Bug 14167

Summary: bash new security issue CVE-2014-6271
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: alien, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/613004/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: bash-4.2-37.4.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-09-24 17:45:03 CEST 
Debian and RedHat have issued an advisory today (September 24):
https://lists.debian.org/debian-security-announce/2014/msg00220.html
https://rhn.redhat.com/errata/RHSA-2014-1293.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated bash packages fix security vulnerability:

A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-6271).

Bash has been updated version 4.2 patch level 37 to patch level 48 to fix
this issue, as well as several other bugs.  See the upstream patches for
details on the other bugs.

This vulnerability can be exposed and exploited through several other
pieces of software and should be considered highly critical.  Please refer
to the RedHat Knowledge Base article and blog post for more information.

All users and sysadmins are advised to update their bash package immediately.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
https://rhn.redhat.com/errata/RHSA-2014-1293.html
https://access.redhat.com/articles/1200223
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
ftp://ftp.cwru.edu/pub/bash/bash-4.2-patches/
========================

Updated packages in core/updates_testing:
========================
bash-4.2-48.1.mga3
bash-doc-4.2-48.1.mga3
bash-4.2-48.1.mga4
bash-doc-4.2-48.1.mga4

from SRPMS:
bash-4.2-48.1.mga3.src.rpm
bash-4.2-48.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-24 17:45:09 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-09-24 17:47:50 CEST 
PoC: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

With update should get something like..

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 claire robinson 2014-09-24 18:03:38 CEST 
Testing complete mga4 64

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 4 David Walser 2014-09-24 18:07:27 CEST 
FWIW I've confirmed the vulnerability and fix on Mageia 3 i586 and Mageia 4 i586.
Comment 5 claire robinson 2014-09-24 18:07:50 CEST 
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

claire robinson 2014-09-24 18:08:06 CEST

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-09-24 18:12:13 CEST 
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 7 RĂ©mi Verschelde 2014-09-24 18:14:19 CEST 
I can confirm the vulnerability and fix on Cauldron. bash still works as expected as far as I can tell.

CC: (none) => remi

Comment 8 claire robinson 2014-09-24 18:15:57 CEST 
Tested ssh between various hosts also.

Validating. Advisory uploaded.

Could sysadmin please urgently push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

David Walser 2014-09-24 19:06:24 CEST

URL: (none) => http://lwn.net/Vulnerabilities/613004/

Comment 9 Manuel Hiebel 2014-09-24 19:45:51 CEST 
pushed, looks there was an issue with the bot

https://advisories.mageia.org/MGASA-2014-0388.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2014-09-24 19:56:13 CEST 
It wasn't an issue, we delayed the announcement on purpose to allow time for the update to reach the mirrors.
Comment 11 Mageia Robot 2014-09-24 20:42:27 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0388.html
Comment 12 AL13N 2014-09-25 13:31:48 CEST 
apparently the fix isn't complete yet and needs additional or new patching...

Status: RESOLVED => REOPENED
CC: (none) => alien
Resolution: FIXED => (none)

Comment 13 claire robinson 2014-09-25 13:33:26 CEST 
A new bug will be used for the next update.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 14 AL13N 2014-09-26 11:14:00 CEST 
for reference: https://bugs.mageia.org/show_bug.cgi?id=14169