CVE-2010-0002

2022-10-0316:21:13

Debian Security Bug Tracker

security-tracker.debian.org

mandriva bash package

bash 2.05b

3.0

3.2

3.2.48

4.0

local users

escape sequences

terminal emulators

crafted filename

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

0.0004 Low

EPSS

Percentile

16.2%

JSON

The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename.

OSVersionArchitecturePackageVersionFilename
Debian12allbash< 5.2.15-2bash_5.2.15-2_all.deb
Debian11allbash< 5.1-2+deb11u1bash_5.1-2+deb11u1_all.deb
Debian999allbash< 5.2.21-2.1bash_5.2.21-2.1_all.deb
Debian13allbash< 5.2.21-2.1bash_5.2.21-2.1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	bash	< 5.2.15-2	bash_5.2.15-2_all.deb
Debian	11	all	bash	< 5.1-2+deb11u1	bash_5.1-2+deb11u1_all.deb
Debian	999	all	bash	< 5.2.21-2.1	bash_5.2.21-2.1_all.deb
Debian	13	all	bash	< 5.2.21-2.1	bash_5.2.21-2.1_all.deb