Bug 369075 (CVE-2011-1930) - <dev-libs/klibc-1.5.25: Shell command injection via DHCP messages (CVE-2011-1930)
Status: RESOLVED FIXED
Alias: CVE-2011-1930
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.zytor.com/pipermail/klibc/...
Whiteboard: B1 [glsa]
Reported: 2011-05-28 18:44 UTC by Tim Sammut (RETIRED)
Modified: 2013-09-27 00:13 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2011-05-28 18:44:26 UTC
From $URL:

Related to CVE-2011-0997

ipconfig vulnerability for malicious dhcpd if $DNSDOMAIN is later
used unquoted, then proof of concept involves
DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"

fix:
http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
will be part of the just to be released klibc-1.5.22
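
The description above turns on a DHCP-supplied value being read back by a shell without quoting. As an added example (not code from klibc or from the linked commit; all function names are hypothetical), one defensive pattern for a program that writes such values into a shell-sourced file is to check the value against a domain-name allowlist and to emit whatever is written as a single-quoted shell word:

```c
/* Added example, not klibc code; all function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Allowlist check: 1..253 bytes of letters, digits, '-' and '.' only. */
int dns_domain_is_sane(const char *s)
{
    size_t n = strlen(s);
    return n > 0 && n <= 253 && strspn(s, "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.") == n;
}

/* Quote `in` as one sh word, ' becoming '\''; returns -1 if `out` is too small. */
int shell_single_quote(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outlen)      /* keep room for closing ' and NUL */
            return -1;
        if (*in != '\'') { out[o++] = *in; continue; }
        memcpy(out + o, "'\\''", 4);    /* close quote, escaped ', reopen */
        o += 4;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Build "NAME='value'\n" for a file that a shell script will later source. */
int write_shell_var(char *line, size_t len, const char *name, const char *value)
{
    char q[512];
    int n;
    if (shell_single_quote(value, q, sizeof q) != 0)
        return -1;
    n = snprintf(line, len, "%s=%s\n", name, q);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char line[600];                     /* value below is a constructed sample */
    if (write_shell_var(line, sizeof line, "DNSDOMAIN", "lan'$(id)") == 0)
        fputs(line, stdout);
    return 0;
}
```

Single-quoting keeps the value literal when the file is sourced; the allowlist check is what covers consumers that re-evaluate the variable later, for example through `eval`.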
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-14 17:05:14 UTC
@kernel-misc, can we go ahead with stabilization of dev-libs/klibc-1.5.23 ?
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2013-07-11 02:41:37 UTC
Ping?
Comment 3 Sergey Popov gentoo-dev 2013-07-11 15:28:40 UTC
Maintainer timeout, quick test reveals no breakages in stable.

Arches, please test and mark stable =dev-libs/klibc-1.5.23

Target keywords: amd64 ppc x86
Comment 4 Tim Harder gentoo-dev 2013-07-11 17:40:25 UTC
(In reply to Sergey Popov from comment #3)
> Maintainer timeout, quick test reveals no breakages in stable.
> 
> Arches, please test and mark stable =dev-libs/klibc-1.5.23
> 
> Target keywords: amd64 ppc x86

Speaking for kernel-misc, just stabilize the latest 1.5* version,
=dev-libs/klibc-1.5.25
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-12 20:40:32 UTC
amd64 stable
Comment 6 Manuel Rüger (RETIRED) gentoo-dev 2013-07-23 04:28:10 UTC
(In reply to Agostino Sarubbo from comment #5)
> amd64 stable

(In reply to Tim Harder from comment #4)
[..]
> Speaking for kernel-misc, just stabilize the latest 1.5* version,
> =dev-libs/klibc-1.5.25


klibc-1.5.23 went stable, while 1.5.25 was the target. Can you please stabilize it also on amd64?
Comment 7 Andreas Schürch gentoo-dev 2013-07-23 17:33:52 UTC
x86 done, thanks
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-24 12:25:04 UTC
marked ~ppc
Comment 9 Sergey Popov gentoo-dev 2013-08-30 11:18:00 UTC
Thanks for your work

New GLSA request filed
Comment 10 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-01 23:41:00 UTC
@maintainers: please clean affected versions.
Comment 11 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-26 23:52:01 UTC
Affected versions removed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-09-27 00:13:41 UTC
This issue was resolved and addressed in
 GLSA 201309-21 at http://security.gentoo.org/glsa/glsa-201309-21.xml
by GLSA coordinator Chris Reffett (creffett).