Security bug in udhcp applet

Krishna Ram Prakash R krp at
Tue Jan 1 15:58:36 UTC 2019

Hi Denys,

A gentle reminder. Did you have any chance to look into this? I tried
looking into it, but I could not determine if the parsed options could
be controlled by an attacker. If it cannot be controlled, it is not a
security issue. Otherwise, this vulnerability could still be exploited.


On 12/20/18 5:53 PM, Krishna Ram Prakash R wrote:
> Hi Denys,
> Thanks for the fix!
> Wouldn't the option parsing loop in fill_envp() in dhcpc.c parse and
> load options without checking for the expected length and still result
> in an out-of-bounds read? Any thoughts on that?
> Thanks,
> On 12/18/18 12:17 AM, Denys Vlasenko wrote:
>> I committed a fix, see bz
>> On Mon, Dec 17, 2018 at 6:52 AM Krishna Ram Prakash R <krp at> wrote:
>>> Hi all,
>>> I reported a security bug in the udhcp applet a few days back in the busybox
>>> Bugzilla[1], as I could not find any private disclosure mailing list.
>>> But it is not yet assigned and there is no activity in the bug report.
>>> Just a gentle reminder to the maintainers in case it has been missed.
>>> Thanks,
>>> KRP
>>> [1]
>>> _______________________________________________
>>> busybox mailing list
>>> busybox at
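
The length check raised in the quoted question, as an added example that is not part of the thread and is not BusyBox code: a stand-alone validator for a DHCP options buffer that rejects an option whose length byte overruns the buffer or differs from the fixed size RFC 2132 gives that option. The function names, the four-entry length table, the strict END requirement and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed data lengths from RFC 2132 for a few options; 0 means variable length. */
static size_t expected_len(uint8_t code)
{
    switch (code) {
    case 1:  return 4; /* subnet mask */
    case 51: return 4; /* IP address lease time */
    case 53: return 1; /* DHCP message type */
    case 54: return 4; /* server identifier */
    default: return 0;
    }
}

/* Hypothetical validator: number of well-formed options, or -1 if malformed. */
static int validate_options(const uint8_t *buf, size_t size)
{
    size_t i = 0;
    int count = 0;

    while (i < size) {
        uint8_t code = buf[i];
        if (code == 0) { i++; continue; }          /* PAD has no length byte */
        if (code == 255) return count;             /* END */
        if (size - i < 2) return -1;               /* no room for the length byte */
        size_t len = buf[i + 1];
        if (len > size - i - 2) return -1;         /* data would run past the buffer */
        size_t want = expected_len(code);
        if (want != 0 && len != want) return -1;   /* a consumer would read `want` bytes */
        count++;
        i += 2 + len;
    }
    return -1; /* strict policy of this example: END must be present */
}

/* Constructed sample buffers (not captured traffic). */
static const uint8_t good_opts[]  = { 53, 1, 5, 1, 4, 255, 255, 255, 0, 51, 4, 0, 0, 14, 16, 255 };
static const uint8_t short_mask[] = { 53, 1, 5, 1, 1, 255, 255 };   /* subnet mask, len 1 */
static const uint8_t overrun[]    = { 53, 1, 5, 12, 200, 'a', 255 }; /* len 200, 2 bytes left */

int main(void)
{
    printf("%d %d %d\n", validate_options(good_opts, sizeof good_opts),
           validate_options(short_mask, sizeof short_mask),
           validate_options(overrun, sizeof overrun));
    return 0;
}
```

The `short_mask` case is the one the question is about: the option fits inside the buffer, so a bounds-only check passes it, yet code that later reads four bytes for a subnet mask would read past the single byte supplied.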
