Security bug in udhcp applet

Krishna Ram Prakash R krp at gtux.in
Tue Jan 1 15:58:36 UTC 2019


Hi Denys,

A gentle reminder. Did you have any chance to look into this? I tried
looking into it but, I could not determine if the parsed options could
be controlled by an attacker. If it cannot be controlled, it is not a
security issue. Otherwise, this vulnerability could still be exploited.

Regards,
KRP

On 12/20/18 5:53 PM, Krishna Ram Prakash R wrote:
> Hi Denys,
> 
> Thanks for the fix!
> 
> Wouldn't the option parsing loop in fill_envp() in dhcpc.c parse and
> load options without checking for the expected length and still result
> in out-of-bounds read? Any thoughts on that?
> 
> Thanks,
> KRP
> 
> On 12/18/18 12:17 AM, Denys Vlasenko wrote:
>> I committed a fix, see bz
>> On Mon, Dec 17, 2018 at 6:52 AM Krishna Ram Prakash R <krp at gtux.in> wrote:
>>>
>>>
>>> Hi all,
>>>
>>> I reported a security bug in udhcp applet, a few days back in busybox
>>> Bugzilla[1] as I could not find any private disclosure mailing lists.
>>> But, it is not yet assigned and there are no activities in the bug report.
>>>
>>> Just a gentle reminder to the maintainers in case it has been missed.
>>>
>>> Thanks,
>>> KRP
>>>
>>> [1] https://bugs.busybox.net/show_bug.cgi?id=11506
>>>
>>>
>>>
>>> _______________________________________________
>>> busybox mailing list
>>> busybox at busybox.net
>>> http://lists.busybox.net/mailman/listinfo/busybox
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20190101/62c2a094/attachment.asc>


More information about the busybox mailing list