The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers
to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME,
(2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.
@embedded: Please punt vulnerable versions.
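A defensive check for the option values named in the report above, as an added example (not BusyBox's own code and not part of the original bug report): a strict validator that accepts only plain DNS host names, so a server-supplied value containing shell metacharacters is dropped before it can reach a lease script. The function name `is_safe_hostname` and the sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Letters, digits and hyphen only (ASCII, locale-independent). */
static int is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Hypothetical helper: return 1 if `name` is a plain DNS host name,
 * i.e. dot-separated labels of 1..63 characters, each made only of
 * [A-Za-z0-9-] and neither starting nor ending with '-'. Anything
 * else (metacharacters, spaces, control bytes) is rejected. */
static int is_safe_hostname(const char *name)
{
    size_t label_len = 0, total = strlen(name);
    char prev = '.';

    if (total == 0 || total > 253)
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '.') {
            if (label_len == 0 || prev == '-')
                return 0;               /* empty label or trailing '-' */
            label_len = 0;
        } else if (is_ldh(c)) {
            if (c == '-' && label_len == 0)
                return 0;               /* leading '-' */
            if (++label_len > 63)
                return 0;               /* label too long */
        } else {
            return 0;                   /* not a host name character */
        }
        prev = (char)c;
    }
    return label_len > 0 && prev != '-';
}

int main(void)
{
    /* Constructed sample values for the options listed in the report. */
    const char *opt[][2] = { { "HOST_NAME", "gw-01.example.org" },
                             { "DOMAIN_NAME", "$(id).example" },
                             { "TFTP_SERVER_NAME", "gw;id" } };
    for (size_t i = 0; i < sizeof opt / sizeof opt[0]; i++)
        printf("%-16s %-20s %s\n", opt[i][0], opt[i][1],
               is_safe_hostname(opt[i][1]) ? "accept" : "drop");
    return 0;
}
```

Validation of this kind belongs in the client before the value is handed to any script; quoting variables inside the script is a second layer, not a replacement.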
17:58 <@ago> blueness: could I remove <1.20.1 as requested in bug 426504 ?
17:59 <@blueness> ago, i would say yes, but busybox is very much vapier's thing. ping him a few times and if you get no answer, ping me again and i'll look into this more carefully
@Mike, what's your mind?
(In reply to Agostino Sarubbo from comment #1)
feel free to cull old busybox ebuilds all you like
Cleanup done, @security go ahead with the glsa.
Thanks for your work
Added to existing GLSA draft
(In reply to Agostino Sarubbo from comment #3)
you need to look at unused files in $FILESDIR too. there's a number of patches left behind that are dead now.
This issue was resolved and addressed in
GLSA 201312-02 at http://security.gentoo.org/glsa/glsa-201312-02.xml
by GLSA coordinator Chris Reffett (creffett).