Date: Fri, 14 Jul 2000 16:30:09 -0600 From: beck@OPENBSD.ORG Subject: Re: ISC DHCP client v2 hole fixed...or not? To: BUGTRAQ@SECURITYFOCUS.COM > Executive summary: the official fix for the recent ISC DHCP client >vulnerability is not as thorough as it should be. >... >... Unfortunately, when you look at client/dhclient.c, you can see that >not every value is processed with pretty_print_option() or something >similar. Here is an example from script_write_params() OpenBSD released a different fix for the dhclient shipped with OpenBSD, see http://www.openbsd.org/errata.html#dhclient. This was not the fix shipped by ISC. The patch released by OpenBSD is *not* vulnerable to these problems. Our fix did two things: 1) Make dhclient-script safely quote anything it gets from the environment to avoid these problems 2) We pass the variables to dhclient-script by constructing an environment and running dhclient-script with an execve rather than using a temporary shell script. -Bob ------- End of Forwarded Message