ALT-PU-2018-2880-3

BDU:2019-01405

HIGH7.8

Уязвимость ограниченного командного интерпретатора rbash командной оболочки Bash, позволяющая нарушителю выполнить произвольные команды

Опубликовано: 2019-04-17Изменено: 2021-03-23

CVSS 3.xВЫСОКАЯ 7.8

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0ВЫСОКАЯ 7.2

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C

Ссылки

CVE-2019-9924

CVE-2012-6711

HIGH7.8

A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the "echo -e" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().

Опубликовано: 2019-06-18Изменено: 2024-11-21

CVSS 2.0СРЕДНЯЯ 4.6

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xВЫСОКАЯ 7.8

CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2016-7543

HIGH8.4

Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.

Опубликовано: 2017-01-19Изменено: 2025-04-20

CVSS 2.0ВЫСОКАЯ 7.2

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS 3.xВЫСОКАЯ 8.4

CVSS:3.x/CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2016-9401

MEDIUM5.5

popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.

Опубликовано: 2017-01-23Изменено: 2025-08-06

CVSS 2.0НИЗКАЯ 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xСРЕДНЯЯ 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Ссылки

CVE-2019-9924

HIGH7.8

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Опубликовано: 2019-03-22Изменено: 2024-11-21

CVSS 2.0ВЫСОКАЯ 7.2

CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS 3.xВЫСОКАЯ 7.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

Обновление пакета bash4 в ветке sisyphus

Закрытые проблемы (5)

Уязвимость ограниченного командного интерпретатора rbash командной оболочки Bash, позволяющая нарушителю выполнить произвольные команды

Bash before 4.4 allows local users to execute arbitrary commands with root privileges via crafted SHELLOPTS and PS4 environment variables.

popd in bash might allow local users to bypass the restricted shell and cause a use-after-free via a crafted address.

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Закрытые ошибки (3)

bash4.info is not seen in the catalogue

sh4 --rpm-requires segfaults in the new version (4.3.42)

Обновить bash4 до версии 4.4