Date: Wed, 8 Feb 2017 00:00:24 +0100
From: Jens Heyens <>
Cc: Ben Stock <>
Subject: CVE Request - Code execution vulnerability in GNU/bash v4.4


we would like to request a CVE ID for a vulnerability in GNU/bash
version 4.4, discovered on 2017-01-17. The issue has been fixed.
A detailed description can be found in our report (available at | direct link

In short: We can create a file with a specially crafted file name. A
user trying to use bash's path completion feature ('TAB-completion') on
this file will execute shell code without any additional actions taken.

The issue was reported on 2017-01-17; a fix was added to the
git master branch on 2017-01-20 by GNU/bash maintainer Chet Ramey
(Commit ID 4f747edc625815f449048579f6e65869914dd715, available at


Jens Heyens

Additional information as requested on the disclosure wiki:

1. Email address of requester (so we can contact them),
2. Software name and optionally vendor name
3. At least one of (to determine if this is a security issue):
  -  Type of vulnerability
	arbitrary code execution
  -  Exploitation vectors
	local, drive-by downloads, anything able to name files anywhere
  -  Attack outcome
	system compromised?
4. For Open Source at least one of:
  -  Link to vulnerable source code or fix
  -  Link to source code change log
  -  Link to security advisory
	Original report:
  -  Link to bug entry
	in GNU/Savannah, but it's a non-public issue
  -  Request comes from project member (a.k.a. “trust me, it's a problem”)
5. Affected version(s) (3.2.4, 3.x, current version, all current
releases, something)
	>4.3, <4.4-patch7
6. Whether or not this has been previously requested (i.e. on OSS-Sec or
to cve-assign)
	Yes, but we did not receive any information at all for three weeks.
Full story (and the advice to write to this list) here:
7. Is this an Open Source or commercial software request
	Yes, GPLed
8. Is this an embargoed issue (if yes and commercial: send to
cve-assign, if yes and open source: send to distros@?)
	I wouldn't think so
9. If multiple issues are listed please list affected versions for each
issue and/or who reported them (so we can determine CVE split/merge).
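
A triage sketch for the report above, added here as an example and not part of the original message: it checks a bash version string against the affected range given in item 5 and lists file names carrying shell-special characters. The function names are hypothetical, the range is read as 4.4 with patch level 0 through 6, and the character set is an assumption because the message does not say what the crafted name contains.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Return 0 if a bash version string falls in the range the report gives
# (">4.3, <4.4-patch7"), read here as 4.4 with patch level 0 through 6.
bash_in_reported_range() (
    v=${1%%[!0-9.]*}            # "4.4.5(1)-release" -> "4.4.5"
    IFS=.
    set -- $v                   # split on dots; v holds only digits and dots
    major=${1:-} minor=${2:-} patch=${3:-0}
    [ "$major" = 4 ] && [ "$minor" = 4 ] && [ "$patch" -lt 7 ]
)

# Print entries under DIR whose names contain characters the shell uses for
# command substitution or quoting. Assumption: the message does not state
# which characters the crafted name uses, so this set is a conservative guess.
risky_names() {
    find "$1" \( -name '*`*' -o -name '*$(*' -o -name '*"*' \) -print
}

# Constructed sample data: a scratch directory with two ordinary names and
# two names that the audit should flag. Prints the number of flagged entries.
demo_count() (
    d=$(mktemp -d) || exit 1
    : > "$d"/'report.txt'
    : > "$d"/'plain name.txt'
    : > "$d"/'notes`.txt'
    : > "$d"/'x$(y).log'
    n=$(risky_names "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$n"
)

# Stand-alone use: report on a version string and directory given as arguments.
if [ "$#" -ge 2 ]; then
    if bash_in_reported_range "$1"; then
        echo "bash $1 is inside the reported range"
    fi
    risky_names "$2"
fi
```

Run it as `sh audit.sh "$BASH_VERSION" /path/to/dir` from a bash session; flagged names are a prompt for inspection, not proof of a crafted file.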
