oss-sec mailing list archives

Re: CVE request for dnsmasq DoS

From: Josh Bressers <bressers () redhat com>
Date: Wed, 23 Jul 2008 15:20:48 -0400

On 8 July 2008, Jamie Strandboge wrote:


I finally had time to develop a PoC and confirm this on my own. A client
need only send a DHCPREQUEST for an IP address not on the same network
as dnsmasq. Eg:

1. dnsmasq listening on and giving IP addresses for 192.168.122.0/24
2. client requests IP address on another network, such as 192.168.0.1
3. dnsmasq 2.25 (and presumably earlier) crashes


It seems there is also a problem with newer dnsmasq that is very similar to
this:
http://bugs.gentoo.org/show_bug.cgi?id=232523

That problem appears to be pretty much the same thing, but affecting
versions 2.43 - 2.45

Did this ever get a CVE id?

I presume this new flaw will need one as well.

Thanks.

-- 
    JB

Current thread:

Re: CVE request for dnsmasq DoS Steven M. Christey (Jul 01)
- Re: CVE request for dnsmasq DoS Nico Golde (Jul 02)
- Re: CVE request for dnsmasq DoS Jamie Strandboge (Jul 03)
  - Re: CVE request for dnsmasq DoS Jamie Strandboge (Jul 08)
    - Re: CVE request for dnsmasq DoS Josh Bressers (Jul 23)
    - Re: CVE request for dnsmasq DoS Robert Buchholz (Jul 23)
    - Re: CVE request for dnsmasq DoS Robert Buchholz (Jul 23)
  - Re: CVE request for dnsmasq DoS Jamie Strandboge (Jul 12)