Bugtraq: Re: ISC DHCP client v2 hole fixed...or not?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: ISC DHCP client v2 hole fixed...or not?

From: beck () OPENBSD ORG (beck () OPENBSD ORG)
Date: Fri, 14 Jul 2000 16:30:09 -0600

Executive summary: the official fix for the recent ISC DHCP client
vulnerability is not as thorough as it should be.
...
... Unfortunately, when you look at client/dhclient.c, you can see that
not every value is processed with pretty_print_option() or something
similar. Here is an example from script_write_params()


  OpenBSD released a different fix for the dhclient shipped with
OpenBSD, see http://www.openbsd.org/errata.html#dhclient. This was not
the fix shipped by ISC.

  The patch released by OpenBSD is *not* vulnerable to these problems.
Our fix did two things:

  1) Make dhclient-script safely quote anything it gets from the
environment to avoid these problems

  2) We pass the variables to dhclient-script by constructing an environment
and running dhclient-script with an execve rather than using a temporary
shell script.

  -Bob

------- End of Forwarded Message

By Date By Thread

Current thread:

Re: ISC DHCP client v2 hole fixed...or not? beck () OPENBSD ORG (Jul 14)
- Re: ISC DHCP client v2 hole fixed...or not? Pavel Kankovsky (Jul 17)
- [Debian] New version of cvsweb released Aleph One (Jul 17)