Unfixed Code Execution Vulnerability CVE-2016-7543

Bug #1689304 reported by Luminousbit on 2017-05-08
This bug affects 3 people
Affects: bash (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

I think I must be missing something:

CVE-2016-7543 is a high-impact code execution vulnerability for bash.

https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7543.html is listed as needed for Precise/Trusty/Xenial.

The patch has been released for a few months, and is available as an upstream package in Debian: https://security-tracker.debian.org/tracker/CVE-2016-7543

But I can't find any tracking of whether Canonical maintainers will or intend to release an updated package for the supported operating systems. I thought maybe it was fixed in a later release or is otherwise deemed to be not-applicable. But as far as I can tell, the issue is still open.

An open high danger (CVSS 3 Score: 8.4) CVE shows up on all our security scans. Is there any sanctioned way to address this? Is an updated package planned?

-- I previously asked this as a question and was told to report a security bug: https://answers.launchpad.net/ubuntu/+source/bash/+question/631268

CVE References

Luminousbit (j-ubuntr-9) on 2017-05-08
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bash (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 4.3-15ubuntu1.1

---------------
bash (4.3-15ubuntu1.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers <email address hidden> Tue, 16 May 2017 07:44:56 -0400

Changed in bash (Ubuntu):
status: Confirmed → Fix Released