On 02/10/14 15:28, Roy Marples wrote:
> On 2014-09-29 20:17, Simon Kelley wrote:
>> On 27/09/14 11:01, Roy Marples wrote:
>>> On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
>>>> This is just a heads-up that if you're using the --dhcp-script
>>>> option in dnsmasq, and the script you're calling is being
>>>> interpreted by bash, then you're affected by the shellshock bug.
>>>>
>>>> The bug allows execution of arbitrary code contained in the values of
>>>> environment variables, and there are several variables in the
>>>> environment inherited by the DHCP script whose values can be set
>>>> directly by a DHCP client, so any DHCP client on your network (or
>>>> elsewhere, if your firewall allows) can execute arbitrary shellcode,
>>>> probably as root, with a simple DHCP request.
>>>>
>>>> The fix, of course, is to update bash.
>>>
>>> What's your reason for not sanitising the variables?
>>>
>>> I just released dhcpcd-6.4.7 which fixes this exact issue. I changed
>>> from using my custom sanitiser to svis(3) with VIS_CSTYLE | VIS_OCTAL
>>> and the output can be decoded using unvis(1).
>>> Oddly enough this encoding matches the style dhcpcd was using
>>> previously which is a nice win for me.
>
> In the cold light of day after shellshock I've come to the conclusion
> that you're right and I'm wrong.
> Admittedly I was swayed by a SUSE security report which dealt with badly
> quoted shell scripts which addressed the issue by introducing some
> sanitisation into dhcpcd and I went from there.
>
> Now, dhcpcd just sanitises according to the option encoding. So as most
> string options specify ASCII NVT dhcpcd will ensure that's what you get,
> stopping at the first invalid or non-printable character. There are
> other encoding types such as domain, ascii, raw and binhex which will
> satisfy everything hopefully.
> No more shell sanitising!
>

I think that's probably the right approach. If I could revisit this, I
probably would, but changing how (eg) the client-id is passed to the DHCP
script would break existing scripts.

Cheers,

Simon.
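
The encoding-based approach described in the thread, sketched as an added example that is not part of the original messages and is not dhcpcd or dnsmasq code: a value is rendered according to its declared option type rather than escaped for the shell. The `opt_encoding` tags, `render_option` and the sample bytes are hypothetical, and "printable" is assumed to mean 7-bit ASCII 0x20 to 0x7e.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical encoding tags, named after two of the types in the thread. */
enum opt_encoding { ENC_ASCII, ENC_BINHEX };

/*
 * Render a client-supplied DHCP option value for export to a script.
 * ENC_ASCII:  copy bytes until the first one outside printable 7-bit ASCII
 *             (assumed 0x20..0x7e), then stop; the rest is dropped.
 * ENC_BINHEX: emit two lowercase hex digits per byte, so any byte is safe.
 * Returns the length written (excluding the NUL), or -1 if dst is too small.
 */
int render_option(enum opt_encoding enc, const unsigned char *src, size_t len,
                  char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t i, o = 0;

    if (dstlen == 0)
        return -1;
    for (i = 0; i < len; i++) {
        if (enc == ENC_ASCII) {
            if (src[i] < 0x20 || src[i] > 0x7e)
                break;              /* first invalid byte ends the string */
            if (o + 1 >= dstlen)
                return -1;          /* keep room for the terminating NUL */
            dst[o++] = (char)src[i];
        } else {
            if (o + 2 >= dstlen)
                return -1;
            dst[o++] = hex[src[i] >> 4];
            dst[o++] = hex[src[i] & 0x0f];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample values, not captured from a real client. */
    const unsigned char hostname[] = "host1\nX=1";
    const unsigned char client_id[] = { 0x01, 0x00, 0x1b, 0x0a };
    char out[64];

    if (render_option(ENC_ASCII, hostname, 9, out, sizeof out) >= 0)
        printf("hostname=%s\n", out);
    if (render_option(ENC_BINHEX, client_id, sizeof client_id, out, sizeof out) >= 0)
        printf("client_id=%s\n", out);
    return 0;
}
```
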