Bug 223963 - .bash_logout: use full path for 'clear'
Summary: .bash_logout: use full path for 'clear'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bash
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Janousek
QA Contact: Chris Ward
URL:
Whiteboard:
Depends On: 380421
Blocks:
Reported: 2007-01-23 11:26 UTC by Tim Waugh
Modified: 2008-05-21 15:35 UTC (History)

Fixed In Version: RHBA-2008-0380
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 15:35:58 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0380 normal SHIPPED_LIVE bash bug fix update 2008-05-20 16:48:21 UTC

Description Tim Waugh 2007-01-23 11:26:56 UTC
+++ This bug was initially created as a clone of Bug #223960 +++

Description of problem:
/etc/skel/.bash_logout invokes "clear"

i.e. "clear" is being searched on $PATH.
This breaks if users screw up their $PATH. 

IMO, this should be /usr/bin/clear instead.

Version-Release number of selected component (if applicable):
bash-3.1-16.1

How reproducible:
Deterministic.

Steps to Reproduce:
1. copy /etc/skel/.bash_logout to $(HOME):
cp /etc/skel/.bash_logout ~

2. Break your $PATH, e.g.
export PATH=/foo/bar:PATH
[A classical typo users trip into when modifying $PATH]

3. logout:
exit
  
Actual results:
> exit
logout
-bash: clear: command not found

Expected results:
Function.

Additional info:
IMO, this also is a security leak. "clear" is too common a name to search for on
$PATH.
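
Added example, not part of the original report or of the bash package: a POSIX shell sketch that replays the reported PATH typo and shows why a bare `clear` in .bash_logout depends on every PATH entry, while an absolute path does not. The helper names `split_path`, `audit_path` and `lookup` are hypothetical; the PATH value and command name are the ones from the report.

```shell
#!/bin/sh
# split_path PATHSTRING: one entry per line; empty entries are kept because
# the shell treats an empty PATH entry as the current directory.
split_path() (
    set -f              # no globbing while splitting
    p=$1:               # sentinel ":" so a trailing empty entry survives
    IFS=:
    for entry in $p; do printf '%s\n' "$entry"; done
)

# audit_path PATHSTRING: report entries that make bare-name lookups unreliable.
audit_path() {
    split_path "$1" | while IFS= read -r entry; do
        case $entry in
            '') echo "empty-entry (searches current directory)" ;;
            /*) if [ ! -d "$entry" ]; then echo "missing $entry"; fi ;;
            *)  echo "relative $entry (resolved against current directory)" ;;
        esac
    done
}

# lookup PATHSTRING NAME: search the entries in order, as the shell does for a
# bare command name. Prints the first executable match; returns 1 if none
# ("command not found").
lookup() {
    found=$(split_path "$1" | while IFS= read -r entry; do
        candidate=${entry:-.}/$2
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            break
        fi
    done)
    if [ -n "$found" ]; then printf '%s\n' "$found"; else return 1; fi
}

# Values from the report: the typo'd PATH and the command .bash_logout runs.
broken='/foo/bar:PATH'
audit_path "$broken"
if lookup "$broken" clear >/dev/null; then
    echo "clear: resolved through PATH"
else
    echo "clear: command not found under PATH=$broken"
fi
```

The audit flags the literal entry `PATH` as relative: with the typo, a bare `clear` is looked up in a directory named `PATH` under whatever the current directory is at logout.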

Comment 1 RHEL Product and Program Management 2007-01-23 11:40:35 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 2 Florian La Roche 2007-01-24 11:32:34 UTC
Moving onto the 5.1 list.

regards,

Florian La Roche


Comment 3 Daniel Riek 2007-03-15 18:48:57 UTC
Clearing left-over pm_ack

Comment 4 Lubomir Kundrak 2007-03-28 11:40:11 UTC
I disagree that this is a security issue. clear is _not_ guaranteed to
clear a scrollback buffer, nor does it do so on Linux console, nor are terminals
required to be able to do it. Removing Security keyword.

Comment 5 RHEL Product and Program Management 2007-06-05 20:40:33 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Since this
bugzilla is in a component that is not approved for the current
release, it has been closed with resolution deferred.  You may
reopen this bugzilla for consideration in the next release.

Comment 6 Tim Waugh 2007-06-06 08:35:28 UTC
Proposing for RHEL-5.2.0.

Comment 7 RHEL Product and Program Management 2007-10-16 04:05:46 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 12 errata-xmlrpc 2008-05-21 15:35:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0380.html


