Bug 524256 (CVE-2014-6277) - <app-shells/bash{3.1_p23,3.2_p57,4.0_p44,4.1_p17,4.2_p53}: New remote code execution vulnerabilities discovered by lcamtuf (CVE-2014-{6277,6278})
Summary: <app-shells/bash{3.1_p23,3.2_p57,4.0_p44,4.1_p17,4.2_p53}: New remote code ex...
Status: RESOLVED FIXED
Alias: CVE-2014-6277
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://lcamtuf.blogspot.co.uk/2014/10...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-02 04:27 UTC by Kerin Millar
Modified: 2014-10-08 17:49 UTC

See Also:
Package list:
Runtime testing required: ---


Description Kerin Millar 2014-10-02 04:27:56 UTC
Michael Zalewski, a.k.a. lcamtuf, has lifted the embargo on the details of CVE-2014-6277 and CVE-2014-6278:-

  http://lcamtuf.blogspot.co.uk/2014/10/bash-bug-how-we-finally-cracked.html

Hanno's bashcheck script has been updated with test cases for these two bugs:-

  https://github.com/hannob/bashcheck/blob/master/bashcheck

One important point that Michael makes is as thus:-

"NOTE: If you or your distro maintainers have already deployed Florian's patch, there is no reason for alarm - you are almost certainly not vulnerable to attacks."

Here, I believe he is referring to the variables-affix patch that was initially pushed out per bug 523742.

Presumably, new upstream versions will appear soon enough.
Comment 1 Agostino Sarubbo gentoo-dev 2014-10-02 12:46:40 UTC
(In reply to Kerin Millar from comment #0)
> "NOTE: If you or your distro maintainers have already deployed Florian's
> patch, there is no reason for alarm - you are almost certainly not
> vulnerable to attacks."

Then it is more or less invalid because we are not affected....
Comment 2 Kerin Millar 2014-10-03 08:56:38 UTC
(In reply to Agostino Sarubbo from comment #1)
> Then it is more or less invalid because we are not affected....

From the point of view of security, I suppose so. In any case, it's all fixed by the following patches:

* bash43-029
* bash42-052
* bash41-016
* bash40-043
* bash32-056
* bash31-022
* bash30-021
* bash205b-012
Comment 3 Kerin Millar 2014-10-03 09:13:11 UTC
Actually, the new patches fix CVE-2014-6277 but not CVE-2014-6278. Still, non-exploitable.
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2014-10-03 10:00:51 UTC
+*bash-4.3_p29 (03 Oct 2014)
+*bash-4.2_p52 (03 Oct 2014)
+*bash-4.1_p16 (03 Oct 2014)
+*bash-4.0_p43 (03 Oct 2014)
+*bash-3.2_p56 (03 Oct 2014)
+*bash-3.1_p22 (03 Oct 2014)
+
+  03 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> +bash-3.1_p22.ebuild,
+  +bash-3.2_p56.ebuild, +bash-4.0_p43.ebuild, +bash-4.1_p16.ebuild,
+  +bash-4.2_p52.ebuild, -bash-4.3_p28.ebuild, +bash-4.3_p29.ebuild:
+  Security bump (bug #524256). Should fix CVE-2014-6277.
+
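Review bot: the last line of the entry ("Security bump (bug #524256). Should fix CVE-2014-6277.") cites a bug that tracks both CVE-2014-6277 and CVE-2014-6278 but names only the first. State explicitly that CVE-2014-6278 is not addressed by these versions, so the ChangeLog does not read as closing the whole bug.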

Arches, please test and mark stable the following bash versions:

=app-shells/bash-3.1_p22
=app-shells/bash-3.2_p56
=app-shells/bash-4.0_p43
=app-shells/bash-4.1_p16
=app-shells/bash-4.2_p52

Target KEYWORDS are:
alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 5 Tobias Klausmann gentoo-dev 2014-10-03 17:18:02 UTC
All five stable on alpha.
Comment 6 Jeroen Roovers gentoo-dev 2014-10-03 21:37:38 UTC
Stable for HPPA.
Comment 7 Jack Suter 2014-10-04 01:00:19 UTC
Just to reiterate, Lars' ebuilds in comment #4 fix CVE-2014-6277, but bashcheck shows that CVE-2014-6278 is still exposed. Tested with =app-shells/bash-4.2_p52.
Comment 8 Agostino Sarubbo gentoo-dev 2014-10-04 08:54:08 UTC
+  04 Oct 2014; Agostino Sarubbo <ago@gentoo.org> bash-3.1_p22.ebuild,
+  bash-3.2_p56.ebuild, bash-4.0_p43.ebuild, bash-4.1_p16.ebuild,
+  bash-4.2_p52.ebuild:
+  Stable for amd64/arm/ia64/ppc/ppc64/sparc/sh/x86 wrt the security bug #524256
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-10-04 18:02:44 UTC
CVE-2014-6278 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6278):
  GNU Bash through 4.3 bash43-026 does not properly parse function definitions
  in the values of environment variables, which allows remote attackers to
  execute arbitrary commands via a crafted environment, as demonstrated by
  vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and
  mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified
  DHCP clients, and other situations in which setting the environment occurs
  across a privilege boundary from Bash execution.  NOTE: this vulnerability
  exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and
  CVE-2014-6277.

CVE-2014-6277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6277):
  GNU Bash through 4.3 bash43-026 does not properly parse function definitions
  in the values of environment variables, which allows remote attackers to
  execute arbitrary code or cause a denial of service (uninitialized memory
  access, and untrusted-pointer read and write operations) via a crafted
  environment, as demonstrated by vectors involving the ForceCommand feature
  in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server,
  scripts executed by unspecified DHCP clients, and other situations in which
  setting the environment occurs across a privilege boundary from Bash
  execution.  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2014-6271 and CVE-2014-7169.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-10-04 22:14:39 UTC
This issue was resolved and addressed in
 GLSA 201410-01 at http://security.gentoo.org/glsa/glsa-201410-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2014-10-05 09:06:38 UTC
Re-opening for remaining arches.
Comment 12 Kerin Millar 2014-10-06 07:07:44 UTC
New upstream versions are available, resolving CVE-2014-6278.

* bash43-030
* bash42-053
* bash41-017
* bash40-044
* bash32-057
* bash31-023
* bash30-022
* bash205b-013
Comment 13 Tomáš Mózes 2014-10-06 11:26:42 UTC
According to bashcheck (https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck), version 4.2_p53 seems fine (amd64):

Testing /bin/bash ...
GNU bash, version 4.2.53(1)-release (x86_64-pc-linux-gnu)

Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
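
Added example, not part of the bug thread or of bashcheck: a shell function that classifies a bash version string against the upstream patch levels listed in comments 2 and 12. The function names and status strings are hypothetical, and a version number alone does not show distro backports such as the variables-affix patch mentioned in the description.

```shell
#!/bin/sh
# Added example. Per series, the first patch level carrying the CVE-2014-6277
# fix (comment 2); the next level up carries the CVE-2014-6278 fix (comment 12).
min_6277_level() {
    case "$1" in
        4.3) echo 29 ;;
        4.2) echo 52 ;;
        4.1) echo 16 ;;
        4.0) echo 43 ;;
        3.2) echo 56 ;;
        3.1) echo 22 ;;
        3.0) echo 21 ;;
        *)   return 1 ;;   # series not covered by this bug's patch list
    esac
}

# Accepts "4.2.53", a Gentoo-style "4.2_p53", an atom such as
# "=app-shells/bash-4.2_p53", or a full `bash --version` banner line.
bash_fix_status() {
    parsed=$(printf '%s\n' "$1" |
        sed -nE 's/^[^0-9]*([0-9]+\.[0-9]+)(\.|_p)([0-9]+).*/\1 \3/p' | head -n 1)
    [ -n "$parsed" ] || { echo unknown; return 0; }
    series=${parsed% *}
    level=${parsed#* }
    # Strip leading zeros so "030" compares as 30 rather than tripping the test.
    level=$(printf '%s' "$level" | sed 's/^0*\([0-9]\)/\1/')
    base=$(min_6277_level "$series") || { echo unknown; return 0; }
    if [ "$level" -gt "$base" ]; then
        echo fixed-6277-6278
    elif [ "$level" -eq "$base" ]; then
        echo fixed-6277-only
    else
        echo older
    fi
}

# Constructed sample inputs, in the formats that appear in this thread.
for v in "GNU bash, version 4.2.53(1)-release (x86_64-pc-linux-gnu)" \
         "=app-shells/bash-4.2_p52" "3.1_p21"; do
    printf '%s -> %s\n' "$v" "$(bash_fix_status "$v")"
done
```

To check the local shell, pass it the first line of `bash --version`; a result of `unknown` means the series is outside the patch list in this bug.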
Comment 14 Lars Wendler (Polynomial-C) gentoo-dev 2014-10-06 12:26:24 UTC
+*bash-4.3_p30 (06 Oct 2014)
+*bash-4.2_p53 (06 Oct 2014)
+*bash-4.1_p17 (06 Oct 2014)
+*bash-4.0_p44 (06 Oct 2014)
+*bash-3.2_p57 (06 Oct 2014)
+*bash-3.1_p23 (06 Oct 2014)
+
+  06 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> +bash-3.1_p23.ebuild,
+  +bash-3.2_p57.ebuild, +bash-4.0_p44.ebuild, +bash-4.1_p17.ebuild,
+  +bash-4.2_p53.ebuild, -bash-4.3_p29.ebuild, +bash-4.3_p30.ebuild:
+  Security bump (bug #524256). Should fix CVE-2014-6278.
+

Arches, please test and mark stable the following bash versions:

=app-shells/bash-3.1_p23
=app-shells/bash-3.2_p57
=app-shells/bash-4.0_p44
=app-shells/bash-4.1_p17
=app-shells/bash-4.2_p53

Target KEYWORDS are:
alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 15 Jeroen Roovers gentoo-dev 2014-10-06 16:24:35 UTC
Stable for HPPA.
Comment 16 Agostino Sarubbo gentoo-dev 2014-10-06 18:15:09 UTC
+  06 Oct 2014; Agostino Sarubbo <ago@gentoo.org> bash-3.1_p23.ebuild,
+  bash-3.2_p57.ebuild, bash-4.0_p44.ebuild, bash-4.1_p17.ebuild,
+  bash-4.2_p53.ebuild:
+  Stable for alpha/amd64/arm/ia64/ppc/ppc64/sparc/sh/x86 wrt the security bug
+  #524256
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2014-10-08 10:51:09 UTC
arm64/m68k/s390/sh stable
Comment 18 Lars Wendler (Polynomial-C) gentoo-dev 2014-10-08 16:21:31 UTC
+  08 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> -bash-3.1_p21.ebuild,
+  -bash-3.1_p22.ebuild, -bash-3.2_p55.ebuild, -bash-3.2_p56.ebuild,
+  -bash-4.0_p42.ebuild, -bash-4.0_p43.ebuild, -bash-4.1_p15.ebuild,
+  -bash-4.1_p16.ebuild, -bash-4.2_p51.ebuild, -bash-4.2_p52.ebuild:
+  Removed vulnerable versions.
+
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2014-10-08 17:49:30 UTC
Thanks everyone.

Another GLSA is not needed here.