Bug 19462

Summary: bash new security issue CVE-2016-7543
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, mageia, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/702475/
Whiteboard: MGA5-64-OK advisory
Source RPM: bash-4.3-46.2.mga6.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 19387, 19808    

Description David Walser 2016-09-26 19:49:01 CEST 
A security issue fixed in bash 4.4 has been announced:
http://www.openwall.com/lists/oss-security/2016/09/26/9

The patch to fix the issue was not identified.

Mageia 5 is also affected.

This is another case of bash expanding and executing something in the prompt, like Bug 19387.  I suppose it's more conceivable for an attacker to control $PS4 than the hostname.
David Walser 2016-09-26 19:49:08 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-10-04 14:01:25 CEST 
Fedora has issued an advisory for this on October 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OU3C756YPHDAAPFX76UGZBAQQQ5UMHS5/

Fedora patch added in Cauldron.

URL: (none) => http://lwn.net/Vulnerabilities/702475/
Version: Cauldron => 5
Depends on: (none) => 19387
Whiteboard: MGA5TOO => (none)

David Walser 2016-10-04 14:01:47 CEST

Severity: normal => major

David Walser 2016-11-18 00:32:30 CET

Blocks: (none) => 19808

Comment 2 Nicolas Lécureuil 2016-11-18 01:28:43 CET 
available on updates_testingbash-4.3-48.2.mga5

CC: (none) => mageia
Assignee: shlomif => qa-bugs

Comment 3 David Walser 2016-11-18 01:35:35 CET 
Advisory:
========================

Updated bash packages fix security vulnerabilities:

A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string (CVE-2016-0634).

Shells running as root inherited PS4 from the environment, allowing PS4 expansion performing command substitution. Local attacker could gain arbitrary code execution via bogus setuid binaries using system()/popen() by specially crafting SHELLOPTS+PS4 environment variables (CVE-2016-7543).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5GRFMCTX4O7RTLZX5CI45KC7GGM6XIIY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OU3C756YPHDAAPFX76UGZBAQQQ5UMHS5/
========================

Updated packages in core/updates_testing:
========================
bash-4.3-48.2.mga5
bash-doc-4.3-48.2.mga5

from bash-4.3-48.2.mga5.src.rpm
Comment 4 Dave Hodgins 2016-11-21 19:20:41 CET 
I couldn't get the poc from
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
working, but regular bash testing is working ok. Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 5 Mageia Robot 2016-11-21 23:18:48 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0393.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 Len Lawrence 2016-11-21 23:24:38 CET 
Re comment 4.  I tried the PoC as well just now Dave and it did not work for me either.  sddm said "Welcome to lsbug".  I am wondering if the backticks needed to be escaped (\).

Len

CC: (none) => tarazed25

David Walser 2016-11-21 23:56:36 CET

Blocks: (none) => 19387
Depends on: 19387 => (none)