oss-sec mailing list archives

CVE-2016-0634 -- bash prompt expanding $HOSTNAME

From: John Haxby <john.haxby () oracle com>
Date: Fri, 16 Sep 2016 17:16:06 +0100

Hello All,

A little while ago, one of our users discovered that by setting the
hostname to $(something unpleasant), bash would run "something
unpleasant" when it expanded \h in the prompt string.

We informed Chet (cc'd) and this has been fixed in the recently
announced bash-4.4.

I believe the fix in parse.y is this (Chet, please correct me if I'm wrong):

--------------------
@@ -5569,9 +5703,17 @@ decode_prompt_string (string)

            case 'h':
            case 'H':
-             temp = savestring (current_host_name);
-             if (c == 'h' && (t = (char *)strchr (temp, '.')))
+             t_host = savestring (current_host_name);
+             if (c == 'h' && (t = (char *)strchr (t_host, '.')))
                *t = '\0';
+             if (promptvars || posixly_correct)
+               /* Make sure that expand_prompt_string is called with a
+                  second argument of Q_DOUBLE_QUOTES if we use this
+                  function here. */
+               temp = sh_backslash_quote_for_double_quotes (t_host);
+             else
+               temp = savestring (t_host);
+             free (t_host);
              goto add_string;

            case '#':
--------------------

There is a related fix (but not one necessarily covered by CVE-2016-0634):

--------------------
@@ -5479,7 +5609,11 @@ decode_prompt_string (string)

            case 's':
              temp = base_pathname (shell_name);
-             temp = savestring (temp);
+             /* Try to quote anything the user can set in the file system */
+             if (promptvars || posixly_correct)
+               temp = sh_backslash_quote_for_double_quotes (temp);
+             else
+               temp = savestring (temp);
              goto add_string;

            case 'v':
--------------------

I appreciate that it's relatively difficult to set the hostname to a
string of your choosing but there are plenty of helpful agents that will
call sethostname(2) on your behalf.

jch

Current thread:

CVE-2016-0634 -- bash prompt expanding $HOSTNAME John Haxby (Sep 16)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Jan Schaumann (Sep 16)
  - Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Chet Ramey (Sep 16)
    - Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME John Haxby (Sep 18)
    - Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Seth Arnold (Sep 19)
    - Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME John Haxby (Sep 20)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Chet Ramey (Sep 16)
  - Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Chet Ramey (Sep 16)
    - Re: Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Leo Famulari (Sep 27)
    - Re: Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Chet Ramey (Sep 29)