Date: Wed, 8 Feb 2017 00:00:24 +0100 From: Jens Heyens <jens.heyens@...pa.saarland> To: oss-security@...ts.openwall.com Cc: Ben Stock <stock@...uni-saarland.de> Subject: CVE Request - Code execution vulnerability in GNU/bash v4.4 autocompletion Hi, we would like to request a CVE ID for a vulnerability in GNU/bash version 4.4, discovered on 2017-01-17. The issue has been fixed. A detailed description can be found in our report (available at https://github.com/jheyens/bash_completion_vuln | direct link https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf ). In short: We can create a file with a specially crafted file name. A user trying to use bash' path completion feature ('TAB-completion') on this file will execute shell code without any additional actions taken. The issue has been reported on 2017-01-17, a fix has been added to the git's master branch on 2017-01-20 by GNU/bash maintainer Chet Ramey (Commit ID 4f747edc625815f449048579f6e65869914dd715, available at http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715 ). Sincerely, Jens Heyens CISPA Additional information as requested on the disclosure wiki: 1. Email address of requester (so we can contact them) jens.heyens@...pa.saarland, stock@...uni-saarland.de 2. Software name and optionally vendor name GNU/bash 3. At least one of (to determine is this a security issue): - Type of vulnerability arbitrary code execution - Exploitation vectors local, drive-by downloads, anything able to name files anywhere - Attack outcome system compromised? 4. For Open Source at least one of: - Link to vulnerable source code or fix Fix: http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715 - Link to source code change log N/A - Link to security advisory Original report: https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf - Link to bug entry in GNU/Savannah, but it's a non-public issue - Request comes from project member (a.k.a. “trust me, it's a problem”) No. 5. Affected version(s) (3.2.4, 3.x, current version, all current releases, something) >4.3, <4.4-patch7 6. Whether or not this has been previously requested (i.e. on OSS-Sec or to cve-assign) Yes, but we did not receive any information at all for three weeks. Full story (and the advice to write to this list) here: https://www.reddit.com/r/security/comments/5slvtu/how_do_i_request_a_cve_id_for_a_gnubash/ 7. Is this an Open Source or commercial software request Yes, GPLed 8. Is this an embargoed issue (if yes and commercial: send to cve-assign, if yes and open source: send to distros@?) I wouldn't think so 9. If multiple issues are listed please list affected versions for each issue and/or who reported them (so we can determine CVE split/merge). No Download attachment "signature.asc" of type "application/pgp-signature" (871 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ