dhclient and CVE-2007-0062

David W. Hankins David_Hankins at isc.org
Thu Feb 19 20:12:21 UTC 2009


I noticed today that SuSe has put out a 'security patch' for their
dhcp-3.0.6 dhclient.  Backporting the CVE-2007-0062 fix from 3.0.7
into their package.  I don't know about others.

I want to make it clear that CVE-2007-0062 contains no advisory for
the client.  There are two potential bugs fixed from a client point
of view:

If you entered a huge 'send option ...;' command in dhclient.conf,
it could crash.  The crash can not be tickled externally, it is not
a DOS, and the only code that can be executed is code you entered
yourself into dhclient.conf.

If you use the FILENAME field, the code from CVE-2007-0062 fixes the
run length of a loop that finds a NULL terminator to size a malloc to
copy the data, ultimately presenting it as an environment variable in
dhclient-script.  This loop was set to '64', rather than the #define
for the FILENAME field size, which ultimately is 128, so a value
longer than 64 could be truncated.

So your FILENAME contents might be truncated to 64 bytes, but only
if your operator actually configured a FILENAME longer than 64 bytes,
and this only matters if your dhclient-script actually uses it (I
don't know of any that do).

This is simple maintenance, a bugfix anyone would have tracked if
they'd adopted 3.0.7 final, along with a score of other bugfixes.
It might be a security issue for the /server/, but only if you had
configured enough large options in dhcpd.conf so as to permit a
client to tickle it.

I want to say that I applaud that SuSe is tracking maintenance!
Even that their base package is based on 3.0.6 is good news so far
as I am concerned; at least it isn't 3.0.1rc9!

I'm just confused at how this maintenance is being called a
security event, and I wonder what I need to change to alleviate
the need for these kinds of distribution channels to backport
rather than just adopt the latest maintenance.

-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
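The FILENAME truncation described above, reduced to its essentials as an added example (this is not ISC's code; the field widths follow the BOOTP/DHCP packet layout in RFC 2131, the macro names DHCP_SNAME_LEN and DHCP_FILE_LEN are modelled on ISC DHCP's header but are assumptions here, and the sample field contents are constructed). The scan that sizes the malloc is bounded by a caller-supplied limit, so the same routine shows both the literal 64 from the bug and the #define from the fix, and it also shows that the fixed form stays bounded when the field is fully 128 bytes with no NUL terminator:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-width fields of the BOOTP/DHCP header (RFC 2131): 'sname' is
 * 64 bytes, 'file' is 128 bytes.  The names are assumptions modelled on
 * ISC DHCP's dhcp.h; they are not copied from the project. */
#define DHCP_SNAME_LEN 64
#define DHCP_FILE_LEN  128

/* Length of a possibly unterminated fixed-width field: look for a NUL
 * but never read past 'limit' bytes. */
static size_t field_strnlen(const unsigned char *field, size_t limit)
{
    size_t n = 0;
    while (n < limit && field[n] != '\0')
        n++;
    return n;
}

/* Copy the 'file' field into a freshly malloc'd, NUL-terminated string,
 * scanning at most 'scan_limit' bytes to size the allocation.  This is
 * the shape of the routine the mail describes: the scan bound decides
 * how much of the operator's FILENAME survives.  Caller frees. */
char *copy_file_field(const unsigned char file[DHCP_FILE_LEN], size_t scan_limit)
{
    size_t n = field_strnlen(file, scan_limit);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, file, n);
    out[n] = '\0';
    return out;
}

/* The defect: the loop bound was the literal 64 (the 'sname' width),
 * so anything past byte 64 of 'file' is silently dropped. */
char *copy_file_field_buggy(const unsigned char file[DHCP_FILE_LEN])
{
    return copy_file_field(file, 64);
}

/* The fix: bound the scan by the field's own #define. */
char *copy_file_field_fixed(const unsigned char file[DHCP_FILE_LEN])
{
    return copy_file_field(file, DHCP_FILE_LEN);
}

/* Constructed sample: a FILENAME of 'configured_len' characters (capped
 * at the field width) placed in a zeroed 'file' field.  Returns the
 * length of the string dhclient-script would have seen, using either
 * the buggy or the fixed copy. */
size_t copied_length(size_t configured_len, int use_buggy)
{
    unsigned char file[DHCP_FILE_LEN];
    size_t i;

    if (configured_len > DHCP_FILE_LEN)
        configured_len = DHCP_FILE_LEN;          /* field cannot hold more */
    memset(file, 0, sizeof file);
    for (i = 0; i < configured_len; i++)
        file[i] = (unsigned char)('a' + (i % 26));   /* constructed content */

    char *copy = use_buggy ? copy_file_field_buggy(file)
                           : copy_file_field_fixed(file);
    if (copy == NULL)
        return 0;
    size_t n = strlen(copy);
    free(copy);
    return n;
}

int main(void)
{
    size_t lens[] = { 40, 100, 128 };
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("FILENAME of %3zu bytes: buggy copy keeps %3zu, fixed copy keeps %3zu\n",
               lens[k], copied_length(lens[k], 1), copied_length(lens[k], 0));
    return 0;
}
```

The point the mail makes is visible in the numbers: a FILENAME of 40 bytes is unaffected by either version, a 100-byte one is cut to 64 by the old bound and kept whole by the fixed one, and a field filled to all 128 bytes with no terminator is still read within bounds because the scan limit is the field width, not a search for a NUL that may never come.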
