On 09/26/2014 10:27 AM, Brady Cummings wrote:
> Bash Maintainers,
>
> Bash Version : GNU bash, version 4.3.25(2)-release (i686-pc-linux-gnu)
> OS Version : Fedora release 8
> Processor : Intel Atom D425 1.8GHz Single-core
> RAM : 1GB
> Compilation Flags : Defaults (compiles fine)
>
> Bug: Exploit 2 (CVE-2014-7169) still exists 4.3.25(2) version when compiled
> in Fedora Core 8.
Yes. We know. Chet will shortly be publishing 4.3.26:
http://www.openwall.com/lists/oss-security/2014/09/26/1

Meanwhile, I _highly_ recommend this additional patch:
http://www.openwall.com/lists/oss-security/2014/09/25/13
as it will also make you immune to CVE-2014-7186 and CVE-2014-7187, at
least from the perspective that arbitrary variable assignments can no
longer trigger those crashes (even if your bash in isolation is still
buggy, the point of the patch is to put exported variables in a
different namespace than normal shell variables, and also has the
benefit of making bash no longer violate POSIX with regards to
exporting normal variables with arbitrary contents).

I have not yet seen one-liner formulas to probe whether your build of
bash is vulnerable to those two CVEs through environment variables, but
as those parser bugs are public, here goes my attempt:

$ env 'f=() { true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ~/bash/bash -c 'echo hi'
Segmentation fault (core dumped)

Although my formula only triggers a core dump, I suspect it's only a
matter of time before someone figures out how to convert that core dump
into a heap corruption that can be exploited into full arbitrary code
execution.

Contrast that to what happens for an immune build, such as the bash on
my recently-updated Fedora 20 box:

$ echo $BASH_VERSION
4.2.47(1)-release
bash: f: line 2: syntax error: unexpected end of file
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
...
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
bash: error importing function definition for `f'
hi

For more details on these two:
http://www.openwall.com/lists/oss-security/2014/09/25/32

> This message is for the named person's use only. You must not, directly or
> indirectly, use,

Sorry, but this is a publicly archived list. Your employer's legalese
blurb is unenforceable here.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
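The following script is an added example and is not part of the mailing-list message above nor of the bash project. It turns the reply's point into a repeatable local check: does a given bash binary still import a shell function from an arbitrarily named exported variable (the unpatched behaviour), does it instead only honour a dedicated namespace for exported functions (the behaviour the linked patch introduces), and does the here-document probe from the reply crash it. The two namespaced variable names it tries (`BASH_FUNC_f()` as used by the distro patch of that era, and `BASH_FUNC_f%%` as used by later upstream releases) are assumptions drawn from outside this message, not something the reply states; the here-document payload is copied from the reply. Results are reported as short strings so the script can be used from another shell without parsing bash's diagnostics.

```shell
#!/bin/sh
# Added example, not code from the thread or from bash itself.
# Each probe prints exactly one word so callers can branch on it.

# Usage: probe_plain_import [path-to-bash]
# Prints: no-bash | vulnerable | immune
# Exports a plain variable "f" whose value looks like a function body.
# An unpatched bash silently turns it into a function; a patched one
# leaves it as ordinary data, so "declare -F f" fails.
probe_plain_import() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 0; }
    if env 'f=() { :; }' "$bash_bin" -c 'declare -F f' >/dev/null 2>&1; then
        echo vulnerable
    else
        echo immune
    fi
}

# Usage: probe_namespaced_import [path-to-bash]
# Prints: no-bash | none | <variable name that was honoured>
# Tries the dedicated exported-function namespaces (assumed names, see
# lead-in). A bash carrying the namespace patch imports "f" only from
# one of these, never from a bare "f".
probe_namespaced_import() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 0; }
    for name in 'BASH_FUNC_f%%' 'BASH_FUNC_f()'; do
        if env "$name=() { :; }" "$bash_bin" -c 'declare -F f' >/dev/null 2>&1; then
            echo "$name"
            return 0
        fi
    done
    echo none
}

# Usage: probe_heredoc_crash [path-to-bash]
# Prints: no-bash | crash | ok
# Runs the here-document probe from the reply. A parser crash shows up
# as a signal exit status (128 + signal number); a parse error or a
# refusal to import the function exits below 128.
probe_heredoc_crash() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo no-bash; return 0; }
    payload='() { true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
    if env "f=$payload" "$bash_bin" -c 'true' >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ge 128 ]; then
        echo crash
    else
        echo ok
    fi
}

# Constructed usage: report on whichever bash is first on PATH.
echo "plain import:      $(probe_plain_import bash)"
echo "namespaced import: $(probe_namespaced_import bash)"
echo "heredoc probe:     $(probe_heredoc_crash bash)"
```

Run it as `sh check-bash-import.sh`, or pass a specific binary to each probe (for instance `probe_plain_import ~/bash/bash` against a freshly built tree, as the reply does). The interesting combination is `immune` together with a non-`none` namespaced result: that is a build which still exports functions, but only through a namespace that a plain environment variable cannot reach.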