Your message dated Thu, 25 Sep 2014 22:48:37 +0000
with message-id <e1xxhq1-00007x...@franck.debian.org>
and subject line Bug#762760: fixed in bash 4.1-3+deb6u2
has caused the Debian Bug report #762760,
regarding Re: Bug#762760: bash: CVE-2014-7169 due to incomplete fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
762760: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762760
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bash
Version: 4.2+dfsg-0.1+deb7u1
Severity: critical
Tags: security

As Tavis Ormandy has tweeted[0], the existing patch is not sufficient to
solve the problem:

    vauxhall ok % dpkg -l bash | grep ^ii; rm -f echo; env X='() { (a)=>\' bash -c "echo date"; cat echo
    ii  bash  4.2+dfsg-0.1+deb7u1  amd64  GNU Bourne Again SHell
    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    Wed Sep 24 23:32:32 UTC 2014

This means all Debian systems are still vulnerable, as bash is an
essential package.

[0] https://twitter.com/taviso/status/514887394294652929

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bash depends on:
ii  base-files   7.5
ii  dash         0.5.7-4
ii  debianutils  4.4
ii  libc6        2.19-11
ii  libtinfo5    5.9+20140913-1

Versions of packages bash recommends:
pn  bash-completion  <none>

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
--- End Message ---
--- Begin Message ---
Source: bash
Source-Version: 4.1-3+deb6u2

We believe that the bug you reported is fixed in the latest version of
bash, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 762...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated bash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 26 Sep 2014 00:10:13 +0200
Source: bash
Binary: bash bash-static bash-builtins bash-doc bashdb
Architecture: source all amd64
Version: 4.1-3+deb6u2
Distribution: squeeze-lts
Urgency: high
Maintainer: Matthias Klose <d...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
 bash          - The GNU Bourne Again SHell
 bash-builtins - Bash loadable builtins - headers & examples
 bash-doc      - Documentation and examples for the The GNU Bourne Again SHell
 bash-static   - The GNU Bourne Again SHell (static version)
 bashdb        - The GNU Bourne Again SHell Debugger
Closes: 762760 762761
Changes:
 bash (4.1-3+deb6u2) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add variables-affix.patch patch. Apply patch from Florian Weimer to add
     prefix and suffix for environment variable names which contain shell
     functions.
   * Add parser-oob.patch patch. Fixes two out-of-bound array accesses in
     the bash parser.
   * Add CVE-2014-7169.diff diff. CVE-2014-7169: Incomplete fix for
     CVE-2014-6271.
     (Closes: #762760, #762761)
--- End Message ---
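As an added example (not part of the bug report or of the Debian upload above), the following POSIX sh script checks the two things this thread turns on: whether the local bash still imports functions from arbitrarily named environment variables or now uses the affixed names that the variables-affix fix introduces, and whether the CVE-2014-7169 regression test from the bug report still leaves a file behind. It assumes a bash binary on PATH (override with BASH_BIN); the two affixed name forms it looks for, BASH_FUNC_name%% (later upstream bash) and BASH_FUNC_name() (the Weimer prefix/suffix variant), are assumptions and not taken from the page.

```shell
#!/bin/sh
# Added example, not from the Debian upload: report how the local bash
# handles function export/import after the CVE-2014-7169 fix.
# Assumption: a bash binary on PATH (override with BASH_BIN).
BASH_BIN="${BASH_BIN:-bash}"

# Export a function from a child bash and look at how it shows up in env.
# Prints one of: affixed-upstream, affixed-debian, bare, none.
# The two affixed name forms are assumptions about the fix, not page text.
exported_function_form() {
    envdump=$("$BASH_BIN" -c 'probe() { :; }; export -f probe; env' 2>/dev/null) || envdump=""
    if printf '%s\n' "$envdump" | grep -q '^BASH_FUNC_probe%%='; then
        echo affixed-upstream          # later upstream bash naming
    elif printf '%s\n' "$envdump" | grep -q '^BASH_FUNC_probe()='; then
        echo affixed-debian            # prefix/suffix naming from the Weimer patch
    elif printf '%s\n' "$envdump" | grep -q '^probe=() {'; then
        echo bare                      # pre-fix: any variable name can carry a function
    else
        echo none                      # export failed or bash not found
    fi
}

# Run the regression test from the bug report inside a throwaway directory:
# a bash with the incomplete fix leaves a file named "echo" behind.
# Prints: fixed, vulnerable, or missing (no bash found).
cve_2014_7169_status() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo missing; return 1; }
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c "echo date" ) >/dev/null 2>&1 || true
    if [ -e "$dir/echo" ]; then status=vulnerable; else status=fixed; fi
    rm -rf "$dir"
    echo "$status"
}

# One-line summary, e.g. "export=affixed-upstream cve-2014-7169=fixed".
report() {
    echo "export=$(exported_function_form) cve-2014-7169=$(cve_2014_7169_status)"
}

report
```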