Re: Bash-4.3 Official Patch 25

2014-09-26 Thread Eric Blake
On 09/26/2014 06:05 AM, Greg Wooledge wrote: > HP-UX 10.20 (which is from 1994, and was end-of-lifed many years ago) > only has a Bourne shell in /usr/old/bin/sh. It's not used in normal > operations. The /bin/sh on HP-UX is basically a stripped-down ksh. > > Unfortunately it's a bit tricky to

Re: Bash-4.3 Official Patch 25

2014-09-26 Thread Greg Wooledge
On Thu, Sep 25, 2014 at 07:58:56PM -0400, Chet Ramey wrote: > We used to do that, and part of the code that I removed in patch 25 > supported the original `name()=() {'. We didn't use that very long; it > turns out that the Bourne shell (and others, at that time) dumps core on > malformed environm

Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)

2014-09-26 Thread Ralf Naegele
- SOFT/LAN > To: Ralf Naegele > Cc: "Eduardo A. Bustamante López" , bug-bash@gnu.org > Subject: Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271) > > On 26/09/2014 08:23, Ralf Naegele wrote: > > Hello Eduardo, > > > > I haven't installed th

Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)

2014-09-25 Thread Ralf Naegele
ing: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test Regards, Ralf On Thu, 25 Sep 2014, Greg Wooledge wrote: > Date: Thu, 25 Sep 2014 16:52:19 -0400 > From: Greg Wooledge > To: ralf.naeg...@she.net > Cc: bug-bash@gnu.org >

Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)

2014-09-25 Thread Alexandre FERRIEUX - SOFT/LAN
On 26/09/2014 08:23, Ralf Naegele wrote: Hello Eduardo, I haven't installed the patched bash yet. I called it in the source directory after compiling, it with ./bash so I think this should start the patched bash. You started ./bash as the parent reading the offending line, but did you also mo

Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)

2014-09-25 Thread Ralf Naegele
0 > From: Eduardo A. Bustamante López > To: ralf.naeg...@she.net > Cc: bug-bash@gnu.org > Subject: Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271) > > On Thu, Sep 25, 2014 at 05:33:38PM +0200, ralf.naeg...@she.net wrote: > > Hello, > > > > I'

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread mark
On Friday, September 26, 2014 9:58:56 AM UTC+10, Chet Ramey wrote: > On 9/24/14, 5:38 PM, Eric Blake wrote: > > > > > and I'd feel much more comfortable with exporting f()=... as the > > > backdoor for passing the function definition, _particularly_ since the > > > shell already allows functio

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Eric Blake
On 09/25/2014 05:58 PM, Chet Ramey wrote: > On 9/24/14, 5:38 PM, Eric Blake wrote: > >> and I'd feel much more comfortable with exporting f()=... as the >> backdoor for passing the function definition, _particularly_ since the >> shell already allows functions and variables to co-exist: > > We us

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Chet Ramey
On 9/24/14, 5:38 PM, Eric Blake wrote: > and I'd feel much more comfortable with exporting f()=... as the > backdoor for passing the function definition, _particularly_ since the > shell already allows functions and variables to co-exist: We used to do that, and part of the code that I removed in

Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)

2014-09-25 Thread Eduardo A. Bustamante López
On Thu, Sep 25, 2014 at 05:33:38PM +0200, ralf.naeg...@she.net wrote: > Hello, > > I've downloaded the source for bash 4.3 and all patches, patched the source > to Patch 25. > But according some description I've found (http://heise.de/-2403305 sorry, > only in German > available), you can test

Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)

2014-09-25 Thread Eric Blake
On 09/25/2014 09:33 AM, ralf.naeg...@she.net wrote: > Hello, > > I've downloaded the source for bash 4.3 and all patches, patched the source > to Patch 25. > But according some description I've found (http://heise.de/-2403305 sorry, > only in German > available), you can test with the command >

Re: Bash-4.3 Official Patch 25 Bug 896776 - (CVE-2014-6271)

2014-09-25 Thread Greg Wooledge
On Thu, Sep 25, 2014 at 05:33:38PM +0200, ralf.naeg...@she.net wrote: > env x='() { :;}; echo vulnerable' bash -c "echo this is a test" Did you *install* the patched version so that it is the first "bash" in your PATH before running this? If not, you should specify a path to bash (e.g. ./bash -c

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Jason Vas Dias
Oops, sorry, this issue is nothing to do with the bash43-025 patch - I just verified that the same issue occurs with bash 4.1.2(1) . The issue was that a script that does an 'stty' command was failing when run in a 'while read ... ' loop. It wasn't using 'stty -F', so was trying to stty on stdin,

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Andreas Schwab
Jason Vas Dias writes: > > #!/bin/bash > tty > echo $'1\n2' > test.list; > while read line; do > tty; > done < test.list > > > Its output illustrates the problem: > > > $ ./bash /tmp/t.sh > /dev/pts/6 > not a tty > not a tty > tty uses stdin, so this is the expected output. Why do you

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Greg Wooledge
On Thu, Sep 25, 2014 at 02:50:03PM +0100, Jason Vas Dias wrote: > But now there is an issue - bash seems to lose its idea of stdout / stderr > being > a terminal within read loops, as illustrated by this test script (/tmp/t.sh): > > > #!/bin/bash > tty > echo $'1\n2' > test.list; > while read l

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Jason Vas Dias
Good day Chet, bash-list - I just checked out the latest git head, applied the bash43-025 patch, and built $ ./bash --version GNU bash, version 4.3.25(3)-release (x86_64-unknown-linux-gnu) ... which PASSED its 'make check' test suite, both under Ubuntu 14.04.1 LTS and under RHEL-6.5+ , on an x

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread M1ch34lk
>Are you absolutely sure that the "bash" your command is invoking is >the patched one? You are right! I had like 4 other bash versions in my PATH So case closed... ;) Thanks! Michael

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Chet Ramey
On 9/24/14, 6:50 PM, Wesley Hirsch wrote: > Also, you can embed arguments, allowing for arbitrary execution: > > $ env -i X='() { (a)=>\' bash -c 'echo curl -s https://bugzilla.redhat.com/'; > head echo > bash: X: line 1: syntax error near unexpected token `=' > bash: X: line 1: `' This is an un

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Mark Ashley
Ah great, thanks for that...though since there's still the bug in p025 (see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 ) I'll keep spinning my wheels and watching the git branches until p026 rolls out. ta, Mark On Thu, Sep 25, 2014 at 3:55 PM, Chris F.A. Johnson wrote: > On Wed

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Chet Ramey
On 9/25/14, 9:02 AM, gnu.bash.bug wrote: > Hi, > > This patch does not seem to work on HP-UX: > > $ ./bash --version > GNU bash, version 4.3.25(1)-release (ia64-hp-hpux11.31) > Copyright (C) 2013 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread Greg Wooledge
On Thu, Sep 25, 2014 at 06:02:11AM -0700, gnu.bash.bug wrote: > Hi, > > This patch does not seem to work on HP-UX: Worked for me on 10.20. > > $ /usr/bin/env x='() { :;}; echo vulnerable' bash -c 'echo hello' > vulnerable > hello imadev:~$ uname -a HP-UX imadev B.10.20 A 9000/785 2008897791 tw

Re: Bash-4.3 Official Patch 25

2014-09-25 Thread gnu.bash.bug
Hi, This patch does not seem to work on HP-UX: $ ./bash --version GNU bash, version 4.3.25(1)-release (ia64-hp-hpux11.31) Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software; you are free to change

Re: Bash-4.3 Official Patch 25

2014-09-24 Thread Chris F.A. Johnson
On Wed, 24 Sep 2014, m...@ibiblio.org wrote: Bash-Release:4.3 Patch-ID:bash43-025 As a binary distribution archive maintainer, I'd be keen to see the authors distributing a cumulative bash-4.3p025.tar.gz source bundle (probably p026 to nail the new issues above). The ftp://ft

Re: Bash-4.3 Official Patch 25

2014-09-24 Thread mark
>Bash-Release:4.3 >Patch-ID:bash43-025 As a binary distribution archive maintainer, I'd be keen to see the authors distributing a cumulative bash-4.3p025.tar.gz source bundle (probably p026 to nail the new issues above). The ftp://ftp.cwru.edu/pub/bash site just has the main 4.

Re: Bash-4.3 Official Patch 25

2014-09-24 Thread Wesley Hirsch
Also, you can embed arguments, allowing for arbitrary execution: $ env -i X='() { (a)=>\' bash -c 'echo curl -s https://bugzilla.redhat.com/'; head echo bash: X: line 1: syntax error near unexpected token `=' bash: X: line 1: `' bash: error importing function definition for `X' http://www.w3.org/

Re: Bash-4.3 Official Patch 25

2014-09-24 Thread Ángel González
Eric Blake wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1141597 describes this bug > (aka CVE-2014-6271), and points out that even _with_ this patch, there > is still a flaw that attackers can use to overwrite portions of the > filesystem, which is also a possible exploitation avenue: > >

Re: Bash-4.3 Official Patch 25

2014-09-24 Thread Eric Blake
On 09/24/2014 08:27 AM, Chet Ramey wrote: >BASH PATCH REPORT >= > > Bash-Release: 4.3 > Patch-ID: bash43-025 > > Bug-Reported-by: Stephane Chazelas > Bug-Reference-ID: > Bug-Reference-URL: https://bugzilla.redhat.c