Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 594496 (CVE-2016-0634) - <app-shells/bash-4.3_p46-r1: Arbitrary code execution via malicious hostname
Summary: <app-shells/bash-4.3_p46-r1: Arbitrary code execution via malicious hostname
Status: RESOLVED FIXED
Alias: CVE-2016-0634
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-20 10:55 UTC by Agostino Sarubbo
Modified: 2017-01-01 13:55 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-09-20 10:55:37 UTC
From ${URL} :

A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded 
\h in the prompt string.

References:

http://seclists.org/oss-sec/2016/q3/528

Ubuntu bug:

https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2016-09-20 11:12:58 UTC
IMHO bash-4.4 is way too new to start stabilization process anytime soon.
bash-4.4/readline-7.0 are even masked for testing right now.
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2016-09-20 15:02:29 UTC
commit 7722e02ff41d7e30b1e2226d0cabd4458cd6567c
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Sep 20 16:59:44 2016

    app-shells/bash: Revbump to fix CVE-2016-0634 (bug #594496).
    
    Package-Manager: portage-2.3.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


This should be fixed with =app-shells/bash-4.3_p46-r1
I gonna call stabilization tomorrow.
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2016-09-21 10:29:26 UTC
Arches please test and mark stable =app-shells/bash-4.3_p46-r1 with target KEYWORDS:

alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 4 Tobias Klausmann gentoo-dev 2016-09-21 11:30:31 UTC
Stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2016-09-21 13:18:28 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-22 13:00:55 UTC
Stable for HPPA PPC64.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2016-09-23 02:45:21 UTC
New GLSA Request filed.
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 09:07:49 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 09:23:11 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-09-29 12:39:20 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-09-29 13:15:11 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-09-29 13:31:45 UTC
ia64 stable
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-12 13:07:37 UTC
Removing unstable arches.  

@maintainer(s), please cleanup.
Comment 14 Thomas Deutschmann gentoo-dev Security 2016-12-12 19:10:53 UTC
@ Maintainer(s): Please tell us how you want to proceed with previous versions. At least our CI project found no issues when I tried to remove previous versions, see https://github.com/gentoo/gentoo/pull/3100
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:53:37 UTC
This issue was resolved and addressed in
 GLSA 201612-39 at https://security.gentoo.org/glsa/201612-39
by GLSA coordinator Aaron Bauman (b-man).
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-13 06:54:11 UTC
Reopened for cleanup...
Comment 17 Thomas Deutschmann gentoo-dev Security 2017-01-01 13:55:45 UTC
Cleanup request moved to bug 600174.