oss-sec mailing list archives

Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME


From: Chet Ramey <chet.ramey () case edu>
Date: Fri, 16 Sep 2016 15:46:51 -0400

On 9/16/16 12:16 PM, John Haxby wrote:
> Hello All,
>
> A little while ago, one of our users discovered that by setting the
> hostname to $(something unpleasant), bash would run "something
> unpleasant" when it expanded \h in the prompt string.

I finally got this message, three hours later.

I assume you're using $HOSTNAME as a shorthand; bash only uses the
return value from gethostname().

It's unlikely that something like this could be accomplished without
existing privilege.  If you have a fake DHCP server on your network, for
instance, you have massive problems aside from this issue.  If someone
sets the hostname on the local machine, he already has privilege.


> I believe the fix in parse.y is this (Chet, please correct me if I'm wrong):

Yes, that is the current fix for this.  There are other ways to do it.

This issue has been public since October, 2015, in Ubuntu's bash bug
database.

https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet () case edu    http://cnswww.cns.cwru.edu/~chet/
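
Added example, not part of the message above and not the parse.y fix it refers to: a POSIX shell check that a name reported by the system is a plain RFC 1123 hostname, so that a value like the one described in the thread is flagged before it is trusted in a prompt or script. The function names are hypothetical and the sample names are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample names constructed.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below ASCII-only

# Return 0 if $1 is a plain RFC 1123 hostname: dot-separated labels of
# letters, digits and hyphens, 1-63 characters each, no label starting or
# ending with a hyphen, at most 253 characters in total.
hostname_is_safe() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;  # rejects $ ( ) ` \ ; space, etc.
        .*|*.|*..*)       return 1 ;;  # empty label
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
        [ "${#label}" -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    return 0
}

# Check the name the kernel reports for this machine (uname -n).
# Returns 0 if it is plain, 1 if not, 2 if it could not be read.
check_local_hostname() {
    h=$(uname -n) || return 2
    if hostname_is_safe "$h"; then
        return 0
    fi
    printf 'hostname is not a plain RFC 1123 name: %s\n' "$h" >&2
    return 1
}

# Constructed samples, including the shape quoted in the thread.
for h in 'build01.example.org' '$(something unpleasant)' '-bad.example'; do
    if hostname_is_safe "$h"; then
        printf 'ok      %s\n' "$h"
    else
        printf 'REJECT  %s\n' "$h"
    fi
done
```

`check_local_hostname` can be run from a login or configuration-management check; it only reads the name and never evaluates it.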

