Bug 208840 - net/dhcpcd: Add VuXML entry for CVE-2014-7912 and CVE-2014-7913
Summary: net/dhcpcd: Add VuXML entry for CVE-2014-7912 and CVE-2014-7913
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Jason Unovitch
URL: https://android.googlesource.com/plat...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-04-16 19:52 UTC by Ben Woods
Modified: 2016-04-17 20:09 UTC

See Also:
roy: maintainer-feedback+


Attachments
Patch to add VuXML entry for net/dhcpcd for CVE-2014-7912 and CVE-2014-7913 (2.03 KB, patch)
2016-04-16 19:52 UTC, Ben Woods

Description Ben Woods freebsd_committer freebsd_triage 2016-04-16 19:52:27 UTC
Created attachment 169377
Patch to add VuXML entry for net/dhcpcd for CVE-2014-7912 and CVE-2014-7913

Add VuXML entries for net/dhcpcd for CVE-2014-7912 and CVE-2014-7913.
Note that CVE-2014-7913 was recently fixed by the update of net/dhcpcd to 6.10.2 in ports/413437.
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-04-17 01:16:35 UTC
A commit references this bug:

Author: junovitch
Date: Sun Apr 17 01:16:23 UTC 2016
New revision: 413486
URL: https://svnweb.freebsd.org/changeset/ports/413486

Log:
  Document dhcpcd security remote execution/denial of service

  PR:		208840
  Submitted by:	Ben Woods <woodsb02@gmail.com>
  Security:	CVE-2014-7913
  Security:	https://vuxml.FreeBSD.org/freebsd/6ec9f210-0404-11e6-9aee-bc5ff4fb5ea1.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-04-17 01:20:26 UTC
It would appear the Android version of dhcpcd is still version 5.x [1].  I've modified the submission as I see the mention of CVE-2014-7913 being fixed in dhcpcd-6.10.2, but I didn't see any mention of CVE-2014-7912.

Did I miss anything?  I can amend the entry.

[1] https://android.googlesource.com/platform/external/dhcpcd/+/73c09dd8067250734511d955d8f792b41c7213f0/defs.h
Comment 3 roy 2016-04-17 07:00:53 UTC
I've been asked this question a bit so I edited the check-in comment to dhcpcd which fixes CVE-2014-7912 before I knew it even existed.

http://roy.marples.name/projects/dhcpcd/info/d71cfd8aa203bffe

This was fixed in dhcpcd-6.9.1
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-04-17 20:07:58 UTC
A commit references this bug:

Author: junovitch
Date: Sun Apr 17 20:07:36 UTC 2016
New revision: 413540
URL: https://svnweb.freebsd.org/changeset/ports/413540

Log:
  Document earlier dhcpcd security issue that has been fixed in an earlier
  version before the security implications were reported.

  PR:		208840
  Submitted by:	Ben Woods <woodsb02@gmail.com>
  Submitted by:	Roy Marples <roy@marples.name>
  Security:	CVE-2014-7912
  Security:	https://vuxml.FreeBSD.org/freebsd/092156c9-04d7-11e6-b1ce-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Jason Unovitch freebsd_committer freebsd_triage 2016-04-17 20:09:41 UTC
(In reply to roy from comment #3)
Thank you for the clarification.  Verbosity is always helpful. :)

Both issues have been documented and the most recent dhcpcd is in head and quarterly.

Roy, thanks for your efforts keeping dhcpcd up to date.

Ben, thanks for catching this in the commit logs and making the report.