ports/core (3.1): [notify] dhcpcd: update to 6.4.7

crux at crux.nu crux at crux.nu
Sat Sep 27 09:57:35 UTC 2014


commit 21401f48463a8e561b3f124267053da0ff6ba367
Author: Juergen Daubert <jue at jue.li>
Date:   Sat Sep 27 11:48:05 2014 +0200

    [notify] dhcpcd: update to 6.4.7
    
    includes the following addition:
    
       *  Sanitise the following characters using svis(3) with VIS_CSTYLE and
          VIS_OCTAL:
              | ^ & ; < > ( ) $ ` \ " ' <tab> <newline>
          This allows a non buggy unvis(1) to decode it 100% and stays compatible
          with how dhcpcd used to handle encoding on most platforms.
          For systems that supply svis(3) there is a code reduction, for systems
          that do not, a slight code increase. This change mitigates systems
          affected by bash CVE-2014-6271 and CVE-2014-7169.
    
    Obviously the last one is quite important as DHCP/RA is one of the attack
    vectors of the "shellshock" bug.
    As dhcpcd cannot know if /bin/sh is vulnerable (and as of now, bash is *still*
    vulnerable), it sanitises all the important shell characters as noted in IEEE
    Std 1003.1, 2004 Edition, 2. Shell Command Language, 2.2 Quoting with the
    exception of the space character.
    
    Full change log:
    http://roy.marples.name/archives/dhcpcd-discuss/2014/0811.html

diff --git a/dhcpcd/.md5sum b/dhcpcd/.md5sum
index 829d52f..ff0e011 100644
--- a/dhcpcd/.md5sum
+++ b/dhcpcd/.md5sum
@@ -1 +1 @@
-4272a7de51bf0ba2b5d4f602e7fa5691  dhcpcd-6.4.5.tar.bz2
+b2289237a5b666a11178a9517c3f1240  dhcpcd-6.4.7.tar.bz2
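Review bot: the new dhcpcd-6.4.7.tar.bz2 line is the only integrity check in this port, and it is an MD5 sum, which gives no collision resistance. For a release pulled in as a Shellshock mitigation, please state in the commit message how the tarball was verified against upstream before the sum was regenerated (for example against a signature or stronger digest, if upstream publishes one), so the .md5sum is not simply the hash of whatever was downloaded.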
diff --git a/dhcpcd/Pkgfile b/dhcpcd/Pkgfile
index 2dc04d1..ef8a4dd 100644
--- a/dhcpcd/Pkgfile
+++ b/dhcpcd/Pkgfile
@@ -4,7 +4,7 @@
 # Depends on:  eudev
 
 name=dhcpcd
-version=6.4.5
+version=6.4.7
 release=1
 source=(http://roy.marples.name/downloads/dhcpcd/$name-$version.tar.bz2)
 
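Review bot: the unchanged context line `source=(http://roy.marples.name/downloads/dhcpcd/$name-$version.tar.bz2)` still fetches the tarball over plain HTTP, so the download depends entirely on the MD5 sum for protection against tampering in transit. If upstream serves the same path over HTTPS, consider switching the scheme in this bump. Keeping `release=1` is fine since `version` changes.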


