dhcpcd5: CVE-2014-6060: Denial of Service

Debian Bug report logs - #770043
dhcpcd5: CVE-2014-6060: Denial of Service

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Pierre Schweitzer <pierre@reactos.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Denial of Service in dhcpd5: CVE-2014-6060

Date: Tue, 18 Nov 2014 15:58:45 +0100

[Message part 1 (text/plain, inline)]

Package: dhcpcd5
Severity: important
Tags: security patch

dhcpd5 is vulnerable to the CVE-2014-6060 which can cause a denial of service:
https://security-tracker.debian.org/tracker/CVE-2014-6060

Please find attached the debdiff & dsc for NMU upload which fixes the
vulnerability in unstable.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)

[dhcpcd5_6.0.5-1.2.dsc (text/plain, attachment)]

[dhcpcd5_CVE-2014-6060.diff.gz (application/gzip, attachment)]

Message #14 received at 770043@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Pierre Schweitzer <pierre@reactos.org>, 770043@bugs.debian.org

Subject: Re: Bug#770043: Denial of Service in dhcpd5: CVE-2014-6060

Date: Tue, 18 Nov 2014 17:47:32 +0100

Hi Pierre,

On Tue, Nov 18, 2014 at 03:58:45PM +0100, Pierre Schweitzer wrote:
> Package: dhcpcd5
> Severity: important
> Tags: security patch
> 
> dhcpd5 is vulnerable to the CVE-2014-6060 which can cause a denial of service:
> https://security-tracker.debian.org/tracker/CVE-2014-6060
> 
> Please find attached the debdiff & dsc for NMU upload which fixes the
> vulnerability in unstable.

(disclaimer: not the maintainer here).

Thank you for the debdiff. I have looked at it the patch itself look
good. I have some small remarks, also in the light if an unblock for
jessie might be wanted:

The changelog only says:

  * Fix CVE-2014-6060 in dhcpcd5

Could you (now that the bugnumber is known) please also add the Closes
marker for the bug #770043. Additionally "Fix CVE-2014-6060 in
dhcpcd5" will probably not make the release team too happy when
requesting the unblock for jessie ;-). I would at least add that it
fixes a denial of service vulnerability. See [1] for the freeze
policy.

For the patch itself a suggestion: Could you add more patch headers
e.g. as per DEP3[2].

I would happily sponsor the upload then if still required (uploading
to a delayed queue, just in case we hear from Roy).

 [1] https://release.debian.org/jessie/freeze_policy.html
 [2] http://dep.debian.net/deps/dep3/

Regards,
Salvatore

Message #21 received at 770043@bugs.debian.org (full text, mbox, reply):

From: Roy Marples <roy@marples.name>

To: Salvatore Bonaccorso <carnil@debian.org>, 770043@bugs.debian.org, Pierre Schweitzer <pierre@reactos.org>

Subject: Re: Bug#770043: Denial of Service in dhcpd5: CVE-2014-6060

Date: Tue, 18 Nov 2014 16:58:39 +0000

On 18/11/2014 16:47, Salvatore Bonaccorso wrote:
> just in case we hear from Roy

I've made this known to quite a few Debian developers - I don't want
anything more to do with the Debian project. It takes me more time to
look after the Debian package than it does for the other distro's I
regularly contribute to combined. Maybe I'm doing it wrong but, frankly,
I find the whole process tedious and I'd much rather someone else deal
with this. So again, I'll say for about the 5th time in the strongest
possible way.

I NO LONGER WISH TO MAINTAIN ANY PACKAGE IN DEBIAN.
I also don't have a Debian machine anymore, it's since been re-purposed
for something else.

I still develop my software on numerous platforms and am happy to
address issues with it in Debian, just not the package itself.
If anyone wants to take it up, fine. Just subcribe to
dhcpcd-discuss@marples.name where I make release announcements or just
use the deb-watch foo which worked the last time I looked at it.

Thanks

Roy

Message #26 received at 770043@bugs.debian.org (full text, mbox, reply):

From: Pierre Schweitzer <pierre@reactos.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 770043@bugs.debian.org

Subject: Re: Bug#770043: Denial of Service in dhcpd5: CVE-2014-6060

Date: Tue, 18 Nov 2014 18:06:35 +0100

[Message part 1 (text/plain, inline)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Salvatore,

Thanks for your feedback.

Here are the fixed files, taking into account your comments.

Cheers,
Pierre

On 11/18/2014 05:47 PM, Salvatore Bonaccorso wrote:
> Hi Pierre,
> 
> On Tue, Nov 18, 2014 at 03:58:45PM +0100, Pierre Schweitzer wrote:
>> Package: dhcpcd5 Severity: important Tags: security patch
>> 
>> dhcpd5 is vulnerable to the CVE-2014-6060 which can cause a
>> denial of service: 
>> https://security-tracker.debian.org/tracker/CVE-2014-6060
>> 
>> Please find attached the debdiff & dsc for NMU upload which fixes
>> the vulnerability in unstable.
> 
> (disclaimer: not the maintainer here).
> 
> Thank you for the debdiff. I have looked at it the patch itself
> look good. I have some small remarks, also in the light if an
> unblock for jessie might be wanted:
> 
> The changelog only says:
> 
> * Fix CVE-2014-6060 in dhcpcd5
> 
> Could you (now that the bugnumber is known) please also add the
> Closes marker for the bug #770043. Additionally "Fix CVE-2014-6060
> in dhcpcd5" will probably not make the release team too happy when 
> requesting the unblock for jessie ;-). I would at least add that
> it fixes a denial of service vulnerability. See [1] for the freeze 
> policy.
> 
> For the patch itself a suggestion: Could you add more patch
> headers e.g. as per DEP3[2].
> 
> I would happily sponsor the upload then if still required
> (uploading to a delayed queue, just in case we hear from Roy).
> 
> [1] https://release.debian.org/jessie/freeze_policy.html [2]
> http://dep.debian.net/deps/dep3/
> 
> Regards, Salvatore
> 


- -- 
Pierre Schweitzer <pierre@reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUa3ybAAoJEHVFVWw9WFsLMEUQAJ+17MCquM8xP6hPHPjYTpU8
W2wsG3H5xZPsSHzbcYJ8/4CFE9qY+KkntP+z1ZV6GBK9ZgkgQ6nsC8sZGbyms+7p
Kq07zO642q3+Ab8pXV6e3C0uTIgIgLemK982GCRzCY4Vn8mxu7BjY2T0xSqZt6Yc
AnejkJigiPu0NrQBsaJqRoO9Iw8aiDidlqLQ9etm6Bu8OamGvNXwoYs0CfmD5gtI
w4l0v7Ra9xVUcAa28JNhwHD4zcIL3zcO2ad65ksGxKKCTgfVvvMUw+lywNRuVMDF
d+bJKv98wWfCZYX1eAPHBkGIwtpaAtJiFHXqYb2ePLQWJRFlcw39DiCNmllbYlKk
VxX3wVjnzJMyEhmtZ2VJqvss+Kl8Mmtr6tj/GYxP0rdBy7ozrBiaqZ8X2k39AsPe
3Bi4KoV1moRuckfgrpD3YbgPWxZr4ExnkeXhyVliARvve+duiqLhNA1NwEwvNYNB
ft/uwQaA+26AcyDh6fsOyrPbjFfRN2Wytdew+SkvMB1w7wMvh0FZEwNCeZYtCVcq
2rDS/bx7ZRnx1tYBMcfiOLn3AB6xnjc9qy6dtHR4z3kwsGcOw4d4S5C5ZJ/ekKuV
dD1LDg85hGXoaXg5BKAp4qP/z/RM5FnvZM4l6uMDbvzTIBWItBdZVNYhbnEeOtyQ
jfuH5/+MjSN9z2aPC/8q
=kLcF
-----END PGP SIGNATURE-----

[dhcpcd5_CVE-2014-6060.diff.gz (application/gzip, attachment)]

[dhcpcd5_6.0.5-1.2.dsc (text/plain, attachment)]

Message #31 received at 770043@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Roy Marples <roy@marples.name>

Cc: 770043@bugs.debian.org, Pierre Schweitzer <pierre@reactos.org>

Subject: Re: Bug#770043: Denial of Service in dhcpd5: CVE-2014-6060

Date: Tue, 18 Nov 2014 18:23:49 +0100

[Message part 1 (text/plain, inline)]

Hi Roy,

On Tue, Nov 18, 2014 at 04:58:39PM +0000, Roy Marples wrote:
> On 18/11/2014 16:47, Salvatore Bonaccorso wrote:
> > just in case we hear from Roy
> 
> I've made this known to quite a few Debian developers - I don't want
> anything more to do with the Debian project. It takes me more time to
> look after the Debian package than it does for the other distro's I
> regularly contribute to combined. Maybe I'm doing it wrong but, frankly,
> I find the whole process tedious and I'd much rather someone else deal
> with this. So again, I'll say for about the 5th time in the strongest
> possible way.
> 
> I NO LONGER WISH TO MAINTAIN ANY PACKAGE IN DEBIAN.
> I also don't have a Debian machine anymore, it's since been re-purposed
> for something else.
> 
> I still develop my software on numerous platforms and am happy to
> address issues with it in Debian, just not the package itself.
> If anyone wants to take it up, fine. Just subcribe to
> dhcpcd-discuss@marples.name where I make release announcements or just
> use the deb-watch foo which worked the last time I looked at it.

First of all thanks for your that quick feedback, I certainly wasn't
aware of that and feel sad that was such a tedious process for you. In
any case thanks for the work on the Debian package itself you did so
far!

Given the above also, can you orphan the packages properly, see
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#orphaning
such that other might be aware that the packages are up to adoption?

Regards,
Salvatore

[signature.asc (application/pgp-signature, inline)]

Message #36 received at 770043@bugs.debian.org (full text, mbox, reply):

From: Roy Marples <roy@marples.name>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 770043@bugs.debian.org, Pierre Schweitzer <pierre@reactos.org>

Subject: Re: Bug#770043: Denial of Service in dhcpd5: CVE-2014-6060

Date: Tue, 18 Nov 2014 17:47:19 +0000

[Message part 1 (text/plain, inline)]

Hi Salvatore

On 18/11/2014 17:23, Salvatore Bonaccorso wrote:
> On Tue, Nov 18, 2014 at 04:58:39PM +0000, Roy Marples wrote:
>> On 18/11/2014 16:47, Salvatore Bonaccorso wrote:
>>> just in case we hear from Roy
>>
>> I've made this known to quite a few Debian developers - I don't want
>> anything more to do with the Debian project. It takes me more time to
>> look after the Debian package than it does for the other distro's I
>> regularly contribute to combined. Maybe I'm doing it wrong but, frankly,
>> I find the whole process tedious and I'd much rather someone else deal
>> with this. So again, I'll say for about the 5th time in the strongest
>> possible way.
>>
>> I NO LONGER WISH TO MAINTAIN ANY PACKAGE IN DEBIAN.
>> I also don't have a Debian machine anymore, it's since been re-purposed
>> for something else.
>>
>> I still develop my software on numerous platforms and am happy to
>> address issues with it in Debian, just not the package itself.
>> If anyone wants to take it up, fine. Just subcribe to
>> dhcpcd-discuss@marples.name where I make release announcements or just
>> use the deb-watch foo which worked the last time I looked at it.
> 
> First of all thanks for your that quick feedback, I certainly wasn't
> aware of that and feel sad that was such a tedious process for you. In
> any case thanks for the work on the Debian package itself you did so
> far!
> 
> Given the above also, can you orphan the packages properly, see
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#orphaning
> such that other might be aware that the packages are up to adoption?

And this is the problem
I read the paragraph and see that I have to file a bug per package.
I then started reading this:
https://www.debian.org/Bugs/Reporting

As I no longer have a Debian box, I no longer have reportbug.
So that leaves me having to write custom email headers, which none of my
email clients I use support, or at least it's not obvious to me the end
user.

This is too complicated and too time consuming for a distribution I no
longer have a direct interest in supporting, especially for someone who
has never been a Debian developer.
Sorry, but even NetBSD's archaic bug handling system is easier to use
than this method, by sheer virtue of a web interface to submit bugs.

Why is this so hard?
With other distributions I just email an active $random developer and
ask them to remove me from the package. Normally job done at this point.
What possible motivation is there have to many checks in place in an
overly complicated system?

I really regret ever putting my name on the Debian packages at this
point. Please just remove it from them with my thanks.

Thanks

Roy

[signature.asc (application/pgp-signature, attachment)]

Message #41 received at 770043-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 770043-close@bugs.debian.org

Subject: Bug#770043: fixed in dhcpcd5 6.0.5-2

Date: Wed, 19 Nov 2014 19:03:58 +0000

Source: dhcpcd5
Source-Version: 6.0.5-2

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770043@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 Nov 2014 17:08:30 +0100
Source: dhcpcd5
Binary: dhcpcd5
Architecture: source amd64
Version: 6.0.5-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 dhcpcd5    - DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
Closes: 770043
Changes:
 dhcpcd5 (6.0.5-2) unstable; urgency=medium
 .
   * QA upload.
 .
   [ Pierre Schweitzer ]
   * Fix denial of service (CVE-2014-6060) in dhcpcd5. (Closes: #770043).
 .
   [ Salvatore Bonaccorso ]
   * Refresh CVE-2014-6060.patch (offset)
   * Update patch headers for CVE-2014-6060.patch.
     Wrap long lines in fields and use Description field.
     Add Applied-Upstream value.
   * Set Maintainer to Debian QA Group (cf. #770082)
Checksums-Sha1:
 9cb9500ffe349e2ad66f9bb97456a97daade0fea 1699 dhcpcd5_6.0.5-2.dsc
 7dd89b13f283a3c8be076c9c9d7a725928247b05 4156 dhcpcd5_6.0.5-2.debian.tar.xz
Checksums-Sha256:
 ef6e7f33f8ffe81e81f7c313dc7e2c716fcffce43d5c67cc5294b694068ec473 1699 dhcpcd5_6.0.5-2.dsc
 1f8a41b0176f06bb26cfe0428937a1df5d19a2af547847cade0d672cdbd67c72 4156 dhcpcd5_6.0.5-2.debian.tar.xz
Files:
 08ffeab2fe4b6591ca43e0b1fb08ff7c 1699 net optional dhcpcd5_6.0.5-2.dsc
 d5be97808852e490ddb0b3abb9abbd38 4156 net optional dhcpcd5_6.0.5-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUbObjAAoJEAVMuPMTQ89E6PIP/j2w5XgyI4/x8Pp78vnIC1yY
TWlkeL0nxpW6t6yY4cWFrT56GJonZFyCw5nCTOOt1rU6787A2koJcRb3ij/LytKg
2L3cIo248vcEgAEENPAE4qnPmZ6/Sk9Tqlo+HdomGun+MzZno2Tru9zox4ZckPwE
s+y6trIPJUGdmRp0c/k59lk/xr59kiQ1TO2IbRFOOHKywvuC/DyvLWsOUmjg6Suz
XhwNgZX6hhu8pu3b2C3/edu70qkTq96NtDQNjvVq+2WuLwMUKnDSWxlsbqs8EOvj
IgkXYJud8yY510XfM3z3A6qCS1jYnloCdG0hdT3jS4knDUIsJclwHrebNOYjscsJ
YIufnn2zuEX+gGqAhX8S6VQqTmaqVfq7lxhdzBbLV2eTTItUHoQ0cXeBGn15enOv
crASttBB/VXvA+jozNhrn8mBJlatod0LuvNeMt16TBinW3L2TjPmSDVJMbftOG3G
bAJIh6VnvuOECKN9nwjCOpSwhFmEabwubXKNPdX0sEjza9QeNZyC0aXRQQwH6n3Y
lLjflJoCSn9x6VR/141jJdvv4dbr4ZQi4e/4d4rY1qW0zteSpE/B2UAZ9vuvEw5m
xUDXInvM1ykq1lMOaDEA9b+4Xx69OQNa1pj7usxMwJn36GsDhjICplUnkgfuEb4M
qH1FW78pBQ4SchEu3pdz
=GmE9
-----END PGP SIGNATURE-----

Message #46 received at 770043-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 770043-close@bugs.debian.org

Subject: Bug#770043: fixed in dhcpcd5 5.5.6-1+deb7u1

Date: Tue, 25 Nov 2014 21:47:07 +0000

Source: dhcpcd5
Source-Version: 5.5.6-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770043@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 20 Nov 2014 13:29:49 +0100
Source: dhcpcd5
Binary: dhcpcd5
Architecture: source amd64
Version: 5.5.6-1+deb7u1
Distribution: stable
Urgency: medium
Maintainer: Roy Marples <roy@marples.name>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 dhcpcd5    - RFC2131 compliant DHCP client with IPv4LL support
Closes: 770043
Changes: 
 dhcpcd5 (5.5.6-1+deb7u1) stable; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * Fix denial of service (CVE-2014-6060) in dhcpcd5:
     - backport fix from debian unstable dhcpcd5/6.0.5-2
     (Closes: #770043)
Checksums-Sha1: 
 a530a0055923afc383f139df355b018ebc63a57e 1730 dhcpcd5_5.5.6-1+deb7u1.dsc
 7cdd668d27b64509d078204f2a5e94e8914d5a13 3763 dhcpcd5_5.5.6-1+deb7u1.debian.tar.gz
 fb77bceafc8d7250591ebdb1c75a2783494fbf33 75402 dhcpcd5_5.5.6-1+deb7u1_amd64.deb
Checksums-Sha256: 
 bd07adf030233129ab34412b09823a7a1068dbb050e976104de82847e2316fd0 1730 dhcpcd5_5.5.6-1+deb7u1.dsc
 a82658bd3275b78481037360f46121612bcaa64c00aff1f0e196e3b5f9644579 3763 dhcpcd5_5.5.6-1+deb7u1.debian.tar.gz
 b0104a5a0f127fa383e6f26ae1f224a01dd1f4ccf84aeacedb65b1d584d3ae0a 75402 dhcpcd5_5.5.6-1+deb7u1_amd64.deb
Files: 
 0d2c93468aad4c39e5cc9825ae9b7cdd 1730 net optional dhcpcd5_5.5.6-1+deb7u1.dsc
 c0b966395f45a1b65087cfce1153cb8a 3763 net optional dhcpcd5_5.5.6-1+deb7u1.debian.tar.gz
 48670d00c201710ee4e76241e47161fb 75402 net optional dhcpcd5_5.5.6-1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJUbz09AAoJEAVMuPMTQ89EI0UP/3voIFD08I/yBDVEp9OM08H+
ewUbYtDrl4tD4unqOnKuDbHYAAiNcOHhAfVw77WjdiAgPUi29OhjiPd78TLN55rW
J+ugrIG6/rq0k3J8iLvi84FTUFH2qdyK8ED5BIk44UOPpVeh6wYDSphF6yb2Mcke
JxIq+Q0d5vaSRhrfrmMBxBh4LwYclBw8pHf7aXzNI9d378H/gkVrLac+lPyNpisV
3X+Inb1PcsIfMlCjs327lIC8h+acVZ7cZcc0psn1JxPV9CFmLopR/lhlSYymVLGQ
cYlZ967FRQFpNPyb2ZQpyPLCG4X7UVZ/y/8Q9do+LbVV6OaTxj+zbs4jcTp0Oz6t
qeB2CVuL+cEXp6xJ02UUc80QS64XGpAOACsiS7H1D9lJZHFTs5ZKNVtTjKTMRPGJ
Mvm09F3x1zCZbXOwGGx8velwrsy+/pI42q5hPRPMNtrMzuQHiwqgB7PL9P2Q5UgV
F1G9J1vCeBiiCx5T6uw7K3QArVy/vljfmfFV86YI0Or/eW0TG1fWwY3INXi3oSpQ
ltbbfa6K7+hefv5hWrLMpXOzQmmpwjns3i1t7+eg9zUwDkuYkhucwb4ZRzVeOzxs
36w0LLeRwRJVtSRdiQD9+oj5j+td+GNwy3UwkpNmic6gCvKUJP8BQbuIt+NQJjeS
zlD15m0ImhDG2f/Rxa/w
=Ge/g
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.