Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#3680 closed defect (fixed)

bash security hole

Reported by: Thierry Nuttens Owned by: Armin
Priority: high Milestone: 7.7
Component: Book Version: SVN
Severity: critical Keywords:
Cc:

Description

They found a new big security hole in bash

http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCPOlRYkVxF

I did not find any patch yet

Regards

Thierry

Change History (7)

comment:1 by aeon, 7 years ago

For now you can download: http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025

Do the patch that is suggested at the bash page here

patch -Np1 -i ../bash-4.3-upstream_fixes-3.patch

then apply the patch from the bash download page

patch -Np0 -i ../bash43-025

and then the rest of procedure.

comment:2 by Armin, 7 years ago

Priority: normalhigh
Type: taskdefect

Patch 025 is an incomplete fix for the issue. New CVE entry has been filled for that:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://access.redhat.com/security/cve/CVE-2014-7169

After that has been settled we should update the errata for at least 2 current LFS releases.

comment:3 by bdubbs@…, 7 years ago

I built bash with the -25 patch. Without the patch I ran:

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

With the patch I get:

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

I would be easy enough to update bash-4.3-upstream_fixes-3.patch.

A better example is:

$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && 
echo "still vulnerable :("
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
still vulnerable :(

$ bash --version |head -n1
GNU bash, version 4.3.25(1)-release (x86_64-unknown-linux-gnu)

I think I'll wait for upstream because we don't want two fixes, especially if the first one is incomplete.

comment:4 by Armin, 7 years ago

I see that Archlinux has patch 026 too but I don't see it in bash-4.3-patches @ ftp.gnu.org. It is, however, formatted as the ussual bash patches are. There are also two separate fixes for the second CVE entry. Fedora has 2 similar (or same, more or less) and one more (one line change). So I don't really know what should be done.

I could easily squash all of them into one patch.

Thoughts?

comment:5 by Armin, 7 years ago

Owner: changed from lfs-book@… to Armin
Status: newassigned

comment:6 by Armin, 7 years ago

Resolution: fixed
Status: assignedclosed
$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
echo vuln
cat: echo: No such file or directory

$ bash --version
GNU bash, version 4.3.26(1)-release (x86_64-unknown-linux-gnu)

Fixed in LFS Development and LFS systemd Development versions at r10764.

comment:7 by bdubbs@…, 7 years ago

Fixed at revision 10764 with bash-4.3-upstream_fixes-4.patch

Note: See TracTickets for help on using tickets.