Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue,  1 Dec 2015 23:58:47 -0500 (EST)
From: cve-assign@...re.org
To: seth.arnold@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, guidovranken@...il.com
Subject: Re: CVE Request: dhcpcd 3.x, potentially other versions too

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Guido included a patch along with AFL-discovered inputs to trigger the
> issues:
> 
> https://launchpadlibrarian.net/228152582/dhcp.c.patch
> 
> Roy Marples has already addressed these issues in upstream dhcpcd
> packages; I believe these issues may require 2012-era CVE identifiers:
> 
> http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
> 
> I believe this represents three distinct flaws: out of bounds reads beyond
> the end of the supplied packet, out of bounds write before the start of
> the 'out' parameter, and a use-after-free.

MITRE will assign CVE IDs. Do the above references mean that most of
the changed code lines in dhcp.c.patch correspond to out-of-bounds
reads shown in the
http://roy.marples.name/projects/dhcpcd/fdiff?sbs=1&v1=63689c50411b0920&v2=dad877391ea5b128
diff, the change from "(l = *q++)" to "(l = *q++) && q - p < len"
corresponds to an out-of-bounds write, the deletion of "free
(dhcp->dnssearch)" corresponds to a use-after-free, and nothing else
in the 2012 part of the http://roy.marples.name reference is a new
vulnerability? (This is just a guess.)

The reason we're asking this and not immediately sending three CVE IDs
is that someone at MITRE will ultimately use, or at least consider
using, both https://launchpadlibrarian.net/228152582/dhcp.c.patch and
http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
to describe what the CVEs mean. If there's already information about
the equivalences between these references, that will make this process
easier, and also further confirm that three IDs is the right number.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWXnlaAAoJEL54rhJi8gl5Q/0QAJzOV3xnzo16eq+p9b8MJSC1
ZLSo7294EIeH1CzEDI4oQ2xS131awBKe8vBZl3zkp/LAaRyX6RJlIaaryAXKY6/v
UleGiE/PoEewBUzrP1CkavScF+u8u/xq3lhSWA21v7p5QQrTal90S/aOxkEErNNJ
OEnS8PEFBJLq3bI5K/jlUz0rlc3WA1yjIMws0rRjPwqJ+ZvHMKhfXRG8/pYgIyYi
UEvVF4IBZ015GQVuomkidtPJFB2R3a9YkAT2Kv7HER0Ub071uLU/J2+HeOV79KBu
Dg36gKbJDgXXBLP/UombCVgXZWURwPH/tUg62Ilq8J9GSJAaHuLStjdWXMwhFyJJ
bVTX6BJ5pM9qkZ3V0alTBBILVvqBNR6Pc/uMIsxVF38nr3aa2daUUXhAaMvKLgE0
1X+5oAvQE3GHn6i2aLCBziKNMx3y5n5kNdDfcmzEPSWnciOAcmWDxXjgh6I2X51r
/KmD/An5wkriQqCbzGAzB5lUw/OIYN5YrJIpkvJNC5aCWZOT/e7W1eswEvf0falx
Q1ZRmDU5HulEtyA5mKGenaNWfxs5BsDwhwwkTEvn9+Gi4gx9LoyNeGDTg7THzcdB
vOKOldjBEEgmr4Z5bFJulCMa38SZUw2Idiv2CR30i/YGFYZX2L8s1NOuG9W3J7YK
r8NaHJ5vFJeH+sNqOhZf
=jJ31
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ