Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 426504 (CVE-2011-2716) - <sys-apps/busybox-1.20.1: improper sanitization of DHCP options (CVE-2011-2716)
Summary: <sys-apps/busybox-1.20.1: improper sanitization of DHCP options (CVE-2011-2716)
Alias: CVE-2011-2716
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2012-07-14 00:32 UTC by GLSAMaker/CVETool Bot
Modified: 2013-12-03 04:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-14 00:32:43 UTC
CVE-2011-2716 (
  The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers
  to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME,
  (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.

@embedded: Please punt vulnerable versions.
Comment 1 Agostino Sarubbo gentoo-dev 2013-08-29 16:02:46 UTC
17:58 <@ago> blueness: could I remove <1.20.1 as requested in bug 426504 ?
17:59 <@blueness> ago, i would say yes, but busybox is very much vapier's thing.  ping him a few times and if you get no answer, ping me again and i'll look into this more carefully

@Mike, what's your mind?
Comment 2 SpanKY gentoo-dev 2013-09-05 05:20:42 UTC
(In reply to Agostino Sarubbo from comment #1)

feel free to cull old busybox ebuilds all you like
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-05 15:37:47 UTC
Cleanup done, @security go ahead with the glsa.
Comment 4 Sergey Popov gentoo-dev 2013-09-06 10:50:14 UTC
Thanks for your work

Added to existing GLSA draft
Comment 5 SpanKY gentoo-dev 2013-09-12 04:01:10 UTC
(In reply to Agostino Sarubbo from comment #3)

you need to look at unused files in $FILESDIR too.  there's a number of patches left behind that are dead now.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:18:18 UTC
This issue was resolved and addressed in
 GLSA 201312-02 at
by GLSA coordinator Chris Reffett (creffett).