
Bug 426504 (CVE-2011-2716)

Summary: <sys-apps/busybox-1.20.1: improper sanitization of DHCP options (CVE-2011-2716)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: embedded, vapier
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-14 00:32:43 UTC
CVE-2011-2716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2716):
  The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers
  to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME,
  (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.


@embedded: Please punt vulnerable versions.
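The weakness described above, as an added defensive example that is neither BusyBox's nor Gentoo's code: udhcpc hands options such as the host name to a shell script through environment variables, so a value received from the network must be restricted to the hostname character set (RFC 1123: letters, digits, '-', '.') before it is exported. The function names and the "bad" placeholder are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true only if s is a syntactically valid hostname: non-empty
 * dot-separated labels of 1..63 characters, each made of letters, digits
 * and '-', not starting or ending with '-'. Anything else (including
 * shell metacharacters such as ; $ ` | and whitespace) is rejected. */
bool dhcp_hostname_ok(const char *s)
{
    if (*s == '\0' || strlen(s) > 253)
        return false;
    const char *label = s;
    for (const char *p = s; ; p++) {
        if (*p == '.' || *p == '\0') {
            size_t len = (size_t)(p - label);
            if (len == 0 || len > 63)
                return false;
            if (label[0] == '-' || p[-1] == '-')
                return false;
            if (*p == '\0')
                return true;
            label = p + 1;              /* start of the next label */
        } else if (!isalnum((unsigned char)*p) && *p != '-') {
            return false;               /* not a hostname character */
        }
    }
}

/* Build the "NAME=value" string a DHCP client would place in the script's
 * environment. raw/raw_len is the option payload as it arrived on the wire
 * (DHCP strings carry no NUL terminator). A value that fails validation,
 * or that hides an embedded NUL, is replaced by the placeholder "bad" so
 * the script never sees attacker-chosen metacharacters. */
void export_hostname_option(const char *name, const char *raw, size_t raw_len,
                            char *out, size_t out_len)
{
    char tmp[256];
    if (raw_len >= sizeof tmp)
        raw_len = sizeof tmp - 1;       /* DHCP options are at most 255 bytes */
    memcpy(tmp, raw, raw_len);
    tmp[raw_len] = '\0';
    /* strlen shorter than the declared length means an embedded NUL */
    if (strlen(tmp) != raw_len || !dhcp_hostname_ok(tmp))
        strcpy(tmp, "bad");
    snprintf(out, out_len, "%s=%s", name, tmp);
}
```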
Comment 1 Agostino Sarubbo gentoo-dev 2013-08-29 16:02:46 UTC
17:58 <@ago> blueness: could I remove <1.20.1 as requested in bug 426504 ?
17:59 <@blueness> ago, i would say yes, but busybox is very much vapier's thing.  ping him a few times and if you get no answer, ping me again and i'll look into this more carefully

@Mike, what's your mind?
Comment 2 SpanKY gentoo-dev 2013-09-05 05:20:42 UTC
(In reply to Agostino Sarubbo from comment #1)

feel free to cull old busybox ebuilds all you like
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-05 15:37:47 UTC
Cleanup done, @security go ahead with the glsa.
Comment 4 Sergey Popov gentoo-dev 2013-09-06 10:50:14 UTC
Thanks for your work

Added to existing GLSA draft
Comment 5 SpanKY gentoo-dev 2013-09-12 04:01:10 UTC
(In reply to Agostino Sarubbo from comment #3)

you need to look at unused files in $FILESDIR too.  there's a number of patches left behind that are dead now.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:18:18 UTC
This issue was resolved and addressed in
 GLSA 201312-02 at http://security.gentoo.org/glsa/glsa-201312-02.xml
by GLSA coordinator Chris Reffett (creffett).