Bug 24751 - bash new security issue CVE-2019-9924
Summary: bash new security issue CVE-2019-9924
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-05-03 20:37 CEST by David Walser
Modified: 2019-05-12 11:37 CEST (History)
9 users (show)

See Also:
Source RPM: bash-4.3-48.3.mga6.src.rpm
CVE:
Status comment:


Attachments
hello_ls.bsh (117 bytes, text/plain)
2019-05-06 15:52 CEST, Brian Rockwell
Details

Description David Walser 2019-05-03 20:37:58 CEST
openSUSE has issued an advisory on April 9:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00093.html
Comment 1 Marja Van Waes 2019-05-03 21:12:24 CEST
Assigning to our registered bash maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2019-05-04 23:03:20 CEST
Patched package uploaded for Mageia 6 by Shlomi.

Advisory:
========================

Updated bash package fixes security vulnerability:

A vulnerability in which shell did not prevent user BASH_CMDS, allowing the
user to execute any command with the permissions of the shell (CVE-2019-9924).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924
https://lists.opensuse.org/opensuse-updates/2019-04/msg00093.html
========================

Updated packages in core/updates_testing:
========================
bash-4.3-48.4.mga6
bash-doc-4.3-48.4.mga6

from bash-4.3-48.4.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 3 Herman Viaene 2019-05-05 16:03:52 CEST
MGA6-64 Plasma on Lenovo B50
No installation issues.
Exercised pwd, cd, fle, ls, mkdir, rmdir, su commands with autocompletion where possible, seems OK.
Out of precaution waiting for OK from other testers with more/other ideas.

CC: (none) => herman.viaene

Comment 4 Brian Rockwell 2019-05-06 15:49:31 CEST
The following 2 packages are going to be installed:

- bash-4.3-48.4.mga6.i586
- bash-doc-4.3-48.4.mga6.i586


$ rbash --version
rbash --version
GNU bash, version 4.3.48(1)-release (i586-mageia-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
__vte_prompt_command
__vte_osc7
__vte_urlencode "${PWD}"


ran a dumb script I wrote quickly.  hello_ls.bsh

$ rbash hello_ls.bsh

It went through commands and did them, including what should have happened properly, this worked in old version too:
hello_ls.bsh: line 9: cd: restricted
set -o allowed functions to be set up, did this in both versions

Allowed me to reach into folders up the base (both versions)

From what I can tell it is working.  (I'll attach teh script)

CC: (none) => brtians1

Comment 5 Brian Rockwell 2019-05-06 15:52:05 CEST
Created attachment 10984 [details]
hello_ls.bsh

You've got to chmod the file u+x before executing it.

echos "Hello World"

ls -la on current folder

ls ./Music

tries a couple of commands

then execute mplayer against a file in my music folder, you'll need to rename that it you want to hear/see something.
Comment 6 PC LX 2019-05-08 17:56:50 CEST
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

Tested normal (unrestricted) bash usage without issues.
Tested restricted bash usage (all those mentioned in the man page) and all resulted in a "restricted" message and the command not being executed, so no issues as well.

$ uname -a
Linux marte 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 08:34:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q bash
bash-4.3-48.4.mga6
$ echo $0
rbash
$ cd tmp
rbash: cd: restricted
$ exec ls
rbash: exec: restricted
<SNIP>

CC: (none) => mageia

Comment 7 Len Lawrence 2019-05-08 18:32:49 CEST
Using cli approach with argument passing, for x86_64.

Modified some local scripts to be called:
#!/bin/bash
# syncpad
# Make copy of a named directory
rsync -r /data/$1 /data/clone/
#count lines in a file by running a bash one-liner 
lines ~/.bashrc
# Clean up filenames in . using a ruby script to remove spaces and unwanted characters.
shrink
#end bash script
------------------------------------------
#!/bin/bash
# lines
cat $1 | wc -l
------------------------------------------

Updated bash.
$ rbash --version
GNU bash, version 4.3.48(1)-release (x86_64-mageia-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.

$ touch file "This(is a) File&name with[Junk]Characters"

$ syncpad pad
46

$ ll This*
-rw-r--r-- 1 lcl lcl 0 May  8 16:58 ThisisaFilenamewithJunkCharacters
$ cat .bashrc | wc -l
46
$ ls /data/clone
pad/

Used Brian's approach, which worked equally well.
$ rm ThisisaFilenamewithJunkCharacters
rm: remove regular empty file 'ThisisaFilenamewithJunkCharacters'? 
$ rbash syncpad astro
46
$ ls /data/clone
astro/  pad/

Good enough.
Leaving Herman or Brian to set the 32-bit OK.
Thanks PC LX for testing the restrictions.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2019-05-08 18:49:38 CEST
Umm.  Not sure what is going on here:

$ rbash
$ syncpad bin
46
$ ls /data/clone
astro/  bin/  pad/
$ echo $0
rbash

Expected the ls command to fail on the /'s.

Whiteboard: (none) => MGA6-64-OK

Comment 9 Thomas Andrews 2019-05-10 01:24:17 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 09:57:23 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 10 Mageia Robot 2019-05-12 11:37:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0163.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.