includes the following addition:
* Sanitise the following characters using svis(3) with VIS_CTYLE and
VIS_OCTAL:
| ^ & ; < > ( ) $ ` \ " ' <tab> <newline>
This allows a non buggy unvis(1) to decode it 100% and stays compatible
with how dhcpcd used to handle encoding on most platforms.
For systems that supply svis(3) there is a code reduction, for systems
that do not, a slight code increase. This change mitigates systems
affected by bash CVE-2014-6271 and CVE-2014-7169.
Obviously the last one is quite important as DHCP/RA is one of the attack
vectors the "shellshock" bug.
As dhcpcd cannot know if /bin/sh is vulnerable (and as of now, bash is *still*
vulnerable), it sanitises all the important shell characters as noted in IEEE
Std 1003.1, 2004 Edition, 2. Shell Command Language, 2.2 Quoting with the
exception of the space character.
Full change log:
http://roy.marples.name/archives/dhcpcd-discuss/2014/0811.html
Juergen Daubert
21401f4846