On Tue, 29 Aug 2023 13:17:51 +0200 Nicolas Cavallari <nicolas.cavall...@green-communications.fr> wrote:
> Package: dhcpcd-base
> Version: 9.4.1-22
> Severity: critical
> Tags: security
> Justification: breaks unrelated software
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> When the dhcpcd DHCPv4 client receives a zero-length UDP packet on port
> 68, the "network proxy" dhcpcd process exits with status 0. dhcpcd then
> stops all network activity: it does not renew leases and eventually expires
> the current lease (unless it has infinite duration) and removes the IP
> address, leaving the system without networking.
>
> This bug can be triggered remotely over the internet from any UDP port
> and is critical on an internet-facing system that needs DHCP to get
> an IP address, such as a gateway, a dedicated server or a VM.
>
> This affects version 9.4.1-22 (stable) and 1:9.4.1-24~deb12u2
> (stable proposed update) but not 1:10.0.2-4 (testing/unstable), as
> upstream fixed it in 10.0.2:
>
> Upstream bug report: https://github.com/NetworkConfiguration/dhcpcd/issues/179
> Upstream fix:
> https://github.com/NetworkConfiguration/dhcpcd/commit/8b29c0ddf026c1c5647c3b8c6cfe21699c4056ae
>
> This patch does not apply cleanly to 9.4.1 because the privsep
> structure changed in 10.0.2. It's likely that only the src/privsep.c
> hunks about len == 0 and eloop_exit() need to be backported; the other
> changes are just there to avoid compiler warnings about unused
> parameters.
Upstream got around to releasing a backport of this for branch 9 as commits 53e2f6de4ba87d0534c89cae674e6c1a48724ef0 and 6e127eac6903524d401b31893167e4529b8ab111 respectively. You are hereby invited to test and report whether this fixes it for Stable.

Martin-Éric
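The failure mode the report describes, as an added illustration that is not dhcpcd's code: a datagram reader that treats a zero-byte recv() as "peer closed" and stops, beside one that treats it as the valid empty datagram it is on a SOCK_DGRAM socket. The function names are hypothetical, and an AF_UNIX datagram socketpair stands in for the UDP/68 socket so the scenario runs offline.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum { READ_STOP = -1, READ_EMPTY = 0, READ_DATA = 1 };

/* Fragile pattern (hypothetical, mirrors the reported behaviour): a 0-byte
 * read is taken as end-of-file, so the caller leaves its event loop and the
 * process exits with status 0 even though nothing is actually wrong. */
static int read_dgram_naive(int fd) {
    unsigned char buf[1500];
    ssize_t len = recv(fd, buf, sizeof buf, 0);
    if (len <= 0)
        return READ_STOP;          /* zero-length datagram stops the loop */
    return READ_DATA;
}

/* Robust pattern: on a datagram socket, 0 bytes is a legitimate empty
 * datagram. Only a real error should stop the loop; empty input is dropped
 * and the reader keeps serving. */
static int read_dgram_robust(int fd) {
    unsigned char buf[1500];
    ssize_t len = recv(fd, buf, sizeof buf, 0);
    if (len < 0)
        return READ_STOP;
    if (len == 0)
        return READ_EMPTY;         /* ignore and carry on */
    return READ_DATA;
}

/* Constructed scenario: deliver an empty datagram followed by a normal one
 * and report how many real datagrams the reader handled before stopping. */
static int datagrams_served(int (*reader)(int)) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    send(sv[1], "", 0, 0);           /* the zero-length trigger */
    send(sv[1], "DHCP", 4, 0);       /* an ordinary datagram */
    int served = 0;
    for (int i = 0; i < 2; i++) {
        int r = reader(sv[0]);
        if (r == READ_STOP)
            break;                   /* naive reader gives up here */
        if (r == READ_DATA)
            served++;
    }
    close(sv[0]);
    close(sv[1]);
    return served;
}
```

Running both readers through the same scenario shows the naive one serving nothing after the empty datagram while the robust one still processes the real packet that follows.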