Bug 725364 (CVE-2011-2716) - CVE-2011-2716 busybox: udhcpc insufficient checking of DHCP options
Summary: CVE-2011-2716 busybox: udhcpc insufficient checking of DHCP options
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 731347 768083 772473 790335 800293 802089
Blocks: 722974 742493 784298
 
Reported: 2011-07-25 10:12 UTC by Tomas Hoger
Modified: 2021-02-24 15:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 10:07:09 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Debian BTS 635548 0 None None None Never
Novell 708527 0 None None None Never
Red Hat Product Errata RHSA-2012:0308 0 normal SHIPPED_LIVE Low: busybox security and bug fix update 2012-02-21 07:24:58 UTC
Red Hat Product Errata RHSA-2012:0810 0 normal SHIPPED_LIVE Low: busybox security and bug fix update 2012-06-19 19:29:23 UTC

Description Tomas Hoger 2011-07-25 10:12:14 UTC
A missing DHCP option checking / sanitization flaw was reported for multiple DHCP clients.  This flaw may allow a DHCP server to trick DHCP clients into setting e.g. the system hostname to a specially crafted value containing shell special characters.  Various scripts assume that the hostname is trusted, which may lead to code execution when the hostname is specially crafted.

This issue was tracked in bug #689832 for ISC dhclient (CVE-2011-0997), which also discussed a few other affected clients.  This bug is created to track busybox's udhcpc separately.

Upstream bug report:
https://bugs.busybox.net/show_bug.cgi?id=3979

The busybox version in Red Hat Enterprise Linux 4 is not compiled with support for udhcpc.  The versions shipped with Red Hat Enterprise Linux 5 and 6 include udhcpc and are affected.  However, udhcpc is not used in Red Hat Enterprise Linux.

Comment 1 Tomas Hoger 2011-07-27 11:32:31 UTC
(In reply to comment #0)

> The versions shipped with Red Hat Enterprise Linux 5 and 6 include udhcpc and
> are affected.

To clarify the "affected" part...  udhcpc makes DHCP options supplied by the DHCP server available to the external script via environment variables.  The script can then configure DHCP options on the system in a platform-specific way.  Red Hat Enterprise Linux busybox packages do not provide any such script.  The example scripts that are part of the upstream busybox source tarball (examples/udhcp) do not set the DHCP hostname on the system.
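Added example, not code from busybox, from its examples/udhcp scripts, or from this bug report: a POSIX sh hook script in the style udhcpc invokes (udhcpc runs the script with the event name as its argument and the server-supplied options in the environment, e.g. a variable such as $hostname for option 12). It places the vulnerable pattern described in comment 0 (the option value reaching a shell reparse step) beside a version that validates the value first and then only ever passes it as a quoted argument. The function names vulnerable_apply, valid_hostname and safe_apply and the sample hostnames are constructed for illustration; the validation rule (RFC 952/1123 hostname syntax: dot-separated labels of letters, digits and hyphens, at most 63 bytes per label and 253 in total) is an assumption about what a hook should accept, not a statement of the exact check any busybox version applies.

```shell
#!/bin/sh
# Added example, not busybox code: a udhcpc-style hook script.
# udhcpc runs "script <event>" with the DHCP options exported in the
# environment (e.g. $hostname for option 12), so every value seen here is
# chosen by the DHCP server and must be treated as attacker-controlled.
# Function names and sample hostnames are constructed for illustration.
LC_ALL=C            # make the [A-Za-z0-9] ranges below mean ASCII only
export LC_ALL

# Vulnerable pattern from the report: the option value is re-parsed by the
# shell.  With hostname='x; id' the eval runs "id" with the hook's
# privileges (root, since the hook configures the network).
vulnerable_apply() {
    eval "echo hostname=$1"
}

# The check a client (or its hook) should apply before using a string
# option: accept only RFC 952/1123 hostnames, i.e. dot-separated labels of
# letters, digits and hyphens, no label starting or ending with '-', no
# empty label, label <= 63 bytes, whole name <= 253 bytes.  Underscores and
# a trailing dot are rejected as well (assumption: a DHCP option 12 value
# should never need them).  Returns 0 if acceptable, 1 otherwise.
valid_hostname() {
    h=$1
    [ -n "$h" ] && [ "${#h}" -le 253 ] || return 1
    case $h in
        *[!A-Za-z0-9.-]*) return 1 ;;   # any byte outside the allowed set:
                                        # ; ` $ ( ) | & space, quotes, ...
        .*|*.|*..*)       return 1 ;;   # empty label
        -*|*-|*.-*|*-.*)  return 1 ;;   # label begins or ends with '-'
    esac
    old_ifs=$IFS
    IFS=.
    for label in $h; do                 # safe: only [A-Za-z0-9.-] remain
        if [ "${#label}" -gt 63 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Hardened pattern: validate, then use the value only as one quoted
# argument.  Never eval it, never hand it to sh -c, never write it unquoted
# into a file that another script will later source.
safe_apply() {
    if ! valid_hostname "$1"; then
        echo "udhcpc hook: rejecting hostname option from server" >&2
        return 1
    fi
    echo "hostname=$1"          # stands in for: hostname "$1"
}

# Event dispatch as udhcpc performs it: $1 is the event, options are in
# the environment.  Only the hostname handling is shown here.
if [ "${1:-}" = bound ] || [ "${1:-}" = renew ]; then
    if [ -n "${hostname:-}" ]; then
        safe_apply "$hostname"
    fi
fi
```

The same predicate belongs in the client before it exports the option, which is where the report's title ("insufficient checking of DHCP options") locates the missing check; a hook script that additionally validates costs nothing and protects against a client that was not fixed. The script is installed through udhcpc's -s option; the exact set of exported variable names is documented in the busybox examples/udhcp scripts.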

Comment 2 Tomas Hoger 2011-07-27 11:33:33 UTC
Statement:

(none)

Comment 3 Tomas Hoger 2011-08-17 12:11:44 UTC
Created busybox tracking bugs for this issue

Affects: fedora-all [bug 731347]

Comment 4 Jan Lieskovsky 2011-12-13 13:08:59 UTC
Upstream patch:
http://git.busybox.net/busybox/commit/?id=7280d2017d8075267a12e469983e38277dcf0374

Comment 9 errata-xmlrpc 2012-02-21 03:21:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0308 https://rhn.redhat.com/errata/RHSA-2012-0308.html

Comment 11 errata-xmlrpc 2012-06-20 07:16:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0810 https://rhn.redhat.com/errata/RHSA-2012-0810.html

