Bugzilla – Bug 1000396
VUL-1: CVE-2016-0634: bash: Arbitrary code execution via malicious hostname
Last modified: 2020-06-14 05:10:58 UTC
rh#1377613

A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string.

upstream patch: http://openwall.com/lists/oss-security/2016/09/16/18

References:
  https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
  https://bugzilla.redhat.com/show_bug.cgi?id=1377613
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0634
  http://seclists.org/oss-sec/2016/q3/528
  http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0634.html
Hmmm ... from https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

Exploit Demo :
  1) edit "/etc/hosts" to this :
       127.0.0.1 localhost
       127.0.1.1 `ls>bug`
  2) edit "/etc/hostname" to this :
       `ls>bug`
  3) reboot
  4) start a terminal
  5) Now a file with the name "bug" will be in your home folder !
  6) Change the directory to Downloads with "cd Downloads/"
  7) Now a file with the name "bug" is in your Downloads !
  8) Remove the file with "rm bug"
  9) The file "bug" is still there !

... why should root edit /etc/hostname to fool bash user if he is able to attack every person on the system?
Created attachment 693621: prompt-string-comsub.patch
The original patch from Chet
The only problem I see is foreign DHCP servers ... should this trigger an update for openSUSE 13.2, Leap 42.1 and 42.2 with SLES 12 and SLES12 SP2?
bugbot adjusting priority
(In reply to Dr. Werner Fink from comment #3)
Maybe some other vectors using namespaces might be possible, but DHCP is probably the biggest risk. We track this as VUL-1 for now, so we don't need submissions right away. But feel free to submit, we can stage them and you'll get them as a baseline upon the next mbranch.
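A defensive check for the vector discussed in this thread, as an added example that is not part of the bug report or of bash: it validates a host name (read from /etc/hostname, or equally one offered by a DHCP server) against the RFC 1123 character set before it can reach the \h prompt expansion. The function names and the sample values other than `ls>bug` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): reject host names that could
# carry shell syntax into bash's \h prompt expansion. Names are hypothetical.

# Exit 0 if $1 is an RFC 1123 host name: dot-separated labels of 1..63
# letters, digits or hyphens, no leading/trailing hyphen, 253 chars at most.
# Runs in a subshell, so the IFS, locale and noglob changes stay local.
hostname_is_safe() (
    LC_ALL=C
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || exit 1
    case $name in
        # Any byte outside the allowed set: backtick, $, >, space, newline...
        *[!A-Za-z0-9.-]*) exit 1 ;;
        # Empty labels.
        .*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -f
    for label in $name; do
        [ "${#label}" -le 63 ] || exit 1
        case $label in
            -*|*-) exit 1 ;;
        esac
    done
    exit 0
)

# Validate the first line of a host name file (default: /etc/hostname).
# Returns 0 if safe, 1 if unsafe, 2 if the file cannot be read.
check_hostname_file() {
    file=${1:-/etc/hostname}
    [ -r "$file" ] || { echo "SKIP $file: not readable"; return 2; }
    IFS= read -r value < "$file" || :   # raw read; tolerate a missing newline
    if hostname_is_safe "$value"; then
        echo "OK   $file"
        return 0
    fi
    printf 'FAIL %s: unsafe host name: %s\n' "$file" "$value"
    return 1
}

# Constructed samples; the second is the value from the demo quoted above.
for h in 'build-01.example.org' '`ls>bug`' 'web_1' '-lead.example' 'a..b'; do
    if hostname_is_safe "$h"; then verdict=ok; else verdict=REJECT; fi
    printf '%-7s %s\n' "$verdict" "$h"
done
```

The check is stricter than what the kernel accepts as a host name (it also rejects underscores), which is the point: only values that cannot contain shell syntax pass.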
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-047
This is an autogenerated message for OBS integration: This bug (1000396) was mentioned in https://build.opensuse.org/request/show/437124 13.2 / bash
openSUSE-SU-2016:2715-1: An update that solves two vulnerabilities and has one errata is now available.
  Category: security (moderate)
  Bug References: 1000396,1001299,976776
  CVE References: CVE-2016-0634,CVE-2016-7543
  Sources used:
    openSUSE 13.2 (src): bash-4.2-75.5.1
SUSE-SU-2016:2872-1: An update that solves four vulnerabilities and has one errata is now available.
  Category: security (moderate)
  Bug References: 1000396,1001299,1001759,898812,898884
  CVE References: CVE-2014-6277,CVE-2014-6278,CVE-2016-0634,CVE-2016-7543
  Sources used:
    SUSE Linux Enterprise Workstation Extension 12-SP1 (src): bash-4.2-82.1
    SUSE Linux Enterprise Software Development Kit 12-SP1 (src): bash-4.2-82.1
    SUSE Linux Enterprise Server 12-SP1 (src): bash-4.2-82.1
    SUSE Linux Enterprise Desktop 12-SP1 (src): bash-4.2-82.1
released
openSUSE-SU-2016:2961-1: An update that solves four vulnerabilities and has one errata is now available.
  Category: security (moderate)
  Bug References: 1000396,1001299,1001759,898812,898884
  CVE References: CVE-2014-6277,CVE-2014-6278,CVE-2016-0634,CVE-2016-7543
  Sources used:
    openSUSE Leap 42.1 (src): bash-4.2-81.1
SUSE-SU-2017:0302-1: An update that solves two vulnerabilities and has two fixes is now available.
  Category: security (moderate)
  Bug References: 1000396,1001299,959755,971410
  CVE References: CVE-2016-0634,CVE-2016-7543
  Sources used:
    SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bash-3.2-147.29.1
    SUSE Linux Enterprise Server 11-SP4 (src): bash-3.2-147.29.1
    SUSE Linux Enterprise Debuginfo 11-SP4 (src): bash-3.2-147.29.1
SUSE-SU-2018:1398-1: An update that solves two vulnerabilities and has one errata is now available.
  Category: security (moderate)
  Bug References: 1000396,1001299,1086247
  CVE References: CVE-2016-0634,CVE-2016-7543
  Sources used:
    SUSE OpenStack Cloud 7 (src): bash-4.3-83.10.1
    SUSE Linux Enterprise Workstation Extension 12-SP3 (src): bash-4.3-83.10.1
    SUSE Linux Enterprise Software Development Kit 12-SP3 (src): bash-4.3-83.10.1
    SUSE Linux Enterprise Server for SAP 12-SP2 (src): bash-4.3-83.10.1
    SUSE Linux Enterprise Server 12-SP3 (src): bash-4.3-83.10.1
    SUSE Linux Enterprise Server 12-SP2-LTSS (src): bash-4.3-83.10.1
    SUSE Linux Enterprise Desktop 12-SP3 (src): bash-4.3-83.10.1
    SUSE Enterprise Storage 4 (src): bash-4.3-83.10.1
    SUSE CaaS Platform ALL (src): bash-4.3-83.10.1
    OpenStack Cloud Magnum Orchestration 7 (src): bash-4.3-83.10.1
openSUSE-SU-2018:1419-1: An update that solves two vulnerabilities and has one errata is now available.
  Category: security (moderate)
  Bug References: 1000396,1001299,1086247
  CVE References: CVE-2016-0634,CVE-2016-7543
  Sources used:
    openSUSE Leap 42.3 (src): bash-4.3-83.6.1
SUSE-SU-2018:1398-2: An update that solves two vulnerabilities and has one errata is now available.
  Category: security (moderate)
  Bug References: 1000396,1001299,1086247
  CVE References: CVE-2016-0634,CVE-2016-7543
  Sources used:
    SUSE Linux Enterprise Server 12-SP2-BCL (src): bash-4.3-83.10.1