
Bug#840379: jessie-pu: package bash/4.3-11+deb8u1

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable release managers,

X-Debbugs-CC Matthias Klose <doko@debian.org> if he agrees, or would
like me to drop it in case he would like to do the upload himself.

bash in Stable is affected by

CVE-2016-0634: Arbitrary code execution via malicious hostname

and

CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allow
command substitution

which both are considered no-dsa (actually the first one unimportant,
thus it's not tagged no-dsa in the security tracker). I have prepared
an update for bash picking the two upstream patches for the 4.3 branch.
Attached is the debdiff.

Would it be acceptable for the/an upcoming Jessie point release?

Regards,
Salvatore
diff -Nru bash-4.3/debian/changelog bash-4.3/debian/changelog
--- bash-4.3/debian/changelog	2014-10-07 16:22:00.000000000 +0200
+++ bash-4.3/debian/changelog	2016-10-09 17:35:21.000000000 +0200
@@ -1,3 +1,12 @@
+bash (4.3-11+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-0634: Arbitrary code execution via malicious hostname
+  * CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows command
+    substitution
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 09 Oct 2016 17:35:21 +0200
+
 bash (4.3-11) unstable; urgency=medium
 
   * Apply upstream patches 028 - 030.
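Review bot: the two new changelog bullets name only the CVE ids, while the existing entry directly below ("Apply upstream patches 028 - 030.") records the upstream patch numbers; adding those here too ("CVE-2016-0634: ... (upstream patch bash43-047)" and "CVE-2016-7543: ... (upstream patch bash43-048)") makes it easy to see later which official bash 4.3 patch levels this stable upload corresponds to. Minor grammar in the second bullet: "variables allows" should read "variables allow".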
diff -Nru bash-4.3/debian/patches/CVE-2016-0634.diff bash-4.3/debian/patches/CVE-2016-0634.diff
--- bash-4.3/debian/patches/CVE-2016-0634.diff	1970-01-01 01:00:00.000000000 +0100
+++ bash-4.3/debian/patches/CVE-2016-0634.diff	2016-10-09 17:35:21.000000000 +0200
@@ -0,0 +1,109 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-047
+
+Bug-Reported-by:	Bernd Dietzel
+Bug-Reference-ID:
+Bug-Reference-URL:	https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
+
+Bug-Description:
+
+Bash performs word expansions on the prompt strings after the special
+escape sequences are expanded.  If a malicious user can modify the system
+hostname or change the name of the bash executable and coerce a user into
+executing it, and the new name contains word expansions (including
+command substitution), bash will expand them in prompt strings containing
+the \h or \H and \s escape sequences, respectively.
+
+Patch (apply with `patch -p0'):
+
+--- a/parse.y
++++ b/parse.y
+@@ -5251,7 +5251,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+   int result_size, result_index;
+   int c, n, i;
+-  char *temp, octal_string[4];
++  char *temp, *t_host, octal_string[4];
+   struct tm *tm;  
+   time_t the_time;
+   char timebuf[128];
+@@ -5399,7 +5399,11 @@ decode_prompt_string (string)
+ 
+ 	    case 's':
+ 	      temp = base_pathname (shell_name);
+-	      temp = savestring (temp);
++	      /* Try to quote anything the user can set in the file system */
++	      if (promptvars || posixly_correct)
++		temp = sh_backslash_quote_for_double_quotes (temp);
++	      else
++		temp = savestring (temp);
+ 	      goto add_string;
+ 
+ 	    case 'v':
+@@ -5489,9 +5493,17 @@ decode_prompt_string (string)
+ 
+ 	    case 'h':
+ 	    case 'H':
+-	      temp = savestring (current_host_name);
+-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
++	      t_host = savestring (current_host_name);
++	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ 		*t = '\0';
++	      if (promptvars || posixly_correct)
++		/* Make sure that expand_prompt_string is called with a
++		   second argument of Q_DOUBLE_QUOTES if we use this
++		   function here. */
++		temp = sh_backslash_quote_for_double_quotes (t_host);
++	      else
++		temp = savestring (t_host);
++	      free (t_host);
+ 	      goto add_string;
+ 
+ 	    case '#':
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7563,7 +7563,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+   int result_size, result_index;
+   int c, n, i;
+-  char *temp, octal_string[4];
++  char *temp, *t_host, octal_string[4];
+   struct tm *tm;  
+   time_t the_time;
+   char timebuf[128];
+@@ -7711,7 +7711,11 @@ decode_prompt_string (string)
+ 
+ 	    case 's':
+ 	      temp = base_pathname (shell_name);
+-	      temp = savestring (temp);
++	      /* Try to quote anything the user can set in the file system */
++	      if (promptvars || posixly_correct)
++		temp = sh_backslash_quote_for_double_quotes (temp);
++	      else
++		temp = savestring (temp);
+ 	      goto add_string;
+ 
+ 	    case 'v':
+@@ -7801,9 +7805,17 @@ decode_prompt_string (string)
+ 
+ 	    case 'h':
+ 	    case 'H':
+-	      temp = savestring (current_host_name);
+-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
++	      t_host = savestring (current_host_name);
++	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ 		*t = '\0';
++	      if (promptvars || posixly_correct)
++		/* Make sure that expand_prompt_string is called with a
++		   second argument of Q_DOUBLE_QUOTES if we use this
++		   function here. */
++		temp = sh_backslash_quote_for_double_quotes (t_host);
++	      else
++		temp = savestring (t_host);
++	      free (t_host);
+ 	      goto add_string;
+ 
+ 	    case '#':
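Review bot: the new `case 'h'`/`case 'H'` block depends on a precondition that appears only in its comment ("Make sure that expand_prompt_string is called with a second argument of Q_DOUBLE_QUOTES if we use this function here"), and no line in this hunk shows that caller; before accepting the backport, confirm that the 4.3-11 tree's call to expand_prompt_string in parse.y does pass Q_DOUBLE_QUOTES, because sh_backslash_quote_for_double_quotes produces quoting that only matches a double-quoted expansion context. Note also that the patch carries identical changes to both parse.y and the generated y.tab.c; that is correct for a tree that ships y.tab.c pre-generated, but if the Debian build regenerates y.tab.c from parse.y the second half is redundant and can be dropped to reduce future conflicts. The quoting is gated on `promptvars || posixly_correct`, which is consistent with the bug description (expansion only happens when prompt word expansion is enabled), so the non-expanding path keeps the plain savestring behaviour.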
diff -Nru bash-4.3/debian/patches/CVE-2016-7543.diff bash-4.3/debian/patches/CVE-2016-7543.diff
--- bash-4.3/debian/patches/CVE-2016-7543.diff	1970-01-01 01:00:00.000000000 +0100
+++ bash-4.3/debian/patches/CVE-2016-7543.diff	2016-10-09 17:35:21.000000000 +0200
@@ -0,0 +1,34 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-048
+
+Bug-Reported-by:	up201407890@alunos.dcc.fc.up.pt
+Bug-Reference-ID:	<20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html
+
+Bug-Description:
+
+If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
+and a value for $PS4 that includes a command substitution into a shell
+running as root, bash will expand the command substitution as part of
+expanding $PS4 when it executes a traced command.
+
+Patch (apply with `patch -p0'):
+
+--- a/variables.c
++++ b/variables.c
+@@ -495,7 +495,11 @@ initialize_shell_variables (env, privmod
+ #endif
+       set_if_not ("PS2", secondary_prompt);
+     }
+-  set_if_not ("PS4", "+ ");
++
++  if (current_user.euid == 0)
++    bind_variable ("PS4", "+ ", 0);
++  else
++    set_if_not ("PS4", "+ ");
+ 
+   /* Don't allow IFS to be imported from the environment. */
+   temp_var = bind_variable ("IFS", " \t\n", 0);
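Review bot: the new `if (current_user.euid == 0)` branch has no comment explaining why PS4 is force-bound instead of inherited, whereas the IFS line right below it carries "Don't allow IFS to be imported from the environment."; a one-line comment such as "Don't import PS4 from the environment when running as root (CVE-2016-7543, xtrace command substitution)" would keep the two cases readable side by side. Also worth recording in the review: as written the fix only applies when euid is 0, so a non-root shell still imports PS4 and SHELLOPTS from its environment, which matches the scope in the bug description ("into a shell running as root") but is narrower than the IFS handling.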
diff -Nru bash-4.3/debian/patches/series bash-4.3/debian/patches/series
--- bash-4.3/debian/patches/series	2014-10-07 16:22:08.000000000 +0200
+++ bash-4.3/debian/patches/series	2016-10-09 17:35:21.000000000 +0200
@@ -49,3 +49,5 @@
 # no-brk-caching.diff
 use-system-texi2html.diff
 bzero.diff
+CVE-2016-0634.diff
+CVE-2016-7543.diff
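Review bot: appending the two CVE patches after bzero.diff at the end of the quilt series is the right place, since earlier upstream patches in the series may also touch parse.y and y.tab.c and quilt applies entries in order; a comment line next to these two entries naming the upstream patch ids (bash43-047 and bash43-048, as given in the patch headers) would help whoever backports the next upstream patch level check what is already applied.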
