FS#42109 - [bash] CVE-2014-7169, remote code execution; follow up to CVE-2014-6271

Attached to Project: Arch Linux
Opened by Doug Newgard (Scimmia) - Thursday, 25 September 2014, 03:18 GMT
Last edited by Felix Yan (felixonmars) - Friday, 26 September 2014, 03:53 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Bartłomiej Piotrowski (Barthalion)
Felix Yan (felixonmars)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 9
Private No
This task depends upon

Closed by Felix Yan (felixonmars)
Friday, 26 September 2014, 03:53 GMT
Reason for closing: Fixed
Additional comments about closing: 4.3.026-1
Comment by georg (fordprefect) - Thursday, 25 September 2014, 09:12 GMT
There is a patch available in [0]. Also, upstream released a new patch (#025) [1].

[0] https://bugzilla.novell.com/attachment.cgi?id=606672&action=edit
[1] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
Comment by Levente Polyak (anthraxx) - Thursday, 25 September 2014, 23:47 GMT
Just some information about this one:
Looks like Debian's security team resolved this CVE by applying a non-upstream patch from Chet Ramey [0].
Additionally, they applied fixes [1] for two out-of-bounds array accesses [2] (which do not yet have a CVE assigned).

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762760#16
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762760#51
[2] http://www.openwall.com/lists/oss-security/2014/09/25/32