https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c1 --- Comment #1 from L. A. Walsh 2013-03-08 18:00:06 PST --- This is a security bug and needs to be fixed. I don't see how to mark this bug as a security bug and have it closed off to the public though, so am not sure I should explain the details, but they are rocket science... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c2 --- Comment #2 from L. A. Walsh 2013-03-08 18:10:33 PST --- oops.. insert 'not' as 3rd word to the end of last comment ;-) see bug #808499 for me details. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c4 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com, | |security-team@suse.de AssignedTo|security-team@suse.de |werner@suse.com --- Comment #4 from Marcus Meissner 2013-03-09 13:49:50 UTC --- This does not look like a security bug, more a question of shell standard compliance. Lets ask Werner. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c6 --- Comment #6 from L. A. Walsh 2013-03-09 06:25:29 PST --- Since the bug marked as non-public was closed, I'll copy the parts that make this security relevant here. f a user has shell 'rbash', and has any means to create a file and execute it, The following script in a file will give them an unrestricted shell. (not root, but if the intent was to restrict the user, this patch breaks it). I would strongly suggest not including the patch in the bash-rpm sources called "bash-3.2-longjmp.dif" that patches bash source file execute_cmd.c to ignore the shell the user started with and execute any new, script source that doesn't start with "#!...", under /bin/sh. This elevates restricted users to a non restricted shell. ----script------ # see what we can do w/suse's patch echo in script, 0=$0, exec /bin/bash -i -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c8 --- Comment #8 from L. A. Walsh 2013-03-11 02:39:53 PDT --- Werner, if the user's shell is a restricted shell like rbash, you claim that elevating them to a non-restricted shell is not a security issue? You want me to ask around on the BASH list for you? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c10 --- Comment #10 from L. A. Walsh 2013-03-11 02:57:30 PDT --- Werner said: "Otherwise tcsh users or users with any other shell not identical with the bash will run into trouble." I'm a bash user and I'm running into trouble because you are NOT running bash. If you had run BASH I wouldn't have noticed the problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c12 --- Comment #12 from L. A. Walsh 2013-03-11 09:54:27 PDT --- Why is there a pressing need to maintain a 5 year old patch against a new version where it is no longer applicable. The patch **admittedly** was to fix a problem that only occurred on SuSE linux where a hang or SEGV happened. One has to ask, why was this a problem only on SuSE?? The likely answer is some other SuSE-only patch, possibly in a linked library, where Suse has changed the normal behavior. This isn't the first time I've seen a suse patch change standard behavior based on the developer's whimsy. It happens often enough, that when I first mentioned this problem on the Bash list, a response indicated that I shouldn't be surprised by non-standard behavior given that I was running Suse. The justification for adding the patch was a suse-only bug. Then the first justification for not removing it 5 years later, was that even though the bug was no longer present in the current version, the code might protect against future problems of the same type -- a horrible reason to patch an upstream product and a good reason to never get rid of any patches and end up with code that acts nothing like people expect upstream products to behave. Now it's being justified that it should be kept on the specious claim that it doesn't strictly go against POSIX requirements -- ignoring the fact that it shouldn't have been necessary in the first place, and the fact that it is no longer needed. Adding injury to malpractice, if the user is running under rsh or rbash, and excutes a header script, their shell is reset. allowing them access to an unrestricted shell. What research is needed to verify that other than trying it with a simple test case, I don't know, but as Werner and others don't think it's a problem, maybe he's right, and escalation of privilege out of a restricted shell isn't regarded as a security problem. I'll have to ask around... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c14 Sebastian Krahmer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #14 from Sebastian Krahmer 2013-03-18 08:46:40 UTC --- Security team has have reviewed the rbash vector and consider it not relevant. rbash is not really a security protection anyway (think perl -e 'system("./a.out");') Also werner has submitted a bash that disables the patch for openSUSE Factory. closing -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c16 --- Comment #16 from Bernhard Wiedemann 2013-03-21 14:01:03 CET --- This is an autogenerated message for OBS integration: This bug (806628) was mentioned in https://build.opensuse.org/request/show/160437 Factory / bash -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=806628 https://bugzilla.novell.com/show_bug.cgi?id=806628#c18 --- Comment #18 from Swamp Workflow Management 2013-07-29 13:06:32 UTC --- openSUSE-RU-2013:1271-1: An update that has 7 recommended fixes can now be installed. Category: recommended (low) Bug References: 382214,763591,793536,804551,806628,820149,828877 CVE References: Sources used: openSUSE 12.2 (src): bash-4.2-51.13.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.