Opened 10 years ago

Closed 10 years ago

#45162 closed defect (fixed)

bash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169)

Reported by: kost.hc@… Owned by: raimue (Rainer Müller)
Priority: High Milestone:
Component: ports Version: 2.3.1
Keywords: Cc: cooljeanius (Eric Gallager), neverpanic (Clemens Lang), hahn.seb@…, breiter (Brian Reiter), sierkb@…
Port: bash

Description

Bash is still vulnerable to the shellshock bash:

$ sudo port selfupdate
Password:
--->  Updating MacPorts base sources using rsync
MacPorts base version 2.3.1 installed,
MacPorts base version 2.3.1 downloaded.
--->  Updating the ports tree
--->  MacPorts base is already the latest version

The ports tree has been updated. To upgrade your installed ports, you should run
  port upgrade outdated
$ sudo port install bash
--->  Computing dependencies for bash
--->  Cleaning bash
--->  Scanning binaries for linking errors
--->  No broken files found.


$ bash --version
GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.2.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

It is not vulnerable to this:

$ env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
stuff

But still vulnerable to this:

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri Sep 26 00:48:31 CEST 2014

If you need more info, check this URL: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Attachments (2)

bash-port-debian-patches-fixes-cve-2014-7169.diff (9.5 KB) - added by neverpanic (Clemens Lang) 10 years ago.
Patch against the Portfile porting all three changes from debian
bash-port-debian-patches.diff (9.2 KB) - added by neverpanic (Clemens Lang) 10 years ago.
Patch against the Portfile updating to 4.3.26 and porting Debian's patches

Download all attachments as: .zip

Change History (27)

comment:1 Changed 10 years ago by kost.hc@…

Ticket you already have: https://trac.macports.org/ticket/45150

Fixes introduced in ticket 45150 fixes CVE-2014-6271, but bash is still vulnerable to second test (CVE-2014-7169): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169

Version 0, edited 10 years ago by kost.hc@… (next)

comment:2 Changed 10 years ago by mf2k (Frank Schima)

Owner: changed from macports-tickets@… to raimue@…

In the future, please Cc the port maintainers (port info --maintainers bash) so that this can actually get fixed.

comment:3 Changed 10 years ago by mf2k (Frank Schima)

For reference the actual test is (as mentioned by the reporter in the description):

$ rm -f echo
$ env X='() { (a)=>\' sh -c "echo date"; cat echo

sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Fri Sep 26 11:29:03 MDT 2014

The fact that the date prints out is the bug. In a properly patched system, here is the output:

$ rm -f echo
$ env X='() { (a)=>\' sh -c "echo date"; cat echo

date
cat: echo: No such file or directory
Last edited 10 years ago by mf2k (Frank Schima) (previous) (diff)

comment:4 Changed 10 years ago by raimue (Rainer Müller)

Status: newassigned
Summary: Bash still vulnerablebash @4.3.25: Vulnerable to code execution in environment variables (CVE-2014-7169)

Duplicate of

comment:5 Changed 10 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:6 Changed 10 years ago by neverpanic (Clemens Lang)

Cc: cal@… added

It seems Debian pushed two new versions of bash with security fixes:

  • 4.2+dfsg-0.1+deb7u2 with a fix for CVE-2014-7169, see https://tracker.debian.org/news/573425
  • 4.2+dfsg-0.1+deb7u3 fixing an out-of-bound array access in the bash parser and a patch that moves all exported function definitions into a separate "namespace".

The patches in question are:

I'll test those in a second and attach a patch.

comment:7 Changed 10 years ago by sierkb@…

As of late, an official fix for CVE-2014-7169 has been published by GNU project: http://ftp.gnu.org/gnu/bash/, patch 26 for Bash 4.3 http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026, see also http://seclists.org/oss-sec/2014/q3/734.

Please update MacPorts' bash portfile in version, patchlevel and checksums of the patches accordingly from 4.3.25 to this new availlable patch level 4.3.26 as soon as possible.

Last edited 10 years ago by sierkb@… (previous) (diff)

Changed 10 years ago by neverpanic (Clemens Lang)

Patch against the Portfile porting all three changes from debian

Changed 10 years ago by neverpanic (Clemens Lang)

Patch against the Portfile updating to 4.3.26 and porting Debian's patches

comment:8 Changed 10 years ago by neverpanic (Clemens Lang)

The official fix in patchlevel 26 is the same as in Debian's CVE-2014-7169.diff. I've attached a patch that updates the port and also ports Debian's patches. I'll leave it up to you to decide whether you also want Debian's patches or just upstream's fix.

I've verified that function exports work after this patch. When they get exported into environment variables, they are prefixed with BASH_FUNC_ and suffixed with ().

comment:9 in reply to:  8 Changed 10 years ago by sierkb@…

Replying to cal@…:

The official fix in patchlevel 26 is the same as in Debian's CVE-2014-7169.diff. I've attached a patch that updates the port and also ports Debian's patches. I'll leave it up to you to decide whether you also want Debian's patches or just upstream's fix.

More details:

Debian's additional so far non-official patches seem to be these here: https://lists.debian.org/debian-devel-changes/2014/09/msg03214.html, brought onto the table by Red Hat (Florian Weimer, Huzaifa Sidhpurwala) as so far non-upstream patches (not yet officially completely verified and assimilated upstream by the GNU Bash project) and discussed here: seclists.org (oss-sec): Fwd: Non-upstream patches for bash http://seclists.org/oss-sec/2014/q3/712. Additional to the official patch against CVE-2014-7169, they add so-far-non-upsteam fixes against CVE-2014-7186 https://access.redhat.com/security/cve/CVE-2014-7186 and CVE-2014-7187 https://access.redhat.com/security/cve/CVE-2014-7187. If these additional so-far-non-upstream-patches maybe will be followed by a further official upstream patch by the GNU project (the chance is not zero, that this might happen), is out of my knowledge at this time of writing.

I back the statement in comment:8, it's up to you, as the maintainer of this port, wether you want to be conservative and be on par with the current upstream status or anticipate its status by going a (yet unofficial) step ahead.

comment:10 Changed 10 years ago by larryv (Lawrence Velázquez)

Cc: hahn.seb@… added

Has duplicate #45173.

comment:11 Changed 10 years ago by breiter (Brian Reiter)

The NetBSD and FreeBSD solution is an excellent mitigation. It removes the whole misfeature of passing function definitions to child shells by default.

https://svnweb.freebsd.org/ports?view=revision&revision=369341

comment:12 in reply to:  11 Changed 10 years ago by neverpanic (Clemens Lang)

Replying to brian.reiter@…:

The NetBSD and FreeBSD solution is an excellent mitigation. It removes the whole misfeature of passing function definitions to child shells by default.

That may be your opinion, but doing this breaks people's scripts, and is not something I'd be willing to do, unless bash upstream is also going to. I think the Debian patch reduces the attack surface for future bugs in function importing from the environment to situations where attackers control the variable name, which mitigates the remote code execution problems.

comment:13 Changed 10 years ago by raimue (Rainer Müller)

I committed an update to bash @4.3.26 in r125830.

I think at this point it also makes sense to also take the other patches from Debian, especially for the new issues CVE-2014-7186 and CVE-2014-7187.

Clemens (cal@), what is the source of the patches you posted? I would like to add a proper "Upstream: <URL>" or "Origin: <URL>" attribution in the patch files so we can reconstruct where they came from originally.

comment:14 Changed 10 years ago by neverpanic (Clemens Lang)

I got them from the Debian URLs posted above. Not sure where they got them from.

comment:15 Changed 10 years ago by breiter (Brian Reiter)

Cc: brian.reiter@… added

Cc Me!

comment:16 Changed 10 years ago by hahn.seb@…

In the meantime, there's an official 4.3.27 out. I assume attaching a patch would make it more work for you compared than just making it yourself ;)

comment:17 Changed 10 years ago by raimue (Rainer Müller)

Update to bash @4.3.27 committed in r125869.

comment:18 Changed 10 years ago by neverpanic (Clemens Lang)

Patchlevel 27 contains the namespaced function exports, but as far as I can see the parser OOB accesses are still unfixed. AFAIK meanwhile CVE numbers have been assigned for those, too.

comment:19 Changed 10 years ago by sierkb@…

Cc: sierkb@… added

Cc Me!

comment:20 Changed 10 years ago by sierkb@…

Just for the record:
Ticket #45234: Checksum (sha1) mismatch for bash43-028

comment:21 Changed 10 years ago by sierkb@…

Please update to bash @4.3.29 (Patchlevel 29, published 10/03/2014 upstream at ftp://ftp.gnu.org/gnu/bash/bash-4.3-patches/).

comment:24 Changed 10 years ago by raimue (Rainer Müller)

bash @4.3.30 committed in r126243.

comment:25 Changed 10 years ago by raimue (Rainer Müller)

Resolution: fixed
Status: assignedclosed

With all the patches in place, I consider this particular issue as fixed. If new security vulnerabilities arise, please open a new ticket.

Note: See TracTickets for help on using tickets.