RE: GNU Bash profile code execution vulnerability enquiry
From: Rachel Alderman
Subject: RE: GNU Bash profile code execution vulnerability enquiry
Date: Thu, 29 Oct 2020 08:59:22 +0000
Thanks Chet and Greg for your swift replies. I'll park it as a
non-vulnerability.
Regards
Rachel
Rachel Alderman
IBM Cloud Kubernetes Security Compliance
IBM United Kingdom Limited,
Mailpoint 211, Hursley,
Winchester, SO21 2JN.
Email: rachel_alderman@uk.ibm.com
I work part-time and my working days are Wednesday, Thursday and Friday.
IBM United Kingdom Limited
Registered in England and Wales with number 741598
Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU
From: Chet Ramey <chet.ramey@case.edu>
To: Rachel Alderman <rachel_alderman@uk.ibm.com>, bug-bash@gnu.org
Cc: chet.ramey@case.edu
Date: 28/10/2020 18:21
Subject: [EXTERNAL] Re: GNU Bash profile code execution vulnerability enquiry
On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
>
> I've been made aware of a GNU Bash profile code execution vulnerability
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary
> code on the system, caused by improper access control by the Bash profile.
> By persuading a victim to open the Bash terminal, an attacker could
> exploit this vulnerability to execute arbitrary code on the system.
Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this does
not constitute a bash vulnerability.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu
http://tiswww.cwru.edu/~chet/
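The boundary named in the reply above is write access to the profile file, so the useful check on a host is who can modify the files bash reads at startup. The script below is an added example, not part of the original thread or of bash itself; the function names are hypothetical and the file list is taken from the startup files documented in the bash manual.

```sh
#!/bin/sh
# Added example, not from the thread: find bash startup files that an account
# other than their owner (or root) is able to modify.

# True if PATH has the group-write or other-write bit set (POSIX find tests).
loosely_writable() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# True if PATH is owned by neither the expected UID ($2) nor root.
foreign_owner() {
    [ -n "$(find -H "$1" -prune ! -user "$2" ! -user 0 -print 2>/dev/null)" ]
}

# Print one verdict for FILE ($1) given its expected owner UID ($2):
# missing | foreign-owner | writable | dir-writable | ok
check_startup_file() {
    [ -e "$1" ] || { echo missing; return 0; }
    if foreign_owner "$1" "$2"; then echo foreign-owner; return 1; fi
    if loosely_writable "$1"; then echo writable; return 1; fi
    # A writable parent directory lets another account replace the file outright.
    if loosely_writable "$(dirname "$1")"; then echo dir-writable; return 1; fi
    echo ok
}

# usage: audit_files UID FILE...   (returns non-zero if any file is at risk)
audit_files() {
    owner_uid=$1; shift; rc=0
    for f in "$@"; do
        verdict=$(check_startup_file "$f" "$owner_uid") || rc=1
        printf '%-14s %s\n' "$verdict" "$f"
    done
    return "$rc"
}

# Files a login or interactive bash reads at startup (see the bash manual).
home=${HOME:-/}
audit_files "$(id -u)" /etc/profile "$home/.bash_profile" "$home/.bash_login" \
    "$home/.profile" "$home/.bashrc" || echo "review the entries not marked ok"
```

The directory check is deliberately conservative: it also flags sticky-bit directories, which is the right default for a home directory.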