Bug#635548: CVE-2011-2716
Hi all,
Reading the bug about CVE-2011-2716, I think the only question left is this:
> > So, in all cases the variable is enclosed in double quotes.
>
> Yes, this looks secure. What about the udeb script?
> /debian/tree/busybox-udeb/usr/share/udhcpc/default.script:
> do_resolv_conf() {
>     local cfg=/etc/resolv.conf
>
>     if [ -n "$domain" ] || [ -n "$dns" ]; then
>         echo -n > $cfg
>         if [ -n "$domain" ]; then
>             echo search $domain >> $cfg
>         fi
>
>         for i in $dns ; do
>             echo nameserver $i >> $cfg
>         done
>     fi
> }
>
> Not quoted in this case.
Does this still need to be fixed? If it is fixed then I think we can
consider this issue done.
Cheers,
Thijs
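
The quoting difference raised in this message, as an added example that is not part of the original mail or of the busybox package: the unquoted form of do_resolv_conf() next to a variant that disables globbing, validates each token and quotes every expansion. The function names, the output-file parameter, the character-set checks and the sample values are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; constructed values, temp files instead of /etc/resolv.conf.

# Unquoted expansions, same shape as the quoted do_resolv_conf().
write_unquoted() {            # $1 = output file (demo parameter)
    : > "$1"
    if [ -n "$domain" ]; then
        echo search $domain >> "$1"
    fi
    for i in $dns; do
        echo nameserver $i >> "$1"
    done
}

# Hostname characters only: letters, digits, dot, hyphen.
valid_name() {
    case $1 in ''|[.-]*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Only characters that occur in IPv4/IPv6 literals.
valid_addr() {
    case $1 in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac
}

# Hardened variant: globbing off while splitting, each token validated,
# every expansion quoted.
write_quoted() {              # $1 = output file (demo parameter)
    names=
    : > "$1"
    set -f
    for d in $domain; do
        if valid_name "$d"; then names="$names $d"; fi
    done
    if [ -n "$names" ]; then printf 'search%s\n' "$names" >> "$1"; fi
    for i in $dns; do
        if valid_addr "$i"; then printf 'nameserver %s\n' "$i" >> "$1"; fi
    done
    set +f
}

demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    touch a.conf b.conf              # files a glob can match
    domain='*' dns='192.0.2.1 *'     # constructed DHCP-supplied values
    write_unquoted unquoted.out; write_quoted quoted.out
    echo '--- unquoted'; cat unquoted.out
    echo '--- quoted'; cat quoted.out
    cd / && rm -rf "$dir"
)
demo
```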