dhclient and CVE-2007-0062 today...

Can openSUSE just track 3.0.7 completely rather than backporting bugfixes piecemeal, please?

Let me be clear: CVE-2007-0062 affects transmit time only. The offending data must be entered in dhcpd.conf, and it takes a contrived client that requests enough data to make the server send enough of those admin-configured values out. That already makes it a complete non-issue for most DHCP server operators; very few people push packet limits. Conceivably you could get a dhclient to crash as well, again by writing huge options to send into dhclient.conf (“send” configurations; unlike the server, an external agent cannot tickle this at all).

The point is, not many people do either of these things on purpose! The worst is they’d notice it doesn’t work. This is why CVE-2007-0062 went by without a fire drill.

The only other client changes included in CVE-2007-0062’s patch are to two loop run lengths: one a no-op (cosmetic change, 64->64) and one a straight bugfix (64->128). For the latter to actually present itself as a bug to anyone, it requires:

  1. Your server sent FILENAME contents as a straight text string (not option overloading).

  2. The FILENAME sent was longer than 64 octets.

  3. You actually use the FILENAME in your dhclient-script (hint: most people don’t, it’s only really used by net-boot ROMs).

If all three of those conditions are true, then your FILENAME would only carry the first 64 bytes.
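The three conditions above, as an added sketch that is not ISC's dhclient code: `extract_filename`, `overload_value` and `build_sample` are hypothetical names, and the packet is a constructed sample. It copies the BOOTP file field with a 64-octet loop (pre-fix) or a 128-octet loop (fixed) and skips the copy when Option Overload (code 52) says the field carries options instead of text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { FILE_OFF = 108, FILE_LEN = 128, OPTS_OFF = 240 }; /* RFC 2131 header offsets */

/* Value of Option Overload (code 52), or 0 when absent or malformed. */
static int overload_value(const uint8_t *pkt, size_t len)
{
    size_t i = OPTS_OFF;
    while (i < len && pkt[i] != 255) {                 /* 255 = End */
        if (pkt[i] == 0) { i++; continue; }            /* 0 = Pad */
        if (i + 1 >= len || i + 2 + pkt[i + 1] > len) return 0;
        if (pkt[i] == 52 && pkt[i + 1] == 1) return pkt[i + 2];
        i += 2 + (size_t)pkt[i + 1];
    }
    return 0;
}

/* Copy FILENAME with a run_len-octet loop; -1 if the field is overloaded or input is bad. */
int extract_filename(const uint8_t *pkt, size_t len, size_t run_len, char *out, size_t outsz)
{
    size_t i;
    if (len < OPTS_OFF || run_len > FILE_LEN || outsz <= run_len) return -1;
    if (overload_value(pkt, len) & 1) return -1;       /* bit 0: file field holds options */
    for (i = 0; i < run_len && pkt[FILE_OFF + i] != '\0'; i++)
        out[i] = (char)pkt[FILE_OFF + i];
    out[i] = '\0';
    return (int)i;
}

/* Constructed sample reply (pkt must hold 300 octets): FILENAME is name_len 'a' octets. */
size_t build_sample(uint8_t *pkt, size_t name_len, int overload)
{
    size_t n = OPTS_OFF;
    memset(pkt, 0, 300);                               /* magic cookie left zero; not parsed */
    memset(pkt + FILE_OFF, 'a', name_len);
    if (overload) { pkt[n++] = 52; pkt[n++] = 1; pkt[n++] = (uint8_t)overload; }
    pkt[n++] = 255;
    return n;
}

int main(void)
{
    uint8_t pkt[300]; char out[129];
    size_t n = build_sample(pkt, 100, 0);              /* 100-octet FILENAME as plain text */
    printf("64-octet loop: %d\n", extract_filename(pkt, n, 64, out, sizeof out));
    printf("128-octet loop: %d\n", extract_filename(pkt, n, 128, out, sizeof out));
    return 0;
}
```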

Is this really something we need an emergency security patch for? No. But it’s good to track maintenance! You would have gotten this and other bugs fixed by just tracking 3.0.7 final when it was released in May of 2008.

I applaud tracking maintenance releases; I’m just dismayed there have to be false security concerns to press the issue.