--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package bash/4.3-11+deb8u1
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Tue, 11 Oct 2016 07:02:39 +0200
- Message-id: <147616215955.16880.11621560027419433970.reportbug@lorien.valinor.li>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi Stable release managers,
X-Debbugs-CC Matthias Klose <doko@debian.org> if he agrees, or would
like me to drop it in case he would like to do the upload himself.
bash in Stable is affected by
CVE-2016-0634: Arbitrary code execution via malicious hostname
and
CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows
command substitution
which both are considered no-dsa (actually the first one unimportant,
thus it's not tagged no-dsa in the security tracker). I have prepared
an update for bash picking the two upstream patches for the 4.3 branch.
Attached is the debdiff.
Would it be acceptable for the/an upcoming Jessie point release?
Regards,
Salvatore
diff -Nru bash-4.3/debian/changelog bash-4.3/debian/changelog
--- bash-4.3/debian/changelog 2014-10-07 16:22:00.000000000 +0200
+++ bash-4.3/debian/changelog 2016-10-09 17:35:21.000000000 +0200
@@ -1,3 +1,12 @@
+bash (4.3-11+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-0634: Arbitrary code execution via malicious hostname
+ * CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows command
+ substitution
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 09 Oct 2016 17:35:21 +0200
+
bash (4.3-11) unstable; urgency=medium
* Apply upstream patches 028 - 030.
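Review bot: the two new entries in the 4.3-11+deb8u1 stanza give only the CVE titles and do not say which files under debian/patches/ were added or which upstream patches they correspond to. Naming the patch file on each line (for example "Add CVE-2016-0634.diff: ...") makes the entry traceable from the changelog alone, the way the 4.3-11 entry below it names the upstream patch range. If these CVEs have bug numbers in the BTS, a Closes: reference belongs here as well.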
diff -Nru bash-4.3/debian/patches/CVE-2016-0634.diff bash-4.3/debian/patches/CVE-2016-0634.diff
--- bash-4.3/debian/patches/CVE-2016-0634.diff 1970-01-01 01:00:00.000000000 +0100
+++ bash-4.3/debian/patches/CVE-2016-0634.diff 2016-10-09 17:35:21.000000000 +0200
@@ -0,0 +1,109 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.3
+Patch-ID: bash43-047
+
+Bug-Reported-by: Bernd Dietzel
+Bug-Reference-ID:
+Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
+
+Bug-Description:
+
+Bash performs word expansions on the prompt strings after the special
+escape sequences are expanded. If a malicious user can modify the system
+hostname or change the name of the bash executable and coerce a user into
+executing it, and the new name contains word expansions (including
+command substitution), bash will expand them in prompt strings containing
+the \h or \H and \s escape sequences, respectively.
+
+Patch (apply with `patch -p0'):
+
+--- a/parse.y
++++ b/parse.y
+@@ -5251,7 +5251,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+ int result_size, result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -5399,7 +5399,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
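Review bot: in the `case 's'` branch the new comment ("Try to quote anything the user can set in the file system") does not say why the quoting is conditional on `promptvars || posixly_correct`. Presumably that is the same condition under which the decoded prompt is word-expanded later in decode_prompt_string, which is outside this hunk; say so in the comment so the two conditions are kept in step if either changes. Please also confirm that sh_backslash_quote_for_double_quotes returns newly allocated storage, since the else branch hands add_string a savestring copy and both paths need the same ownership.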
+@@ -5489,9 +5493,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
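Review bot: the comment inside the new `if (promptvars || posixly_correct)` in the `case 'h'` / `case 'H'` branch records a precondition, that expand_prompt_string is called with a second argument of Q_DOUBLE_QUOTES, which nothing in this hunk enforces. Please confirm that the call in the 4.3-11 tree passes that flag, because backslash quoting chosen for a double-quoted context is only correct if the expansion happens in one. As a style point, the multi-line comment sits between an unbraced `if` and its single statement; braces around both branches would make the if/else pairing harder to break in a later edit.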
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7563,7 +7563,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+ int result_size, result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -7711,7 +7711,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -7801,9 +7805,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
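Review bot: the y.tab.c hunks repeat the parse.y changes line for line at different offsets, y.tab.c being the parser generated from parse.y. Check after applying that the build either uses the patched y.tab.c as shipped or regenerates it from the patched parse.y; in both cases the two files must not diverge, so any later refresh of this patch has to touch both.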
diff -Nru bash-4.3/debian/patches/CVE-2016-7543.diff bash-4.3/debian/patches/CVE-2016-7543.diff
--- bash-4.3/debian/patches/CVE-2016-7543.diff 1970-01-01 01:00:00.000000000 +0100
+++ bash-4.3/debian/patches/CVE-2016-7543.diff 2016-10-09 17:35:21.000000000 +0200
@@ -0,0 +1,34 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.3
+Patch-ID: bash43-048
+
+Bug-Reported-by: up201407890@alunos.dcc.fc.up.pt
+Bug-Reference-ID: <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt>
+Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html
+
+Bug-Description:
+
+If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
+and a value for $PS4 that includes a command substitution into a shell
+running as root, bash will expand the command substitution as part of
+expanding $PS4 when it executes a traced command.
+
+Patch (apply with `patch -p0'):
+
+--- a/variables.c
++++ b/variables.c
+@@ -495,7 +495,11 @@ initialize_shell_variables (env, privmod
+ #endif
+ set_if_not ("PS2", secondary_prompt);
+ }
+- set_if_not ("PS4", "+ ");
++
++ if (current_user.euid == 0)
++ bind_variable ("PS4", "+ ", 0);
++ else
++ set_if_not ("PS4", "+ ");
+
+ /* Don't allow IFS to be imported from the environment. */
+ temp_var = bind_variable ("IFS", " \t\n", 0);
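Review bot: the new `if (current_user.euid == 0)` carries no comment, while the IFS line just below it has one ("Don't allow IFS to be imported from the environment."); add a matching comment saying that PS4 from the environment is discarded for root because it is expanded when a traced command runs. Two further points for the release: `bind_variable ("PS4", "+ ", 0)` overrides any inherited value, so a root user who exports PS4 deliberately for tracing loses it in child shells, which is a behaviour change that deserves a changelog or NEWS line; and the test covers only effective uid 0, so a shell running with any other effective uid still keeps a PS4 taken from the environment through set_if_not.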
diff -Nru bash-4.3/debian/patches/series bash-4.3/debian/patches/series
--- bash-4.3/debian/patches/series 2014-10-07 16:22:08.000000000 +0200
+++ bash-4.3/debian/patches/series 2016-10-09 17:35:21.000000000 +0200
@@ -49,3 +49,5 @@
# no-brk-caching.diff
use-system-texi2html.diff
bzero.diff
+CVE-2016-0634.diff
+CVE-2016-7543.diff
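Review bot: the two entries are appended after bzero.diff, so they apply on top of everything else in the series. The patch headers identify them as upstream bash43-047 and bash43-048, while the newest upstream range named in the changelog context is 028 - 030; please confirm that both apply to this tree without fuzz or offsets, in particular the decode_prompt_string hunks, whose line numbers were presumably taken from the upstream patch.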
--- End Message ---