[PLDSA 11-1] New dhcpcd packages fix remote command execution vulnerability

Krzysiek Taraszka dzimi at pld.org.pl
Thu Jan 30 14:10:08 CET 2003


--------------------------------------------------------------------------
PLD Security Advisory PLDSA 11-1                        security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
11 January 2003                           http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to dhcpcd-1.3.22pl1-15
Vulnerability  : remote command execution
Problem-Type   : remote
PLD-specific   : no
BugTraq ID     : 6200

Simon Kelly discovered a vulnerability in dhcpcd, an RFC2131 and
RFC1541 compliant DHCP client daemon that runs with root privileges
on client machines.  A malicious administrator of the regular DHCP
server, or an untrusted DHCP server, may execute any command with root
privileges on the DHCP client machine by sending the command, enclosed
in shell metacharacters, in one of the options provided by the DHCP
server.
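As an added example (not dhcpcd's own code), one defensive way to handle a DHCP-supplied option value before it can reach a shell. It assumes, for illustration only, that the client exports option values as NAME=value lines into a file that a shell script later sources; the helpers flag metacharacters for logging and emit each value single-quoted so the shell treats it as data, never as code.

```c
/* Added example, not dhcpcd's own code. It assumes, for illustration, that
 * the client writes DHCP option values as NAME=value lines into a file a
 * shell script later sources, so each value must reach the shell as data. */
#include <string.h>

/* 1 if the value holds a byte a POSIX shell treats specially in an unquoted
 * assignment (worth logging as a suspicious DHCP reply), else 0. */
int dhcp_value_has_shell_meta(const char *value)
{
    static const char meta[] = "`$;|&<>(){}[]*?~\\\"'\n \t";
    for (const char *p = value; *p; p++)
        if (strchr(meta, *p))
            return 1;
    return 0;
}

/* Append s to out (capacity outsz, current length *n); -1 if it won't fit. */
static int append(char *out, size_t outsz, size_t *n, const char *s)
{
    size_t len = strlen(s);
    if (*n + len >= outsz)
        return -1;
    memcpy(out + *n, s, len);
    *n += len;
    out[*n] = '\0';
    return 0;
}

/* Emit NAME='value', rewriting each embedded single quote as '\'' so the
 * shell takes the whole value literally. Returns bytes written or -1. */
int dhcp_quote_assignment(const char *name, const char *value,
                          char *out, size_t outsz)
{
    size_t n = 0;
    if (append(out, outsz, &n, name) || append(out, outsz, &n, "='"))
        return -1;
    for (const char *p = value; *p; p++) {
        char one[2] = { *p, '\0' };
        if (append(out, outsz, &n, *p == '\'' ? "'\\''" : one))
            return -1;
    }
    return append(out, outsz, &n, "'") ? -1 : (int)n;
}

/* Quote into a scratch buffer and compare with the expected line. */
int dhcp_quote_equals(const char *name, const char *value, const char *expected)
{
    char buf[256];
    return dhcp_quote_assignment(name, value, buf, sizeof buf) >= 0 &&
           strcmp(buf, expected) == 0;
}
```

A sourced line such as DOMAIN='example.com$(id)' stays literal text, whereas the unquoted form would have been expanded by the shell.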

This problem has been fixed in version 1.3.22pl4-1 for the current
stable distribution (ra).

We recommend that you upgrade your dhcpcd packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file.

If you are using the "poldek" package manager, use the lines given below
to upgrade the packages:

poldek --update
        will update the internal database
poldek --upgrade 'dhcpcd*'
        will install corrected packages

If you are using the "apt" package manager, use the lines given below
to upgrade the packages:

apt-get update
        will update the internal database
apt-get upgrade 'dhcpcd*'
        will install corrected packages

PLD Linux 1.0 alias ra
----------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/dhcpcd-1.3.22pl4-1.src.rpm
       MD5 checksum: 6fc3326c082b1dbc82b5ec37181d7587

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/dhcpcd-1.3.22pl4-1.i386.rpm
       MD5 checksum: 5769cc5052ee3c31a3d85fc47f375df1


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/dhcpcd-1.3.22pl4-1.i586.rpm
       MD5 checksum: 31e05b47ea7e4cedbf35765ed92acd14


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/dhcpcd-1.3.22pl4-1.i686.rpm
       MD5 checksum: 14a90f4dd6ddfcf174130d4e7db7df83


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/dhcpcd-1.3.22pl4-1.ppc.rpm
       MD5 checksum: c0712995dc22a770e69cced69980af88

--------------------------------------------------------------------------------
If you are using poldek, add the line for your architecture to poldek.conf.
If you are using apt-get, add the line for your architecture to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security