[15802] in bugtraq
Re: ISC DHCP client v2 hole fixed...or not?
daemon@ATHENA.MIT.EDU (beck@OPENBSD.ORG)
Mon Jul 17 15:02:37 2000
Message-Id: <200007142230.e6EMUAH25302@bofh.ucs.ualberta.ca>
Date: Fri, 14 Jul 2000 16:30:09 -0600
Reply-To: beck@OPENBSD.ORG
From: beck@OPENBSD.ORG
X-To: bugtraq@securityfocus.org
To: BUGTRAQ@SECURITYFOCUS.COM
> Executive summary: the official fix for the recent ISC DHCP client
>vulnerability is not as thorough as it should be.
>...
>... Unfortunately, when you look at client/dhclient.c, you can see that
>not every value is processed with pretty_print_option() or something
>similar. Here is an example from script_write_params()
OpenBSD released a different fix for the dhclient shipped with
OpenBSD, see http://www.openbsd.org/errata.html#dhclient. This was not
the fix shipped by ISC.
The patch released by OpenBSD is *not* vulnerable to these problems.
Our fix did two things:
1) Make dhclient-script safely quote anything it gets from the
environment to avoid these problems
2) We pass the variables to dhclient-script by constructing an environment
and running dhclient-script with an execve rather than using a temporary
shell script.
-Bob
------- End of Forwarded Message
