FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

isc-dhcp-client -- dhclient does not strip or escape shell meta-characters

Affected packages
isc-dhcp31-client < 3.1.ESV_1,1
isc-dhcp41-client < 4.1.e,2

Details

VuXML ID 7e69f00d-632a-11e0-9f3a-001d092480a4
Discovery 2011-04-05
Entry 2011-04-10

ISC reports:

ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client.
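One defensive check a client-side hook script could apply to a server-supplied hostname before using it, shown as an added example that is not part of this advisory or of ISC's fix. The function names, the `localhost` fallback, the sample values, and the assumption that the value arrives in a variable such as `new_host_name` are all illustrative.

```shell
#!/bin/sh
# Added example: allow-list check for a DHCP-supplied hostname.
# Force the C locale so A-Z/a-z/0-9 ranges match ASCII only.
LC_ALL=C
export LC_ALL

# Return 0 only for RFC 952/1123 hostname syntax: dot-separated labels of
# letters, digits and hyphens, 1-63 characters each, 253 in total, no label
# starting or ending with a hyphen. Every shell meta-character, space and
# newline falls outside the allow-list and is rejected.
is_safe_hostname() {
    hn_name=$1
    [ -n "$hn_name" ] || return 1
    [ "${#hn_name}" -le 253 ] || return 1
    case $hn_name in
        *[!A-Za-z0-9.-]*) return 1 ;;      # character outside the allow-list
        .*|*.|*..*) return 1 ;;            # empty label
        -*|*-|*.-*|*-.*) return 1 ;;       # label starts or ends with '-'
    esac
    hn_rest=$hn_name
    while [ -n "$hn_rest" ]; do
        hn_label=${hn_rest%%.*}
        [ "${#hn_label}" -le 63 ] || return 1
        case $hn_rest in
            *.*) hn_rest=${hn_rest#*.} ;;
            *)   hn_rest= ;;
        esac
    done
    return 0
}

# Print the hostname a script may use: the offered value if it passes the
# check, otherwise the fallback (hypothetical helper for a hook script).
checked_hostname() {
    if is_safe_hostname "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}

# Constructed sample values standing in for $new_host_name from a lease.
for sample in 'client-01.example.org' 'bad;name' 'bad$(name)' 'bad name'; do
    printf '%-24s -> %s\n' "$sample" "$(checked_hostname "$sample" 'localhost')"
done
```

Validation of this kind complements, and does not replace, upgrading to a fixed package version listed above; the value should still be double-quoted wherever the script expands it.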

References

CERT/CC Vulnerability Note 107886
CVE Name CVE-2011-0997