mailing list archives
Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH
From: Michael Gilbert <mgilbert () debian org>
Date: Wed, 17 Oct 2012 15:46:55 -0400
On Wed, Oct 17, 2012 at 3:42 PM, Kurt Seifried wrote:
-----BEGIN PGP SIGNED MESSAGE-----
On 10/15/2012 02:50 PM, Raphael Geissert wrote:
Michael Stapelberg, Tollef Fog Heen, and Michael Biebl discovered
that dhclient was setting dhclient-script's PATH to one that
included a subdirectory of the build directory. This issue is
caused by the way isc-dhcp is packaged in Debian.
At least two versions of isc-dhcp for the amd64 (x86_64)
architecture in Debian were found two be setting PATH to a
subdirectory of /home/zero79/, which would allow a user with such
HOME directory to be able to execute code as root.
To clarify the bug report: it is not specific to samba or hooks in
general, PATH is injected in the environment passed to the execve()
call that executes dhclient-script.
Since this issue doesn't affect the stable release, there won't be
a DSA. This email is just a heads up.
Was this software released however?
It was uploaded to and affected Debian testing and unstable. Testing
has not yet been officially "released", but some people use testing as
if it were an official release. Unstable never gets released.