Bug 725349 (CVE-2011-2717)
| Field | Value |
|---|---|
| Summary | CVE-2011-2717 dhcpv6: insufficient checking of DHCP options |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | dcantrell, jpopelka |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2015-03-06 11:58:19 UTC |
| Bug Blocks | 722974 |

Description
Tomas Hoger
2011-07-25 09:23:45 UTC
Proposed patch adding check for the domain-search option is attached in the previously mentioned bug #689832:
https://bugzilla.redhat.com/show_bug.cgi?id=689832#c2

(In reply to comment #0)
> The impact for DHCPv6 clients is significantly lower than impact for DHCPv4
> clients, as DHCPv6 does not allow passing hostname in the DHCP reply. DNS
> domain name search is provided in the DHCPv6 replies.

There are currently no known good ways to take advantage of the specially-crafted domain name noted as "search" option value in /etc/resolv.conf. We have inspected various scripts that update the resolv.conf file; none of them process existing search value insecurely.

The only problematic use that was identified was in shtool's sh.echo script. This script may possibly use search value as part of the replacement argument to sed's substitution command. A specially crafted value can result in sed command execution, which may lead to file overwrite or direct code execution (GNU sed). This would require shtool's echo to be used with "%d" construct to request expansion to host's domain. Additionally, domain name extracted from hostname (only when '%h' is used too) or domain value from resolv.conf take precedence over the search value.
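
A validation step of the kind this comment points to for scripts that write the search list, as an added example that is not part of the bug report or of the dhcp or shtool code: it keeps only names built from hostname characters, so nothing that is special to sed or the shell reaches resolv.conf. The function names, the `offered_search` variable and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: allowlist check for DHCP-supplied search domains.
LC_ALL=C; export LC_ALL          # byte-wise ranges in the patterns below

# Succeeds only for a syntactically valid host-style DNS name:
# letters, digits, '-' and '.', labels of 1-63 bytes, at most 253 bytes in all.
is_valid_domain() {
    name=${1%.}                  # tolerate one trailing root dot
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;   # slash, ampersand, quotes, whitespace, newline...
        .*|*..*)          return 1 ;;   # empty label
    esac
    old_ifs=$IFS; IFS=.
    set -- $name                 # split into labels (no glob characters can remain)
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac   # no leading or trailing hyphen
    done
    return 0
}

# Prints the valid names from a whitespace-separated list, dropping the rest.
filter_search_list() {
    out=
    set -f                       # never glob-expand untrusted words
    for d in $1; do
        if is_valid_domain "$d"; then out="${out:+$out }$d"; fi
    done
    set +f
    printf '%s\n' "$out"
}

# Constructed sample value standing in for an offered domain-search option.
offered_search='example.com bad/name.example lab.example.org -x.example'
safe=$(filter_search_list "$offered_search")
if [ -n "$safe" ]; then printf 'search %s\n' "$safe"; fi
```

The check is an allowlist, so names with underscores are rejected as well; a consumer that still builds a sed replacement from the value has no delimiter, `&` or newline left to escape.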