SB2016110829 - Command injection in bash (Alpine package)
Published: November 8, 2016
Security Bulletin ID: SB2016110829
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Code execution
Description
This security bulletin contains information about 1 security vulnerability.
1) Command injection (CVE-ID: CVE-2016-7543)
The vulnerability allows a local attacker to execute arbitrary commands on the target system.
The weakness exists due to insufficient validation of user-supplied input. A local attacker can supply specially crafted SHELLOPTS and PS4 environment variables to inject and execute arbitrary commands with root privileges.
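The environment variables named above only matter when they reach a bash process that runs with more privilege than the caller (the bulletin's "root privileges"). Installing the fixed package is the remediation; as a defence-in-depth check, a privileged wrapper should also refuse to pass shell-controlling variables across the privilege boundary. The following is an added example, not code from the bulletin or from Alpine: the variable names SHELLOPTS and PS4 come from the advisory, while the helper names and the list layout are assumptions made here. It relies on `env -u`, which GNU coreutils and BusyBox both provide.

```shell
#!/bin/sh
# Added example (not from the bulletin): strip the shell-controlling
# variables the advisory names before running a command that may end up
# in a more privileged bash. Helper names are assumptions.

# Variables the advisory identifies as attacker-supplied input.
DANGEROUS_VARS="SHELLOPTS PS4"

# scrubbed_env_args: print "-u NAME" pairs for env(1), one per variable,
# so the child never inherits them regardless of what the caller exported.
scrubbed_env_args() {
    for v in $DANGEROUS_VARS; do
        printf '%s %s ' -u "$v"
    done
}

# run_without_shell_controls CMD [ARGS...]: execute CMD with the listed
# variables removed from its environment. Word splitting of the helper's
# output is intentional: it yields "-u SHELLOPTS -u PS4".
run_without_shell_controls() {
    # shellcheck disable=SC2046
    env $(scrubbed_env_args) "$@"
}

# inherited_shell_controls: list which of the dangerous variables are
# currently exported, i.e. would be inherited by a child started without
# the wrapper. Useful when auditing an existing privileged script.
inherited_shell_controls() {
    for v in $DANGEROUS_VARS; do
        if env | grep -q "^$v="; then
            printf '%s\n' "$v"
        fi
    done
}

# count_exported_in_child: number of dangerous variables a child started via
# the wrapper still sees (expected: 0). Returns the count on stdout.
count_exported_in_child() {
    run_without_shell_controls sh -c '
        n=0
        for v in SHELLOPTS PS4; do
            if env | grep -q "^$v="; then n=$((n + 1)); fi
        done
        echo "$n"'
}
```

To audit a setuid or sudo-invoked script, run `inherited_shell_controls` from the caller's environment first; anything it prints is a variable the wrapper must drop. `count_exported_in_child` shows the wrapper's effect and should always report 0.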
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=a8d4c6b2ae3c6a9fab61de635621692ded81feac
- https://git.alpinelinux.org/aports/commit/?id=630926c392b8eb520465b96ba0171e7c60b1b26d
- https://git.alpinelinux.org/aports/commit/?id=5e512d21e6544cb8588b5836937faa98bfc0f57a
- https://git.alpinelinux.org/aports/commit/?id=891d75f26c0329dc70c7fbefeeaf6756bcf9bcff
- https://git.alpinelinux.org/aports/commit/?id=d198fd6c88ffb4b71426140ab49c88545bab4297
- https://git.alpinelinux.org/aports/commit/?id=10b14aa5a6cca577a3b339f7183c0b772de664ea
- https://git.alpinelinux.org/aports/commit/?id=38eb1971090dee7ec5924cfec648274e021800f9