Bug 1130324 - (CVE-2019-9924) VUL-0: CVE-2019-9924: bash: BASH_CMD is writable in restricted bash shells
(CVE-2019-9924)
VUL-0: CVE-2019-9924: bash: BASH_CMD is writable in restricted bash shells
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
All Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/226941/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-03-25 07:51 UTC by Karol Babioch
Modified: 2019-07-06 06:53 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Karol Babioch 2019-03-25 07:53:31 UTC
Based on the version information in the report, all codestreams, but "SUSE:SLE-15:Update" are affected:

- SUSE:SLE-10-SP3:Update
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-11-SP3:Update
- SUSE:SLE-11-SP4:Update
- SUSE:SLE-12:Update
- SUSE:SLE-12-SP2:Update
Comment 3 Dr. Werner Fink 2019-03-25 08:15:32 UTC
(In reply to Karol Babioch from comment #1)
> Based on the version information in the report, all codestreams, but
> "SUSE:SLE-15:Update" are affected:
> 
> - SUSE:SLE-10-SP3:Update
> - SUSE:SLE-11-SP1:Update
> - SUSE:SLE-11-SP3:Update
> - SUSE:SLE-11-SP4:Update
> - SUSE:SLE-12:Update
> - SUSE:SLE-12-SP2:Update

You do not want an update to bash 4.4 on SLES-10 nor on SLES-11 and IMHO this is the wrong commit, OK mentioned in the CHANGES-4.4, but the change seem to be in https://git.savannah.gnu.org/cgit/bash.git/diff/?h=bash-4.4-testing&id=a4eef1991c25c9d1c55f777952cd522c762c6fc3&id2=690150f9e5e860a4211e71ef4446938bb57ee983 at

diff --git a/variables.c b/variables.c
index a799f50..be2446e 100644
--- a/variables.c
+++ b/variables.c
[...]
@@ -1628,6 +1632,13 @@ assign_hashcmd (self, value, ind, key)
      arrayind_t ind;
      char *key;
 {
+#if defined (RESTRICTED_SHELL)
+  if (restricted && strchr (value, '/'))
+    {
+      sh_restricted (value);
+      return (SHELL_VAR *)NULL;
+    }
+#endif
   phash_insert (key, value, 0, 0);
   return (build_hashcmd (self));
 }

as given in

+variables.c
+	- assign_hashcmd: if the shell is restricted, reject attempts to add
+	  pathnames containing slashes to the hash table, as the hash builtin
+	  does.  Fixes bug reported to savannah by Sylvain Beucler as
+	  https://savannah.gnu.org/support/?108969
+
Comment 15 Swamp Workflow Management 2019-04-02 13:10:25 UTC
SUSE-SU-2019:0838-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1130324
CVE References: CVE-2019-9924
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Server 12-SP4 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Server 12-SP3 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    bash-4.3-83.23.1
SUSE CaaS Platform ALL (src):    bash-4.3-83.23.1
SUSE CaaS Platform 3.0 (src):    bash-4.3-83.23.1
OpenStack Cloud Magnum Orchestration 7 (src):    bash-4.3-83.23.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2019-04-08 13:11:04 UTC
SUSE-SU-2019:0898-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1130324
CVE References: CVE-2019-9924
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    bash-4.2-83.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    bash-4.2-83.3.1
SUSE Linux Enterprise Server 12-LTSS (src):    bash-4.2-83.3.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 29 Dr. Werner Fink 2019-04-08 13:29:31 UTC
Out there
Comment 30 Swamp Workflow Management 2019-04-08 22:09:25 UTC
openSUSE-SU-2019:1178-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1130324
CVE References: CVE-2019-9924
Sources used:
openSUSE Leap 42.3 (src):    bash-4.3-83.15.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2019-07-05 22:11:10 UTC
SUSE-SU-2019:0838-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1130324
CVE References: CVE-2019-9924
Sources used:
SUSE OpenStack Cloud 7 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    bash-4.3-83.23.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    bash-4.3-83.23.1
SUSE Enterprise Storage 4 (src):    bash-4.3-83.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.