Arch Linux

FS#42112 - [bash] CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix)

Attached to Project: Arch Linux
Opened by Peter Weber (hoschi) - Thursday, 25 September 2014, 09:13 GMT
Last edited by Allan McRae (Allan) - Thursday, 25 September 2014, 11:18 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No


Hello, the vulnerability is not fixed, as it looks like. I didn't review it, but Red Hat believes it is not fixed:

Additional info:
* package version(s): 4.3.024-2
* sources: # initially caused by 6271 # bypass existing fix # probably a fix, didn't check it

Closed by  Allan McRae (Allan)
Thursday, 25 September 2014, 11:18 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#42109 
Comment by Peter Weber (hoschi) - Thursday, 25 September 2014, 09:17 GMT
Bad timing: # there is also a fix linked, looks more mature # just as reference
Comment by Philipp (hollunder) - Thursday, 25 September 2014, 09:39 GMT
This demonstrates that the fix is insufficient:
Just try this:

    env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

This is a patch that supposedly removes the whole feature and hence should reliably fix this bug:
Comment by Peter Weber (hoschi) - Thursday, 25 September 2014, 11:03 GMT
I don't think that Arch Linux will remove an entire feature with a security update.

a) non-compatible change, affects users:
awful, breaks applications, is therefore a production show stopper
b) not a major release, by developers:
only a major release can deprecate or even remove features
c) doesn't come from upstream, policy by Arch Linux:
by policy Arch Linux uses vanilla code from upstream; exceptions are only reasonable for absolutely required changes or code which will soon be published by upstream or similar
d) workaround possible, countermeasures:
disable CGI/PHP or similar things
Comment by Allan McRae (Allan) - Thursday, 25 September 2014, 11:17 GMT
Upstream are providing the patches. So we will remove whatever they decide to.

Closing as a duplicate.
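
A defensive check related to the test quoted in the comments above, added here as an example and not part of the original thread or of bash: it reads a NUL-separated environment block (the layout of Linux's /proc/<pid>/environ) and lists the variables whose value begins with `() {`, the shape that test uses. The function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: find environment variables whose value
# begins with "() {", the function-definition shape used by the quoted test.

# Read a NUL-separated environment block on stdin and print the name of each
# variable whose value starts with "() {".
scan_environ() {
    # NUL -> newline gives one entry per line; newlines inside a value are
    # turned into spaces so a multi-line value stays a single entry.
    tr '\n\0' ' \n' | while IFS= read -r entry; do
        case $entry in
            *=*) ;;            # well-formed NAME=VALUE
            *) continue ;;     # skip anything without '='
        esac
        name=${entry%%=*}
        value=${entry#*=}
        case $value in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample block: one variable shaped like the thread's test value,
# plus benign entries (a multi-line value, and "() {" not at the start).
sample_environ() {
    printf 'HOME=/root\0'
    printf 'X=() { (a)=>\\\0'
    printf 'MOTD=line one\nline two\0'
    printf 'NOTE=see () { later\0'
}

# Apply the scan to every readable process on a Linux host (assumes /proc).
# Prints "/proc/<pid>: NAME" for each hit; unreadable entries are skipped.
scan_proc() {
    for f in /proc/[0-9]*/environ; do
        [ -r "$f" ] || continue
        hits=$(scan_environ < "$f" 2>/dev/null) || continue
        [ -n "$hits" ] && printf '%s: %s\n' "${f%/environ}" "$hits"
    done
    return 0
}

# Demo on the constructed sample.
sample_environ | scan_environ
```
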