From owner-freebsd-ports@FreeBSD.ORG Tue Sep 30 22:00:56 2014 Return-Path: Delivered-To: freebsd-ports@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 13B83251; Tue, 30 Sep 2014 22:00:56 +0000 (UTC) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "smarthost.sentex.ca", Issuer "smarthost.sentex.ca" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id AD9FAA0B; Tue, 30 Sep 2014 22:00:55 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.9/8.14.9) with ESMTP id s8UM0rRk040776; Tue, 30 Sep 2014 18:00:54 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <542B27FF.10204@sentex.net> Date: Tue, 30 Sep 2014 18:00:31 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 MIME-Version: 1.0 To: Charles Swiger , Bryan Drewery Subject: Re: bash velnerability References: <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> <542B087D.3040903@FreeBSD.org> In-Reply-To: Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.75 Cc: freebsd-security , freebsd-ports , Jung-uk Kim X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Sep 2014 22:00:56 -0000 On 9/30/2014 5:25 PM, Charles Swiger wrote: > bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)" > Testing Exploit 4 (CVE-2014-7186) > bash-3.2$ CVE7186="$(bash -c 'true </dev/null ||echo -n V)" > bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT VULNERABLE" > NOT VULNERABLE > > This being said, I'm not confident that there won't be further issues found with bash.... > What are people using to check these issues ? I was using https://github.com/hannob/bashcheck Not sure if that gives false positives ? Even on linux with all patches applied, it coredumps on 7186. Yet the BASH maintainer says all holes are patched ? Or does he consider 2014-7186 not a security issue ? http://lists.gnu.org/archive/html/bug-bash/2014-09/msg00341.html # bash ./bashcheck Not vulnerable to CVE-2014-6271 (original shellshock) Not vulnerable to CVE-2014-7169 (taviso bug) ./bashcheck: line 18: 19749 Segmentation fault (core dumped) bash -c "true $(printf '< /dev/null Vulnerable to CVE-2014-7186 (redir_stack bug) Test for CVE-2014-7187 not reliable without address sanitizer Variable function parser inactive, likely safe from unknown parser bugs # -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/