CVE-2009-0692

Published: 14 July 2009

Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.

Notes

Author: jdstrand

requires connecting to a malicious dhcp v4 server. Assigning high priority due to widespread use and frequency of roaming users connecting to untrusted dhcp servers

CERT VU#410676

this is only a DoS on Intrepid and later due to FORTIFY_SOURCE and can be considered 'low'. Jaunty also has an AppArmor profile that fully mitigates arbitrary code execution.

dhcp v2 is not affected because it checks that lease->options[DHO_SUBNET_MASK].len < sizeof lease->address.iabuf. address.iabuf is the same size as netmask.iabuf. Furthermore, subnet_number() and broadcast_addr() (further below) properly check/use the length of netmask
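
Added example (not code from this advisory or from ISC DHCP): a small DHCP option walker that applies the kind of length check the note above describes before copying a subnet-mask option into a fixed-size address buffer. The struct layout, the function name get_subnet_mask and the sample option bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHO_PAD          0
#define DHO_SUBNET_MASK  1    /* RFC 2132 option codes */
#define DHO_END          255

/* Assumed model of an address buffer: a length plus 16 bytes of storage. */
struct iaddr { unsigned len; unsigned char iabuf[16]; };

/* Constructed sample option fields (code, length, value...). */
static const uint8_t ok_opts[]    = {53, 1, 5, DHO_SUBNET_MASK, 4, 255, 255, 255, 0, DHO_END};
static const uint8_t big_opts[35] = {DHO_SUBNET_MASK, 32};          /* 32-byte "mask" */
static const uint8_t cut_opts[]   = {DHO_SUBNET_MASK, 4, 255, 255}; /* value truncated */

/* Walk the options and copy the subnet mask into *mask.
 * Returns 0 on success, -1 if it is missing, truncated or too long. */
int get_subnet_mask(const uint8_t *opts, size_t n, struct iaddr *mask)
{
    size_t i = 0;
    while (i < n) {
        uint8_t code = opts[i++];
        if (code == DHO_PAD) continue;
        if (code == DHO_END) break;
        if (i >= n) return -1;              /* length byte missing */
        uint8_t len = opts[i++];
        if (len > n - i) return -1;         /* value runs past the packet */
        if (code == DHO_SUBNET_MASK) {
            if (len > sizeof mask->iabuf)   /* sender-supplied length vs. fixed buffer */
                return -1;
            memcpy(mask->iabuf, opts + i, len);
            mask->len = len;
            return 0;
        }
        i += len;
    }
    return -1;
}

int main(void)
{
    struct iaddr m;
    printf("valid:     %d\n", get_subnet_mask(ok_opts, sizeof ok_opts, &m));
    printf("oversized: %d\n", get_subnet_mask(big_opts, sizeof big_opts, &m));
    printf("truncated: %d\n", get_subnet_mask(cut_opts, sizeof cut_opts, &m));
    return 0;
}
```

The oversized and truncated inputs are rejected before any copy, so the destination buffer is never written with a sender-chosen length.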

Priority

High

Status

Package  Release   Status
dhcp3    upstream  Not vulnerable (3.1.2p1)
dhcp3    dapper    Released (3.0.3-6ubuntu7.1)
dhcp3    hardy     Released (3.0.6.dfsg-1ubuntu9.1)
dhcp3    intrepid  Released (3.1.1-1ubuntu2.2)
dhcp3    jaunty    Released (3.1.1-5ubuntu8.2)
dhcp3    karmic    Released (3.1.2-1ubuntu7.1)
dhcp     upstream  Needs triage
dhcp     dapper    Not vulnerable
dhcp     hardy     Does not exist
dhcp     intrepid  Does not exist
dhcp     jaunty    Does not exist