[pkg-dhcp-devel] Bug#762923: dhclient-script uses bash, allowing remote bash exploits

Yves-Alexis Perez corsac at debian.org
Fri Sep 26 13:53:39 UTC 2014

On Fri, Sep 26, 2014 at 12:47:39PM +0200, Goswin von Brederlow wrote:
> Package: isc-dhcp-client
> Version: 4.2.4-7
> Severity: normal
> File: /sbin/dhclient-script
> Tags: security
> dhclient puts unchecked strings into environment variables for the
> dhclient-script and dhclient-script uses #!/bin/bash. This allows the
> recently found bash bugs to be exploited from remote.

> Given the many eyes now turning towards findings bugs in bash and
> building exploits with them it might be safer to fix those bashisms
> and switch dhclient-script over to #!/bin/sh.
> What do you think?

Actually, if you go that road, you would need to drop anything ever
calling python, perl, ruby or whatever language somehow remotely. Some
scripts might have good reasons to uses bash and bashisms (I'm not
saying that's the case here, but still).

What I find more concerning is to pass unchecked environment variable
directly from remote (or any input, actually).

Yves-Alexis Perez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-dhcp-devel/attachments/20140926/254ba041/attachment.sig>

More information about the pkg-dhcp-devel mailing list