BASH PATCH REPORT ================= Bash-Release: 4.3 Patch-ID: bash43-048 Bug-Reported-by: up201407890@alunos.dcc.fc.up.pt Bug-Reference-ID: <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2015-12/msg00054.html Bug-Description: If a malicious user can inject a value of $SHELLOPTS containing `xtrace' and a value for $PS4 that includes a command substitution into a shell running as root, bash will expand the command substitution as part of expanding $PS4 when it executes a traced command. Patch (apply with `patch -p0'): *** ../bash-4.3-patched/variables.c 2015-11-26 12:31:21.000000000 -0500 --- variables.c 2015-12-23 10:19:01.000000000 -0500 *************** *** 496,500 **** set_if_not ("PS2", secondary_prompt); } ! set_if_not ("PS4", "+ "); /* Don't allow IFS to be imported from the environment. */ --- 496,504 ---- set_if_not ("PS2", secondary_prompt); } ! ! if (current_user.euid == 0) ! bind_variable ("PS4", "+ ", 0); ! else ! set_if_not ("PS4", "+ "); /* Don't allow IFS to be imported from the environment. */ *** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500 --- patchlevel.h 2014-03-20 20:01:28.000000000 -0400 *************** *** 26,30 **** looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 47 #endif /* _PATCHLEVEL_H_ */ --- 26,30 ---- looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 48 #endif /* _PATCHLEVEL_H_ */