Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 523900 - net-misc/dhcpcd-6.4.7 fast stable request
Summary: net-misc/dhcpcd-6.4.7 fast stable request
Status: RESOLVED DUPLICATE of bug 538418
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Keywording and Stabilization (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: William Hubbs
Depends on:
Reported: 2014-09-27 19:44 UTC by William Hubbs
Modified: 2015-02-12 22:00 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description William Hubbs gentoo-dev 2014-09-27 19:44:01 UTC
Dhcpcd-6.4.7 contains a fix related to the shellshock issue. The
following is how Roy explained the fix to me:

> Sanitise the following characters using svis(3) with VIS_CTYLE and
> | ^ & ; < > ( ) $ ` \ " ' <tab> <newline>
> This allows a non buggy unvis(1) to decode it 100% and stays
> compatible with how dhcpcd used to handle encoding on most >
> platforms.
> For systems that supply svis(3) there is a code reduction, for systems
> that do not, a slight code increase.
> This change mitigates systems affected by bash CVE-2014-6271 and
> CVE-2014-7169.
> Sadly glibc provides neither svis(3) or unvis(3) and no unvis(1)
> exists on Linux I know of.
> Luckily dhcpcd provides a small shim

The way I read Roy's Explanation, this doesn't affect us on Linux.
However, we need to fast stable dhcpcd-6.4.7 so I can remove older
versions from the tree since it does affect our *bsd users.
Comment 1 William Hubbs gentoo-dev 2014-09-27 19:50:33 UTC
Arch teams, please put this on the fast track for stabilization. I will
handle amd64.


Comment 2 William Hubbs gentoo-dev 2014-09-27 20:01:22 UTC

Can you confirm whether this affects older dhcpcd versions on Linux
since dhcpcd provides the shims for svis(3) and unvis(3) in that case?


Comment 3 William Hubbs gentoo-dev 2014-09-27 20:16:06 UTC
Stable on amd64.
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-09-27 21:49:54 UTC
x86 stable
Comment 5 Roy Marples 2014-09-28 07:23:24 UTC
All older versions are affected in portage are affected.
dhcpcd only has a shim for svis(3).

It relies on the OS providing unvis(1). However, it should be noted that dhcpcd has always escaped the data in this manner, it's just escaping more now.

svis(3) and unvis(1) are generally found on NetBSD and newer FreeBSD systems, not on Linux.

The issue as a whole ONLY affects users whose /bin/sh is BASH, which is of course Linux only.
Comment 6 Agostino Sarubbo gentoo-dev 2014-09-28 07:38:58 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-09-28 07:39:54 UTC
ppc64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-09-28 09:54:17 UTC
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2014-10-10 20:11:43 UTC
arm stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-10 21:07:04 UTC
Stable on alpha.
Comment 11 William Hubbs gentoo-dev 2015-02-12 22:00:02 UTC

*** This bug has been marked as a duplicate of bug 538418 ***