[Dnsmasq-discuss] Shellshock.
Lonnie Abelbeck
lists at lonnie.abelbeck.com
Sat Sep 27 14:35:08 BST 2014
On Sep 27, 2014, at 7:01 AM, Matthias Andree <matthias.andree at gmx.de> wrote:
> On 27.09.2014 at 12:01, Roy Marples wrote:
>> On Friday 26 Sep 2014 21:14:20 Simon Kelley wrote:
>>> This is just a heads-up that if you're using the --dhcp-script option in
>>> dnsmasq, and the script you're calling is being interpreted by bash,
>>> then you're affected by the shellshock bug.
>>>
>>> The bug allows execution of arbitrary code contained in the values of
>>> environment variables, and there are several variables in the
>>> environment inherited by the DHCP script whose values can be set
>>> directly by a DHCP client, so any DHCP client on your network (or
>>> elsewhere, if your firewall allows) can execute arbitrary shellcode,
>>> probably as root, with a simple DHCP request.
>>>
>>> The fix, of course, is to update bash.
>>
>> What's your reason for not sanitising the variables?
>
> This isn't dnsmasq's fault - what's bash's reason for parsing or
> executing environment variables as though they were functions?
> This is a stupid design decision.
Christos Zoulas from NetBSD has a simple patch to bash to disable importing functions by default:
http://www.openwall.com/lists/oss-security/2014/09/26/22
FreeBSD has done the same:
http://www.openwall.com/lists/oss-security/2014/09/26/33
It seems to me this is the only secure approach for the time being, and for many situations a long term solution.
Lonnie
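As an added example (not from this thread, and not part of dnsmasq), a small POSIX sh check an administrator can run for the situation Simon describes: it reports which interpreter a given --dhcp-script path names in its shebang, and whether the system bash still imports functions from environment variables (the behaviour the NetBSD and FreeBSD patches disable by default). The probe variable name DNSMASQ_PROBE is a constructed value with no meaning to dnsmasq or bash.

```shell
#!/bin/sh
# Added example: defender-side checks for a dnsmasq --dhcp-script.

# Print the interpreter named in the script's shebang line.
# Prints nothing when the file has no shebang.
script_interpreter() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '#!'*) ;;
        *) return 0 ;;
    esac
    # Split "#!/usr/bin/env bash" or "#!/bin/bash -e" into words.
    set -- ${first#'#!'}
    [ $# -gt 0 ] || return 0
    interp=$(basename "$1")
    # With "#!/usr/bin/env bash" the interpreter is the next word.
    if [ "$interp" = env ] && [ $# -gt 1 ]; then
        interp=$(basename "$2")
    fi
    # Caveat: "sh" may itself be a link to bash on some systems; resolve
    # the link (e.g. ls -l /bin/sh) before concluding the script is safe.
    printf '%s\n' "$interp"
}

# Return 0 if the installed bash still executes code found in the value
# of an environment variable shaped like a function definition,
# 1 if it ignores such values (patched), 2 if bash is not installed.
bash_imports_env_functions() {
    command -v bash >/dev/null 2>&1 || return 2
    # Constructed probe: a patched bash leaves "imported" unprinted.
    out=$(env 'DNSMASQ_PROBE=() { :;}; echo imported' bash -c 'true' 2>/dev/null)
    [ "$out" = imported ]
}

# Usage: sh check.sh /path/to/dhcp-script
if [ -n "$1" ]; then
    interp=$(script_interpreter "$1")
    printf 'interpreter: %s\n' "${interp:-(none)}"
    if bash_imports_env_functions; then
        echo "bash still imports functions from the environment: update bash"
    else
        echo "bash does not import functions from the environment"
    fi
fi
```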