Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 369075 (CVE-2011-1930)

Summary: <dev-libs/klibc-1.5.25: Shell command injection via DHCP messages (CVE-2011-1930)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: alexanderyt, kernel-misc, mrueg
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.zytor.com/pipermail/klibc/2011-May/002907.html
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-05-28 18:44:26 UTC 
From $URL:

Related to CVE-2011-0997

ipconfig vulnerability for malicious dhcpd if $DNSDOMAIN is later
used unquoted, than proof of concept involves
DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"

fix:
http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
will be part of the just to be released klibc-1.5.22
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-14 17:05:14 UTC 
@kernel-misc, can we go ahead with stabilization of dev-libs/klibc-1.5.23 ?
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2013-07-11 02:41:37 UTC 
Ping?
Comment 3 Sergey Popov (RETIRED) gentoo-dev 2013-07-11 15:28:40 UTC 
Maintainer timeout, quick test reveals no breakages in stable.

Arches, please test and mark stable =dev-libs/klibc-1.5.23

Target keywords: amd64 ppc x86
Comment 4 Tim Harder gentoo-dev 2013-07-11 17:40:25 UTC 
(In reply to Sergey Popov from comment #3)
> Maintainer timeout, quick test reveals no breakages in stable.
> 
> Arches, please test and mark stable =dev-libs/klibc-1.5.23
> 
> Target keywords: amd64 ppc x86

Speaking for kernel-misc, just stabilize the latest 1.5* version,
=dev-libs/klibc-1.5.25
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-12 20:40:32 UTC 
amd64 stable
Comment 6 Manuel Rüger (RETIRED) gentoo-dev 2013-07-23 04:28:10 UTC 
(In reply to Agostino Sarubbo from comment #5)
> amd64 stable

(In reply to Tim Harder from comment #4)
[..]
> Speaking for kernel-misc, just stabilize the latest 1.5* version,
> =dev-libs/klibc-1.5.25


klibc-1.5.23 went stable, while 1.5.25 was the target. can you please stabilize it also on amd64?
Comment 7 Andreas Schürch gentoo-dev 2013-07-23 17:33:52 UTC 
x86 done, thanks
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-24 12:25:04 UTC 
marked ~ppc
Comment 9 Sergey Popov (RETIRED) gentoo-dev 2013-08-30 11:18:00 UTC 
Thanks for your work

New GLSA request filed
Comment 10 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-01 23:41:00 UTC 
@maintainers: please clean affected versions.
Comment 11 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-26 23:52:01 UTC 
Affected versions removed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-09-27 00:13:41 UTC 
This issue was resolved and addressed in
 GLSA 201309-21 at http://security.gentoo.org/glsa/glsa-201309-21.xml
by GLSA coordinator Chris Reffett (creffett).