A security issue fixed in bash 4.4 has been announced: http://www.openwall.com/lists/oss-security/2016/09/26/9 The patch to fix the issue was not identified. Mageia 5 is also affected. This is another case of bash expanding and executing something in the prompt, like Bug 19387. I suppose it's more conceivable for an attacker to control $PS4 than the hostname.
Whiteboard: (none) => MGA5TOO
Fedora has issued an advisory for this on October 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OU3C756YPHDAAPFX76UGZBAQQQ5UMHS5/ Fedora patch added in Cauldron.
URL: (none) => http://lwn.net/Vulnerabilities/702475/
Version: Cauldron => 5
Depends on: (none) => 19387
Whiteboard: MGA5TOO => (none)
Severity: normal => major
Blocks: (none) => 19808
available on updates_testing
bash-4.3-48.2.mga5
CC: (none) => mageia
Assignee: shlomif => qa-bugs
Advisory:
========================

Updated bash packages fix security vulnerabilities:

A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string (CVE-2016-0634).

Shells running as root inherited PS4 from the environment, allowing PS4 expansion performing command substitution. Local attacker could gain arbitrary code execution via bogus setuid binaries using system()/popen() by specially crafting SHELLOPTS+PS4 environment variables (CVE-2016-7543).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5GRFMCTX4O7RTLZX5CI45KC7GGM6XIIY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OU3C756YPHDAAPFX76UGZBAQQQ5UMHS5/
========================

Updated packages in core/updates_testing:
========================
bash-4.3-48.2.mga5
bash-doc-4.3-48.2.mga5

from bash-4.3-48.2.mga5.src.rpm
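One way a privileged program that calls system()/popen() can guard against the SHELLOPTS+PS4 inheritance described in the advisory above. This is an added example, not code from the bash patch or from the Mageia or Fedora packages; the function names and the extra BASH_ENV/ENV entries are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PS4 and SHELLOPTS are the pair named in the advisory. BASH_ENV and ENV are
 * an assumption added here: other variables a child shell acts on at startup. */
static const char *const SHELL_CONTROL_VARS[] = { "PS4", "SHELLOPTS", "BASH_ENV", "ENV" };

/* 1 if the colon-separated SHELLOPTS value enables xtrace, the option that
 * makes bash expand PS4 before each traced command. */
int shellopts_has_xtrace(const char *opts)
{
    while (opts != NULL && *opts != '\0') {
        size_t len = strcspn(opts, ":");
        if (len == 6 && strncmp(opts, "xtrace", 6) == 0)
            return 1;
        opts += len;
        if (*opts == ':')
            opts++;
    }
    return 0;
}

/* 1 if the inherited environment has the shape the advisory describes:
 * xtrace forced on through SHELLOPTS while PS4 is also supplied by the caller. */
int env_forces_ps4_expansion(void)
{
    return getenv("PS4") != NULL && shellopts_has_xtrace(getenv("SHELLOPTS"));
}

/* Remove the shell-control variables; returns how many were present. */
int scrub_shell_env(void)
{
    int removed = 0;
    for (size_t i = 0; i < sizeof SHELL_CONTROL_VARS / sizeof *SHELL_CONTROL_VARS; i++) {
        if (getenv(SHELL_CONTROL_VARS[i]) != NULL && unsetenv(SHELL_CONTROL_VARS[i]) == 0)
            removed++;
    }
    return removed;
}

int main(void)
{
    /* Constructed sample environment; the PS4 value is a harmless marker. */
    setenv("SHELLOPTS", "braceexpand:xtrace:hashall", 1);
    setenv("PS4", "constructed-prompt> ", 1);
    printf("suspicious before scrub: %d\n", env_forces_ps4_expansion());
    printf("variables removed: %d\n", scrub_shell_env());
    printf("suspicious after scrub: %d\n", env_forces_ps4_expansion());
    return system("echo child shell ran with a scrubbed environment") == 0 ? 0 : 1;
}
```

The check can also be logged before scrubbing, so that an invocation arriving with xtrace forced on and a caller-supplied PS4 leaves an audit trail.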
I couldn't get the poc from https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025 working, but regular bash testing is working ok. Validating the update.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0393.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Re comment 4. I tried the PoC as well just now, Dave, and it did not work for me either. sddm said "Welcome to lsbug". I am wondering if the backticks needed to be escaped (\). Len
CC: (none) => tarazed25
Blocks: (none) => 19387
Depends on: 19387 => (none)