Bug 30942 - dhcp new security issues CVE-2022-292[89]
Summary: dhcp new security issues CVE-2022-292[89]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-10-06 13:46 CEST by David Walser
Modified: 2022-10-19 01:16 CEST

See Also:
Source RPM: dhcp-4.4.2-10.1.mga8.src.rpm
CVE: CVE-2022-2928, CVE-2022-2929
Status comment:


Description David Walser 2022-10-06 13:46:03 CEST
ISC has issued advisories on October 5:
https://kb.isc.org/docs/cve-2022-2928
https://kb.isc.org/docs/cve-2022-2929

The issues are fixed upstream in 4.4.3-P1, and there are patches available:
https://www.openwall.com/lists/oss-security/2022/10/05/1
David Walser 2022-10-06 14:23:11 CEST

Status comment: (none) => Fixed upstream in 4.4.3-P1

Comment 1 David Walser 2022-10-06 14:32:44 CEST
Ubuntu has issued an advisory for this on October 5:
https://ubuntu.com/security/notices/USN-5658-1
Comment 2 Lewis Smith 2022-10-06 21:22:16 CEST
David has already put the new version in Cauldron.
Note that this is for M8, and bug 30938 is about dropping dhcp from M9.

Assigning globally as no particular packager evident.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2022-10-07 08:58:02 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort. (CVE-2022-2928)

In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory. (CVE-2022-2929)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2929
https://kb.isc.org/docs/cve-2022-2928
https://kb.isc.org/docs/cve-2022-2929
https://www.openwall.com/lists/oss-security/2022/10/05/1
https://ubuntu.com/security/notices/USN-5658-1
========================

Updated packages in core/updates_testing:
========================
dhcp-client-4.4.2-10.2.mga8
dhcp-common-4.4.2-10.2.mga8
dhcp-devel-4.4.2-10.2.mga8
dhcp-doc-4.4.2-10.2.mga8
dhcp-relay-4.4.2-10.2.mga8
dhcp-server-4.4.2-10.2.mga8

from SRPM:
dhcp-4.4.2-10.2.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 4.4.3-P1 => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-2928, CVE-2022-2929
Status: NEW => ASSIGNED
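
Added example (not part of the original comment and not ISC's source): a simplified C model of the CVE-2022-2928 reference leak described in the advisory above, with the unpaired lookup beside the paired one. opt_lookup() and opt_deref() are hypothetical stand-ins for option_code_hash_lookup() and option_dereference(), and the limit of 1000 is a constructed stand-in for the counter's maximum so the run finishes instantly.

```c
#include <stdio.h>

/* Simplified model of a reference-counted option definition (not ISC source). */
struct option { const char *name; int refcnt; };

/* Models a hash lookup that hands the caller a new reference. Returns 0 when
   the counter cannot grow further, standing in for the abort in the advisory. */
static int opt_lookup(struct option **out, struct option *def, int limit) {
    if (def->refcnt >= limit) return 0;
    def->refcnt++; *out = def;
    return 1;
}
/* Releases a reference obtained from opt_lookup(). */
static void opt_deref(struct option **ref) { (*ref)->refcnt--; *ref = NULL; }

/* Pre-fix shape: the reference is taken and never released. */
static int add_option_leaky(struct option *def, int limit) {
    struct option *o = NULL;
    return opt_lookup(&o, def, limit);   /* no matching opt_deref(&o) */
}

/* Post-fix shape: every lookup is paired with a dereference. */
static int add_option_fixed(struct option *def, int limit) {
    struct option *o = NULL;
    if (!opt_lookup(&o, def, limit)) return 0;
    opt_deref(&o);                       /* reply data was copied; drop our ref */
    return 1;
}

/* Builds `replies` lease query responses, each adding `per_reply` options.
   Returns the 1-based reply that hit the limit, or 0 if all were built. */
long simulate(int (*add)(struct option *, int), long replies, int per_reply,
              int limit, int *final_refcnt) {
    struct option def = { "constructed-option", 1 };
    long failed = 0;
    for (long r = 1; r <= replies && !failed; r++)
        for (int i = 0; i < per_reply; i++)
            if (!add(&def, limit)) { failed = r; break; }
    *final_refcnt = def.refcnt;
    return failed;
}

int main(void) {
    int rc;
    long at = simulate(add_option_leaky, 1000, 4, 1000, &rc);
    printf("leaky: limit hit at reply %ld, refcnt=%d\n", at, rc);
    at = simulate(add_option_fixed, 1000, 4, 1000, &rc);
    printf("fixed: limit hit at reply %ld (0 = never), refcnt=%d\n", at, rc);
    return 0;
}
```

In the leaky variant the count grows by one per option added and never returns to its starting value, so the number of replies a server survives depends only on how many lease queries it has answered since start.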

Comment 4 Mauricio Andrés Bustamante Viveros 2022-10-08 00:14:05 CEST
Installed over a working DHCPD server in the MGA8 VM

● dhcpd.service - DHCPv4 Server Daemon
     Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-10-07 16:51:43 -05; 20min ago
       Docs: man:dhcpd(8)
             man:dhcpd.conf(5)
   Main PID: 2197 (dhcpd)
     Status: "Dispatching packets..."
      Tasks: 1 (limit: 4796)
        CPU: 47ms
     CGroup: /system.slice/dhcpd.service
             └─2197 /usr/sbin/dhcpd -f -cf /etc/dhcpd.conf -lf /var/lib/dhcpd/dhcpd.leases -user dhcpd -group dhcpd --no-pid -q

oct 07 16:51:42 controldeacceso dhcpd[2197]: Wrote 1 leases to leases file.
oct 07 16:51:43 controldeacceso dhcpd[2197]: 
oct 07 16:51:43 controldeacceso dhcpd[2197]: No subnet declaration for enp0s3 (192.168.0.7).
oct 07 16:51:43 controldeacceso dhcpd[2197]: ** Ignoring requests on enp0s3.  If this is not what
oct 07 16:51:43 controldeacceso systemd[1]: Started DHCPv4 Server Daemon.
oct 07 16:51:43 controldeacceso dhcpd[2197]:    you want, please write a subnet declaration
oct 07 16:51:43 controldeacceso dhcpd[2197]:    in your dhcpd.conf file for the network segment
oct 07 16:51:43 controldeacceso dhcpd[2197]:    to which interface enp0s3 is attached. **
oct 07 16:51:43 controldeacceso dhcpd[2197]: 
oct 07 16:51:43 controldeacceso dhcpd[2197]: Server starting service.


The no subnet declaration is normal because I am not serving DHCP requests over that interface

Working for my setup

CC: (none) => neoser10

Comment 5 Thomas Andrews 2022-10-13 21:52:46 CEST
Mauricio, with most update candidates, if you are satisfied with a test you have done, you can put "MGA8-64-OK" or "MGA8-32-OK" (whichever is appropriate) in the Whiteboard box near the top of this page. Exceptions are for updates that should be tested on a wide range of hardware, like kernels.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2022-10-15 16:06:30 CEST
OKing and validating, based on Comment 4. Advisory in Comment 3.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2022-10-18 23:34:19 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-10-19 01:16:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0374.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

