FS#42112 - [bash] CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix)

Attached to Project: Arch Linux
Opened by Peter Weber (hoschi) - Thursday, 25 September 2014, 09:13 GMT
Last edited by Allan McRae (Allan) - Thursday, 25 September 2014, 11:18 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Hello, the vulnerability is not fixed, as it looks. I didn't review it, but Red Hat believes it is not fixed:


Additional info:
* package version(s): 4.3.024-2
* sources:
https://access.redhat.com/security/cve/CVE-2014-7169 # initially caused by 6271
https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23 # bypass existing fix
http://www.openwall.com/lists/oss-security/2014/09/25/10 # probably a fix, didn't check it


Closed by  Allan McRae (Allan)
Thursday, 25 September 2014, 11:18 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#42109
Comment by Peter Weber (hoschi) - Thursday, 25 September 2014, 09:17 GMT
Bad timing:
https://bugs.archlinux.org/task/42109 # there is also a fix linked, looks more mature
https://bugzilla.novell.com/attachment.cgi?id=606672&action=edit # just as reference
Comment by Philipp (hollunder) - Thursday, 25 September 2014, 09:39 GMT
This demonstrates that the fix is insufficient: https://twitter.com/taviso/status/514887394294652929
Just try this: env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

This is a patch that supposedly removes the whole feature and hence should reliably fix this bug: http://pastebin.com/mT7hY37Z
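The one-liner above only checks the CVE-2014-7169 bypass. The script below is an added example, not part of this bug report or of any Arch package: it wraps that test together with the classic CVE-2014-6271 check so a package can be probed for both bugs in one run. It assumes the bash under test is either on PATH or given as an absolute path in the first argument; the scratch directory is used because a vulnerable bash writes the file named "echo" into the current directory.

```shell
#!/bin/sh
# Added example (not from the bug report): probe a bash binary for the original
# Shellshock bug (CVE-2014-6271) and for the CVE-2014-7169 bypass from the
# comment above. Runs under sh or bash. The binary under test defaults to the
# "bash" found on PATH; pass an absolute path to test another build.

# Prints "vulnerable" if the tested bash still runs a command appended to an
# exported function definition (CVE-2014-6271), else "fixed".
check_cve_2014_6271() {
    bash_bin="${1:-bash}"
    out=$(env X='() { :;}; echo SHELLSHOCK' "$bash_bin" -c ':' 2>/dev/null) || out=""
    case "$out" in
        *SHELLSHOCK*) echo vulnerable ;;
        *)            echo fixed ;;
    esac
}

# Prints "vulnerable" if only the incomplete fix is in place (CVE-2014-7169),
# else "fixed". The malformed body '(a)=>\' leaves a dangling '>' redirection
# plus a line continuation in the parser, so a vulnerable bash reads the -c
# string as ">echo echo vuln" and writes "vuln" into a file named "echo" in
# the current directory. Run it inside a scratch directory and look for that.
check_cve_2014_7169() {
    bash_bin="${1:-bash}"
    tmp=$(mktemp -d) || { echo error; return 1; }
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c "echo echo vuln" >/dev/null 2>&1 )
    if [ -f "$tmp/echo" ] && [ "$(cat "$tmp/echo")" = "vuln" ]; then
        echo vulnerable
    else
        echo fixed
    fi
    rm -rf "$tmp"
}

# Overall verdict for one binary: "not-found", "vulnerable" or "fixed".
shellshock_status() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo not-found; return 0; }
    r1=$(check_cve_2014_6271 "$bash_bin")
    r2=$(check_cve_2014_7169 "$bash_bin")
    if [ "$r1" = vulnerable ] || [ "$r2" = vulnerable ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Report for the binary named on the command line (default: bash on PATH).
bash_under_test="${1:-bash}"
if command -v "$bash_under_test" >/dev/null 2>&1; then
    echo "CVE-2014-6271: $(check_cve_2014_6271 "$bash_under_test")"
    echo "CVE-2014-7169: $(check_cve_2014_7169 "$bash_under_test")"
    echo "overall:       $(shellshock_status "$bash_under_test")"
else
    echo "overall:       not-found ($bash_under_test)"
fi
```

Because each probe reads only what the tested bash produces (stdout for 6271, the dropped file for 7169), the script can be run from any shell, including a bash that is itself vulnerable, without the environment variables leaking into the checker's own process.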
Comment by Peter Weber (hoschi) - Thursday, 25 September 2014, 11:03 GMT
I don't think that Archlinux will remove an entire feature with a security update.

a) non-compatible change, affects users:
awful, breaks applications and is therefore a production show stopper
b) not a major release, by developers:
only a major release can deprecate or even remove features
c) doesn't come from upstream, policy by Arch Linux:
by policy Arch Linux uses vanilla code from upstream; exceptions are only reasonable for absolutely required changes or code which will soon be published by upstream or similar
d) workaround possible, countermeasures:
disable CGI/PHP or similar things
Comment by Allan McRae (Allan) - Thursday, 25 September 2014, 11:17 GMT
Upstream are providing the patches. So we will remove whatever they decide to.

Closing as a duplicate.
