RE: GNU Bash profile code execution vulnerability enquiry

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: GNU Bash profile code execution vulnerability enquiry

From:	Rachel Alderman
Subject:	RE: GNU Bash profile code execution vulnerability enquiry
Date:	Thu, 29 Oct 2020 08:59:22 +0000

Thanks Chet and Greg for your swift replies. I'll park it as a 
non-vulnerability.

Regards
Rachel

Rachel Alderman
IBM Cloud Kubernetes Security Compliance 
IBM United Kingdom Limited,
Mailpoint 211, Hursley,
Winchester, SO21 2JN.
Email: rachel_alderman@uk.ibm.com

I work part-time and my working days are Wednesday, Thursday and Friday.

IBM United Kingdom Limited 
Registered in England and Wales with number 741598 
Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU 

From:   Chet Ramey <chet.ramey@case.edu>
To:     Rachel Alderman <rachel_alderman@uk.ibm.com>, bug-bash@gnu.org
Cc:     chet.ramey@case.edu
Date:   28/10/2020 18:21
Subject:        [EXTERNAL] Re: GNU Bash profile code execution 
vulnerability enquiry

On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
> 
> I've been made aware of a GNU Bash profile code execution vulnerability 
> 
https://urldefense.proofpoint.com/v2/url?u=https-3A__exchange.xforce.ibmcloud.com_vulnerabilities_173116&d=DwICaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=n8y5uKM5g4nhsINWSXY-6PahOH6ZD7tHCCCT1n2Jwds&m=dD-fw0FFUuB8yk2vU9EDQMfpw9sR_9KXp1y1wqryDuI&s=exih7GRA372ne8AH5dBECaDKdYkAJ0DaOWfwxMExcFc&e=

 reported last 
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary 

> code on the system, caused by improper access control by the Bash 
profile. 
> By persuading a victim to open the Bash terminal, an attacker could 
> exploit this vulnerability to execute arbitrary code on the system. 

Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an  attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this 
does
not constitute a bash vulnerability.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                                  ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    
https://urldefense.proofpoint.com/v2/url?u=http-3A__tiswww.cwru.edu_-7Echet_&d=DwICaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=n8y5uKM5g4nhsINWSXY-6PahOH6ZD7tHCCCT1n2Jwds&m=dD-fw0FFUuB8yk2vU9EDQMfpw9sR_9KXp1y1wqryDuI&s=NRtTflYJyUK8VIImivppfYCSpSg7Nt65PYReNZRAiI0&e=

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 
741598. 
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU

smime.p7s
Description: S/MIME Cryptographic Signature

[Prev in Thread]

Current Thread

[Next in Thread]

GNU Bash profile code execution vulnerability enquiry, Rachel Alderman, 2020/10/28
- Re: GNU Bash profile code execution vulnerability enquiry, Greg Wooledge, 2020/10/28
- Re: GNU Bash profile code execution vulnerability enquiry, Eli Schwartz, 2020/10/28
- Re: GNU Bash profile code execution vulnerability enquiry, Chet Ramey, 2020/10/28
  - RE: GNU Bash profile code execution vulnerability enquiry, Rachel Alderman <=

Prev by Date: Re: possible bugs with colored-stats
Next by Date: Re: possible bugs with colored-stats
Previous by thread: Re: GNU Bash profile code execution vulnerability enquiry
Next by thread: possible bugs with colored-stats
Index(es):
- Date
- Thread