Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi Stable release managers,

X-Debbugs-CC Matthias Klose <d...@debian.org> if he agrees, or would like me to drop it in case he would like to do the upload himself.

bash in Stable is affected by CVE-2016-0634: Arbitrary code execution via malicious hostname, and CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allow command substitution, which are both considered no-dsa (actually the first one is unimportant, thus it's not tagged no-dsa in the security tracker). I have prepared an update for bash picking the two upstream patches for the 4.3 branch. Attached is the debdiff.

Would it be acceptable for the/an upcoming Jessie point release?

Regards,
Salvatore
diff -Nru bash-4.3/debian/changelog bash-4.3/debian/changelog --- bash-4.3/debian/changelog 2014-10-07 16:22:00.000000000 +0200 +++ bash-4.3/debian/changelog 2016-10-09 17:35:21.000000000 +0200 @@ -1,3 +1,12 @@ +bash (4.3-11+deb8u1) jessie; urgency=medium + + * Non-maintainer upload. + * CVE-2016-0634: Arbitrary code execution via malicious hostname + * CVE-2016-7543: Specially crafted SHELLOPTS+PS4 variables allows command + substitution + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 09 Oct 2016 17:35:21 +0200 + bash (4.3-11) unstable; urgency=medium * Apply upstream patches 028 - 030. diff -Nru bash-4.3/debian/patches/CVE-2016-0634.diff bash-4.3/debian/patches/CVE-2016-0634.diff --- bash-4.3/debian/patches/CVE-2016-0634.diff 1970-01-01 01:00:00.000000000 +0100 +++ bash-4.3/debian/patches/CVE-2016-0634.diff 2016-10-09 17:35:21.000000000 +0200 
@@ -0,0 +1,109 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-047 + +Bug-Reported-by: Bernd Dietzel +Bug-Reference-ID: +Bug-Reference-URL: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025 + +Bug-Description: + +Bash performs word expansions on the prompt strings after the special +escape sequences are expanded. If a malicious user can modify the system +hostname or change the name of the bash executable and coerce a user into +executing it, and the new name contains word expansions (including +command substitution), bash will expand them in prompt strings containing +the \h or \H and \s escape sequences, respectively. + +Patch (apply with `patch -p0'): + +--- a/parse.y ++++ b/parse.y +@@ -5251,7 +5251,7 @@ decode_prompt_string (string) + #if defined (PROMPT_STRING_DECODE) + int result_size, result_index; + int c, n, i; +- char *temp, octal_string[4]; ++ char *temp, *t_host, octal_string[4]; + struct tm *tm; + time_t the_time; + char timebuf[128]; +@@ -5399,7 +5399,11 @@ decode_prompt_string (string) + + case 's': + temp = base_pathname (shell_name); +- temp = savestring (temp); ++ /* Try to quote anything the user can set in the file system */ ++ if (promptvars || posixly_correct) ++ temp = sh_backslash_quote_for_double_quotes (temp); ++ else ++ temp = savestring (temp); + goto add_string; + + case 'v': +@@ -5489,9 +5493,17 @@ decode_prompt_string (string) + + case 'h': + case 'H': +- temp = savestring (current_host_name); +- if (c == 'h' && (t = (char *)strchr (temp, '.'))) ++ t_host = savestring (current_host_name); ++ if (c == 'h' && (t = (char *)strchr (t_host, '.'))) + *t = '\0'; ++ if (promptvars || posixly_correct) ++ /* Make sure that expand_prompt_string is called with a ++ second argument of Q_DOUBLE_QUOTES if we use this ++ function here. 
*/ ++ temp = sh_backslash_quote_for_double_quotes (t_host); ++ else ++ temp = savestring (t_host); ++ free (t_host); + goto add_string; + + case '#': +--- a/y.tab.c ++++ b/y.tab.c +@@ -7563,7 +7563,7 @@ decode_prompt_string (string) + #if defined (PROMPT_STRING_DECODE) + int result_size, result_index; + int c, n, i; +- char *temp, octal_string[4]; ++ char *temp, *t_host, octal_string[4]; + struct tm *tm; + time_t the_time; + char timebuf[128]; +@@ -7711,7 +7711,11 @@ decode_prompt_string (string) + + case 's': + temp = base_pathname (shell_name); +- temp = savestring (temp); ++ /* Try to quote anything the user can set in the file system */ ++ if (promptvars || posixly_correct) ++ temp = sh_backslash_quote_for_double_quotes (temp); ++ else ++ temp = savestring (temp); + goto add_string; + + case 'v': +@@ -7801,9 +7805,17 @@ decode_prompt_string (string) + + case 'h': + case 'H': +- temp = savestring (current_host_name); +- if (c == 'h' && (t = (char *)strchr (temp, '.'))) ++ t_host = savestring (current_host_name); ++ if (c == 'h' && (t = (char *)strchr (t_host, '.'))) + *t = '\0'; ++ if (promptvars || posixly_correct) ++ /* Make sure that expand_prompt_string is called with a ++ second argument of Q_DOUBLE_QUOTES if we use this ++ function here. */ ++ temp = sh_backslash_quote_for_double_quotes (t_host); ++ else ++ temp = savestring (t_host); ++ free (t_host); + goto add_string; + + case '#': diff -Nru bash-4.3/debian/patches/CVE-2016-7543.diff bash-4.3/debian/patches/CVE-2016-7543.diff --- bash-4.3/debian/patches/CVE-2016-7543.diff 1970-01-01 01:00:00.000000000 +0100 +++ bash-4.3/debian/patches/CVE-2016-7543.diff 2016-10-09 17:35:21.000000000 +0200 
@@ -0,0 +1,34 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.3 +Patch-ID: bash43-048 + +Bug-Reported-by: up201407...@alunos.dcc.fc.up.pt +Bug-Reference-ID: <20151210201649.126444eionzfs...@webmail.alunos.dcc.fc.up.pt> +Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html + +Bug-Description: + +If a malicious user can inject a value of $SHELLOPTS containing `xtrace' +and a value for $PS4 that includes a command substitution into a shell +running as root, bash will expand the command substitution as part of +expanding $PS4 when it executes a traced command. + +Patch (apply with `patch -p0'): + +--- a/variables.c ++++ b/variables.c +@@ -495,7 +495,11 @@ initialize_shell_variables (env, privmod + #endif + set_if_not ("PS2", secondary_prompt); + } +- set_if_not ("PS4", "+ "); ++ ++ if (current_user.euid == 0) ++ bind_variable ("PS4", "+ ", 0); ++ else ++ set_if_not ("PS4", "+ "); + + /* Don't allow IFS to be imported from the environment. */ + temp_var = bind_variable ("IFS", " \t\n", 0); diff -Nru bash-4.3/debian/patches/series bash-4.3/debian/patches/series --- bash-4.3/debian/patches/series 2014-10-07 16:22:08.000000000 +0200 +++ bash-4.3/debian/patches/series 2016-10-09 17:35:21.000000000 +0200 @@ -49,3 +49,5 @@ # no-brk-caching.diff use-system-texi2html.diff bzero.diff +CVE-2016-0634.diff +CVE-2016-7543.diff
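Review bot: the debian/changelog hunk (@@ -1,3 +1,12 @@) names only the CVE ids, while both added patch files are verbatim upstream releases whose headers carry `Patch-ID: bash43-047` and `Patch-ID: bash43-048`; naming those ids in the two bullet points, e.g. `* CVE-2016-0634: ... (upstream patch bash43-047)`, would let a stable reviewer confirm at a glance that these are the official upstream fixes rather than local backports, and mirrors the existing 4.3-11 entry, which already refers to "upstream patches 028 - 030".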
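Review bot: in the CVE-2016-0634.diff parse.y hunk at @@ -5489,9 +5493,17 @@, the hostname is only quoted when `promptvars || posixly_correct`, and the added comment itself states the precondition the fix relies on: expand_prompt_string must be called with a second argument of Q_DOUBLE_QUOTES, which is not visible in this diff. Before accepting, confirm that the 4.3 call site in decode_prompt_string passes Q_DOUBLE_QUOTES, otherwise the output of sh_backslash_quote_for_double_quotes is not the quoting form the expander will strip. The plain `savestring (t_host)` branch is fine, since prompt strings are not expanded at all when promptvars is off, and `free (t_host)` is reached on both branches, so the new temporary does not leak.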
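Review bot: the y.tab.c hunks in CVE-2016-0634.diff (@@ -7563 @@, @@ -7711 @@ and @@ -7801 @@) repeat the parse.y change line for line, which follows upstream's practice of patching the shipped, pre-generated parser so the build does not depend on regenerating it with bison; the two copies match here. It is worth checking whether debian/rules regenerates y.tab.c from parse.y during the build, in which case the y.tab.c hunks are redundant but harmless, and whether the package's build system treats a patched y.tab.c that is older than parse.y as a reason to rebuild it.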
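Review bot: the variables.c hunk in CVE-2016-7543.diff (@@ -495,7 +495,11 @@) replaces `set_if_not ("PS4", "+ ")` with an unconditional `bind_variable ("PS4", "+ ", 0)` when `current_user.euid == 0`, so a root shell now discards any PS4 it inherits, including one deliberately exported by an admin wrapper script; that is the intended trade-off per the upstream Bug-Description, but the changelog entry should say that PS4 is reset for root so the behaviour change is discoverable. For every other euid the old `set_if_not` path is kept, so an unprivileged shell still imports PS4 and an xtrace-bearing SHELLOPTS from its environment; the upstream description scopes the issue to shells running as root, and the hunk is consistent with that scope.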