Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Sep 2016 17:16:06 +0100
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: CVE-2016-0634 -- bash prompt expanding $HOSTNAME

Hello All,

A little while ago, one of our users discovered that by setting the
hostname to $(something unpleasant), bash would run "something
unpleasant" when it expanded \h in the prompt string.

We informed Chet (cc'd) and this has been fixed in the recently
announced bash-4.4.

I believe the fix in parse.y is this (Chet, please correct me if I'm wrong):

--------------------
@@ -5569,9 +5703,17 @@ decode_prompt_string (string)

 	    case 'h':
 	    case 'H':
-	      temp = savestring (current_host_name);
-	      if (c == 'h' && (t = (char *)strchr (temp, '.')))
+	      t_host = savestring (current_host_name);
+	      if (c == 'h' && (t = (char *)strchr (t_host, '.')))
 		*t = '\0';
+	      if (promptvars || posixly_correct)
+		/* Make sure that expand_prompt_string is called with a
+		   second argument of Q_DOUBLE_QUOTES if we use this
+		   function here. */
+		temp = sh_backslash_quote_for_double_quotes (t_host);
+	      else
+		temp = savestring (t_host);
+	      free (t_host);
 	      goto add_string;

 	    case '#':
--------------------

There is a related fix (but not one necessarily covered by CVE-2016-0634):

--------------------
@@ -5479,7 +5609,11 @@ decode_prompt_string (string)

 	    case 's':
 	      temp = base_pathname (shell_name);
-	      temp = savestring (temp);
+	      /* Try to quote anything the user can set in the file system */
+	      if (promptvars || posixly_correct)
+		temp = sh_backslash_quote_for_double_quotes (temp);
+	      else
+		temp = savestring (temp);
 	      goto add_string;

 	    case 'v':
--------------------

I appreciate that it's relatively difficult to set the hostname to a
string of your choosing but there are plenty of helpful agents that will
call sethostname(2) on your behalf.

jch

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ