dhcp losing its syslog socket

David W. Hankins David_Hankins at isc.org
Mon Aug 28 15:08:08 UTC 2006

On Sun, Aug 27, 2006 at 10:23:19PM -0500, John Hascall wrote:
> Has anyone else seen dhcpd (running 3.0.1rc13 here)


                        Changes since 3.0.1rc13

! CAN-2004-0460 - CERT VU#317350: Five stack overflow exploits were closed
  in logging messages with excessively long hostnames provided by the
  clients.  It is highly probable that these could have been used by
  attackers to gain arbitrary root access on systems using ISC DHCP 3.0.1
  release candidates 12 or 13.  Special thanks to Gregory Duchemin for
  both finding and solving the problem.

! CAN-2004-0461 - CERT VU#654390: Once the above was closed, an opening
  in log_*() functions was evidented, on some specific platforms where
  vsnprintf() was not believed to be available and calls were wrapped to
  sprintf() instead.  Again, credit goes to Gregory Duchemin for finding
  the problem.  Calls to snprintf() are now linked to a distribution-local
  snprintf implementation, only in those cases where the architecture is
  not known to provide one (see includes/cf/[arch].h).  If you experience
  linking problems with snprintf/vsnprintf or 'isc_print_' functions, this
  is where to look.  This vulnerability did not exist in any previously
  published version of ISC DHCP.

Upgrade to 3.0.4 minimally.  I wouldn't mind more eyeballs on
3.0.5rc1, or better yet wait a few days and try 3.0.5rc2 when I
announce it soon.

ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DDNS & DHCP.  Email training at isc.org.
David W. Hankins	"If you don't do it right the first time,
Software Engineer		you'll just have to do it again."
Internet Systems Consortium, Inc.	-- Jack T. Hankins
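
The release notes quoted above describe log calls that fell back to unbounded sprintf() on platforms thought to lack vsnprintf(). The C sketch below is an added example, not ISC DHCP source: it shows a log formatter that keeps the bound and reports truncation. The names format_log, log_host_of_len and g_line, the 64-byte buffer and the sample hostname are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64 /* assumed size, small so the sample overflows it */
/* Weak pattern the notes describe: where vsnprintf() is assumed missing, a
 * wrapper like  #define vsnprintf(b, size, f, ap) vsprintf(b, f, ap)
 * silently drops the bound, so a long hostname runs past the buffer. */

/* Bounded formatter (hypothetical name). Returns 0 if the message fit,
 * 1 if it was truncated, -1 on error. out is always NUL-terminated. */
static int format_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (out == NULL || outlen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= outlen) {
        if (outlen > 4) /* make the truncation visible in the log line */
            memcpy(out + outlen - 4, "...", 4);
        return 1;
    }
    return 0;
}

static char g_line[LOG_BUF_SIZE];
/* Constructed input: a hostname of n 'a' bytes, as a client might send. */
static int log_host_of_len(size_t n)
{
    static char host[512];
    if (n >= sizeof host)
        n = sizeof host - 1;
    memset(host, 'a', n);
    host[n] = '\0';
    return format_log(g_line, sizeof g_line, "client hostname: %s", host);
}

int main(void)
{
    printf("rc=%d line=\"%s\"\n", log_host_of_len(300), g_line);
    return 0;
}
```

A return value of 1 is worth counting or alerting on: oversized client-supplied fields in a log path are unusual in normal operation.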
