Bug 28937

Summary: bash new security issue CVE-2019-18276
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, ouaurelien, pterjan, smelror, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: bash-4.4-23.1.1.mga7.src.rpm
CVE: CVE-2019-18276
Status comment:

Description David Walser 2021-05-18 17:05:14 CEST
RedHat has issued an advisory today (May 18):
https://access.redhat.com/errata/RHSA-2021:1679

If I'm reading this right, I'm not sure it's a real issue, as Bash shouldn't be setuid.  Regardless, RedHat did patch the same version 4.4 that we have.
Comment 1 Aurelien Oudelet 2021-05-19 15:19:05 CEST
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien, pterjan, smelror
CVE: (none) => CVE-2019-18276
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-06-22 00:44:43 CEST
Advisory:
========================

Updated bash packages fix security vulnerability:

A privilege escalation vulnerability was found in bash in the way it dropped
privileges when started with an effective user id not equal to the real user
id. Bash may be vulnerable to this flaw if the setuid permission is set and
the owner of the bash program itself is a non-root user. A local attacker
could exploit this flaw to escalate their privileges on the system
(CVE-2019-18276).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276
https://access.redhat.com/errata/RHSA-2021:1679
========================

Updated packages in core/updates_testing:
========================
bash-4.4-23.1.2.mga7
bash-doc-4.4-23.1.2.mga7

from bash-4.4-23.1.2.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2021-06-23 15:51:30 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Drawing on previous updates:
# rpm -q --provides bash
/bin/bash
/bin/sh
/usr/bin/bash
/usr/bin/sh
bash = 4.4-23.1.2.mga7
bash(x86-64) = 4.4-23.1.2.mga7
config(bash) = 4.4-23.1.2.mga7

$ pwd
/home/tester7/Pictures/20140119NieuwjaarViaene

$ file IMG_1259.jpg 
IMG_1259.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=10, description=                               , manufacturer=Canon, model=Canon IXUS 240 HS, orientation=upper-left, xresolution=190, yresolution=198, resolutionunit=2, datetime=2014:01:19 14:55:48], baseline, precision 8, 4608x3456, components 3

Messed around with mkdir and rmdir, all worked OK.
Expecting others with their own ideas.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-06-28 03:16:18 CEST
Considering Comment 0, I believe your test is good enough, Herman. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2021-06-28 21:21:24 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-06-28 23:18:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0288.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED