Univention Bugzilla – Bug 36003
bash: Missing sanitising (3.1)
Last modified: 2014-12-11 08:08:11 CET
Please make a backport for UCS 3.1.

+++ This bug was initially created as a clone of Bug #35992 +++

CVE-2014-6271

Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.

Additional writeup: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Additionally there are two out-of-bounds array accesses in the bash parser, which were revealed in Red Hat's internal analysis for these issues and also independently reported by Todd Sabin:

CVE-2014-7186
Parser can allow out-of-bounds memory access while handling redir_stack.

CVE-2014-7187
Off-by-one error in deeply nested flow control constructs.
squeeze-lts version (4.1-3+deb6u2) built.
Tests (amd64, i386): OK
Advisory: 2014-09-24-bash.yaml
OK - amd64/i386
-> env x='() { :;}; echo vulnerable' bash -c 'echo hello'
hello
OK - reboot/boot still works
OK - YAML
http://errata.univention.de/ucs/3.1/233.html
This update also fixed CVE-2014-6277 and CVE-2014-6278