CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables

Resolves: #1379634
2016-09-30 13:22:15 +05:30 · 2016-09-30 13:22:15 +05:30 · b1104ec130
commit b1104ec130
parent d430777020
2 changed files with 39 additions and 1 deletions
--- a/bash-4.4-cve-2016-7543.patch
+++ b/bash-4.4-cve-2016-7543.patch
@ -0,0 +1,29 @@
+From f43310742819253bfa6add2dce406701bb8cc2bb Mon Sep 17 00:00:00 2001
+From: Siteshwar Vashisht <svashisht@redhat.com>
+Date: Wed, 28 Sep 2016 18:33:55 +0530
+Subject: [PATCH] CVE-2016-7543: Patch imported from bash-4.4
+
+---
+ variables.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/variables.c b/variables.c
+index ac587f3..ffd39e8 100644
+--- a/variables.c
+++ b/variables.c
+@@ -496,7 +496,11 @@ initialize_shell_variables (env, privmode)
+ #endif
+       set_if_not ("PS2", secondary_prompt);
+     }
+-  set_if_not ("PS4", "+ ");
+
+  if (current_user.euid == 0)
+    bind_variable ("PS4", "+ ", 0);
+  else
+    set_if_not ("PS4", "+ ");
+ 
+   /* Don't allow IFS to be imported from the environment. */
+   temp_var = bind_variable ("IFS", " \t\n", 0);
+-- 
+2.5.5
+
--- a/bash.spec
+++ b/bash.spec
@ -8,7 +8,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: System Environment/Shells
 License: GPLv3+
 Url: http://www.gnu.org/software/bash
@ -147,6 +147,10 @@ Patch140: bash-tilda-race-condition.patch
 # NOTE: This fix is already included in bash-4.4.
 Patch141: bash-4.3-cve-2016-0634.patch

+#1379634- security fix CVE-2016-7543 (Specially crafted SHELLOPTS+PS4 variables allows command substitution)
+# NOTE: This fix is already included in bash-4.4.
+Patch142: bash-4.4-cve-2016-7543.patch
+
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
@ -251,6 +255,7 @@ This package contains documentation files for %{name}.
 %patch139 -p1 -b .oldleak
 %patch140 -p1 -b .tilda_expansion
 %patch141 -p1 -b .cve-2016-0634
+%patch142 -p1 -b .cve-2016-7543

 echo %{version} > _distribution
 echo %{release} > _patchlevel
@ -452,6 +457,10 @@ end
 %doc doc/*.ps doc/*.0 doc/*.html doc/article.txt

 %changelog
+* Fri Sep 30 2016 Siteshwar Vashisht <svashisht@redhat.com> - 4.3.43-4
+- CVE-2016-7543: Fix for arbitrary code execution via SHELLOPTS+PS4 variables
+  Resolves: #1379634
+
 * Wed Sep 21 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 4.3.43-3
 - CVE-2016-0634 - Fix for arbitrary code execution via malicious hostname
  Resolves: #1377614