CVE-2009-0692
Published: 14 July 2009
Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
Notes
Author | Note |
---|---|
jdstrand | requires connecting to a malicious dhcp v4 server. Assigning high priority due to widespread use and frequency of roaming users connecting to untrusted dhcp servers CERT VU#410676 this is only a DoS on Intrepid and later due to FORTIFY_SOURCE and can be considered 'low'. Jaunty also has an AppArmor profile that fully mitigates arbitrary code execution. dhcp v2 is not affected because it checks that lease -> options [DHO_SUBNET_MASK].len < sizeof lease -> address.iabuf. address.iabuf is the same size as netmask.iabuf. Furthermore, subnet_number() and broadcast_addr() (further below) properly check/use the length of netmask |
Priority
Status
Package | Release | Status |
---|---|---|
dhcp3 Launchpad, Ubuntu, Debian |
upstream |
Not vulnerable
(3.1.2p1)
|
dapper |
Released
(3.0.3-6ubuntu7.1)
|
|
hardy |
Released
(3.0.6.dfsg-1ubuntu9.1)
|
|
intrepid |
Released
(3.1.1-1ubuntu2.2)
|
|
jaunty |
Released
(3.1.1-5ubuntu8.2)
|
|
karmic |
Released
(3.1.2-1ubuntu7.1)
|
|
dhcp Launchpad, Ubuntu, Debian |
upstream |
Needs triage
|
dapper |
Not vulnerable
|
|
hardy |
Does not exist
|
|
intrepid |
Does not exist
|
|
jaunty |
Does not exist
|