Multiple domains in domain-search not working after CVE-2011-0997 patch

Bug #777785 reported by Alk
This bug affects 1 person
Affects: isc-dhcp (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

What you expected to happen:
Add domain-search domains from /etc/dhcp/dhclient.conf to the search line in /etc/resolv.conf

What happened instead:
After upgrading to natty multiple domain search in /etc/resolv.conf stopped working.

Example entry in /etc/dhcp/dhclient.conf -> append domain-search "subdomain1.company.com subdomain2.company.com company.com";

Error message in /var/log/syslog -> dhclient: suspect value in domain_search option - discarded

Repackaging isc-dhcp without the CVE-2011-0997 solves the domain search issue, but leaves the system with a known security vulnerability.

Version: isc-dhcp-client_4.1.1-P1-15ubuntu9
Arch: amd64

lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04


Alk (allank-bluebottle)
description: updated
Marc Deslauriers (mdeslaur) wrote :

That's not the right way to format that option. Try this:

append domain-search "subdomain1.company.com", "subdomain2.company.com", "company.com";

I'm marking this bug as invalid. Please feel free to reopen it if adding the right option doesn't work. Thanks.

Changed in isc-dhcp (Ubuntu):
status: New → Invalid
Alk (allank-bluebottle) wrote :

Tried that. Then it is only the last domain in the list that is appended.

The documentation about the format is not clear, but I have used the current format for years.

I think the issue is with the CVE-2011-0997 patch. Maybe it does not allow white space inside quotes.

Reopened the issue.

Changed in isc-dhcp (Ubuntu):
status: Invalid → New
Marc Deslauriers (mdeslaur) wrote :

append domain-search "subdomain1.company.com", "subdomain2.company.com", "company.com"; is the format that works. I get the following in resolv.conf:

search subdomain1.company.com. subdomain2.company.com. company.com.

If I remove the security patch, and use the append line you suggest, I get the following in resolv.conf:

search subdomain1.company.com\032subdomain2.company.com\032company.com.

Which is obviously wrong.

The documentation is pretty clear: option domain-search "example.com", "sales.example.com", "eng.example.com";
See http://manpages.ubuntu.com/manpages/natty/en/man5/dhcp-options.5.html

What release were you using that worked with the append line you've been using for years? What did the resolv.conf file look like?

Changed in isc-dhcp (Ubuntu):
status: New → Incomplete
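
Why the two forms in the comment above give different results, as an added example that is not part of the original thread or of ISC's code: each quoted string is encoded as one wire-format name (RFC 3397), so a single string containing spaces becomes one name whose labels contain spaces, printed as \032. The function names and the SAFE_NAME allow-list are assumptions standing in for the patched client's check.

```python
import re

# Constructed inputs: the two dhclient.conf forms discussed in the thread.
COMMA_FORM = ["subdomain1.company.com", "subdomain2.company.com", "company.com"]
SPACE_FORM = ["subdomain1.company.com subdomain2.company.com company.com"]

def encode_search_list(names):
    """Option 119 payload (RFC 3397, no compression): every quoted string is
    one name, sent as length-prefixed labels ending in a zero-length label."""
    out = bytearray()
    for name in names:
        for label in name.rstrip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length: %r" % label)
            out += bytes([len(raw)]) + raw
        out.append(0)
    return bytes(out)

def escape_label(raw):
    """Presentation form: bytes outside printable name characters as \\DDD."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E and b not in b'."\\'
                   else "\\%03d" % b for b in raw)

def decode_search_list(payload):
    """Decode uncompressed wire-format names back to dotted text."""
    names, labels, i = [], [], 0
    while i < len(payload):
        n = payload[i]
        i += 1
        if n == 0:                      # root label closes the current name
            names.append(".".join(labels) + ".")
            labels = []
        elif n > 63 or i + n > len(payload):
            raise ValueError("malformed label")
        else:
            labels.append(escape_label(payload[i:i + n]))
            i += n
    if labels:
        raise ValueError("truncated name")
    return names

# Assumption: hostname-style allow-list standing in for the client's check.
SAFE_NAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?\.?$")

def resolv_conf_search(names):
    """Search line, or None when a name fails the allow-list (option discarded)."""
    decoded = decode_search_list(encode_search_list(names))
    if not all(SAFE_NAME.match(n) for n in decoded):
        return None
    return "search " + " ".join(decoded)
```
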
Alk (allank-bluebottle) wrote :

Thanks for the link, was looking at http://manpages.ubuntu.com/manpages/natty/en/man5/dhclient.conf.5.html

In maverick the dhcp client package is: dhcp3-client

After uninstalling and reinstalling the isc-dhcp packages a few times I cannot replicate the issue with the comma separated domains anymore. It now works as expected :)

Closing bug.

Changed in isc-dhcp (Ubuntu):
status: Incomplete → Invalid
James E. LaBarre (jamesl-bestweb) wrote :

I tried the setting that Marc Deslauriers suggested above, and DHCP is still not setting my search domains. I restarted NetworkManager, and even rebooted the machine. Still nothing. I made sure /etc/dhcp/dhclient.conf and /etc/dhcp3/dhclient.conf both had the same information, as I don't know which one the system will be reading. Nothing. Still broken.

Tilghman Lesher (v-launchpad-net-the-tilghman-com) wrote :

I'm having the same issue. I suspect the problem is that I'm using an older version of dhcpd that does not have the "domain-search" option available. Instead, I'm using the prior notation of:

option domain-name-search code 119 = text;
option domain-name-search "company1.com company2.com company3.com";

This works for all other hosts except Natty, which presents the same error as above. For compatibility reasons, I cannot upgrade the DHCP server on that host. A Natty system should be able to handle the historic specification without errors.
