oss-sec mailing list archives

Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 17 Oct 2012 13:42:34 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/15/2012 02:50 PM, Raphael Geissert wrote:

Hi,

Michael Stapelberg, Tollef Fog Heen, and Michael Biebl discovered
that dhclient was setting dhclient-script's PATH to one that
included a subdirectory of the build directory[1]. This issue is
caused by the way isc-dhcp is packaged in Debian.

At least two versions of isc-dhcp for the amd64 (x86_64)
architecture in Debian were found two be setting PATH to a
subdirectory of /home/zero79/, which would allow a user with such
HOME directory to be able to execute code as root.

To clarify the bug report: it is not specific to samba or hooks in
general, PATH is injected in the environment passed to the execve()
call that executes dhclient-script.

Since this issue doesn't affect the stable release, there won't be
a DSA. This email is just a heads up.

[1]http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690532

Cheers,


Was this software released however?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQfwoqAAoJEBYNRVNeJnmTFa4P/iUGrMc3zt23oqMySqzacrkN
hzj/zw3xJEFOFZMeTXg2ZUlS3KrUaqolZh6Btlku9EUWVUp+6GudqSE4p/Cr4cL5
fHj2UoTf7X3RjDv8lyqRNbvtJc6eqRBc5iL2UPwXkTFOBA4dHhIV3/PcxoLNLol/
uLYnH7Q6oAa8bJdJYWPo6rh2aMGxR6b2ewXqnVWckOCdrcQD6tfNDHgYji1NC/oh
wcdD3AxvYhxlKiI6+mWy548LG8fJ0bYpx020rkYYldJUre0Frn8TjogoxmEDyyWF
2Ohhnl3EmjlxM2l0FyKSmUZxsb4aRLkLHqNAmk6b33U5czoti1zsHqmzvMjAAb+d
g9IjNkZu/SSTt1ma8MZHd1LDRcM+6gqydTXcdXeuehTcELE5zKUPo4nUQXVKXnxg
CrQDLxRqX0/a6fyc1pLpdWrO0XAHJbCoGdL4nAkI/LlQzQM9K8j9gxkZ4hrWfUwZ
6tbUBqAnglKLVwUhmRmEeKuFSkuoGq2TZeJEbivbqytxyvcmYUzbb+pDdKydnA4o
bIFxQ+lMmouQAIGZB+MwrKQ2PGcAPi5DqHaW/ko0o42xlkyhzVy22fFVNh0AgD7y
NlUZp181WwBrwg4tRKlFHSG0CYq9aKMXIDZL4EAq9cEV8B0WOf/EsVUT3lrXh0dZ
1JSFcLEl9rje9PawjOfD
=xqMN
-----END PGP SIGNATURE-----

Current thread:

CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Raphael Geissert (Oct 15)
- Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Kurt Seifried (Oct 17)
  - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Michael Gilbert (Oct 17)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Kurt Seifried (Oct 17)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Michael Gilbert (Oct 17)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Kurt Seifried (Oct 17)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Michael Gilbert (Oct 18)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Kurt Seifried (Oct 18)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Michael Gilbert (Oct 18)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Henri Salo (Oct 18)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Moritz Muehlenhoff (Oct 18)
    - Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH Tim Brown (Oct 20)