Bug#635548: CVE-2011-2716

[Michael Tokarev <mjt@tls.msk.ru>]

On 03.06.2012 13:43, Thijs Kinkhorst wrote:
> Hi all,
> 
> Reading the bug about CVE-2011-2716, I think the only question left is this:
> 
>>> So, in all cases the variable is enclosed in double quotes.
>>
>> Yes this look secure. What about the udeb script?
>> /debian/tree/busybox-udeb/usr/share/udhcpc/default.script:
>> do_resolv_conf() {
>>         local cfg=/etc/resolv.conf
>>
>>         if [ -n "$domain" ] || [ -n "$dns" ]; then
>>                 echo -n > $cfg
>>                 if [ -n "$domain" ]; then
>>                         echo search $domain >> $cfg
>>                 fi
>>
>>                 for i in $dns ; do
>>                         echo nameserver $i >> $cfg
>>                 done
>>         fi
>> }
>>
>> Not quoted in thsi case.
> 
> Does this still need to be fixed? If it is fixed then I think we can
> consider this issue done.

The version of busybox currently in experimental verifies
all the strings returned by dhcpd and if any bad char is
found, it replaces the whole thing with literal string
"bad" when exporting the variable to the script.  So
there should be no need to quote anything anymore.

I haven't closed this bug becaue I merely forgot about it,
and because I also wanted to recheck all open bugs when
finally uploading busybox 1.20 to unstable.  My current
changelog contains mentions of closing of this bug, too.

Thank you for the reminder, this means these serious issues
weren't forgotten!  And indeed they weren't!.. :)

/mjt