dhcpcd: DHO_OPTIONSOVERLOADED option related issue (CVE-2014-6060)
As reported by Tobias Stoeckmann:
In function get_option, the DHO_OPTIONSOVERLOADED option checks if
there are overloaded options, like bootfile or servername. It tries to
make sure that it’s called only once, BUT overwrites that information
after receiving a DHO_END. A malicious server could set the option
DHO_OPTIONSOVERLOADED yet another time in the bootfile or servername
section, which will result in another jump — maybe into the same area.
dhcpcd-4.0.0 through 6.4.2 are vulnerable. dhcpcd-6.4.3 has been released with the above fix.
References:
CONFIRM: http://seclists.org/oss-sec/2014/q3/483
COMMIT: http://roy.marples.name/projects/dhcpcd/ci/1d2b93aa5ce25a8a710082fe2d36a6bf7f5794d5?sbs=0
(from redmine: issue id 3356, created on 2014-09-05, closed on 2014-09-24)
- Relations:
  - child #3357 (closed)
  - child #3358 (closed)
  - child #3359 (closed)
  - child #3360 (closed)
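
A bounded way to honour option overload, as an added C example (not dhcpcd's code or its patch): the overload option is read only from the main options field, and `file` and `sname` are each scanned at most once, so a repeated DHO_OPTIONSOVERLOADED inside those fields cannot cause another jump. The function names, `DHO_PAD`, the field-size constants and the sample reply are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { DHO_PAD = 0, DHO_OPTIONSOVERLOADED = 52, DHO_END = 255 };
enum { FILE_LEN = 128, SNAME_LEN = 64 };  /* BOOTP file/sname field sizes */

/* Scan one section for option `want` (last occurrence wins in this sketch).
 * `overload` is non-NULL only for the main options field, so an overload
 * option met inside file/sname is parsed but has no effect. */
static const uint8_t *scan(const uint8_t *p, size_t n, uint8_t want,
                           uint8_t *len, uint8_t *overload)
{
    const uint8_t *hit = NULL;
    for (size_t i = 0; i < n; ) {
        uint8_t code = p[i++];
        if (code == DHO_PAD) continue;
        if (code == DHO_END || i >= n) break;   /* end, or no length byte */
        uint8_t l = p[i++];
        if (l > n - i) break;                   /* value overruns section */
        if (code == DHO_OPTIONSOVERLOADED && overload && l == 1)
            *overload = p[i] & 3;
        if (code == want) { hit = p + i; *len = l; }
        i += l;
    }
    return hit;
}

/* Fixed order, each section visited at most once: nothing to re-enter. */
const uint8_t *find_option(const uint8_t *opts, size_t opts_len,
                           const uint8_t *file, const uint8_t *sname,
                           uint8_t want, uint8_t *len)
{
    uint8_t ol = 0;
    const uint8_t *h, *hit = scan(opts, opts_len, want, len, &ol);
    if ((ol & 1) && (h = scan(file, FILE_LEN, want, len, NULL))) hit = h;
    if ((ol & 2) && (h = scan(sname, SNAME_LEN, want, len, NULL))) hit = h;
    return hit;
}

/* Constructed reply: options overload `file` only; `file` repeats the
 * overload option with value 3 (itself plus `sname`). */
const uint8_t demo_opts[] = { 52, 1, 1, 255 };
const uint8_t demo_file[FILE_LEN] = { 52, 1, 3, 12, 2, 'a', 'b', 255 };
const uint8_t demo_sname[SNAME_LEN] = { 15, 1, 'x', 255 };

int demo_has(uint8_t want)   /* 1 if `want` is reachable in the demo reply */
{
    uint8_t n = 0;
    return find_option(demo_opts, sizeof demo_opts, demo_file, demo_sname, want, &n) != NULL;
}
```

Option 12 in `file` is found because the options field requested it; option 15 in `sname` is not, because only the nested overload option pointed there.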