From 5418a65b77cf33e078fdb64da876204fd0b3103c Mon Sep 17 00:00:00 2001
From: Chet Ramey
Date: Mon, 25 Nov 2019 02:05:27 +0100
Subject: bash: BASH_CMD is writable in restricted bash shells

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Fixes CVE-2019-9924
Change-Id: I1276b0920e28edd2096c3e9a346ce1d79304a66b
---
 variables.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/variables.c b/variables.c
index f816ffe..b059b1a 100644
--- a/variables.c
+++ b/variables.c
@@ -1601,6 +1601,13 @@ assign_hashcmd (self, value, ind, key)
 arrayind_t ind;
 char *key;
 {
+#if defined (RESTRICTED_SHELL)
+ if (restricted && strchr (value, '/'))
+ {
+ sh_restricted (value);
+ return (SHELL_VAR *)NULL;
+ }
+#endif
 phash_insert (key, value, 0, 0);
 return (build_hashcmd (self));
 }
-- 
cgit v1.2.3
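Review bot: The new guard in assign_hashcmd rejects only values that contain a '/', so in a restricted shell a slash-free value still reaches `phash_insert (key, value, 0, 0)` without any check that it resolves through $PATH to an executable. A restricted shell should hash only what its own command lookup would find, so I would nest the slash test under `if (restricted)` and add a $PATH lookup that refuses the assignment when the name does not resolve, as sketched below. The sketch assumes the findcmd helpers and sh_notfound are visible in variables.c, which should be confirmed. `strchr` is also called on `value` unchecked, so it is worth confirming that no caller can pass NULL. The start of the function (the `self` and `value` declarations) lies above the hunk.

```c
#if defined (RESTRICTED_SHELL)
  char *full_path;

  if (restricted)
    {
      if (strchr (value, '/'))
        {
          sh_restricted (value);
          return (SHELL_VAR *)NULL;
        }
      /* Only hash names that a $PATH search resolves to an executable file. */
      full_path = find_user_command (value);
      if (full_path == 0 || *full_path == 0 || executable_file (full_path) == 0)
        {
          sh_notfound (value);
          free (full_path);
          return (SHELL_VAR *)NULL;
        }
      free (full_path);
    }
#endif
  /* … unchanged: phash_insert and build_hashcmd calls … */
```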