bash vulnerability

Jason Hellenthal jhellenthal at dataix.net
Tue Sep 30 21:48:21 UTC 2014


I would agree with that. Considering that the Korn shell was found out this morning to be importing functions from bash that it does not completely know how to interpret, that goes to say that there is a much bigger issue at face here than the mere sysadmins can begin to fathom quite yet.

There is still more to come from this. We may not see the end of it for the next 10 years.

But also, to state it: bash 4.3.27 on 10-RELEASE-p9 reports as not vulnerable to the five known CVEs right now, but that same shell compiled on a 9.1-RELEASE system is still vulnerable to the last two CVEs … That said, this is deep; just when you think you have it conquered.

On Sep 30, 2014, at 16:25, Charles Swiger <cswiger at mac.com> wrote:

> On Sep 30, 2014, at 12:46 PM, Bryan Drewery <bdrewery at FreeBSD.org> wrote:
> [ ... ]
>> I even saw a reddit post last night complaining that OSX had updated
>> bash only to leave it "still vulnerable" because of the redir_stack issue.
> 
> It doesn't seem to be?
> 
> bash-3.2$ bash --version
> GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
> Copyright (C) 2007 Free Software Foundation, Inc.
> 
> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
> Testing Exploit 4 (CVE-2014-7186)
> bash-3.2$ CVE7186="$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n V)"
> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> NOT VULNERABLE
> 
> This being said, I'm not confident that there won't be further issues found with bash....
> 
> Regards,
> -- 
> -Chuck
> 

-- 
 Jason Hellenthal
 Mobile: +1 (616) 953-0176
 jhellenthal at DataIX.net
 JJH48-ARIN
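As an added example (not part of this thread or of FreeBSD), a small POSIX sh script that runs the redir_stack probe quoted above against a named bash binary and prints the behavioural result next to the version string, since the message notes that the same version can test clean on one build and vulnerable on another. The function names and the BASH_BIN variable are my own.

```shell
#!/bin/sh
# Added example: probe a bash binary for the redir_stack bug (CVE-2014-7186)
# the way the quoted message does, rather than trusting `bash --version`.
# BASH_BIN (assumed name) lets you point at a freshly built or non-default bash.
BASH_BIN="${BASH_BIN:-bash}"

# Prints the first line of `bash --version` for the binary, or "NO BASH"
# when the binary cannot be found.
bash_version_line() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || { echo "NO BASH"; return 0; }
    "$bin" --version 2>/dev/null | head -n 1
}

# Prints "VULNERABLE", "NOT VULNERABLE" or "NO BASH".
# Fourteen stacked here-documents, as in the quoted check: an unpatched bash
# aborts (non-zero exit), a fixed bash only warns on stderr and exits 0.
check_cve_2014_7186() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || { echo "NO BASH"; return 0; }
    if "$bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        echo "NOT VULNERABLE"
    else
        echo "VULNERABLE"
    fi
}

# One-line report: the version string as reported, then the behavioural result,
# so the two can be compared per build rather than assumed from the version.
report_bash() {
    bin="${1:-$BASH_BIN}"
    printf '%s: %s -> CVE-2014-7186: %s\n' \
        "$bin" "$(bash_version_line "$bin")" "$(check_cve_2014_7186 "$bin")"
}

# Usage: ./probe-bash.sh [path-to-bash]   (defaults to the bash on PATH)
report_bash "$@"
```

Run it once per bash build you ship (for example the base shell and a ports build), not once per version number.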


