bash velnerability

Bryan Drewery bdrewery at FreeBSD.org
Tue Sep 30 19:46:15 UTC 2014 

On 9/30/2014 1:54 PM, Jung-uk Kim wrote:
> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
>> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>>> Apparently, the full fix is still not delivered, accordingly to this:
>>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Bartek Rutkowski
>>>>>>>
>>>>>>
>>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>>
>>>> I've disabled environment function importing in the port. Using
>>>> --import-functions will allow it to work if you need it.
>>>
>>> Hi Bryan,
>>>     With the latest ports, bashcheck still sees some issues with bash.
>>> Are these false positives on FreeBSD ?
>>>
>>> Using
>>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>>
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> ./bashcheck: line 18: 54908 Segmentation fault      (core dumped) bash
>>> -c "true $(printf '<<EOF %.0s' {1..79})" 2> /dev/null
>>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Test for CVE-2014-7187 not reliable without address sanitizer
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>>     ---Mike
>>
>> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
> 
> Applying the first patch for parse.y from the following post passed the
> tests for me.
> 
> http://www.openwall.com/lists/oss-security/2014/09/25/32
> 
> In fact, all major Linux distros seem to use it now.
> 
> FYI,
> 
> Jung-uk Kim

I was holding off on this one as it had not proven to be remotely
exploitable from what I saw. I was also wanting to see what upstream did
before throwing more intrusive patches at our port.

I even saw a reddit post last night complaining that OSX had updated
bash only to leave it "still vulnerable" because of the redir_stack issue.

I will apply the redir_stack patch since it's becoming an FAQ.

-- 
Regards,
Bryan Drewery

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20140930/a55c263b/attachment.sig>

More information about the freebsd-ports mailing list