Multiple domains in domain-search not working after CVE-2011-0997 patch

Reported by Alk on 2011-05-05
This bug affects 1 person
Affects: isc-dhcp (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

What you expected to happen:
Add domain-search domains from /etc/dhcp/dhclient.conf to the search line in /etc/resolv.conf

What happened instead:
After upgrading to natty multiple domain search in /etc/resolv.conf stopped working.

Example entry in /etc/dhcp/dhclient.conf -> append domain-search "subdomain1.company.com subdomain2.company.com company.com";

Error message in /var/log/syslog -> dhclient: suspect value in domain_search option - discarded

Repackaging isc-dhcp without the CVE-2011-0997 patch solves the domain search issue, but leaves the system with a known security vulnerability.

Version: isc-dhcp-client_4.1.1-P1-15ubuntu9
Arch: amd64

lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

Alk (allank-bluebottle) on 2011-05-05
description: updated
Marc Deslauriers (mdeslaur) wrote :

That's not the right way to format that option. Try this:

append domain-search "subdomain1.company.com", "subdomain2.company.com", "company.com";

I'm marking this bug as invalid. Please feel free to reopen it if adding the right option doesn't work. Thanks.

Changed in isc-dhcp (Ubuntu):
status: New → Invalid
Alk (allank-bluebottle) wrote :

Tried that. Then it is only the last domain in the list that is appended.

The documentation about the format is not clear, but I have used the current format for years.

I think the issue is with the CVE-2011-0997 patch. Maybe it does not allow white space inside quotes.

Reopened the issue.

Changed in isc-dhcp (Ubuntu):
status: Invalid → New
Marc Deslauriers (mdeslaur) wrote :

append domain-search "subdomain1.company.com", "subdomain2.company.com", "company.com"; is the format that works. I get the following in resolv.conf:

search subdomain1.company.com. subdomain2.company.com. company.com.

If I remove the security patch, and use the append line you suggest, I get the following in resolv.conf:

search subdomain1.company.com\032subdomain2.company.com\032company.com.

Which is obviously wrong.

The documentation is pretty clear: option domain-search "example.com", "sales.example.com", "eng.example.com";
See http://manpages.ubuntu.com/manpages/natty/en/man5/dhcp-options.5.html

What release were you using that worked with the append line you've been using for years? What did the resolv.conf file look like?

Changed in isc-dhcp (Ubuntu):
status: New → Incomplete
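
Added example (not part of the thread and not the isc-dhcp patch itself): a simplified C model of a hostname-character check, run over the two rendered search lists quoted in the comment above. It shows why the single quoted string, rendered with \032 escapes, would be treated as suspect while the comma-separated form passes. The function names name_ok and search_list_ok and the exact rules are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check: labels of [A-Za-z0-9_-], 1-63 chars, joined by '.';
 * a trailing '.' is allowed. Returns 0 if acceptable, -1 if suspect. */
static int name_ok(const char *s, size_t len)
{
    size_t label = 0;
    if (len == 0 || len > 255)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || label > 63)
                return -1;              /* empty or oversized label */
            label = 0;
        } else if (isalnum(c) || ((c == '-' || c == '_') && label > 0)) {
            label++;
        } else {
            return -1;                  /* backslash escape, quote, ';', ... */
        }
    }
    return label > 63 ? -1 : 0;
}

/* Hypothetical list check: names separated by spaces, at least one name. */
int search_list_ok(const char *value)
{
    int seen = 0;
    while (*value) {
        size_t n = strcspn(value, " ");
        if (n > 0 && name_ok(value, n) != 0)
            return -1;
        if (n > 0)
            seen = 1;
        value += n + (value[n] == ' ');
    }
    return seen ? 0 : -1;
}

int main(void)
{
    /* The two rendered lists quoted in the thread above. */
    const char *good = "subdomain1.company.com. subdomain2.company.com. company.com.";
    const char *bad = "subdomain1.company.com\\032subdomain2.company.com\\032company.com.";
    printf("separate names:    %s\n", search_list_ok(good) ? "discarded" : "accepted");
    printf("one quoted string: %s\n", search_list_ok(bad) ? "discarded" : "accepted");
    return 0;
}
```
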
Alk (allank-bluebottle) wrote :

Thanks for the link, was looking at http://manpages.ubuntu.com/manpages/natty/en/man5/dhclient.conf.5.html

In maverick the dhcp client package is: dhcp3-client

After uninstalling and reinstalling the isc-dhcp packages a few times I cannot replicate the issue with the comma separated domains anymore. It now works as expected :)

Closing bug.

Changed in isc-dhcp (Ubuntu):
status: Incomplete → Invalid

I tried the setting that Marc Deslauriers suggested above, and DHCP is still not setting my search domains. I restarted NetworkManager, and even rebooted the machine. Still nothing. I made sure /etc/dhcp/dhclient.conf and /etc/dhcp3/dhclient.conf both had the same information, as I don't know which one the system will be reading. Nothing. Still broken.

I'm having the same issue. I suspect the problem is that I'm using an older version of dhcpd that does not have the "domain-search" option available. Instead, I'm using the prior notation of:

option domain-name-search code 119 = text;
option domain-name-search "company1.com company2.com company3.com";

This works for all other hosts except Natty, which presents the same error as above. For compatibility reasons, I cannot upgrade the DHCP server on that host. A Natty system should be able to handle the historic specification without errors.
