dhcpcd before 5.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.

Please find attached a debdiff for maverick based on the patch used for opensuse(linked above). The netbios message related stuff has been omitted.

Thanks for the debdiff, looks good, ACK.

Since we have basically the same version of dhcpcd in lucid-precise, I'll upload your changes to all of them.

Thanks!

Actually, your debdiff doesn't compile.

Could you please fix it, and describe what testing you have done to ensure dhcpcd still works after being patched?

I am unsubscribing ubuntu-security-sponsors for now. Please resubscribe the group once a fixed debdiff has been attached.

Thanks.

My apologies, the patch I had attached were from another testing directory I had and not the final one. Please find attached the correct defdiff file.

As part of testing :-
=> I tried building the deb file "debuild"
=> installing it "dpkg -i <debfile>"
=>I tried running the it as "sudo dhcpcd eth0" and the machine gets configured with an ip address.

I did not have a PoC in my possession, so I could not try it out.

Hope this helps, cheers!

I just attached another debdiff in which I've corrected "maverick" to "maverick-security".

A minor update on the patch, with "maverick" changed to "maverick-security".

ACK on the updated debdiff. I have uploaded the fix to Precise, and will release it as a security update for Lucid-Oneiric.

Thanks!

I've also sent your debdiff to Debian.

This bug was fixed in the package dhcpcd - 1:3.2.3-9ubuntu0.1

---------------
dhcpcd (1:3.2.3-9ubuntu0.1) oneiric-security; urgency=high

    * SECURITY UPDATE: dhcpcd before 5.2.12 allows remote attackers to
      execute arbitrary commands via shell metacharacters in a hostname
      obtained from a DHCP message. (LP: #931036)
      - https://build.opensuse.org/package/view_file?file=dhcpcd-3.2.3-option-checks.diff&package=dhcpcd&project=network%3Adhcp&rev=52442e5c1d803d7c1818a920a0bae7f1
      - above linked patch(without the additional support for NETBIOS type
        messages) has been added.
      - CVE-2011-0996
 -- Zubin Mithra <email address hidden> Mon, 13 Feb 2012 14:27:54 +0530

This bug was fixed in the package dhcpcd - 1:3.2.3-7ubuntu0.11.04.1

---------------
dhcpcd (1:3.2.3-7ubuntu0.11.04.1) natty-security; urgency=high

    * SECURITY UPDATE: dhcpcd before 5.2.12 allows remote attackers to
      execute arbitrary commands via shell metacharacters in a hostname
      obtained from a DHCP message. (LP: #931036)
      - https://build.opensuse.org/package/view_file?file=dhcpcd-3.2.3-option-checks.diff&package=dhcpcd&project=network%3Adhcp&rev=52442e5c1d803d7c1818a920a0bae7f1
      - above linked patch(without the additional support for NETBIOS type
        messages) has been added.
      - CVE-2011-0996
 -- Zubin Mithra <email address hidden> Mon, 13 Feb 2012 14:27:54 +0530

This bug was fixed in the package dhcpcd - 1:3.2.3-7ubuntu0.10.10.1

---------------
dhcpcd (1:3.2.3-7ubuntu0.10.10.1) maverick-security; urgency=high

    * SECURITY UPDATE: dhcpcd before 5.2.12 allows remote attackers to
      execute arbitrary commands via shell metacharacters in a hostname
      obtained from a DHCP message. (LP: #931036)
      - https://build.opensuse.org/package/view_file?file=dhcpcd-3.2.3-option-checks.diff&package=dhcpcd&project=network%3Adhcp&rev=52442e5c1d803d7c1818a920a0bae7f1
      - above linked patch(without the additional support for NETBIOS type
        messages) has been added.
      - CVE-2011-0996
 -- Zubin Mithra <email address hidden> Mon, 13 Feb 2012 14:27:54 +0530

This bug was fixed in the package dhcpcd - 1:3.2.3-5ubuntu0.1

---------------
dhcpcd (1:3.2.3-5ubuntu0.1) lucid-security; urgency=high

    * SECURITY UPDATE: dhcpcd before 5.2.12 allows remote attackers to
      execute arbitrary commands via shell metacharacters in a hostname
      obtained from a DHCP message. (LP: #931036)
      - https://build.opensuse.org/package/view_file?file=dhcpcd-3.2.3-option-checks.diff&package=dhcpcd&project=network%3Adhcp&rev=52442e5c1d803d7c1818a920a0bae7f1
      - above linked patch(without the additional support for NETBIOS type
        messages) has been added.
      - CVE-2011-0996
 -- Zubin Mithra <email address hidden> Mon, 13 Feb 2012 14:27:54 +0530

natty has seen the end of its life and is no longer receiving any updates. Marking the natty task for this ticket as "Won't Fix".