[pkg-dhcp-devel] Bug#698597: Bug#698597: isc-dhcp: CVE-2012-1667 patch (for Wheezy)

Michael Gilbert mgilbert at debian.org
Sat Feb 2 22:57:56 UTC 2013


control: severity -1 serious

On Sun, Jan 20, 2013 at 3:50 PM, Hideki Yamane wrote:
>  This package has a security issue according to security-tracker.
>  https://security-tracker.debian.org/tracker/CVE-2012-1667
>
>  I've made a patch for it (also for sid), taken from bind9 package
>  (and just built in pbuilder). Please check it and apply if it would
>  be necessary. If not, please close this bug for tracking issue.

So, the issue with the bind embed is that even though the entire thing
is built, only a very small part is actually used by dhcp.  I don't
really have the time to look into whether the vulnerable bind code for
this CVE is traversed or not.  Someone needs to do that.

With that said, I assume pretty much anyone with interest in this
package also has limited time and isn't interested in that particular
kind of study, so I'm not opposed to blindly fixing security issues in
the embedded code just to ensure we're taking the safe path.  If that
is the way to go, then there are like 6 other bind CVEs that also need
to be fixed at the same time.

I suppose it's a tradeoff between sufficiently studying the code vs.
spending a ton of work fixing the large number of bind issues that
come up every year.

Until the study is done, I'm going to assume the issue is valid, and thus
increase severity for now.  Either way some kind of discussion needs
to happen.

Best wishes,
Mike
