Bug 362459 - <net-misc/dhcpcd-5.2.12: Hostname sanitation failure (CVE-2011-{0996,0997})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://roy.marples.name/projects/dhcp...
Whiteboard: B2 [glsa]
Reported: 2011-04-07 15:37 UTC by Alex Legler (RETIRED)
Modified: 2013-01-09 00:49 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2011-04-07 15:37:51 UTC
+++ This bug was initially created as a clone of Bug #362453 +++

From redhat, see original bug for source:
Sebastian Krahmer of the SUSE security team noticed that DHCP clients fail to
sanitize certain values supplied by DHCP servers during the DHCP communication.
The example of such value is hostname configured on the DHCP client. Various
scripts assume hostname is trusted and do not sufficiently escape or quote it.
Malicious DHCP server can use this to execute arbitrary code on the DHCP client
by supplying a specially-crafted hostname.

This issue affects dhcpcd as well, fixed in 5.2.12.
Upstream links a 'CVE-2011-966', not sure if this was a typo or if two identifiers were assigned for dhcpcd and ISC separately.
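
The report above comes down to scripts trusting a server-supplied hostname. As an added example (not dhcpcd's code and not the upstream fix; the function names are hypothetical and the sample values are constructed), a POSIX shell check that a script could apply before using such a value:

```shell
#!/bin/sh
# Added example, not dhcpcd's code. Names are hypothetical.
LC_ALL=C; export LC_ALL   # byte-wise ranges and lengths

# Succeed only for an RFC 1123 style name: dot-separated labels of 1-63
# characters from [A-Za-z0-9-], no label starting or ending with "-",
# at most 253 characters in total.
valid_hostname() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        # Anything outside the alphabet: shell metacharacters,
        # whitespace, quotes, control bytes.
        *[!A-Za-z0-9.-]*) return 1 ;;
        # Empty labels.
        .*|*.|*..*) return 1 ;;
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;
        esac
    done
    return 0
}

# Print the offered name if it validates, otherwise the fallback ($2).
choose_hostname() {
    if valid_hostname "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# Constructed sample values, as a server might offer them.
for offered in 'client1.example.org' 'host;id' 'a b' '-x.example'; do
    printf '%-22s -> %s\n' "$offered" "$(choose_hostname "$offered" localhost)"
done
```

Validation complements quoting: the value should still be expanded only inside double quotes and never passed to eval.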
Comment 1 William Hubbs gentoo-dev 2011-04-07 16:09:50 UTC
Dhcpcd 5.2.12 is in the tree.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-04-07 17:47:05 UTC
(In reply to comment #1)
> Dhcpcd 5.2.12 is in the tree.

Thank you.

Arches, please test and mark stable:
=net-misc/dhcpcd-5.2.12
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-04-07 20:18:36 UTC
For me:

If I launch dhcpcd eth0 it assigns me an address, but when I verify with ifconfig eth0 I see the previous address.
If I modify my /etc/conf.d/net at startup dhcpcd works.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-08 16:09:10 UTC
Stable for HPPA.
Comment 5 Thomas Kahle (RETIRED) gentoo-dev 2011-04-08 19:09:15 UTC
x86 stable. Thanks
Comment 6 Markus Meier gentoo-dev 2011-04-09 12:22:45 UTC
arm stable
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-04-10 10:04:25 UTC
amd64 done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2011-04-10 11:43:21 UTC
alpha/ia64/s390/sh/sparc stable
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2011-04-11 04:06:58 UTC
Marked ppc stable.
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-11 17:45:24 UTC
ppc64 stable, last arch done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-04-11 18:38:34 UTC
Thanks, everyone. GLSA request filed.
Comment 12 William Hubbs gentoo-dev 2011-04-11 19:15:00 UTC
Security,

should I remove all older versions of dhcpcd?

Thanks,

William
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-04-11 19:21:43 UTC
(In reply to comment #12)
> Security,
> 
> should I remove all older versions of dhcpcd?
> 

Yes, please, thank you.
Comment 14 William Hubbs gentoo-dev 2011-04-12 06:24:22 UTC
All versions of dhcpcd < 5.2.12 have been removed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:02:47 UTC
CVE-2011-0997 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0997):
  dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before
  3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute
  arbitrary commands via shell metacharacters in a hostname obtained from a
  DHCP message, as demonstrated by a hostname that is provided to
  dhclient-script.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-01-09 00:49:47 UTC
This issue was resolved and addressed in
 GLSA 201301-04 at http://security.gentoo.org/glsa/glsa-201301-04.xml
by GLSA coordinator Stefan Behte (craig).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-01-09 00:49:57 UTC
This issue was resolved and addressed in
 GLSA 201301-04 at http://security.gentoo.org/glsa/glsa-201301-04.xml
by GLSA coordinator Stefan Behte (craig).