[Bug 1507025] Re: Shell Command Injection with the hostname
Even our oldest supported (as extended security maintenance) release Ubuntu 12.04 had bash 4.2 (https://launchpad.net/ubuntu/+source/bash) - so whether this affects bash 3.2.57 is not relevant to Ubuntu anymore. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
This bug was not fixed Upto bash v4.3 , this bug also arises in v3.2.57. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
This bug was fixed in the package bash - 4.3-7ubuntu1.7 --- bash (4.3-7ubuntu1.7) trusty-security; urgency=medium * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025) - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c. - CVE-2016-0634 * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4 (LP: #1689304) - debian/patches/bash43-048.diff: check for root in variables.c. - CVE-2016-7543 * SECURITY UPDATE: restricted shell bypass via use-after-free - debian/patches/bash44-006.diff: check for negative offsets in builtins/pushd.def. - CVE-2016-9401 -- Marc Deslauriers Tue, 16 May 2017 07:52:48 -0400 ** Changed in: bash (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
This bug was fixed in the package bash - 4.3-14ubuntu1.2 --- bash (4.3-14ubuntu1.2) xenial-security; urgency=medium * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025) - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c. - CVE-2016-0634 * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4 (LP: #1689304) - debian/patches/bash43-048.diff: check for root in variables.c. - CVE-2016-7543 * SECURITY UPDATE: restricted shell bypass via use-after-free - debian/patches/bash44-006.diff: check for negative offsets in builtins/pushd.def. - CVE-2016-9401 -- Marc Deslauriers Tue, 16 May 2017 07:51:45 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
This bug was fixed in the package bash - 4.3-15ubuntu1.1 --- bash (4.3-15ubuntu1.1) yakkety-security; urgency=medium * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025) - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c. - CVE-2016-0634 * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4 (LP: #1689304) - debian/patches/bash43-048.diff: check for root in variables.c. - CVE-2016-7543 * SECURITY UPDATE: restricted shell bypass via use-after-free - debian/patches/bash44-006.diff: check for negative offsets in builtins/pushd.def. - CVE-2016-9401 -- Marc Deslauriers Tue, 16 May 2017 07:44:56 -0400 ** Changed in: bash (Ubuntu) Status: New => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-7543 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-9401 ** Changed in: bash (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
This issue was assigned CVE-2016-0634. See the oss-security notice here: http://openwall.com/lists/oss-security/2016/09/16/8 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-0634 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
@Marc Yes , if some application has a bug , for example MintNanny : https://bugs.launchpad.net/linuxmint/+bug/1460835 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
I'm not sure what the attack vector here is. /etc/hostname is only writeable by root. Is there any way for an attacker to control /etc/hostname? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
#! /bin/sh # run this as root early in the boot order. No other script like hostname.sh should run later HOSTNAME="$(hostname|sed 's/[^A-Za-z0-9_\-\.]/x/g')";hostname "$HOSTNAME" -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
script ** Attachment added: "changehostname.sh" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4510099/+files/changehostname.sh -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
Workaround ... to make my modified "hostname.sh" script run at startup, i changed the file /etc/rc.local #!/bin/sh -e # # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. /etc/init.d/hostname.sh start exit 0 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
Thats better ... (the "-" was wrong in my previous posting )
HOSTNAME="${HOSTNAME//[^A-Za-z0-9_\-]/x}"
i attached a modified hostname.sh wich uses bash.
it can be startet manualy with
sudo /etc/init.d/hostname.sh start
The command should somehow run at startup ... but does not by default ?
** Attachment added: "hostname.sh"
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4499613/+files/hostname.sh
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1507025
Title:
Shell Command Injection with the hostname
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
Patch :
HOSTNAME=${HOSTNAME//[^A-Za-z0-9-_]/_}
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1507025
Title:
Shell Command Injection with the hostname
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
german demo video https://www.youtube.com/watch?v=qYuVzHsklS8 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
typo ... the path is /etc/init.d/hostname.sh -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
I agree, i think the hostname should be in the hands of the kernel only. Should not be overwritten by /etc/hostname.sh. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
I can't imagine the effort involved in hardening all applications to treat the hostname as untrusted input. ISPs that sell vservers are really no different from Intel or AMD or whoever makes your CPU -- you trust them completely and totally with your data, your executables, and your entire operating environment. They can inject anything they wish into your system's memory whenever they wish. Making sure the dhcp clients don't allow setting these kinds of hostnames however, that might be a good idea. Enforcing the usual dns guidelines of a-zA-Z0-9-_ might be worthwhile.. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1507025] Re: Shell Command Injection with the hostname
** Attachment removed: "Dependencies.txt" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497264/+files/Dependencies.txt ** Attachment removed: "JournalErrors.txt" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497265/+files/JournalErrors.txt ** Attachment removed: "ProcEnviron.txt" https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+attachment/4497266/+files/ProcEnviron.txt ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1507025 Title: Shell Command Injection with the hostname To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
