Date: Wed, 8 Feb 2017 00:00:24 +0100
From: Jens Heyens <jens.heyens@...pa.saarland>
To: oss-security@...ts.openwall.com
Cc: Ben Stock <stock@...uni-saarland.de>
Subject: CVE Request - Code execution vulnerability in GNU/bash v4.4 autocompletion

Hi,

We would like to request a CVE ID for a vulnerability in GNU/bash
version 4.4, discovered on 2017-01-17. The issue has been fixed.
A detailed description can be found in our report (available at
https://github.com/jheyens/bash_completion_vuln | direct link
https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
).

In short: We can create a file with a specially crafted file name. A
user trying to use bash's path completion feature ('TAB-completion') on
this file will execute shell code without any additional actions taken.

The issue was reported on 2017-01-17; a fix was added to the
git master branch on 2017-01-20 by GNU/bash maintainer Chet Ramey
(Commit ID 4f747edc625815f449048579f6e65869914dd715, available at
http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715
).


Sincerely,

Jens Heyens
CISPA

Additional information as requested on the disclosure wiki:

1. Email address of requester (so we can contact them)
	jens.heyens@...pa.saarland,  stock@...uni-saarland.de
2. Software name and optionally vendor name
	GNU/bash
3. At least one of (to determine whether this is a security issue):
  -  Type of vulnerability
	arbitrary code execution
  -  Exploitation vectors
	local, drive-by downloads, anything able to name files anywhere
  -  Attack outcome
	system compromised?
4. For Open Source at least one of:
  -  Link to vulnerable source code or fix
	Fix:
http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715
  -  Link to source code change log
	N/A
  -  Link to security advisory
	Original report:
https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
  -  Link to bug entry
	in GNU/Savannah, but it's a non-public issue
  -  Request comes from project member (a.k.a. “trust me, it's a problem”)
	No.
5. Affected version(s) (3.2.4, 3.x, current version, all current
releases, something)
	>4.3, <4.4-patch7
6. Whether or not this has been previously requested (i.e. on OSS-Sec or
to cve-assign)
	Yes, but we did not receive any information at all for three weeks.
Full story (and the advice to write to this list) here:
https://www.reddit.com/r/security/comments/5slvtu/how_do_i_request_a_cve_id_for_a_gnubash/
7. Is this an Open Source or commercial software request
	Yes, GPLed
8. Is this an embargoed issue (if yes and commercial: send to
cve-assign, if yes and open source: send to distros@?)
	I wouldn't think so
9. If multiple issues are listed please list affected versions for each
issue and/or who reported them (so we can determine CVE split/merge).
	No
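The affected range stated in item 5 above (">4.3, <4.4-patch7") is easy to misread when checking hosts by hand, so the following added example (not part of the original e-mail or of the bash project) turns it into a small POSIX shell check. It takes the three numbers that bash exposes in BASH_VERSINFO (major, minor, patch level); the check_installed_bash helper and its wording are assumptions made for this illustration.

```shell
#!/bin/sh
# Classify a bash version against the range given in the report:
# affected if newer than 4.3 and older than 4.4 patch 7.
# Arguments: major minor patchlevel (as in BASH_VERSINFO[0], [1], [2]).
# Returns 0 when the version is inside the affected range, 1 otherwise.
bash_affected() {
    major=$1; minor=$2; patch=$3
    # 4.3 and anything older lie outside the reported range.
    if [ "$major" -lt 4 ]; then return 1; fi
    if [ "$major" -eq 4 ] && [ "$minor" -le 3 ]; then return 1; fi
    # 4.4 with a patch level below 7 is the affected release series.
    if [ "$major" -eq 4 ] && [ "$minor" -eq 4 ] && [ "$patch" -lt 7 ]; then
        return 0
    fi
    # 4.4 patch 7 and later (and any newer series) carry the fix.
    return 1
}

# Query the bash found on this host and print a verdict (hypothetical helper;
# it assumes a bash binary is on PATH and prints nothing otherwise).
check_installed_bash() {
    bash -c 'printf "%s %s %s\n" "${BASH_VERSINFO[0]}" "${BASH_VERSINFO[1]}" "${BASH_VERSINFO[2]}"' 2>/dev/null |
    while read -r maj min pat; do
        if bash_affected "$maj" "$min" "$pat"; then
            echo "bash $maj.$min.$pat: inside the reported range, update to 4.4 patch 7 or later"
        else
            echo "bash $maj.$min.$pat: outside the reported range"
        fi
    done
}
```

Run check_installed_bash on a host to get a one-line verdict; the classification itself lives in bash_affected so it can be reused in an inventory script that reads version triples from a file instead of the local binary.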