[15815] in bugtraq
Re: ISC DHCP client v2 hole fixed...or not?
daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Tue Jul 18 02:53:39 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <20000717214034.7FBF.0@argo.troja.mff.cuni.cz>
Date: Mon, 17 Jul 2000 21:54:21 +0200
Reply-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
From: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
X-To: beck@OPENBSD.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200007142230.e6EMUAH25302@bofh.ucs.ualberta.ca>

On Fri, 14 Jul 2000 beck@OPENBSD.ORG wrote:
> OpenBSD released a different fix for the dhclient shipped with
> OpenBSD, see http://www.openbsd.org/errata.html#dhclient. This was not
> the fix shipped by ISC.
...
> The patch released by OpenBSD is *not* vulnerable to these problems.
> Our fix did two things:
...

I know and I think this is a good thing (passing data via an intermediate
shell script is very awkward and error-prone, and I fail to understand why
they do it). Nevertheless, you should look at write_client_lease() (which
is not affected by your fix) as well. It might be a mere annoyance rather
than a real vulnerability when someone puts some arbitrary (raw) data into
your dhclient.lease but...

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."