Univention Bugzilla – Bug 35992
bash: Missing sanitising (3.2)
Last modified: 2014-12-11 08:08:05 CET
CVE-2014-6271 Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell. Additional writeup: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
A regression was found in the initial fix. Updated patch: *** ../bash-20140912/parse.y 2014-08-26 15:09:42.000000000 -0400 --- parse.y 2014-09-24 22:47:28.000000000 -0400 *************** *** 2959,2962 **** --- 2959,2964 ---- word_desc_to_read = (WORD_DESC *)NULL; + eol_ungetc_lookahead = 0; + current_token = '\n'; /* XXX */ last_read_token = '\n';
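Review bot: the added `current_token = '\n'; /* XXX */` line carries only an `XXX` marker, so the reason the token state has to be reset together with `eol_ungetc_lookahead` next to the existing `last_read_token = '\n';` is not recorded anywhere in the code; replace the marker with a comment naming the regression in the initial fix that this reset addresses, and ship a regression test for that case with the package so the extra reset cannot be dropped silently in a later rebase.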
(In reply to Moritz Muehlenhoff from comment #1)
> A regression was found in the initial fix.
This is known as CVE-2014-7169
Imported 4.1-3+deb6u1 from squeeze-lts for CVE-2014-6271
Added patch for CVE-2014-7169
Advisory: 2014-09-24-bash.yaml
Tests (amd64/i386): OK
OK - installation on amd64/i386
-> env x='() { echo a ;}; echo vulnerable' bash -c "x; echo this is a test"
bash: Warnung: x: ignoring function definition attempt
bash: Fehler beim Importieren der Funktionsdefinition für `x'.
bash: x: Kommando nicht gefunden.
this is a test
-> env x='() { echo a ;}' bash -c "x; echo this is a test"
a
this is a test
OK - YAML
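The CVE-2014-6271 check that the QA comment above runs by hand, wrapped as a small POSIX sh script so it can be run against every bash binary on a host before and after the update (an added example, not part of the bug report or of the Univention or Debian packaging). It assumes `env` is available and that the marker word `vulnerable` only appears on stdout when the trailing command in the crafted variable is executed during function import.

```shell
#!/bin/sh
# Added example (not from the bug report): run the CVE-2014-6271 check quoted
# in the QA comment against one bash binary and print a verdict.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 2
    fi
    # Same invocation as in the QA comment. stderr is discarded because a
    # patched bash prints a (localised) warning about the rejected function
    # definition there; only stdout decides the verdict.
    out=$(env x='() { echo a ;}; echo vulnerable' "$bash_bin" \
          -c "x; echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "not-vulnerable"; return 0 ;;
    esac
}

# Check a constructed list of common bash locations; a host may carry more
# than one copy (e.g. a locally built one) and each must be patched.
check_all_bash() {
    rc=0
    for b in bash /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        command -v "$b" >/dev/null 2>&1 || continue
        status=$(shellshock_status "$b") || rc=1
        printf '%s: %s\n' "$b" "$status"
    done
    return "$rc"
}
```

A non-zero exit from `check_all_bash` means at least one bash on the host still executes the trailing command, so the script can feed a fleet-wide check directly.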
http://errata.univention.de/ucs/3.2/213.html
This update also fixed CVE-2014-7186 and CVE-2014-7187, two side aspects of the initial vulnerability. One is an out-of-bounds access in redir_stack and the other one an off-by-one in loop handling.
(In reply to Moritz Muehlenhoff from comment #6)
> This update also fixed CVE-2014-7186 and CVE-2014-7187, two side aspects of the
> initial vulnerability. One is an out-of-bounds access in redir_stack and the
> other one an off-by-one in loop handling.
These are as of yet unfixed, tracked at Bug #36008.
(In reply to Janek Walkenhorst from comment #7)
> (In reply to Moritz Muehlenhoff from comment #6)
> > This update also fixed CVE-2014-7186 and CVE-2014-7187, two side aspects of the
> > initial vulnerability. One is an out-of-bounds access in redir_stack and the
> > other one an off-by-one in loop handling.
> These are as of yet unfixed, tracked at Bug #36008.
Did you use the squeeze-lts fix? It has these already fixed.
(In reply to Moritz Muehlenhoff from comment #8)
> Did you use the squeeze-lts fix? It has these already fixed.
The current 3.2 fix is based on 4.1-3+deb6u1 from squeeze-lts. In squeeze-lts the current version is 4.1-3+deb6u2, which fixes the additional issues too.
This update also fixed CVE-2014-6277 and CVE-2014-6278