Date: Tue, 20 Sep 2016 09:29:55 +0100
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Cc: Jan Schaumann <jschauma@...meister.org>,
        "chet.ramey" <chet.ramey@...e.edu>
Subject: Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME


> On 19 Sep 2016, at 19:32, Seth Arnold <seth.arnold@...onical.com> wrote:
> 
> On Sun, Sep 18, 2016 at 08:06:57PM +0100, John Haxby wrote:
>>>>> A little while ago, one of our users discovered that by setting the
>>>>> hostname to $(something unpleasant), bash would run "something
>>>>> unpleasant" when it expanded \h in the prompt string.
>>> 
>>> This issue has been public since October, 2015 in Ubuntu's bug tracking
>>> system.
>>> 
>> 
>> Yes, the message was more to let people know that CVE-2016-0634 had
>> been assigned for this issue. Do you have a link to the Ubuntu issue
>> and a different CVE number?
> 
> Hello John; we did not assign a CVE number for this issue.
> 
> Bernd Dietzel reported it at:
> https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

Thanks. CVE-2016-0634 can stand then.

[The internal process we follow for acquiring CVEs is heavily oriented towards closed source so my apologies for not bringing this forward sooner.]

jch
