klibc - May 2011 - CVE request: klibc: ipconfig sh script with unescaped DHCP options

Related to CVE-2011-0997

ipconfig vulnerability for malicious dhcpd if $DNSDOMAIN is later
used unquoted, than proof of concept involves
DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"

fix:
http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
will be part of the just to be released klibc-1.5.22


-- 
maks

Might it be worth fixing the insecure temporary file usage?

122         snprintf(fn, sizeof(fn), "/tmp/net-%s.conf",
dev->name);
123         f = fopen(fn, "w");

What if someone else has already created that file, or put a symlink
or hard link there?  What if someone overwrites your string with
command injection characters despite your stripping?

-Dan

On Wed, May 18, 2011 at 4:44 AM, maximilian attems <max at stro.at>
wrote:
> Related to CVE-2011-0997
>
> ipconfig vulnerability for malicious dhcpd if $DNSDOMAIN is later
> used unquoted, than proof of concept involves
> DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"
>
> fix:
>
http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
> will be part of the just to be released klibc-1.5.22
>
>
> --
> maks
>
> _______________________________________________
> klibc mailing list
> klibc at zytor.com
> http://www.zytor.com/mailman/listinfo/klibc
>

----- Original Message -----
> Related to CVE-2011-0997
> 
> ipconfig vulnerability for malicious dhcpd if $DNSDOMAIN is later
> used unquoted, than proof of concept involves
> DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"
> 
> fix:
>
http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
> will be part of the just to be released klibc-1.5.22
> 
Please use CVE-2011-1930.

Thanks.

-- 
    JB