Hello. Look like Mageia 4 is vulnerable to CVE-2014-7186 (redir_stack bug). Details about 7186: * http://seclists.org/oss-sec/2014/q3/712 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 * https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 Checking with bashchecker: https://github.com/hannob/bashcheck/blob/master/bashcheck [xxblx@localhost ~]$ LC_ALL=C ./bashcheck bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) ./bashcheck: line 18: 5228 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null Vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug) Checking without bashchecker script: bash -c "true $(printf '<<EOF %.0s' {1..79})" 2>/dev/null If segfault then vulnerable to CVE-2014-7186. p.s. tested on Mageia 4 i586 fully updated. Reproducible: Steps to Reproduce:
Known issue, on our TODO list. Other possible ones are CVE-2014-6277 and CVE-2014-7187, cited here: https://rhn.redhat.com/errata/RHSA-2014-1306.html http://openwall.com/lists/oss-security/2014/09/26/2 There's also a reported regression from the last bash updates, supposedly fixed with another upstream patch.
Summary: CVE-2014-7186 (redir_stack bug) => bash new security issues CVE-2014-6277, CVE-2014-7186, CVE-2014-7187
URL: (none) => http://lwn.net/Vulnerabilities/614052/
Note to QA for later, some resources for PoCs for various bash issues are linked in these messages: http://openwall.com/lists/oss-security/2014/09/27/17 http://openwall.com/lists/oss-security/2014/09/29/25
CC: (none) => luigiwalser, qa-bugs
There's also CVE-2014-6278: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6278
Summary: bash new security issues CVE-2014-6277, CVE-2014-7186, CVE-2014-7187 => bash new security issues CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187
I've updated to the latest upstream (4.2-50 and 4.3-27) for Mageia 3/4 and Cauldron, which adds the backward-incompatible prefix/suffix additions, similar to what several other distros did in their second bash update, so we'll have to add references to the advisory about that. This should also mitigate CVE-2014-627[78] and any further similar issues, such that they can't be exploited. Hopefully upstream will have patches for CVE-2014-718[67] this week. Otherwise I'll have to look at the patches other distros used for those when I get a chance. I've pushed the 4.2-50 to updates_testing, but not pushing to QA yet until CVE-2014-718[67] have been addressed.
Nevermind, I'm not waiting: http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html I've added the patch Fedora used for CVE-2014-7186/CVE-2014-7187, which gets us back up to date with RedHat and most other distros' updates. Advisory coming. Fixed package versions: bash-4.3-27.2.mga5 bash-4.2-50.2.mga4 bash-4.2-50.2.mga3
Severity: normal => criticalCC: qa-bugs => (none)Assignee: bugsquad => qa-bugs
Advisory: ======================== Updated bash packages fix security vulnerabilities: Bash has been updated to version 4.2 patch level 50, which further mitigates ShellShock-type vulnerabilities. Two such issues have already been discovered (CVE-2014-6277, CVE-2014-6278). See the RedHat article on the backward-incompatible changes introduced by the latest patch, caused by adding prefixes and suffixes to the variable names used for exporting functions. Note that the RedHat article mentions these variable names will have parentheses "()" at the end of their names, however, the latest upstream patch uses two percent signs "%%" at the end instead. Two other unrelated security issues in the parser have also been fixed in this update (CVE-2014-7186, CVE-2014-7187). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 https://access.redhat.com/articles/1200223 https://rhn.redhat.com/errata/RHSA-2014-1306.html ======================== Updated packages in core/updates_testing: ======================== bash-4.2-50.2.mga3 bash-doc-4.2-50.2.mga3 bash-4.2-50.2.mga4 bash-doc-4.2-50.2.mga4 from SRPMS: bash-4.2-50.2.mga3.src.rpm bash-4.2-50.2.mga4.src.rpm
Addendum; I meant to also add these to the References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6277 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6278
Source RPM: (none) => bash
CC: (none) => remiSource RPM: bash => bash-4.2-49.1.mga4
PoC's: CVE-2014-7186 $ bash -c "true $(printf '<<EOF %.0s' {1..16})" bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: warning: here-document at line 2 delimited by end-of-file (wanted `EOF') bash: line 2: make_here_document: bad instruction type 33 Segmentation fault CVE-2014-7187 $ (for x in {1..2000} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno" bash: line 909: syntax error near unexpected token `newline' bash: line 909: `for x909 in ; do :' CVE-2014-7187 vulnerable, word_lineno CVE-2014-6278 foo='() { echo not patched; }' bash -c foo not patched Still looking for PoC for CVE-2014-6277
https://github.com/mubix/shellshocker-pocs
CC: (none) => oe
Tested Mageia 3 32bit and 64bit with bashcheck from https://github.com/hannob/bashcheck It seems Mageia 3 is not vulnerable at all to CVE-2014-7186 (or reports a false negative). I've check with bash-4.2-37.4 to make sure. Tested with bashcheck from https://github.com/hannob/bashcheck Before: ======= $ rpm -qa | grep bash bash-4.2-49.1.mga3 $ ./bashcheck bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) Not vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug) $ foo='() { echo "CVE-2014-6277 vulnerable"; }' bash -c foo CVE-2014-6277 vulnerable After: ====== $ rpm -qa | grep bash bash-4.2-50.2.mga3 $ ./bashcheck Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) Not vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser inactive, likely safe from unknown parser bugs $ $ foo='() { echo "CVE-2014-6277 vulnerable"; }' bash -c foo bash: foo: command not found.
Whiteboard: (none) => MGA3TOO MGA3-32-OK MGA3-64-OK
Testing complete mga4 64 7187 appears not vulnerable with the current test until the loop count is increased, but then it shows the same output with the patch applied too. I think this is a problem with the test rather than the patch though. ie. "Test for CVE-2014-7187 not reliable without address sanitizer" $ bash -c "true $(printf '<<EOF %.0s' {1..16})" bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF') $ foo='() { echo not patched; }' bash -c foo bash: foo: command not found
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK mga4-64-ok
Testing complete mga4 32 Bashcheck shows the address sanitiser is deactivated in the update for 7187. $ ./bashcheck bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) ./bashcheck: line 18: 6752 Segmentation fault bash -c "true $(printf '<<EOF %.0s' {1..16})" 2> /dev/null Vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug) After ----- $ ./bashcheck Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) Not vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser inactive, likely safe from unknown parser bugs $ foo='() { echo not patched; }' bash -c foo bash: foo: command not found
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK mga4-64-ok => MGA3TOO MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please urgently push to 3 & 4 updates Thanks to all involved for getting this out quickly
Keywords: (none) => validated_updateWhiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok => MGA3TOO advisory MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0394.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
CVE-2014-6277 and CVE-2014-6278 do not seem to be fixed, according to bashcheck, the author just added the checks for those a few hours ago: [doktor5000@Mageia4 ~]$ rpm -q bash bash-4.2-50.2.mga4 [doktor5000@Mageia4 ~]$ ./bashcheck.sh Testing /usr/bin/bash ... GNU bash, Version 4.2.50(1)-release (x86_64-mageia-linux-gnu) Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) Not vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer _Vulnerable to CVE-2014-6277 (lcamtuf bug #1) [no patch]_ _Vulnerable to CVE-2014-6278 (lcamtuf bug #2) [prefix/%%-suffix]_
Status: RESOLVED => REOPENEDCC: (none) => doktor5000Resolution: FIXED => (none)
LWN reference for CVE-2014-6277 and CVE-2014-6278: http://lwn.net/Vulnerabilities/614411/ Note that upstream has said there will be real fixes for these soon (as this update only mitigates them to make it harder or maybe impossible to exploit them remotely in practice): http://openwall.com/lists/oss-security/2014/10/01/18
Please don't reopen this bug. We'll do new updates when the new patches are available.
Status: REOPENED => RESOLVEDResolution: (none) => FIXED
Note that the bash one-liners that you run *within bash* to check for these CVEs are irrelevant to the concern of whether they're actually *remotely* exploitable (and thus, an actual security vulnerability).
Just so you know I'm not making this up, see this message, as well as the ones that follow after it in the thread: http://openwall.com/lists/oss-security/2014/10/02/5