[Debian] CVE: CVE-2022-2928: isc-dhcp : overflow and cause the server to abort

Bug #1997328 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Zhixiong Chi

Bug Description

CVE-2022-2928: https://nvd.nist.gov/vuln/detail/CVE-2022-2928
In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.
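The reference leak described above, modelled in C as an added example (a constructed illustration, not ISC DHCP's own code; the names lookup_option, add_option_leaky, add_option_fixed and refcount_after are hypothetical stand-ins for the functions the advisory names). The lookup hands back a counted reference; the leaky add_option never releases it, so every lease-query response leaves the counter one higher, while the fixed variant releases the reference before returning.

```c
#include <stddef.h>

/* Constructed model of a reference-counted option object (not ISC DHCP's code). */
struct option {
    const char *name;
    unsigned refcnt;   /* number of live references; 1 = the table's own reference */
};

/* Model of option_code_hash_lookup(): returns the option with its refcount
 * raised, so the caller now owns one reference and must release it. */
static struct option *lookup_option(struct option *table, int code) {
    struct option *opt = &table[code];
    opt->refcnt++;
    return opt;
}

/* Model of option_dereference(): drop one reference and clear the pointer. */
static void option_dereference(struct option **optp) {
    (*optp)->refcnt--;
    *optp = NULL;
}

/* Leaky variant: uses the looked-up option but never releases the reference,
 * which is the defect pattern CVE-2022-2928 describes. */
static void add_option_leaky(struct option *table, int code) {
    struct option *opt = lookup_option(table, code);
    (void)opt->name;           /* ... append the option to the response ... */
}

/* Fixed variant: the reference taken by the lookup is released before returning. */
static void add_option_fixed(struct option *table, int code) {
    struct option *opt = lookup_option(table, code);
    (void)opt->name;           /* ... append the option to the response ... */
    option_dereference(&opt);
}

/* Simulate n lease-query responses that each add one option and return the
 * table entry's refcount afterwards. A leak shows up as a count that grows
 * with n instead of settling back to 1; left unchecked it would eventually
 * wrap the unsigned counter, which is the overflow the advisory refers to. */
unsigned refcount_after(int use_fixed, unsigned n) {
    struct option table[1] = { { "client-id", 1 } };   /* constructed sample entry */
    for (unsigned i = 0; i < n; i++) {
        if (use_fixed) add_option_fixed(table, 0);
        else add_option_leaky(table, 0);
    }
    return table[0].refcnt;
}
```

A refcount that does not return to its baseline after a request/response cycle is the check to add in a unit test for any code path that calls a reference-returning lookup.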

Score:
CVE ID: CVE-2022-2928
Status: fixed
CVSS v3 base score: 7.5
Attack Vector (av): N (Network)
Attack Complexity (ac): L (Low)
Privileges Required (pr): N (None)
User Interaction (ui): N (None)
Availability Impact (ai): H (High)

References:
https://security-tracker.debian.org/tracker/CVE-2022-2928

Found during November 2022 CVE scan using vulscan

Yue Tao (wrytao)
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Zhixiong Chi (zhixiongchi)
information type: Public → Public Security
tags: added: stx.8.0 stx.security
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix proposed to integ (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/865278

OpenStack Infra (hudson-openstack) wrote: Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/865278
Committed: https://opendev.org/starlingx/integ/commit/84f14b868ebcd8761cbba15e41dc9706c9f6040b
Submitter: "Zuul (22348)"
Branch: master

commit 84f14b868ebcd8761cbba15e41dc9706c9f6040b
Author: Zhixiong Chi <email address hidden>
Date: Tue Nov 22 04:43:27 2022 -0800

    Debian: isc-dhcp: fix CVE-2022-2928

    Backport the source patch from the version 4.4.1-2.3+deb11u1.
    [https://sources.debian.org/src/isc-dhcp/4.4.1-2.3+deb11u1/debian/patches/CVE-2022-2928.patch]

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5251-1
    It refers to two issues, CVE-2022-2928 and CVE-2022-2928.
    We are not addressing CVE-2022-2929 here.

    Test Plan:
    Pass: build-pkgs -c -p isc-dhcp
    Pass: build-pkgs -a
    Pass: build-image
    Pass: Debian AIO jenkins installation
    Pass: Successfully host-unlock

    Issue is very difficult to reproduce, so we are simply focused on
    making sure that this doesn't break anything.

    Closes-Bug: 1997328

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: Icd9e07420a0b8be1e3542a861e7f3d95f9bb7772

Changed in starlingx:
status: In Progress → Fix Released