The debian-private mailing list leak, part 1.


S-96-48: Vulnerability in "bash" (fwd)



Package: bash
Version: 1.14.6-4

Forwarded message:
> From: Gert.Meijerink@utwente.nl
> Subject: S-96-48: Vulnerability in "bash"
> Sender: GERT A MEIJERINK +31 53 892326 <RCGERT@utwente.nl>
> To: cert-nl-ssc@dl.surfnet.nl
> Cc: cert-nl@surfnet.nl
> Message-id: <D9262816E00002F3@UTWENTE.NL>
> X-VMS-To: IN%"cert-nl-ssc@surfnet.nl"
> X-VMS-Cc: IN%"cert-nl@surfnet.nl",RCGERT
> Content-transfer-encoding: 7BIT
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> ===============================================================================
> Security Advisory                                                       CERT-NL
> ===============================================================================
> Author/Source : Gert Meijerink                              Index  :    S-96-48
> Distribution  : World                                       Page   :          1
> Classification: External                                    Version:          1
> Subject       : Vulnerability in "bash"                     Date   :  22-aug-96
> ===============================================================================
> 
> By courtesy of IBM's Internet Emergency Response Service (IBM-ERS) we received 
> information on a vulnerability in the GNU Project's Bourne Again SHell ("bash").
> 
> CERT-NL recommends applying the provided patch.
> 
> ==============================================================================
> 
>                           EMERGENCY RESPONSE SERVICE
>                           SECURITY VULNERABILITY ALERT
> 
> 21 August 1996 13:00 GMT                         Number: ERS-SVA-E01-1996:004.1
> ===============================================================================
>                              VULNERABILITY  SUMMARY
> 
> VULNERABILITY:  A variable declaration error in "bash" allows the character
>                 with value 255 decimal to be used as a command separator.
> 
> PLATFORMS:      Bash 1.14.6 and earlier versions.
> 
> SOLUTION:       Apply the patch provided below.
> 
> THREAT:         When used in environments where users provide strings to be
>                 used as commands or arguments to commands, "bash" can be
>                 tricked into executing arbitrary commands.
> 
> ===============================================================================
>                               DETAILED INFORMATION
> 
> I. Description
> 
>    A. Introduction
> 
>       The GNU Project's Bourne Again SHell ("bash") is a drop-in replacement
>       for the UNIX Bourne shell (/bin/sh).  It offers the same syntax as the
>       standard shell, but also includes additional functionality such as job
>       control, command line editing, and history.
> 
>       Although "bash" can be compiled and installed on almost any UNIX
>       platform, its most prevalent use is on "free" versions of UNIX such as
>       Linux, where it has been installed as "/bin/sh" (the default shell for
>       most uses).
> 
>       The "bash" source code is freely available from many sites on the
>       Internet.
> 
>    B. Vulnerability Details
> 
>       There is a variable declaration error in the "yy_string_get()" function
>       in the "parser.y" module of the "bash" source code.  This function is
>       responsible for parsing the user-provided command line into separate
>       tokens (commands, special characters, arguments, etc.).  The error
>       involves the variable "string," which has been declared to be of type
>       "char *."
> 
>       The "string" variable is used to traverse the character string
>       containing the command line to be parsed.  As characters are retrieved
>       from this pointer, they are stored in a variable of type "int."  On
>       systems/compilers where the "char" type defaults to "signed char", this
>       value will be sign-extended when it is assigned to the "int" variable.
>       For character code 255 decimal (-1 in two's complement form), this sign
>       extension results in the value (-1) being assigned to the integer.
> 
>       However, (-1) is used in other parts of the parser to indicate the end
>       of a command.  Thus, the character code 255 decimal (377 octal) will
>       serve as an unintended command separator for commands given to "bash"
>       via the "-c" option.  For example,
> 
>         bash -c 'ls\377who'
> 
>       (where "\377" represents the single character with value 255 decimal)
>       will execute two commands, "ls" and "who."
> 
> II. Impact
> 
> This unexpected command separator can be dangerous, especially on systems such
> as Linux where "bash" has been installed as "/bin/sh," when a program executes
> a command with a string provided by a user as an argument using the "system()"
> or "popen()" functions (or by calling "/bin/sh -c string" directly).
> 
> This is especially true for the CGI programming interface in World Wide Web
> servers, many of which do not strip out characters with value 255 decimal.  If
> a user sending data to the server can specify the character code 255 in a
> string that is passed to a shell, and that shell is "bash," the user can
> execute any arbitrary command with the user-id and permissions of the user
> running the server (frequently "root").
> 
> The "bash" built-in commands "eval," "source," and "fc" are also potentially
> vulnerable to this problem.
> 
> III. Solutions
> 
>    A. How to alleviate the problem
> 
>       This problem can be alleviated by changing the declaration of the
>       "string" variable in the "yy_string_get()" function from "char *" to
>       "unsigned char *."
> 
>    B. Official fix from the "bash" maintainers
> 
>       The "bash" maintainers have told us they plan to fix this problem in
>       Version 2.0 of "bash," but this will not be released for at least a few
>       more months.
> 
>    C. Unofficial fix until the official version is released
> 
>       Until the "bash" maintainers release Version 2.0, this problem can be
>       fixed by applying the patch below to the "bash" source code, recompiling
>       the program, and installing the new version.
> 
>       The patch below is for Version 1.14.6 of "bash."  Source code for this
>       version can be obtained from
> 
>          ftp://prep.ai.mit.edu/pub/gnu/bash-1.14.6.tar.gz
> 
>       as well as many other sites around the Internet.
> 
> - ---------------------------------- cut here ----------------------------------
> *** parse.y.old Thu Nov  2 15:00:51 1995
> - --- parse.y     Tue Aug 20 09:16:48 1996
> ***************
> *** 904,910 ****
>   static int
>   yy_string_get ()
>   {
> !   register char *string;
>     register int c;
>   
>     string = bash_input.location.string;
> - --- 904,910 ----
>   static int
>   yy_string_get ()
>   {
> !   register unsigned char *string;
>     register int c;
>   
>     string = bash_input.location.string;
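
Review bot: The context line `string = bash_input.location.string;` is left unchanged, so once the declaration becomes `register unsigned char *string;` the assignment depends on how `bash_input.location.string` is declared, which this hunk does not show. If that field is still a plain `char *`, add an explicit `(unsigned char *)` cast on that line so the signedness change is deliberate and does not rely on an implicit pointer conversion. A one-line comment on the declaration stating that the pointer must be unsigned so that byte 0377 is not sign-extended to -1 would keep a later cleanup from reverting it. The file header names `parse.y`, while the advisory text above refers to "parser.y"; the two should agree.
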
> - ---------------------------------- cut here ----------------------------------
> 
>       To apply this patch, save the text between the two "--- cut here ---"
>       lines to a file, change directories to the "bash" source directory, and
>       issue the command
> 
>         patch < filename
> 
>       If you do not have the "patch" program, you can obtain it from
> 
>         ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz
> 
>       or you can apply the patch by hand.
> 
>       After applying the patch, recompile and reinstall the "bash" program by
>       following the directions in the "INSTALL" file, included as part of the
>       "bash" distribution.
> 
>       This patch is provided "AS IS" without warranty of any kind, including,
>       without limitation, any implied warranties of merchantability or fitness
>       for a particular purpose.  This advisory does not create or imply any
>       support obligations or any other liability on the part of IBM or its
>       subsidiaries.
> 
> IV. Acknowledgements
> 
> IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the
> IBM T. J. Watson Research Center for their discovery of this vulnerability,
> bringing it to our attention, providing the patch to fix it, and assistance in
> developing this alert.
> 
> UNIX is a technology trademark of X/Open Company, Ltd.
> 
> ===============================================================================
> 
> 
> 
> ==============================================================================
> 
> CERT-NL is the Computer Emergency Response Team for SURFnet customers. 
> SURFnet is the Dutch network for educational, research and related institutes.
> CERT-NL is a member of the Forum of Incident Response and Security Teams 
> (FIRST). 
> 
> All CERT-NL material is available under:
>   http://www.surfnet.nl/surfnet/security/cert-nl.html
>   ftp://ftp.surfnet.nl/surfnet/net-security 
>   
> In case of computer or network security problems please contact your 
> local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet 
> customer please address the appropriate (local) CERT/security-team).
> 
> CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
> i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
>    Email:     cert-nl@surfnet.nl
>    Phone:     +31 302 305 305
>    Fax:       +31 302 305 329
>    Snailmail: SURFnet bv
>               Attn. CERT-NL
>               P.O. Box 19035
>               NL - 3501 DA  UTRECHT
>               The Netherlands
>    A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
>    members on request.
> ==============================================================================
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3i
> Charset: cp850
> 
> -----END PGP SIGNATURE-----

As far as I can see, this applies to our version of bash too.

Ray
-- 
Cyberspace, a final frontier. These are the voyages of my messages, 
on a lightspeed mission to explore strange new systems and to boldly go
where no data has gone before.
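
The sign extension described in the advisory's "Vulnerability Details", as an added C example that is not part of the original message and is not bash's source. The struct, the function names, the end marker constant and the command-counting loop are a constructed model of a string getter and its caller, and the sample input is the advisory's own `ls\377who` string.

```c
#include <stdio.h>
#include <stddef.h>

#define END_OF_INPUT (-1)   /* assumed end marker, as in the advisory */

/* Constructed sample: "ls", byte 0377 (255 decimal), "who". */
static const char SAMPLE[] = "ls\377who";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

struct input { const char *p; size_t left; };

/* "Before": the byte is read through a signed char pointer, so 0xFF is
   sign-extended to -1. signed char is spelled out because the signedness
   of plain char is implementation-defined. */
static int get_signed(struct input *in) {
    if (in->left == 0) return END_OF_INPUT;
    in->left--;
    return *(const signed char *)in->p++;
}

/* "After": the byte is read through unsigned char, so 0xFF becomes 255. */
static int get_unsigned(struct input *in) {
    if (in->left == 0) return END_OF_INPUT;
    in->left--;
    return *(const unsigned char *)in->p++;
}

/* Model of a caller that treats -1 as "end of command" and keeps reading
   while bytes remain; returns how many commands it believes it saw. */
static int count_commands(const char *s, size_t n, int (*get)(struct input *)) {
    struct input in = { s, n };
    int commands = 0, in_cmd = 0;
    while (in.left > 0) {
        int c = get(&in);
        if (c == END_OF_INPUT) in_cmd = 0;                 /* command ends  */
        else if (!in_cmd) { in_cmd = 1; commands++; }      /* command starts */
    }
    return commands;
}

int main(void) {
    printf("signed getter:   %d command(s)\n",
           count_commands(SAMPLE, SAMPLE_LEN, get_signed));
    printf("unsigned getter: %d command(s)\n",
           count_commands(SAMPLE, SAMPLE_LEN, get_unsigned));
    return 0;
}
```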