Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/2012 01:46 PM, Michael Gilbert wrote:
> On Wed, Oct 17, 2012 at 3:42 PM, Kurt Seifried wrote:
> > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >
> > On 10/15/2012 02:50 PM, Raphael Geissert wrote:
> > > Hi,
> > >
> > > Michael Stapelberg, Tollef Fog Heen, and Michael Biebl
> > > discovered that dhclient was setting dhclient-script's PATH to
> > > one that included a subdirectory of the build directory[1].
> > > This issue is caused by the way isc-dhcp is packaged in
> > > Debian.
> > >
> > > At least two versions of isc-dhcp for the amd64 (x86_64) 
> > > architecture in Debian were found two be setting PATH to a 
> > > subdirectory of /home/zero79/, which would allow a user with
> > > such HOME directory to be able to execute code as root.
> > >
> > > To clarify the bug report: it is not specific to samba or hooks
> > > in general, PATH is injected in the environment passed to the
> > > execve() call that executes dhclient-script.
> > >
> > > Since this issue doesn't affect the stable release, there won't
> > > be a DSA. This email is just a heads up.
> > >
> > > [1]http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690532
> > >
> > > Cheers,
> >
> > Was this software released however?
>
> It was uploaded to and affected Debian testing and unstable.
> Testing has not yet been officially "released", but some people use
> testing as if it were an official release.  Unstable never gets
> released.

When I say released I meant in the sense of made available for
download, not in the sense of software engineering and doing a proper
"release".

Release information here:

http://lists.alioth.debian.org/pipermail/pkg-dhcp-devel/2012-April/001275.html

Any ways as you can see it's had a CVE assigned:

So for Debian Bug report logs - #690532
CVE-2012-2248: build system paths used in -DCLIENT_PATH

So my work here is done =).

> Best wishes, Mike




- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQf1AoAAoJEBYNRVNeJnmT3SoQAJqW5UirPGOUzSb5NStJD9Se
GSImky2n+78NyPLwlzSLqB3QRjyEwjbJ01RNXzFU/Z4h4nlmfVVrBrszlWk0T6Fv
cBXKB3cFGmCxDPYErm4Uh8WmSeD3aFUTe2iibXMUhOAlfoVwUadL5FMpBBjszFo+
NBqddySqX1TpAm3CHZnHi29U7kj9/7p/JVkdsqHyF7rMW9lXEp2OG2mfLHTDJQ3W
FcfsqneJQIuEZ3I59OTopKyXrPSaAyvGWCK3yDq6mRyiXDGtv9cb/jCUCUBE130z
OOyQI6hQrOe1xw6y8Uw9s8WRIMF5khuQzk057ddzSxlWf8KZHOL5mUVMWsP57zsy
9HSUxve0Cc+1J52ChjFnP/cTGylWht5vLe9ZnmWPq8Sz3HGpoLJaWChMJeU0ODSL
6BOGi0dtcJFx47nHdzxpiG6hrWRF4qHc1VYUghv3Mli12NSXpMp/eCrepBy+R99I
/W9ScwS51C7cpSju3Dz6iXOrROMu8USjP5a8FY0TpNKDh7P9qHbN9SIQizxnxqtT
dbfCcnQ4lHL0W+AFNIXYfMnHt0LkSmTmfZcW8o0g5Ptw++KrtJNr/+SlRycYLSpM
cn8uW0GyWAxJPdYftw3eZrgQdj0Q5dBj940CtsIguwf3PfboEBHes7MamHt7GMg/
s3Wo3oTF3tYSCLjvxbe/
=hjvB
-----END PGP SIGNATURE-----