On Fri, Sep 26, 2014 at 03:53:39PM +0200, Yves-Alexis Perez wrote:
> On Fri, Sep 26, 2014 at 12:47:39PM +0200, Goswin von Brederlow wrote:
> > Package: isc-dhcp-client
> > Version: 4.2.4-7
> > Severity: normal
> > File: /sbin/dhclient-script
> > Tags: security
> >
> > dhclient puts unchecked strings into environment variables for the
> > dhclient-script and dhclient-script uses #!/bin/bash. This allows the
> > recently found bash bugs to be exploited from remote.
> >
> [snip]
>
> > Given the many eyes now turning towards finding bugs in bash and
> > building exploits with them it might be safer to fix those bashisms
> > and switch dhclient-script over to #!/bin/sh.
> >
> > What do you think?
> >
>
> Actually, if you go that road, you would need to drop anything ever
> calling python, perl, ruby or whatever language somehow remotely. Some
> scripts might have good reasons to use bash and bashisms (I'm not
> saying that's the case here, but still).
>
> What I find more concerning is to pass unchecked environment variables
> directly from remote (or any input, actually).
>
> Regards,
> --
> Yves-Alexis Perez
Feel free to patch dhclient to sanitize the strings before passing them
to the dhclient-script.

Regards,
Goswin
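A sketch of the sanitising step Goswin suggests and Yves-Alexis is worried about, as an added example that is not code from ISC dhclient, Debian's dhclient-script or either poster. The character whitelist, the function names, the constructed sample option values and the use of `sh -c` in place of `/sbin/dhclient-script` are all assumptions made for the illustration; the second sample value has the shape of the widely published Shellshock test string (a value starting with `() {`), which is exactly what a bash hook script must never receive unfiltered.

```shell
#!/bin/sh
# Added example, not code from ISC dhclient or Debian's dhclient-script.
# Strips DHCP option strings down to a whitelist before they are exported
# to a hook script, so a value beginning with "() {" can never reach bash
# looking like an exported function definition.

# Assumed whitelist: what legitimate string options (domain-name,
# domain-search, host-name, server lists, IPv6 literals) actually need.
# The '-' directly after '^' is literal in a POSIX bracket expression.
DHCP_SAFE_CLASS='[^-A-Za-z0-9._/: ]'

# Print VALUE with every character outside the whitelist removed.
sanitize_dhcp_value() {
    printf '%s\n' "$1" | sed "s|$DHCP_SAFE_CLASS||g"
}

# Succeed only if VALUE needs no changes. A client could log and drop
# anything that fails this instead of silently truncating it.
dhcp_value_is_clean() {
    [ "$(sanitize_dhcp_value "$1")" = "$1" ]
}

# Run a hook with one sanitised variable in its environment.
# Arguments: variable name, raw option value, then the hook command line.
# dhclient exports many such variables; one is enough to show the pattern.
run_hook_with_option() {
    name=$1; raw=$2; shift 2
    clean=$(sanitize_dhcp_value "$raw")
    if [ "$clean" != "$raw" ]; then
        printf 'dropped unsafe characters from %s: %s\n' "$name" "$raw" >&2
    fi
    env "$name=$clean" "$@"
}

# Constructed sample values standing in for what a DHCP server might send.
# The second has the shape of the public Shellshock test string.
GOOD_DOMAIN='lab.example.com'
BAD_DOMAIN='() { :;}; echo vulnerable'

# sh -c stands in for /sbin/dhclient-script here (assumption).
run_hook_with_option new_domain_name "$GOOD_DOMAIN" \
    sh -c 'printf "hook saw domain: %s\n" "$new_domain_name"'
run_hook_with_option new_domain_name "$BAD_DOMAIN" \
    sh -c 'printf "hook saw domain: %s\n" "$new_domain_name"'
```

The whitelist is deliberately narrow; an option whose legitimate values need commas, quotes or other punctuation would have to get its own class, which is why `dhcp_value_is_clean` exists: it lets the caller notice and report a mangled value rather than hand a truncated one to the hook. Filtering like this is defence in depth on top of a patched bash, not a substitute for it, and it does nothing for the separate question of whether the hook should be `#!/bin/bash` or `#!/bin/sh`.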