Changeset 2197

Oct 3, 2012, 10:22:45 AM (7 years ago)

busybox/udhcpc: Fix potential shell injection.

The DHCP client provided by busybox did not properly validate various
DHCP options received from the DHCP server. These options were
subsequently used in scripts, which could lead to shell injection and
remote command execution.

This bug can only be triggered when a rogue DHCP server is sending out
specially crafted DHCP lease messages, so this should only be an issue
when running in an untrusted network.

This fixes CVE-2011-2716.
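
The class of check the commit message describes, as an added example (not code from this changeset or from busybox): a strict allowlist for host and domain names received in DHCP options, applied before the value is handed to a shell script. The function names, the 63/253 length limits and the decision to reject a trailing dot are assumptions of this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Return 1 if s[0..len) is one DNS label: 1-63 chars from [A-Za-z0-9-],
 * not starting or ending with '-'. */
static int label_ok(const char *s, size_t len)
{
    size_t i;

    if (len == 0 || len > 63 || s[0] == '-' || s[len - 1] == '-')
        return 0;
    for (i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '-')
            return 0;
    return 1;
}

/* Allowlist check for a host or domain name taken from a DHCP option.
 * Only dot-separated labels pass, so every shell metacharacter,
 * whitespace and control byte is rejected rather than escaped. */
int dhcp_name_is_safe(const char *name)
{
    size_t total = strlen(name);
    const char *p = name;

    if (total == 0 || total > 253)
        return 0;
    for (;;) {
        size_t n = strcspn(p, ".");

        if (!label_ok(p, n))
            return 0;
        if (p[n] == '\0')
            return 1;
        p += n + 1; /* skip the dot; an empty next label fails label_ok */
    }
}

/* Hypothetical helper: the value to export to the lease script,
 * or NULL when the server-supplied string must be dropped. */
const char *dhcp_export_value(const char *raw)
{
    return (raw && dhcp_name_is_safe(raw)) ? raw : NULL;
}
```

Rejecting the whole option is deliberate: a value that fails the allowlist is dropped instead of being repaired, so the script never sees attacker-shaped input.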

