On 15/02/12 14:30, Marc Deslauriers wrote:
Package: dhcpcd
Version: 1:3.2.3-9
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch



*** /tmp/tmpYPCJL7/bug_body
In Ubuntu, the attached patch was applied to achieve the following:


     * SECURITY UPDATE: dhcpcd before 5.2.12 allows remote attackers to
       execute arbitrary commands via shell metacharacters in a hostname
       obtained from a DHCP message. (LP: #931036)
       - https://build.opensuse.org/package/view_file?file=dhcpcd-3.2.3-option-checks.diff&package=dhcpcd&project=network%3Adhcp&rev=52442e5c1d803d7c1818a920a0bae7f1
       - above linked patch (without the additional support for NETBIOS type
         messages) has been added.
       - CVE-2011-0996


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
   APT prefers precise-updates
   APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise-proposed'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

I plan to keep this very old dhcpcd version around for wheezy, to give a one-release overlap with the current, but incompatible, dhcpcd5. These changes should probably go into wheezy, but I'm inclined to think that this isn't a security issue for squeeze.

The dhcpcd.sh script that's included in the Debian package doesn't (AFAIK) make any unsafe use of the variables which may have unsafe characters, and it contains a very explicit warning for anyone who is modifying it.

# This script sources /var/lib/dhcpc/dhcpcd-<interface>.info which defines
# a set of variables.
# NOTE THAT THE DATA IN SOME OF THESE VARIABLES COME FROM
# UNTRUSTED SOURCES AND ARE UNCHECKED.
# The variables in question are HOSTNAME, DOMAIN, NISDOMAIN,
# ROOTPATH DNSSEARCH and DHCPSNAME. Enough quoting is done to ensure that
# execution of this script is safe, but beware if you pass the value of any of
# these variables to another shell or perl script - there is nothing to
# stop an attacker putting dangerous characters in these variables.
#
# This is important: if noglob not set a filename expansion metachar may be
# included in one of the variables set in the info file and executed
# if that variable is used.
# Try this to see the effect:
# TEST='*'; echo $TEST
set -o noglob

Comments from Debian security people?



Cheers,

Simon.
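
The two points in the script comment quoted above (values from the DHCP server are unchecked, and noglob changes what an unquoted expansion does), as an added example that is not code from the dhcpcd package or from either poster. The helper names is_safe_hostname and unquoted_word_count are hypothetical, the host-name rule assumed is RFC 1123 syntax, and all sample values are constructed.

```shell
#!/bin/sh
# Added example: checks a hook script can apply to a DHCP-supplied value
# before handing it to another shell or program. Names are hypothetical.
LC_ALL=C; export LC_ALL   # make [A-Za-z] ranges byte-exact

# Return 0 only for RFC 1123 style host names: labels of letters, digits and
# '-', joined by '.', each label 1-63 bytes, whole name at most 253 bytes.
is_safe_hostname() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;      # shell metacharacters land here
        .*|*.|*..*) return 1 ;;            # empty label
        -*|*-|*.-*|*-.*) return 1 ;;       # label starts or ends with '-'
    esac
    rest=$name
    while [ -n "$rest" ]; do               # check each label's length
        label=${rest%%.*}
        [ "${#label}" -le 63 ] || return 1
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
    done
    return 0
}

# Print how many words an unquoted expansion of $1 yields inside a scratch
# directory holding two files. Pass "noglob" as $2 to apply 'set -o noglob'.
unquoted_word_count() {
    (   # subshell: the cd and the shell option stay local
        dir=$(mktemp -d) || exit 1
        cd "$dir" && : > a && : > b || exit 1
        [ "$2" = noglob ] && set -o noglob
        set -- $1                          # deliberately unquoted
        echo "$#"
        cd / && rm -rf "$dir"
    )
}
```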


