CVEs have been assigned for some restricted shell breakout issues in lshell: http://openwall.com/lists/oss-security/2016/08/22/17
Whiteboard: (none) => MGA5TOO
I'm following #147. Hopefully there will be new version soon. If not then I'm going to work on a patch for these issues.
fixed in cauldron
CC: (none) => mageiaWhiteboard: MGA5TOO => (none)Version: Cauldron => 5
pushed in updates_testing src.rpm: python-lshell-0.9.18-2.mga5
Assignee: mageia => qa-bugs
Advisory: ======================== Updated python-lshell packages fix security vulnerabilities: Shell outbreak due to bad syntax parse (CVE-2016-6902). Shell outbreak with multiline commands (CVE-2016-6903). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6902 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6903 http://openwall.com/lists/oss-security/2016/08/22/17 ======================== Updated packages in core/updates_testing: ======================== python-lshell-0.9.18-2.mga5 from python-lshell-0.9.18-2.mga5.src.rpm
Looking at this but it won't be quick.
CC: (none) => tarazed25
MGA5-32 on Asus A6000VM Xfce No installation issues. Googled and found some explanation on https://tecadmin.net/how-to-limit-user-access-with-lshell-limited-shell/# Found that with the existing /etc/lshell.conf user:~$ cd / *** forbidden path: / exiting and added following to /etc/lshell.conf [user] path : - ['/home/user/Afbeeldingen'] Afbeeldingen = Pictures for the poor people that do not understand Dutch and then at the CLI: user:~$ ls Afbeeldingen Bureaublad Documenten Downloads Muziek Sjablonen test.kdbx tmp Video's user:~$ cd Afbeeldingen *** forbidden path: /home/user/Afbeeldingen/ user:~$ cd Documenten user:~/Documenten$ ls audacious.txt lspcidrake.txt.pdf shortreport.gz testnetpbm2 wiresharktest libarchive.txt lspcidrake.txt.ps tcpdump.pcap testnetpbm3.png wiresharktest50 libevent.txt reisverslag.odt testnet.jpg testnet.ppm wiresharktest.pcapng lspcidrake.txt shortreport testnetpbm1.fig vnc.txt Looks OK to me.
Whiteboard: (none) => MGA5-32-OKCC: (none) => herman.viaene
x86_64 real hardware. Thanks Herman. Analyses in the backtrail show exploits corresponding to the two CVEs. One such link: http://www.openwall.com/lists/oss-security/2016/08/22/17 [CVE-2016-6902] [lcl@belexeuli ~]$ lshell You are in a limited shell. Type '?' or 'help' to get the list of allowed commands lcl:~$ ? cd clear echo exit help history ll lpath ls lsudo lcl:~$ echo "$(bash 1>&2)" [lcl@belexeuli ~]$ which bash /bin/bash [lcl@belexeuli ~]$ ps PID TTY TIME CMD 20244 pts/1 00:00:00 lshell 20317 pts/1 00:00:00 sh 20318 pts/1 00:00:00 sh 20319 pts/1 00:00:00 bash 20505 pts/1 00:00:00 ps 20559 pts/1 00:00:00 tcsh [lcl@belexeuli ~]$ ? bash: ?: command not found [CVE-2016-6903] [lcl@belexeuli ~]$ lshell You are in a limited shell. Type '?' or 'help' to get the list of allowed commands lcl:~$ ll no-such-dir || 'bash' ls: cannot access no-such-dir: No such file or directory [lcl@belexeuli ~]$ ps axf 20559 pts/1 Ss 0:00 | \_ -csh 20244 pts/1 S 0:00 | | \_ /usr/bin/python /bin/lshell 20317 pts/1 S 0:00 | | \_ sh -c set -m; echo "$(bash 1>&2)" 20318 pts/1 S 0:00 | | \_ sh -c set -m; echo "$(bash 1>&2)" 20319 pts/1 S 0:00 | | \_ bash 20843 pts/1 S 0:00 | | \_ /usr/bin/python /bin/lshell 20980 pts/1 S 0:00 | | \_ sh -c set -m; ls -l no-such-dir || 'bash' 20982 pts/1 S 0:00 | | \_ bash 21404 pts/1 R+ 0:00 | | \_ ps axf 20564 pts/2 Ss+ 0:00 | \_ -csh These are pre-update tests.
x86_64: installed the update [CVE-2016-6902] [lcl@belexeuli ~]$ lshell You are in a limited shell. Type '?' or 'help' to get the list of allowed commands lcl:~$ echo "$(bash 1>&2)" *** forbidden syntax: echo "$(bash 1>&2)" lcl:~$ which bash *** forbidden command: which lcl:~$ exit [lcl@belexeuli ~]$ [CVE-2016-6903] lcl:~$ ll no-such-dir || 'bash' *** forbidden command: 'bash' lcl:~$ echo `/1.sh` *** forbidden syntax: echo `/1.sh` lcl:~$ ll no-such-dir || 'bash' *** forbidden command: 'bash' lcl:~$ exit [lcl@belexeuli ~]$ ps af PID TTY STAT TIME COMMAND 20564 pts/2 Ss+ 0:00 -csh 20559 pts/1 Ss 0:00 -csh 20244 pts/1 S 0:00 \_ /usr/bin/python /bin/lshell 20317 pts/1 S 0:00 \_ sh -c set -m; echo "$(bash 1>&2)" 20318 pts/1 S 0:00 \_ sh -c set -m; echo "$(bash 1>&2)" 20319 pts/1 S 0:00 \_ bash 20843 pts/1 S 0:00 \_ /usr/bin/python /bin/lshell 20980 pts/1 S 0:00 \_ sh -c set -m; ls -l no-such-d 20982 pts/1 S+ 0:00 \_ bash 22128 pts/6 Ss 0:00 -csh The responses to the forbidden commands is what is expected but I don't know what to make of the ps output. above [lcl@belexeuli ~]$ lshell You are in a limited shell. Type '?' or 'help' to get the list of allowed commands lcl:~$ w *** forbidden command: w lcl:~$ anything *** forbidden command: anything lcl:~$ abc *** forbidden command: abc lcl:~$ Note also that there is no error countdown leading to automatic logout. However, the bugfix appears to work fine.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Advisoried & validated.
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisoryCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0126.html
Status: NEW => RESOLVEDResolution: (none) => FIXED