Michal Zalewski, a.k.a. lcamtuf, has lifted the embargo on the details of CVE-2014-6277 and CVE-2014-6278:
http://lcamtuf.blogspot.co.uk/2014/10/bash-bug-how-we-finally-cracked.html
Hanno's bashcheck script has been updated with test cases for these two bugs:
https://github.com/hannob/bashcheck/blob/master/bashcheck
One important point that Michal makes is this:
"NOTE: If you or your distro maintainers have already deployed Florian's patch, there is no reason for alarm - you are almost certainly not vulnerable to attacks."
Here, I believe he is referring to the variables-affix patch that was initially pushed out per bug 523742. Presumably, new upstream versions will appear soon enough.
(In reply to Kerin Millar from comment #0)
> "NOTE: If you or your distro maintainers have already deployed Florian's
> patch, there is no reason for alarm - you are almost certainly not
> vulnerable to attacks."
Then it is more or less invalid because we are not affected....
(In reply to Agostino Sarubbo from comment #1)
> Then it is more or less invalid because we are not affected....
From the point of view of security, I suppose so. In any case, it's all fixed by the following patches:
* bash43-029
* bash42-052
* bash41-016
* bash40-043
* bash32-056
* bash31-022
* bash30-021
* bash205b-012
Actually, the new patches fix CVE-2014-6277 but not CVE-2014-6278. Still, non-exploitable.
+*bash-4.3_p29 (03 Oct 2014) +*bash-4.2_p52 (03 Oct 2014) +*bash-4.1_p16 (03 Oct 2014) +*bash-4.0_p43 (03 Oct 2014) +*bash-3.2_p56 (03 Oct 2014) +*bash-3.1_p22 (03 Oct 2014) + + 03 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> +bash-3.1_p22.ebuild, + +bash-3.2_p56.ebuild, +bash-4.0_p43.ebuild, +bash-4.1_p16.ebuild, + +bash-4.2_p52.ebuild, -bash-4.3_p28.ebuild, +bash-4.3_p29.ebuild: + Security bump (bug #524256). Should fix CVE-2014-6277. + Arches, please test and mark stable the following bash versions: =app-shells/bash-3.1_p22 =app-shells/bash-3.2_p56 =app-shells/bash-4.0_p43 =app-shells/bash-4.1_p16 =app-shells/bash-4.2_p52 Target KEYWORDS are: alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
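Review bot: the entry text "Security bump (bug #524256). Should fix CVE-2014-6277." names only one of the two CVEs tracked in this bug, and the thread reports that CVE-2014-6278 is not covered by these versions. Say so in the entry (for example by adding that CVE-2014-6278 remains open) so that the stabilisation request for these versions is not read as resolving the whole bug.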
All five stable on alpha.
Stable for HPPA.
Just to reiterate, Lars' ebuilds in comment #4 fix CVE-2014-6277, but bashcheck shows that CVE-2014-6278 is still exposed. Tested with =app-shells/bash-4.2_p52.
+ 04 Oct 2014; Agostino Sarubbo <ago@gentoo.org> bash-3.1_p22.ebuild, + bash-3.2_p56.ebuild, bash-4.0_p43.ebuild, bash-4.1_p16.ebuild, + bash-4.2_p52.ebuild: + Stable for amd64/arm/ia64/ppc/ppc64/sparc/sh/x86 wrt the security bug #524256
CVE-2014-6278 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6278):
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
CVE-2014-6277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6277):
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
This issue was resolved and addressed in GLSA 201410-01 at http://security.gentoo.org/glsa/glsa-201410-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).
Re-opening for remaining arches.
New upstream versions are available, resolving CVE-2014-6278.
* bash43-030
* bash42-053
* bash41-017
* bash40-044
* bash32-057
* bash31-023
* bash30-022
* bash205b-013
According to bashcheck (https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck), version 4.2_p53 seems fine (amd64):
Testing /bin/bash ...
GNU bash, version 4.2.53(1)-release (x86_64-pc-linux-gnu)
Variable function parser pre/suffixed [%%, upstream], bugs not exploitable
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Not vulnerable to CVE-2014-6277 (lcamtuf bug #1)
Not vulnerable to CVE-2014-6278 (lcamtuf bug #2)
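The "Variable function parser pre/suffixed" line in the output above is the hardening the variables-affix patch provides. As an added example (not part of this thread and not bashcheck's own code), the following sketch classifies how a given bash binary imports functions from the environment. The names probe, affix_status, gr_probe and gr_imported are constructed for the example.

```shell
#!/bin/sh
# Added example: report whether a bash binary feeds plain environment
# variables to its function parser, or only affixed names.
# All function and marker names here are constructed for this check.

# probe SHELL_PATH ENV_NAME
# Prints "yes" if a harmless function definition stored in environment
# variable ENV_NAME is imported by SHELL_PATH as the function gr_probe.
probe() {
    out=$(env "$2=() { echo gr_imported; }" "$1" -c 'gr_probe' 2>/dev/null) || true
    [ "$out" = "gr_imported" ] && echo yes || echo no
}

# affix_status [SHELL_PATH]
# Prints one of: absent, unprefixed, affix:%%, affix:(), no-import
affix_status() {
    sh_path=${1:-bash}
    command -v "$sh_path" >/dev/null 2>&1 || { echo "absent"; return 0; }
    if [ "$(probe "$sh_path" gr_probe)" = yes ]; then
        # Any variable value starting with "() {" reaches the parser, so
        # parser bugs are reachable from attacker-set variables.
        echo "unprefixed"
    elif [ "$(probe "$sh_path" 'BASH_FUNC_gr_probe%%')" = yes ]; then
        # Upstream naming, as in the "[%%, upstream]" bashcheck line.
        echo "affix:%%"
    elif [ "$(probe "$sh_path" 'BASH_FUNC_gr_probe()')" = yes ]; then
        # Alternative affix naming shipped in some distribution patches.
        echo "affix:()"
    else
        echo "no-import"
    fi
}

# When run as a script with a path argument, print the classification.
if [ -n "${1:-}" ]; then
    affix_status "$1"
fi
```

A result of "unprefixed" means the binary predates the affix hardening and should be upgraded; either "affix" result matches the state bashcheck reports as "bugs not exploitable".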
+*bash-4.3_p30 (06 Oct 2014) +*bash-4.2_p53 (06 Oct 2014) +*bash-4.1_p17 (06 Oct 2014) +*bash-4.0_p44 (06 Oct 2014) +*bash-3.2_p57 (06 Oct 2014) +*bash-3.1_p23 (06 Oct 2014) + + 06 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> +bash-3.1_p23.ebuild, + +bash-3.2_p57.ebuild, +bash-4.0_p44.ebuild, +bash-4.1_p17.ebuild, + +bash-4.2_p53.ebuild, -bash-4.3_p29.ebuild, +bash-4.3_p30.ebuild: + Security bump (bug #524256). Should fix CVE-2014-6278. + Arches, please test and mark stable the following bash versions: =app-shells/bash-3.1_p23 =app-shells/bash-3.2_p57 =app-shells/bash-4.0_p44 =app-shells/bash-4.1_p17 =app-shells/bash-4.2_p53 Target KEYWORDS are: alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
+ 06 Oct 2014; Agostino Sarubbo <ago@gentoo.org> bash-3.1_p23.ebuild, + bash-3.2_p57.ebuild, bash-4.0_p44.ebuild, bash-4.1_p17.ebuild, + bash-4.2_p53.ebuild: + Stable for alpha/amd64/arm/ia64/ppc/ppc64/sparc/sh/x86 wrt the security bug + #524256
arm64/m68k/s390/sh stable
+ 08 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> -bash-3.1_p21.ebuild, + -bash-3.1_p22.ebuild, -bash-3.2_p55.ebuild, -bash-3.2_p56.ebuild, + -bash-4.0_p42.ebuild, -bash-4.0_p43.ebuild, -bash-4.1_p15.ebuild, + -bash-4.1_p16.ebuild, -bash-4.2_p51.ebuild, -bash-4.2_p52.ebuild: + Removed vulnerable versions. +
Thanks everyone. Another GLSA is not needed here.