Re: klibc 1.5.20 stable/oldstable update

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: debian-release@lists.debian.org
Subject: Re: klibc 1.5.20 stable/oldstable update
From: maximilian attems <max@stro.at>
Date: Wed, 1 Jun 2011 10:43:59 +0200
Message-id: <[🔎] 20110601084359.GG5391@stro.at>
In-reply-to: <1306868080.3872.102.camel@hathi.jungle.funky-badger.org>
References: <20110518154150.GN17786@vostochny.stro.at> <1305832031.3338.218.camel@hathi.jungle.funky-badger.org> <20110530153502.GA16345@stro.at> <1306868080.3872.102.camel@hathi.jungle.funky-badger.org>

On Tue, 31 May 2011, Adam D. Barratt wrote:

> Something very much like that, yes. :-)  Please go ahead with the stable
> upload; thanks.   (Ugh at the debian-changes auto-patch, but that's not
> a regression from the current squeeze package, so never mind.)

thanks, stable klibc-1.5.20-1+squeeze1 uploaded.
sorry for the debian-changes auto-patch, no idea how that happens.
(looks wrong to me too)

for oldstable the upload would only target the outstanding ipconfig
security issue, see belows debdiff.
 
-- 
maks


diff -Nru klibc-1.5.12/debian/changelog klibc-1.5.12/debian/changelog
--- klibc-1.5.12/debian/changelog	2011-06-01 10:33:42.000000000 +0200
+++ klibc-1.5.12/debian/changelog	2011-06-01 10:33:42.000000000 +0200
@@ -1,3 +1,9 @@
+klibc (1.5.12-2lenny1) oldstable; urgency=low
+
+  * ipconfig: Escape DHCP options. (CVE-2011-1930)
+
+ -- maximilian attems <maks@debian.org>  Wed, 01 Jun 2011 10:20:28 +0200
+
 klibc (1.5.12-2) unstable; urgency=medium
 
   * Add backport 11_klibc-Default-signal-3-to-bsd_signal-3.patch.
diff -Nru klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch
--- klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-1.5.12/debian/patches/12_ipconfig-Escape-DHCP-options-written-to-tm.patch	2011-06-01 10:33:42.000000000 +0200
@@ -0,0 +1,97 @@
+From 881498e5141db5bc694522de0622553dc2a6e7bf Mon Sep 17 00:00:00 2001
+From: Maximilian Attems <mattems@hep.itp.tuwien.ac.at>
+Date: Wed, 1 Jun 2011 10:29:01 +0200
+Subject: [PATCH] [klibc] ipconfig: Escape DHCP options written to /tmp/net-$DEVCICE.conf
+
+DHCP options like domain-name or hostname are written to
+/tmp/net-$DEVICE.conf which is typically later used by other scripts to
+determine the network configuration. This is done by sourcing the
+/tmp/net-$DEVICE.conf file to get all defined variables.
+
+This patch escapes the DHCP options written to /tmp/net-$DEVICE.conf
+to prevent arbitrary code execution.
+
+Signed-off-by: Ulrich Dangel <uli@spamt.net>
+Reviewed-by: H. Peter Anvin <hpa@zytor.com>
+[ trivial backport to 1.5.12 -maks ]
+Signed-off-by: maximilian attems <max@stro.at>
+---
+ usr/kinit/ipconfig/main.c |   55 +++++++++++++++++++++++++++++++-------------
+ 1 files changed, 39 insertions(+), 16 deletions(-)
+
+diff --git a/usr/kinit/ipconfig/main.c b/usr/kinit/ipconfig/main.c
+index 2ded0f3..3e7f9a7 100644
+--- a/usr/kinit/ipconfig/main.c
++++ b/usr/kinit/ipconfig/main.c
+@@ -96,6 +96,25 @@ static void configure_device(struct netdev *dev)
+ 			dev->hostname, dev->name);
+ }
+ 
++static void write_option(FILE* f, const char* name, const char* chr)
++{
++
++	fprintf(f, "%s='", name);
++	while (*chr) {
++		switch (*chr) {
++			case '!':
++			case '\'':
++				fprintf(f, "'\\%c'", *chr);
++				break;
++			default:
++				fprintf(f, "%c", *chr);
++				break;
++		}
++		++chr;
++	}
++	fprintf(f, "'\n");
++}
++
+ static void dump_device_config(struct netdev *dev)
+ {
+ 	char fn[40];
+@@ -104,22 +123,26 @@ static void dump_device_config(struct netdev *dev)
+ 	snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name);
+ 	f = fopen(fn, "w");
+ 	if (f) {
+-		fprintf(f, "DEVICE=%s\n", dev->name);
+-		fprintf(f, "IPV4ADDR=%s\n", my_inet_ntoa(dev->ip_addr));
+-		fprintf(f, "IPV4BROADCAST=%s\n",
+-			my_inet_ntoa(dev->ip_broadcast));
+-		fprintf(f, "IPV4NETMASK=%s\n", my_inet_ntoa(dev->ip_netmask));
+-		fprintf(f, "IPV4GATEWAY=%s\n", my_inet_ntoa(dev->ip_gateway));
+-		fprintf(f, "IPV4DNS0=%s\n",
+-			my_inet_ntoa(dev->ip_nameserver[0]));
+-		fprintf(f, "IPV4DNS1=%s\n",
+-			my_inet_ntoa(dev->ip_nameserver[1]));
+-		fprintf(f, "HOSTNAME=%s\n", dev->hostname);
+-		fprintf(f, "DNSDOMAIN=%s\n", dev->dnsdomainname);
+-		fprintf(f, "NISDOMAIN=%s\n", dev->nisdomainname);
+-		fprintf(f, "ROOTSERVER=%s\n", my_inet_ntoa(dev->ip_server));
+-		fprintf(f, "ROOTPATH=%s\n", dev->bootpath);
+-		fprintf(f, "filename=\"%s\"\n", dev->filename);
++		write_option(f, "DEVICE", dev->name);
++		write_option(f, "IPV4ADDR",
++				my_inet_ntoa(dev->ip_addr));
++		write_option(f, "IPV4BROADCAST",
++				my_inet_ntoa(dev->ip_broadcast));
++		write_option(f, "IPV4NETMASK",
++				my_inet_ntoa(dev->ip_netmask));
++		write_option(f, "IPV4GATEWAY",
++				my_inet_ntoa(dev->ip_gateway));
++		write_option(f, "IPV4DNS0",
++				my_inet_ntoa(dev->ip_nameserver[0]));
++		write_option(f, "IPV4DNS1",
++				my_inet_ntoa(dev->ip_nameserver[1]));
++		write_option(f, "HOSTNAME",  dev->hostname);
++		write_option(f, "DNSDOMAIN", dev->dnsdomainname);
++		write_option(f, "NISDOMAIN", dev->nisdomainname);
++		write_option(f, "ROOTSERVER",
++				my_inet_ntoa(dev->ip_server));
++		write_option(f, "ROOTPATH", dev->bootpath);
++		write_option(f, "filename", dev->filename);
+ 		fclose(f);
+ 	}
+ }
+-- 
+1.5.6.5
+

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: klibc 1.5.20 stable/oldstable update
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: NEW changes in oldproposedupdates
Next by Date: Re: Please binNMU adplay and ocp against updated libadplug
Previous by thread: NEW changes in oldproposedupdates
Next by thread: Re: klibc 1.5.20 stable/oldstable update
Index(es):
- Date
- Thread