#3680 closed defect (fixed)
bash security hole
| Reported by: | Thierry Nuttens | Owned by: | Armin |
|---|---|---|---|
| Priority: | high | Milestone: | 7.7 |
| Component: | Book | Version: | SVN |
| Severity: | critical | Keywords: | |
| Cc: |
Description
They found a new big security hole in bash
http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCPOlRYkVxF
I did not find any patch yet
Regards
Thierry
Change History (7)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
| Priority: | normal → high |
|---|---|
| Type: | task → defect |
Patch 025 is an incomplete fix for the issue. New CVE entry has been filled for that:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://access.redhat.com/security/cve/CVE-2014-7169
After that has been settled we should update the errata for at least 2 current LFS releases.
comment:3 by , 10 years ago
I built bash with the -25 patch. Without the patch I ran:
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello
With the patch I get:
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello
I would be easy enough to update bash-4.3-upstream_fixes-3.patch.
A better example is:
$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] &&
echo "still vulnerable :("
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
still vulnerable :(
$ bash --version |head -n1
GNU bash, version 4.3.25(1)-release (x86_64-unknown-linux-gnu)
I think I'll wait for upstream because we don't want two fixes, especially if the first one is incomplete.
comment:4 by , 10 years ago
I see that Archlinux has patch 026 too but I don't see it in bash-4.3-patches @ ftp.gnu.org. It is, however, formatted as the ussual bash patches are. There are also two separate fixes for the second CVE entry. Fedora has 2 similar (or same, more or less) and one more (one line change). So I don't really know what should be done.
I could easily squash all of them into one patch.
Thoughts?
comment:5 by , 10 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
OK, found the references to patches:
Will squash them into one.
comment:6 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
echo vuln
cat: echo: No such file or directory
$ bash --version
GNU bash, version 4.3.26(1)-release (x86_64-unknown-linux-gnu)
Fixed in LFS Development and LFS systemd Development versions at r10764.
For now you can download: http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
Do the patch that is suggested at the bash page here
then apply the patch from the bash download page
and then the rest of procedure.