Bug 19235

I'm following #147. Hopefully there will be new version soon. If not then I'm going to work on a patch for these issues.

fixed in cauldron

CC: (none) => mageia
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

pushed in updates_testing

src.rpm:   python-lshell-0.9.18-2.mga5

Assignee: mageia => qa-bugs

Advisory:
========================

Updated python-lshell packages fix security vulnerabilities:

Shell outbreak due to bad syntax parse (CVE-2016-6902).

Shell outbreak with multiline commands (CVE-2016-6903).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6903
http://openwall.com/lists/oss-security/2016/08/22/17
========================

Updated packages in core/updates_testing:
========================
python-lshell-0.9.18-2.mga5

from python-lshell-0.9.18-2.mga5.src.rpm

Looking at this but it won't be quick.

CC: (none) => tarazed25

MGA5-32 on Asus A6000VM Xfce
No installation issues.
Googled and found some explanation on https://tecadmin.net/how-to-limit-user-access-with-lshell-limited-shell/#
Found that with the existing /etc/lshell.conf
user:~$ cd /
*** forbidden path: /
exiting and added following to /etc/lshell.conf
[user]
path            : - ['/home/user/Afbeeldingen']

Afbeeldingen = Pictures for the poor people that do not understand Dutch
and then at the CLI:

user:~$ ls
Afbeeldingen  Bureaublad  Documenten  Downloads  Muziek  Sjablonen  test.kdbx  tmp  Video's
user:~$ cd Afbeeldingen
*** forbidden path: /home/user/Afbeeldingen/
user:~$ cd Documenten
user:~/Documenten$ ls
audacious.txt	lspcidrake.txt.pdf  shortreport.gz   testnetpbm2      wiresharktest
libarchive.txt	lspcidrake.txt.ps   tcpdump.pcap     testnetpbm3.png  wiresharktest50
libevent.txt	reisverslag.odt     testnet.jpg      testnet.ppm      wiresharktest.pcapng
lspcidrake.txt	shortreport	    testnetpbm1.fig  vnc.txt

Looks OK to me.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

x86_64 real hardware.

Thanks Herman.
Analyses in the backtrail show exploits corresponding to the two CVEs.
One such link: http://www.openwall.com/lists/oss-security/2016/08/22/17

[CVE-2016-6902]

[lcl@belexeuli ~]$ lshell
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
lcl:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
lcl:~$  echo "$(bash 1>&2)"
[lcl@belexeuli ~]$ which bash
/bin/bash
[lcl@belexeuli ~]$ ps
  PID TTY          TIME CMD
20244 pts/1    00:00:00 lshell
20317 pts/1    00:00:00 sh
20318 pts/1    00:00:00 sh
20319 pts/1    00:00:00 bash
20505 pts/1    00:00:00 ps
20559 pts/1    00:00:00 tcsh
[lcl@belexeuli ~]$ ?
bash: ?: command not found

[CVE-2016-6903]

[lcl@belexeuli ~]$ lshell
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
lcl:~$ ll no-such-dir || 'bash'
ls: cannot access no-such-dir: No such file or directory
[lcl@belexeuli ~]$ ps axf 
20559 pts/1    Ss     0:00   |   \_ -csh
20244 pts/1    S      0:00   |   |   \_ /usr/bin/python /bin/lshell
20317 pts/1    S      0:00   |   |       \_ sh -c set -m; echo "$(bash 1>&2)"
20318 pts/1    S      0:00   |   |           \_ sh -c set -m; echo "$(bash 1>&2)"
20319 pts/1    S      0:00   |   |               \_ bash
20843 pts/1    S      0:00   |   |                   \_ /usr/bin/python /bin/lshell
20980 pts/1    S      0:00   |   |                       \_ sh -c set -m; ls -l no-such-dir || 'bash'
20982 pts/1    S      0:00   |   |                           \_ bash
21404 pts/1    R+     0:00   |   |                               \_ ps axf
20564 pts/2    Ss+    0:00   |   \_ -csh

These are pre-update tests.

x86_64: installed the update

[CVE-2016-6902]

[lcl@belexeuli ~]$ lshell
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
lcl:~$ echo "$(bash 1>&2)"
*** forbidden syntax: echo "$(bash 1>&2)"
lcl:~$ which bash
*** forbidden command: which
lcl:~$ exit
[lcl@belexeuli ~]$ 

[CVE-2016-6903]

lcl:~$ ll no-such-dir || 'bash'
*** forbidden command: 'bash'
lcl:~$ echo `/1.sh`
*** forbidden syntax: echo `/1.sh`
lcl:~$ ll no-such-dir || 'bash'
*** forbidden command: 'bash'
lcl:~$ exit
[lcl@belexeuli ~]$ ps af
  PID TTY      STAT   TIME COMMAND
20564 pts/2    Ss+    0:00 -csh
20559 pts/1    Ss     0:00 -csh
20244 pts/1    S      0:00  \_ /usr/bin/python /bin/lshell
20317 pts/1    S      0:00      \_ sh -c set -m; echo "$(bash 1>&2)"
20318 pts/1    S      0:00          \_ sh -c set -m; echo "$(bash 1>&2)"
20319 pts/1    S      0:00              \_ bash
20843 pts/1    S      0:00                  \_ /usr/bin/python /bin/lshell
20980 pts/1    S      0:00                      \_ sh -c set -m; ls -l no-such-d
20982 pts/1    S+     0:00                          \_ bash
22128 pts/6    Ss     0:00 -csh

The responses to the forbidden commands is what is expected but I don't know what to make of the ps output. above

[lcl@belexeuli ~]$ lshell
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
lcl:~$ w
*** forbidden command: w
lcl:~$ anything
*** forbidden command: anything
lcl:~$ abc
*** forbidden command: abc
lcl:~$ 

Note also that there is no error countdown leading to automatic logout.  However, the bugfix appears to work fine.

Advisoried & validated.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0126.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED