From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 07:09:17 2014
From: Kuleshov Aleksey
To: freebsd-security@freebsd.org
Cc: na@rtfm.net, robert@ml.erje.net
Subject: Re: Bash ShellShock bug(s)
Date: Mon, 29 Sep 2014 11:09:02 +0400
Message-Id: <2423691411974542@web12j.yandex.ru>
List-Id: "Security issues [members-only posting]"

There is a repository https://github.com/hannob/bashcheck with a convenient script to check for vulnerabilities.

% sh bashcheck
Vulnerable to CVE-2014-6271 (original shellshock)
Vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Vulnerable to CVE-2014-7187 (nessted loops off by one)
Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)

Does it mean that FreeBSD's sh is subject to such vulnerabilities?

Subject: Re: Bash ShellShock bug(s)
From: Patrick Proniewski
To: Kuleshov Aleksey
Cc: freebsd-security@freebsd.org
Date: Mon, 29 Sep 2014 09:16:00 +0200
In-Reply-To: <2423691411974542@web12j.yandex.ru>

On 29 sept. 2014, at 09:09, Kuleshov Aleksey wrote:

> There is a repository https://github.com/hannob/bashcheck with a convenient script to check for vulnerabilities.
>
> % sh bashcheck
> Vulnerable to CVE-2014-6271 (original shellshock)
> Vulnerable to CVE-2014-7169 (taviso bug)
> Not vulnerable to CVE-2014-7186 (redir_stack bug)
> Vulnerable to CVE-2014-7187 (nessted loops off by one)
> Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
>
> Does it mean that FreeBSD's sh is subject to such vulnerabilities?

No, it just means the script uses bash and your bash is vulnerable.

patpro

From: Кулешов Алексей
To: Patrick Proniewski
Cc: "freebsd-security@freebsd.org"
Subject: Re: Bash ShellShock bug(s)
Date: Mon, 29 Sep 2014 11:34:42 +0400
Message-Id: <1771201411976082@web22o.yandex.ru>

Right. Okay then, here it is:

# pkg remove bash
... change 'bash' to 'sh' in bashcheck ...
# sh bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
Not vulnerable to CVE-2014-7186 (redir_stack bug)
Vulnerable to CVE-2014-7187 (nessted loops off by one)
Variable function parser inactive, likely safe from unknown parser bugs

So, there is no bash on my system anymore, but script says it has one vulnerability.
Is it actually vulnerability or it's me who must take a good sleep? :)

29.09.2014, 11:16, "Patrick Proniewski":
> On 29 sept. 2014, at 09:09, Kuleshov Aleksey wrote:
>> There is a repository https://github.com/hannob/bashcheck with a convenient script to check for vulnerabilities.
>>
>> % sh bashcheck
>> Vulnerable to CVE-2014-6271 (original shellshock)
>> Vulnerable to CVE-2014-7169 (taviso bug)
>> Not vulnerable to CVE-2014-7186 (redir_stack bug)
>> Vulnerable to CVE-2014-7187 (nessted loops off by one)
>> Variable function parser still active, likely vulnerable to yet unknown parser bugs like CVE-2014-6277 (lcamtuf bug)
>>
>> Does it mean that FreeBSD's sh is subject to such vulnerabilities?
>
> No, it just means the script uses bash and your bash is vulnerable.
>
> patpro

Subject: Re: Bash ShellShock bug(s)
From: Patrick Proniewski
To: Кулешов Алексей
Cc: "freebsd-security@freebsd.org FreeBSD-security", ehaupt@FreeBSD.org
Date: Mon, 29 Sep 2014 09:55:09 +0200
Message-Id: <7B489747-0FF8-4081-A001-7A510C3C6FA1@patpro.net>
In-Reply-To: <1771201411976082@web22o.yandex.ru>

(cc ehaupt@ about the core dump of latest bash port)

On 29 sept. 2014, at 09:34, Кулешов Алексей wrote:

> Right. Okay then, here it is:
>
> # pkg remove bash
> ... change 'bash' to 'sh' in bashcheck ...
> # sh bashcheck
> Not vulnerable to CVE-2014-6271 (original shellshock)
> Not vulnerable to CVE-2014-7169 (taviso bug)
> Not vulnerable to CVE-2014-7186 (redir_stack bug)
> Vulnerable to CVE-2014-7187 (nessted loops off by one)
> Variable function parser inactive, likely safe from unknown parser bugs
>
> So, there is no bash on my system anymore, but script says it has one vulnerability.
> Is it actually vulnerability or it's me who must take a good sleep? :)

This is odd. As far as I know, no one reported sh as being vulnerable to CVE-2014-7187. But may be it's only on FreeBSD... I don't have an answer to that.

Side note about bashcheck on a patched bash (latest bash available in ports): it yields to a core dump.

$ bash --version
GNU bash, version 4.3.27(0)-release (amd64-portbld-freebsd8.4)
--------
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
/tmp/bashtest: line 18: 37449 Segmentation fault: 11 (core dumped) bash -c "true $(printf '< /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
--------

In-Reply-To: <7B489747-0FF8-4081-A001-7A510C3C6FA1@patpro.net>
From: n j
To: "freebsd-security@freebsd.org FreeBSD-security"
Subject: Re: Bash ShellShock bug(s)
Date: Mon, 29 Sep 2014 11:26:34 +0200

Hi,

On Mon, Sep 29, 2014 at 9:55 AM, Patrick Proniewski wrote:

> On 29 sept. 2014, at 09:34, Кулешов Алексей wrote:
>
> > Right. Okay then, here it is:
> >
> > # pkg remove bash
> > ... change 'bash' to 'sh' in bashcheck ...
> > # sh bashcheck
> > Not vulnerable to CVE-2014-6271 (original shellshock)
> > Not vulnerable to CVE-2014-7169 (taviso bug)
> > Not vulnerable to CVE-2014-7186 (redir_stack bug)
> > Vulnerable to CVE-2014-7187 (nessted loops off by one)
> > Variable function parser inactive, likely safe from unknown parser bugs
> >
> > So, there is no bash on my system anymore, but script says it has one
> > vulnerability.
> > Is it actually vulnerability or it's me who must take a good sleep? :)
>
> This is odd. As far as I know, no one reported sh as being vulnerable to
> CVE-2014-7187. But may be it's only on FreeBSD... I don't have an answer to
> that.
>

I'd say the test is not relevant for sh. The line that tests for CVE-2014-7187 uses {1..200} construct which is not understood by sh.

E.g.

sh$ for i in {1..5}; do echo -n $i; done
{1..5}
bash$ for i in {1..5}; do echo -n $i; done
12345

Br,
--
Nino

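Added example, not part of the thread and not bashcheck's code: a POSIX sh preflight that checks whether an interpreter expands {1..N} before a brace-expansion-based test, such as the CVE-2014-7187 check discussed above, is trusted for it. The function names are hypothetical, and the generated loop text is only counted, never executed.

```shell
#!/bin/sh
# Added example: is a {1..N}-based shell test meaningful for a given interpreter?
# All function names are hypothetical; nothing here is taken from bashcheck.

# Print what SHELL makes of the word {1..3} (empty if SHELL cannot be run).
probe_brace_expansion() {
    "$1" -c 'echo {1..3}' 2>/dev/null || true
}

# Map the probe output to a verdict: expands | literal | unknown.
classify_probe() {
    case "$1" in
        "1 2 3")  echo expands ;;
        "{1..3}") echo literal ;;
        *)        echo unknown ;;
    esac
}

# Count the lines the nested-loop generator emits when SHELL runs it for depth N.
# A shell that expands braces emits 2*N lines; one that does not emits 2.
generator_line_count() {
    gen='for x in {1..'"$2"'}; do echo "for x$x in ; do :"; done; for x in {1..'"$2"'}; do echo done; done'
    "$1" -c "$gen" 2>/dev/null | wc -l | tr -d ' '
}

# Decide whether a verdict from the {1..N} test can be trusted for SHELL.
# Prints "applicable" or "not-applicable: <reason>".
brace_test_applicability() {
    shell=$1
    depth=${2:-200}
    verdict=$(classify_probe "$(probe_brace_expansion "$shell")")
    if [ "$verdict" != expands ]; then
        echo "not-applicable: brace expansion $verdict"
        return 0
    fi
    lines=$(generator_line_count "$shell" "$depth")
    if [ "$lines" -eq $((depth * 2)) ]; then
        echo applicable
    else
        echo "not-applicable: generator emitted $lines lines, expected $((depth * 2))"
    fi
}

# Report for the interpreters present on this machine.
for candidate in sh bash; do
    command -v "$candidate" >/dev/null 2>&1 || continue
    printf '%s: %s\n' "$candidate" "$(brace_test_applicability "$candidate")"
done
```

In a shell that prints {1..3} literally, as sh does in the message above, the generator emits two lines instead of 400, so the test never builds the nested loops it is meant to exercise.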
From: Kulesho
To: n j, "freebsd-security@freebsd.org FreeBSD-security"
Subject: Re: Bash ShellShock bug(s)
Date: Mon, 29 Sep 2014 14:36:23 +0400
Message-Id: <2709351411986983@web15m.yandex.ru>

Thank you for the explanation! Now I can sleep calmly.

29.09.2014, 13:27, "n j":
> Hi,
>
> On Mon, Sep 29, 2014 at 9:55 AM, Patrick Proniewski wrote:
>> On 29 sept. 2014, at 09:34, Кулешов Алексей wrote:
>>> Right. Okay then, here it is:
>>>
>>> # pkg remove bash
>>> ... change 'bash' to 'sh' in bashcheck ...
>>> # sh bashcheck
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> Not vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Vulnerable to CVE-2014-7187 (nessted loops off by one)
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>> So, there is no bash on my system anymore, but script says it has one
>>> vulnerability.
>>> Is it actually vulnerability or it's me who must take a good sleep? :)
>> This is odd. As far as I know, no one reported sh as being vulnerable to
>> CVE-2014-7187. But may be it's only on FreeBSD... I don't have an answer to
>> that.
>
> I'd say the test is not relevant for sh. The line that tests for
> CVE-2014-7187 uses {1..200} construct which is not understood by sh.
>
> E.g.
>
> sh$ for i in {1..5}; do echo -n $i; done
> {1..5}
> bash$ for i in {1..5}; do echo -n $i; done
> 12345
>
> Br,
> --
> Nino

Message-ID: <54298266.1090201@sentex.net>
Date: Mon, 29 Sep 2014 12:01:42 -0400
From: Mike Tancsa
To: Bryan Drewery
Cc: freebsd-security, freebsd-ports
Subject: Re: bash velnerability
In-Reply-To: <5425D427.8090309@FreeBSD.org>

On 9/26/2014 5:01 PM, Bryan Drewery wrote:
> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>> Apparently, the full fix is still not delivered, according to this:
>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>
>>>> Kind regards,
>>>> Bartek Rutkowski
>>>>
>>>
>>> I'm pretty sure they call that a "feature". This is a bit different.
>
> I've disabled environment function importing in the port. Using
> --import-functions will allow it to work if you need it.

Hi Bryan,
With the latest ports, bashcheck still sees some issues with bash.
Are these false positives on FreeBSD?

Using
https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck

Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash -c "true $(printf '< /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs

---Mike

Message-ID: <5429851B.8060500@FreeBSD.org>
Date: Mon, 29 Sep 2014 11:13:15 -0500
From: Bryan Drewery
To: Mike Tancsa
Cc: freebsd-security, freebsd-ports
Subject: Re: bash velnerability
In-Reply-To: <54298266.1090201@sentex.net>

On 9/29/2014 11:01 AM, Mike Tancsa wrote:
> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>> Apparently, the full fix is still not delivered, according to this:
>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>
>>>>> Kind regards,
>>>>> Bartek Rutkowski
>>>>>
>>>>
>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>
>> I've disabled environment function importing in the port. Using
>> --import-functions will allow it to work if you need it.
>
> Hi Bryan,
> With the latest ports, bashcheck still sees some issues with bash.
> Are these false positives on FreeBSD?
>
> Using
> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>
> Not vulnerable to CVE-2014-6271 (original shellshock)
> Not vulnerable to CVE-2014-7169 (taviso bug)
> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash
> -c "true $(printf '< /dev/null
> Vulnerable to CVE-2014-7186 (redir_stack bug)
> Test for CVE-2014-7187 not reliable without address sanitizer
> Variable function parser inactive, likely safe from unknown parser bugs
>
> ---Mike

Yes, we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.

--
Regards,
Bryan Drewery

Message-ID: <542AFC54.9010405@FreeBSD.org>
Date: Tue, 30 Sep 2014 14:54:12 -0400
From: Jung-uk Kim
To: Bryan Drewery, Mike Tancsa
Cc: freebsd-security, freebsd-ports
Subject: Re: bash velnerability
In-Reply-To: <5429851B.8060500@FreeBSD.org>

On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>> Apparently, the full fix is still not delivered, according to this:
>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>
>>>>>> Kind regards,
>>>>>> Bartek Rutkowski
>>>>>>
>>>>>
>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>
>>> I've disabled environment function importing in the port. Using
>>> --import-functions will allow it to work if you need it.
>>
>> Hi Bryan,
>> With the latest ports, bashcheck still sees some issues with bash.
>> Are these false positives on FreeBSD?
>>
>> Using
>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>
>> Not vulnerable to CVE-2014-6271 (original shellshock)
>> Not vulnerable to CVE-2014-7169 (taviso bug)
>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash
>> -c "true $(printf '< /dev/null
>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>> Test for CVE-2014-7187 not reliable without address sanitizer
>> Variable function parser inactive, likely safe from unknown parser bugs
>>
>> ---Mike
>
> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.

Applying the first patch for parse.y from the following post passed the tests for me.

http://www.openwall.com/lists/oss-security/2014/09/25/32

In fact, all major Linux distros seem to use it now.

FYI,

Jung-uk Kim

Subject: Re: bash velnerability
From: Jason Hellenthal
Date: Tue, 30 Sep 2014 13:58:07 -0500
To: Jung-uk Kim
Cc: freebsd-security, freebsd-ports, Bryan Drewery

echo "Testing Exploit 1 (CVE-2014-6271)"
CVE6271="$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)"
[ "${CVE6271}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 2 (CVE-2014-7169)"
CVE7169="$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat echo 2>/dev/null; rm -f echo)"
[ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 3 (CVE-2014-6277)"
CVE6277="$(env -i X=' () { }; echo -n V' bash -c :)"
[ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 4 (CVE-2014-7186)"
CVE7186="$(bash -c 'true </dev/null ||echo -n V)"
[ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

echo "Testing Exploit 5 (CVE-2014-7187)"
CVE7187="$((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)"
[ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

Good luck ;-)

On Sep 30, 2014, at 13:54, Jung-uk Kim wrote:

> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
>> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>>> Apparently, the full fix is still not delivered, accordingly to this:
>>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Bartek Rutkowski
>>>>>>>
>>>>>>
>>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>>
>>>> I've disabled environment function importing in the port. Using
>>>> --import-functions will allow it to work if you need it.
>>>
>>> Hi Bryan,
>>> With the latest ports, bashcheck still sees some issues with bash.
>>> Are these false positives on FreeBSD ?
>>>
>>> Using
>>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>>
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash
>>> -c "true $(printf '< /dev/null
>>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Test for CVE-2014-7187 not reliable without address sanitizer
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>> ---Mike
>>
>> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
>
> Applying the first patch for parse.y from the following post passed the
> tests for me.
>
> http://www.openwall.com/lists/oss-security/2014/09/25/32
>
> In fact, all major Linux distros seem to use it now.
>
> FYI,
>
> Jung-uk Kim
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Jason Hellenthal
Mobile: +1 (616) 953-0176
jhellenthal@DataIX.net
JJH48-ARIN

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 19:59:06 2014
Date: Tue, 30 Sep 2014 15:58:58 -0400
From: Jung-uk Kim
To: Jason Hellenthal
Subject: Re: bash velnerability
Cc: freebsd-security, Bryan Drewery, freebsd-ports

On 2014-09-30 14:58:07 -0400, Jason Hellenthal wrote:
> echo "Testing Exploit 1 (CVE-2014-6271)"
> CVE6271="$(env x='() { :;}; echo -n V' bash -c : 2>/dev/null)"
> [ "${CVE6271}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 2 (CVE-2014-7169)"
> CVE7169="$(env X='() { (4lpi.com)=>\' bash -c "echo date" 2>/dev/null; cat echo 2>/dev/null; rm -f echo)"
> [ ! "${CVE7169}" == "date" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 3 (CVE-2014-6277)"
> CVE6277="$(env -i X=' () { }; echo -n V' bash -c :)"
> [ "${CVE6277}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 4 (CVE-2014-7186)"
> CVE7186="$(bash -c 'true </dev/null ||echo -n V)"
> [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> echo "Testing Exploit 5 (CVE-2014-7187)"
> CVE7187="$((for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) |bash 2>/dev/null ||echo -n V)"
> [ "${CVE7187}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
>
> Good luck ;-)

Yes, it passes all tests (the patch attached).

Jung-uk Kim

Content-Disposition: attachment; filename="patch-parse.y"

--- parse.y.orig 2014-09-30 12:58:08.462512373 -0400 +++ parse.y 2014-09-30 12:58:08.629018000 -0400 @@ -265,9 +265,21 @@ /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */ -static REDIRECT *redir_stack[10]; +static REDIRECT **redir_stack; int need_here_doc; +/* Pushes REDIR onto redir_stack, resizing it as needed. */ +static void +push_redir_stack (REDIRECT *redir) +{ + /* Guard against oveflow. */ + if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) + abort (); + redir_stack = xrealloc (redir_stack, + (need_here_doc + 1) * sizeof (*redir_stack)); + redir_stack[need_here_doc++] = redir; +} + /* Where shell input comes from. History expansion is performed on each line when the shell is interactive. */ static char *shell_input_line = (char *)NULL; 
@@ -520,42 +532,42 @@ source.dest = 0; redir.filename = $2; $$ = make_redirection (source, r_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | NUMBER LESS_LESS WORD { source.dest = $1; redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | REDIR_WORD LESS_LESS WORD { source.filename = $1; redir.filename = $3; $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | LESS_LESS_MINUS WORD { source.dest = 0; redir.filename = $2; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | NUMBER LESS_LESS_MINUS WORD { source.dest = $1; redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, 0); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | REDIR_WORD LESS_LESS_MINUS WORD { source.filename = $1; redir.filename = $3; $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); - redir_stack[need_here_doc++] = $$; + push_redir_stack ($$); } | LESS_LESS_LESS WORD { 
@@ -4905,7 +4917,7 @@ case CASE: case SELECT: case FOR: - if (word_top < MAX_CASE_NEST) + if (word_top + 1 < MAX_CASE_NEST) word_top++; word_lineno[word_top] = line_number; break;
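
Review bot: in push_redir_stack (first hunk) the overflow guard ends in abort (), so if it ever fires the shell dies with SIGABRT instead of rejecting the command with a syntax error; reporting a parse error would be the friendlier failure. The test also compares the int need_here_doc + 1 against the size_t value INT_MAX / sizeof (*redir_stack), and the hunk does not show <limits.h> being included for INT_MAX, so that is worth checking. The comment reads "oveflow" and should say "overflow".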
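
Review bot: the second hunk converts the six here-document actions to push_redir_stack ($$), but the patch shows no change to whatever code reads redir_stack or resets need_here_doc. Because the first hunk turns redir_stack from an array of 10 into a static pointer that starts out NULL and only grows, please confirm that nothing else in parse.y still writes redir_stack[need_here_doc++] directly or relies on the old fixed size.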
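
Review bot: in the CASE/SELECT/FOR case (third hunk) the new test word_top + 1 < MAX_CASE_NEST keeps the index in range only if word_lineno has MAX_CASE_NEST elements, and that declaration is not part of the hunk, so a short comment stating the relationship would help. Note also that word_lineno[word_top] = line_number sits outside the if: once the limit is reached the increment is skipped but the assignment still runs and overwrites the line number recorded for the deepest tracked level.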
From: Bryan Drewery
Organization: FreeBSD
To: Jung-uk Kim, Mike Tancsa
Subject: Re: bash velnerability
Cc: freebsd-security, freebsd-ports
X-List-Received-Date: Tue, 30 Sep 2014 19:46:12 -0000

On 9/30/2014 1:54 PM, Jung-uk Kim wrote:
> On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote:
>> On 9/29/2014 11:01 AM, Mike Tancsa wrote:
>>> On 9/26/2014 5:01 PM, Bryan Drewery wrote:
>>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote:
>>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote:
>>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote:
>>>>>>> Apparently, the full fix is still not delivered, accordingly to this:
>>>>>>> http://seclists.org/oss-sec/2014/q3/741
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Bartek Rutkowski
>>>>>>>
>>>>>>
>>>>>> I'm pretty sure they call that a "feature". This is a bit different.
>>>>
>>>> I've disabled environment function importing in the port. Using
>>>> --import-functions will allow it to work if you need it.
>>>
>>> Hi Bryan,
>>> With the latest ports, bashcheck still sees some issues with bash.
>>> Are these false positives on FreeBSD ?
>>>
>>> Using
>>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck
>>>
>>> Not vulnerable to CVE-2014-6271 (original shellshock)
>>> Not vulnerable to CVE-2014-7169 (taviso bug)
>>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash
>>> -c "true $(printf '< /dev/null
>>> Vulnerable to CVE-2014-7186 (redir_stack bug)
>>> Test for CVE-2014-7187 not reliable without address sanitizer
>>> Variable function parser inactive, likely safe from unknown parser bugs
>>>
>>> ---Mike
>>
>> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187.
>
> Applying the first patch for parse.y from the following post passed the
> tests for me.
>
> http://www.openwall.com/lists/oss-security/2014/09/25/32
>
> In fact, all major Linux distros seem to use it now.
>
> FYI,
>
> Jung-uk Kim

I was holding off on this one as it had not proven to be remotely
exploitable from what I saw. I was also wanting to see what upstream did
before throwing more intrusive patches at our port.

I even saw a reddit post last night complaining that OSX had updated
bash only to leave it "still vulnerable" because of the redir_stack issue.

I will apply the redir_stack patch since it's becoming an FAQ.

--
Regards,
Bryan Drewery

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 21:25:17 2014
Subject: Re: bash velnerability
From: Charles Swiger
Date: Tue, 30 Sep 2014 14:25:15 -0700
To: Bryan Drewery
Cc: freebsd-security, freebsd-ports, Jung-uk Kim

On Sep 30, 2014, at 12:46 PM, Bryan Drewery wrote:
[ ... ]
> I even saw a reddit post last night complaining that OSX had updated
> bash only to leave it "still vulnerable" because of the redir_stack issue.

It doesn't seem to be?

bash-3.2$ bash --version
GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
Testing Exploit 4 (CVE-2014-7186)
bash-3.2$ CVE7186="$(bash -c 'true </dev/null ||echo -n V)"
bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
NOT VULNERABLE

This being said, I'm not confident that there won't be further issues
found with bash....

Regards,
--
-Chuck

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 21:48:21 2014
Subject: Re: bash velnerability
From: Jason Hellenthal
Date: Tue, 30 Sep 2014 16:48:17 -0500
To: Charles Swiger
Cc: freebsd-security, Jung-uk Kim, freebsd-ports, Bryan Drewery

I would agree with that. Considering the korn shell was found out to be
importing functions from bash this morning that it does not completely
know how to interpret goes to say that there is a much bigger issue at
face here than the mere sys admins can begin to fathom quite yet.

There is still more to come from this. We may not see the end of it for
the next 10 years.

But also to state bash 4.3.27 on 10-RELEASE-p9 reports as not vulnerable
to the five known CVEs right now but that same shell compiled on a
9.1-RELEASE system is still vulnerable to the last two CVEs … That
said this is deep just when you think you have it conquered.

On Sep 30, 2014, at 16:25, Charles Swiger wrote:

> On Sep 30, 2014, at 12:46 PM, Bryan Drewery wrote:
> [ ... ]
>> I even saw a reddit post last night complaining that OSX had updated
>> bash only to leave it "still vulnerable" because of the redir_stack issue.
>
> It doesn't seem to be?
>
> bash-3.2$ bash --version
> GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
> Copyright (C) 2007 Free Software Foundation, Inc.
>
> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
> Testing Exploit 4 (CVE-2014-7186)
> bash-3.2$ CVE7186="$(bash -c 'true </dev/null ||echo -n V)"
> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> NOT VULNERABLE
>
> This being said, I'm not confident that there won't be further issues
> found with bash....
>
> Regards,
> --
> -Chuck

--
Jason Hellenthal

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 22:00:56 2014
Date: Tue, 30 Sep 2014 18:00:31 -0400
From: Mike Tancsa
Organization: Sentex Communications
To: Charles Swiger, Bryan Drewery
Subject: Re: bash velnerability
Cc: freebsd-security, freebsd-ports, Jung-uk Kim

On 9/30/2014 5:25 PM, Charles Swiger wrote:
> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
> Testing Exploit 4 (CVE-2014-7186)
> bash-3.2$ CVE7186="$(bash -c 'true </dev/null ||echo -n V)"
> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"
> NOT VULNERABLE
>
> This being said, I'm not confident that there won't be further issues
> found with bash....
>

What are people using to check these issues ? I was using

https://github.com/hannob/bashcheck

Not sure if that gives false positives ? Even on linux with all patches
applied, it coredumps on 7186. Yet the BASH maintainer says all holes
are patched ? Or does he consider 2014-7186 not a security issue ?

http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00341.html

# bash ./bashcheck
Not vulnerable to CVE-2014-6271 (original shellshock)
Not vulnerable to CVE-2014-7169 (taviso bug)
./bashcheck: line 18: 19749 Segmentation fault (core dumped) bash -c "true $(printf '< /dev/null
Vulnerable to CVE-2014-7186 (redir_stack bug)
Test for CVE-2014-7187 not reliable without address sanitizer
Variable function parser inactive, likely safe from unknown parser bugs
#

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 22:08:05 2014
Date: Tue, 30 Sep 2014 18:08:01 -0400
From: Jung-uk Kim
To: Mike Tancsa, Charles Swiger, Bryan Drewery
Subject: Re: bash velnerability
Cc: freebsd-security, freebsd-ports

On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
> On 9/30/2014 5:25 PM, Charles Swiger wrote:
>> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>> Testing Exploit 4 (CVE-2014-7186)
>> bash-3.2$ CVE7186="$(bash -c 'true <> </dev/null ||echo -n
>> V)"
>> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT
>> VULNERABLE"
>> NOT VULNERABLE
>>
>> This being said, I'm not confident that there won't be further issues
>> found with bash....
>>
>
> What are people using to check these issues ? I was using
>
> https://github.com/hannob/bashcheck
>
> Not sure if that gives false positives ?
...

Yes, it seems it does.

https://github.com/hannob/bashcheck/commit/5b611b36

Jung-uk Kim

From owner-freebsd-security@FreeBSD.ORG Tue Sep 30 22:29:30 2014
Subject: Re: bash velnerability
From: Charles Swiger In-reply-to: <542B29C1.7010505@FreeBSD.org> Date: Tue, 30 Sep 2014 15:29:28 -0700 Message-id: <7943146A-CB56-4744-BFB5-268B306D3738@mac.com> References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> <542B087D.3040903@FreeBSD.org> <542B27FF.10204@sentex.net> <542B29C1.7010505@FreeBSD.org> To: Jung-uk Kim X-Mailer: Apple Mail (2.1878.6)
Cc: freebsd-security , Bryan Drewery , freebsd-ports X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2014 22:29:31 -0000 On Sep 30, 2014, at 3:08 PM, Jung-uk Kim wrote: > On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote: >> On 9/30/2014 5:25 PM, Charles Swiger wrote: >>> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)" >>> Testing Exploit 4 (CVE-2014-7186) >>> bash-3.2$ CVE7186="$(bash -c 'true <>> </dev/null ||echo -n >>> V)" >>> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT >>> VULNERABLE" >>> NOT VULNERABLE >>> >>> This being said, I'm not confident that there won't be further issues >>> found with bash.... >>> >> >> What are people using to check these issues ? I was using >> >> https://github.com/hannob/bashcheck >> >> Not sure if that gives false positives ? > ... > > Yes, it seems it does. > > https://github.com/hannob/bashcheck/commit/5b611b36 > > Jung-uk Kim Checking, and agreed. bash -c "true $(printf '</dev/null ...works OK, but this crashes with a SIGSEGV: bash -c "true $(printf '</dev/null Seems to be blowing out a ~84K malloc buffer located just above the __TEXT page for /bin/bash; it's not blowing out the stack directly and isn't affected by changing ulimit -s. 
Regards, -- -Chuck From owner-freebsd-security@FreeBSD.ORG Wed Oct 1 03:32:32 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8B5A55A1 for ; Wed, 1 Oct 2014 03:32:32 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 65F64FB6 for ; Wed, 1 Oct 2014 03:32:32 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id s913WWpS039190 for ; Wed, 1 Oct 2014 03:32:32 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id s913WWee039187 for freebsd-security@freebsd.org; Wed, 1 Oct 2014 03:32:32 GMT (envelope-from bdrewery) Received: (qmail 18782 invoked from network); 30 Sep 2014 22:32:30 -0500 Received: from unknown (HELO ?10.10.0.24?) (freebsd@shatow.net@10.10.0.24) by sweb.xzibition.com with ESMTPA; 30 Sep 2014 22:32:30 -0500 Message-ID: <542B75C9.7050106@FreeBSD.org> Date: Tue, 30 Sep 2014 22:32:25 -0500 
From: Bryan Drewery Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: Jung-uk Kim , Bryan Drewery , Mike Tancsa Subject: Re: bash velnerability References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> In-Reply-To: <542AFC54.9010405@FreeBSD.org> OpenPGP: id=6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="amBkfTpbOspVJbWlxxlajlskkTkx1KqNd" X-Mailman-Approved-At: Wed, 01 Oct 2014 04:35:11 +0000 Cc: freebsd-security , freebsd-ports X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Oct 2014 03:32:32 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
On 9/30/2014 1:54 PM, Jung-uk Kim wrote: > On 2014-09-29 12:13:15 -0400, Bryan Drewery wrote: >> On 9/29/2014 11:01 AM, Mike Tancsa wrote: >>> On 9/26/2014 5:01 PM, Bryan Drewery wrote: >>>> On 9/26/2014 12:41 PM, Bryan Drewery wrote: >>>>> On 9/26/2014 11:51 AM, Bryan Drewery wrote: >>>>>> On 9/26/2014 11:46 AM, Bartek Rutkowski wrote: >>>>>>> Apparently, the full fix is still not delivered, accordingly to this: >>>>>>> http://seclists.org/oss-sec/2014/q3/741 >>>>>>> >>>>>>> Kind regards, >>>>>>> Bartek Rutkowski >>>>>>> >>>>>> >>>>>> I'm pretty sure they call that a "feature". This is a bit different. >>>> >>>> I've disabled environment function importing in the port. Using >>>> --import-functions will allow it to work if you need it. >>> >>> Hi Bryan, >>> With the latest ports, bashcheck still sees some issues with bash. >>> Are these false positives on FreeBSD ? >>> >>> Using >>> https://raw.githubusercontent.com/hannob/bashcheck/master/bashcheck >>> >>> Not vulnerable to CVE-2014-6271 (original shellshock) >>> Not vulnerable to CVE-2014-7169 (taviso bug) >>> ./bashcheck: line 18: 54908 Segmentation fault (core dumped) bash >>> -c "true $(printf '< /dev/null >>> Vulnerable to CVE-2014-7186 (redir_stack bug) >>> Test for CVE-2014-7187 not reliable without address sanitizer >>> Variable function parser inactive, likely safe from unknown parser bugs >>> >>> ---Mike >> >> Yes we have not applied the RedHat fix for CVE-2014-7186 or CVE-2014-7187. > > Applying the first patch for parse.y from the following post passed the > tests for me. > > http://www.openwall.com/lists/oss-security/2014/09/25/32 > > In fact, all major Linux distros seem to use it now. > > FYI, > > Jung-uk Kim For some reason the redir_stack issue is not showing up at all for me on head without the patch. It does show up on an 8.4 system of mine without the patch though. I have applied it now to the port. 
-- Regards, Bryan Drewery From owner-freebsd-security@FreeBSD.ORG Wed Oct 1 17:09:07 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4F90CA76 for ; Wed, 1 Oct 2014 17:09:07 +0000 (UTC) Received: from smtp-4-out.integrity.hu (smtp-4-out.integrity.hu [212.52.165.214]) by mx1.freebsd.org (Postfix) with ESMTP id 04B5176E for ; Wed, 1 Oct 2014 17:09:06 +0000 (UTC) Received: from webmail.integrity.hu (mail-fe-1.integrity.hu [10.1.64.120]) by mail-smtp.integrity.hu (Postfix) with ESMTPA id C600A41CC6; Wed, 1 Oct 2014 18:58:58 +0200 (CEST) Received: from zdVoLRd6w40t4UCI2L+C0tI/jsbk7SwFs3NDj+p4OGi+SU9BxByfUw== (BdAP7fG/oxFA//PrBoCo1GXlOhMCsTKr) by webmail.integrity.hu with HTTP (HTTP/1.1 POST); Wed, 01 Oct 2014 18:58:58 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Date: Wed, 01 Oct 2014 18:58:58 +0200 
From: gabor@zahemszky.hu To: Subject: Re: bash velnerability In-Reply-To: <915DA264-1022-441B-93DE-229739A861B3@dataix.net> References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> <542B087D.3040903@FreeBSD.org> <915DA264-1022-441B-93DE-229739A861B3@dataix.net> Message-ID: X-Sender: gabor@zahemszky.hu User-Agent: Roundcube Webmail/0.8.4 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Oct 2014 17:09:07 -0000 On 2014-09-30 23:48, Jason Hellenthal wrote: > I would agree with that. Considering the korn shell was found out to > be importing functions from bash this morning that it does not > completely know how to interpret goes to say that there is a much > bigger issue at face here than the mere sys admins can begin to > fathom > quite yet. Can you provide us links to this Korn-shell problem? And which version of Korn-shell are you talking about? E.g. 
in FreeBSD ports, we have at least three different types of kshs: shells/ksh93 - the original, from AT&T's David Korn shells/pdksh - a public domain reimplementation of the old ksh88 shells/mksh - the MirBSD's Korn-shell (a fork of pdksh) Thanks, Gabor < Gabor at Zahemszky dot HU > From owner-freebsd-security@FreeBSD.ORG Wed Oct 1 20:59:03 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 33092F76 for ; Wed, 1 Oct 2014 20:59:03 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 12B68852 for ; Wed, 1 Oct 2014 20:59:03 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id s91Kx2W6087263 for ; Wed, 1 Oct 2014 20:59:02 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id s91Kx2xc087260 for freebsd-security@FreeBSD.ORG; Wed, 1 Oct 2014 20:59:02 GMT (envelope-from bdrewery) Received: (qmail 88316 invoked from network); 1 Oct 2014 15:58:56 -0500 Received: from unknown (HELO ?10.10.0.24?) 
(freebsd@shatow.net@10.10.0.24) by sweb.xzibition.com with ESMTPA; 1 Oct 2014 15:58:56 -0500 Message-ID: <542C6B0A.9060503@FreeBSD.org> Date: Wed, 01 Oct 2014 15:58:50 -0500 
From: Bryan Drewery Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: d@delphij.net, freebsd-security@FreeBSD.ORG, Jung-uk Kim Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default? References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> In-Reply-To: <53B4B7FB.6070407@FreeBSD.org> OpenPGP: id=6E4697CF; url=http://www.shatow.net/bryan/bryan2.asc Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="lJroknRCnBAuOSrgOxbREAEs0rj95cVGK" X-Mailman-Approved-At: Wed, 01 Oct 2014 22:14:18 +0000 Cc: Ben Laurie , gecko@FreeBSD.org, Dirk Meyer , re , FreeBSD Ports Management Team X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Oct 2014 20:59:03 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
On 7/2/2014 8:55 PM, Bryan Drewery wrote: > On 7/2/2014 6:45 PM, Xin Li wrote: >> Hi, >> >> Currently, FreeBSD does not install a default /etc/ssl/cert.pem >> because we do not maintain one ourselves. We do, however, provide a >> port, security/ca_root_nss, which have an option to install a symbolic >> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt, >> which is not the default option. >> >> This become a problem when applications, e.g. fetch(8), have grown the >> support of doing certificate validation. I think now it makes sense >> to have a default cert.pem installed with the base system. >> >> So my proposal would be: >> >> 1. Import a set of trusted root certificates, and install if >> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem; >> >> 2. In src/etc/Makefile, automatically create a symbolic link if it's >> not already present in ${DESTDIR}/etc/ssl; >> >> 3. Teach mergemaster(8) and other similar applications to create the >> symbolic link on demand; >> >> 4. Change the install/deinstall behavior of security/ca_root_nss: >> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on >> install then overwrite with new symlink, and restore on deinstall. >> ETCSYMLINK unchecked: If /etc/ssl/cert.pem do not pre-exist, >> install new a symlink; on deinstall, if >> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a >> symlink to there, or remove if the file does not exist. >> >> Comments/objections? >> >> Cheers, > > Please see r266291. > > libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl. > > The next step was to have the port always install the symlink there. > It's fallen through the cracks though. > > This only allows fixing applications that use libfetch though and not > other applications that expect a /etc/ssl/cert.pem like curl. This seems to have been dropped. We do need some sort of solution though. I've found that curl already does the right thing and looking at the proper /usr/local location for the ca_root_nss bundle due to being configured in the curl port to do so. The remaining piece IMHO would be fixing base openssl to look for /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port currently looks in /usr/local/openssl by default and not /etc/ssl. Here is a patch for the port to check /usr/local/etc/ssl first: https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-pem.diff And a patch for base libcrypto to check /usr/local/etc/ssl first: https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-pem.diff These allow things like wget to work by default once ca_root_nss is installed with the /usr/local/etc/ssl/cert.pem symlink. As for installing a CA root bundle by default, we could just bootstrap it along with pkg from ca_root_nss. 
-- Regards, Bryan Drewery From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 08:22:15 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 83F8E2C6 for ; Thu, 2 Oct 2014 08:22:15 +0000 (UTC) Received: from nimbus.fccf.net (nimbus.fccf.net [77.77.144.35]) by mx1.freebsd.org (Postfix) with ESMTP id 3A41BB92 for ; Thu, 2 Oct 2014 08:22:14 +0000 (UTC) Received: from straylight.m.ringlet.net (unknown [46.233.30.128]) by nimbus.fccf.net (Postfix) with ESMTPSA id 742675D for ; Thu, 2 Oct 2014 11:15:49 +0300 (EEST) Received: from roam (uid 1000) (envelope-from roam@ringlet.net) id 254004c by straylight.m.ringlet.net (DragonFly Mail Agent v0.9); Thu, 02 Oct 2014 11:14:16 +0300 Date: Thu, 2 Oct 2014 11:14:16 +0300 
From: Peter Pentchev To: gabor@zahemszky.hu Subject: Re: bash velnerability Message-ID: <20141002081416.GA2633@straylight.m.ringlet.net> Mail-Followup-To: gabor@zahemszky.hu, freebsd-security@freebsd.org References: <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> <542B087D.3040903@FreeBSD.org> <915DA264-1022-441B-93DE-229739A861B3@dataix.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2014 08:22:15 -0000
On Wed, Oct 01, 2014 at 06:58:58PM +0200, gabor@zahemszky.hu wrote: > On 2014-09-30 23:48, Jason Hellenthal wrote: > >I would agree with that. Considering the korn shell was found out to > >be importing functions from bash this morning that it does not > >completely know how to interpret goes to say that there is a much > >bigger issue at face here than the mere sys admins can begin to fathom > >quite yet. > > Can you provide us links to this Korn-shell problem? I think that Jason may have been referring to the discussion at: https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00350.html It talks about ksh misimporting environment variables in general, not just Bash functions. > And which > version of Korn-shell are you talking about? E.g. in FreeBSD ports, > we have at least three different types of kshs: > > shells/ksh93 - the original, from AT&T's David Korn > shells/pdksh - a public domain reimplementation of the old ksh88 > shells/mksh - the MirBSD's Korn-shell (a fork of pdksh) Well, the test with the following command: env 'a|b=1' ksh -c 'set' | fgrep -e 'a|b' ...shows that ksh93 is vulnerable, pdksh and mksh are not. G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@FreeBSD.org p.penchev@storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 04:51:49 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 342F2998 for ; Thu, 2 Oct 2014 04:51:49 +0000 (UTC) Received: from mail-yk0-x241.google.com 
(mail-yk0-x241.google.com [IPv6:2607:f8b0:4002:c07::241]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EF1F31BF for ; Thu, 2 Oct 2014 04:51:48 +0000 (UTC) Received: by mail-yk0-f193.google.com with SMTP id q200so205213ykb.4 for ; Wed, 01 Oct 2014 21:51:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=evKlClDKgySwnTUcm9agbvFiEYRnPbo0OS/RBuDrk+M=; b=Be+hvlCgRZd3QFegjmpRyCe41wsTGKBewaX94c3124JP9Pl341pxIbaYvD5zQLItXj RdhDD+tvrSRn71f8PgwonilUnLaXTyY6hRW4UaPkhyo2ht6Sai/kw+bP4xf2YbrqOdD8 wkJuGbQkN0SpG1AKj+U1D0pehUNJ7YutjvsXGwA4usgVGWCp6iDSaw+i4m/qmGS32mvf ZXVXtuqAmlly0vh1TK3r/IhTgSXMyMUBHKL2QlDrm3gfgb3E7uSSTWazWK7d6sza+Eu9 l/mw2BEeg3QfcfNzNCIhNM50XtqbzT2v4mcM/8UC5zSNwfeJVUTAi0dilsY/hWsC059l Ggpg== MIME-Version: 1.0 X-Received: by 10.52.164.136 with SMTP id yq8mr38110920vdb.23.1412225508051; Wed, 01 Oct 2014 21:51:48 -0700 (PDT) Received: by 10.31.14.65 with HTTP; Wed, 1 Oct 2014 21:51:48 -0700 (PDT) Date: Wed, 1 Oct 2014 21:51:48 -0700 Message-ID: Subject: net.inet.ip.forwarding 
From: Baxter Milliwew To: freebsd-security@freebsd.org X-Mailman-Approved-At: Thu, 02 Oct 2014 11:25:14 +0000 Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2014 04:51:49 -0000 Should this value ever change without user intervention ? From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 12:38:42 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6214D3A0 for ; Thu, 2 Oct 2014 12:38:42 +0000 (UTC) Received: from mail2.mbox.lu (mail.mbox.lu [85.93.212.24]) by mx1.freebsd.org (Postfix) with ESMTP id 24C66B7A for ; Thu, 2 Oct 2014 12:38:40 +0000 (UTC) Received: from mail2.mbox.lu (localhost [127.0.0.1]) by mail2.mbox.lu (Postfix) with ESMTP id C52E9323B1; Thu, 2 Oct 2014 14:27:36 +0200 (CEST) Received: from [10.78.71.76] (unknown [185.40.60.139]) by mail2.mbox.lu (Postfix) with ESMTPSA id A883A323A7; Thu, 2 Oct 2014 14:27:36 +0200 (CEST) References: Mime-Version: 1.0 (1.0) In-Reply-To: Message-Id: X-Mailer: iPhone Mail (12A405) 
From: Steve Clement Subject: Re: net.inet.ip.forwarding Date: Thu, 2 Oct 2014 14:28:40 +0200 To: Baxter Milliwew Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: "freebsd-security@freebsd.org" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2014 12:38:42 -0000 Could you be more specific. Installing a random port that switches this on is user intervention too. -- Steve Clement /!\ Sent from a mobile device, trust accordingly /!\ https://www.twitter.com/SteveClement mailto:steve@localhost.lu .lu: +352 20 333 66 > On 2 oct. 2014, at 06:51, Baxter Milliwew wrote: > > Should this value ever change without user intervention ? From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 13:25:46 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4388D2F4; Thu, 2 Oct 2014 13:25:46 +0000 (UTC) Received: from smtp.vangyzen.net (hotblack.vangyzen.net [IPv6:2607:fc50:1000:7400:216:3eff:fe72:314f]) by mx1.freebsd.org (Postfix) with ESMTP id 20637173; Thu, 2 Oct 2014 13:25:42 +0000 (UTC) Received: from marvin.lab.vangyzen.net (c-24-125-214-90.hsd1.va.comcast.net [24.125.214.90]) by smtp.vangyzen.net (Postfix) with ESMTPSA id D0D3856443; Thu, 2 Oct 2014 08:25:41 -0500 (CDT) Message-ID: <542D5254.2050508@vangyzen.net> Date: Thu, 02 Oct 2014 09:25:40 -0400 
From: Eric van Gyzen User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Bryan Drewery , d@delphij.net, freebsd-security@FreeBSD.ORG, Jung-uk Kim Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default? References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <542C6B0A.9060503@FreeBSD.org> In-Reply-To: <542C6B0A.9060503@FreeBSD.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Cc: Ben Laurie , gecko@FreeBSD.org, Dirk Meyer , re , FreeBSD Ports Management Team X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2014 13:25:46 -0000 On 10/01/2014 16:58, Bryan Drewery wrote: > On 7/2/2014 8:55 PM, Bryan Drewery wrote: >> On 7/2/2014 6:45 PM, Xin Li wrote: >>> Hi, >>> >>> Currently, FreeBSD does not install a default /etc/ssl/cert.pem >>> because we do not maintain one ourselves. We do, however, provide a >>> port, security/ca_root_nss, which have an option to install a symbolic >>> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt, >>> which is not the default option. >>> >>> This become a problem when applications, e.g. fetch(8), have grown the >>> support of doing certificate validation. I think now it makes sense >>> to have a default cert.pem installed with the base system. >>> >>> So my proposal would be: >>> >>> 1. Import a set of trusted root certificates, and install if >>> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem; >>> >>> 2. In src/etc/Makefile, automatically create a symbolic link if it's >>> not already present in ${DESTDIR}/etc/ssl; >>> >>> 3. Teach mergemaster(8) and other similar applications to create the >>> symbolic link on demand; >>> >>> 4. 
Change the install/deinstall behavior of security/ca_root_nss: >>> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on >>> install then overwrite with new symlink, and restore on deinstall. >>> ETCSYMLINK unchecked: If /etc/ssl/cert.pem do not pre-exist, >>> install new a symlink; on deinstall, if >>> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a >>> symlink to there, or remove if the file does not exist. >>> >>> Comments/objections? >>> >>> Cheers, >> Please see r266291. >> >> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl. >> >> The next step was to have the port always install the symlink there. >> It's fallen through the cracks though. >> >> This only allows fixing applications that use libfetch though and not >> other applications that expect a /etc/ssl/cert.pem like curl. > This seems to have been dropped. We do need some sort of solution though. > > I've found that curl already does the right thing and looking at the > proper /usr/local location for the ca_root_nss bundle due to being > configured in the curl port to do so. > > The remaining piece IMHO would be fixing base openssl to look for > /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port currently > looks in /usr/local/openssl by default and not /etc/ssl. > > Here is a patch for the port to check /usr/local/etc/ssl first: > > https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-pem.diff > > And a patch for base libcrypto to check /usr/local/etc/ssl first: > > https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-pem.diff This is a good idea, and the patches look fine to me. > These allow things like wget to work by default once ca_root_nss is > installed with the /usr/local/etc/ssl/cert.pem symlink. > > As for installing a CA root bundle by default, we could just bootstrap > it along with pkg from ca_root_nss. 
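The lookup order discussed in this thread (/usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem), as an added example that is not part of any message or patch in the thread: a POSIX sh check that reports which bundle that order selects and flags a dangling symlink, such as one left behind when security/ca_root_nss is removed. The function names, the ROOT prefix and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the CA bundle using the search
# order proposed in the thread, /usr/local/etc/ssl/cert.pem first and
# /etc/ssl/cert.pem second. All names below are hypothetical.

# Search order, relative to an optional root prefix.
CA_BUNDLE_CANDIDATES="/usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem"

# classify_bundle PATH
# Prints one word: missing | dangling | empty | nocert | ok
classify_bundle() {
    p=$1
    # A symlink whose target is gone, e.g. the port was deinstalled.
    if [ -L "$p" ] && [ ! -e "$p" ]; then
        echo dangling
        return 0
    fi
    if [ ! -e "$p" ]; then
        echo missing
        return 0
    fi
    if [ ! -s "$p" ]; then
        echo empty
        return 0
    fi
    # A usable bundle holds at least one PEM certificate block.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$p" 2>/dev/null; then
        echo ok
    else
        echo nocert
    fi
}

# find_ca_bundle [ROOT]
# Prints the first usable bundle and returns 0; returns 1 if none is usable.
# Candidates that exist but are unusable are reported on stderr.
find_ca_bundle() {
    root=${1:-}
    for rel in $CA_BUNDLE_CANDIDATES; do
        state=$(classify_bundle "$root$rel")
        if [ "$state" = ok ]; then
            echo "$root$rel"
            return 0
        fi
        if [ "$state" != missing ]; then
            echo "skipping $root$rel: $state" >&2
        fi
    done
    return 1
}

# build_demo_tree DIR
# Constructed sample layout: the ports symlink is present but its target
# (ca-root-nss.crt) is not, and the base path holds a placeholder bundle.
build_demo_tree() {
    d=$1
    mkdir -p "$d/usr/local/etc/ssl" "$d/etc/ssl"
    ln -s ../../share/certs/ca-root-nss.crt "$d/usr/local/etc/ssl/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/etc/ssl/cert.pem"
}

# Check the live system only when the script is run with the argument "live".
if [ "${1:-}" = live ]; then
    find_ca_bundle "" || echo "no usable CA bundle found" >&2
fi
```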
From owner-freebsd-security@FreeBSD.ORG Thu Oct 2 16:03:22 2014 Return-Path: Delivered-To: freebsd-security@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id F3209CDE for ; Thu, 2 Oct 2014 16:03:22 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D294F8F3 for ; Thu, 2 Oct 2014 16:03:22 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id s92G3Lfs074804 for ; Thu, 2 Oct 2014 16:03:21 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id s92G3LEg074799 for freebsd-security@FreeBSD.ORG; Thu, 2 Oct 2014 16:03:21 GMT (envelope-from bdrewery) Received: (qmail 25693 invoked from network); 2 Oct 2014 11:03:20 -0500 Received: from unknown (HELO ?10.10.0.24?) (freebsd@shatow.net@10.10.0.24) by sweb.xzibition.com with ESMTPA; 2 Oct 2014 11:03:20 -0500 Message-ID: <542D7740.6030901@FreeBSD.org> Date: Thu, 02 Oct 2014 11:03:12 -0500 
From: Bryan Drewery
Organization: FreeBSD
To: Jung-uk Kim
Cc: Ben Laurie, freebsd-security@FreeBSD.ORG, Dirk Meyer, d@delphij.net, gecko@FreeBSD.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <542C6B0A.9060503@FreeBSD.org> <542D5254.2050508@vangyzen.net>
In-Reply-To: <542D5254.2050508@vangyzen.net>

On 10/2/2014 8:25 AM, Eric van Gyzen wrote:
> On 10/01/2014 16:58, Bryan Drewery wrote:
>> On 7/2/2014 8:55 PM, Bryan Drewery wrote:
>>> On 7/2/2014 6:45 PM, Xin Li wrote:
>>>> Hi,
>>>>
>>>> Currently, FreeBSD does not install a default /etc/ssl/cert.pem
>>>> because we do not maintain one ourselves. We do, however, provide a
>>>> port, security/ca_root_nss, which has an option to install a symbolic
>>>> link as /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt,
>>>> which is not the default option.
>>>>
>>>> This becomes a problem when applications, e.g. fetch(8), have grown the
>>>> support of doing certificate validation. I think now it makes sense
>>>> to have a default cert.pem installed with the base system.
>>>>
>>>> So my proposal would be:
>>>>
>>>> 1. Import a set of trusted root certificates, and install if
>>>> MK_OPENSSL is yes, to /usr/share/misc/ca-root-freebsd.pem;
>>>>
>>>> 2. In src/etc/Makefile, automatically create a symbolic link if it's
>>>> not already present in ${DESTDIR}/etc/ssl;
>>>>
>>>> 3. Teach mergemaster(8) and other similar applications to create the
>>>> symbolic link on demand;
>>>>
>>>> 4. Change the install/deinstall behavior of security/ca_root_nss:
>>>> ETCSYMLINK checked: If /etc/ssl/cert.pem exists, back it up on
>>>> install then overwrite with new symlink, and restore on deinstall.
>>>> ETCSYMLINK unchecked: If /etc/ssl/cert.pem does not pre-exist,
>>>> install a new symlink; on deinstall, if
>>>> /usr/share/misc/ca-root-freebsd.pem exists, replace the symlink with a
>>>> symlink to there, or remove if the file does not exist.
>>>>
>>>> Comments/objections?
>>>>
>>>> Cheers,
>>> Please see r266291.
>>>
>>> libfetch will now look in /usr/local/etc/ssl/ before /etc/ssl.
>>>
>>> The next step was to have the port always install the symlink there.
>>> It's fallen through the cracks though.
>>>
>>> This only allows fixing applications that use libfetch though and not
>>> other applications that expect a /etc/ssl/cert.pem like curl.
>> This seems to have been dropped. We do need some sort of solution though.
>>
>> I've found that curl already does the right thing and is looking at the
>> proper /usr/local location for the ca_root_nss bundle due to being
>> configured in the curl port to do so.
>>
>> The remaining piece IMHO would be fixing base openssl to look for
>> /usr/local/etc/ssl/cert.pem before /etc/ssl/cert.pem. The port currently
>> looks in /usr/local/openssl by default and not /etc/ssl.
>>
>> Here is a patch for the port to check /usr/local/etc/ssl first:
>>
>> https://people.freebsd.org/~bdrewery/patches/port-openssl-local-cert-pem.diff
>>
>> And a patch for base libcrypto to check /usr/local/etc/ssl first:
>>
>> https://people.freebsd.org/~bdrewery/patches/base-openssl-local-cert-pem.diff
>
> This is a good idea, and the patches look fine to me.
>
>> These allow things like wget to work by default once ca_root_nss is
>> installed with the /usr/local/etc/ssl/cert.pem symlink.
>>
>> As for installing a CA root bundle by default, we could just bootstrap
>> it along with pkg from ca_root_nss.

My main question is about the proper way to modify the base libssl for style/impact such that it does not lose the change on imports.

--
Regards,
Bryan Drewery
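The lookup order discussed in this thread, written as a check an administrator could run (an added example, not part of any message above and not FreeBSD code). It walks /usr/local/etc/ssl/cert.pem and then /etc/ssl/cert.pem and flags the dangling-symlink case that the install/deinstall proposal is meant to avoid. The function names, the `ROOT` argument and the "first usable candidate wins" rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.
# Candidate order follows the thread: /usr/local/etc/ssl before /etc/ssl.
CA_BUNDLE_CANDIDATES="/usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem"

# classify_bundle PATH
# Prints one word: dangling | missing | empty | nopem | ok
# (nopem also covers a file that cannot be read).
classify_bundle() {
    p=$1
    # A symlink whose target is gone, e.g. left behind after the package
    # that owned the target was deinstalled.
    if [ -L "$p" ] && [ ! -e "$p" ]; then echo dangling; return 0; fi
    if [ ! -e "$p" ]; then echo missing; return 0; fi
    if [ ! -s "$p" ]; then echo empty; return 0; fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$p" 2>/dev/null; then
        echo nopem; return 0
    fi
    echo ok
}

# select_bundle [ROOT]
# Prints the first candidate that classifies as ok; returns 1 if none does.
# ROOT (hypothetical parameter) is prepended to each candidate so a jail or
# image can be inspected. Absolute symlinks inside ROOT still resolve
# against the host, so use relative links or run inside the jail.
select_bundle() {
    root=${1:-}
    for c in $CA_BUNDLE_CANDIDATES; do
        if [ "$(classify_bundle "$root$c")" = ok ]; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# report_bundles [ROOT]: one "path<TAB>state" line per candidate, in order.
report_bundles() {
    root=${1:-}
    for c in $CA_BUNDLE_CANDIDATES; do
        printf '%s\t%s\n' "$c" "$(classify_bundle "$root$c")"
    done
}

# Run as: sh ca_bundle_check.sh ""  (live system) or with a root directory.
if [ "$#" -gt 0 ]; then
    report_bundles "$1"
fi
```

A `dangling` or `empty` result on the first candidate means a client that only tests for the path's presence may end up with no usable trust anchors even though the second candidate is fine.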