Date: Fri, 16 Sep 2016 17:16:06 +0100 From: John Haxby <john.haxby@...cle.com> To: oss-security@...ts.openwall.com Cc: chet.ramey@...e.edu Subject: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Hello All, A little while ago, one of our users discovered that by setting the hostname to $(something unpleasant), bash would run "something unpleasant" when it expanded \h in the prompt string. We informed Chet (cc'd) and this has been fixed in the recently announced bash-4.4. I believe the fix in parse.y is this (Chet, please correct me if I'm wrong): -------------------- @@ -5569,9 +5703,17 @@ decode_prompt_string (string) case 'h': case 'H': - temp = savestring (current_host_name); - if (c == 'h' && (t = (char *)strchr (temp, '.'))) + t_host = savestring (current_host_name); + if (c == 'h' && (t = (char *)strchr (t_host, '.'))) *t = '\0'; + if (promptvars || posixly_correct) + /* Make sure that expand_prompt_string is called with a + second argument of Q_DOUBLE_QUOTES if we use this + function here. */ + temp = sh_backslash_quote_for_double_quotes (t_host); + else + temp = savestring (t_host); + free (t_host); goto add_string; case '#': -------------------- There is a related fix (but not one necessarily covered by CVE-2016-0634): -------------------- @@ -5479,7 +5609,11 @@ decode_prompt_string (string) case 's': temp = base_pathname (shell_name); - temp = savestring (temp); + /* Try to quote anything the user can set in the file system */ + if (promptvars || posixly_correct) + temp = sh_backslash_quote_for_double_quotes (temp); + else + temp = savestring (temp); goto add_string; case 'v': -------------------- I appreciate that it's relatively difficult to set the hostname to a string of your choosing but there are plenty of helpful agents that will call sethostname(2) on your behalf. jch
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ