Re: Correction of CVE-2016-7543 is incomplete

[up201407890]

Quoting "Ola Lundqvist" <ola@inguza.com>:

This is known.

I "complained" at the time, as it can be seen here:
https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html


> Version: all (see note below)
> Hardware: all
> Operating system: Debian GNU Linux (but all should be affected)
> Compiler: gcc
>
> Hi
>
> In CVE-2016-7543 a problem was reported that it is possible to privilege
> escalate to root.
> The correction as seen here
> http://lists.gnu.org/archive/html/bug-bash/2016-10/msg00009.html
> is not complete. Well it do prevent privilege escalation to root, but it is
> possible to escalate to any other user and that may be bad too.
>
> The problem has also been reported (by me) in Debian as you can see here:
> http://bugs.debian.org/841856
>
> I have attached a tar file with exploit code. The exploit code is used like
> this:
> make
> sudo make root
> make test
>
> Test 1 is the exploit for CVE-2016-7543
> Test 2 is the exploit for this problem
> Test 3 is just a reference test.
>
> The proposed patch essentially disable the whole PS4 variable support for
> all users (not only root as the patch was for CVE-2016-7543. Please let me
> know if you have a better idea on how to handle this.
>
> Version note: The attached correction is made on a 4.2 system with a patch
> for CVE-2016-7543.
> However it should apply on 4.4 as well.
>
> Let me know if you need any further details.
>
> Best regards
>
> // Ola
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> /  ola@inguza.com                    Folkebogatan 26            \
> |  opal@debian.org                   654 68 KARLSTAD            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.