Re: Re: CVE Request: dhcpcd 3.x, potentially other versions too

[Seth Arnold <seth.arnold () canonical com>]

On Tue, Dec 01, 2015 at 11:58:47PM -0500, cve-assign () mitre org wrote:
> MITRE will assign CVE IDs. Do the above references mean that most of
> the changed code lines in dhcp.c.patch correspond to out-of-bounds
> reads shown in the
> http://roy.marples.name/projects/dhcpcd/fdiff?sbs=1&v1=63689c50411b0920&v2=dad877391ea5b128
> diff,

I had expected this part of the diff to address the out-of-bounds writes:

                if (out && out != start)
                        *(out - 1) = ' ';

> the change from "(l = *q++)" to "(l = *q++) && q - p < len"
> corresponds to an out-of-bounds write,

I must confess that I skimmed the protected code block quickly when coming
to the conclusion that this was out-of-bounds reads -- it's intricate and
involved and the q - p < len check looked correct. But the memcpy(out,...)
call does look like it'd also perform out-of-bounds writes.

> the deletion of "free
> (dhcp->dnssearch)" corresponds to a use-after-free, and nothing else
> in the 2012 part of the http://roy.marples.name reference is a new
> vulnerability? (This is just a guess.)

I should point out that it's my summary that it's a use-after-free --
Guido said in his report that it is a double-free.

> The reason we're asking this and not immediately sending three CVE IDs
> is that someone at MITRE will ultimately use, or at least consider
> using, both https://launchpadlibrarian.net/228152582/dhcp.c.patch and
> http://roy.marples.name/projects/dhcpcd/finfo?name=dhcp.c&ci=27a92c6a825d6e74
> to describe what the CVEs mean. If there's already information about
> the equivalences between these references, that will make this process
> easier, and also further confirm that three IDs is the right number.

I'm afraid the MITRE crew has a more difficult task than we do.

Thanks

Attachment: signature.asc
Description: Digital signature