| Summary: | dash new security issue bdo#58288 / bsc#1178978 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | nicolas.salguero, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | dash-0.5.10.2-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-11-23 20:36:33 CET
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged

openSUSE has issued an advisory for this on November 27: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VUGWSD4FZGKMRRORAAV75B5DGC4PRY5F/
David Walser
2020-12-27 23:47:59 CET
Assignee: shlomif => pkg-bugs
David Walser
2020-12-28 19:05:09 CET
Status comment: (none) => Patch available from upstream and openSUSE

Suggested advisory:
========================
The updated packages fix a security vulnerability:
Code was executed even if noexec ("-n") was specified. (bdo#58288 / bsc#1178978)
References:
https://www.openwall.com/lists/oss-security/2020/11/11/3
https://www.openwall.com/lists/oss-security/2020/11/12/1
https://lists.suse.com/pipermail/sle-security-updates/2020-November/007839.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VUGWSD4FZGKMRRORAAV75B5DGC4PRY5F/
========================
Updated packages in core/updates_testing:
========================
dash-0.5.10.2-1.1.mga7
dash-static-0.5.10.2-1.1.mga7
from SRPM:
dash-0.5.10.2-1.1.mga7.src.rpm

CC: (none) => nicolas.salguero

mga7, x64

With the two packages installed from Core Release:
$ dash -n -c 'echo this should not be executed'
this should not be executed

Updated both packages.
$ dash -n -c 'echo this should not be executed'
$

CC: (none) => tarazed25

$ chsh
Changing shell for lcl.
New shell [/bin/bash]
/bin/dash
chsh: "/bin/dash" is not listed in /etc/shells.
Use chsh -l to see list.
$ chsh -l
/bin/bash
/bin/sh
/bin/zsh
/usr/bin/dash
/usr/bin/fish
$ chsh
Changing shell for lcl.
New shell [/bin/bash]
/usr/bin/dash
Password:
Shell changed.
Logged out and in.
Command prompt changed to a bare dollar sign.
No aliases and no default .dashrc. /etc/.profile can be used for general login setups but a local .profile does not seem to work.
Tried editing .profile using vi to set the environment PATH variable but 'source' did not work on it and './.profile' seemed to do nothing.
$ PATH=${PATH}:/home/lcl/bin
That worked.
In another terminal:
Tried altering .profile to show the PATH
$ vi .profile
$ cat .profile
_byobu_sourced=1 . /usr/bin/byobu-launch 2>/dev/null || true
PATH=${PATH}:/home/lcl/bin
echo $PATH
$ ./.profile
$
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:/home/lcl/bin
In another terminal:
$ dash -c export PATH=${PATH}:/home/lcl/bin
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
The Mate desktop functions without problems but shell commands need some research on the part of the user. In a terminal the up/down arrows show control characters. The command line works otherwise.
Letting this go.

Whiteboard: (none) => MGA7-64-OK

Validating, advisory and packages in Comment 3. Advisory pushed to SVN.

CC: (none) => ouaurelien, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0006.html

Status: ASSIGNED => RESOLVED |
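
The QA check used in this thread (`dash -n -c '...'` before and after the update), written as a reusable regression check that also catches a command that runs without printing anything. This is an added example, not part of the original bug report or of dash itself; the function names `noexec_honoured` and `report` and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: regression check for the noexec (-n) bug in this report.
# noexec_honoured SHELL -> 0 if -n suppressed execution, 1 if the command
# still ran, 2 if SHELL cannot be found or no scratch directory is available.
noexec_honoured() {
    shell=$1
    command -v "$shell" >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    marker=$tmp/executed
    # Same form as the QA test (-n -c '...'), with a file side effect as well
    # as output, so a command that runs silently is still caught.
    out=$("$shell" -n -c ': > "$1"; echo ran' probe "$marker" 2>/dev/null) || true
    rc=0
    if [ -e "$marker" ] || [ -n "$out" ]; then rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Print one line per shell; returns non-zero if any shell ran the command.
report() {
    bad=0
    for s in "$@"; do
        st=0
        noexec_honoured "$s" || st=$?
        case $st in
            0) echo "OK        $s" ;;
            1) echo "EXECUTED  $s"; bad=1 ;;
            *) echo "SKIPPED   $s" ;;
        esac
    done
    return "$bad"
}

# Usage: sh check-noexec.sh /usr/bin/dash /bin/sh   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

A shell reported as `EXECUTED` behaves like the Core Release packages in the test above; `OK` matches the behaviour seen after the update.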