Bug 36040

Summary: bash: Missing sanitising (4.0)
Product: UCS
Reporter: Stefan Gohmann <gohmann>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Philipp Hahn <hahn>
Severity: normal
Priority: P3
CC: gohmann, jmm, michelsmidt, najjar, walkenhorst
Version: UCS 4.0
Keywords: interim-2
Target Milestone: UCS 4.0
Hardware: Other
OS: Linux
Bug Depends on: 35992    
Bug Blocks:    

Description Stefan Gohmann univentionstaff 2014-10-02 11:03:33 CEST
Please merge the current bash patches to UCS 4.

+++ This bug was initially created as a clone of Bug #35992 +++

CVE-2014-6271

Stephane Chazelas discovered a vulnerability in bash, the GNU
Bourne-Again Shell, related to how environment variables are
processed.  In many common configurations, this vulnerability is
exploitable over the network, especially if bash has been configured
as the system shell.

Additional writeup: 
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Comment 1 Philipp Hahn univentionstaff 2014-10-06 09:55:35 CEST
OK: CVE-2014-6271 CVE-2014-7169
OK: zless /usr/share/doc/bash/changelog.Debian.gz
OK: dpkg-query -W bash # 4.2+dfsg-0.1.46.201410021458
OK: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
OK: cd /tmp;rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date";cat /tmp/echo
OK: amd64/bash_4.2+dfsg-0.1.46.201410021458_amd64.deb
OK:  i386/bash_4.2+dfsg-0.1.46.201410021458_i386.deb
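The two QA checks from Comment 1, wrapped as a small POSIX sh script that reports whether a given bash binary is patched for CVE-2014-6271 and CVE-2014-7169 (added example, not part of the bug report; BASH_BIN is an assumed variable naming the bash to test, defaulting to the one on PATH):

```shell
#!/bin/sh
# Added example, not part of the bug report: re-runs the two Shellshock
# verification commands from the QA comment against one bash binary.
# Assumption: BASH_BIN names the bash to test (defaults to "bash" on PATH).
BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: commands appended after an exported function body in an
# environment variable must not be executed. Prints "vulnerable" or "patched".
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo this is a test" 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the parser bug turned "echo date" into a redirect that
# created a file named "echo" in the current directory. A patched bash
# leaves no such file behind. Prints "vulnerable" or "patched".
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env 'x=() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then
        status=vulnerable
    else
        status=patched
    fi
    rm -rf "$dir"
    echo "$status"
}

# Overall verdict: exit status 0 only when both checks report "patched".
shellshock_status() {
    a=$(check_cve_2014_6271)
    b=$(check_cve_2014_7169)
    echo "CVE-2014-6271: $a"
    echo "CVE-2014-7169: $b"
    [ "$a" = patched ] && [ "$b" = patched ]
}
```

Run `shellshock_status` after the package update (or with `BASH_BIN=/path/to/bash`) to get the same OK/not-OK answer the QA comment records.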
Comment 2 Philipp Hahn univentionstaff 2014-10-06 09:58:50 CEST
OK: isoinfo -f -R -i isotests/ucs_4.0-0-latest-amd64.iso | grep bash_
/amd64/bash_4.2+dfsg-0.1.46.201410021458_amd64.deb

TODO: isoinfo -f -R -i isotests/ucs_4.0-0-latest-i386.iso | grep bash_
/i386/bash_4.2+dfsg-0.1.29.201403141200_i386.deb
Comment 3 Philipp Hahn univentionstaff 2014-10-06 10:15:44 CEST
FIXED: isoinfo -f -R -i isotests/ucs_4.0-0-20141006-095844-dvd-i386.iso |grep bash_
/i386/bash_4.2+dfsg-0.1.46.201410021458_i386.deb
Comment 4 Stefan Gohmann univentionstaff 2014-11-26 06:54:49 CET
UCS 4.0-0 has been released:
 http://docs.univention.de/release-notes-4.0-0-en.html
 http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".