CVE-2009-0692

Publication date 14 July 2009

Last updated 24 July 2024


Ubuntu priority

Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.


Status

| Package | Ubuntu Release | Status |
|---------|----------------|--------|
| dhcp | 9.04 jaunty | Not in release |
| dhcp | 8.10 intrepid | Not in release |
| dhcp | 8.04 LTS hardy | Not in release |
| dhcp | 6.06 LTS dapper | Not affected |
| dhcp3 | 9.10 karmic | Fixed 3.1.2-1ubuntu7.1 |
| dhcp3 | 9.04 jaunty | Fixed 3.1.1-5ubuntu8.2 |
| dhcp3 | 8.10 intrepid | Fixed 3.1.1-1ubuntu2.2 |
| dhcp3 | 8.04 LTS hardy | Fixed 3.0.6.dfsg-1ubuntu9.1 |
| dhcp3 | 6.06 LTS dapper | Fixed 3.0.3-6ubuntu7.1 |

Notes


jdstrand

Requires connecting to a malicious dhcp v4 server. Assigning high priority due to widespread use and frequency of roaming users connecting to untrusted dhcp servers.

CERT VU#410676

This is only a DoS on Intrepid and later due to FORTIFY_SOURCE and can be considered 'low'. Jaunty also has an AppArmor profile that fully mitigates arbitrary code execution.

dhcp v2 is not affected because it checks that lease -> options [DHO_SUBNET_MASK].len < sizeof lease -> address.iabuf. address.iabuf is the same size as netmask.iabuf. Furthermore, subnet_number() and broadcast_addr() (further below) properly check/use the length of netmask.
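The length check described in the note above, as an added example (not ISC DHCP's code and not the Ubuntu patch): a simplified model of copying a server-supplied subnet-mask option into a fixed-size address buffer, with the bounds check in the note's form and a stricter 4-byte check beside it. The struct layouts, the 16-byte buffer size and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#define IABUF_SIZE 16            /* assumed size of the fixed address buffer */

struct iaddr_model {             /* hypothetical stand-in for the client's address type */
    unsigned len;
    unsigned char iabuf[IABUF_SIZE];
};
struct option_model {            /* hypothetical stand-in for one received DHCP option */
    const unsigned char *data;
    unsigned len;                /* server-controlled length, 0..255 */
};

/* Bounds check in the form the note gives: accept only len < sizeof iabuf. */
int copy_option_bounded(struct iaddr_model *dst, const struct option_model *opt)
{
    if (!dst || !opt || !opt->data || opt->len >= sizeof dst->iabuf)
        return -1;               /* reject before any byte is copied */
    memcpy(dst->iabuf, opt->data, opt->len);
    dst->len = opt->len;
    return 0;
}

/* Stricter semantic check: an IPv4 subnet mask (RFC 2132 option 1) is 4 bytes. */
int copy_ipv4_netmask(struct iaddr_model *dst, const struct option_model *opt)
{
    return (opt && opt->len == 4) ? copy_option_bounded(dst, opt) : -1;
}

/* Build a constructed option of `len` bytes and report what each check does.
   Returns 2 if both accept, 1 if only the bounds check accepts, 0 if both reject. */
int run_case(unsigned len)
{
    unsigned char wire[255];     /* constructed sample data, not a captured packet */
    struct iaddr_model a = { 0, {0} }, b = { 0, {0} };
    struct option_model opt = { wire, len };
    if (len > sizeof wire) return 0;
    memset(wire, 0xff, sizeof wire);
    int bounded = copy_option_bounded(&a, &opt) == 0 && a.len == len;
    int strict = copy_ipv4_netmask(&b, &opt) == 0 && b.len == 4;
    return bounded + strict;
}

int main(void)
{
    unsigned lens[] = { 4, 15, 16, 64 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%u -> %d\n", lens[i], run_case(lens[i]));
    return 0;
}
```

Both checks reject the option before `memcpy` runs, so an oversized length never reaches the fixed buffer; the strict variant additionally refuses lengths that fit the buffer but are not a valid IPv4 mask.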
