On 2014-09-29 20:17, Simon Kelley wrote:
On 27/09/14 11:01, Roy Marples wrote:
On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
This is just a heads-up that if you're using the --dhcp-script option
in
dnsmasq, and the script you're calling is being interpreted by bash,
then you're affected
Hi Simon
On Monday 29 Sep 2014 20:17:56 Simon Kelley wrote:
There's no definition of what is allowed in those DHCP options, so it's
quite possible that a shell metacharacter would be encountered.
Sanitising the strings would therefore change what gets passed to the
script, ie it would be an
On Sep 30, 2014, at 1:05 AM, Roy Marples r...@marples.name wrote:
Of course, the shell isn't supposed to interpret metacharacters in the
value of shell variables unless explicitly told to: so sanitising
shouldn't be required (though I concede it would mitigate a lot of
common shell-script
The problem is that there seems to be no standard for what characters have
special meaning in environment variables (other than the usual none do
which bash is violating here). Without that, or at least a guarantee that
certain character AREN'T special, it's not possible to sanitize.
On Tue, Sep
On 2014-09-30 13:33, Nicholas Weaver wrote:
Although, to be honest, although the DHCP vector is trivial to exploit
[1], if the attacker can give you a bogus DHCP reply you've lost
already.
At this point, the attacker already has a full man-in-the-middle of
all network traffic, and can easily
On 27/09/14 11:01, Roy Marples wrote:
On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
This is just a heads-up that if you're using the --dhcp-script option in
dnsmasq, and the script you're calling is being interpreted by bash,
then you're affected by the shellshock bug.
The bug allows
On 26/09/14 22:45, richardvo...@gmail.com wrote:
I know this could be found in the code, and my own systems have busybox not
bash, but I thought I'd ask for general interest:
Is this a matter only of the shebang line in the script, or does dnsmasq
use `system()` to run it, meaning that
Am 27.09.2014 um 12:01 schrieb Roy Marples:
On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
This is just a heads-up that if you're using the --dhcp-script option in
dnsmasq, and the script you're calling is being interpreted by bash,
then you're affected by the shellshock bug.
The bug
On Sep 27, 2014, at 7:01 AM, Matthias Andree matthias.and...@gmx.de wrote:
Am 27.09.2014 um 12:01 schrieb Roy Marples:
On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
This is just a heads-up that if you're using the --dhcp-script option in
dnsmasq, and the script you're calling is being
This is just a heads-up that if you're using the --dhcp-script option in
dnsmasq, and the script you're calling is being interpreted by bash,
then you're affected by the shellshock bug.
The bug allows execution of arbitrary code contained in the values of
environment variables, and there are
I know this could be found in the code, and my own systems have busybox not
bash, but I thought I'd ask for general interest:
Is this a matter only of the shebang line in the script, or does dnsmasq
use `system()` to run it, meaning that control passes through the user's
login shell before
11 matches
Mail list logo
