Re: triaging CVE-2016-1503+1504
Hi,
On Tue, Jan 26, 2016 at 07:55:02AM +0000, Mike Gabriel wrote:
> Hi Guido,
> 
> On  Mo 25 Jan 2016 20:44:34 CET, Guido Günther wrote:
> 
> >Hi,
> >looking at the above CVEs concerning dhcpcd, you wrote
> >
> ># Remove not-affected tags for squeeze. By simple code inspection we
> ># cannot say that the issue is not present in squeeze's / wheezy's version
> ># of dhcpcd. Further actions: try exploit, ask upstream, second opinion.
> >
> >did you contact upstream about that already? I don't want to bother them
> >again.
> >Cheers,
> > -- Guido
> 
> No, I haven't contacted upstream, yet. Nor have I tried the exploit on
> dhcpcd in Debian squeeze(-lts).
Thanks for the heads up! I had a closer look and think squeeze is not
affected (will have to check wheezy) since dhcpcd doesn't munge embedded
or encapsulated options and marked the package accordingly. I also
contacted the current and former maintainers to double check.
Cheers,
 -- Guido