beckOPENBSD.ORG

• Next message: gregory duchemin: "nasty bug in wingate server, potential DOS."
• Previous message: Vin McLellan: "Re: RSA Aceserver UDP Flood Vulnerability"
• Maybe in reply to: Pavel Kankovsky: "ISC DHCP client v2 hole fixed...or not?"
• Next in thread: Pavel Kankovsky: "Re: ISC DHCP client v2 hole fixed...or not?"
• Maybe reply: beckOPENBSD.ORG: "Re: ISC DHCP client v2 hole fixed...or not?"
• Reply: Pavel Kankovsky: "Re: ISC DHCP client v2 hole fixed...or not?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Executive summary: the official fix for the recent ISC DHCP client
>vulnerability is not as thorough as it should be.
>...
>... Unfortunately, when you look at client/dhclient.c, you can see that
>not every value is processed with pretty_print_option() or something
>similar. Here is an example from script_write_params()

  OpenBSD released a different fix for the dhclient shipped with
OpenBSD, see http://www.openbsd.org/errata.html#dhclient. This was not
the fix shipped by ISC.

  The patch released by OpenBSD is *not* vulnerable to these problems.
Our fix did two things:

  1) Make dhclient-script safely quote anything it gets from the
environment to avoid these problems

  2) We pass the variables to dhclient-script by constructing an environment
and running dhclient-script with an execve rather than using a temporary
shell script.

  -Bob

------- End of Forwarded Message

• Next message: gregory duchemin: "nasty bug in wingate server, potential DOS."
• Previous message: Vin McLellan: "Re: RSA Aceserver UDP Flood Vulnerability"
• Maybe in reply to: Pavel Kankovsky: "ISC DHCP client v2 hole fixed...or not?"
• Next in thread: Pavel Kankovsky: "Re: ISC DHCP client v2 hole fixed...or not?"
• Maybe reply: beckOPENBSD.ORG: "Re: ISC DHCP client v2 hole fixed...or not?"
• Reply: Pavel Kankovsky: "Re: ISC DHCP client v2 hole fixed...or not?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]