Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Oct 2012 15:46:55 -0400
From: Michael Gilbert <mgilbert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2012-2248: isc-dhcp, Debian-specific: build
 path included in PATH

On Wed, Oct 17, 2012 at 3:42 PM, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/15/2012 02:50 PM, Raphael Geissert wrote:
>> Hi,
>>
>> Michael Stapelberg, Tollef Fog Heen, and Michael Biebl discovered
>> that dhclient was setting dhclient-script's PATH to one that
>> included a subdirectory of the build directory[1]. This issue is
>> caused by the way isc-dhcp is packaged in Debian.
>>
>> At least two versions of isc-dhcp for the amd64 (x86_64)
>> architecture in Debian were found two be setting PATH to a
>> subdirectory of /home/zero79/, which would allow a user with such
>> HOME directory to be able to execute code as root.
>>
>> To clarify the bug report: it is not specific to samba or hooks in
>> general, PATH is injected in the environment passed to the execve()
>> call that executes dhclient-script.
>>
>> Since this issue doesn't affect the stable release, there won't be
>> a DSA. This email is just a heads up.
>>
>> [1]http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690532
>>
>> Cheers,
>>
>
> Was this software released however?

It was uploaded to and affected Debian testing and unstable.  Testing
has not yet been officially "released", but some people use testing as
if it were an official release.  Unstable never gets released.

Best wishes,
Mike

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.