RedHat has issued an advisory today (May 18): https://access.redhat.com/errata/RHSA-2021:1679 If I'm reading this right, I'm not sure it's a real issue, as Bash shouldn't be setuid. Regardless, RedHat did patch the same version 4.4 that we have.
Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelien, pterjan, smelror
CVE: (none) => CVE-2019-18276
Assignee: bugsquad => pkg-bugs
Advisory:
========================

Updated bash packages fix security vulnerability:

A privilege escalation vulnerability was found in bash in the way it dropped privileges when started with an effective user id not equal to the real user id. Bash may be vulnerable to this flaw if the setuid permission is set and the owner of the bash program itself is a non-root user. A local attacker could exploit this flaw to escalate their privileges on the system (CVE-2019-18276).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276
https://access.redhat.com/errata/RHSA-2021:1679
========================

Updated packages in core/updates_testing:
========================
bash-4.4-23.1.2.mga7
bash-doc-4.4-23.1.2.mga7

from bash-4.4-23.1.2.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Drawing on previous updates:

# rpm -q --provides bash
/bin/bash
/bin/sh
/usr/bin/bash
/usr/bin/sh
bash = 4.4-23.1.2.mga7
bash(x86-64) = 4.4-23.1.2.mga7
config(bash) = 4.4-23.1.2.mga7

$ pwd
/home/tester7/Pictures/20140119NieuwjaarViaene
$ file IMG_1259.jpg
IMG_1259.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=10, description= , manufacturer=Canon, model=Canon IXUS 240 HS, orientation=upper-left, xresolution=190, yresolution=198, resolutionunit=2, datetime=2014:01:19 14:55:48], baseline, precision 8, 4608x3456, components 3

Messed around with mkdir and rmdir, all worked OK.
Expecting others with their own ideas.
CC: (none) => herman.viaene
Considering Comment 0, I believe your test is good enough, Herman. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0288.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
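
The advisory in this thread ties CVE-2019-18276 to a bash binary that has the setuid bit set and is owned by a non-root user. A check for that condition on the paths the package provides, as an added example that is not part of the original bug report (the function names `classify_shell` and `audit_shells` are hypothetical):

```shell
#!/bin/sh
# Added example, not from the bug report: test shell binaries against the
# precondition stated in the advisory (setuid bit set AND owner is not root).
# classify_shell and audit_shells are hypothetical helper names.

# classify_shell PATH -> prints: missing | ok | setuid-root | setuid-nonroot
classify_shell() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
        return 0
    fi
    if [ ! -u "$path" ]; then   # -u tests the set-user-ID bit, following symlinks
        echo ok
        return 0
    fi
    # -L dereferences symlinks (e.g. /bin/sh -> bash), -n keeps the owner numeric.
    owner=$(ls -ldnL -- "$path" | awk '{print $3}')
    if [ "$owner" = "0" ]; then
        echo setuid-root        # setuid, but not the non-root-owner case in the advisory
    else
        echo setuid-nonroot     # matches the advisory's precondition
    fi
}

# audit_shells PATH... -> prints "PATH: verdict" for each path and
# returns 1 if any path matches the advisory's precondition, else 0.
audit_shells() {
    rc=0
    for p in "$@"; do
        verdict=$(classify_shell "$p")
        printf '%s: %s\n' "$p" "$verdict"
        if [ "$verdict" = "setuid-nonroot" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Paths taken from the `rpm -q --provides bash` output earlier in this thread.
audit_shells /bin/bash /bin/sh /usr/bin/bash /usr/bin/sh \
    || echo "at least one path is setuid and not owned by root"
```

On a default install every path should report `ok`, which is the situation Comment 0 describes.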