@packages.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 989157
Changes:
 isc-dhcp (4.4.1-2.3) unstable; urgency=high
 .
   * Non-maintainer upload.
   * A buffer overrun in lease file parsing code can be used to exploit a
     common vulnerability shared by dhcpd and dhclient (CVE-2021-25217)
     (Closes: #989157)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat May 29 12:44:22 2021; Machine Name: bembo
