On 9/26/14, 12:58 PM, Alan Wild wrote:
> I've been searching for some clarification on these two "fixes" and I'm
> utterly confused. I've been led to believe RedHat's first patch (6271) is
> based on code from Chet that just causes bash to reject functions where
> code appears outside of the function body.
>
> However, this patch was labeled as "insufficient" and 7169 now appears to
> completely remove the ability to receive function definitions from the
> environment.
There is a second problem (caused by a different issue) that happens to be reachable via the same attack vector. The Red Hat patch changes the acceptable name space for function exports; it doesn't remove the ability to export shell functions.

Here's something I wrote on the issue for another mailing list:

Red Hat got impatient and is a day or two ahead of me. The patch I posted yesterday solves the underlying issue that CVE-2014-7169 exploits (leaving a stray character in a lookahead buffer). The Red Hat patch cuts off the attack vector by changing the restrictions on the namespace of functions the shell will import from the environment.

You need both: if someone finds a vector that allows them to remotely specify arbitrary environment variable names, it's easy enough to match the namespace that bash will be using, so you'd like to fix the underlying vulnerability rather than simply blocking the way to it.

I understand Red Hat's impatience: they have users with contracts to support, and they only have one version of bash to modify (as far as I know, they only support bash-4.2, but they may have bash-4.1 as well). They were able to produce a patch quickly that blocked existing attacks and they have a pipeline to distribute it. I haven't looked at their patch, so I don't know whether it includes the fix I distributed in bash43-026.

I have patches that I will package up and distribute later today that are essentially identical to Red Hat's and change the allowable function import namespace. It takes me a little while longer: I want to fix the root cause; I have to produce, at least in these cases, patches for many more versions of bash (8); and I have some backwards compatibility concerns that Red Hat has probably deemed less important than getting their fix to their customers.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
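The distinction Chet draws above, between keeping `export -f` working and refusing to import a function body stored under an arbitrary variable name, can be checked against a local bash. This is an added example, not code from the thread or from the bash project; it assumes `bash` is on `PATH` and uses the constructed function name `myfunc`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): probe how the local bash
# treats function definitions that arrive through the environment.
#
# Two properties the reply distinguishes:
#   1. a function passed with `export -f` is still visible in a child bash
#      (the feature the namespace patch keeps), and
#   2. a function body stored under an arbitrary variable name is NOT turned
#      into a function by a child bash (the vector the namespace patch cuts off).

# Returns 0 if `export -f` still carries a function into a child bash.
legit_export_works() {
    # Run the exporting side under bash so the result does not depend on /bin/sh.
    out=$(bash -c 'greet() { echo exported-ok; }; export -f greet; bash -c greet' 2>/dev/null)
    [ "$out" = "exported-ok" ]
}

# Returns 0 if a plain variable holding a function body (the pre-patch import
# syntax) is left as a variable rather than imported as a function.
# 'myfunc' is a constructed name outside any reserved export namespace.
arbitrary_name_blocked() {
    # `type` prints nothing and fails when myfunc was not defined as a function.
    out=$(env myfunc='() { echo imported; }' bash -c 'type myfunc 2>/dev/null' 2>/dev/null)
    [ -z "$out" ]
}

# One-word summary for a human reader: "patched" means the namespace
# restriction is in effect, "unpatched" means arbitrary names are imported.
namespace_status() {
    if arbitrary_name_blocked; then
        echo patched
    else
        echo unpatched
    fi
}
```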