Bug 14167 - bash new security issue CVE-2014-6271
Summary: bash new security issue CVE-2014-6271
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/613004/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-24 17:45 CEST by David Walser
Modified: 2014-09-26 11:14 CEST (History)
3 users (show)

See Also:
Source RPM: bash-4.2-37.4.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-09-24 17:45:03 CEST
Debian and RedHat have issued an advisory today (September 24):
https://lists.debian.org/debian-security-announce/2014/msg00220.html
https://rhn.redhat.com/errata/RHSA-2014-1293.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated bash packages fix security vulnerability:

A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-6271).

Bash has been updated version 4.2 patch level 37 to patch level 48 to fix
this issue, as well as several other bugs.  See the upstream patches for
details on the other bugs.

This vulnerability can be exposed and exploited through several other
pieces of software and should be considered highly critical.  Please refer
to the RedHat Knowledge Base article and blog post for more information.

All users and sysadmins are advised to update their bash package immediately.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
https://rhn.redhat.com/errata/RHSA-2014-1293.html
https://access.redhat.com/articles/1200223
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
ftp://ftp.cwru.edu/pub/bash/bash-4.2-patches/
========================

Updated packages in core/updates_testing:
========================
bash-4.2-48.1.mga3
bash-doc-4.2-48.1.mga3
bash-4.2-48.1.mga4
bash-doc-4.2-48.1.mga4

from SRPMS:
bash-4.2-48.1.mga3.src.rpm
bash-4.2-48.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-24 17:45:09 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-09-24 17:47:50 CEST
PoC: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

With update should get something like..

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 claire robinson 2014-09-24 18:03:38 CEST
Testing complete mga4 64

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 4 David Walser 2014-09-24 18:07:27 CEST
FWIW I've confirmed the vulnerability and fix on Mageia 3 i586 and Mageia 4 i586.
Comment 5 claire robinson 2014-09-24 18:07:50 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

claire robinson 2014-09-24 18:08:06 CEST

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-09-24 18:12:13 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 7 Rémi Verschelde 2014-09-24 18:14:19 CEST
I can confirm the vulnerability and fix on Cauldron. bash still works as expected as far as I can tell.

CC: (none) => remi

Comment 8 claire robinson 2014-09-24 18:15:57 CEST
Tested ssh between various hosts also.

Validating. Advisory uploaded.

Could sysadmin please urgently push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

David Walser 2014-09-24 19:06:24 CEST

URL: (none) => http://lwn.net/Vulnerabilities/613004/

Comment 9 Manuel Hiebel 2014-09-24 19:45:51 CEST
pushed, looks there was an issue with the bot

https://advisories.mageia.org/MGASA-2014-0388.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2014-09-24 19:56:13 CEST
It wasn't an issue, we delayed the announcement on purpose to allow time for the update to reach the mirrors.
Comment 11 Mageia Robot 2014-09-24 20:42:27 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0388.html
Comment 12 AL13N 2014-09-25 13:31:48 CEST
apparently the fix isn't complete yet and needs additional or new patching...

Status: RESOLVED => REOPENED
CC: (none) => alien
Resolution: FIXED => (none)

Comment 13 claire robinson 2014-09-25 13:33:26 CEST
A new bug will be used for the next update.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 14 AL13N 2014-09-26 11:14:00 CEST
for reference: https://bugs.mageia.org/show_bug.cgi?id=14169

Note You need to log in before you can comment on or make changes to this bug.