On Tue, 31 May 2011, Adam D. Barratt wrote: > Something very much like that, yes. :-) Please go ahead with the stable > upload; thanks. (Ugh at the debian-changes auto-patch, but that's not > a regression from the current squeeze package, so never mind.) thanks, stable klibc-1.5.20-1+squeeze1 uploaded. sorry for the debian-changes auto-patch, no idea how that happens. (looks wrong to me too) for oldstable the upload would only target the outstanding ipconfig security issue, see belows debdiff. -- maks diff -Nru klibc-1.5.12/debian/changelog klibc-1.5.12/debian/changelog --- klibc-1.5.12/debian/changelog 2011-06-01 10:33:42.000000000 +0200 +++ klibc-1.5.12/debian/changelog 2011-06-01 10:33:42.000000000 +0200 @@ -1,3 +1,9 @@ +klibc (1.5.12-2lenny1) oldstable; urgency=low + + * ipconfig: Escape DHCP options. (CVE-2011-1930) + + -- maximilian attems <maks@debian.org> Wed, 01 Jun 2011 10:20:28 +0200 + klibc (1.5.12-2) unstable; urgency=medium * Add backport 11_klibc-Default-signal-3-to-bsd_signal-3.patch. diff -Nru klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch --- klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch 1970-01-01 01:00:00.000000000 +0100 +++ klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch 2011-06-01 10:33:42.000000000 +0200 @@ -0,0 +1,97 @@ +From 881498e5141db5bc694522de0622553dc2a6e7bf Mon Sep 17 00:00:00 2001 +From: Maximilian Attems <mattems@hep.itp.tuwien.ac.at> +Date: Wed, 1 Jun 2011 10:29:01 +0200 +Subject: [PATCH] [klibc] ipconfig: Escape DHCP options written to /tmp/net-$DEVCICE.conf + +DHCP options like domain-name or hostname are written to +/tmp/net-$DEVICE.conf which is typically later used by other scripts to +determine the network configuration. This is done by sourcing the +/tmp/net-$DEVICE.conf file to get all defined variables. + +This patch escapes the DHCP options written to /tmp/net-$DEVICE.conf +to prevent arbitrary code execution. + +Signed-off-by: Ulrich Dangel <uli@spamt.net> +Reviewed-by: H. Peter Anvin <hpa@zytor.com> +[ trivial backport to 1.5.12 -maks ] +Signed-off-by: maximilian attems <max@stro.at> +--- + usr/kinit/ipconfig/main.c | 55 +++++++++++++++++++++++++++++++------------- + 1 files changed, 39 insertions(+), 16 deletions(-) + +diff --git a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c +index 2ded0f3..3e7f9a7 100644 +--- a/usr/kinit/ipconfig/main.c ++++ b/usr/kinit/ipconfig/main.c +@@ -96,6 +96,25 @@ static void configure_device(struct netdev *dev) + dev->hostname, dev->name); + } + ++static void write_option(FILE* f, const char* name, const char* chr) ++{ ++ ++ fprintf(f, "%s='", name); ++ while (*chr) { ++ switch (*chr) { ++ case '!': ++ case '\'': ++ fprintf(f, "'\\%c'", *chr); ++ break; ++ default: ++ fprintf(f, "%c", *chr); ++ break; ++ } ++ ++chr; ++ } ++ fprintf(f, "'\n"); ++} ++ + static void dump_device_config(struct netdev *dev) + { + char fn[40]; +@@ -104,22 +123,26 @@ static void dump_device_config(struct netdev *dev) + snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name); + f = fopen(fn, "w"); + if (f) { +- fprintf(f, "DEVICE=%s\n", dev->name); +- fprintf(f, "IPV4ADDR=%s\n", my_inet_ntoa(dev->ip_addr)); +- fprintf(f, "IPV4BROADCAST=%s\n", +- my_inet_ntoa(dev->ip_broadcast)); +- fprintf(f, "IPV4NETMASK=%s\n", my_inet_ntoa(dev->ip_netmask)); +- fprintf(f, "IPV4GATEWAY=%s\n", my_inet_ntoa(dev->ip_gateway)); +- fprintf(f, "IPV4DNS0=%s\n", +- my_inet_ntoa(dev->ip_nameserver[0])); +- fprintf(f, "IPV4DNS1=%s\n", +- my_inet_ntoa(dev->ip_nameserver[1])); +- fprintf(f, "HOSTNAME=%s\n", dev->hostname); +- fprintf(f, "DNSDOMAIN=%s\n", dev->dnsdomainname); +- fprintf(f, "NISDOMAIN=%s\n", dev->nisdomainname); +- fprintf(f, "ROOTSERVER=%s\n", my_inet_ntoa(dev->ip_server)); +- fprintf(f, "ROOTPATH=%s\n", dev->bootpath); +- fprintf(f, "filename=\"%s\"\n", dev->filename); ++ write_option(f, "DEVICE", dev->name); ++ write_option(f, "IPV4ADDR", ++ my_inet_ntoa(dev->ip_addr)); ++ write_option(f, "IPV4BROADCAST", ++ my_inet_ntoa(dev->ip_broadcast)); ++ write_option(f, "IPV4NETMASK", ++ my_inet_ntoa(dev->ip_netmask)); ++ write_option(f, "IPV4GATEWAY", ++ my_inet_ntoa(dev->ip_gateway)); ++ write_option(f, "IPV4DNS0", ++ my_inet_ntoa(dev->ip_nameserver[0])); ++ write_option(f, "IPV4DNS1", ++ my_inet_ntoa(dev->ip_nameserver[1])); ++ write_option(f, "HOSTNAME", dev->hostname); ++ write_option(f, "DNSDOMAIN", dev->dnsdomainname); ++ write_option(f, "NISDOMAIN", dev->nisdomainname); ++ write_option(f, "ROOTSERVER", ++ my_inet_ntoa(dev->ip_server)); ++ write_option(f, "ROOTPATH", dev->bootpath); ++ write_option(f, "filename", dev->filename); + fclose(f); + } + } +-- +1.5.6.5 +
Attachment:
signature.asc
Description: Digital signature