Bug 14239

Summary: bash: final update to fix remaining parser bugs related to shellshock
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: cmrisolde, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/614411/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok MGA3-64-OK MGA4-64-OK MGA4-32-OK
Source RPM: bash-4.2-50.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-10-06 17:47:49 CEST 
First, let me be very clear:

This is not a security update.

See my last comments in the previous bug for more about that, such as:
https://bugs.mageia.org/show_bug.cgi?id=14193#c19

So, the purpose of this update is to fix the remaining known bugs in the parser used when importing functions.  These bugs were assigned CVE-2014-6277 and CVE-2014-6278.  They are only security flaws if you do not have the 4.2-50 or 4.3-27 patch I added in the previous update.  Now, they are simply bugs that should be fixed, but otherwise don't have much of an impact.

Advisory:
----------------------------------------

Bash has been updated to version 4.2 patch level 53, which fixes the last
remaining known bugs in the parser that bash uses when importing functions.

These bugs are known as CVE-2014-6277 and CVE-2014-6278, but they are not
actually exploitable security issues since 4.2 patch level 50, which was
provided as an update in MGASA-2014-0394.

References:
ftp://ftp.cwru.edu/pub/bash/bash-4.2-patches/
http://advisories.mageia.org/MGASA-2014-0394.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
bash-4.2-53.1.mga3
bash-doc-4.2-53.1.mga3
bash-4.2-53.1.mga4
bash-doc-4.2-53.1.mga4

from SRPMS:
bash-4.2-53.1.mga3.src.rpm
bash-4.2-53.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-06 17:47:55 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Rémi Verschelde 2014-10-07 00:30:06 CEST 
I guess this can still be tested with bashcheck: https://github.com/hannob/bashcheck
See bug 14193 for details on how the latest update was tested.

CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 Rémi Verschelde 2014-10-07 00:40:07 CEST 
Testing on Mageia 4 64bit:

== With bash 4.2-50.2 from Core Updates ==
$ ./bashcheck 
Testing /usr/bin/bash ...
GNU bash, Version 4.2.50(1)-release (x86_64-mageia-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Found non-exploitable CVE-2014-6277 (lcamtuf bug #1)
Found non-exploitable CVE-2014-6278 (lcamtuf bug #2)

== With bash 4.2-53.1 from Core Updates Testing ==
$ ./bashcheck 
Testing /usr/bin/bash ...
GNU bash, Version 4.2.53(2)-release (x86_64-mageia-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)


This seems to confirm what Luigi reported in comment 0: this is a bugfix updates for the bugs related to CVE-2014-6277 and 6278, but the actual security vulnerabilities are already prevented by the patches of the current package in Core Updates.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Comment 3 Rémi Verschelde 2014-10-07 00:53:12 CEST 
Testing complete on Mageia 3 64bit.

Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK

Comment 4 Carolyn Rowse 2014-10-07 12:28:09 CEST 
Did the same for Mga4 32 bit, same output.

CC: (none) => cmrisolde

Carolyn Rowse 2014-10-07 12:28:27 CEST

Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK

Comment 5 Carolyn Rowse 2014-10-07 13:09:33 CEST 
Going to look at Mga 32 bit now.
Comment 6 Carolyn Rowse 2014-10-07 13:23:17 CEST 
For Mga3 32 bit I can't get the 4.2.53.1 package to show up on my list.  I added another mirror, the one suggested at the QA meeting, but still nothing.
Comment 7 Rémi Verschelde 2014-10-07 13:28:00 CEST 
I guess you made sure all mirrors were up-to-date with:
# urpmi.update ""
Comment 8 Carolyn Rowse 2014-10-07 13:35:50 CEST 
Yes, I had done it via the graphical menus, but I just tried again from the CLI to be sure, still nothing.
Comment 9 claire robinson 2014-10-07 13:48:37 CEST 
This is either a mirror or media issue Carolyn. I would imagine you haven't configured your Core Updates Testing media as an update media. Please come to IRC if you'd like help.

installing bash-doc-4.2-53.1.mga3.i586.rpm bash-4.2-53.1.mga3.i586.rpm from /var/cache/urpmi/rpms                          
Preparing...                     #######
      1/2: bash                  #######
      2/2: bash-doc              #######
      1/2: removing bash-doc-4.2-50.2.mga3.i586
                                 #######
      2/2: removing bash-4.2-50.2.mga3.i586
                                 #######

Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK MGA4-32-OK

Comment 10 Carolyn Rowse 2014-10-07 14:09:00 CEST 
Oh I see what's happened. I scrolled too far (as I thought) down the list in MCC and now I can see it's listed all the media again at the bottom of the main list after I added the other mirror, so there was another Core Updates Testing that had to be ticked.  Didn't realise it did that.
Comment 11 claire robinson 2014-10-07 18:56:30 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure advisory mga3-32-ok MGA3-64-OK MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2014-10-09 16:06:43 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2014-0180.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 13 Thomas Backlund 2014-10-09 18:43:57 CEST 

Also pushed on Mga infra

CC: (none) => tmb