tech-security archive


Re: NetBSD Security Advisory 2011-005: ISC dhclient hostname field shell metacharacter injection

On Tue, 26 Apr 2011, NetBSD Security Officer wrote:

> $old_ip_address are IP addresses), one should either patch dhclient
> to sanitize all variables or add the following line to
> /sbin/dhclient-script at the beginning of the set_hostname()
> function:

I wish I had reviewed the advisory first (for ISC and for NetBSD). That 
set_hostname is not part of ISC's nor NetBSD's script.

So maybe put workaround near top of script.

> new_host_name="$(echo "${new_host_name}" | sed -e 's/[^a-zA-Z0-9-]*//g')"

At least the BASHism wasn't copied to this advisory :)
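
The quoted workaround as a POSIX sh function that can sit near the top of the script, shown as an added example that is not part of this message, the advisory, or dhclient-script. The names `sanitize_hostname` and `demo` and the sample values are constructed; the `LC_ALL=C` and `tr` steps go beyond the advisory's line.

```shell
#!/bin/sh
# Added example: hostname filter for use near the top of a DHCP client script.
# sanitize_hostname is a hypothetical helper name, not part of dhclient-script.

# Keep only letters, digits and hyphen (the advisory's character class).
# - printf instead of echo: values such as "-n" or ones containing
#   backslashes reach sed unchanged.
# - LC_ALL=C: a-z and A-Z mean ASCII ranges regardless of the locale.
# - tr -d '\n': sed works line by line, so a newline embedded in the value
#   is not removed by the substitution itself.
sanitize_hostname() {
    printf '%s\n' "$1" | LC_ALL=C sed -e 's/[^a-zA-Z0-9-]*//g' | tr -d '\n'
}

# Placement in the script, before anything else reads the variable:
#   new_host_name="$(sanitize_hostname "${new_host_name}")"

# Constructed sample values for the hostname option, showing what the
# filter keeps. Note that dots are dropped too, so an FQDN is flattened.
demo() {
    for raw in 'my-host01' 'host;reboot' 'host$(id)' 'a`b`c' \
               'host.example.org' '-n'; do
        printf '%-20s -> %s\n' "$raw" "$(sanitize_hostname "$raw")"
    done
}

demo
```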
