Date: Thu,  3 Dec 2015 00:18:51 -0500 (EST)
From: cve-assign@...re.org
To: seth.arnold@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, guidovranken@...il.com
Subject: Re: CVE Request: dhcpcd 3.x, potentially other versions too


> https://launchpadlibrarian.net/228152582/dhcp.c.patch

>> I had expected this part of the diff to address the out-of-bounds writes:
>>
>>               if (out && out != start)
>>                       *(out - 1) = ' ';

>>> Ack, looks like heap[-1] OOB write to me.

Use CVE-2012-6698 for the vulnerability in which the possibility of
"out == start" wasn't considered, leading to an out-of-bounds write.


>>> Recalling from my last analysis, I think this is just an OOB read, because
>>> decode_search() is called with out being NULL to count the amount of data
>>> to be copied later. Unless this data is somehow modified the next call
>>> to decode_search() should have sufficient amount of heap allocated for
>>> the memcpy() to be correct. But the loop has an OOB read when counting
>>> the data (and later when copying it and there wasn't already a SIGSEGV).

Use CVE-2012-6699 for this loop error that results in an out-of-bounds read.


>	     case DHCP_DNSSEARCH:
>                     MIN_LENGTH (1);
> -                   free (dhcp->dnssearch);
>                     len = decode_search (p, length, NULL);
>                     if (len > 0) {
> +                           free (dhcp->dnssearch);
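
Review bot: after the moved free (dhcp->dnssearch) inside the if (len > 0) branch, the pointer needs to be reassigned or set to NULL before any step that can fail, otherwise a failed allocation leaves dhcp->dnssearch dangling for later use or a second free. The lines shown stop at the free, so check that the allocation which follows is tested and the pointer never keeps the freed address. Also, with this change a message where decode_search returns 0 keeps the previous search list instead of releasing it; confirm that retaining the old value is the intended behaviour.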

Use CVE-2012-6700 for the presence of the free call in an incorrect place.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
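
Added example, not part of the original message and not dhcpcd's code: a simplified decoder in the count-then-copy style discussed in the thread, showing the three properties the CVE IDs separate (no write before the buffer start, no read past the option, old value freed only after the new one is decoded). The names decode_names and update_search are hypothetical, and name compression is rejected rather than followed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened decoder, not dhcpcd's decode_search(). Turns
 * uncompressed RFC 1035 names into "a.b c.d". With out == NULL it only
 * returns the size needed (NUL included); 0 means empty or malformed. */
size_t decode_names(const unsigned char *p, size_t len, char *out)
{
    const unsigned char *q = p, *end = p + len;
    char *start = out;
    size_t count = 0;

    while (q < end) {
        char *name_start = out;
        for (;;) {
            if (q >= end)
                return 0;               /* name not terminated in option */
            unsigned int l = *q++;
            if (l == 0)
                break;
            if ((l & 0xc0) || (size_t)(end - q) < l)
                return 0;               /* compression, or label overruns */
            count += l + 1;             /* label plus '.', ' ' or NUL */
            if (out) {
                memcpy(out, q, l);
                out += l;
                *out++ = '.';
            }
            q += l;
        }
        if (out && out != name_start)   /* never touch out[-1] of an empty name */
            *(out - 1) = ' ';
    }
    if (out && out != start)
        *(out - 1) = '\0';
    return count;
}

/* Replace *slot only after the new value is fully decoded. */
int update_search(char **slot, const unsigned char *p, size_t len)
{
    size_t need = decode_names(p, len, NULL);
    char *buf = need ? malloc(need) : NULL;
    if (buf == NULL || decode_names(p, len, buf) != need) {
        free(buf);
        return -1;                      /* old *slot left untouched */
    }
    free(*slot);
    *slot = buf;
    return 0;
}
```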