Created attachment 24990
Patch to add string escaping

At boot, init typically configures networking by running ipconfig and sourcing /tmp/net-*.conf right after it. An (intentionally) misconfigured DHCP server can send arbitrary commands to be executed in the sourcing (tested on Ubuntu Karmic Koala kernel 2.6.31-14) because no escaping is applied to the strings. For example, a DHCP server passing a filename of "test$(cat /init)" makes the boot sequence display the content of the init file.
nothing to do with kernel
(In reply to comment #1)
> nothing to do with kernel

I posted the report here since the klibc development tree (http://git.kernel.org/?p=libs/klibc/klibc.git) is managed by kernel.org. Is there a more appropriate bug tracker to use for klibc?
Created attachment 25028
Patch to do correct string escaping

Escaping in the previous patch was incorrect. Escaping rewritten following the specification http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html

Created attachment 25029
Patch to do correct string escaping (2)

Oops! The previous patch contained a typo.

Created attachment 25030
Patch to do correct string escaping (3)

The previous patch compiles, but contains a thinko (it outputs "'" both escaped and unescaped). Sorry. I hope this one is fine.
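
The single-quote rule from the specification cited in the thread, as an added example that is not the code from any of the attached patches: the value is wrapped in single quotes and every embedded `'` is emitted only in its escaped form `'\''`, so the string from the report stays literal when the file is sourced. The function names `shell_quote` and `conf_line` and the variable name `BOOTFILE` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Quote `in` as a single POSIX shell word. Inside single quotes the shell
 * performs no expansion, so $(...), backquotes and ${...} are inert; the
 * only byte needing treatment is ' itself, written as '\'' (close the
 * quote, emit an escaped quote, reopen). Returns the bytes written
 * (excluding NUL), or -1 with out set to "" if the buffer is too small,
 * so a truncated string with an unbalanced quote is never produced.
 */
static int shell_quote(const char *in, char *out, size_t outlen)
{
	size_t need = 3, n = 0;	/* two quotes plus NUL */
	const char *p;

	if (outlen == 0)
		return -1;
	out[0] = '\0';
	for (p = in; *p; p++)
		need += (*p == '\'') ? 4 : 1;
	if (need > outlen)
		return -1;
	out[n++] = '\'';
	for (p = in; *p; p++) {
		if (*p == '\'') {
			memcpy(out + n, "'\\''", 4);
			n += 4;
		} else {
			out[n++] = *p;
		}
	}
	out[n++] = '\'';
	out[n] = '\0';
	return (int)n;
}

/* Format one NAME='value' line for a file that a shell will source. */
static int conf_line(char *buf, size_t len, const char *name, const char *value)
{
	char q[256];
	int n;

	if (shell_quote(value, q, sizeof q) < 0)
		return -1;
	n = snprintf(buf, len, "%s=%s\n", name, q);
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}
```

Callers should treat a return of -1 as "omit the variable" rather than falling back to writing the raw value.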