Debian and RedHat have issued an advisory today (September 24): https://lists.debian.org/debian-security-announce/2014/msg00220.html https://rhn.redhat.com/errata/RHSA-2014-1293.html Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated bash packages fix security vulnerability: A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-6271). Bash has been updated version 4.2 patch level 37 to patch level 48 to fix this issue, as well as several other bugs. See the upstream patches for details on the other bugs. This vulnerability can be exposed and exploited through several other pieces of software and should be considered highly critical. Please refer to the RedHat Knowledge Base article and blog post for more information. All users and sysadmins are advised to update their bash package immediately. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 https://rhn.redhat.com/errata/RHSA-2014-1293.html https://access.redhat.com/articles/1200223 https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ ftp://ftp.cwru.edu/pub/bash/bash-4.2-patches/ ======================== Updated packages in core/updates_testing: ======================== bash-4.2-48.1.mga3 bash-doc-4.2-48.1.mga3 bash-4.2-48.1.mga4 bash-doc-4.2-48.1.mga4 from SRPMS: bash-4.2-48.1.mga3.src.rpm bash-4.2-48.1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
PoC: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" vulnerable this is a test With update should get something like.. $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Direct links to a mirror that already has the packages, for the impatient :o): http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/3/i586/media/core/updates_testing/bash-4.2-48.1.mga3.i586.rpm http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/3/i586/media/core/updates_testing/bash-doc-4.2-48.1.mga3.i586.rpm http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/3/x86_64/media/core/updates_testing/bash-4.2-48.1.mga3.x86_64.rpm http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/3/x86_64/media/core/updates_testing/bash-doc-4.2-48.1.mga3.x86_64.rpm http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates_testing/bash-4.2-48.1.mga4.i586.rpm http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates_testing/bash-doc-4.2-48.1.mga4.i586.rpm http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/bash-4.2-48.1.mga4.x86_64.rpm http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/bash-doc-4.2-48.1.mga4.x86_64.rpm
Testing complete mga4 64 $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
FWIW I've confirmed the vulnerability and fix on Mageia 3 i586 and Mageia 4 i586.
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
I can confirm the vulnerability and fix on Cauldron. bash still works as expected as far as I can tell.
CC: (none) => remi
Tested ssh between various hosts also. Validating. Advisory uploaded. Could sysadmin please urgently push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/613004/
pushed, looks there was an issue with the bot https://advisories.mageia.org/MGASA-2014-0388.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
It wasn't an issue, we delayed the announcement on purpose to allow time for the update to reach the mirrors.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0388.html
apparently the fix isn't complete yet and needs additional or new patching...
Status: RESOLVED => REOPENEDCC: (none) => alienResolution: FIXED => (none)
A new bug will be used for the next update.
Status: REOPENED => RESOLVEDResolution: (none) => FIXED
for reference: https://bugs.mageia.org/show_bug.cgi?id=14169