Date: Tue, 20 Sep 2016 09:29:55 +0100
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Cc: Jan Schaumann <jschauma@...meister.org>,
 "chet.ramey" <chet.ramey@...e.edu>
Subject: Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME

> On 19 Sep 2016, at 19:32, Seth Arnold <seth.arnold@...onical.com> wrote:
>
> On Sun, Sep 18, 2016 at 08:06:57PM +0100, John Haxby wrote:
>>>>> A little while ago, one of our users discovered that by setting the
>>>>> hostname to $(something unpleasant), bash would run "something
>>>>> unpleasant" when it expanded \h in the prompt string.
>>>
>>> This issue has been public since October, 2015 in Ubuntu's bug tracking
>>> system.
>>>
>>
>> Yes, the message was more to let people know that CVE-2016-0634 had
>> been assigned for this issue. Do you have a link to the Ubuntu issue
>> and a different CVE number?
>
> Hello John; we did not assign a CVE number for this issue.
>
> Bernd Dietzel reported it at:
> https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

Thanks. CVE-2016-0634 can stand then.

[The internal process we follow for acquiring CVEs is heavily oriented
towards closed source so my apologies for not bringing this forward
sooner.]

jch
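
A defender-side check for the condition described in the quoted report, added here as an example (it is not part of the original message, of bash, or of any vendor fix): it flags a hostname containing anything outside plain RFC 1123 hostname characters when the prompt string expands the hostname. The function names and the sample hostnames are constructed for illustration.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, sample values are constructed.
LC_ALL=C; export LC_ALL   # keep the bracket ranges below ASCII-only

# Succeeds only for names made of RFC 1123 labels: letters, digits and
# '-', labels of 1..63 characters separated by '.', 253 characters in total.
is_safe_hostname() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        # '$', '(', ')', backquote, ';', whitespace and so on all land here.
        *[!A-Za-z0-9.-]*|*.) return 1 ;;
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        [ "${#label}" -ge 1 ] && [ "${#label}" -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    return 0
}

# Succeeds if a bash prompt string uses \h (short hostname) or \H (full hostname).
prompt_expands_hostname() {
    case $1 in
        *'\h'*|*'\H'*) return 0 ;;
    esac
    return 1
}

# Arguments: hostname, prompt string. Fails when the prompt expands the
# hostname and the hostname is not a plain RFC 1123 name.
audit_prompt_hostname() {
    if prompt_expands_hostname "$2" && ! is_safe_hostname "$1"; then
        echo "WARN: hostname '$1' contains characters a shell could expand" >&2
        return 1
    fi
    return 0
}

# Constructed samples; the second has the shape quoted in the thread.
for h in 'build01.example.org' 'host$(something unpleasant)'; do
    if audit_prompt_hostname "$h" '\u@\h:\w\$ '; then
        echo "ok: $h"
    else
        echo "flagged: $h"
    fi
done
```

On a live system the same check can be run as `audit_prompt_hostname "$(hostname)" "$PS1"` from an interactive bash session.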