Bug 9547 - dhcp new security issue CVE-2013-2494
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Reported: 2013-03-26 23:47 CET by David Walser
Modified: 2013-04-04 23:25 CEST
Source RPM: dhcp
Description David Walser 2013-03-26 23:47:07 CET
DHCP 4.2.5-P1 has been released to fix CVE-2013-2494:
https://kb.isc.org/article/AA-00880

Comment 1 Oden Eriksson 2013-03-28 09:27:26 CET
After looking at this a bit, these are the changes between 4.2.5 and 4.2.5-P1:

--- bind-9.8.4-P1/config.h.in   2012-10-26 06:52:55.000000000 +0200
+++ bind-9.8.4-P2/config.h.in   2013-03-06 17:57:05.000000000 +0100
@@ -286,9 +286,6 @@ int sigwait(const unsigned int *set, int
 /* Define if your OpenSSL version supports GOST. */
 #undef HAVE_OPENSSL_GOST

-/* Define to 1 if you have the <regex.h> header file. */
-#undef HAVE_REGEX_H
-
 /* Define to 1 if you have the `setegid' function. */
 #undef HAVE_SETEGID

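Review bot: The template removed at lines 289-291 of the old config.h.in leaves `HAVE_REGEX_H` permanently undefined, so any source still guarded by `#ifdef HAVE_REGEX_H` silently falls through to its non-regex branch; a grep of the tree for remaining uses would confirm that is intended everywhere. config.h.in is normally regenerated by autoheader from configure.in, so this hunk should be the output of the configure.in change rather than a hand edit. The paths are bind-9.8.4-P1 and bind-9.8.4-P2, so the diff covers the bundled BIND tree rather than the dhcp sources themselves, which is worth stating next to the diff.
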
--- bind-9.8.4-P1/configure.in  2012-10-26 06:52:55.000000000 +0200
+++ bind-9.8.4-P2/configure.in  2013-03-06 17:57:05.000000000 +0100
@@ -298,7 +298,7 @@ esac

 AC_HEADER_STDC

-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
 [$ac_includes_default
 #ifdef HAVE_SYS_PARAM_H
 # include <sys/param.h>
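Review bot: Dropping `regex.h` from `AC_CHECK_HEADERS` at configure.in line 301 means `HAVE_REGEX_H` is never defined on any platform, yet nothing in the hunk records why. A short comment above the macro tying the removal to the security fix in this release (CVE-2013-2494 per this bug) would keep the header check from being re-added later. Only configure.in is shown, so the generated configure script has to be regenerated or patched as well for the change to take effect.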
Comment 2 Oden Eriksson 2013-03-28 09:33:21 CET
Additionally there is a bogus BR in the dhcp.spec file:

BuildRequires:  bind-devel

This is not necessary as the bundled bind tarball is extracted, built and used for certain functions in the dhcp codebase.

FYI. Fedora has fixed this by using their bind-libs-devel (or what it's called), not sure if their dhcp uses a shared bind library though, if not pretty useless...
Comment 3 Oden Eriksson 2013-03-28 10:01:16 CET
4.2.5-P1 has been submitted to mga2/updates_testing
Comment 4 Oden Eriksson 2013-03-28 13:16:55 CET
4.2.5-P1 has been submitted to cauldron.
Comment 5 David Walser 2013-03-28 13:30:06 CET
Assigning to QA.

Advisory:
========================

Updated dhcp packages fix security vulnerability:

Exploitation of a memory exhaustion bug in libdns is theoretically possible in
ISC DHCP before 4.2.5-P1, which uses the library from BIND 9 for Dynamic DNS.
Servers which are targeted by a successful attack will exhaust all memory
available to the server process, which is likely to crash the DHCP server and
may affect other processes running on the same physical machine when system
memory is exhausted (CVE-2013-2494).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2494
https://kb.isc.org/article/AA-00880
https://kb.isc.org/article/AA-00891
========================

Updated packages in core/updates_testing:
========================
dhcp-common-4.2.5P1-1.mga2
dhcp-doc-4.2.5P1-1.mga2
dhcp-server-4.2.5P1-1.mga2
dhcp-client-4.2.5P1-1.mga2
dhcp-relay-4.2.5P1-1.mga2
dhcp-devel-4.2.5P1-1.mga2

from dhcp-4.2.5P1-1.mga2.src.rpm
Comment 6 Bill Wilkinson 2013-03-28 14:45:26 CET
CVE at mitre.org is just a placeholder.  Nothing found on securityfocus.
Comment 7 Dave Hodgins 2013-04-04 22:44:02 CEST
Testing complete on Mageia 2 i586 and x86_64.
Tested using the procedure from
https://bugs.mageia.org/show_bug.cgi?id=4514#c9

Could someone from the sysadmin team push the srpm
dhcp-4.2.5P1-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated dhcp packages fix security vulnerability:

Exploitation of a memory exhaustion bug in libdns is theoretically possible in
ISC DHCP before 4.2.5-P1, which uses the library from BIND 9 for Dynamic DNS.
Servers which are targeted by a successful attack will exhaust all memory
available to the server process, which is likely to crash the DHCP server and
may affect other processes running on the same physical machine when system
memory is exhausted (CVE-2013-2494).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2494
https://kb.isc.org/article/AA-00880
https://kb.isc.org/article/AA-00891

https://bugs.mageia.org/show_bug.cgi?id=9547
Comment 8 Thomas Backlund 2013-04-04 23:25:30 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0106
