bug-bash

Re: GNU Bash profile code execution vulnerability enquiry


From: Chet Ramey
Subject: Re: GNU Bash profile code execution vulnerability enquiry
Date: Wed, 28 Oct 2020 14:21:03 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.3.3

On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
> 
> I've been made aware of a GNU Bash profile code execution vulnerability 
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last 
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary 
> code on the system, caused by improper access control by the Bash profile. 
> By persuading a victim to open the Bash terminal, an attacker could 
> exploit this vulnerability to execute arbitrary code on the system. 

Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this does
not constitute a bash vulnerability.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/
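
The point in the reply above is that the exposure is write access to the startup files, so that is the thing to audit. The following is an added example, not part of the original message or of bash itself: it reports any per-user bash startup file, or the directory holding them, that is writable by group/other or owned by an unexpected user. The function names and finding labels are hypothetical; the file list is the set of per-user files bash reads at login, interactive startup and logout.

```shell
#!/usr/bin/env bash
# Added example: audit who can modify the files bash executes at startup.

# Per-user files bash reads for login shells, interactive shells and logout.
STARTUP_FILES=".bash_profile .bash_login .profile .bashrc .bash_logout"

# Print a finding when PATH is group/other-writable or not owned by OWNER_UID.
# -H makes find test the target of a symlink, not the link itself
# (symlinks always show mode 777 and would otherwise be false positives).
check_path() {
    local path="$1" owner_uid="$2"
    [ -e "$path" ] || return 0
    if [ -n "$(find -H "$path" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE_BY_OTHERS $path"
    fi
    if [ -n "$(find -H "$path" -maxdepth 0 ! -user "$owner_uid")" ]; then
        echo "UNEXPECTED_OWNER $path"
    fi
}

# audit_startup_files [HOME_DIR] [OWNER_UID]
# Defaults to the current user's home directory and uid.
audit_startup_files() {
    local home="${1:-$HOME}" owner_uid="${2:-$(id -u)}" name
    # A writable directory lets another account replace a file
    # even when the file's own mode is locked down.
    check_path "$home" "$owner_uid"
    for name in $STARTUP_FILES; do
        check_path "$home/$name" "$owner_uid"
    done
}
```

Source the file and run `audit_startup_files` for the current user; no output means nobody else can modify what bash will execute at the next startup.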


