Univention Bugzilla – Full Text Bug Listing
Summary: | bash: Missing sanitising (3.2) | ||
---|---|---|---|
Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
Component: | Security updates | Assignee: | Janek Walkenhorst <walkenhorst> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P3 | CC: | gohmann, michelsmidt, walkenhorst |
Version: | UCS 3.2 | ||
Target Milestone: | UCS 3.2-3-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Bug Blocks: | 36040 |
Description
Moritz Muehlenhoff
2014-09-24 17:53:15 CEST
A regression was found in the initial fix. Updated patch:
*** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400 --- parse.y 2014-09-24 22:47:28.000000000 -0400 *************** *** 2959,2962 **** --- 2959,2964 ---- word_desc_to_read = (WORD_DESC *)NULL; + eol_ungetc_lookahead = 0; + current_token = '\n'; /* XXX */ last_read_token = '\n';

(In reply to Moritz Muehlenhoff from comment #1)
> A regression was found in the initial fix.
This is known as CVE-2014-7169

Imported 4.1-3+deb6u1 from squeeze-lts for CVE-2014-6271
Added patch for CVE-2014-7169
Advisory: 2014-09-24-bash.yaml

Tests (amd64/i386): OK

OK - installation on amd64/i386
-> env x='() { echo a ;}; echo vulnerable' bash -c "x; echo this is a test"
bash: Warnung: x: ignoring function definition attempt
bash: Fehler beim Importieren der Funktionsdefinition für `x'.
bash: x: Kommando nicht gefunden.
this is a test
-> env x='() { echo a ;}' bash -c "x; echo this is a test"
a
this is a test
OK - YAML

This update also fixed CVE-2014-7186 CVE-2014-7187, two side aspects of the initial vulnerability. One is an out-of-bounds access in redir_stack and the other one an off-by-one in loop handling.

(In reply to Moritz Muehlenhoff from comment #6)
> This update also fixed CVE-2014-7186 CVE-2014-7187, two side aspects of the
> initial vulnerability. One is an out-of-bounds access in redir_stack and the
> other one an off-by-one in loop handling.
These are as of yet unfixed, tracked at Bug #36008.

(In reply to Janek Walkenhorst from comment #7)
> (In reply to Moritz Muehlenhoff from comment #6)
> > This update also fixed CVE-2014-7186 CVE-2014-7187, two side aspects of the
> > initial vulnerability. One is an out-of-bounds access in redir_stack and the
> > other one an off-by-one in loop handling.
> These are as of yet unfixed, tracked at Bug #36008.
Did you use the squeeze-lts fix? It has these already fixed.

(In reply to Moritz Muehlenhoff from comment #8)
> Did you use the squeeze-lts fix? It has these already fixed.
The current 3.2 fix is based on 4.1-3+deb6u1 from squeeze-lts. In squeeze-lts the current version is 4.1-3+deb6u2 which fixes the additional issues too.

This update also fixed CVE-2014-6277 and CVE-2014-6278
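
Review bot: the `/* XXX */` marker on the added `current_token = '\n';` line in the parse.y hunk at 2959 flags something unresolved without saying what it is. Replace it with a comment stating why the token is forced to a newline next to `last_read_token = '\n';`, and add a word on why `eol_ungetc_lookahead` has to be cleared at the same point, so the next reader of this reset code knows which parser state the fix depends on.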