Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <[email protected]>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #840379,
regarding jessie-pu: package bash/4.3-11+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
840379: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840379
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hi Stable release managers,
X-Debbugs-CC Matthias Klose <[email protected]> if he agrees, or would like
me to drop it in case he would like to do the upload himself.
bash in Stable is affected by
CVE-2016-0634: Arbitrary code execution via malicious hostname
and
CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows
command substitution
which both are considered no-dsa (actually the first one unimportant,
thus it's not tagged no-dsa in the security tracker). I have prepared
an update for bash picking the two upstream patches for the 4.3 branch.
Attached is the debdiff.
Would it be acceptable for the/an upcoming Jessie point release?
Regards,
Salvatore
diff -Nru bash-4.3/debian/changelog bash-4.3/debian/changelog
--- bash-4.3/debian/changelog 2014-10-07 16:22:00.000000000 +0200
+++ bash-4.3/debian/changelog 2016-10-09 17:35:21.000000000 +0200
@@ -1,3 +1,12 @@
+bash (4.3-11+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2016-0634: Arbitrary code execution via malicious hostname
+ * CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows command
+ substitution
+
+ -- Salvatore Bonaccorso <[email protected]> Sun, 09 Oct 2016 17:35:21 +0200
+
bash (4.3-11) unstable; urgency=medium
* Apply upstream patches 028 - 030.
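Review bot: the two CVE bullets in the new changelog entry name the issues but not the upstream patches being pulled in; since the patch files in this debdiff are the upstream bash43-047 and bash43-048 reports verbatim, record that here (e.g. `* CVE-2016-0634: Arbitrary code execution via malicious hostname (upstream patch bash43-047)`) so provenance is auditable from the changelog alone. Minor wording: "variables allows" in the CVE-2016-7543 bullet should read "variables allow".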
diff -Nru bash-4.3/debian/patches/CVE-2016-0634.diff bash-4.3/debian/patches/CVE-2016-0634.diff
--- bash-4.3/debian/patches/CVE-2016-0634.diff 1970-01-01 01:00:00.000000000 +0100
+++ bash-4.3/debian/patches/CVE-2016-0634.diff 2016-10-09 17:35:21.000000000 +0200
@@ -0,0 +1,109 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.3
+Patch-ID: bash43-047
+
+Bug-Reported-by: Bernd Dietzel
+Bug-Reference-ID:
+Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025
+
+Bug-Description:
+
+Bash performs word expansions on the prompt strings after the special
+escape sequences are expanded. If a malicious user can modify the system
+hostname or change the name of the bash executable and coerce a user into
+executing it, and the new name contains word expansions (including
+command substitution), bash will expand them in prompt strings containing
+the \h or \H and \s escape sequences, respectively.
+
+Patch (apply with `patch -p0'):
+
+--- a/parse.y
++++ b/parse.y
+@@ -5251,7 +5251,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+ int result_size, result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -5399,7 +5399,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -5489,9 +5493,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
+--- a/y.tab.c
++++ b/y.tab.c
+@@ -7563,7 +7563,7 @@ decode_prompt_string (string)
+ #if defined (PROMPT_STRING_DECODE)
+ int result_size, result_index;
+ int c, n, i;
+- char *temp, octal_string[4];
++ char *temp, *t_host, octal_string[4];
+ struct tm *tm;
+ time_t the_time;
+ char timebuf[128];
+@@ -7711,7 +7711,11 @@ decode_prompt_string (string)
+
+ case 's':
+ temp = base_pathname (shell_name);
+- temp = savestring (temp);
++ /* Try to quote anything the user can set in the file system */
++ if (promptvars || posixly_correct)
++ temp = sh_backslash_quote_for_double_quotes (temp);
++ else
++ temp = savestring (temp);
+ goto add_string;
+
+ case 'v':
+@@ -7801,9 +7805,17 @@ decode_prompt_string (string)
+
+ case 'h':
+ case 'H':
+- temp = savestring (current_host_name);
+- if (c == 'h' && (t = (char *)strchr (temp, '.')))
++ t_host = savestring (current_host_name);
++ if (c == 'h' && (t = (char *)strchr (t_host, '.')))
+ *t = '\0';
++ if (promptvars || posixly_correct)
++ /* Make sure that expand_prompt_string is called with a
++ second argument of Q_DOUBLE_QUOTES if we use this
++ function here. */
++ temp = sh_backslash_quote_for_double_quotes (t_host);
++ else
++ temp = savestring (t_host);
++ free (t_host);
+ goto add_string;
+
+ case '#':
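Review bot: the new patch file carries only the upstream BASH PATCH REPORT header and no DEP-3 fields, so the Debian patch tracker cannot tell where it came from; add an `Origin: upstream, bash43-047` line (and a `Bug-Debian:` line if one exists) at the top. On the substance, the `\s` and `\h`/`\H` values are passed through `sh_backslash_quote_for_double_quotes` only when `promptvars || posixly_correct`, which is exactly the condition under which the prompt is later word-expanded, and the `t_host` temporary is freed on both branches, so the change is consistent and does not leak. Note that the identical change appears twice, in parse.y and in the pregenerated y.tab.c: if the Debian build regenerates y.tab.c with bison the second copy is redundant but harmless, and if it does not, the two must stay in sync, so keep them identical in any future refresh.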
diff -Nru bash-4.3/debian/patches/CVE-2016-7543.diff bash-4.3/debian/patches/CVE-2016-7543.diff
--- bash-4.3/debian/patches/CVE-2016-7543.diff 1970-01-01 01:00:00.000000000 +0100
+++ bash-4.3/debian/patches/CVE-2016-7543.diff 2016-10-09 17:35:21.000000000 +0200
@@ -0,0 +1,34 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 4.3
+Patch-ID: bash43-048
+
+Bug-Reported-by: [email protected]
+Bug-Reference-ID: <[email protected]>
+Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html
+
+Bug-Description:
+
+If a malicious user can inject a value of $SHELLOPTS containing `xtrace'
+and a value for $PS4 that includes a command substitution into a shell
+running as root, bash will expand the command substitution as part of
+expanding $PS4 when it executes a traced command.
+
+Patch (apply with `patch -p0'):
+
+--- a/variables.c
++++ b/variables.c
+@@ -495,7 +495,11 @@ initialize_shell_variables (env, privmod
+ #endif
+ set_if_not ("PS2", secondary_prompt);
+ }
+- set_if_not ("PS4", "+ ");
++
++ if (current_user.euid == 0)
++ bind_variable ("PS4", "+ ", 0);
++ else
++ set_if_not ("PS4", "+ ");
+
+ /* Don't allow IFS to be imported from the environment. */
+ temp_var = bind_variable ("IFS", " \t\n", 0);
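Review bot: the root branch changes behaviour for every shell with `current_user.euid == 0`, not only the injection case: `bind_variable ("PS4", "+ ", 0)` unconditionally overwrites any PS4 inherited from the environment, so a root user who exports PS4 for debugging will now silently get the default `+ ` until it is set inside the shell. That is the intended hardening, but it is user-visible in a stable update and deserves a sentence in the changelog or a NEWS entry. It is also worth stating in the patch header that SHELLOPTS (and therefore xtrace) is still imported as before and only the PS4 expansion vector is closed, so the description matches what the code does. Same DEP-3 remark as for CVE-2016-0634.diff: add an `Origin: upstream, bash43-048` line.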
diff -Nru bash-4.3/debian/patches/series bash-4.3/debian/patches/series
--- bash-4.3/debian/patches/series 2014-10-07 16:22:08.000000000 +0200
+++ bash-4.3/debian/patches/series 2016-10-09 17:35:21.000000000 +0200
@@ -49,3 +49,5 @@
# no-brk-caching.diff
use-system-texi2html.diff
bzero.diff
+CVE-2016-0634.diff
+CVE-2016-7543.diff
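Review bot: the two new entries are appended after bzero.diff, so they apply on top of all existing Debian patches; the 4.3-11 changelog above shows upstream patches only up to 030, while bash43-047/048 were cut against the fully patched upstream 4.3 tree, so hunk line numbers such as `@@ -5251,7 +5251,7 @@` may not match the Debian source exactly. Check the build log for quilt reporting offsets or fuzz, and refresh the patches with `quilt refresh` if it does, so they apply cleanly on the stable tree.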
--- End Message ---
--- Begin Message ---
Version: 8.7
Hi,
Each of these bugs refers to an update that was included in today's 8.7
point release.
Regards,
Adam
--- End Message ---