| Summary: | bash new security issue CVE-2019-9924 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, herman.viaene, mageia, marja11, shlomif, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | bash-4.3-48.3.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | hello_ls.bsh | ||
|
Description
David Walser
2019-05-03 20:37:58 CEST
Assigning to our registered bash maintainer. Assignee:
bugsquad =>
shlomif Patched package uploaded for Mageia 6 by Shlomi. Advisory: ======================== Updated bash package fixes security vulnerability: A vulnerability in which shell did not prevent user BASH_CMDS, allowing the user to execute any command with the permissions of the shell (CVE-2019-9924). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924 https://lists.opensuse.org/opensuse-updates/2019-04/msg00093.html ======================== Updated packages in core/updates_testing: ======================== bash-4.3-48.4.mga6 bash-doc-4.3-48.4.mga6 from bash-4.3-48.4.mga6.src.rpm CC:
(none) =>
shlomif MGA6-64 Plasma on Lenovo B50 No installation issues. Exercised pwd, cd, fle, ls, mkdir, rmdir, su commands with autocompletion where possible, seems OK. Out of precaution waiting for OK from other testers with more/other ideas. CC:
(none) =>
herman.viaene The following 2 packages are going to be installed: - bash-4.3-48.4.mga6.i586 - bash-doc-4.3-48.4.mga6.i586 $ rbash --version rbash --version GNU bash, version 4.3.48(1)-release (i586-mageia-linux-gnu) Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software; you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. __vte_prompt_command __vte_osc7 __vte_urlencode "${PWD}" ran a dumb script I wrote quickly. hello_ls.bsh $ rbash hello_ls.bsh It went through commands and did them, including what should have happened properly, this worked in old version too: hello_ls.bsh: line 9: cd: restricted set -o allowed functions to be set up, did this in both versions Allowed me to reach into folders up the base (both versions) From what I can tell it is working. (I'll attach teh script) CC:
(none) =>
brtians1 Created attachment 10984 [details]
hello_ls.bsh
You've got to chmod the file u+x before executing it.
echos "Hello World"
ls -la on current folder
ls ./Music
tries a couple of commands
then execute mplayer against a file in my music folder, you'll need to rename that it you want to hear/see something.
Installed and tested without issues. System: Mageia 6, x86_64, Intel CPU. Tested normal (unrestricted) bash usage without issues. Tested restricted bash usage (all those mentioned in the man page) and all resulted in a "restricted" message and the command not being executed, so no issues as well. $ uname -a Linux marte 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 08:34:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux $ rpm -q bash bash-4.3-48.4.mga6 $ echo $0 rbash $ cd tmp rbash: cd: restricted $ exec ls rbash: exec: restricted <SNIP> CC:
(none) =>
mageia Using cli approach with argument passing, for x86_64. Modified some local scripts to be called: #!/bin/bash # syncpad # Make copy of a named directory rsync -r /data/$1 /data/clone/ #count lines in a file by running a bash one-liner lines ~/.bashrc # Clean up filenames in . using a ruby script to remove spaces and unwanted characters. shrink #end bash script ------------------------------------------ #!/bin/bash # lines cat $1 | wc -l ------------------------------------------ Updated bash. $ rbash --version GNU bash, version 4.3.48(1)-release (x86_64-mageia-linux-gnu) Copyright (C) 2013 Free Software Foundation, Inc. $ touch file "This(is a) File&name with[Junk]Characters" $ syncpad pad 46 $ ll This* -rw-r--r-- 1 lcl lcl 0 May 8 16:58 ThisisaFilenamewithJunkCharacters $ cat .bashrc | wc -l 46 $ ls /data/clone pad/ Used Brian's approach, which worked equally well. $ rm ThisisaFilenamewithJunkCharacters rm: remove regular empty file 'ThisisaFilenamewithJunkCharacters'? $ rbash syncpad astro 46 $ ls /data/clone astro/ pad/ Good enough. Leaving Herman or Brian to set the 32-bit OK. Thanks PC LX for testing the restrictions. CC:
(none) =>
tarazed25 Umm. Not sure what is going on here: $ rbash $ syncpad bin 46 $ ls /data/clone astro/ bin/ pad/ $ echo $0 rbash Expected the ls command to fail on the /'s. Whiteboard:
(none) =>
MGA6-64-OK Validating. Advisory in Comment 2. Keywords:
(none) =>
validated_update
Thomas Backlund
2019-05-12 09:57:23 CEST
CC:
(none) =>
tmb An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0163.html Resolution:
(none) =>
FIXED |