TUCoPS :: Unix :: General :: iscdhc~2.txt

COMMAND
 ISC DHCP
SYSTEMS AFFECTED
 ISC DHCP prior to 2.0pl1
PROBLEM
 Ted Lemon posted following. Somebody at OpenBSD discovered a
 possible root exploit in the ISC DHCP client. This exploit is
 present in all versions of the ISC DHCP client prior to 2.0pl1
 and 3.0b1pl14.
 That somebody at OpenBSD who found it was Todd T. Fries. He
 tried following:
 shared-network LOCAL-NET {
 option domain-name "my.`echo hi > /tmp/oops`.domain";
 option domain-name-servers 192.168.1.3, 192.168.1.5;
 subnet 192.168.1.0 netmask 255.255.255.0 {
 option routers 192.168.1.1;
 range 192.168.1.32 192.168.1.127;
 }
 }
 ... and when dhclient finished running I had a nice little present
 in /tmp/ named 'oops' that contained the string 'hi' ..
 The versions of the ISC DHCP client in debian 2.1 (slink) and
 debian 2.2 (potato) are vulnerable to a root exploit.
 Conectiva Linux does not ship dhcp with the client part in the
 binary package. It is explicitly disabled during the RPM package
 building process.
SOLUTION
 Anybody who is using versions of the ISC DHCP client other than
 mentioned above is strongly urged to upgrade. Please visit
 http://www.openbsd.org/errata.hml#dhclient
 for links to the patches for OpenBSD.
 The reported vulnerability is fixed for Debian users in the
 package dhcp-client-beta 2.0b1pl6-0.3 for the current stable
 release (debian 2.1) and in dhcp-client 2.0-3potato1 for the
 frozen pre-release (debian 2.2). The dhcp server and relay agents
 are built from the same source as the client; however, the
 server and relay agents are not vulnerable to this issue and do
 not need to be upgraded.
 For Mandrake Linux please upgrade to:
 6.0/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
 6.0/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
 src: 6.0/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm
 6.1/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
 6.1/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
 src: 6.1/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm
 7.0/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
 7.0/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
 src: 7.0/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm
 7.1/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
 7.1/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
 src: 7.1/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm
 For NetBSD dhclient are vulnerable all releases before 2000年07月10日.
 Systems running formal releases of NetBSD-1.4.2 and prior may be
 vulnerable. Systems running versions of NetBSD prior to 1.4
 should be upgraded to NetBSD 1.4.2 before applying the fixes
 described here. If your system does not and will never run the
 "/sbin/dhclient" daemon to dynamically obtain an IP address, your
 system is not vulnerable to this problem. If you are running any
 NetBSD 1.4.x release, you should download the patch listed below,
 and apply it to src/usr.sbin/dhcp/client/options.c using the
 patch(1) command. If you are running NetBSD-current or
 NetBSD-release, you should update your source tree (with either
 sup or anonymous CVS) to a version containing the fix. The
 problem was corrected on the NetBSD-current mainline on
 2000年06月24日, on the netbsd-1-4 release branch on 2000年06月29日, and
 on the netbsd-1-5 release branch on 2000年07月10日. In all cases you
 should then rebuild and reinstall DHCP:
 % cd src/usr.sbin/dhcp
 % make all
 # make install
 You should then kill off and restart any existing dhclient
 processes. Patch for all releases of 1.4.x:
 ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-dhclient
 For SuSE Linux:
 AXP: ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/dhclient-2.0pl2-3.alpha.rpm
 ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/dhclient-2.0pl2-3.alpha.rpm
 i386: ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/dhclient-2.0pl2-3.i386.rpm
 ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/dhclient-2.0pl2-3.i386.rpm
 ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/dhclient-2.0pl2-3.i386.rpm
 ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/dhclient-2.0pl2-3.i386.rpm
 PPC: ftp://ftp.suse.com/pub/suse/ppc/update/6.3/n1/dhclient-2.0pl2-3.ppc.rpm
 ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/dhclient-2.0pl2-3.ppc.rpm