Re: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection

To: tech-security%netbsd.org@localhost
Subject: Re: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection
From: "Jeremy C. Reed" <reed%reedmedia.net@localhost>
Date: Tue, 26 Apr 2011 15:00:56 -0500 (CDT)

On Tue, 26 Apr 2011, NetBSD Security Officer wrote:

> $old_ip_address are IP addresses), one should either patch dhclient
> to sanitize all variables or add the following line to
> /sbin/dhclient-script at the beginning of the set_hostname()
> function:

I wish I reviewed the advisory first (for ISC and for NetBSD). That 
set_hostname is not part of ISC's nor NetBSD's script.

So maybe put workaround near top of script.

> new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"

At least the BASHism wasn't copied to this advisory :)

Prev by Date: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection
Next by Date: Re: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection
Previous by Thread: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection
Next by Thread: Re: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection
Indexes:

Home | Main Index | Thread Index | Old Index