Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-506-1 dhcpcd5

Debian Security Advisory

DLA-506-1 dhcpcd5 -- LTS security update

Date Reported:

06 Jun 2016

Affected Packages:

dhcpcd5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-7912, CVE-2014-7913.

More information:

Two vulnerabilities were discovered in dhcpcd5 a DHCP client package. A remote (on a local network) attacker can possibly execute arbitrary code or cause a denial of service attack by crafted messages.

• CVE-2014-7912

  The get_option function does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message.

• CVE-2014-7913

  The print_option function misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted message.

For Debian 7 Wheezy, these problems have been fixed in version 5.5.6-1+deb7u2.

We recommend that you upgrade your dhcpcd5 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS