Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue,  1 Dec 2015 23:58:47 -0500 (EST)
From: cve-assign@...re.org
To: seth.arnold@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, guidovranken@...il.com
Subject: Re: CVE Request: dhcpcd 3.x, potentially other versions too

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Guido included a patch along with AFL-discovered inputs to trigger the
> issues:
> 
> https://launchpadlibrarian.net/228152582/dhcp.c.patch
> 
> Roy Marples has already addressed these issues in upstream dhcpcd
> packages; I believe these issues may require 2012-era CVE identifiers:
> 
> http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
> 
> I believe this represents three distinct flaws: out of bounds reads beyond
> the end of the supplied packet, out of bounds write before the start of
> the 'out' parameter, and a use-after-free.

MITRE will assign CVE IDs. Do the above references mean that most of
the changed code lines in dhcp.c.patch correspond to out-of-bounds
reads shown in the
http://roy.marples.name/projects/dhcpcd/fdiff?sbs=1&v1=63689c50411b0920&v2=dad877391ea5b128
diff, the change from "(l = *q++)" to "(l = *q++) && q - p < len"
corresponds to an out-of-bounds write, the deletion of "free
(dhcp->dnssearch)" corresponds to a use-after-free, and nothing else
in the 2012 part of the http://roy.marples.name reference is a new
vulnerability? (This is just a guess.)

The reason we're asking this and not immediately sending three CVE IDs
is that someone at MITRE will ultimately use, or at least consider
using, both https://launchpadlibrarian.net/228152582/dhcp.c.patch and
http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
to describe what the CVEs mean. If there's already information about
the equivalences between these references, that will make this process
easier, and also further confirm that three IDs is the right number.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWXnlaAAoJEL54rhJi8gl5Q/0QAJzOV3xnzo16eq+p9b8MJSC1
ZLSo7294EIeH1CzEDI4oQ2xS131awBKe8vBZl3zkp/LAaRyX6RJlIaaryAXKY6/v
UleGiE/PoEewBUzrP1CkavScF+u8u/xq3lhSWA21v7p5QQrTal90S/aOxkEErNNJ
OEnS8PEFBJLq3bI5K/jlUz0rlc3WA1yjIMws0rRjPwqJ+ZvHMKhfXRG8/pYgIyYi
UEvVF4IBZ015GQVuomkidtPJFB2R3a9YkAT2Kv7HER0Ub071uLU/J2+HeOV79KBu
Dg36gKbJDgXXBLP/UombCVgXZWURwPH/tUg62Ilq8J9GSJAaHuLStjdWXMwhFyJJ
bVTX6BJ5pM9qkZ3V0alTBBILVvqBNR6Pc/uMIsxVF38nr3aa2daUUXhAaMvKLgE0
1X+5oAvQE3GHn6i2aLCBziKNMx3y5n5kNdDfcmzEPSWnciOAcmWDxXjgh6I2X51r
/KmD/An5wkriQqCbzGAzB5lUw/OIYN5YrJIpkvJNC5aCWZOT/e7W1eswEvf0falx
Q1ZRmDU5HulEtyA5mKGenaNWfxs5BsDwhwwkTEvn9+Gi4gx9LoyNeGDTg7THzcdB
vOKOldjBEEgmr4Z5bFJulCMa38SZUw2Idiv2CR30i/YGFYZX2L8s1NOuG9W3J7YK
r8NaHJ5vFJeH+sNqOhZf
=jJ31
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.