dhclient and CVE-2007-0062

David W. Hankins David_Hankins at isc.org
Thu Feb 19 20:12:21 UTC 2009

I noticed today that SuSe has put out a 'security patch' for their
dhcp-3.0.6 dhclient.  Backporting the CVE-2007-0062 fix from 3.0.7
into their package.  I don't know about others.

I want to make it clear that CVE-2007-0062 contains no advisory for
the client.  There are two potential bugs fixed from a client point
of view:

If you entered a huge 'send option ...;' command in dhclient.conf,
it could crash.  The crash cannot be tickled externally, it is not
a DoS, and the only code that can be executed is code you entered
yourself into dhclient.conf.

If you use the FILENAME field, the code from CVE-2007-0062 fixes the
run length of a loop that finds a NULL terminator to size a malloc to
copy the data, ultimately presenting it as an environment variable in
dhclient-script.  This loop was set to '64', rather than the #define
for the FILENAME field size, which ultimately is 128, so a value
longer than 64 could be truncated.

So your FILENAME contents might be truncated to 64 bytes, but only
if your operator actually configured a FILENAME longer than 64 bytes,
and this only matters if your dhclient-script actually uses it (I
don't know of any that do).

This is simple maintenance, a bugfix anyone would have tracked if
they'd adopted 3.0.7 final, along with a score of other bugfixes.
It might be a security issue for the /server/, but only if you had
configured enough large options in dhcpd.conf so as to permit a
client to tickle it.

I want to say that I applaud that SuSe is tracking maintenance!
Even that their base package is based on 3.0.6 is good news so far
as I am concerned; at least it isn't 3.0.1rc9!

I'm just confused at how this maintenance is being called a
security event, and I wonder what I need to change to alleviate
the need for these kinds of distribution channels to backport
rather than just adopt the latest maintenance.

David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
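The FILENAME truncation described in the message above, reconstructed as an added example; this is not ISC's dhclient code and the function names (copy_field, surviving_bytes, and so on) are hypothetical. What it assumes from the message and from RFC 2131 is only the field geometry: the BOOTP 'sname' field is 64 octets, the 'file' field is 128 octets, and neither is guaranteed to carry a NUL terminator, so the scan for one must be bounded by the field's own size. A scan bounded at 64 when the field is 128 silently drops anything past byte 64 before the value is copied and exported to the script; it does not overrun anything, which is why this is a truncation bug rather than an externally triggerable memory-safety issue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-width BOOTP/DHCP header fields (RFC 2131): 'sname' is 64 octets,
 * 'file' is 128 octets.  Neither is guaranteed to be NUL-terminated. */
#define DHCP_SNAME_LEN 64
#define DHCP_FILE_LEN  128

/* Length of a fixed-width field: bytes before the first NUL, scanning at
 * most 'bound' bytes so an unterminated field is never read past its end. */
static size_t field_len(const unsigned char *field, size_t bound)
{
    size_t n = 0;
    while (n < bound && field[n] != '\0')
        n++;
    return n;
}

/* Copy a fixed-width field into a fresh NUL-terminated string, as it would
 * be handed to a script through an environment variable.  Caller frees. */
char *copy_field(const unsigned char *field, size_t bound)
{
    size_t n = field_len(field, bound);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, field, n);
    out[n] = '\0';
    return out;
}

/* The two behaviours the message contrasts: a loop bound hard-coded to 64
 * (the sname size) versus the #define for the file field (128). */
char *file_field_truncating(const unsigned char *file)
{
    return copy_field(file, 64);              /* wrong: sname-sized bound */
}

char *file_field_fixed(const unsigned char *file)
{
    return copy_field(file, DHCP_FILE_LEN);   /* right: file-sized bound */
}

/* Constructed sample input: a 128-byte file field holding a boot path of
 * 'path_len' characters.  With path_len == 128 there is no NUL at all,
 * which RFC 2131 permits and which the bounded scan must tolerate. */
void make_file_field(unsigned char *file, size_t path_len)
{
    memset(file, 0, DHCP_FILE_LEN);
    if (path_len > DHCP_FILE_LEN)
        path_len = DHCP_FILE_LEN;
    for (size_t i = 0; i < path_len; i++)
        file[i] = (unsigned char)('a' + (i % 26));
}

/* Build a field holding a path_len-character path and report how many
 * bytes survive a copy whose NUL scan is limited to 'bound' bytes. */
size_t surviving_bytes(size_t path_len, size_t bound)
{
    unsigned char file[DHCP_FILE_LEN];
    make_file_field(file, path_len);
    char *s = copy_field(file, bound);
    if (s == NULL)
        return 0;
    size_t n = strlen(s);
    free(s);
    return n;
}

int main(void)
{
    unsigned char file[DHCP_FILE_LEN];
    make_file_field(file, 100);

    char *t = file_field_truncating(file);
    char *f = file_field_fixed(file);
    printf("100-byte path, bound 64 : %zu bytes reach the script\n", strlen(t));
    printf("100-byte path, bound 128: %zu bytes reach the script\n", strlen(f));
    free(t);
    free(f);
    return 0;
}
```

Paths of 64 bytes or fewer come through both versions intact, which is why an operator would only notice the bug with an unusually long boot filename and a dhclient-script that actually reads it.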