Bug 14169 - bash new security issue CVE-2014-7169
Summary: bash new security issue CVE-2014-7169
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/613200/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-25 14:29 CEST by Florian Hubold
Modified: 2014-09-28 14:18 CEST
CC: 9 users

See Also:
Source RPM: bash-4.2-48.1.mga4.src.rpm
CVE: CVE-2014-7169
Status comment:


Attachments

Description Florian Hubold 2014-09-25 14:29:49 CEST
Description of problem:

This is a followup on bug 14167 - bash new security issue CVE-2014-6271

The last patch issued by Redhat was incomplete, see https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c27 for more details.

Further references:
https://access.redhat.com/articles/1200223
https://access.redhat.com/security/cve/CVE-2014-7169

Reproducible: 

Steps to Reproduce:
Florian Hubold 2014-09-25 14:31:23 CEST

Severity: normal => critical
CC: (none) => doktor5000, eeeemail, luigiwalser
CVE: (none) => CVE-2014-7169

David Walser 2014-09-25 21:26:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/613200/
Version: 4 => Cauldron
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Dave Hodgins 2014-09-26 03:25:23 CEST
As bash is included in the initrd, shouldn't installing the update trigger a
rebuild of it?

CC: (none) => davidwhodgins

Dave Hodgins 2014-09-26 03:26:09 CEST

CC: (none) => mageia

Comment 2 David Walser 2014-09-26 03:54:19 CEST
I don't believe we have any mechanisms in place to automatically rebuild initrds when things like that are updated.  Don't worry though, nobody's injecting any untrusted data into the environment in your initrd :o)
Comment 3 Oden Eriksson 2014-09-26 08:46:32 CEST
Fixed with bash-4.2-48.2.mga3 & bash-4.2-48.2.mga4. Oh no, I didn't use subrel here, does it matter?

CC: (none) => oe

Comment 4 Oden Eriksson 2014-09-26 08:57:44 CEST
Pre:

[oden@localhost SPECS]$ LC_ALL=C bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmenteringsfel

Post:
[oden@localhost SPECS]$ LC_ALL=C bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
Comment 6 claire robinson 2014-09-26 09:57:54 CEST
Testing mga4 64

tl;dr: Does seem to fix the issue. Can we confirm which patch was used though, please? There are some non-upstream patches which may not be the appropriate fix.

bash
bash-doc

Before
------
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri 26 Sep 08:50:02 BST 2014


$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault



After
-----
$ rm echo
rm: remove regular file ‘echo’? y

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory


$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
Comment 7 Oden Eriksson 2014-09-26 10:31:57 CEST
Also fixed in cauldron with r724877, needs submission by someone.
Comment 8 AL13N 2014-09-26 11:40:56 CEST
This looks like the upstream patch: http://seclists.org/oss-sec/2014/q3/734

CC: (none) => alien

Comment 9 claire robinson 2014-09-26 13:21:12 CEST
Testing complete mga3 64

I'll get it tested so we're ready to go when we're ready to go.

Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO, MGA3TOO has_procedure mga3-64-ok mga4-64-ok

Comment 10 Oden Eriksson 2014-09-26 13:35:55 CEST
To clarify: I used the Red Hat patch from https://rhn.redhat.com/errata/RHSA-2014-1306.html
Comment 11 claire robinson 2014-09-26 13:38:34 CEST
Testing complete mga3 32 and mga4 32

Mga3 doesn't fail the EOF PoC as mga4 does but both are fixed for the other PoC with the update.

So it currently needs submitting in Cauldron (comment 7) and an advisory for mga3 & 4 and then assigning to QA. It's QA ready to be validated & pushed if we're going ahead with this patch.

Whiteboard: MGA4TOO, MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA4TOO, MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 12 David Walser 2014-09-26 14:27:53 CEST
There's still no new patch upstream.  This issue isn't as serious as the original one.  We don't need to rush out another incomplete fix.
Comment 13 AL13N 2014-09-26 14:43:24 CEST
Is it incomplete?

The link that I pasted for the upstream patch, that's the developer of bash that's posted that... I'm assuming that's a complete patch?
Comment 14 Sander Lepik 2014-09-26 14:55:19 CEST
http://www.openwall.com/lists/oss-security/2014/09/26/8

CC: (none) => mageia

Comment 15 David Walser 2014-09-26 14:57:22 CEST
Chet, the upstream developer, posted patches to the list for comment, to see if there are any more issues.  It's still under discussion.  When he's satisfied with them, he'll officially post them here:
ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/
Comment 16 David Walser 2014-09-27 00:06:08 CEST
Upstream has officially uploaded their next patch.

I've removed the RedHat patch that Oden added for now, as it conflicts with the new upstream patch.  I've pushed the build to Cauldron, as well as Mageia 3 and Mageia 4 updates_testing.

There are different patch sets other distros used for this update, and Debian also fixed two other issues which have received CVEs.  This will probably need more investigation to determine what we want to push as the next update.  I don't have time to look into it further right now, and won't until probably Tuesday.  So I won't push to QA officially now, but feel free to test it with known PoCs.

Whiteboard: MGA4TOO, MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure
Version: Cauldron => 4

Comment 17 David Walser 2014-09-27 00:31:55 CEST
If you determine the current build fixes the current PoCs and want to push the update now and do a third update next week, I won't object.

You can use the advisory at the bottom of this message.

My understanding is that this will fix CVE-2014-1306, but it doesn't include the further hardening against possible future issues due to this feature that other distros have added, which originated from Debian (RedHat apparently used them too), which causes backward-incompatible changes in the usage of this feature (the whole BASH_FUNC_ prefix and () suffix you may have seen mentioned elsewhere).  Upstream is still considering adopting that change or something like it.

Furthermore, there are also the unrelated CVE-2014-7186 and CVE-2014-7187 issues found during discussion of all this, which Debian and RedHat at least have also patched for, but upstream hasn't addressed yet.  Ideally, I'd like to at least get those addressed before pushing another update.  I'm not sure of the timetable for upstream's next change(s).

Advisory:
========================

Updated bash packages fix security vulnerability:

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit this
issue (CVE-2014-7169).

Bash has been updated to version 4.2 patch level 49 to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
https://rhn.redhat.com/errata/RHSA-2014-1306.html
========================

Updated packages in core/updates_testing:
========================
bash-4.2-49.1.mga3
bash-doc-4.2-49.1.mga3
bash-4.2-49.1.mga4
bash-doc-4.2-49.1.mga4

from SRPMS:
bash-4.2-49.1.mga3.src.rpm
bash-4.2-49.1.mga4.src.rpm
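As an added example, not code from this bug thread, from Mageia QA or from the bash project: a small POSIX shell check that a tester could run against a candidate bash build instead of eyeballing the output by hand. It runs the two PoCs quoted earlier in this bug (the crafted `X` variable, for which the tell-tale is a file named `echo` appearing in the working directory, and the nested here-document crash, for which the tell-tale is bash dying from a signal) inside a temporary directory and reports a one-word result per check. It also reports the environment-variable name the build uses for an exported function, which is how to tell whether a build carries the `BASH_FUNC_` prefix / `()` suffix hardening discussed in comment 17. `BASH_BIN` is an assumption (the bash under test, defaulting to the one on `PATH`), and the `probe` function name is made up for the check.

```shell
#!/bin/sh
# Added example (not from the Mageia bug thread or the bash project): a QA-style
# check that runs the two PoCs quoted in this bug against one bash binary.
# Assumption: BASH_BIN names the bash under test (default: the one on PATH).
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-7169 check. With the fix, "echo date" just prints "date"; on an
# unfixed build the characters leaked from the crafted X variable turn the
# command into a redirection and a file named "echo" appears in the cwd.
# Everything happens in a throw-away directory so nothing is left behind.
check_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=fixed; fi
    rm -rf "$dir"
    echo "$result"
}

# Nested here-document check (the "bad instruction type 33" crash quoted above).
# An exit status of 128 or more means bash died from a signal (139 = SIGSEGV);
# a fixed build only prints warnings and exits 0.
check_heredoc() {
    "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 && rc=0 || rc=$?
    if [ "$rc" -ge 128 ]; then echo "crash (exit $rc)"; else echo ok; fi
}

# Report the environment-variable name bash uses for an exported function
# ("probe" is a made-up name). Pre-hardening builds export it as plain
# "probe=() {...}"; builds with the hardening discussed in comment 17 use
# "BASH_FUNC_probe%%" (upstream) or "BASH_FUNC_probe()" (Red Hat/Debian style).
exported_function_name() {
    "$BASH_BIN" -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
        | grep -E '^(BASH_FUNC_)?probe(%%|\(\))?=\(\)' | cut -d= -f1
}

# Stand-alone run: one line per check.
main() {
    echo "bash under test : $("$BASH_BIN" --version 2>/dev/null | head -n 1)"
    echo "CVE-2014-7169   : $(check_7169)"
    echo "here-doc crash  : $(check_heredoc)"
    echo "exported fn name: $(exported_function_name)"
}
main
```

Run it as `BASH_BIN=/path/to/candidate/bash sh check.sh` to test a build that is not the system shell; the `exported fn name` line is the quickest way to see whether the candidate package is the plain upstream patch (still `probe`) or one of the hardened variants.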
Comment 18 claire robinson 2014-09-27 12:32:51 CEST
Testing mga4 64

This one now segfaults again but the other is still Ok.

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
Segmentation fault

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory
Comment 19 claire robinson 2014-09-27 12:40:27 CEST
Testing mga3 32 & 64

Ok. Unchanged from previous patch.

$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')


$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
date
cat: echo: No such file or directory

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 20 claire robinson 2014-09-27 12:57:02 CEST
mga4 32 is the same as mga4 64. This does appear to fix the CVE but we'll need to look at the other patches next week and probably update again, as you say. I'd like to get this fix pushed though, thanks.


Validating. Advisory from comment 17 uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Keywords: (none) => validated_update
Assignee: bugsquad => qa-bugs
CC: (none) => sysadmin-bugs

Comment 21 Mageia Robot 2014-09-28 14:18:04 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0393.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

