[Bug 1689304] Re: Unfixed Code Execution Vulnerability CVE-2016-7543

Launchpad Bug Tracker 1689304 at bugs.launchpad.net
Wed May 17 16:53:29 UTC 2017 

This bug was fixed in the package bash - 4.3-15ubuntu1.1

---------------
bash (4.3-15ubuntu1.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Tue, 16 May 2017
07:44:56 -0400

** Changed in: bash (Ubuntu)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-0634

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-9401

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1689304

Title:
  Unfixed Code Execution Vulnerability CVE-2016-7543

Status in bash package in Ubuntu:
  Fix Released

Bug description:
  I think I must be missing something:

  CVE-2016-7543 is a high-impact code execution vulnerability for bash.

  https://people.canonical.com/~ubuntu-
  security/cve/2016/CVE-2016-7543.html Is listed as needed for
  Precise/Trusty/Xenial.

  The patch has been released for a few months, and is available as an
  upstream package in debian: https://security-
  tracker.debian.org/tracker/CVE-2016-7543

  But I can't find any tracking of whether Canonical maintainers will or
  intend to release an updated package for the supported operating
  systems. I thought maybe it was fixed in a later release or is
  otherwise deemed to be not-applicable. But as far as I can tell, the
  issue is still open.

  An open high danger (CVSS 3 Score: 8.4) CVE shows up on all our
  security scans. Is there any sanctioned way to address this? Is an
  updated package planned?

  -- I previously asked this as a question and was told to report a
  security bug:
  https://answers.launchpad.net/ubuntu/+source/bash/+question/631268

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1689304/+subscriptions

More information about the foundations-bugs mailing list