[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE request - dhcp clients
From: Sebastian Krahmer <krahmer () suse ! de>
Date: 2011-07-27 9:43:20
Message-ID: 20110727094320.GD16080 () suse ! de
[Download RAW message or body]
Ah ok, so the delivered scripts actually do this. Thanks
for the pointer.
Sebastian
On Wed, Jul 27, 2011 at 11:26:13AM +0200, Tomas Hoger wrote:
> On Wed, 27 Jul 2011 10:57:39 +0200 Sebastian Krahmer wrote:
>
> > Can you point us to the exact version and location in code where
> > the vulnerability is?
>
> I've not previously looked at the code more closely to find the exact
> spot to be fixed. However, I have successfully reproduced the issue
> with busybox 1.15.1 at least, not sure if I looked at any older
> version too. It should be trivial to reproduce by running udhcpc -s
> <script>, where script just dumps whole env. You should see
> server-provided options exported (hostname, domain).
>
> > I remember to have checked udhcpc at that time and neither I found it
> > setting a hostname or parsing the options for a hostname.
>
> Looks like fill_envp is the place:
> http://git.busybox.net/busybox/tree/networking/udhcp/dhcpc.c#n341
>
> The logic was little different in older versions:
> http://git.busybox.net/busybox/tree/networking/udhcp/dhcpc.c?id=9ac5596a#n336
>
> When I talked to upstream, they did see the issue and opened the bug:
> https://bugs.busybox.net/show_bug.cgi?id=3979
>
> --
> Tomas Hoger / Red Hat Security Response Team
--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
---
SUSE LINUX Products GmbH,
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic