Bug 28937 - bash new security issue CVE-2019-18276
Summary: bash new security issue CVE-2019-18276
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-18 17:05 CEST by David Walser
Modified: 2021-06-28 23:18 CEST
CC List: 6 users

See Also:
Source RPM: bash-4.4-23.1.1.mga7.src.rpm
CVE: CVE-2019-18276
Status comment:



Description David Walser 2021-05-18 17:05:14 CEST
RedHat has issued an advisory today (May 18):
https://access.redhat.com/errata/RHSA-2021:1679

If I'm reading this right, I'm not sure it's a real issue, as Bash shouldn't be setuid.  Regardless, RedHat did patch the same version 4.4 that we have.
Comment 1 Aurelien Oudelet 2021-05-19 15:19:05 CEST
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien, pterjan, smelror
CVE: (none) => CVE-2019-18276
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-06-22 00:44:43 CEST
Advisory:
========================

Updated bash packages fix security vulnerability:

A privilege escalation vulnerability was found in bash in the way it dropped
privileges when started with an effective user id not equal to the real user
id. Bash may be vulnerable to this flaw if the setuid permission is set and
the owner of the bash program itself is a non-root user. A local attacker
could exploit this flaw to escalate their privileges on the system
(CVE-2019-18276).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18276
https://access.redhat.com/errata/RHSA-2021:1679
========================

Updated packages in core/updates_testing:
========================
bash-4.4-23.1.2.mga7
bash-doc-4.4-23.1.2.mga7

from bash-4.4-23.1.2.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
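
The configuration the advisory calls vulnerable (a bash binary carrying the setuid or setgid bit and owned by a non-root user) can be audited with the following script. It is an added example, not part of the bug report or of the Mageia packages; the default directory list, the `bash*`/`sh` name filter and the output labels are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a system for copies of bash
# that carry the setuid or setgid bit, the precondition named in the advisory
# for CVE-2019-18276, and flag those owned by a non-root user.

# Print the path of every regular file named bash* or sh under the given
# directories (default: the usual binary directories, an assumption) that has
# the setuid (4000) or setgid (2000) bit set. Renamed copies are not caught.
find_setuid_bash() {
    [ "$#" -gt 0 ] || set -- /bin /usr/bin /usr/local/bin /sbin /usr/sbin
    find "$@" -xdev -type f \( -name 'bash*' -o -name 'sh' \) \
        \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Classify each hit. A non-root owner is exactly the configuration the
# advisory describes; a root-owned setuid shell is not this CVE but still
# deserves review. Returns 0 when nothing was found, 1 otherwise.
audit_setuid_bash() {
    hits=$(find_setuid_bash "$@" || true)
    if [ -z "$hits" ]; then
        echo "OK: no setuid/setgid bash or sh found"
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != root ]; then
            echo "VULNERABLE-CONFIG: $f is setuid/setgid and owned by $owner"
        else
            echo "REVIEW: $f is setuid/setgid (owned by root)"
        fi
    done
    return 1
}
```

Call `audit_setuid_bash` with no arguments to scan the default directories; the fix itself is the bash-4.4-23.1.2.mga7 package named in the advisory, and this script only reports the configuration that makes an unpatched bash exploitable.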

Comment 3 Herman Viaene 2021-06-23 15:51:30 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Drawing on previous updates:
# rpm -q --provides bash
/bin/bash
/bin/sh
/usr/bin/bash
/usr/bin/sh
bash = 4.4-23.1.2.mga7
bash(x86-64) = 4.4-23.1.2.mga7
config(bash) = 4.4-23.1.2.mga7

$ pwd
/home/tester7/Pictures/20140119NieuwjaarViaene

$ file IMG_1259.jpg 
IMG_1259.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=10, description=                               , manufacturer=Canon, model=Canon IXUS 240 HS, orientation=upper-left, xresolution=190, yresolution=198, resolutionunit=2, datetime=2014:01:19 14:55:48], baseline, precision 8, 4608x3456, components 3

messed around with mkdir and rmdir, all worked OK.
Expecting others with their own ideas.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-06-28 03:16:18 CEST
Considering Comment 0, I believe your test is good enough, Herman. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2021-06-28 21:21:24 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-06-28 23:18:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0288.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

