Slackware :: Dhclient Does Not Strip Or Escape Shell Meta-characters
Apr 6, 2011
dhclient does not strip or escape shell meta-characters
Summary: dhclient doesn't strip or escape certain shell meta-characters in dhcpd responses, allowing a rogue server or party with escalated privileges on the server to cause remote code execution on the client.
CVE:
ISC dhclient did not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client.
CVSS Score:
For more information on CVSS scores, visit [url]
Workarounds:
On SUSE systems, it is possible to disable hostname update by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp.
Other systems may add the following line to dhclient-script at the beginning of the set_hostname() function:
In environments where filters/acls can be put into place to limit clients to accessing only legitimate dhcp servers, this will protect clients from rogue dhcp servers deliberately trying to exploit this bug.
However, this will not protect from compromised servers.
Active exploits:
Solution:
Upgrade to 3.1-ESV-R1, 4.1-ESV-R2 or 4.2.1-P1. [url]
No patch is available for 4.0.x as it is EOL. Anyone running 4.1.x should upgrade to 4.1-ESV-R2.
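The advisory above turns on a server-supplied value (such as the hostname) reaching a shell script unfiltered. The following is an added example, not code from ISC, dhclient-script or the original post: an allow-list check a script could apply to such a value before using it. The function names and sample values are hypothetical.

```shell
#!/bin/sh
# Added example: allow-list handling of a server-supplied hostname.
# Function names are hypothetical; this is not dhclient-script code.

# Strip every byte that is not a letter, digit, dot or hyphen.
sanitize_hostname() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9.-'
}

# Succeed only for a syntactically valid hostname. The body runs in a
# subshell so the IFS and locale changes do not leak into the caller.
is_valid_hostname() (
    LC_ALL=C
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;  # any character outside the allow-list
        .*|*.|*..*)       return 1 ;;  # empty label (trailing dot rejected too)
    esac
    IFS=.
    for label in $name; do             # safe to split: no glob characters remain
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-) return 1 ;;         # labels may not start or end with '-'
        esac
    done
    return 0
)

# Print the hostname only if it validates; otherwise print nothing and fail,
# so the caller can skip the hostname update instead of using a mangled value.
accept_hostname() {
    if is_valid_hostname "$1"; then
        printf '%s\n' "$1"
    else
        return 1
    fi
}

# Constructed sample values, as a DHCP option might deliver them.
for candidate in 'web01.example.com' 'web01;x' '-lead.example.com'; do
    if name=$(accept_hostname "$candidate"); then
        echo "accept: $name"
    else
        echo "reject (stripped form: $(sanitize_hostname "$candidate"))"
    fi
done
```

Rejecting an invalid value outright is stricter than stripping it; the stripped form is shown only for comparison.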
Is there a tool or a regexp that can convert shell escape characters to HTML code?
As an example, here is a logfile from GNU screen:
Which I would like to convert to something like this:
And send as HTML e-mail to an e-mail address, to archive my work.
Here is a related question, which shows how to convert it to regular text, but it would be nice to convert to HTML and not just throw the escape characters away.
While modifying the definition of my PS1, I saw that "[" and "]" markers should be added to help bash to compute the right display length. Many examples on the web do not use them or even mention them. I searched for a solution to add them automatically, like with sed, but I didn't find any example. Are they still needed and is there a recommendation not to use sed to define PS1?
I have a bunch of files (around 900) that have some special characters. Some of the files contain, for example, and quoting, "[useless] filename (something)", so what I want is just to strip the brackets and parentheses; some are folders, others are text files.
I was trying to use the grep command with the -e option to test some regular expressions with it, but to my surprise not all the meta characters were being recognized by the grep engine; however, egrep works perfectly fine.
For example: The following egrep command works fine:
Need little advice running this command. watch -d 'ps aux | awk '{print $4" "$11}' | sort | uniq -c | awk '{print $2" "$1" "$3}' | sort -nr | head'
I get this error message from AWK. awk: cmd. line:1: {print awk: cmd. line:1: ^ unexpected newline or end of string
I have tried all the usual by trying to escape the single and double quotes in the command but same result. The end result should be a listing of memory-hungry processes that are scanned every 2 seconds (watch default value).
Is it possible to remove the ESC sequences in GNU Screen's output file? Things such as colours, tabs and other escape characters make their way into the log files and become difficult to decipher.
I've tried Dr. Google & Co. as well as reading the manual, but haven't been able to find anything suitable. Perhaps I've overlooked something?
My question is: what option can I set in vim to see the colouring inside the editor as I would get it in my terminal (and switch off any additional syntax highlighting)?
I am using ubuntu10.04-server 64bit AMD with fluxbox. After I ran Matlab in a shell (without GUI) the shell does not display characters anymore, but will execute any command, I just can't see the characters that I'm typing.. I use aterm and xterm, does anybody know why that is, am I missing a package?
I recently upgraded to a Intel i3 cpu and Intel H55 motherboard. This was from an old P4 machine that was running Slackware 13.0. The machine is a single connection to the internet through a cable modem. I moved the hard drives over, and found that dhcpcd would not work with this board in either Slackware 13.0 or 13.1 (after updating). I tried both the Gigabit onboard Lan, an old PCI ethernet card and installing the most recent version of dhcpcd. No luck. Dhcpcd would negotiate the lease with my cable modem, assign an IP address. But after that the process stalled. The internet was unreachable, and no nameservers were printed in /etc/resolv.conf. Manually killing dhcpcd and entering: "dhclient -4 eth0" got me on the internet without a problem. As this appears to be a lingering problem with dhcpcd, I am going to try to use dhclient permanently. Has anyone else moved over to using dhclient? If you have modified your startup scripts in /etc/rc.d to use dhclient.
Since 13.37 I notice that vi needs the 'home' key to switch from input to command mode. I think this is only when I connect via Putty to the machine. When I am on local console it is still ESCape like it used to be. Does anyone know how to set it so that vi will switch from input to command mode using the ESCAPE key when using Putty?
Another vi question: When you edit htm files, vi goes automagically into some sort of html display mode. Of course I never want that since all I do is edit the html in vi. So I need to go to command mode and type :normal every time I want to edit html files. Where can you configure that vi (or vim) default to normal mode always?
I see that vi links to elvis: # ls -al /usr/bin/vi lrwxrwxrwx 1 root root 5 Oct 3 2009 /usr/bin/vi -> elvis*
I am running Slackware64 v13.0 with XMonad as my window manager and dzen2 as my status bar. Sometimes I do my Spanish homework on this computer, and I would like to know the best way to get accented characters and other symbols. Normally, in desktop environments or proprietary OSs, there is a window I can open to select certain special characters. I don't have any of that on this system, and I need to know if there is a simple, minimal program that displays special characters like this or if there is another way to use them easily. I would prefer something light and without many dependencies (just because I prefer simpler software), but I'm open to other solutions if something like this is not available.
Compaq N600c w/ Slack 13 loaded...it's an older workhorse that began behaving oddly after the user dl'd a background image for her desktop...on login, the laptop would spawn hundreds of terminals, once producing a load avg of 40.5 -never seen that before- as well on shutdown and startup I start seeing the appearance of the following characters ^[[[D repeated hundreds if not thousands of times on the screen, boot and shutdown will progress to completion but it's unintended behaviour, therefore suspect in my mind. hd thorough self-test passed and memtest is not showing errors on its second pass
I use slackware64 13.1. In my root account the terminal has colors for folders, files, etc. and characters like appear correct. I created a normal account for me, but special characters don't appear and the terminal has no colors. I read in a lot that I need to configure a .bashrc and a .bash_profile but I didn't find these files in my root account to get some guidelines.
Slackware 13.37, tested on 2 different PC; affected: mousepad and tcl/tk applications
I am using mousepad and tcl/tk application to view text files with long lines. Some time ago I found that some characters (part of line) in long lines disappear. The problem is shown on a very small video. [URL]
Using Fluxbox, have tried this in XFCE and KDE. Chinese characters display properly in whatever browser I use online. I do need to see some in the file manager and this is not working.
I have installed the following chinese display files from Slack -
Whenever I logout of KDE and go back into console mode, the characters at the console screen become unreadable gibberish. Is anyone else having this problem?
I can ctl+alt+F? to work at another console screen, but the ctl+alt+F1 screen remains unreadable until I reboot.
I'm stuck with the problem of amarok refusing to play songs that have any non-ascii characters in the metadata, which is about 1/3 of my collection. A solution to that problem would be ideal, but if there is a good alternative (like amarok 1.x series) I would probably switch.
What command could I use in terminal to delete all ASCII characters? That is, delete a-z, A-Z, 0-9, and all punctuation? I have a file containing Chinese characters, and I want to remove everything else and leave just the Chinese.
I can use grep to leave only the lines that have Chinese in them, but this still leaves a lot of non-Chinese stuff on those lines. Does anyone know how I could actually remove everything that isn't Chinese?
I'm trying to strip down a 9.10 installation, which is destined to sit in the attic and act as a file/download server. Using Webmin (which is the greatest thing I have seen on Ubuntu, it rocks) I notice that the BIND process is using 5MB of memory, on an idle machine. Do I need this installed on a desktop machine ? Can folks suggest anything else I can disable/uninstall for a machine. I'm using neatx to connect to it, and Vuze as a torrent client.
I have some text based reports in which I would like to strip the "Current Date" from and replace with equivalent number of empty spaces, for every occurrence. For example, here is what I need to strip:
Date: 11/09/09
If I manually run the following SED command, it works great, however I cannot seem to find a way to use the actual "date" command within SED, to get the desired results.
WORKING: sed -i -e 's/Date: 11\/09\/09/              /' myfile
I've been messing around with various attempts to do this using the "date" command within SED, but I just can't seem to get it right. I've also attempted defining variables which call separate "date" commands for day, month, year and inject them via standard variable calling, echoing variable, expanding variable with brackets, etc... Here are a few of the SED command attempts I've tried:
Quote:
sed -i -e 'sate: `date +%D`: :' myfile sed -i -e "s/Date: `date +%d`/`date +%m`/`date +%y`/ /" myfile sed -i -e 's/Date: `date +%d`/`date +%m`/`date +%y`/ /' myfile sed -i -e 's/Date: $(date +%D) / /' myfile
I need to replace it with the equivalent number of spaces, as I'm going to be overlaying a PCL Logo here and need to keep the structure of the rest of the file. Cannot have the remaining portion of the line shifting left.
I have my OpenSuse 11.1 box set up with utf-8, however, every time I try to open a file with utf-8 characters with vi it can't handle those characters properly.
I'm having some difficulties with the comic strip widget that I use to keep me updated on Dilbert. It started out in ok-ish size, a little small, but readable. Now the entire strip takes up 3x3 cm, totally unreadable. Is there any way to fix that?
I'm currently using mogrify -strip image.jpg to remove unwanted bytes from images, it was suggested I could remove further data by using jpegtran from libjpeg, something like:
The problem I'm having - if it even is a problem - is that jpegtran doesn't seem to actually do anything that mogrify isn't already doing. In all my testing the filesize just stays the same. If I remove the mogrify part of my code and replace with jpegtran then it seems to perform the same function.
For example:
image without compression: 300k
image with mogrify -strip + jpegtran: 272k
image with mogrify -strip only: 272k
image with jpegtran only: 272k
I was under the impression though that mogrify just removed image profiles/comments and that jpegtran did this as well as losslessly compressing the image to make it smaller. Am I missing something?
I'm trying to get a minimalCD installation on a flashdrive but the installation never finishes... (I've left the installation running overnight for over 12hrs and only 90 percent got completed; whenever trying to retrieve packages from the internet the process slows down to a crawl; I've tried ext4, ext3, ext2 and reiserfs) normal Desktop installation works fine; so I was wondering if there is any way to strip all the packages off a normal installation to get it to minimal installation, and then start installing the packages I need?