Univention Bugzilla – Bug 36008
bash: Multiple issues (3.2)
Last modified: 2014-09-26 17:57:29 CEST
+++ This bug was initially created as a clone of Bug #35992 +++

> Added patch for CVE-2014-7169

Upstream's patch for the issue was extended to modify another file too.
We should follow the patch from upstream.

Additionally there are two out-of-bounds array accesses in the bash parser, which were revealed in Red Hat's internal analysis for these issues and also independently reported by Todd Sabin:

CVE-2014-7186 Parser can allow out-of-bounds memory access while handling redir_stack.
CVE-2014-7187 Off-by-one error in deeply nested flow control constructs.

(In reply to Janek Walkenhorst from comment #0)
> +++ This bug was initially created as a clone of Bug #35992 +++
>
> Added patch for CVE-2014-7169
> Upstream's patch for the issue was extended to modify another file too.
> We should follow the patch from upstream.

This has no effect: The y.tab.c (currently not patched) is generated from the parse.y (currently patched) file during the build of the package. (The y.tab.c file is in fact removed when unpacking the upstream source archive.)
Thus the fix for CVE-2014-7169 is already complete with Bug #35992.

CVE-2014-7186 and CVE-2014-7187 still need fixing.

squeeze-lts version (4.1-3+deb6u2) built.
Tests (amd64, i386): OK
Advisory: 2014-09-26-bash.yaml

OK - amd64/i386
  -> env x='() { :;}; echo vulnerable' bash -c 'echo hello'
  hello
OK - reboot/boot still works
OK - YAML

http://errata.univention.de/ucs/3.2/217.html