RE: GNU Bash profile code execution vulnerability enquiry

2020-10-29 Thread Rachel Alderman
Thanks Chet and Greg for your swift replies. I'll park it as a non-vulnerability.

Regards
Rachel

Rachel Alderman
IBM Cloud Kubernetes Security Compliance 
IBM United Kingdom Limited,
Mailpoint 211, Hursley,
Winchester, SO21 2JN.
Email: rachel_alder...@uk.ibm.com

I work part-time and my working days are Wednesday, Thursday and Friday.

IBM United Kingdom Limited 
Registered in England and Wales with number 741598 
Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU 
From:   Chet Ramey 
To: Rachel Alderman , bug-bash@gnu.org
Cc: chet.ra...@case.edu
Date:   28/10/2020 18:21
Subject: [EXTERNAL] Re: GNU Bash profile code execution vulnerability enquiry
On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
> 
> I've been made aware of a GNU Bash profile code execution vulnerability
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary
> code on the system, caused by improper access control by the Bash profile.
> By persuading a victim to open the Bash terminal, an attacker could
> exploit this vulnerability to execute arbitrary code on the system.

Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this does
not constitute a bash vulnerability.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
  ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 
741598. 
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
smime.p7s
Description: S/MIME Cryptographic Signature
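Chet's point is that a profile only becomes dangerous when someone other than its owner can write it, which is a file-permission problem rather than a bash one. The audit below is added here and is not part of the thread or of bash itself; it checks bash's standard startup files for exactly that precondition. The function names are made up for this example, and the system-wide file list is the usual Debian and Red Hat set.

```shell
#!/bin/bash
# Added audit for the precondition Chet's reply names: a startup file that
# someone other than its owner can write. Function names are hypothetical.

# Return 0 when FILE is absent (bash just skips it) or is owned by OWNER and
# writable by that owner only; return 1 and print a finding otherwise.
check_startup_file() {
    local file=$1 owner=$2 mode fowner
    [ -e "$file" ] || return 0
    # ls -ld rather than stat: its first fields look the same on GNU and BSD
    mode=$(ls -ld "$file" | cut -c1-10)         # e.g. -rw-r--r--
    fowner=$(ls -ld "$file" | awk '{print $3}')
    if [ "$fowner" != "$owner" ]; then
        echo "BAD  $file: owned by $fowner, expected $owner" >&2
        return 1
    fi
    case $mode in
        ?????w*|????????w*)   # 'w' in the group (6th) or other (9th) column
            echo "BAD  $file: mode $mode lets non-owners write it" >&2
            return 1 ;;
    esac
    echo "OK   $file ($mode $fowner)" >&2
    return 0
}

# Check every file bash may source for USER (home directory HOME_DIR) and
# the system-wide files, which must belong to root. Exit status is the
# number of files that failed, so 0 means nothing to fix.
audit_startup_files() {
    local user=$1 home=$2 bad=0 f
    for f in "$home/.bash_profile" "$home/.bash_login" "$home/.profile" \
             "$home/.bashrc" "$home/.bash_logout"; do
        check_startup_file "$f" "$user" || bad=$((bad + 1))
    done
    # /etc/bash.bashrc (Debian) and /etc/bashrc (Red Hat) vary by distribution
    for f in /etc/profile /etc/bash.bashrc /etc/bashrc; do
        check_startup_file "$f" root || bad=$((bad + 1))
    done
    return "$bad"
}

# Run against the current account; the count is reported, not treated as fatal
audit_startup_files "$(id -un)" "$HOME" || echo "$? file(s) need attention" >&2
```

A file that is flagged is not proof of compromise, only that the write-access condition Chet describes is met and the file's contents deserve a look.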


GNU Bash profile code execution vulnerability enquiry

2020-10-28 Thread Rachel Alderman
Hi Bash Maintainers,

I've been made aware of a GNU Bash profile code execution vulnerability 
https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last 
December (2019-12-16)
Description: GNU Bash could allow a remote attacker to execute arbitrary 
code on the system, caused by improper access control by the Bash profile. 
By persuading a victim to open the Bash terminal, an attacker could 
exploit this vulnerability to execute arbitrary code on the system. 
https://packetstormsecurity.com/files/155687
CVSS Base Score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
There is no CVE identifier associated with the vulnerability and I've been
unable to determine whether there is a remediation available. Is anyone
aware of this vulnerability and where it may be tracked in GNU Bash?

Many Thanks
Rachel

Rachel Alderman
IBM Cloud Kubernetes Security Compliance 
IBM United Kingdom Limited,
Mailpoint 211, Hursley,
Winchester, SO21 2JN.
Email: rachel_alder...@uk.ibm.com
