Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201606-07 ] dhcpcd: Multiple vulnerabilities
Date: Sat, 18 Jun 2016 16:28:48
Message-Id: 1105dbac-720a-ad77-b426-1cb6f6b0796d@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201606-07
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: dhcpcd: Multiple vulnerabilities
9 Date: June 18, 2016
10 Bugs: #571152
11 ID: 201606-07
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in dhcpcd allowing remote
19 attackers to possibly execute arbitrary code or cause a Denial of
20 Service.
21
22 Background
23 ==========
24
25 A fully featured, yet light weight RFC2131 compliant DHCP client
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 net-misc/dhcpcd < 6.10.0 >= 6.10.0
34
35 Description
36 ===========
37
38 A heap overflow can be trigged via malformed DHCP responses in the
39 print_option (via dhcp_envoption1) due to incorrect option length
40 values. These vulnerabilities could also allow remote attackers to
41 trigger an invalid read/crash via malformed DHCP responses.
42
43 Impact
44 ======
45
46 Remote attackers could possibly execute arbitrary code with the
47 privileges of the process or cause Denial of Service.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All dhcpcd users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=net-misc/dhcpcd-6.10.0”
61
62 References
63 ==========
64
65 [ 1 ] CVE-2016-1503
66 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1503
67 [ 2 ] CVE-2016-1504
68 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1504
69
70 Availability
71 ============
72
73 This GLSA and any updates to it are available for viewing at
74 the Gentoo Security Website:
75
76 https://security.gentoo.org/glsa/201606-07
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users' machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 https://bugs.gentoo.org.
86
87 License
88 =======
89
90 Copyright 2016 Gentoo Foundation, Inc; referenced text
91 belongs to its owner(s).
92
93 The contents of this document are licensed under the
94 Creative Commons - Attribution / Share Alike license.
95
96 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature