what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2011-1073-01

Red Hat Security Advisory 2011-1073-01
Posted Jul 21, 2011
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2011-1073-01 - Bash is the default shell for Red Hat Enterprise Linux. It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts.

tags | advisory, arbitrary, shell, local, bash
systems | linux, redhat
advisories | CVE-2008-5374
SHA-256 | da80973cdb57a59681cc067e56a8278bae1bfd43df6a23dd382af358ee780211

Red Hat Security Advisory 2011-1073-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Low: bash security, bug fix, and enhancement update
Advisory ID: RHSA-2011:1073-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1073.html
Issue date: 2011-07-21
CVE Names: CVE-2008-5374
=====================================================================

1. Summary:

An updated bash package that fixes one security issue, several bugs, and
adds one enhancement is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Bash is the default shell for Red Hat Enterprise Linux.

It was found that certain scripts bundled with the Bash documentation
created temporary files in an insecure way. A malicious, local user could
use this flaw to conduct a symbolic link attack, allowing them to overwrite
the contents of arbitrary files accessible to the victim running the
scripts. (CVE-2008-5374)

This update fixes the following bugs:

* When using the source builtin at location ".", occasionally, bash
opted to preserve internal consistency and abort scripts. This caused
bash to abort scripts that assigned values to read-only variables.
This is now fixed to ensure that such scripts are now executed as
written and not aborted. (BZ#448508)

* When the tab key was pressed for auto-completion options for the typed
text, the cursor moved to an unexpected position on a previous line if
the prompt contained characters that cannot be viewed and a "\]". This
is now fixed to retain the cursor at the expected position at the end of
the target line after autocomplete options correctly display. (BZ#463880)

* Bash attempted to interpret the NOBITS .dynamic section of the ELF
header. This resulted in a "^D: bad ELF interpreter: No such
file or directory" message. This is fixed to ensure that the invalid
"^D" does not appear in the error message. (BZ#484809)

* The $RANDOM variable in Bash carried over values from a previous
execution for later jobs. This is fixed and the $RANDOM variable
generates a new random number for each use. (BZ#492908)

* When Bash ran a shell script with an embedded null character, bash's
source builtin parsed the script incorrectly. This is fixed and
bash's source builtin correctly parses shell script null characters.
(BZ#503701)

* The bash manual page for "trap" did not mention that signals ignored upon
entry cannot be listed later. The manual page was updated for this update
and now specifically notes that "Signals ignored upon entry to the shell
cannot be trapped, reset or listed". (BZ#504904)

* Bash's readline incorrectly displayed additional text when resizing
the terminal window when text spanned more than one line, which caused
incorrect display output. This is now fixed to ensure that text in more
than one line in a resized window displays as expected. (BZ#525474)

* Previously, bash incorrectly displayed "Broken pipe" messages for
builtins like "echo" and "printf" when output did not succeed due to
EPIPE. This is fixed to ensure that the unnecessary "Broken pipe"
messages no longer display. (BZ#546529)

* Inserts with the repeat function were not possible after a deletion in
vi-mode. This has been corrected and, with this update, the repeat function
works as expected after a deletion. (BZ#575076)

* In some situations, bash incorrectly appended "/" to files instead of
just directories during tab-completion, causing incorrect
auto-completions. This is fixed and auto-complete appends "/" only to
directories. (BZ#583919)

* Bash had a memory leak in the "read" builtin when the number of fields
being read was not equal to the number of variables passed as arguments,
causing a shell script crash. This is fixed to prevent a memory leak and
shell script crash. (BZ#618393)

* /usr/share/doc/bash-3.2/loadables in the bash package contained source
files which would not build due to missing C header files. With this
update, the unusable (and unbuildable) source files were removed from the
package. (BZ#663656)

This update also adds the following enhancement:

* The system-wide "/etc/bash.bash_logout" bash logout file is now enabled.
This allows administrators to write system-wide logout actions for all
users. (BZ#592979)

Users of bash are advised to upgrade to this updated package, which
contains backported patches to resolve these issues and add this
enhancement.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

448508 - Parsing of {} broken; breaks startup scripts
463880 - bash completion in UTF8 locale has cursor positioning errors with long $PS1
475474 - CVE-2008-5374 bash: Insecure temporary file use in aliasconv.sh, aliasconv.bash, cshtobash (symlink attack)
484809 - [RHEL5] bash includes Control-D in "bad ELF interpreter" message
492908 - $RANDOM value remains the same
503701 - Cannot process scripts beyond an embedded NULL character when running in 'source' mode
504904 - trap -p not displaying ignored signal when run from child bash
525474 - bash/readline not detecting window resize properly
583919 - tab-completion appends slash to non-directories
592979 - system global bash.bash_logout is diabled in config-top.h
618393 - memory leak in bash reading files
663656 - Unusable loadables in /doc

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/bash-3.2-32.el5.src.rpm

i386:
bash-3.2-32.el5.i386.rpm
bash-debuginfo-3.2-32.el5.i386.rpm

x86_64:
bash-3.2-32.el5.x86_64.rpm
bash-debuginfo-3.2-32.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/bash-3.2-32.el5.src.rpm

i386:
bash-3.2-32.el5.i386.rpm
bash-debuginfo-3.2-32.el5.i386.rpm

ia64:
bash-3.2-32.el5.i386.rpm
bash-3.2-32.el5.ia64.rpm
bash-debuginfo-3.2-32.el5.i386.rpm
bash-debuginfo-3.2-32.el5.ia64.rpm

ppc:
bash-3.2-32.el5.ppc.rpm
bash-debuginfo-3.2-32.el5.ppc.rpm

s390x:
bash-3.2-32.el5.s390x.rpm
bash-debuginfo-3.2-32.el5.s390x.rpm

x86_64:
bash-3.2-32.el5.x86_64.rpm
bash-debuginfo-3.2-32.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2008-5374.html
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFOKCw3XlSAg2UNWIIRArwvAJ9JNXfDUEPE4WBoXAl87SjLpXU2NgCgpMxt
sjSMOq2nb017SKjNDrKey0U=
=hzBD
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close