Bug 24751 - bash new security issue CVE-2019-9924
Summary: bash new security issue CVE-2019-9924
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-05-03 20:37 CEST by David Walser
Modified: 2019-05-12 11:37 CEST (History)
9 users (show)

See Also:
Source RPM: bash-4.3-48.3.mga6.src.rpm
Status comment:

hello_ls.bsh (117 bytes, text/plain)
2019-05-06 15:52 CEST, Brian Rockwell

Description David Walser 2019-05-03 20:37:58 CEST
openSUSE has issued an advisory on April 9:
Comment 1 Marja Van Waes 2019-05-03 21:12:24 CEST
Assigning to our registered bash maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2019-05-04 23:03:20 CEST
Patched package uploaded for Mageia 6 by Shlomi.


Updated bash package fixes security vulnerability:

A vulnerability in which shell did not prevent user BASH_CMDS, allowing the
user to execute any command with the permissions of the shell (CVE-2019-9924).


Updated packages in core/updates_testing:

from bash-4.3-48.4.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 3 Herman Viaene 2019-05-05 16:03:52 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues.
Exercised pwd, cd, fle, ls, mkdir, rmdir, su commands with autocompletion where possible, seems OK.
Out of precaution waiting for OK from other testers with more/other ideas.

CC: (none) => herman.viaene

Comment 4 Brian Rockwell 2019-05-06 15:49:31 CEST
The following 2 packages are going to be installed:

- bash-4.3-48.4.mga6.i586
- bash-doc-4.3-48.4.mga6.i586

$ rbash --version
rbash --version
GNU bash, version 4.3.48(1)-release (i586-mageia-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
__vte_urlencode "${PWD}"

ran a dumb script I wrote quickly.  hello_ls.bsh

$ rbash hello_ls.bsh

It went through commands and did them, including what should have happened properly, this worked in old version too:
hello_ls.bsh: line 9: cd: restricted
set -o allowed functions to be set up, did this in both versions

Allowed me to reach into folders up the base (both versions)

From what I can tell it is working.  (I'll attach teh script)

CC: (none) => brtians1

Comment 5 Brian Rockwell 2019-05-06 15:52:05 CEST
Created attachment 10984 [details]

You've got to chmod the file u+x before executing it.

echos "Hello World"

ls -la on current folder

ls ./Music

tries a couple of commands

then execute mplayer against a file in my music folder, you'll need to rename that it you want to hear/see something.
Comment 6 PC LX 2019-05-08 17:56:50 CEST
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

Tested normal (unrestricted) bash usage without issues.
Tested restricted bash usage (all those mentioned in the man page) and all resulted in a "restricted" message and the command not being executed, so no issues as well.

$ uname -a
Linux marte 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 08:34:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q bash
$ echo $0
$ cd tmp
rbash: cd: restricted
$ exec ls
rbash: exec: restricted

CC: (none) => mageia

Comment 7 Len Lawrence 2019-05-08 18:32:49 CEST
Using cli approach with argument passing, for x86_64.

Modified some local scripts to be called:
# syncpad
# Make copy of a named directory
rsync -r /data/$1 /data/clone/
#count lines in a file by running a bash one-liner 
lines ~/.bashrc
# Clean up filenames in . using a ruby script to remove spaces and unwanted characters.
#end bash script
# lines
cat $1 | wc -l

Updated bash.
$ rbash --version
GNU bash, version 4.3.48(1)-release (x86_64-mageia-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.

$ touch file "This(is a) File&name with[Junk]Characters"

$ syncpad pad

$ ll This*
-rw-r--r-- 1 lcl lcl 0 May  8 16:58 ThisisaFilenamewithJunkCharacters
$ cat .bashrc | wc -l
$ ls /data/clone

Used Brian's approach, which worked equally well.
$ rm ThisisaFilenamewithJunkCharacters
rm: remove regular empty file 'ThisisaFilenamewithJunkCharacters'? 
$ rbash syncpad astro
$ ls /data/clone
astro/  pad/

Good enough.
Leaving Herman or Brian to set the 32-bit OK.
Thanks PC LX for testing the restrictions.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2019-05-08 18:49:38 CEST
Umm.  Not sure what is going on here:

$ rbash
$ syncpad bin
$ ls /data/clone
astro/  bin/  pad/
$ echo $0

Expected the ls command to fail on the /'s.

Whiteboard: (none) => MGA6-64-OK

Comment 9 Thomas Andrews 2019-05-10 01:24:17 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 09:57:23 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 10 Mageia Robot 2019-05-12 11:37:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.