From 21401f48463a8e561b3f124267053da0ff6ba367 Mon Sep 17 00:00:00 2001 From: Juergen Daubert Date: Sat, 27 Sep 2014 11:48:05 +0200 Subject: [PATCH] [notify] dhcpcd: update to 6.4.7 includes the following addition: * Sanitise the following characters using svis(3) with VIS_CTYLE and VIS_OCTAL: | ^ & ; < > ( ) $ ` \ " ' This allows a non buggy unvis(1) to decode it 100% and stays compatible with how dhcpcd used to handle encoding on most platforms. For systems that supply svis(3) there is a code reduction, for systems that do not, a slight code increase. This change mitigates systems affected by bash CVE-2014-6271 and CVE-2014-7169. Obviously the last one is quite important as DHCP/RA is one of the attack vectors the "shellshock" bug. As dhcpcd cannot know if /bin/sh is vulnerable (and as of now, bash is *still* vulnerable), it sanitises all the important shell characters as noted in IEEE Std 1003.1, 2004 Edition, 2. Shell Command Language, 2.2 Quoting with the exception of the space character. Full change log: http://roy.marples.name/archives/dhcpcd-discuss/2014/0811.html --- dhcpcd/.md5sum | 2 +- dhcpcd/Pkgfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dhcpcd/.md5sum b/dhcpcd/.md5sum index 829d52f7..ff0e011f 100644 --- a/dhcpcd/.md5sum +++ b/dhcpcd/.md5sum @@ -1 +1 @@ -4272a7de51bf0ba2b5d4f602e7fa5691 dhcpcd-6.4.5.tar.bz2 +b2289237a5b666a11178a9517c3f1240 dhcpcd-6.4.7.tar.bz2 diff --git a/dhcpcd/Pkgfile b/dhcpcd/Pkgfile index 2dc04d13..ef8a4dde 100644 --- a/dhcpcd/Pkgfile +++ b/dhcpcd/Pkgfile @@ -4,7 +4,7 @@ # Depends on: eudev name=dhcpcd -version=6.4.5 +version=6.4.7 release=1 source=(http://roy.marples.name/downloads/dhcpcd/$name-$version.tar.bz2)
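Review bot: in the dhcpcd/.md5sum hunk, the swap from `4272a7de51bf0ba2b5d4f602e7fa5691 dhcpcd-6.4.5.tar.bz2` to `b2289237a5b666a11178a9517c3f1240 dhcpcd-6.4.7.tar.bz2` records no provenance for the new checksum, and MD5 on its own only guards against a corrupted download, not a substituted tarball. Since this update is motivated by the shellshock mitigation, the commit message should say where the new hash was taken from (upstream's published checksum or a signed release) so a reviewer can confirm it was compared against upstream rather than just computed over whatever was fetched.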
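Review bot: in the dhcpcd/Pkgfile hunk, the bump `-version=6.4.5` / `+version=6.4.7` leaves `source=(http://roy.marples.name/downloads/dhcpcd/$name-$version.tar.bz2)` fetching over plain http, so the .md5sum entry is the only integrity check on the archive. If upstream offers the download over https, changing the scheme in the same commit would remove the unauthenticated transport from a security-motivated update; keeping `release=1` is correct here because the version changed.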