Description of problem:
This is a followup on bug 14167 - bash new security issue CVE-2014-6271

The last patch issued by Redhat was incomplete, see https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c27 for more details.

Further references:
https://access.redhat.com/articles/1200223
https://access.redhat.com/security/cve/CVE-2014-7169

Severity: normal => critical
CC: (none) => doktor5000, eeeemail, luigiwalser
CVE: (none) => CVE-2014-7169

URL: (none) => http://lwn.net/Vulnerabilities/613200/
Version: 4 => Cauldron
Whiteboard: (none) => MGA4TOO, MGA3TOO
As bash is included in the initrd, shouldn't installing the update trigger a rebuild of it?
CC: (none) => davidwhodgins
CC: (none) => mageia
I don't believe we have any mechanisms in place to automatically rebuild initrds when things like that are updated. Don't worry though, nobody's injecting any untrusted data into the environment in your initrd :o)
Fixed with bash-4.2-48.2.mga3 & bash-4.2-48.2.mga4. Oh no, I didn't use subrel here, does it matter?
CC: (none) => oe
Pre:

[oden@localhost SPECS]$ LC_ALL=C bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmenteringsfel

Post:

[oden@localhost SPECS]$ LC_ALL=C bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:190/
Testing mga4 64

tl;dr; Does seem to fix the issue, can we confirm which patch was used though please there are some non-upstream patches which may not be the appropriate fix.

bash
bash-doc

Before
------
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri 26 Sep 08:50:02 BST 2014

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault

After
-----
$ rm echo
rm: remove regular file ‘echo’? y

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
Also fixed in cauldron with r724877, needs submission by someone.
this looks like the upstream patch: http://seclists.org/oss-sec/2014/q3/734
CC: (none) => alien
Testing complete mga3 64

I'll get it tested so we're ready to go when we're ready to go.
Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO, MGA3TOO has_procedure mga3-64-ok mga4-64-ok
To clarify. I used the redhat patch from https://rhn.redhat.com/errata/RHSA-2014-1306.html
Testing complete mga3 32 and mga4 32

Mga3 doesn't fail the EOF PoC as mga4 does but both are fixed for the other PoC with the update.

So it currently needs submitting in Cauldron (comment 7) and an advisory for mga3 & 4 and then assigning to QA. It's QA ready to be validated & pushed if we're going ahead with this patch.
Whiteboard: MGA4TOO, MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA4TOO, MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
There's still no new patch upstream. This issue isn't as serious as the original one. We don't need to rush out another incomplete fix.
Is it incomplete? The link that I pasted for upstream patch, that's the developer of bash that's posted that... I'm assuming that's a complete patch?
http://www.openwall.com/lists/oss-security/2014/09/26/8
Chet, the upstream developer posted patches to the list for comment, to see if there's any more issues. It's still under discussion. When he's satisfied with them, he'll officially post them here: ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/ ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/
Upstream has officially uploaded their next patch. I've removed the RedHat patch that Oden added for now, as it conflicts with the new upstream patch. I've pushed the build to Cauldron, as well as Mageia 3 and Mageia 4 updates_testing. There are different patch sets other distros used for this update, and Debian also fixed two other issues which have received CVEs. This will probably need more investigation to determine what we want to push as the next update. I don't have time to look into it further right now, and won't until probably Tuesday. So I won't push to QA officially now, but feel free to test it with known PoCs.
Whiteboard: MGA4TOO, MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure
Version: Cauldron => 4
If you determine the current build fixes the current PoCs and want to push the update now and do a third update next week, I won't object. You can use the advisory at the bottom of this message.

My understanding is that this will fix CVE-2014-1306, but it doesn't include the further hardening against possible future issues due to this feature that other distros have added, which originated from Debian (RedHat apparently used them too), that causes backward incompatible changes in the usage of this feature (the whole BASH_FUNC_ prefix and () suffix you may have seen mentioned elsewhere). Upstream is still considering adopting that change or something like it.

Furthermore, there's also the unrelated CVE-2014-7186 and CVE-2014-7187 issues found during discussion of all this, which Debian and RedHat at least have also patched for, but upstream hasn't addressed yet. Ideally, I'd like to at least get those addressed before pushing another update. I'm not sure the timetable on upstream's next change(s).

Advisory:
========================

Updated bash packages fix security vulnerability:

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169).

Bash has been updated to version 4.2 patch level 49 to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://rhn.redhat.com/errata/RHSA-2014-1306.html
========================

Updated packages in core/updates_testing:
========================
bash-4.2-49.1.mga3
bash-doc-4.2-49.1.mga3
bash-4.2-49.1.mga4
bash-doc-4.2-49.1.mga4

from SRPMS:
bash-4.2-49.1.mga3.src.rpm
bash-4.2-49.1.mga4.src.rpm
Testing mga4 64

This one now segfaults again but the other is still Ok.

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
Testing mga3 32 & 64

Ok. Unchanged from previous patch.

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
mga4 32 is the same as mga4 64.

This does appear to fix the CVE but we'll need to look at the other patches next week and probably update again, as you say. I'd like to get this fix pushed though, thanks.

Validating. Advisory from comment 17 uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Keywords: (none) => validated_update
Assignee: bugsquad => qa-bugs
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0393.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
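
The before/after checks the testers ran by hand in this thread, wrapped into a repeatable regression script. This is an added example, not part of the original bug report or of any Mageia QA tooling; the function names, result strings and the BASH_BIN variable are assumptions of the example. It uses the two PoCs quoted in the comments, runs the CVE-2014-7169 one in a scratch directory so no stray "echo" file is left behind, and detects the here-document crash from the exit status.

```shell
#!/bin/sh
# Added example: regression check for the two PoCs quoted in this thread.
# Pass the bash binary to test as the first argument (defaults to "bash").

# CVE-2014-7169: a vulnerable bash keeps ">\" from the broken function
# import in its parser, so "echo date" runs `date` and writes a file
# named "echo" in the current directory.
check_cve_2014_7169() {
    bash_bin=${1:-bash}
    scratch=$(mktemp -d) || return 2
    # The thread used "sh -c" (sh is bash on Mageia); here bash is called directly.
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c "echo date" ) \
        >/dev/null 2>&1 || :
    if [ -e "$scratch/echo" ]; then
        result=vulnerable
    else
        result=not-vulnerable
    fi
    rm -rf "$scratch"
    echo "$result"
}

# Here-document PoC: the affected builds end with
# "make_here_document: bad instruction type 33" and a segmentation fault.
check_heredoc_crash() {
    bash_bin=${1:-bash}
    status=0
    ( "$bash_bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ) \
        >/dev/null 2>&1 || status=$?
    # A process killed by a signal is reported as 128 + signal (SIGSEGV: 139).
    if [ "$status" -ge 128 ]; then
        echo crashes
    else
        echo no-crash
    fi
}

echo "CVE-2014-7169: $(check_cve_2014_7169 "${BASH_BIN:-bash}")"
echo "here-document: $(check_heredoc_crash "${BASH_BIN:-bash}")"
```

Run it once against the installed package and once after installing the build from updates_testing; a fixed build reports "not-vulnerable" and "no-crash".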