Bug 36008 - bash: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.2
Hardware: Other
OS: Linux
Importance: P3 normal
Target Milestone: UCS 3.2-3-errata
Assigned To: Janek Walkenhorst
QA Contact: Felix Botner
Reported: 2014-09-26 11:56 CEST by Janek Walkenhorst
Modified: 2014-09-26 17:57 CEST (History)
Description Janek Walkenhorst univentionstaff 2014-09-26 11:56:21 CEST
+++ This bug was initially created as a clone of Bug #35992 +++
> Added patch for CVE-2014-7169
Upstream's patch for the issue was extended to modify another file too.
We should follow the patch from upstream.


Additionally there are two out-of-bounds array accesses in the bash parser, which were revealed in Red Hat's internal analysis for these issues and also independently reported by Todd Sabin:

CVE-2014-7186
Parser can allow out-of-bounds memory access while handling redir_stack.

CVE-2014-7187
Off-by-one error in deeply nested flow control constructs.
Comment 1 Janek Walkenhorst univentionstaff 2014-09-26 13:14:38 CEST
(In reply to Janek Walkenhorst from comment #0)
> +++ This bug was initially created as a clone of Bug #35992 +++
> > Added patch for CVE-2014-7169
> Upstream's patch for the issue was extended to modify another file too.
> We should follow the patch from upstream.
This has no effect: the y.tab.c file (currently not patched) is generated from the parse.y file (currently patched) during the build of the package.
(The y.tab.c file is in fact removed when unpacking the upstream source archive.)

Thus the fix for CVE-2014-7169 is already complete with Bug #35992.

CVE-2014-7186 and CVE-2014-7187 still need fixing.
Comment 2 Janek Walkenhorst univentionstaff 2014-09-26 14:37:08 CEST
squeeze-lts version (4.1-3+deb6u2) built.
Tests (amd64, i386): OK
Advisory: 2014-09-26-bash.yaml
Comment 3 Felix Botner univentionstaff 2014-09-26 14:48:36 CEST
OK - amd64/i386

-> env x='() { :;}; echo vulnerable' bash -c 'echo hello'
hello

OK - reboot/boot still works

OK - YAML
Comment 4 Janek Walkenhorst univentionstaff 2014-09-26 17:57:29 CEST
http://errata.univention.de/ucs/3.2/217.html
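The QA step in comment 3 exercises only the original CVE-2014-6271 string, while this bug also covers CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187. The script below is an added example, not part of the bug report or of Univention's packaging, that runs the public reproducers for all four issues against a bash binary so that a verifier can show each issue is closed rather than only that the shell still starts. The BASH_BIN variable is an assumption (it defaults to the bash found on PATH); the check_* names and run_all_checks are likewise introduced here.

```shell
#!/bin/sh
# Added example (not from the bug report or from Univention): run the public
# reproducers for the four bash CVEs named on this page against a bash binary.
# Each check_* function returns 0 when the binary is NOT vulnerable and 1 when
# it is; run_all_checks returns the number of vulnerable results.
# BASH_BIN is an assumed knob, e.g. BASH_BIN=/opt/old/bin/bash sh check.sh

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: commands trailing a function definition in an exported
# variable were executed while the environment was imported. This is the
# same test as in comment 3; a fixed bash prints only "hello".
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo hello' 2>/dev/null) || :
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the first fix left parser state behind after a malformed
# definition, so the "\" and ">" leaked into the next command and turned
# "echo date" into a redirection that wrote date's output to a file named
# "echo". Run it in a scratch directory and look for that file.
check_7169() {
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1 || :
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# CVE-2014-7186: more than a dozen here-documents on one command overran
# redir_stack in the parser. A fixed bash only warns about the unterminated
# here-documents and runs "true" (exit 0); a vulnerable one crashes.
check_7186() {
    redirs=""
    i=0
    while [ "$i" -lt 14 ]; do
        redirs="$redirs <<EOF"
        i=$((i + 1))
    done
    if "$BASH_BIN" -c "true$redirs" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# CVE-2014-7187: off-by-one in the parser's bookkeeping for deeply nested
# flow-control constructs. Build 200 nested "for" loops with empty word lists
# (each body runs zero times) and feed them on stdin; a fixed bash parses
# and exits 0, a vulnerable one crashes.
check_7187() {
    script=""
    i=0
    while [ "$i" -lt 200 ]; do
        script="$script
for v$i in ; do :"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 200 ]; do
        script="$script
done"
        i=$((i + 1))
    done
    if printf '%s\n' "$script" | "$BASH_BIN" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# Run every check, print a one-line verdict each and return the number of
# vulnerable results (0 means the binary passed all four).
run_all_checks() {
    vulnerable=0
    for cve in 6271 7169 7186 7187; do
        if "check_$cve"; then
            echo "CVE-2014-$cve: not vulnerable"
        else
            echo "CVE-2014-$cve: VULNERABLE"
            vulnerable=$((vulnerable + 1))
        fi
    done
    return "$vulnerable"
}

run_all_checks
```

Point BASH_BIN at the binary from the rebuilt package (or at a chroot's bash) rather than at the shell running the script, otherwise the check only proves something about the host. The 7169 check deliberately runs in a fresh temporary directory because a vulnerable bash writes a file into the current directory.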