FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- dhclient heap overflow

Affected packages
12.1 <= FreeBSD < 12.1_9
11.4 <= FreeBSD < 11.4_3
11.3 <= FreeBSD < 11.3_13


VuXML ID 762b7d4a-ec19-11ea-88f8-901b0ef719ab
Discovery 2020-09-02
Entry 2020-09-02

Problem Description:

When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into in inadequately sized buffer.


The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. However, it is possible the bug could be combined with other vulnerabilities to escape the sandbox.


CVE Name CVE-2020-7461
FreeBSD Advisory SA-20:26.dhclient