
Bug#635548: marked as done (CVE-2011-2716 udhcpc insufficient checking of DHCP options)



Your message dated Tue, 12 Jun 2012 11:02:26 +0000
with message-id <E1SeOri-00036L-Ck@franck.debian.org>
and subject line Bug#635548: fixed in busybox 1:1.20.0-3
has caused the Debian Bug report #635548,
regarding CVE-2011-2716 udhcpc insufficient checking of DHCP options
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
635548: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635548
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: udhcpc
Severity: grave
Tags: security

Dear Busybox maintainers,
it was discovered that busybox's udhcpc is also affected by 
https://www.isc.org/software/dhcp/advisories/cve-2011-0997 

This has been assigned CVE-2011-2716.

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
--- Begin Message ---
Source: busybox
Source-Version: 1:1.20.0-3

We believe that the bug you reported is fixed in the latest version of
busybox, which is due to be installed in the Debian FTP archive:

busybox-static_1.20.0-3_i386.deb
  to main/b/busybox/busybox-static_1.20.0-3_i386.deb
busybox-syslogd_1.20.0-3_all.deb
  to main/b/busybox/busybox-syslogd_1.20.0-3_all.deb
busybox-udeb_1.20.0-3_i386.udeb
  to main/b/busybox/busybox-udeb_1.20.0-3_i386.udeb
busybox_1.20.0-3.debian.tar.gz
  to main/b/busybox/busybox_1.20.0-3.debian.tar.gz
busybox_1.20.0-3.dsc
  to main/b/busybox/busybox_1.20.0-3.dsc
busybox_1.20.0-3_i386.deb
  to main/b/busybox/busybox_1.20.0-3_i386.deb
udhcpc_1.20.0-3_i386.deb
  to main/b/busybox/udhcpc_1.20.0-3_i386.deb
udhcpd_1.20.0-3_i386.deb
  to main/b/busybox/udhcpd_1.20.0-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635548@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated busybox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 02 Jun 2012 14:54:04 +0400
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source all i386
Version: 1:1.20.0-3
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description: 
 busybox    - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc     - Provides the busybox DHCP client implementation
 udhcpd     - Provides the busybox DHCP server implementation
Closes: 635370 635548
Changes: 
 busybox (1:1.20.0-3) unstable; urgency=low
 .
   * 1.20 had a few fixes which I forgot to mention:
     - integer overflow in expression on big endian (Closes: #635370)
       (I dislike the fix since it makes use of 64bit integers
       instead of using unsigned 32bit, but this is how upstream
       fixed it)
     - CVE-2011-2716 udhcpc insufficient checking of DHCP options (Closes: #635548)
       busybox dhcpd now replaces values of HOST_NAME, DOMAIN_NAME,
       NIS_DOMAIN, TFTP_SERVER_NAME with the literal string "bad"
       if these contain any bad characters.
   * applied stable patches from upstream (ash, man, ifupdown, tar)

--- End Message ---
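
The replacement described in the changelog above, sketched as an added example; it is not part of the original messages and is not busybox's code. The rule for what counts as a clean name, the function names `name_is_clean` and `sanitize_name`, and the sample values are assumptions, since the page does not say which characters are "bad".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed rule (the page does not define "bad characters"): dot-separated labels
 * of 1..63 bytes made of ASCII letters, digits and '-', no leading or trailing '-'. */
int name_is_clean(const unsigned char *v, size_t len)
{
    size_t label = 0;                       /* bytes in the current label */
    for (size_t i = 0; i < len; i++) {
        if (v[i] == '.') {
            if (label == 0 || v[i - 1] == '-')
                return 0;                   /* empty label or label ending in '-' */
            label = 0;
        } else if (isalnum(v[i]) || (v[i] == '-' && label > 0)) {
            if (++label > 63)
                return 0;                   /* label too long */
        } else {
            return 0;                       /* space, quote, ';', NUL, control byte... */
        }
    }
    return label > 0 && v[len - 1] != '-';
}

/* Stores the value in out as a C string, or the literal "bad" if it fails the
 * check or does not fit. Returns 1 if replaced, 0 if kept; outsz must be >= 4. */
int sanitize_name(const unsigned char *v, size_t len, char *out, size_t outsz)
{
    int replace = len >= outsz || !name_is_clean(v, len);
    if (replace) { v = (const unsigned char *)"bad"; len = 3; }
    memcpy(out, v, len);
    out[len] = '\0';
    return replace;
}

int main(void)
{
    /* Constructed sample values, as they might arrive in HOST_NAME (option 12). */
    static const char *samples[] = { "pc1.example.org", "pc1;x", "-pc1", "a..b" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        sanitize_name((const unsigned char *)samples[i], strlen(samples[i]), buf, sizeof buf);
        printf("%-16s -> %s\n", samples[i], buf);
    }
    return 0;
}
```

The length is passed explicitly because DHCP option values are length-prefixed byte strings, so an embedded NUL is rejected rather than silently truncating the name.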