Unfixed Code Execution Vulnerability CVE-2016-7543

Bug #1689304 reported by Luminousbit
This bug affects 3 people
Affects        Status        Importance   Assigned to   Milestone
bash (Ubuntu)  Fix Released  Undecided    Unassigned

Bug Description

I think I must be missing something:

CVE-2016-7543 is a high-impact code execution vulnerability for bash.

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7543.html is listed as needed for Precise/Trusty/Xenial.

The patch has been released for a few months, and is available as an upstream package in Debian: https://security-tracker.debian.org/tracker/CVE-2016-7543

But I can't find any tracking of whether Canonical maintainers will or intend to release an updated package for the supported operating systems. I thought maybe it was fixed in a later release or is otherwise deemed to be not-applicable. But as far as I can tell, the issue is still open.

An open high danger (CVSS 3 Score: 8.4) CVE shows up on all our security scans. Is there any sanctioned way to address this? Is an updated package planned?

-- I previously asked this as a question and was told to report a security bug: https://answers.launchpad.net/ubuntu/+source/bash/+question/631268

Luminousbit (j-ubuntr-9)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bash (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 4.3-15ubuntu1.1

---------------
bash (4.3-15ubuntu1.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers <email address hidden> Tue, 16 May 2017 07:44:56 -0400

Changed in bash (Ubuntu):
status: Confirmed → Fix Released