[pkg-dhcp-devel] Bug#762923: dhclient-script uses bash, allowing remote bash exploits
Goswin von Brederlow
goswin-v-b at web.de
Fri Sep 26 16:06:50 UTC 2014
On Fri, Sep 26, 2014 at 03:53:39PM +0200, Yves-Alexis Perez wrote:
> On Fri, Sep 26, 2014 at 12:47:39PM +0200, Goswin von Brederlow wrote:
> > Package: isc-dhcp-client
> > Version: 4.2.4-7
> > Severity: normal
> > File: /sbin/dhclient-script
> > Tags: security
> >
> > dhclient puts unchecked strings into environment variables for the
> > dhclient-script and dhclient-script uses #!/bin/bash. This allows the
> > recently found bash bugs to be exploited from remote.
> >
> [snip]
>
> > Given the many eyes now turning towards findings bugs in bash and
> > building exploits with them it might be safer to fix those bashisms
> > and switch dhclient-script over to #!/bin/sh.
> >
> > What do you think?
> >
>
> Actually, if you go that road, you would need to drop anything ever
> calling python, perl, ruby or whatever language somehow remotely. Some
> scripts might have good reasons to uses bash and bashisms (I'm not
> saying that's the case here, but still).
>
> What I find more concerning is to pass unchecked environment variable
> directly from remote (or any input, actually).
>
> Regards,
> --
> Yves-Alexis Perez
Feel free to patch dhclient to sanitize the stgrings before passing
them to the dhclient-script.
MfG
Goswin
More information about the pkg-dhcp-devel
mailing list