Re: CVE-2012-2248: isc-dhcp, Debian-specific: build path included in PATH

[Michael Gilbert <mgilbert () debian org>]

On Wed, Oct 17, 2012 at 3:42 PM, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/15/2012 02:50 PM, Raphael Geissert wrote:
> > Hi,
> >
> > Michael Stapelberg, Tollef Fog Heen, and Michael Biebl discovered
> > that dhclient was setting dhclient-script's PATH to one that
> > included a subdirectory of the build directory[1]. This issue is
> > caused by the way isc-dhcp is packaged in Debian.
> >
> > At least two versions of isc-dhcp for the amd64 (x86_64)
> > architecture in Debian were found two be setting PATH to a
> > subdirectory of /home/zero79/, which would allow a user with such
> > HOME directory to be able to execute code as root.
> >
> > To clarify the bug report: it is not specific to samba or hooks in
> > general, PATH is injected in the environment passed to the execve()
> > call that executes dhclient-script.
> >
> > Since this issue doesn't affect the stable release, there won't be
> > a DSA. This email is just a heads up.
> >
> > [1]http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690532
> >
> > Cheers,
>
> Was this software released however?

It was uploaded to and affected Debian testing and unstable.  Testing
has not yet been officially "released", but some people use testing as
if it were an official release.  Unstable never gets released.

Best wishes,
Mike