Thanks Chet and Greg for your swift replies. I'll park it as a non-vulnerability.
Regards
Rachel

Rachel Alderman
IBM Cloud Kubernetes Security Compliance
IBM United Kingdom Limited, Mailpoint 211, Hursley, Winchester, SO21 2JN.
Email: rachel_alder...@uk.ibm.com

I work part-time and my working days are Wednesday, Thursday and Friday.

IBM United Kingdom Limited Registered in England and Wales with number 741598 Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU

From: Chet Ramey <chet.ra...@case.edu>
To: Rachel Alderman <rachel_alder...@uk.ibm.com>, bug-bash@gnu.org
Cc: chet.ra...@case.edu
Date: 28/10/2020 18:21
Subject: [EXTERNAL] Re: GNU Bash profile code execution vulnerability enquiry

On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
>
> I've been made aware of a GNU Bash profile code execution vulnerability
> https://urldefense.proofpoint.com/v2/url?u=https-3A__exchange.xforce.ibmcloud.com_vulnerabilities_173116&d=DwICaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=n8y5uKM5g4nhsINWSXY-6PahOH6ZD7tHCCCT1n2Jwds&m=dD-fw0FFUuB8yk2vU9EDQMfpw9sR_9KXp1y1wqryDuI&s=exih7GRA372ne8AH5dBECaDKdYkAJ0DaOWfwxMExcFc&e= reported last
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary
> code on the system, caused by improper access control by the Bash profile.
> By persuading a victim to open the Bash terminal, an attacker could
> exploit this vulnerability to execute arbitrary code on the system.

Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this
does not constitute a bash vulnerability.

Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu https://urldefense.proofpoint.com/v2/url?u=http-3A__tiswww.cwru.edu_-7Echet_&d=DwICaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=n8y5uKM5g4nhsINWSXY-6PahOH6ZD7tHCCCT1n2Jwds&m=dD-fw0FFUuB8yk2vU9EDQMfpw9sR_9KXp1y1wqryDuI&s=NRtTflYJyUK8VIImivppfYCSpSg7Nt65PYReNZRAiI0&e=
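
The reply above places the exposure in who has write access to a user's profile file, not in bash reading it at startup. As an added example (not part of the thread and not code from the bash project), this POSIX sh script reports startup files whose owner or mode bits let another account change them; the function names and the list of files are this example's assumptions, and ACLs are not examined.

```shell
#!/bin/sh
# Added example: report bash startup files that someone other than their
# owner could modify. Mode bits and ownership only; ACLs are not examined.

# Numeric owner of a path, read from `ls -ldn` for portability.
owner_of() { ls -ldn "$1" | awk '{print $3}'; }

# Succeeds if the path (symlink followed) is group- or world-writable.
loosely_writable() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# check_path PATH UID: print one line per finding; status 1 if any finding.
check_path() (
    path=$1 uid=$2 bad=0
    [ -e "$path" ] || exit 0            # missing files are not a finding
    owner=$(owner_of "$path")
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "$path: owned by uid $owner, expected $uid or root"; bad=1
    fi
    if loosely_writable "$path"; then
        echo "$path: group- or world-writable"; bad=1
    fi
    # A writable directory lets another account replace the file itself.
    dir=$(dirname "$path")
    if loosely_writable "$dir"; then
        echo "$path: parent directory $dir is group- or world-writable"; bad=1
    fi
    exit "$bad"
)

# audit_startup_files HOME_DIR [UID]: check the files bash reads at login,
# interactive startup and logout. /etc/bash.bashrc is only read by builds
# that enable a system-wide bashrc (Debian-style packaging, for example).
audit_startup_files() (
    home=$1 uid=${2:-$(id -u)} rc=0
    for f in /etc/profile /etc/bash.bashrc \
             "$home/.bash_profile" "$home/.bash_login" "$home/.profile" \
             "$home/.bashrc" "$home/.bash_logout"; do
        check_path "$f" "$uid" || rc=1
    done
    exit "$rc"
)

# Stand-alone use: audit the given home directory, or $HOME by default.
audit_startup_files "${1:-$HOME}" || echo "review the findings above" >&2
```

Files named by `BASH_ENV` or `ENV`, and anything the startup files themselves source, would need the same check.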