Re: GNU Bash profile code execution vulnerability enquiry
From: Chet Ramey
Subject: Re: GNU Bash profile code execution vulnerability enquiry
Date: Wed, 28 Oct 2020 14:21:03 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.3.3

On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
>
> I've been made aware of a GNU Bash profile code execution vulnerability
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary
> code on the system, caused by improper access control by the Bash profile.
> By persuading a victim to open the Bash terminal, an attacker could
> exploit this vulnerability to execute arbitrary code on the system.

Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this does
not constitute a bash vulnerability.

Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
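
A defensive check for the condition described in the reply above, as an added example that is not part of the original thread: it reports bash startup files (and the home directory holding them) that are group- or world-writable or owned by an unexpected non-root user. The function names, finding labels and the `--self` switch are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): list bash startup files that someone
# other than their owner could modify. Names and labels are this example's own.

# Per-user files bash reads at login, interactive start, and logout.
STARTUP_FILES=".bash_profile .bash_login .profile .bashrc .bash_logout"

# check_path PATH EXPECTED_UID: print one finding per problem, nothing if clean.
check_path() {
    cp_path=$1; cp_want=$2
    [ -e "$cp_path" ] || return 0    # absent (or dangling link): nothing is read
    # ls -ldnL: mode string and numeric owner of the link target (GNU and BSD).
    cp_meta=$(ls -ldnL -- "$cp_path" | awk '{print $1 " " $3}')
    cp_perms=${cp_meta% *}; cp_uid=${cp_meta#* }
    case $cp_perms in ?????w*) echo "GROUP-WRITABLE $cp_path" ;; esac
    case $cp_perms in ????????w*) echo "WORLD-WRITABLE $cp_path" ;; esac
    # Root can write anywhere regardless; any other foreign owner is a finding.
    if [ "$cp_uid" != "$cp_want" ] && [ "$cp_uid" != 0 ]; then
        echo "FOREIGN-OWNER(uid=$cp_uid) $cp_path"
    fi
    return 0
}

# audit_startup_files HOME_DIR EXPECTED_UID
audit_startup_files() {
    as_home=$1; as_want=$2
    # A directory others can write to lets them replace the files inside it.
    check_path "$as_home" "$as_want"
    for as_name in $STARTUP_FILES; do
        check_path "$as_home/$as_name" "$as_want"
    done
}

# Pass --self to audit the invoking user plus the system-wide /etc/profile.
if [ "${1:-}" = "--self" ]; then
    audit_startup_files "$HOME" "$(id -u)"
    check_path /etc/profile 0
fi
```

No output means every file that exists is writable only by its owner (or root).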