Re: triaging CVE-2016-1503+1504

To: Mike Gabriel <sunweaver@debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: triaging CVE-2016-1503+1504
From: Guido Günther <agx@sigxcpu.org>
Date: Sat, 30 Jan 2016 12:11:30 +0100
Message-id: <[🔎] 20160130111130.GA5970@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Mike Gabriel <sunweaver@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 20160126075502.Horde.OWG_3ZNM447pACC6_xaghLI@mail.das-netzwerkteam.de>
References: <[🔎] 20160125194434.GA7536@bogon.m.sigxcpu.org> <[🔎] 20160126075502.Horde.OWG_3ZNM447pACC6_xaghLI@mail.das-netzwerkteam.de>

Hi,
On Tue, Jan 26, 2016 at 07:55:02AM +0000, Mike Gabriel wrote:
> HI Guido,
> 
> On  Mo 25 Jan 2016 20:44:34 CET, Guido Günther wrote:
> 
> >Hi,
> >looking at the above CVEs concerning dhcpcd, you wrote
> >
> ># Remove not-affected tags for squeeze. By simple code inspection we
> ># cannot say that the issue is not present in squeeze's / wheezy's version
> ># of dhcpcd. Further actions: try exploit, ask upstream, second opinion.
> >
> >did you contact upstream about that alread? I don't want to bother them
> >again.
> >Cheers,
> > -- Guido
> 
> No, I haven't contacted upstream, yet. Nor have I tried the exploit on
> dhcpcd in Debian squeeze(-lts).

Thanks for the heads up! I had a closer look and think squeeze is not
affected (will have to check wheezy) since dhcpcd doesn't munge embedded
or encapsulated options and marked the package accordingly. I also
contacted the current and former maintainers to double check.
Cheers,
 -- Guido

Reply to:

References:
- triaging CVE-2016-1503+1504
  - From: Guido Günther <agx@sigxcpu.org>
- Re: triaging CVE-2016-1503+1504
  - From: Mike Gabriel <sunweaver@debian.org>

Prev by Date: Re: Fixing CVE-2014-9674 (freetype) in wheezy
Next by Date: Re: Fixing CVE-2014-9674 (freetype) in wheezy
Previous by thread: Re: triaging CVE-2016-1503+1504
Next by thread: imagemagick
Index(es):
- Date
- Thread