Dhcpcd-6.4.7 contains a fix related to the shellshock issue. The following is how Roy explained the fix to me:

> Sanitise the following characters using svis(3) with VIS_CSTYLE and
> VIS_OCTAL:
>
> | ^ & ; < > ( ) $ ` \ " ' <tab> <newline>
>
> This allows a non buggy unvis(1) to decode it 100% and stays
> compatible with how dhcpcd used to handle encoding on most
> platforms.
>
> For systems that supply svis(3) there is a code reduction, for systems
> that do not, a slight code increase.
>
> This change mitigates systems affected by bash CVE-2014-6271 and
> CVE-2014-7169.
>
> Sadly glibc provides neither svis(3) or unvis(3) and no unvis(1)
> exists on Linux I know of.
> Luckily dhcpcd provides a small shim

The way I read Roy's explanation, this doesn't affect us on Linux. However, we need to fast stable dhcpcd-6.4.7 so I can remove older versions from the tree since it does affect our *bsd users.
Arch teams, please put this on the fast track for stabilization. I will handle amd64. Thanks, William
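
A simplified illustration of the escaping described in the quoted explanation, added here as an example and not taken from dhcpcd or from svis(3): every listed character is written as a backslash plus three octal digits. The function names and the sample input are assumptions, and unlike the real VIS_CSTYLE form, tab and newline are also written in octal rather than as \t and \n.

```c
#include <stdio.h>
#include <string.h>

/* Characters from the quoted list, including tab and newline. */
static const char UNSAFE[] = "|^&;<>()$`\\\"'\t\n";

/*
 * Hypothetical stand-in for svis(3): copy src to dst, replacing every byte
 * that is in UNSAFE or outside printable ASCII with "\ooo" (three octal
 * digits). Returns the encoded length, or -1 if dst is too small.
 */
int encode_value(char *dst, size_t dstlen, const unsigned char *src, size_t srclen)
{
    size_t o = 0;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = src[i];
        int esc = c < 0x20 || c > 0x7e || strchr(UNSAFE, c) != NULL;
        if (o + (esc ? 4 : 1) + 1 > dstlen)   /* +1 keeps room for the NUL */
            return -1;
        if (esc) {
            dst[o++] = '\\';
            dst[o++] = (char)('0' + ((c >> 6) & 07));
            dst[o++] = (char)('0' + ((c >> 3) & 07));
            dst[o++] = (char)('0' + (c & 07));
        } else {
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Returns 1 when no listed character survives raw; the only backslashes
 * left in encoded output are the ones that start an octal escape. */
int is_shell_inert(const char *s)
{
    for (; *s; s++)
        if (*s != '\\' && strchr(UNSAFE, *s) != NULL)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: a server-supplied value carrying listed characters. */
    const char sample[] = "dom;ain $x (y)\t\"z\"\n";
    char out[128];
    if (encode_value(out, sizeof out, (const unsigned char *)sample, strlen(sample)) < 0)
        return 1;
    printf("%s\n", out);
    return is_shell_inert(out) ? 0 : 1;
}
```
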
Roy, Can you confirm whether this affects older dhcpcd versions on Linux since dhcpcd provides the shims for svis(3) and unvis(3) in that case? Thanks, William
Stable on amd64.
x86 stable
All older versions in portage are affected. dhcpcd only has a shim for svis(3). It relies on the OS providing unvis(1). However, it should be noted that dhcpcd has always escaped the data in this manner, it's just escaping more now. svis(3) and unvis(1) are generally found on NetBSD and newer FreeBSD systems, not on Linux. The issue as a whole ONLY affects users whose /bin/sh is BASH, which is of course Linux only.
ppc stable
ppc64 stable
Stable for HPPA.
arm stable
Stable on alpha.
*** This bug has been marked as a duplicate of bug 538418 ***