On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
> 
> I've been made aware of a GNU Bash profile code execution vulnerability 
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last 
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary 
> code on the system, caused by improper access control by the Bash profile. 
> By persuading a victim to open the Bash terminal, an attacker could 
> exploit this vulnerability to execute arbitrary code on the system. 

Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this does
not constitute a bash vulnerability.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/
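
A defensive check that follows from the reply above, as an added example that is not part of the original message or of bash itself: it reports startup files in a home directory that an account other than the owner could modify. The function names and output labels are assumptions of this example; the file list is bash's documented startup files.

```shell
#!/bin/sh
# Added example: report bash startup files that an account other than the
# owner could modify. Function names and output labels are this example's own.

# Files bash may read at login, interactive start-up, or logout.
STARTUP_FILES=".bash_profile .bash_login .profile .bashrc .bash_logout"

# True if PATH is group- or world-writable (-H: judge a symlink's target).
is_loosely_writable() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# True if PATH is owned by a uid other than the expected one.
has_foreign_owner() {
    [ -n "$(find -H "$1" -prune ! -user "$2" -print 2>/dev/null)" ]
}

# audit_startup_files HOME_DIR [UID]
# Prints one finding per line; returns 1 if there were findings, else 0.
audit_startup_files() {
    home=$1
    uid=${2:-$(id -u)}
    findings=0
    # A writable directory lets another account replace the files outright.
    if is_loosely_writable "$home"; then
        printf 'WRITABLE-DIR %s\n' "$home"
        findings=1
    fi
    for name in $STARTUP_FILES; do
        file=$home/$name
        [ -e "$file" ] || continue
        if is_loosely_writable "$file"; then
            printf 'WRITABLE-FILE %s\n' "$file"
            findings=1
        fi
        if has_foreign_owner "$file" "$uid"; then
            printf 'FOREIGN-OWNER %s\n' "$file"
            findings=1
        fi
    done
    return "$findings"
}
```

Call it as `audit_startup_files "$HOME"`. It inspects mode bits and ownership only, so ACLs that grant write access are not detected.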
