CVE-2009-0692 (retired)

Priority
Description
Stack-based buffer overflow in the script_write_params method in
client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before
4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to
execute arbitrary code via a crafted subnet-mask option.
Assigned-to
jdstrand
Notes
jdstrandrequires connecting to a malicious dhcp v4 server. Assigning
high priority due to widespread use and frequency of roaming users connecting
to untrusted dhcp servers
CERT VU#410676
this is only a DoS on Intrepid and later due to FORTIFY_SOURCE and
can be considered 'low'. Jaunty also has an AppArmor profile that fully
mitigates arbitrary code execution.
dhcp v2 is not affected because it checks that lease -> options
[DHO_SUBNET_MASK].len < sizeof lease -> address.iabuf. address.iabuf is
the same size as netmask.iabuf. Furthermore, subnet_number() and
broadcast_addr() (further below) properly check/use the length of netmask
Package
Source: dhcp (LP Ubuntu Debian)
Upstream:needs-triage
Package
Source: dhcp3 (LP Ubuntu Debian)
Upstream:not-affected (3.1.2p1)
More Information

Updated: 2019-10-09 07:15:00 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)