bash velnerability
Jung-uk Kim
jkim at FreeBSD.org
Tue Sep 30 18:54:16 UTC 2014
On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>> Apparently, the full fix is still not delivered, accordingly to this:
>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>
>>>>>> Kind regards,
>>>>>> Bartek Rutkowski
>>>>>>
>>>>>
>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>
>>> I've disabled environment function importing in the port. Using
>>> --import-functions will allow it to work if you need it.
>>
>> Hi Bryan,
>> With the latest ports, bashcheck still sees some issues with bash.
>> Are these false positives on FreeBSD ?
>>
>> Using
>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>
>> Not vulnerable to CVE-2014-6271 (original shellshock)
>> Not vulnerable to CVE-2014-7169 (taviso bug)
>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash
>> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>> Test for CVE-2014-7187 not reliable without address sanitizer
>> Variable function parser inactive, likely safe from unknown parser bugs
>>
>> ---Mike
>
> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
Applying the first patch for parse.y from the following post passed the
tests for me.
http://www.openwall.com/lists/oss-security/2014/09/25/32
In fact, all major Linux distros seem to use it now.
FYI,
Jung-uk Kim
More information about the freebsd-ports
mailing list