Bug 12988 - net-misc/dhcpd
Summary: net-misc/dhcpd
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: Lowest critical
Assignee: Gentoo Security
Reported: 2002-12-31 12:22 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-01-04 19:00 UTC
Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-31 12:22:53 UTC
Debian Security Advisory
DSA-219-1 dhcpcd -- remote command execution
Date Reported: 31 Dec 2002
Affected Packages: dhcpcd
Vulnerable: Yes
Security database references: In the Bugtraq database (at SecurityFocus): BugTraq ID 6200.

More information: 
Simon Kelly discovered a vulnerability in dhcpcd, an RFC2131 and RFC1541 
compliant DHCP client daemon, that runs with root privileges on client 
machines. A malicious administrator of the regular or an untrusted DHCP server 
may execute any command with root privileges on the DHCP client machine by 
sending the command enclosed in shell metacharacters in one of the options 
provided by the DHCP server.

This problem has been fixed in version 1.3.17pl2-8.1 for the old stable 
distribution (potato) and in version 1.3.22pl2-2 for the testing (sarge) and 
unstable (sid) distributions. The current stable distribution (woody) does not 
contain a dhcpcd package.

We recommend that you upgrade your dhcpcd package (on the client machine).
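
An added example (not code from dhcpcd, the advisory, or this bug report) of two defences against the class of flaw described above: allowlisting name-like option values, and single-quoting any server-supplied value before it is written where a shell will read it. It assumes, hypothetically, that option values are emitted as `NAME='value'` lines for a shell script to source and that `name` is a fixed identifier chosen by the client; the function names and the sample value are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist for name-like options (host name, domain name): letters,
 * digits, '-' and '.', 1..255 bytes, not starting with '-' or '.'. */
int is_dns_name(const unsigned char *v, size_t len)
{
    if (len == 0 || len > 255 || v[0] == '-' || v[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum(v[i]) && v[i] != '-' && v[i] != '.')
            return 0;
    return 1;
}

/* Write NAME='value' so that sh reads every byte of value literally:
 * inside single quotes only ' is special, and it is emitted as '\''.
 * Control bytes are rejected. Returns length written, or -1. */
int shell_assign(const char *name, const unsigned char *v, size_t len,
                 char *out, size_t outsz)
{
    size_t o = strlen(name);
    if (o + 3 > outsz)
        return -1;
    memcpy(out, name, o);
    out[o++] = '='; out[o++] = '\'';
    for (size_t i = 0; i < len; i++) {
        int q = (v[i] == '\'');
        if (v[i] < 0x20 || v[i] == 0x7f || o + (q ? 4 : 1) >= outsz)
            return -1;              /* control byte or no room left */
        if (q) { memcpy(out + o, "'\\''", 4); o += 4; }
        else   out[o++] = (char)v[i];
    }
    if (o + 2 > outsz)              /* closing quote plus NUL */
        return -1;
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    const unsigned char val[] = "lan'; echo INJECTED; '"; /* constructed */
    char line[128];
    if (shell_assign("DOMAIN", val, sizeof val - 1, line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

Quoting only protects the point where the value is written; any script that later expands the variable unquoted or passes it to `eval` reintroduces the problem, which is why the allowlist check is worth applying first wherever the option has a known syntax.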
Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev 2003-01-04 19:00:24 UTC
unmasked and glsa sent.