Bug 35992

Summary: bash: Missing sanitising (3.2)
Product: UCS
Reporter: Moritz Muehlenhoff <jmm>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P3
CC: gohmann, michelsmidt, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-3-errata
Hardware: Other
OS: Linux
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 36040

Description Moritz Muehlenhoff univentionstaff 2014-09-24 17:53:15 CEST
CVE-2014-6271

Stephane Chazelas discovered a vulnerability in bash, the GNU
Bourne-Again Shell, related to how environment variables are
processed.  In many common configurations, this vulnerability is
exploitable over the network, especially if bash has been configured
as the system shell.

Additional writeup: 
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Comment 1 Moritz Muehlenhoff univentionstaff 2014-09-25 11:38:46 CEST
A regression was found in the initial fix. Updated patch:

*** ../bash-20140912/parse.y    2014-08-26 15:09:42.000000000 -0400
--- parse.y     2014-09-24 22:47:28.000000000 -0400
***************
*** 2959,2962 ****
--- 2959,2964 ----
    word_desc_to_read = (WORD_DESC *)NULL;

+   eol_ungetc_lookahead = 0;
+
    current_token = '\n';               /* XXX */
    last_read_token = '\n';
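Review bot: the added `eol_ungetc_lookahead = 0;` is the one reset in this hunk that says nothing about why it is there, while the neighbouring `current_token = '\n';` and `last_read_token = '\n';` at least carry the `/* XXX */` marker; since this line exists only because of the regression in the initial fix that comment 1 refers to, add a one-line comment stating that lookahead state must not survive this reset, otherwise a later cleanup of parse.y may drop it as redundant. The hunk would also be easier to match against the advisory if the identifier later assigned to the regression were recorded alongside it.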
Comment 2 Janek Walkenhorst univentionstaff 2014-09-25 12:17:49 CEST
(In reply to Moritz Muehlenhoff from comment #1)
> A regression was found in the initial fix.
This is known as CVE-2014-7169
Comment 3 Janek Walkenhorst univentionstaff 2014-09-25 13:33:23 CEST
Imported 4.1-3+deb6u1 from squeeze-lts for CVE-2014-6271
Added patch for CVE-2014-7169
Advisory: 2014-09-24-bash.yaml
Tests (amd64/i386): OK
Comment 4 Felix Botner univentionstaff 2014-09-25 13:40:49 CEST
OK - installation on amd64/i386

-> env x='() { echo a ;}; echo vulnerable' bash -c "x; echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'.
bash: x: command not found.
this is a test

-> env x='() { echo a ;}' bash -c "x; echo this is a test"
a
this is a test

OK - YAML
Comment 5 Janek Walkenhorst univentionstaff 2014-09-25 14:32:40 CEST
http://errata.univention.de/ucs/3.2/213.html
Comment 6 Moritz Muehlenhoff univentionstaff 2014-09-26 12:26:00 CEST
This update also fixed CVE-2014-7186 and CVE-2014-7187, two side aspects of the initial vulnerability. One is an out-of-bounds access in redir_stack and the other one an off-by-one in loop handling.
Comment 7 Janek Walkenhorst univentionstaff 2014-09-26 12:31:57 CEST
(In reply to Moritz Muehlenhoff from comment #6)
> This update also fixed CVE-2014-7186 and CVE-2014-7187, two side aspects of the
> initial vulnerability. One is an out-of-bounds access in redir_stack and the
> other one an off-by-one in loop handling.
These are as of yet unfixed, tracked at Bug #36008.
Comment 8 Moritz Muehlenhoff univentionstaff 2014-09-26 12:36:56 CEST
(In reply to Janek Walkenhorst from comment #7)
> (In reply to Moritz Muehlenhoff from comment #6)
> > This update also fixed CVE-2014-7186 and CVE-2014-7187, two side aspects of the
> > initial vulnerability. One is an out-of-bounds access in redir_stack and the
> > other one an off-by-one in loop handling.
> These are as of yet unfixed, tracked at Bug #36008.

Did you use the squeeze-lts fix? It has these already fixed.
Comment 9 Janek Walkenhorst univentionstaff 2014-09-26 12:45:36 CEST
(In reply to Moritz Muehlenhoff from comment #8)
> Did you use the squeeze-lts fix? It has these already fixed.
The current 3.2 fix is based on 4.1-3+deb6u1 from squeeze-lts.
In squeeze-lts the current version is 4.1-3+deb6u2 which fixes the additional issues too.
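The manual test in comment 4 only covers CVE-2014-6271; comments 1 to 3 and 6 to 9 name three further bash issues (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) that a host updated from a deb6u1-based package may or may not have. The following script is an added example, not part of this bug record, of Univention's or Debian's packaging, or of any upstream test suite: it wraps the widely circulated one-liner checks for those four CVEs so that each reports a fixed string and a host can be re-tested after the errata update. It assumes a `bash` binary on PATH (otherwise every check reports "skipped") and a working `mktemp -d`, because the CVE-2014-7169 check has to run in a scratch directory where an unfixed bash creates a stray file.

```shell
#!/bin/sh
# Added example, not part of this bug record, of Univention's or Debian's
# packaging, or of any upstream test suite. It wraps the widely circulated
# one-liner checks for the four bash CVEs discussed in this bug so that a
# host can be re-tested after the errata update and each check reports a
# fixed string ("vulnerable", "not vulnerable" or "skipped") instead of
# relying on the reader to interpret bash's warnings.
# Assumptions: a `bash` binary is on PATH (otherwise every check reports
# "skipped") and `mktemp -d` is available, because the CVE-2014-7169 check
# must run inside a scratch directory where a stray file would be created.

have_bash() { command -v bash >/dev/null 2>&1; }

# CVE-2014-6271: commands appended to a function definition in an exported
# variable must not run when bash imports that variable (same test as in
# comment 4 above; a fixed bash only warns on stderr).
check_cve_2014_6271() {
    have_bash || { echo skipped; return 0; }
    out6271=$(env x='() { echo a ;}; echo vulnerable' \
              bash -c 'echo this is a test' 2>/dev/null) || true
    case "$out6271" in
        *vulnerable*) echo vulnerable ;;
        *)            echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169: the regression in the first fix let parser state left over
# from a malformed function body carry into the next command, so that
# `echo date` is executed as a redirection and a file named "echo" appears
# in the current directory. Run in a scratch directory and look for it.
check_cve_2014_7169() {
    have_bash || { echo skipped; return 0; }
    tmp7169=$(mktemp -d) || { echo skipped; return 0; }
    ( cd "$tmp7169" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$tmp7169/echo" ]; then
        res7169=vulnerable
    else
        res7169="not vulnerable"
    fi
    rm -rf "$tmp7169"
    echo "$res7169"
}

# CVE-2014-7186: more than a dozen pending here-documents overrun
# redir_stack in the parser; an unfixed bash is killed by a signal and
# exits non-zero, a fixed one only warns about the unterminated documents.
check_cve_2014_7186() {
    have_bash || { echo skipped; return 0; }
    if bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1; then
        echo "not vulnerable"
    else
        echo vulnerable
    fi
}

# CVE-2014-7187: the off-by-one in loop handling is reached by nesting
# `for` loops deeply enough; 200 levels of loops over an empty list are
# harmless for a fixed bash (no body ever runs) but crash an unfixed one.
check_cve_2014_7187() {
    have_bash || { echo skipped; return 0; }
    script7187=$(
        i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
        i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
    )
    if printf '%s\n' "$script7187" | bash >/dev/null 2>&1; then
        echo "not vulnerable"
    else
        echo vulnerable
    fi
}

# Human-readable summary, one line per CVE.
shellshock_report() {
    printf 'CVE-2014-6271: %s\n' "$(check_cve_2014_6271)"
    printf 'CVE-2014-7169: %s\n' "$(check_cve_2014_7169)"
    printf 'CVE-2014-7186: %s\n' "$(check_cve_2014_7186)"
    printf 'CVE-2014-7187: %s\n' "$(check_cve_2014_7187)"
}

shellshock_report
```

Run it as an unprivileged user on the host under test; the script only spawns short-lived `bash -c` processes and writes nothing outside its own temporary directory. A report showing "not vulnerable" for CVE-2014-6271 but "vulnerable" for CVE-2014-7169, CVE-2014-7186 or CVE-2014-7187 is exactly the state comments 7 to 9 describe for a package built from 4.1-3+deb6u1 rather than 4.1-3+deb6u2.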
Comment 10 Moritz Muehlenhoff univentionstaff 2014-12-11 08:08:05 CET
This update also fixed CVE-2014-6277 and CVE-2014-6278