Vincent Lefevre
2010-May-23 18:09 UTC
[Secure-testing-team] Bug#582798: dhcp3-client: dhclient changed the permissions of /etc/resolv.conf to -rw-rw-rw-
Package: dhcp3-client
Version: 3.1.3-2
Severity: critical
Tags: security
Justification: root security hole

I've just seen:

$ ll /etc/resolv.conf
-rw-rw-rw- 1 root root 23 2010-05-23 08:40:05 /etc/resolv.conf

allowing modification by any user. /etc/resolv.conf was last modified
by dhclient, and AFAIK, it is the only one that modifies this file.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages dhcp3-client depends on:
ii  debconf [debconf-2.0]  1.5.32    Debian configuration management sy
ii  debianutils            3.2.3     Miscellaneous utilities specific t
ii  dhcp3-common           3.1.3-2   common files used by all the dhcp3
ii  libc6                  2.10.2-9  Embedded GNU C Library: Shared lib

dhcp3-client recommends no packages.

Versions of packages dhcp3-client suggests:
ii  avahi-autoipd          0.6.25-3  Avahi IPv4LL network address confi
pn  resolvconf             <none>    (no description available)

-- Configuration Files:
/etc/dhcp3/dhclient.conf changed:
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
prepend domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes, ntp-servers;

-- debconf information:
  dhcp3-client/dhclient-needs-restarting:
  dhcp3-client/dhclient-script_moved: