
Bug#840379: marked as done (jessie-pu: package bash/4.3-11+deb8u1)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #840379,
regarding jessie-pu: package bash/4.3-11+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
840379: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840379
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable release managers,

X-Debbugs-CC Matthias Klose <doko@debian.org> if he agrees, or would
like me to drop it in case he would like to do the upload himself.

bash in Stable is affected by

CVE-2016-0634: Arbitrary code execution via malicious hostname

and

CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows
command substitution

which both are considered no-dsa (actually the first one unimportant,
thus it's not tagged no-dsa in the security tracker). I have prepared
an update for bash picking the two upstream patches for the 4.3 branch.
Attached is the debdiff.

Would it be acceptable for the/an upcoming Jessie point release?

Regards,
Salvatore
diff -Nru bash-4.3/debian/changelog bash-4.3/debian/changelog
--- bash-4.3/debian/changelog	2014-10-07 16:22:00.000000000 +0200
+++ bash-4.3/debian/changelog	2016-10-09 17:35:21.000000000 +0200
@@ -1,3 +1,12 @@
+bash (4.3-11+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-0634: Arbitrary code execution via malicious hostname
+  * CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows command
+    substitution
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 09 Oct 2016 17:35:21 +0200
+
 bash (4.3-11) unstable; urgency=medium
 
   * Apply upstream patches 028 - 030.
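Review bot: The two new changelog entries give only the CVE titles and do not say what was changed in the package. Name the files added (debian/patches/CVE-2016-0634.diff and debian/patches/CVE-2016-7543.diff) and the upstream patch IDs they carry (bash43-047 and bash43-048), in the same way the previous entry records "Apply upstream patches 028 - 030", so the upload can be matched against upstream's patch level.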
diff -Nru bash-4.3/debian/patches/CVE-2016-0634.diff bash-4.3/debian/patches/CVE-2016-0634.diff
--- bash-4.3/debian/patches/CVE-2016-0634.diff	1970-01-01 01:00:00.000000000 +0100
+++ bash-4.3/debian/patches/CVE-2016-0634.diff	2016-10-09 17:35:21.000000000 +0200
@@ -0,0 +1,109 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-047
+
+Bug-Reported-by:	Bernd Dietzel
+Bug-Reference-ID:
+Bug-Reference-URL:	https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
+
+Bug-Description:
+
+Bash performs word expansions on the prompt strings after the special
+escape sequences are expanded.  If a malicious user can modify the system
+hostname or change the name of the bash executable and coerce a user into
+executing it, and the new name contains word expansions (including
+command substitution), bash will expand them in prompt strings containing
+the \h or \H and \s escape sequences, respectively.
+
+Patch (apply with `patch -p0'):
+
+--- a/parse.y
++++ b/parse.y
+@@ -5251,7 +5251,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+   int result_size, result_index;
+   int c, n, i;
+-  char *temp, octal_string[4];
++  char *temp, *t_host, octal_string[4];
+   struct tm *tm;  
+   time_t the_time;
+   char timebuf[128];
+@@ -5399,7 +5399,11 @@ decode_prompt_string (string)
+ 
+ 	    case 's':
+ 	      temp = base_pathname (shell_name);
+-	      temp = savestring (temp);
++	      /* Try to quote anything the user can set in the file system */
++	      if (promptvars || posixly_correct)
++		temp = sh_backslash_quote_for_double_quotes (temp);
++	      else
++		temp = savestring (temp);
+ 	      goto add_string;
+ 
+ 	    case 'v':
+@@ -5489,9 +5493,17 @@ decode_prompt_string (string)
+ 
+ 	    case 'h':
+ 	    case 'H':
+-	      temp = savestring (current_host_name);
+-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
++	      t_host = savestring (current_host_name);
++	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ 		*t = '\0';
++	      if (promptvars || posixly_correct)
++		/* Make sure that expand_prompt_string is called with a
++		   second argument of Q_DOUBLE_QUOTES if we use this
++		   function here. */
++		temp = sh_backslash_quote_for_double_quotes (t_host);
++	      else
++		temp = savestring (t_host);
++	      free (t_host);
+ 	      goto add_string;
+ 
+ 	    case '#':
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7563,7 +7563,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+   int result_size, result_index;
+   int c, n, i;
+-  char *temp, octal_string[4];
++  char *temp, *t_host, octal_string[4];
+   struct tm *tm;  
+   time_t the_time;
+   char timebuf[128];
+@@ -7711,7 +7711,11 @@ decode_prompt_string (string)
+ 
+ 	    case 's':
+ 	      temp = base_pathname (shell_name);
+-	      temp = savestring (temp);
++	      /* Try to quote anything the user can set in the file system */
++	      if (promptvars || posixly_correct)
++		temp = sh_backslash_quote_for_double_quotes (temp);
++	      else
++		temp = savestring (temp);
+ 	      goto add_string;
+ 
+ 	    case 'v':
+@@ -7801,9 +7805,17 @@ decode_prompt_string (string)
+ 
+ 	    case 'h':
+ 	    case 'H':
+-	      temp = savestring (current_host_name);
+-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
++	      t_host = savestring (current_host_name);
++	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ 		*t = '\0';
++	      if (promptvars || posixly_correct)
++		/* Make sure that expand_prompt_string is called with a
++		   second argument of Q_DOUBLE_QUOTES if we use this
++		   function here. */
++		temp = sh_backslash_quote_for_double_quotes (t_host);
++	      else
++		temp = savestring (t_host);
++	      free (t_host);
+ 	      goto add_string;
+ 
+ 	    case '#':
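Review bot: In the case 'h' / case 'H' branch (parse.y and the identical y.tab.c hunk), the new comment makes the fix depend on expand_prompt_string being called with Q_DOUBLE_QUOTES, but that call is not part of this patch, so the invariant cannot be checked from the diff. Please confirm the caller passes that flag under the same "promptvars || posixly_correct" condition, and repeat the comment in the case 's' branch, which relies on the same quoting function. Minor: in the else path, "temp = savestring (t_host);" followed by "free (t_host);" copies the string only to free the original; assigning t_host to temp there and freeing it only in the quoting branch avoids the extra allocation.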
diff -Nru bash-4.3/debian/patches/CVE-2016-7543.diff bash-4.3/debian/patches/CVE-2016-7543.diff
--- bash-4.3/debian/patches/CVE-2016-7543.diff	1970-01-01 01:00:00.000000000 +0100
+++ bash-4.3/debian/patches/CVE-2016-7543.diff	2016-10-09 17:35:21.000000000 +0200
@@ -0,0 +1,34 @@
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	4.3
+Patch-ID:	bash43-048
+
+Bug-Reported-by:	up201407890@alunos.dcc.fc.up.pt
+Bug-Reference-ID:	<20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt>
+Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html
+
+Bug-Description:
+
+If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
+and a value for $PS4 that includes a command substitution into a shell
+running as root, bash will expand the command substitution as part of
+expanding $PS4 when it executes a traced command.
+
+Patch (apply with `patch -p0'):
+
+--- a/variables.c
++++ b/variables.c
+@@ -495,7 +495,11 @@ initialize_shell_variables (env, privmod
+ #endif
+       set_if_not ("PS2", secondary_prompt);
+     }
+-  set_if_not ("PS4", "+ ");
++
++  if (current_user.euid == 0)
++    bind_variable ("PS4", "+ ", 0);
++  else
++    set_if_not ("PS4", "+ ");
+ 
+   /* Don't allow IFS to be imported from the environment. */
+   temp_var = bind_variable ("IFS", " \t\n", 0);
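Review bot: The new guard in initialize_shell_variables tests only "current_user.euid == 0", so a shell with any other effective uid still takes PS4 from the environment through set_if_not. That matches the bug description's "running as root" scope, but the patch header should say the limit is deliberate. For root, bind_variable now discards an exported PS4 on every shell start, which is a behaviour change for administrators who set PS4 for xtrace debugging and deserves a line in the changelog.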
diff -Nru bash-4.3/debian/patches/series bash-4.3/debian/patches/series
--- bash-4.3/debian/patches/series	2014-10-07 16:22:08.000000000 +0200
+++ bash-4.3/debian/patches/series	2016-10-09 17:35:21.000000000 +0200
@@ -49,3 +49,5 @@
 # no-brk-caching.diff
 use-system-texi2html.diff
 bzero.diff
+CVE-2016-0634.diff
+CVE-2016-7543.diff
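Review bot: Both files added to series here use a/ and b/ path prefixes in their inner diffs ("--- a/parse.y", "--- a/variables.c"), while their headers still read "apply with `patch -p0'"; those paths need one leading component stripped. Update the header text in both patch files, or drop the instruction, so the documentation matches how the patches actually apply.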

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---