[SECURITY] [DLA 506-1] dhcpcd5 security update

Package : dhcpcd5
Version : 5.5.6-1+deb7u2
CVE ID : CVE-2014-7912 CVE-2014-7913
Debian Bug : N/A

Two vulnerabilities were discovered in dhcpcd5 a DHCP client package.
A remote (on a local network) attacker can possibly execute arbitrary
code or cause a denial of service attack by crafted messages.

CVE-2014-7912

The get_option function does not validate the relationship between
length fields and the amount of data, which allows remote DHCP
servers to execute arbitrary code or cause a denial of service
(memory corruption) via a large length value of an option in a
DHCPACK message.

CVE-2014-7913

The print_option function misinterprets the return value of the
snprintf function, which allows remote DHCP servers to execute
arbitrary code or cause a denial of service (memory corruption)
via a crafted message.

For Debian 7 "Wheezy", these problems have been fixed in version
5.5.6-1+deb7u2.

We recommend that you upgrade your dhcpcd5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------- Ola Lundqvist ---------------------------
/ [email protected] Folkebogatan 26
| [email protected] 654 68 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F /